
Wednesday, September 16, 2015

The Consequences of Revealing Innocuous Data

Once you've lost your privacy, you realize you've lost an extremely valuable thing. - Billy Graham

Privacy is not something that I'm merely entitled to, it's an absolute prerequisite. - Marlon Brando

The #1206 “fiction” series continues …


The short, well-dressed but nondescript man sat in the car dealership with other customers in the customer service waiting area as they waited for their vehicles.  While most people put waiting at the dealership only a few pegs lower on the “fun scale” behind seeing their dentist or renewing their licence in the DMV line, he actually enjoyed spending time here.

After all, he wasn’t here waiting for his vehicle.

He was here to steal someone else’s.

Customers came and went over the next hour as he waited for a specific event to take place that would make his day worthwhile.  Finally, his wait was rewarded when the customer service supervisor walked into the waiting area and, on a large board on one wall, began to write customer names and vehicle identifying information.  It was a promotion for a vehicle buy-back program that the dealership was running and they had written on the board the names of the customers who would be in the dealership that week.

He pulled out his phone and began texting the information on the board to a colleague of his and as he did so, he smiled.  He and his team used to roam the streets of Calgary looking for specific models that were either easy to steal, easy to sell or both.  He had invested a lot of money in the security system disabler for those specific vehicles so he was locked into specific makes and models unless he chose to diversify his operation.

Now as he sat amongst the bored, tired and stressed customers, an employee of the dealership posted the information he needed which took away the need to waste hours roaming the streets.

“Efficiency is the name of the game in any business”, he thought with a smile.

When he first discovered this some time ago, he tried to take a photo of the board but someone stopped him and said it was a violation of privacy to do so.  He could have protested that the posting of information was more of a violation than photographing it but he needed the information and so he had apologized with a smile and sat down.

Now he stopped in every few days to obtain a new list of names, texted the information to a colleague and once confirmation came back regarding the home addresses of the individuals on the board, he would get up and leave. 

He didn’t take everyone’s name down but rather, only the ones whose vehicle descriptions were of appeal to him and over the next 24 hours, those vehicles would disappear from the driveways of unsuspecting customers and within hours after that, be disposed of.

As he noted the names from today’s “harvest”, he paused and frowned when he got to the last name on the list.

The name was very familiar to him.

After pausing for a moment more, he sent the name to his colleague as with the other ones but this one didn’t have any vehicle that he was interested in.


About 8 hours later, he sat parked in his car on a quiet street in Calgary ….. waiting in the dark.

As the vehicle he had seen on the list earlier in the day pulled into the driveway, for a moment he was distracted as memories tumbled through his mind.

Memories of love …. of pain …. and of revenge.

The restraining order that had been issued against him had insulted and embarrassed him in front of his friends and had been almost too much to bear.

When she had gone into hiding, it angered him because he wasn’t able to talk to her about her obvious misunderstanding and he swore that someday, she would pay for what she had done to him.

And now, in a moment of serendipity, he saw her climb out of her car and walk towards her door.

He turned off his interior vehicle lights so they wouldn’t illuminate when he opened the door, opened the door quietly and began to walk towards her quickly.

To be continued.


© 2015 – Harry Tucker – All Rights Reserved

Background

The story was inspired by an event that occurred this morning.  In the process of getting my vehicle serviced for a recall at a car dealership in Calgary, I realized that my name, my vehicle information and similar information for other customers was posted prominently on a board in the customer service area.

Given that the information was being used in a public area for a promotion and was being displayed without my consent, I requested that my name be removed.  I also pointed out that the information could be used to violate someone’s privacy and to prove the point, within 5 minutes, I had obtained the home addresses of 8 of the 10 customers displayed.

When I attempted to obtain a photo of the board, I was informed that photos couldn’t be taken because of privacy reasons.  Unfortunately, the privacy of these customers (and who knows how many before them) may have already been breached merely by posting the info on the board.

The tale of the auto thief is fiction and serves as an example of what a miscreant can do with such information.

The security system disabler referenced in this post is real and is easily obtained by those who make crime their bread and butter.

By the time this post was written, the board at the dealership had been erased but I still managed to obtain a photo anyway.

Was it erased to appease a customer and then redone when the customer left or will it remain empty?

By the way, it was interesting to note that the service people’s names on the bottom of the list were identified by first name only.  We mustn’t breach their privacy after all!

Maybe I should stop back tomorrow to check  ….. before someone else sees the board first.  Criminals are, after all, opportunists.  We need to think before we do stupid things so that we stop creating opportunities for them. [Author note: I checked the next day and the names are no longer on the board.  This dealership has always been amazing to me and I will continue to give them my business.  Sometimes what sets someone apart from others when it comes to service is how they respond when a customer has an issue and this dealership responded quickly and appropriately. However, may this post serve as a warning to what happens when we don’t think before we act when it comes to other people’s privacy.]

What do you think?

PS As a long time strategy advisor, I am paid to “see into the future”, anticipate actions and measurable outcomes for my client as well as for competitors and to create proactive strategic plans that maximize results while minimizing / mitigating risk.  If more people thought through their actions in the manner in which people in my industry do, with full knowledge of what could be, we would be able to avoid situations like this.  No matter how strange a scenario, failure to anticipate it almost always enables it.

