A Dutch court ruled today that a group of researchers who figured out how to break into RFID tags used in smartcards around the world can publish how they did it. The ruling takes a difficult and likely unpopular stand for free speech. If a computer program has a vulnerability, you should be able to publish the details – both to ensure that no future programmers make such mistakes and to provide information to consumers about the security of the company’s products – unless such knowledge was gained through fraud or breach of contract.
As my colleague Ryan Radia wrote me in an email on the subject, “The burden of ensuring a technology’s robustness lies with the creator. Government shouldn’t step in because you developed an insecure authentication system.”