Man-Machine interaction!

I've had two random comments on my recent blogpost about Anakata and freedom on twitter that were so interesting I wish to recite them here, with longer commentary than 140 characters:

Henrik Kramshoej (professional security consultant with an understanding of business and economics with regards to securing enterprises) says the following:

"houses are not people, and they should not be protected by criminal law as if they were people." so what about burglary?

Computers are, in addition to not being people, also not houses. If an apartment in an apartment block is burgled, we do not protect the apartment block owner, we protect the apartment owner or the resident of the apartment. But actually, in the vast majority of cases we also don't do that because less than 5% of all burglaries are ever investigated by the police. This is why private security is very common in apartment blocks now. That is a major difference between IT crime law and house burglary law: in the former, we have a specific goal and ambition to protect whoever provided the flawed security system or whoever owns the computer ("the house") where different entities co-exist. In house burglary law, we have a clear focus on protecting the individual whose home was burgled.

The two legal regimes covering private real estate and computers are based on completely different problem formulations, and relatively similar solutions. The solution, as explained by Mr Kramshoej, is that

if NOT kept illegal to break into computers you will allow a lot to try it, which will require costly protections for all :( [...] just investigating a simple breakin is extremely costly and smaller companies and orgs will suffer greatly :-(

Luckily, this was not unaccounted for in my blogpost. There is nothing which says cost remedies for private persons or small and medium-sized enterprises needs to be routed through law enforcement. In fact, we may even suspect that market problems are better solved by market mechanisms, which was also pointed out in my original blogpost. I can think of at least three authorities in Sweden that would be potential market regulators: the Consumer Rights Authority, Competition Authority, and the Telecoms and Post Authority.

David Remahl instead puts (translated by me from Swedish):

Företag består av människor; min dator är en utbyggnad av min person. [Companies consist of people, my computer is an extension of my person.]

The context is that I proposed that IT crime laws protect machines and companies, rather than individuals. The response here is that IT crime laws, by protecting companies and machines, in fact protect individuals since individuals can be extended by their machines, and work at companies. It's certainly a more interesting philosophical argument: I would argue that a computer is only an extension of myself in so far as I have control over it, the way that I have control over my own body and its functions. There can be a flexibility norm around this perceived self, of course, but it's clear that if somebody I know remotely or physically seized control over my hardware, I would no longer consider the results of actions engaged by that device to be representative of myself. Similarly, if someone takes over my Twitter account and starts writing random stuff in my name, I would not see that as being comments made by me. I would see that as comments being made by someone using my Twitter account.

On the company side of things, companies engage with two types of individuals: employees and customers. The above comment seems to suggest that employees of a company are protected by IT crime law. I would argue that this is the case only in so far as the employment contract establishes as much, but customers in general are definitely not protected by IT crime law. On the other hand, further interactions between me and Mr Remahl seem to indicate that he and I have a different understanding of which interests a company can and cannot have. As far as I understand company law (and this of course can differ between jurisdictions), companies are very restricted in the interests they can and cannot have. Therefore we cannot see companies as individuals, for they are regulated in ways that individuals are not, and are less free to determine their self-interest.

2 comments

You might want to check out https://www.pcisecuritystandards.org/index.php

The PCI Data Security Standard represents a common set of industry tools and measurements to help ensure the safe handling of sensitive information. Initially created by aligning Visa's Account Information Security (AIS)/Cardholder Information Security (CISP) programs with MasterCard's Site Data Protection (SDP) program, the standard provides an actionable framework for developing a robust account data security process - including preventing, detecting and reacting to security incidents. The updated version, version 1.1, developed by the founding members of the PCI Security Standards Council, became effective with the launch of the PCI Security Standards Council.

I'm not unaware of business self-regulation processes. They spend many millions of euros every year informing me of their desires not to fall under legal obligations. :-)

I am hesitant of business self-regulation as a single tool in this case for two reasons:

- it's been shown not to work unless one has proper transparency procedures in place. Corporate Social Responsibility schemes at the end of the day fail when they are put against the strong obligations on companies, in law, to serve interests of shareholders and creditors. Compliance with business self-regulation is also difficult to ensure without transparency. In network and information security we additionally have strong governmental interests positioned to weaken effects of self-regulatory schemes.

- one has to be careful not to allow self-regulating businesses to become a de facto establisher of social norms and contracts. We have democratized the establishment of social norms because we need legitimate transfers of powers that can occur non-conflictually. It's to my view for a good reason that we apply democratic procedures for this purpose. Corporate self-regulation by definition is not democratic.