Meow Ethics and Data Cop

2020-07-26

What are the ethics of a Meow attack? Bleeping Computer states:

If behind these incidents are positive intentions, sometimes nothing good comes out of them and valuable data that could be lost in the process.

But is that true? I think most people would agree they would rather have their Equifax data erased than leaked. If there is an insecure, public-facing database on the Internet holding people's personal data that the company behind the database should have secured in the first place, why shouldn't the database be wiped?

It's also possible that the data on the public-facing database should not have been collected in the first place; think the myriad number of applications and services that surveil on people and siphon data on their every move to exploit it for advertising profit. In this case, having the data leaked is likely to be more harmful to people than having it erased. In fact, having the data erased, as opposed to leaked, may not even be of concern to people, just to the company behind the application or service. And that company should already be spending a considerable sum securing their infrastructure, so the loss that comes from the data wipe is not necessarily larger than what they should have spent in security in the first place.

Alas, we might be onto something. Let us make an ethical leap here and consider the following system. Hold tight, it's automated policing.

Consider a system like the Meow attack that goes around the Internet scouting for insecure databases. Unlike Meow, however, it does not delete the data: it ransoms it. The encrypted data is stored on the original database itself or externally, depending on whether the attack can successfully modify the original data. Should the company wish to recover the data, they must pay a ransom. The punishment should be proportional to the crime, of course; we would not want a hefty ransom, or perhaps any ransom at all, on a kid's demo database they had set up for educational purposes, for example (surely having the databased ransomed will be educational too!). On the other hand, the ransom could be proportional (and not necessary linear) to the company's size, revenue, whether the database holds personal data, the sensitivity of that data, and so on. In a way, this system is a form of automated law enforcement: companies large and small should be taking every effort to protect customer data. If they don't, they should pay a fine. The system just described automates that. We can call it Data Cop.

There are number of details we have not considered. For example, what if Data Cop uses a 0day in one of its crusades? Should a company be held accountable for failing to secure the database against a 0day? Or is it the database provider's responsibility? If that particular database should not be public-facing in the first place, then maybe the company can indeed take part of the blame and face a fine? This is just an example, but you can imagine similar nuances.

There are of course a good number of ethical flaws in this argument, but perhaps Data Cop, or some alteration thereof, could do more good than harm and bring about some justice to companies and their complete disregard and disrespect for security and people's data confidentiality?