
Ethical Reporting of Data and Security Issues

Who is this document for?

In this era, where there is a mobile application and a website for everything and ever more software engineers building them, data leaks and security issues are a common phenomenon. This document will hopefully help anyone who finds a leak report it ethically, without causing too much harm.

What is the need for this document?
In India we have recently seen a lot of leaks, from government websites to JIO to Zomato to medical testing data. More engineers are willing to share these leaks on Twitter and more news organisations are covering them. But in most of these cases we have observed that care has not been taken to protect user information and privacy. Hence we decided to write this document.
Warning: This is not a comprehensive guide, but it is what we think are the best practices to follow at this time. Please make sure you talk to a lawyer in addition to reading this.

First things first

Determining the criticality of an Issue
A data leak or a security issue can have varying levels of criticality depending on who it damages. Some leaks cause loss of revenue for an organisation (e.g. the food ordering service Food Panda in India lost a lot of revenue because of a bug). Other leaks result in an invasion of privacy and end up affecting people's personal lives, like the pathology clinic in Mumbai where the medical records of patients were leaked. Some leaks have financial consequences for the data subjects, such as leaks involving financial information, or passwords to accounts with the ability to transact.
The more critical a leak, the more caution you have to exercise in reporting it, on social media or otherwise. So how does one determine the criticality? Here are some simple questions to guide you:
  1. Does this affect more than one person?
  2. Does reporting this damage lives in the long term, and is the damage irrevocable? E.g. the leak of health records of HIV patients from a pathology lab or a hospital could mark the people involved for their entire lives. This information, coupled with social stigma, could affect their prospects of a healthy life or their professional lives.
  3. How long will it take for the organisation to close the leak?
  4. In case there is no clear tangible impact, could this have an impact in combination with other public data?
Ideally, one does not publicize a leak without first informing the organisation affected and following up with them to close it.
Consequences to consider when reporting a security issue
Reporting a leak in India is always a tricky situation. It could lead to criminal proceedings against you. We advise that you always get legal advice before you report anything, especially if the organisation has not defined a bug reporting program. The Information Technology Act 2000, for example, is one of the laws that defines what is considered a crime with respect to actions online.
For example, some sections of the act, particularly section 43, define it to be a crime to gain unintentional access to a system, or even to download from or damage a system.
Remember that reporting a leak sometimes takes extensive follow-ups. It needs perseverance and patience. Sometimes reporting a leak requires you to gain skills which are not technology oriented, e.g. networking to connect with a decision maker who could help plug the issue, or writing skills to share the issue online. One has to be prepared to learn and to get more support when not equipped with the right skills.
We highly recommend that you do a personal risk assessment before you move forward.
Risk Assessment for a reporter
Warning: This is only a guideline. We recommend you talk to your lawyers, security professionals and your support network for a better assessment.
  1. Do I have support, by which we mean:
    • Financial support in case of consequences
    • Personal networks to support me
    • Legal support systems
  2. Who else is at risk if I am in trouble?
  3. What are the chances that the organisation you are reporting against will act to prosecute you?
  4. Do I have the mental ability / support to handle the stress for the period of time?
  5. Do I have the technological support to help me protect myself and my loved ones?
Calculating the risk of a vulnerability
Security professionals around the world use standard methodologies to calculate the risk of a vulnerability. One such tool which can help you calculate the risk is this:
It is highly recommended that you do a risk assessment of a vulnerability in order to help you strategise, or even decide whether to continue working on it.

Effectively document your finding 

Documenting your story
When you chance upon a leak and confirm it by double checking, it is highly recommended to make elaborate notes on how you discovered it. This documentation should be done as soon as possible, ideally right after you are confident that it is a leak, because various stakeholders will ask you about this repeatedly, and having as many accurate details as possible will help support your case. You can use secure note-taking platforms like Etherpad / Riseup Pad to protect your privacy if you are making notes online. It is recommended that you store these notes offline in an encrypted format. Also take screenshots with time stamps (this could be a double-edged sword if you are liable to prosecution because of the leak).

Documenting the Bug

Elaborate documentation of the leak itself helps in getting it fixed faster. Engineers always find it useful to have more information.

  • Include steps showing how to replicate your bug, and describe any preconditions, e.g. accessing a particular page with a particular browser, or accessing it from a certain phone.
  • Include screenshots if possible. 

Effective process to share your findings 

Reaching out to concerned officials / Organisations

The right way to report a leak is to reach out to the organisation responsible and write to them about your findings before you go public (of course this has consequences; we certainly don't recommend this for Snowden- or Manning-type leaks, and assessing your risk is very important before you do this). This can be done in many ways:

  • Bug Bounty Programs: Most technology orgs have a bug bounty program and sometimes also offer rewards for reporting leaks. This is the easiest and the most rewarding way to reach out to orgs.
  • Organisation Public Issue trackers: Some open organisations do not have a bug bounty program but have public bug repositories, linked either to their code repos or to their websites. This is another way to report security leaks.
  • Community Outreach Co-ordinators: In the absence of bug bounty programs or issue trackers, some organisations have outreach coordinators, who act as developer and business liaisons for the organisation. For any critical leak it is highly advisable to report bugs to them; this will ensure the closure of leaks with minimal lead time.
  • Public / Private mail ids: While some prefer anonymous reporting, sometimes personal reporting helps build confidence and obtains quick results. If you wish to stay anonymous it might be best to report to the public email ids available on the website. On the other hand, if you have a certain degree of confidence in the intent of an organisation, it might be best to use your personal network to reach out to them and talk them through it.

In case of leaks on government websites: Every country has a specific process to report leaks on government websites. In India specifically, CERT India is responsible for the security of government websites and it is best to report to them. The organizations one can reach out to are:

  1. CERT India
  2. MEITY
  3. The government body that is affected

Talking about the Security Issue in Public

It is very easy to talk about a security issue in public. It is also considered an honor by many, and sometimes a necessity, to report it. We recommend the following actions if you plan to do so.

As a general rule, avoid talking about a leak or an issue before it has been fixed.

Initiating the removal of sensitive data

If you cannot get the complete issue fixed, make sure at least the sensitive data is removed before you share an issue. By sensitive data we mean personally identifiable information. It is also recommended that you clean the data of secondary identifiers (these are identifiers which, when coupled with other information, can still make data personally identifiable). If you are not sure about identifiers, we recommend that you talk to organisations which have been working on Open Data for a while (below is a list of some organisations).
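As an added example (not part of the original post), the following Python shows what cleaning a sample for secondary identifiers means in practice: direct identifiers are dropped, date of birth and pincode are coarsened, and the release is refused while any combination of the remaining fields still singles one person out. The field names, threshold k and patient records are constructed assumptions for illustration.

```python
"""Added example, not from the original post: drop direct identifiers, coarsen
secondary identifiers, and check that nobody is still unique before release."""
from collections import Counter

DIRECT_IDENTIFIERS = {"name", "phone", "patient_id"}   # dropped outright
# Secondary identifiers: harmless alone, identifying in combination, so only
# released in a coarsened form.
QUASI_IDENTIFIERS = ("dob", "pincode", "gender")

def generalise(record):
    """Copy of record without direct identifiers and with coarsened secondary ones."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    if "dob" in out:
        out["dob"] = out["dob"][:4]                  # birth year only
    if "pincode" in out:
        out["pincode"] = out["pincode"][:3] + "XXX"  # postal region only
    return out

def smallest_group(records):
    """Size of the smallest set of records sharing one secondary-identifier tuple;
    1 means somebody is still unique on the released fields alone."""
    keys = [tuple(r.get(q) for q in QUASI_IDENTIFIERS) for r in records]
    return min(Counter(keys).values()) if keys else 0

def is_releasable(records, k=2):
    """True if every secondary-identifier combination occurs at least k times."""
    return smallest_group(records) >= k

def sanitise(records, k=2):
    """Generalise records and refuse to release them if any combination is rarer than k."""
    cleaned = [generalise(r) for r in records]
    if not is_releasable(cleaned, k):
        raise ValueError("release blocked: a secondary-identifier combination is still unique")
    return cleaned

# Constructed sample of fictional patients (not real data).
SAMPLE = [
    {"name": "A", "phone": "9000000001", "patient_id": "P1",
     "dob": "1984-03-12", "pincode": "400001", "gender": "F", "test": "HbA1c"},
    {"name": "B", "phone": "9000000002", "patient_id": "P2",
     "dob": "1984-11-02", "pincode": "400078", "gender": "F", "test": "Lipid profile"},
    {"name": "C", "phone": "9000000003", "patient_id": "P3",
     "dob": "1991-06-30", "pincode": "560034", "gender": "M", "test": "CBC"},
    {"name": "D", "phone": "9000000004", "patient_id": "P4",
     "dob": "1991-01-15", "pincode": "560095", "gender": "M", "test": "TSH"},
]
```

On the raw sample every record is unique on date of birth alone; after coarsening, the four records fall into two groups of two, so `sanitise(SAMPLE)` releases them, while `sanitise(SAMPLE[:3])` refuses because the third record is still alone in its group.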

Building a campaign

While sporadic tweeting or sharing helps sometimes, it is always recommended that you build a plan to talk about the leak.

  • Decide on your objectives for sharing the leak: what would you like to achieve?
  • Identify people who are working in this field and could help you amplify your voice.
  • Talk as accurately as possible about the effects of the leak and its origin.
  • It might be best to leave out details of how to reproduce the leak if you think it could harm more people.

Using Screenshots 

Sometimes using screenshots amplifies your report and its impact. We recommend using them as opposed to sharing the methodology of replication in public. However, one has to be cautious while sharing screenshots: make sure you block any personally identifiable information or information that could cause damage to lives or property.

Talking to the Press

Before talking to the press, please be clear about your intentions for doing so. Again, we recommend this only after the issues have been fixed. But sometimes it is important that you talk to help close the issues, and we understand that. So we have put together a set of things that would make this conversation ethical and effective.

Disclosure:

  • Make sure to disclose your intent in reporting leaks
  • Disclose any funding you have received to do this work
  • Avoid sharing a detailed description of the leak in case it has not been closed yet
  • Make sure not to share sensitive data, either through your screenshots or through data


List of organizations to ask for support

Online Security and Whistle Blower Protection

Open Data Questions 

Legal Support ( India ) 

ALF  

Research Methodologies 

Security Methodology and Advice

Further Reading

This guide was written by Chinmayi S K with contributions and feedback from Thejesh GN, Chris Kubeca, Amber Sinha and Nisha Thompson.

This post is released under the Creative Commons Share Alike 4.0 License

If you have any feedback or comments, please feel free to write to us through this contact form and we will get back to you asap.