Truthful security disclosures should always be legal. Period.

After a week of blockbuster security revelations from Defcon it's important to take a step back and address the ongoing battle by companies to seize a veto over who can reveal defects in their products.

There's never been a US law that gives companies the power to decide who can make truthful statements about bugs in their products, and such a law would not pass constitutional muster. But corporations and federal prosecutors have created a corporate veto on bug disclosures, by stretching and distorting other laws like the Computer Fraud and Abuse Act and the Digital Millennium Copyright Act.

Even the best companies, with the best coordinated disclosure policies, make implicit claims that they have the right to decide who can tell the truth about their products, and how. Disclosure policies from Mozilla, Dropbox and Tesla all promise not to use the DMCA to punish you for going public with bugs in their systems, but only if you use their disclosure system.

The problem isn't that Mozilla is likely to abuse this power — they're one of the good ones, trustworthy and upstanding. The problem is that Mozilla (and Dropbox and Tesla) are normalizing and furthering the idea of that companies get to decide who criticizes them, and that power isn't limited to good actors like them. The company that makes your pacemaker, voting machine and bank software are not necessarily as honorable as these upstanding citizens, and the argument that corporations get to gag inconvenient truths applies to them, too — which makes it a risk to all of us.

EFF is hosting a Reddit AMA on August 21, from 12PM-3PM, where we'll be discussing our lawsuits and regulatory action to get rid of this pernicious idea.

I've written this up for EFF's Deeplinks, along with a model promise that good companies should make to delegitimize the idea of corporate censorship:

We believe that conveying truthful warnings about defects in systems is always legal. Of course, we have a strong preference for you to use our disclosure system [LINK] where we promise to investigate your bugs and fix them in a timely manner. But we don't believe we have the right to force you to use our system.

Accordingly, we promise to NEVER invoke any statutory right — for example, rights we are granted under trade secret law, anti-hacking law, or anti-circumvention law — against ANYONE who makes a truthful disclosure about a defect in one of our products or services, regardless of the manner of that disclosure.

We really do think that the best way to keep our customers safe and our products bug-free is to enter into a cooperative relationship with security researchers and that's why our disclosure system exists and we really hope you'll use it, but we don't think we should have the right to force you to use it.

Telling the Truth About Defects in Technology Should Never, Ever, Ever Be Illegal. EVER.
[Cory Doctorow/EFF Deeplinks]

(Image: Newtown Graffiti, CC-BY)