Tag Archives: Transparency

Lead or go out of business

That’s increasingly the reality around communications and online security/privacy incidents. If you don’t lead in providing information, then others will do it for you. And that can mean your company could be out of business in just a few days. Google, Microsoft, Mozilla and the Dutch government have all made this point very clear over the course of the past few days with regard to the DigiNotar compromise.

You can get full details in Gregg Keizer’s story but the important facts are that DigiNotar is a Dutch company that issues digital certificates used for secure web browsing. Around August 29, 2011 Google discovered a forged DigiNotar certificate was being used on the Internet. In real terms, this means that someone could use this certificate to watch what you’re doing on the Internet when you’re using a secure channel without you knowing it. Google, Microsoft, and Mozilla all responded by making the forged certificate unusable in their browsers but keeping the rest of DigiNotar’s certificates usable. This is a standard response when situations like this have happened in the past.

But over the next four days, it emerged that DigiNotar had been aware of this attack since mid-July, that it was broader than a single certificate, and that the company had said nothing. In response to that lack of transparency and communication, Google, Microsoft, Mozilla, and the Dutch government, now involved because they used DigiNotar for sensitive government websites, took an unprecedented step. They revoked all certificates that DigiNotar has issued or will ever issue, basically putting them out of business. It would be like the United States Government declaring that a state’s driver’s license issuing procedures were so weak that none of their licenses will be accepted as valid IDs ever again.

If you need any proof that the lack of transparency and communication was the chief driver of this decision, Johnathan Nightingale, who is Director of Firefox Engineering over at Mozilla, cites the lack of notification as the first reason behind their decision. He goes on to talk about how “Incidents like this one demonstrate the need for active, immediate and comprehensive communication”. While his comments are about this specific incident, they apply to any online security/privacy incident.

DigiNotar had two chances to take the lead in this situation. First, when it was discovered in mid-July, and then when it first broke publicly in late August. If they had made a point to be the source of authoritative information at either of these junctures, they may have been able to keep control of the situation and keep from being shunted to the sides and shuttered by the other affected parties. As it is, though, they’ve become a cautionary tale of how fast things move in Internet time and how quickly one poorly handled incident can close down a business.

Wikileaks-ification of Journalism

I just noticed that MSNBC has posted a digital archive of email from Sarah Palin’s time as governor. As they describe it:

[This] free, public, searchable archive is now complete, with 12,045 documents and 24,361 pages, hosted by msnbc.com at http://palinemail.msnbc.msn.com.

That’s a lot of email to wade through.

What I find interesting, though, is less what’s in the archive and more the fact that MSNBC has made the archive itself.

Whatever you may think of Wikileaks and their release of information, their work has made a fundamental change around expectations for information. People now want access to the full raw materials themselves. They will welcome the analysis and digesting that journalists can do. But they want access to the raw materials now on their own as well.

Journalism outlets understand this and want to keep eyeballs on their sites. So they’re moving to copy the Wikileaks model and keep people on their sites.

Given that, it makes sense that MSNBC would do this. They’re not the only ones doing this, though. Al Jazeera, the Wall Street Journal and others have been talking about building their own competitors to Wikileaks in terms of where people can submit documents. There is a lot of discussion about whether they can match Wikileaks’ guarantees that protect the submitters. But the fact that they’re entering that side of this game is telling too.

What this all means is that the era of hyper-full-disclosure isn’t going away, likely ever. The increasingly fragile distinction between purely private and purely public communication is pretty much gone now. All communication in any digital format can and will be used against you in the court of public opinion in case of a crisis.

That’s inherently neither a good nor a bad thing. It’s just a reality that we all need to understand and adapt to.