The Price of Restricting Vulnerability Publications: Difference between revisions
Revision as of 15:55, 22 June 2010
Full Title of Reference
The Price of Restricting Vulnerability Publications
Full Citation
Jennifer Stisa Granick, The Price of Restricting Vulnerability Publications, 9 Intl. J. CommLaw & Pol'y, 2005. Web
Categorization
- Issues: Information Sharing/Disclosure
- Approaches: Regulation/Liability
Key Words
[Disclosure Policy], [Information Security], [Software Vulnerability], [Zero-Day Exploit]
Synopsis
There are calls from some quarters to restrict the publication of information about security vulnerabilities in an effort to limit the number of people with the knowledge and ability to attack computer systems. Scientists in other fields have considered similar proposals and rejected them, or adopted only narrow, voluntary restrictions. As in other fields of science, there is a real danger that publication restrictions will inhibit the advancement of the state of the art in computer security.

Proponents of disclosure restrictions argue that computer security information is different from other scientific research because it is often expressed in the form of functioning software code. Code has a dual nature, as both speech and tool. While researchers readily understand the information expressed in code, code enables many more people to do harm more readily than with the non-functional information typical of most research publications. Yet, there are strong reasons to reject the argument that code is different, and that restrictions are therefore good policy. Code's functionality may help security as much as it hurts it, and the open distribution of functional code has valuable effects for consumers, including the ability to pressure vendors for more secure products and to counteract monopolistic practices.
Computer Insecurity and Disclosure Restrictions
Part One of this paper explains the current state of computer (in)security and sets forth three ways to restrict publications followed by the most common arguments for and against. It then illustrates the popularity of security publication restrictions with an overview of proposed and enacted publication restrictions.
Publication Restrictions in Other Scientific Fields
Part Two reviews the debate surrounding publication restrictions in other scientific fields and shows that, except in rare cases, policy makers and scientists agree that the strong interest in sharing, peer review and cooperation that is essential to the development of scientific knowledge outweighs the benefit to security interests attained from restraining publication. The law cannot regulate code without impacting research, so policy makers must decide whether any security gain from disclosure restrictions is worth the price.
The Benefits of Openness in Computer Security
Part Three asks how computer security is different from other fields of science and whether these differences warrant a more or less restrictive approach to regulating vulnerability publications. The paper concludes that while the functionality of code superficially appears to be a strong factor in favor of limiting computer security publications, security is not improved by secrecy in the computer context. Additionally, code restrictions undesirably favor anti-competitive practices on the part of market actors in a networked economy. The public interest particularly benefits from openness in computer security.
Additional Notes and Highlights
Outline:
INTRODUCTION

PART ONE
  I. The State of Computer (In)security
  II. Types of Vulnerability Disclosure Restrictions
    A. Audience Restrictions
    B. Time Restrictions
    C. Information Restrictions
  III. Proposed and Enacted Publication Restrictions

PART TWO
  I. Scientific Advancement Requires Publication and Openness
  II. How Publication Restrictions Cannot Target the Utilitarian Aspects of Code Without Chilling Legitimate Research and Burdening the Advancement of Computer Security

PART THREE
  I. Computer Security Benefits More From Widespread Dissemination of State of the Art Knowledge Than Do Other Scientific Fields
  II. Computer Insecurity Poses Less Harm Than That Threatened by “Dangerous Science”
  III. The Likelihood of Abuse of Computer Security Information Is Greater Than in Other Scientific Fields
  IV. Secrecy Is Unlikely to Benefit Security More Than Openness in the Context of Computer Networks
  V. Publication Restrictions Contribute to the Market Failure in Security Provision

CONCLUSION