3

If I'm running a website that, say, takes a survey, must I protect user data from disclosure if the users are informed initially that it's insecure? I'm not storing financial data or social security numbers, just opinions, (user)names and e-mails.

Moshe

3 Answers

3

You expect users to read the agreement? Really? That simply doesn't happen; it's a rare user that reads the EULA instead of simply clicking next or checking that checkbox that says they read it.

These days there's an implicit assumption that you're going to take some care over what you're doing, in the same way that you expect a surgeon to know what organ to remove, and even if you sign a piece of paper before going into surgery agreeing not to sue if they remove a leg instead of a kidney, the implicit duty of care expectation and subsequent publicity nightmare when you're hopping mad on television because they lopped off a leg (pun intended!) would sink that doctor's career for good.

blowdart
  • Not a EULA - a simple alert at the top of the page, similar to the SO welcome message should suffice: `"Any information you enter on this website is in the public domain. By using this site, you agree."` – Moshe Nov 21 '10 at 18:06
  • Same argument applies - people don't read things like that, nor can you assume they will. – blowdart Nov 21 '10 at 18:27
1

"Knowing" it's insecure is a tricky thing... How do they know this? A nice big message on the site (that is easily ignored)? A long ToS that no one bothers to click on, much less read? An intrusive popup, that the typical user will not read and click right through to get to the site?

So, is it okay to not secure this data?
If this data was completely anonymous, I would say "perhaps". Maaaaybe even "probably", given some more information.
Given that the information includes email addresses, and correlates between names and opinions (on what? politics? religion? sexual preferences? employer? employer's religiously sexual preferences?) I would say it's a resounding "Not so much".

Again, it still depends on what precise information is there, and why you think the user knows (e.g. displaying blog comments is pretty obvious this is displayed).
Also, when you say "secure" and "protect", these terms are not completely unambiguous... My assumption is that you're referring to "protect from disclosure", obviously you still want to prevent SQL Injection, XSS, etc etc.

AviD
  • I've edited my question in response to some of your points. – Moshe Nov 21 '10 at 16:11
  • I agree with @AviD, it really depends on how valuable the information is, how it affects user privacy. Anyway, every site must protect users' identity if there is a place for user privacy integrity. –  Nov 21 '10 at 16:14
  • @Moshe, thanks that does clear up the last point, but the first point still stands. How this "informed" thing you speak of works is important, but ultimately probably ignored. – AviD Nov 21 '10 at 16:15
0

To add, though there are many “it depends” here, if you have money and a user can cry foul then you open yourself up to civil suits.

Tate Hansen