CNET NEWS.COM - Security-flaw guidelines hit pothole.
A proposal on how security bugs in software should be responsibly disclosed to the public was withdrawn from the Internet's primary technical-standards body Monday.
The draft guidelines are intended to make peace between the two sides in the security arena: software companies, who would rather the public didn't know about their products' vulnerabilities at all, and security researchers, some of whom have been known to publish vulnerability information to embarrass a program's maker and garner publicity for themselves.
The proposal would outline how and when researchers should release information on software security holes and the steps software makers should take to fix problems as soon as possible.
Members of the security section of the Internet Engineering Task Force, the organization that sets technical standards on the Net, signaled in comments on the draft submitted in February that human procedures are not its purview, said Steve Christey. Christey is lead information security engineer for government engineering firm MITRE and one of the two authors of the guidelines.
"Enough members of the IETF thought it inappropriate to put forward any document," Christey said. Instead, Christey, along with co-author Chris Wysopal, director of research and development for security company @Stake, will look for another group to submit the draft to.
Wall Street Journal (paid subscription required) - EBay plans to drop a controversial proposal to amend its privacy policy...
This link is an indirect one via Moreover.com. Paid subscription required, and I don't have a subscription, so I can't provide any interesting pull quotes from the article.
CNET NEWS.COM - eBay backs off privacy-policy change.
The revision had said that eBay might make statements regarding privacy rules on its site that conflict with its official privacy policy. In those cases, members had to agree that only the official privacy policy was the true statement of eBay's rules.
eBay is now updating that revision to encourage members to read the company's official policy if they have questions about eBay's rules on privacy.
[ ... ]
The change of the conflicting language is welcome, but it's just a start, said Jason Catlett, president of privacy advocate Junkbusters.
"This was the first change that needed to be made," Catlett said. "But there are still a lot of other problems with the privacy policy. It's still far from satisfactory."
eBay notified members last month that it was updating its user agreement and privacy policy. The changes immediately drew criticism from auction watchdogs and privacy advocates, who charged that the company was making it easier to disclose members' personal information or ban them from the site.
Catlett had taken special offense to the portion of the revised privacy policy that mentioned the multiple and possibly conflicting privacy statements.
He had said that the change would allow the company to misrepresent its policies to unsuspecting members, not to mention Web browsers that have built-in privacy protection features. Browsers such as Internet Explorer 6.0 do not depend on a company's full privacy policy, but on a concise summary of a company's privacy principles to guard against unwanted cookies.
Article also carried by:
ZDNet UK - Auction site backs off privacy-policy change.
After controversy surrounded proposed modifications to its privacy policy, eBay has provided clarification for worried users.
ZDNet - eBay updates privacy policy revision.
Newsbytes - Lawyers Cite Web Privacy Traps.
Companies marketing through Web sites in Australia may encounter some unexpected traps, law firm Corrs Chambers Westgarth warns.
The firm notes the Australian Competition and Consumer Commission (ACCC) and the Federal Privacy Commissioner have formed a joint taskforce to crack down on corporate Web sites which don't meet the requirements of privacy laws.
"Companies which mislead the public - even unintentionally - about their compliance with the Privacy Act, or how they deal with personal information, could be doubly exposed," says Corrs partner David Smith.
The Heritage Foundation - EFP02-02 (03/18/02): Privacy as a Trade Issue: Guidelines for U.S. Trade Negotiators.
Link to: PDF (207k)
Produced by the Center for International Trade and Economics (CITE)
The differential presents a classic trade problem. Country X prohibits or heavily regulates certain activity; country Y does not. The activity continues and expands in country Y, while representatives in country X become more frustrated. What should these countries do? Tolerate the regulatory arbitrage? Sanction country X to remove its regulations, or sanction country Y to adopt them? In large part, the answer depends on whether policymakers think that country Y or country X is doing the right thing. The assumption often is made that by passing data protection laws, the European nations are doing the right thing and the United States is not.
On close examination, this assumption is flawed. U.S. rules have favored the free flow of truthful information about real people and real events throughout the economy, with privacy as a carefully crafted exception rather than a default rule, and with protections for sensitive information that affects national security and defense. Only by protecting the free flow of information can consumers and firms around the world reap the full benefits of free trade.
Business Journals - Expert Opinion: Europe's privacy laws are some U.S. firms' privacy laws.
This link is an indirect one via Moreover.com. Registration required, and I don't have a subscription, so I can't provide any interesting pull quotes from the article.
Slashdot | Optical Cryptography.
Slashdot | More on Dell Dropping Linux Support.
New York Times (free registration required) - The Place for Public Documents: On File or Online?
Hospitals and insurance companies can readily obtain information about a physician's malpractice claims, but in most states the public cannot. But in at least 15 states, the Federation of State Medical Boards says, some such records are available on official Web sites. Physician groups in most states oppose the practice. Gale Scott discussed the issue with the presidents of two medical societies. These are edited excerpts of those interviews.