I happened to kick off a rather spirited discussion yesterday, when I tweeted that there were strong parallels between WikiLeaks and Pirate Bay -- both decided to widely distribute stolen information, and both are now in trouble for it.
From my point of view, I couldn't see much of a difference. I quickly found out that there were many alternative views on this topic, which -- for me -- makes it even *more* interesting!
I believe that ownership rights extend to information.
Whether we're talking copyright, patents, fair use licenses, or even simple notions of privacy -- many forms of information have an inherent notion of "owner" that can assert rights around how it is or isn't used.
Modern law is very clear on ownership rights in regards to property, but frustratingly less clear when it comes to various forms of information.
And, as we increasingly move to an "information economy", we will inevitably bump up against new and interesting cases where "who owns information" and thus controls its fair use becomes a heated debate.
A Case Of Information Theft, Plain And Simple
As far as I can tell, the facts are pretty clear. Someone stole a bunch of information from the US government. They knew the information didn't belong to them.
They handed this information over to another entity, who was also aware that the information was stolen, and didn't belong to them. This organization distributed it widely, against the wishes of the owner.
Political aspects aside, I can't see much difference between this activity, and doing the same for digital content, health records, credit card information, trade secrets, proprietary code, etc. Information is information at the end of the day.
Just to be absolutely clear, this wouldn't be much of a debate if the individuals in question had stolen physical property from the US government. Probably wouldn't even make the evening news.
What Makes This Interesting
One school of thought that emerged was that "free and unfettered access to information is essential to a good government". Well, yes and no. Any person -- and by extension any organization -- is entitled to control their information. We extend that right to corporations -- indeed, there are large jury awards for improper use of "owned" information.
Is the government all that different? In the US, we elect officials who establish laws around what sort of information must be disclosed, and how. We may argue that the process works, or does not work -- but that's a political debate and not a legal or technical one.
Personally, I am under the impression that (collectively) various government entities might know a lot about me -- more than I would feel comfortable with. I, for one, would respect them not sharing what they know publicly via WikiLeaks :-)
Another school of thought emerged around the role of the "press". I put that term in quotes, because these days there is no well-defined category of "press" these days -- social media and the web has seen to that. Once information has been knowingly stolen and made available, what responsibilities to other entities have in that regard?
If we were discussing stolen property, it'd be pretty clear, wouldn't it? Also, I think it would be pretty clear regarding customer lists, sensitive IP, etc.
Not clear, either, is it?
The Inevitable Impact
Like so many "bad information days", this one didn't have to happen either.
EMC (and other vendors) have a wide range of proven technology solutions that detect unauthorized information flowing (think DLP), can screen security events and flag unusual patterns (think enVision and SIEM), as well as produce high-level security and GRC reports that can verify that the appropriate measures are in place and working as intended.
The technology doesn't do any good sitting on the shelf. Nor does simply deploying the technology without re-engineering the associated processes do much good, either.
One of my favorite rants is that we're all going to have to learn how to manage information as money.
The government has (usually acceptable) processes in place to control unauthorized access to money ; maybe we'll see the same level of attention given to information going forward.