by merrywhether
3680 days ago
Reading this, I had an idea for a new law that could counteract this stupid reaction to security research: Particularly for protected patient information (but maybe for other classes of sensitive data as well), it would be interesting to somehow classify having this information breached as a crime by the holder of the information (I realize this might be hard to do given the reality of security these days, so there would need to be some nuance of course). The crux of my idea would be to automatically count any access that results in prosecution as a breach of said data, thus meaning that prosecuting a security researcher would automatically put the information holder under separate prosecution. I wonder if something like this could be feasible.

The source of the problem in this case is that the CFAA is too loose/broad and the penalties are absurd. The solution is to fix that. Make it so that the only penalties available are proportional and innocuous actions like reporting vulnerabilities are bright-line not illegal whatsoever.
You're essentially suggesting cold war style MAD as a solution to the government foolishly supplying toxic waste to children who are then found using it to poison people they don't like, under the theory that if everyone can poison everyone then everyone will have to behave. Better to clean up the toxic waste than ensure equal access to it.