WebWord Weblog Posting
Posting Date: October 31, 2002

Is "guessing" ethical? -- Reader DGJ writes: "A small Swedish company posted its quarterly earnings on its website, without any password protection, but without publicizing the URL. A Reuters reporter guessed the URL and found the report before it was supposed to be released. Now the reporter is being sued for hacking a URL, which is a fundamental navigation technique that many users employ every day. Let's go a little further into the grey area: a reporter for Wired guessed the password for Saddam Hussein's e-mail account, and published a story about what he found there. Is this ethical?" (Comments: Tough, but interesting question.)
Reader Comments...
This is stupid. A Web site is a public place. If you put private or confidential information on a publicly accessible server without any kind of password protection, then it could be argued that you were not concerned about the sensitivity of that information. It could also be argued that you're mind-numbingly stupid, and deserve what happened to you. The reporter has not illegally broken into anything. He has not pretended to be anyone else, hacked into somebody else's account, or attempted to access a password-protected area. Posted by: MadMan on October 31, 2002 11:47 PM
Yeah, the Reuters reporter wasn't trying to gain access to a restricted area. Things can get rather murky with security holes which can be easily exploited via URLs (e.g. it used to be possible to view the global.asa files, often including database passwords etc., of many sites, including Microsoft UK, simply by adding a few characters to the URL). I guess it comes down to whether the person is trying to circumvent security measures. I don't consider not publicising a URL a security measure.
The Swedish company's legal bozo says that they want a legal opinion on what can be considered public and private information on a web site. I'll give them the advice for free - if it's password protected, it's private. If it isn't, it's not. Whether the URL is available 'through normal channels' or not is irrelevant. Posted by: Alan Fisher on November 1, 2002 03:59 AM
Gotta go with the others on this one: a no-brainer. Is it that the company really didn't know the difference between secure/password protected sites and public websites, or is their legal department back pedalling? I suspect the latter. ANYONE who has used the web seems to intrinsically know that once you post something in an open area the whole world can see it. In fact, this is exactly why companies have websites: to communicate to the outside world (the whole world). It is what makes the web attractive and exactly what digital agencies sometimes sell. That they didn't know someone could access the documents is highly unlikely, or at least incredibly dumb. Posted by: Jim Kalbach on November 1, 2002 04:10 AM
The developer(s) that allowed that to happen is either incredibly lazy or stupid. How could someone that knows ANYTHING about running a website allow that to happen? Sounds like laziness to me. By the way, it's a no brainer. The reporter should definitely not be liable. Posted by: on November 1, 2002 09:11 AM
Madman writes: "The reporter has not illegally broken into anything. He has not pretended to be anyone else, hacked into somebody else's account, or attempted to access a password-protected area." But that's exactly what the Wired reporter did when he hacked into Saddam Hussein's e-mail. I'm really more interested in THAT. I completely agree that there's nothing wrong with hacking a URL, but Madman, what do you say about guessing the password? Posted by: Dennis G. Jerz on November 1, 2002 09:53 AM
Another example of how lawyers and the suits they bring cause more harm (wasting time, money, etc.) than good. (Don't interpret this comment to mean I wish all lawyers instantly vaporized.) Posted by: boysen on November 1, 2002 10:07 AM
Dennis, That was a different situation. The question is if the reporter was "breaking in". I'd argue that it was. There are two aspects to this in my opinion: a) Intent: The reporter clearly knew that he didn't have unprotected access to the email account. It was protected by a password, albeit weak. He intentionally attempted to bypass the regular security measures, and succeeded. b) Public v/s private information: What's in Saddam's email box is private information, which was not openly available to anyone else. It was also protected by a password. In contrast, the reporter in this case made no attempt to break into any computer system, and merely accessed data in a public place. Yes, a website without any protective measures for data IS in the public. For instance, if John Rhodes linked to an image in his IMAGES folder, and then I hacked the URL to get www.webword.com/images and saw the directory listing of all the images in that folder, and then downloaded one of those files, I'm not breaking in. I'm just accessing material available to anyone/everyone else. (Note to John: Leaving directory listing on is crappy security. Creates BIG security holes. Your hosting company sucks for leaving that on by default.) Posted by: MadMan on November 1, 2002 01:55 PM
If the question is was the behavior unethical, in my opinion, it may have been ethical to break in, but it wasn't ethical to do anything with the info beyond alert the company and write up their goof afterwards. Legal? Don't know. And I don't know that the discussion should be limited to financial statements. A company might be soft launching a section of a web site about an as-yet unlaunched product. The company is certainly stupid, but the person hacking the url has to know they're going into unfriendly territory: it's not like they're clicking on a link. And of course I think the host company is a complete idiot. Posted by: Frank on November 1, 2002 04:21 PM
Hacking a URL is not unethical. It's taught as a navigational tip in some "Introduction to the Internet" classes. Stumbling upon unlinked content is not unethical. Alerting the public to unlinked and obviously meant-to-be-hidden content _is_ unethical, but it is not illegal. It's just plain sloppy security, like undressing in your front living room, then calling the cops when a door-to-door salesman sees you naked. Posted by: on November 1, 2002 04:47 PM
Everyone seems to have answered the easy question about the Reuters and the Swedish company and avoided the difficult one about Saddam Hussein's email account. In the case of Saddam Hussein it's easy enough - until he admits weapons programme inspectors without restrictions he's obviously up to no good and his privacy should therefore not be respected. You might want to add "and human rights inspectors". But then it gets greyer. Would it have been ethical to hack Enron for evidence of their now-notorious malpractices? At what stage, i.e. how much prima facie evidence would you need in order to justify the hacking? In fact the whole concept of privacy is very grey. David Brin, a former research scientist turned science fiction writer, has argued rather convincingly that privacy laws exist mainly to protect the powerful (the powerful can always get round privacy laws if they want information about you and me) and are therefore ethically dubious in their own right. I don't think Mr. Brin considered the thought that he lives in a libertarian society and that privacy protection may be more desirable in less tolerant societies - or perhaps he assumed less tolerant societies would not enact privacy laws. Anyone up for a real debate? Posted by: philip chalmers on November 12, 2002 12:37 PM
URL: http://webword.com/weblog/ ©1998-2005 by WebWord.com. All rights reserved.