Pay-for-Security: Is it Right?

Is it right for a company or a service to force you to pay in order to be secure? Put another way, you will not be secure from attackers and other nefarious goings-on unless you pay up. The most sinister of these possibilities is that you could fall prey to identity thieves and spend many years cleaning up the mess an identity thief can create.

If you look at a lot of web services, they will only provide you with secure sessions (using SSL) if you pay. What would be their liability, one wonders, if data sent in the clear were intercepted and used for some ill gain?

Alternately, some computer companies (and even security companies) have taken the stance that, in order to be secure, you must pay for a membership or support contract. If you do not pay, then you will remain insecure (though usually only for a few weeks instead of forever). Thus, patches and notifications of security risks are held back, placing servers across the Internet at risk and affecting thousands of users.

Certainly, enhanced security products may be sold to users and administrators, but what if even basic security requires an up-front payment? Who is liable for the lack of security when even the basic elements are missing?

When is it right to withhold information that would improve the security of servers on the Internet or of users at large? Perhaps the only time is when there is no way (yet) to mitigate the security risk – perhaps.
