Q3  PricewaterhouseCoopers acted in a short-sighted
                         fashion in trying to thwart the publication of ESNC’s


                         findings.

                 A3  ESNC operates to a responsible disclosure policy

                         publicly credited by SAP. A cease and desist order

                         and the implied threat of being sued, would in-of-

                         itself negate the raison d’etre of ESNC.


                         PWC seems to have acted in a knee-jerk manner,

                         seeing only the immediate potential impact on the

                         company rather the potential time-bomb waiting to

                         go off. Moreover, if it did explode it would have far

                         greater consequences on PWC as the company had

                         prior knowledge of its existence.


                         It may well be that the actions of PWC were based

                         on ESNC not being a company that had

                         authorisation or access to a license to use PWC’s

                         software and that ESNC were not entitled to warn
                         PWC. Moreover, the problem was hypothetical and


                         an unlikely scenario.


                         PWC did not sue ESNC

                 Q4  At the heart of the case study is the freedom of

                         security researchers publishing their findings.


                 A4  The World Wide Web Consortium standard,

                         Encrypted Media Extensions aimed at integrating

                         globally Digital Rights Management into browsers

                         carries with it the threat that if security researchers

                         come forward with reports of defects, they may be