Coleman Exposed Database: A Study in Ethics

by becki on March 13, 2009

I saw a segment on The Rachel Maddow Show tonight that bothered me a great deal. The segment was about how Adria Richards found and publicized a vulnerability on the Coleman for Senate website.

There are a couple of reasons this segment bothered me. First, the way she exposed the vulnerability was unethical. Ms. Richards obviously does not believe what she did was unethical. She thought that by exposing the security lapses of the Coleman site she was performing a public service, holding it up as what not to do. On her blog, she stated that she treated the discovery as “breaking news”, so she publicized it without making any attempt to contact the site administrator or the Coleman people to warn them. She said that her motivation was to expose the Coleman site administrators as negligent people who didn’t protect people’s privacy, yet she put those very people at risk by posting the vulnerability on Flickr. Odd.

The second thing that bothers me about this segment is that Rachel Maddow had Ms. Richards on her show and did not bring up any of these ethical questions. The angle of the story was how the Coleman people claimed their site was hacked with Ms. Richards countering that the site was simply mis-configured, allowing her to gain access (quite easily) to the sensitive information.

I am very disappointed that the ethical questions about Ms. Richards’ actions were ignored. I understand that Rachel Maddow’s show is primarily political, so things will be viewed in that light. I am a technical person with an emphasis on Information Assurance and Security, so I view things in that light. Nevertheless, I believe the more interesting question here is the ethical one, rather than the political one.

I outlined the ethical questions in a reply to Ms. Richards on her blog. I have copied the reply I posted on Ms. Richards’ site below:

“I agree with Pixelpusher. You found an unlocked door, walked in, looked around and took pictures. Rather than notify the owner, you chose to put a big sign in the front yard announcing that the door is unlocked and posted pictures of the contents for everyone to see. For a technology professional, this is an ethical question, not a political one.

You said it yourself, you thought it was “news” and that is the lens through which you filtered your decisions. Your desire to be part of a news story outweighed your duty to act responsibly, and you helped to expose sensitive personal data that might not have been otherwise. It doesn’t matter that you were not the first on the scene.

Sure, you didn’t unlock the door or store information that isn’t supposed to be stored unencrypted, but you did tell as many people as you could about the vulnerability, and did so before the door was locked. You could have publicized the negligent actions of the site administrator after the vulnerability was dealt with. You would have made your point without unnecessarily exposing people to identity theft or credit card fraud.

It’s an easy mistake to make given the current emphasis on instant communication, Internet fame and the view that data [is] nearly valueless. If nothing else, this incident serves as another case study for Information Assurance and Business Ethics students.”

Update: Please see the article I wrote with Dr. Mich Kabay for Network World about the ethics of this case. Dr. Kabay and I examine ethical choices and how to make them. The intent is to learn, and not to bash Ms. Richards. In fact, Dr. Kabay sent the article to Ms. Richards for her review before he published it.


branding247 March 14, 2009 at 5:56 am

I think by her definition of why she did not notify the site was clear. What I find more disturbing is the timeline of the site notification that they were hacked. They were not hacked and she discovered the site situation AFTER they said they were hacked. It’s clear you know little about the situation, but, yes, she could have notified them, but considering the options, we would have chosen the same route because if they have already accused “liberal” hackers…when in fact there were no hackers, then she stood to lose more by notifying them and having them accuse her of hacking.

I would protect myself, before anything, especially with a political site.

becki March 14, 2009 at 12:17 pm

Branding,

Thank you for your reasoned comment. I appreciate a respectful discussion on this very interesting and important topic.

I agree with you that the Coleman people mis-handled the situation on their end. I am not supporting what the Coleman people did at all. My lack of comment on the Coleman people’s actions should not be taken to be an endorsement of them. However, that is a separate issue from the one I addressed in my post and in my comment on Adria Richards’ blog.

I can appreciate the delicate situation in which Ms. Richards found herself once she saw the site’s directory listing including the database file. She was in dangerous territory even if she had been on a site that was owned by a non-politician. This is a great example of why it is important for technology professionals to recognize and understand these issues so they can act ethically. That is what motivated me to write the post on it.

There are several organizations that can help people learn more on these topics. The (ISC)2, ISACA, SANS, and EC-Council all have good resources to help people advance their knowledge in this field. Those interested in a degree in Information Assurance can do an online search for colleges. As a current MSIA student at Norwich University, I do recommend them to anyone interested in that route.

Regardless of what happens in the short term, I think this situation will be studied as an example of what not to do on multiple fronts.
