For those of you who have appreciated The Leaking Vault series of data breach statistics reports, I have some sad news. Just as I was days away from releasing the third installment in the series with the addition of the 2011 data, plus the breaches that had come to light in the past year, I received an email from Brian Martin with the Open Security Foundation. The Open Security Foundation (OSF) manages the DataLossDB, which has this to say of their mission (from their website’s homepage):
DataLossDB is a research project aimed at documenting known and reported data loss incidents world-wide. The effort is now a community one, and with the move to Open Security Foundation's DataLossDB.org, asks for contributions of new incidents and new data for existing incidents [Open Security Foundation].
The email indicated that the OSF was explicitly stating that I do not have permission to publish the new report using their data without a license. After inquiring about the cost of a license, I was referred to Barry Kouns with Risk Based Security, who handles licensing of the OSF data. In a subsequent conversation with Barry, I was told that they see The Leaking Vault as being in direct competition with the consulting and analysis services that Risk Based Security provides Their services are based on the data that has been gathered by the volunteers and staff of the OSF, and the community, myself included. To clarify, he stated that while the DataLossDB site allows for people to access the data in the OSF site for “internal research”, they draw the line on publishing it in a report such as mine. (Note, I have always cited them as one of my sources, and praised their work on both maintaining the DataLossDB and the Primary Sources Archive.)
Here is the only indication of acceptable use I was able to find on their website, so this was a surprise, since I thought that research, properly cited, was what this organization was trying to foster:
Use of the DataLossDB, and its exports, RSS feeds, reports, or other materials produced on this site by the Open Security Foundation requires authorization and potential licensing arrangements [Open Security Foundation].
Barry told me that Risk Based Security has developed a dashboard for paying customers to access the data from the DataLossDB where they can run their own custom reports. This is provided for an annual subscription fee which is based on the type and frequency of access desired. He indicated that the pricing model was likely outside of my ability to pay. In fact, he mentioned that since they see my report as competition, they would have to price the license such that it would make it worthwhile for them to allow a competitor in the market. (The original email from Brian had some inaccurate statements as to the monetary benefit they believed the DFA and I had received from the report, which I countered. They knew the license fee would have to come out of my own pocket.)
I am a Ph.D. student, and I started The Leaking Vault as a research project for school. When I had compiled 5 years of data, I wanted to publish because I felt this was important information (and at the time the only similar papers I could find were in the academic journals—which are not commonly used by people outside of academia due to their pricing model). This was a way of giving back to the Information Security community that had been so good to me over the course of my career. I have presented it at local conferences without compensation, and made the presentation slides freely available, as are the reports. It should be noted that the Digital Forensics Association, who publishes these reports, is also a nonprofit research organization, and that no commercial benefit has ever been received for these reports.
In closing, I must caution anyone who is relying on their data (particularly if it is for thesis or dissertation work) that they should immediately find alternate sources for the same publicly available data, lest they find themselves in a position similar to mine. Having spent months of work compiling statistics and performing the analysis that is required to put a report like The Leaking Vault 2012 together, I am forbidden to publish.
While I am unable to share the results I have compiled, I have been tracking the 2012 breaches and shall be starting my research over again without the use of any OSF data. The Leaking Vault website will continue to track recent breaches in the blog, so please consider letting me know if you hear of one I don't list. Hopefully this decision by the OSF to censor the research of an individual scholar will not have a chilling effect on the overall data breach research community.
Thank you for your support.