Ran Bar-Zik reports what sounds like a situation where a cybersecurity student who engaged in responsible disclosure after finding a leak at the scholarship application website of the American Joint Distribution Committee (“the Joint”) felt pressured and anxious by the Joint trying to get him to sign a statement afterwards. And so far, he hasn’t signed it, it seems.
Representatives of the Joint stress that they had told him he could edit or amend the statement to make it comfortable for him to sign:
“With regard to Shmuel Lenchner, he was contacted by phone and asked to delete the material and not to make use of it. In addition, he was sent a draft of a statement that he would act accordingly. He was explicitly informed and in writing that he could amend the text to the extent that he found it proper so that he would feel comfortable with the statement, but since then, his response has not been received.”
Okay, but having been in that situation myself numerous times, I would point out that he is under no obligation to provide any signed statement for them at all, is there? Is there some legal obligation in Israel? An ethical one? What? Did the Joint provide a draft statement that explicitly waived any action against him? Without any assurance, why would he sign anything?
DataBreaches has signed statements in some cases, and I know Jelle Ursem has also been asked to provide statements in some leaks we have reported together. I also know that I have not signed statements in some cases. This is where the approach of the entity or their counsel really matters.
Providing a statement helps an entity cover themselves for insurance or litigation purposes. But taking a threatening or heavy-handed approach to getting a statement, may not be successful (the Joint says they told him he could edit it, but maybe even that wasn’t non-threatening enough?).
Based on my experiences, which may not be valid for others, one of the more effective approaches was when counsel for one firm contacted me, didn’t come across as threatening any legal action at all, and said they would be happy to provide me with a subscription to software that would provide military-grade destruction of any files of theirs that might be on my system. I took them up on that offer after editing their draft statement a bit. As a result of how they handled it, they got a signed statement, their files were destroyed securely, and they got the report showing the secure destruction of files. And I wound up with a one-year subscription to a service to securely destroy files. And it was all very non-threatening.
You can read the sequence and details of this Israelis incident at Haaretz. Maybe the Joint could try again. The student obviously didn’t engage in responsible disclosure for a reward, but he sure as heck didn’t want to feel that he might get into trouble for doing the right thing on that.