4

In cybersecurity, we have a subject called "security theater", which means implementing a feature that only looks like a real security mechanism but doesn't literally do anything.

Is it against the law for, let's say, a company to implement a layer of security which is indeed nothing but a theater (in both the deliberate and indeliberate cases)?

It gives false confidence to the users of the system, who think their data are protected by the machine when they are not.

  • 8
    That's not what security through obscurity means. Security through obscurity is "it's unlikely an attacker would realize this." What you're talking about is security theater. – cpast May 05 '20 at 01:09
  • @cpast Yeah I think it's a security theater indeed – Amirreza Nasiri May 05 '20 at 09:47
  • It just needs some token port scanner or similar. Most security services are crappy so it is a low bar to meet. What you are saying is what most companies do. –  May 05 '20 at 02:03
  • How does this answer the question? – JBentley May 05 '20 at 09:55

1 Answer

6

Given that obscurity is not security, the company potentially exposes itself to claims of:

  • Misrepresentation under consumer protection laws, or even fraud (things that you sell are not quite what you claim they are, and you know it)
  • Negligence (people rely on your goods/services to be secure as per your claim but you take this very lightly and they get burnt).
Greendrake