Thursday, 31 August 2017

citations - Using leaked proprietary information in scientific paper


I am working on a project in the area of IT security where we are analyzing a proprietary embedded system. While researching the system, we came across a confidential data sheet that was made publicly available by a third party without the consent of the manufacturer of the system. The datasheet is marked confidential and usually only given out after an NDA is signed. It describes an outdated version of the system we are analyzing, but is partially relevant, as some parts of the system have not changed since then.


Is it ethical / acceptable to use and reference this resource in a paper?


"Related Work": this and this question ask about citing documents that aren't widely available (while my document can be found by anyone using Google, and none of the involved researchers have signed any NDAs).


Edit: To add some additional information that I added spread over a few comments:





  • The datasheet in question describes the security protocols used by an older version of a popular embedded security chip, current versions of which are being used in payment and access control systems.




  • The manufacturer is aware that the data sheet has been leaked and is not happy about it, but has not gotten the datasheet removed from the third-party servers where it is located for the past two years. The reasons for this are unclear.




  • The data is confidential (as in private-sector NDA-confidential), but not classified in a government sense.





  • The company has already stated that they would prefer if we did not publish based on this document, but that they would not be taking any legal action if we did, as long as all information was factually correct.





Answer



Sounds like you have found an interesting source and are considering the moral implications of using it. What I will say is based purely on personal opinion and probably what I would do unless instructed otherwise.


Leaks are a fact of life. With the proliferation of digital material they are commonplace. Look at Wikileaks, the Snowden revelations etc. Once material has become public there is - fortunately or unfortunately - no going back, regardless of how that information became public. It is the responsibility of the owner/creator of the material to ensure it stays secure.


Dissemination of such material could be highly fruitful - but think of it this way - will your publishing research based on the material be ultimately constructive or destructive? Will it benefit just you or the wider world? Who is it really advantageous for? If the answer is just you, I would probably withhold your research based on it. If it has wider ramifications of great import, go with it. Also consider the reasons why it is confidential. Who does it serve - who does it protect? Was the confidentiality because of financial reasons, incomplete research, company policy, or 'national security'?


There is a heavy moral tinge to this question, and you may have to do some soul-searching. But ultimately, if it serves the wider discipline in a positive way, and such servitude grossly outweighs the few individuals who it would ire, I would use it, as long as there are no legal implications for yourself [unlikely since a third party leaked it, but you can never be too careful].

