Friday, May 23, 2008

Explaining the Data Removal Policy Change on

It is well known to many members of the data removal policy that was put in effect around the 2002 time frame. At that time, the political climate in the United States was at times very worrisome - especially after September 11th. After some drawn out discussions with multiple people within the Federal Government and US military, I decided that it was in the best interest of, and myself, to allow US Federal and Military officials an opportunity to formally request that I remove data from the site, only under certain conditions. Basically, an "out", and the ability to stay off the radar of some folks that were looking to cause trouble. It is important to note that policy did not under any circumstances provide for the removal of data from the site for state and local government, or businesses, even though we had had received many requests to do so.

At the time, many wondered why I "caved" in to the US Military and Federal government, and I was strongly criticized for implementing this policy. I even wrote a lengthy position statement that helped explain the approach we were taking. However, in looking out for the best interest of community and my family, with the political climate as it was at the time, I had decided to implement a removal policy to keep such a large target from becoming "shot at."

Moving forward though, now that the political climate has calmed and it has been very apparent that the 10 or so requests that I had to remove data did nothing to actually remove the information from the public domain - and frankly it is a well known fact in the security industry that security-by-obscurity does not work. Therefore, effective May 19th 2008 I made the conscious decision to rescind the policy and not remove any data from the site unless ordered to by a court that has jurisdiction over the site.

I'm sure that even this "policy change" will result in criticism, and I welcome the discussion. But remember, at the end of the day if something is important enough to be requested for removal, then it is important enough to either be encrypted or not broadcast over the air.

No comments: