Ethics and Security

10 Jul 2005

Paul Jones has published an entry on his blog discussing ethics and security. Although I don't have the time to properly respond, I do want to make a few points.

There is a tendency to view security research (in any form) as malicious. This seems to be the primary reason that people object to it. Of course, without such research, those with malicious intentions would gain an advantage. It is for this reason that I view attempts to curtail the ethical boundaries confining security research as counterproductive.

This is very similar to the issues surrounding the blood alcohol content levels used in certain laws. An overzealous restriction causes more people to be considered criminals. This makes the enforcement of severe penalties unjust in edge cases. In terms of security research, as soon as more researchers are viewed as unethical, fewer people are willing to engage in such research, and we all lose.

Of course, there must be boundaries, but I believe more flexibility needs to be afforded researchers than Paul asserts. I'm not suggesting that a Patriot Act approach is a good idea, but I think we need to be more forgiving rather than less when it comes to judging those with good intentions.

To those interested in this particular topic, the policies of the PHP Security Consortium are worth considering.