By Bruce Schneier
August 20, 2008

In eerily similar cases in the Netherlands and the United States, courts
have recently grappled with the computer-security norm of "full
disclosure," asking whether researchers should be permitted to disclose
details of a fare-card vulnerability that allows people to ride the
subway for free.

The "Oyster card" used on the London Tube was at issue in the Dutch
case, and a similar fare card used on the Boston "T" was the center of
the U.S. case. The Dutch court got it right, and the American court, in
Boston, got it wrong from the start -- despite facing an open-and-shut
case of First Amendment prior restraint.

The U.S. court has since seen the error of its ways -- but the damage is
done. The MIT security researchers who were prepared to discuss their
Boston findings at the DefCon security conference were prevented from
giving their talk.

The ethics of full disclosure are intimately familiar to those of us in
the computer-security field. Before full disclosure became the norm,
researchers would quietly disclose vulnerabilities to the vendors -- who
would routinely ignore them. Sometimes vendors would even threaten
researchers with legal action if they disclosed the vulnerabilities.