Reader's advisory: Wired News has been unable to confirm some sources for a number of stories written by this author. If you have any information about sources cited in this article, please send an e-mail to sourceinfo[AT]wired.com.
The theory of security by obscurity may soon come under legal review.
Intentia, a prominent, mid-sized enterprise software vendor, says it filed a complaint on Monday with Sweden's National Criminal Investigation Department. The company claims a reporter from Reuters news service "broke into Intentia's computer systems" to obtain Intentia's third quarter 2002 financial results.
Reuters then published a news story revealing Intentia's quarterly results several hours before the company was scheduled to publicly announce the information.
Both Intentia and Reuters agree the Reuters reporter obtained Intentia's financial statement directly from Intentia's website.
But since Intentia did not provide an explicit link to the report, Intentia's lawyers consider Reuters' retrieval and early publication of the information a violation of intellectual property and computer system protection laws.
Reuters believes that once Intentia placed its quarterly report on its website, the information could no longer be considered confidential or private.
Swedish courts may be asked to determine whether or not providing an explicit link to information contained on a website is a valid method of protecting that information.
Internet security and legal experts say there should be no logical expectation of privacy when sensitive, confidential material is placed on a public website or server.
But security experts are concerned over the possible implications Intentia's complaint might have on researchers and reporters using the Internet to obtain information.
Reuters spokeswoman Susan Allsopp said the reporter who obtained the data was monitoring the Intentia site for the release of the company's quarterly results.
"The reporter did not use software that would penetrate or search Intentia's private systems. The reporter did not enter a password in order to obtain the data," Allsopp said. "The reporter simply went to the area of Intentia's site where such information is normally posted and found the report."
Sources employed by Reuters who requested anonymity speculated the reporter was able to guess the URL from prior knowledge of how Intentia URLs are constructed. Internet-savvy users will often tinker with URLs to quickly get to where they want to be on a website.
At first glance, the URL linking to Intentia's 2002 third-quarter report doesn't appear to be easily guessable, but an Intentia spokesman told reporters the same "protection" was used on previous financial releases. So it is possible that a reporter familiar with Intentia could have made an educated guess.
"I don't see how people are supposed to know what are 'public URLs' vs. 'private URLs' at a website," said security and privacy consultant Richard Smith. "People can't be mind readers."
"It's pretty simple. If Intentia didn't want outsiders to see their quarterly results before a certain time, then they shouldn't post them on their public website or they need a security system in place to protect their private documents."
Intentia CEO Björn Algkvist was quoted in the Financial Times as saying he "accepted the data should have been better protected."
But Algkvist insisted that since the Reuters reporter had to make "a determined effort" to obtain the document, the news agency should have known that the report wasn't intended to be public at the time it was retrieved.
Allsopp said that once the document was published by Intentia, it became public.
"It's not like a privately circulated press release where you would need to abide by a stated NDA (non-disclosure agreement)," Allsopp said. "By default, once the report was published by Intentia, it immediately became public. And it became a news story that we had to report."
Legal experts agreed that Intentia may have a problem convincing a court that the document was properly protected.
"So far, it has been up to the owner of the website to secure information of a confidential nature behind password protections, encryptions, firewalls or otherwise made inaccessible to the general browsing public," said Harvey Jacobs, an attorney specializing in Internet and intellectual property law.
But since the information published by Reuters was financial data that could influence investment decisions, other issues could come into play that could affect both Intentia and Reuters.
Reuters is headquartered in Great Britain. The U.K. Financial Services Authority forbids British companies from publishing sensitive material on their websites before distributing it to the market. Reuters could argue that Intentia violated that rule.
"It would seem that, at least under U.S. and U.K. law, Intentia could be held liable for negligently safeguarding information or for failing to take minimal steps to prevent inadvertent publication of sensitive market information," Jacobs said.
Swedish law requires listed companies to disclose financial information to the Stockholm stock exchange (Stockholmsbörsen) as well as at least two news agencies and three newspapers.