Question of the Week number 28 got an astonishing amount of views and answers – it is a very hot topic in the world of privacy and data protection.
User anonymousquery wrote this question because he is concerned about the ethical implications of such a backdoor, whether intentional or not, while his employers don't see it as a big deal because they "aren't going to use it."
Oleksi posted the top-scoring answer, which makes the point that should be raised in any similar circumstance:
Just because they won’t use it, doesn’t mean someone else won’t find it and use it.
It presents a major risk just by existing: if an attacker finds the backdoor, their job is made that much easier. In a comment on this answer, makerofthings7 added the interesting fact that Microsoft have even taken the step of banning harmless Easter eggs from their software, to help customers buy into their Trustworthy Computing concept and to meet government regulations.
Mason Wheeler targeted the question specifically, answering the “What should I do?” part by discussing the moral and ethical responsibility to protect customers from a product with serious security flaws. He suggests whistleblowing – possibly to the FBI or similar body if it is serious enough!
Martianinvader also pointed out the following important point:
Fixing this issue isn’t just ethical, it’s essential for your company’s survival. It’s far, far better to fix it quietly now than a week after all your users and customers have left you because it was revealed by some online journalist.
Avio pointed out that there are risks to you and your company, and suggested another course of action which may be preferable:
And if I were you, I'd just be very cautious. First, I'd make really, really sure that what I saw was a backdoor, I mean legally speaking. Second, I'd try in any way to convince the company to remove the backdoor.
Bruce Ediger gave some essential information on protecting yourself: now that the backdoor is almost public knowledge, you may get blamed if it is exploited!
With another 17 answers in addition to these, there is a wide range of viewpoints and advice, but the overall view is that the first thing to do is understand where you stand legally and where the ethical issues come into the equation, then weigh the impact of whistleblowing against staying quiet before making a decision that may affect your career.
Liked this question of the week? Interested in reading it or adding an answer? See the question in full. Have security questions of your own? A security expert who wants to help others? Come and join us at security.stackexchange.com.