Wednesday, February 15, 2012

Privacy and the Real Weakest Link

An interaction I had with someone in a coffee shop today reminded me that much of our anxiety about privacy is being focused in the wrong direction.

This gentleman was speaking quite loudly into his cell phone and given that he had his phone volume turned very high, I was able to hear both sides of the conversation quite plainly.

When he was done, he noticed I was sitting in close proximity and came over with paper in hand.  As I looked up, he asked me if I would be kind enough to review and execute the document he held out to me.

I looked at it and realized he was asking me to sign a nondisclosure agreement (NDA) on behalf of a company clearly identified on the documents. The purpose of the document (for those unfamiliar with NDAs) is to protect him and his client from any inappropriate use of the information I had gleaned from his conversation.

When I indicated that I had no interest in signing the document, he grew a little agitated and insisted that I sign it or face some kind of unidentified penalty.  I got equally insistent (and slightly agitated) that I had no interest in signing it and was not legally bound to do so merely due to his inappropriate activity.

He got very upset but left without further incident.

After he left, I got to thinking about privacy in general.  As someone who has consulted to Wall St. organizations, Fortune 25 companies and government agencies for years, I know for a fact that privacy and security of information is merely a suggestion, an empty promise made to the public so that they will continue to consume the services offered by these organizations.

Major compromises of this information by people who have the capability to steal our private information at will are not an “if” but a “when”, with most of them waiting for the appropriate time that provides them with maximum value for the data stolen.

Meanwhile we live with the myth that everything has been done to safeguard our information (in much the same way that we promote the myth of airline security so that people will continue to fly).

Despite these myths, we pour billions of dollars into information and personal security, providing little real security with the exception of financial security for the firms providing ineffective solutions.

Closer to Home

Thinking back to my interaction with this guy this morning, I have enough information to sink this company or to create an overnight competitor.  Clearly his activity is in violation of the very NDA agreement he and his client are pushing on others.

But he is not alone in inappropriate behaviour.

I have overheard other interesting conversations in public places over the years, including accountants explaining to clients how to illegally circumvent taxation rules, lawyers explaining to DUI hit-and-run clients how to successfully get the charges dropped through various loopholes, company executives discussing private information prior to mergers, acquisitions and takeovers and a potpourri of other tidbits that I really shouldn’t be privy to.

Such incidents are not limited to conversations overheard in public areas.  On a red-eye from Calgary, Alberta to St. John’s, Newfoundland a couple of years ago, as I walked to the bathroom in executive class I walked by two well-known Newfoundland and Labrador Government Ministers.  They had both fallen asleep in their seats, with a collection of clearly marked highly confidential documents spread out on their trays.  I could have lifted a few, dropped them off at a newspaper office anonymously and watched with amusement as a controversy developed.

How about the NTSB official sitting next to me on a flight out of Newark, NJ who went to the bathroom and left a highly confidential crash report (complete with delicate photos) spread out on his tray?

How about the two women (whom I assume to be social workers of some type) sitting next to me as I write this, explicitly naming the people in their case files and expressing disgust over the best way to “handle them”?

Or one of my favourites … when I inadvertently happened to look over someone’s shoulder in a Starbucks and discovered a potential terrorist documenting his interests and intentions.  I wrote about that in “The Power of Trusting Your Instinct”.

The bottom line is this.

Technology is not and should not be the sole focus of our concern around the protection of sensitive information.

The weakest link is, not surprisingly, the individuals who carry the information and how they conduct business when in possession of this information.

Until we demand better common sense and accountability from these individuals, our concerns around privacy will go unanswered, mostly because we are pouring too much of our time, energy and money into solving the wrong problem while still feeling good about how secure we are.

When organizations tout some technology as the latest and greatest in information protection, we should never forget that the weakest link when it comes to vulnerability will always be people and we should hold these organizations to be appropriately accountable as a result.

When they assure us that everything is secure, we must never be timid in asking “How do you know?” and in continuing to ask until we are satisfied with the answer.

Now … what about this company in Calgary?

Their secret is safe with me.

However, the next guy who overhears such a conversation may not be as kind.

Create a great day for yourself and others, in service and servanthood.

Harry

Addendum – August 20, 2013

After listening to some team members of Alberta Health Services today openly discussing things that I shouldn’t have overheard, I wrote “The Coffee Shop – The New Source of Privacy Leaks”.
