[plug] preventing data "theft"

Bernd Felsche bernie at innovative.iinet.net.au
Mon Dec 11 19:07:11 WST 2006


Stuart Midgley <stuart.midgley at ivec.org> writes:

>hmmm... perhaps make the data owned by another user and NOT allow the  
>assistants to read the files... then make the actual statistics  
>package setuid user?

>That way, when they run the package, it runs as a user who has read  
>access to the files... still doesn't prevent them copying the files,  
>but does make it harder...

A sufficiently-persistent user can still exercise the stats
application to glean the "complete" data set.

setuid would _move_ control of who reads the data into the setuid
application. If the application is designed for access control, then
it'll provide lots of back doors.

Sensitive data should never be presented for ad hoc analysis by
untrusted people. If it's data relating to personal records, then
what makes it personal has to be removed from the data set. If such
personal data is "needed", it can be replaced with fuzzy placebos
that are "near-enough" to allow meaningful analysis... It is of
course *necessary* to say that this has been done.

In the end, researchers must always make all raw data from which
they draw statistics (and conclusions) available for independent
verification. Providing the access to independents via a stats
package is simply wrong; the package is a "filter" that can taint
the data. It can be used for prestidigitation by the unscrupulous
and a crutch by the incompetent.
-- 
/"\ Bernd Felsche - Innovative Reckoning, Perth, Western Australia
\ /  ASCII ribbon campaign | "If we let things terrify us,
 X   against HTML mail     |  life will not be worth living."
/ \  and postings          | Lucius Annaeus Seneca, c. 4BC - 65AD.
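The point made above, that a persistent user can drive an aggregate-only stats front-end to recover the complete data set, is worth seeing concretely. The following is an added example written for this page, not code from the thread or from any stats package it mentions. It models the setuid approach as a class that can read the raw rows while the caller cannot, releases only counts and sums over a caller-supplied filter, and suppresses any query that matches fewer than two records. The data set, names and attributes are constructed for the illustration. The "analyst" never sees a single row, yet recovers every salary by differencing: the sum over everyone minus the sum over everyone except one person, where that person is singled out by attributes the analyst already knows (department and age), not by name.

```python
"""Differencing attack against an aggregate-only "stats package" (added example)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Record:
    # Constructed sample record; 'salary' is the sensitive attribute.
    name: str
    dept: str
    age: int
    salary: int


# Constructed sample data set (hypothetical, not from the thread).
RAW_DATA: List[Record] = [
    Record("alice", "eng", 34, 91000),
    Record("bob", "eng", 45, 120000),
    Record("carol", "ops", 29, 67000),
    Record("dave", "ops", 52, 88000),
    Record("erin", "hr", 41, 73000),
]


class StatsPackage:
    """Models the setuid stats package: it can read the raw rows, the caller
    cannot. Only aggregates are released, and a query whose filter matches
    fewer than 'min_group' records is refused. That check is the usual
    safeguard, and the attack below never trips it."""

    def __init__(self, rows: List[Record], min_group: int = 2) -> None:
        self._rows = rows
        self._min_group = min_group

    def _matched(self, pred: Callable[[Record], bool]) -> List[Record]:
        return [r for r in self._rows if pred(r)]

    def count(self, pred: Callable[[Record], bool]) -> int:
        return len(self._matched(pred))

    def sum_salary(self, pred: Callable[[Record], bool]) -> int:
        matched = self._matched(pred)
        if len(matched) < self._min_group:
            raise PermissionError("query suppressed: group too small")
        return sum(r.salary for r in matched)


def reconstruct_salaries(stats: StatsPackage,
                         quasi_ids: Dict[str, Tuple[str, int]]) -> Dict[str, int]:
    """Differencing attack. 'quasi_ids' is the attacker's side knowledge:
    for each target, the (dept, age) pair that is unique to that person.
    Two queries per target, both over groups of size >= 2, so the
    small-group suppression never fires."""
    total = stats.sum_salary(lambda r: True)
    recovered: Dict[str, int] = {}
    for name, (dept, age) in quasi_ids.items():
        # Everyone except the target, selected without using the name.
        without = stats.sum_salary(lambda r: not (r.dept == dept and r.age == age))
        recovered[name] = total - without
    return recovered


def single_record_query_is_suppressed(stats: StatsPackage, name: str) -> bool:
    """The naive query (filter on one person) is correctly refused."""
    try:
        stats.sum_salary(lambda r: r.name == name)
    except PermissionError:
        return True
    return False


def attack_succeeded(stats: StatsPackage = None) -> bool:
    """Run the attack on the constructed data and compare against ground truth."""
    stats = stats or StatsPackage(RAW_DATA)
    known = {r.name: (r.dept, r.age) for r in RAW_DATA}  # attacker's side knowledge
    return reconstruct_salaries(stats, known) == {r.name: r.salary for r in RAW_DATA}


if __name__ == "__main__":
    pkg = StatsPackage(RAW_DATA)
    print("direct query refused:", single_record_query_is_suppressed(pkg, "alice"))
    print("recovered:", reconstruct_salaries(pkg, {r.name: (r.dept, r.age) for r in RAW_DATA}))
    print("attack succeeded:", attack_succeeded(pkg))
```

Note that the filter in the attack never mentions a name, so stripping the name column from the data set would not change the outcome: the pair (department, age) is enough to isolate each person, which is why "removing what makes it personal" has to cover such combinations and not just the obvious identifiers. Raising the minimum group size does not help either; the attacker simply differences larger groups.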