Closing the Vault Door

Tuesday, December 18, 2012

Suzanne Widup


For those of you who have appreciated The Leaking Vault series of data breach statistics reports, I have some sad news.  Just as I was days away from releasing the third installment in the series with the addition of the 2011 data, plus the breaches that had come to light in the past year, I received an email from Brian Martin with the Open Security Foundation.   The Open Security Foundation (OSF) manages the DataLossDB, which has this to say of their mission (from their website’s homepage):

DataLossDB is a research project aimed at documenting known and reported data loss incidents world-wide. The effort is now a community one, and with the move to Open Security Foundation's, asks for contributions of new incidents and new data for existing incidents [Open Security Foundation].

The email indicated that the OSF was explicitly stating that I do not have permission to publish the new report using their data without a license.  After inquiring about the cost of a license, I was referred to Barry Kouns with Risk Based Security, who handles licensing of the OSF data.  In a subsequent conversation with Barry, I was told that they see The Leaking Vault as being in direct competition with the consulting and analysis services that Risk Based Security provides.  Their services are based on the data that has been gathered by the volunteers and staff of the OSF, and the community, myself included.  To clarify, he stated that while the DataLossDB site allows people to access the data in the OSF site for “internal research”, they draw the line at publishing it in a report such as mine.  (Note, I have always cited them as one of my sources, and praised their work on both maintaining the DataLossDB and the Primary Sources Archive.)

Here is the only indication of acceptable use I was able to find on their website, so this was a surprise, since I thought that research, properly cited, was what this organization was trying to foster:

Use of the DataLossDB, and its exports, RSS feeds, reports, or other materials produced on this site by the Open Security Foundation requires authorization and potential licensing arrangements [Open Security Foundation].

Barry told me that Risk Based Security has developed a dashboard for paying customers to access the data from the DataLossDB where they can run their own custom reports.  This is provided for an annual subscription fee which is based on the type and frequency of access desired.  He indicated that the pricing model was likely outside of my ability to pay.  In fact, he mentioned that since they see my report as competition, they would have to price the license such that it would make it worthwhile for them to allow a competitor in the market.  (The original email from Brian had some inaccurate statements as to the monetary benefit they believed the DFA (Digital Forensics Association) and I had received from the report, which I countered.  They knew the license fee would have to come out of my own pocket.)

I am a Ph.D. student, and I started The Leaking Vault as a research project for school.  When I had compiled 5 years of data, I wanted to publish because I felt this was important information (and at the time the only similar papers I could find were in the academic journals—which are not commonly used by people outside of academia due to their pricing model).  This was a way of giving back to the Information Security community that had been so good to me over the course of my career.  I have presented it at local conferences without compensation, and made the presentation slides freely available, as are the reports.  It should be noted that the Digital Forensics Association, who publishes these reports, is also a nonprofit research organization, and that no commercial benefit has ever been received for these reports.

In closing, I must caution anyone who is relying on their data (particularly if it is for thesis or dissertation work) that they should immediately find alternate sources for the same publicly available data, lest they find themselves in a position similar to mine.  Having spent months of work compiling statistics and performing the analysis that is required to put a report like The Leaking Vault 2012 together, I am forbidden to publish.

While I am unable to share the results I have compiled, I have been tracking the 2012 breaches and shall be starting my research over again without the use of any OSF data.  The Leaking Vault website will continue to track recent breaches in the blog, so please consider letting me know if you hear of one I don't list.  Hopefully this decision by the OSF to censor the research of an individual scholar will not have a chilling effect on the overall data breach research community.

Thank you for your support.

Suzanne Widup

Michael Johnson I don't see how they could legally stop you quoting their statistics, if you're producing an original work based on publicly-available material which properly cites and references the OSF, and you're not profiting financially from the use of their stats. People do the same on their blogs (sometimes even plagiarise) without any issues.

Their acceptable use policy you quoted was also too vague. What constitutes 'use of', and 'authorisation'? You could argue they've already authorised the use by making their stats public. You could even argue the statement's incorrect, as it's entirely possible to use the material (as you've already done) without authorisation.
Kathleen Jungck Suzanne, Check with your advisor(s). In many cases, you can use even copyrighted material for academic use under the fair use doctrine. You'd think they'd want you to cite their data -- you're giving them free advertising! Perhaps if you approached the issue on those grounds, of a mutually beneficial solution. More on fair use from
Kathleen Jungck To quote the information on fair use from the copyright office, "Copyright protects the particular way authors have expressed themselves. It does not extend to any ideas, systems, or factual information conveyed in a work."
Ray Pesek I'm not sure they could bind you to an agreement you did not explicitly agree to. EULAs that are simply a link have been found to be invalid. But this may be a battle that's not worth fighting for you, particularly if they file a DMCA notice with your ISP.

Remember one thing: A person who does not know their rights has no rights. Don't give up without knowing your rights if this is important to you.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.