Ethics of Whistleblowing in Cybersecurity

By Zachary Amos, Features Editor at ReHack

Incidents of whistleblowing — especially those dealing with data privacy and security — frequently make headlines. Although whistleblowing in cybersecurity might seem like a good thing, the nature of consumer privacy complicates matters.

What Is Whistleblowing?

The practice of revealing information to stop wrongdoing is called whistleblowing. A whistleblower reveals information about negligence, malpractice or illegal activity to a trusted source. It often occurs between a company and an employee, and whistleblowers can report information to their employer or choose to go public. 

How Whistleblowing Relates to Cybersecurity

Whistleblowing can happen in any industry. Cybersecurity professionals handle private information often and are familiar with proper practices to ensure confidentiality. However, the sensitive nature of the industry allows for exploitation. For example, a cybersecurity company might take advantage of private consumer information by giving it to a third party. 

Cybersecurity manages risks involving hardware, software and client data. While companies might break the law outright, whistleblowing usually occurs because of less malicious behavior. For example, a business might fail to secure client data. A whistleblower could notice this error and escalate the issue by making it public information. 

Additionally, the greater the consequence or importance of an issue, the more likely someone will become a whistleblower. Cybersecurity regularly deals with such matters, so the likelihood of whistleblowing is high. President Biden signed a cybersecurity reporting act into law in 2022, emphasizing ethical whistleblowing.

Ethical Considerations of Whistleblowing

The role of ethics in whistleblowing is a gray area. On the one hand, companies that ignore pressing security issues or act maliciously with user data should be held accountable. However, employees violate people’s privacy when they reveal confidential data. While whistleblowing stops the company’s wrongdoing, it might harm others in the process. 

Cases of Whistleblowing in Cybersecurity

This ethical dilemma has come up before, as cybersecurity is no stranger to whistleblowing. On July 6, 2022, the former chief security officer for Twitter disclosed the platform’s noncompliance with data privacy and consumer protection laws. The former employee — Peiter Zatko — blew the whistle to multiple government agencies about the mishandling and negligence involving user information.

This seems ethical, but it is concerning that Zatko came out with the information after Twitter let him go. Twitter argued Zatko’s allegations were false and stated it met its minimum data privacy requirements. It also implied that Zatko’s recent firing prompted his accusations. Beyond that, Twitter brought up the financial damage of such allegations. 

This case outlines the ethical considerations of whistleblowing. Someone’s relationship with their employer, a company’s history and the level of wrongdoing all need to be considered.

Is Whistleblowing Ethical?

Is whistleblowing good when an employee does it in retaliation? What standards should a company be held to when handling public data? Each situation of whistleblowing is unique, and the public should consider every angle. Whistleblowing can be a great tool to help the public, but it sometimes protects the wrong people. 

For example, take the case of Matthew Vannoy against Celanese Corp. In 2007, Vannoy filed a complaint internally but also filed a claim with the IRS Whistleblower Rewards Program. The corporation eventually found Vannoy had abused his access to private data and sent himself the Social Security numbers of other employees. The government allows whistleblowers to share confidential company data, so whether this information was protected under Vannoy’s whistleblowing activity was questionable.

The privacy and data of regular people are seemingly at risk either way. In the United States, 86% of adults are concerned about their data privacy, so the general public would likely appreciate the transparency of whistleblowing. However, publicizing their information might not be the correct answer.

Can Whistleblowing Be Used for Good?

Whistleblowing poses risks to consumer data, but the company getting called out is usually already taking such risks. Whistleblowers who are careful about revealing information can do good. Multiple government agencies exist specifically to protect this information when whistleblowing occurs, so a whistleblower can protect people’s privacy by going directly to them. Even if someone is doing this out of spite, companies engaging in illegal or unethical practices deserve to be held accountable.

Whistleblowing in Cybersecurity

An industry that deals with online security should always strive to protect consumer data. While whistleblowing can be ethical, consumer privacy is still at risk. Overall, people should be the first consideration when discussing the ethics of whistleblowing in cybersecurity.

As the Features Editor at ReHack, Zac Amos writes about cybersecurity, artificial intelligence, and other tech topics. He is a frequent contributor to Brilliance Security Magazine.


