Security of data
Bill Binko
bill at BINKO.NET
Thu Jun 30 13:40:03 EDT 2005
On Thu, 30 Jun 2005, Randy James wrote:
> Thanks for all the input. I now have a clearer picture of what i am faced with.
No problem: you'll find amazing people in this community -- and most of
them are decent human beings, too! :-)
I hope (since this has turned into a non-technical discussion) you don't
mind if I spout off a bit for a second...
> I need to be able for people to use the data but not be able to take it
> out of the office and allow someone who will use it the wrong way to
> obtain it.
I have some issues with the wording "not be able to" and "need". You
simply won't find success with them. How about:
"The goal is to make it easy for users to access the image in our
location, while making it difficult to remove the images without it being
detected. Also, we'd like to provide our lawyers and local authorities
with everything they need to prosecute those who are caught so that the
threat of incarceration and fines is a significant deterrant."
> Like I need for a logging company to be able to avoid a
> spotted owl nest so the managers/planners need to know, but there has
> been a problem because people who are loggers not the managers get the
> maps and have cut down the tree that has the nest.
(There's that word 'need' again!)
What you have here is a criminal problem. I'm fairly sure that chopping
down a nest in the act of logging (i.e. accidentally or carelessly) is a
civil infraction with a fine, but that intentionally chopping down that
tree to kill the bird is criminal. I'm also sure that if someone
_intentionally_ removed your images and then provided them to people who
would chop down the trees, that would be considered conspiracy or being an
accessory.
Your best bet is to strengthen your position and make it damned clear to
everyone who comes into your location just how serious you are about
pilfering your pix. IMNAL, but I'd start like this:
1) Hire a lawyer (had to be said)
2) If possible, only allow information at kiosks you control (with no
floppies, external network access or USB ports accessible)
3) Offer to extract images for a fee that is > $2000 per extract. This
lets you have a known price if you do catch someone stealing, in most
states (and provinces, probably), it's Grand, not Petty Theft, and it lets
you write a contract for those who really would benefit from off-site
access (and are willing to follow your rules).
4) Put cryptographic and visual watermarks on the images, both from the
paid extracts and from the web access. Ideally, you could put a session
identifier in the watermarks, so that you can tell when and by whom they
were stolen.
a) Visual Watermark: http://tinyurl.com/ambpg
b) Digital Watermark: http://www.watermarkingworld.org
5) Put "picket fences" up to stop the lazy 90% from copying your images...
but realize that they provide a false sense of security -- they just slow
down lazy people:
a) Setup the HTTP headers to NOT allows caching (see other thread)
so that there isn't a cache folder full of your images.
b) Use a "one pixel image" trick to disable the "Save Image As".
That loads a one pixel image instead of your map, and then loads the map
via javascript. If people choose "Save Image As", they will get the
one-pixel image.
6) Finally, post clear terms of use, both on your site, and physically
when people sign in. The physical act of signing a paper will actually
cause people to follow the rules (Read "Influence: The Psychology of
Persuasion" http://tinyurl.com/bz2ky ). Unfortunately, click-through
licenses don't have the same effect.
> I know there has got to be some trust and ethics should be followed but
> when the issue of jobs and millions of dollars is on the line everything
> goes out the window.
I'm actually not a strong believer in trust (in the workplace, that is).
I do believe in the law, however, and in fear.
Make it illegal, make it enforceable, and make it clear you'll hold the
users you grant access to responsible.
You'll be fine :)
Bill
More information about the mapserver-users
mailing list