I happened to kick off a rather spirited discussion yesterday, when I tweeted that there were strong parallels between WikiLeaks and Pirate Bay -- both decided to widely distribute stolen information, and both are now in trouble for it.
From my point of view, I couldn't see much of a difference. I quickly found out that there were many alternative views on this topic, which -- for me -- makes it even *more* interesting!
My Case
I believe that ownership rights extend to information.
Whether we're talking copyright, patents, fair use licenses, or even simple notions of privacy -- many forms of information have an inherent notion of "owner" that can assert rights around how it is or isn't used.
Modern law is very clear on ownership rights in regards to property, but frustratingly less clear when it comes to various forms of information.
And, as we increasingly move to an "information economy", we will inevitably bump up against new and interesting cases where "who owns information" and thus controls its fair use becomes a heated debate.
A Case Of Information Theft, Plain And Simple
As far as I can tell, the facts are pretty clear. Someone stole a bunch of information from the US government. They knew the information didn't belong to them.
They handed this information over to another entity, who was also aware that the information was stolen, and didn't belong to them. This organization distributed it widely, against the wishes of the owner.
Political aspects aside, I can't see much difference between this activity, and doing the same for digital content, health records, credit card information, trade secrets, proprietary code, etc. Information is information at the end of the day.
Just to be absolutely clear, this wouldn't be much of a debate if the individuals in question had stolen physical property from the US government. Probably wouldn't even make the evening news.
What Makes This Interesting
One school of thought that emerged was that "free and unfettered access to information is essential to a good government". Well, yes and no. Any person -- and by extension any organization -- is entitled to control their information. We extend that right to corporations -- indeed, there are large jury awards for improper use of "owned" information.
Is the government all that different? In the US, we elect officials who establish laws around what sort of information must be disclosed, and how. We may argue that the process works, or does not work -- but that's a political debate and not a legal or technical one.
Personally, I am under the impression that (collectively) various government entities might know a lot about me -- more than I would feel comfortable with. I, for one, would respect them not sharing what they know publicly via WikiLeaks :-)
Another school of thought emerged around the role of the "press". I put that term in quotes, because these days there is no well-defined category of "press" these days -- social media and the web has seen to that. Once information has been knowingly stolen and made available, what responsibilities to other entities have in that regard?
If we were discussing stolen property, it'd be pretty clear, wouldn't it? Also, I think it would be pretty clear regarding customer lists, sensitive IP, etc.
Not clear, either, is it?
The Inevitable Impact
Like so many "bad information days", this one didn't have to happen either.
EMC (and other vendors) have a wide range of proven technology solutions that detect unauthorized information flowing (think DLP), can screen security events and flag unusual patterns (think enVision and SIEM), as well as produce high-level security and GRC reports that can verify that the appropriate measures are in place and working as intended.
The technology doesn't do any good sitting on the shelf. Nor does simply deploying the technology without re-engineering the associated processes do much good, either.
One of my favorite rants is that we're all going to have to learn how to manage information as money.
The government has (usually acceptable) processes in place to control unauthorized access to money ; maybe we'll see the same level of attention given to information going forward.
Chuck,
Excellent post! The conclusion that "this didn't have to happen", is spot on. But, when it comes to government, I'm not sure you can draw a line between political and legal debate, or define ownership rights quite as clearly.... The pentagon papers are a prime example of this.
/KW
Posted by: Keith Waryas | December 08, 2010 at 01:58 PM
Let's assume the informatione has been "stolen".
Information can be used in favor or against individuals and organizations (that's why we wouldn't feel comfortable if the government would publish all information they have about us).
When improper use of information can become dangerous, its "owner" has the responsibility, to ensure that access is trictly controlled. (if you own a gun, you should take the same responsibility)
So you could argue, whether WikiLeaks should have published the information they "stole".
On the other hand: the fact, that so much information can be stolen, needs to be published.
It demonstrates that access control in the govenment is not what it should be. This has to do with behaviour and responsibility of people you have voted for.
Posted by: Christoph Wenzel | December 10, 2010 at 06:10 AM
Could this whole affair serve as a wake-up call on cloud security? I wonder if financial institutions, for example, are envisioning themselves as the victims instead of the government? Maybe this will raise some awareness about the security of corporate Internet communications. http://www.theinfoboom.com/articles/cloud-security-concerns-heighten-as-wikileaks-and-other-threats-amass/
Posted by: InfoBOOM | December 10, 2010 at 02:36 PM
I struggle with this one - on one hand, I completely agree that I don't want *my* data shared (and by extension, anyone else's), but there is a legitimate role for the "whistle-blower". My struggle is where does legitimate whistle-blowing activity become information theft. Clearly a lot of the stuff on wikileaks goes beyond the legit whistle-blower scenario, but maybe defining that line is where we should all focus...
Posted by: Steve Litras | December 13, 2010 at 12:48 PM
I feel it is important to know what our government is doing. It is our government so the information belongs to the people
Posted by: Douglas ( MLM ) | December 17, 2010 at 02:17 PM