Truth is stranger, and often more frightening, than fiction.

An Amusing Anecdote – Related But Not

I remember some years ago when a car dealership in my hometown was offering high-end stereos with the purchase of a new vehicle.  It turned out that the dealership had purchased a small number of these stereos and so when they sold new cars with the stereo installed in it, they arranged for someone to go to the home address of the new car buyers in order to steal the stereo from the new vehicle.  The stolen stereos were then “re-sold” in new vehicles, thus allowing the promotion to continue.

I don’t remember who eventually figured this out, but the notion of a car dealership involved in theft (instead of enabling it) came to mind as I wrote this. :-)

Series Origin

This series, a departure from my usual musings, is inspired as a result of conversations with former senior advisors to multiple Presidents of the United States, senior officers in the US Military and other interesting folks as well as my own professional background as a Wall St. / Fortune 25 strategy and large-scale technology architect.

While this musing is just “fiction” (note the quotes) and a departure from my musings on technology, strategy, politics and society, as a strategy guy, I do everything for a reason and with a measurable outcome in mind. :-)

This “fictional” musing is a continuation of the #1206 series noted here.

Thursday, January 8, 2015

Social Media: When TMI Stands For "Steal My Identity"

If we don't act now to safeguard our privacy, we could all become victims of identity theft. - Bill Nelson

When it comes to privacy and accountability, people always demand the former for themselves and the latter for everyone else. - David Brin

While in Calgary airport the other night, I happened to overhear someone from the drilling industry in Calgary speaking to an airline representative on the phone.  While in the process of making a reservation change to postpone his flight until the next day, he gave his email address to the person on the other end of the conversation.

I started twiddling on my phone and my travel companion asked me what I was doing.

“Professional curiosity”, I replied as I continued to poke on my phone.

Within 60 seconds, I had obtained this person’s name, birthday, home and work addresses, his home, work and mobile numbers, his boss’s name and contact information and how long he would be out of town.  At the same time, I obtained the same personal information for his girlfriend, thus confirming that they lived apart.  I also had his flight reservation code. One call on my part could have obtained his credit card information as well since I had sufficient information to pose as either of them.

I looked at my travel companion, sighed and then made the following observation.

“So after 60 seconds, I can do the following.  I can alter his flight information, changing or cancelling his flight.  I know he is out of town so I can arrange to break into his home.  If his girlfriend is staying at his house while he is away, I can break into her home instead since I know where she lives also.  I could stop by to see his girlfriend or stalk her if I was depraved enough to do so.  Their social media profiles are open to posting by non-friends so I could post things on either of their social media profiles just for the point of making trouble (something like “It was great seeing you last night, __name__.  I was relieved when you said that __name__ wouldn’t be back into town until __date__ and can’t wait to see you again.” or “the company that I work for, __name__, really sucks and doesn’t know how to do anything right”).”

I also had enough information to begin the process of stealing both of their identities.

All because of a couple of pieces of information that we carelessly toss around at will, not caring who hears it, and being a little too liberal with what is shared on the Internet.

People are always screaming about the importance of governments and social media platforms like Facebook working harder to protect our privacy.

However, I think that we need to do a better job of protecting our own privacy.

What do you think?

In service and servanthood,

Harry

Addendum

In this situation, neither of the people had children.  If they had, it is likely that I would have been able to obtain more information about the children than the parents would have appreciated.  However, I was able to obtain information about their relatives’ children.  I’m not sure their relatives would have been amused.

What if it were your kids?

Tuesday, December 3, 2013

The Alberta Government, Privacy and the Weakest Link

The trust of the innocent is the liar's most useful tool. - Stephen King

Learning to trust is one of life's most difficult tasks. - Isaac Watts

The Wildrose Party of Alberta, the Province’s official opposition, revealed an email today written by Darren Cunningham, the Director of Operations for the Premier of Alberta.

Here is the content of the email:

[Image: the email]

In Question Period today in the Alberta Legislature, the Wildrose Party attempted to make issue of this email and the costs that allegedly resulted from the request made by Mr. Cunningham (as explained on their website here).

Frankly I don’t think cost is the issue.  A few thousand here, a few thousand there – it’s all chump change when it comes to government budgets and in truth, the Wildrose Party (and any political party for that matter) can be dinged for wasting money just as easily.

As for the notion of piggybacking political gain on the backs of the people who were wiped out by the floods this year in Alberta, it is a terrible thing to do but politicians have done this since the beginning of time.  If you don’t like stuff like this, then turn your back on most politicians.

However, there is something important here that I am surprised the Wildrose Party didn’t appear to catch and presents a larger concern to me.

It is the fact that this email identifies a number of people inside the inner circle of the Premier of Alberta, one of the most influential politicians in Provincial / State politics in North America.

And it reveals that one of the people identified in this email, the staffers of one of these people or someone within the IT infrastructure of the Government cannot be trusted with the confidential information that they are privy to.

Why it matters.

The Premier of Alberta has partaken in many government and corporate sessions where the details are private for a number of reasons – either politically, diplomatically, national security-wise or some other perfectly legitimate reason, including the protection of corporate or personal information.  Much of this information could be very damaging if it were released inappropriately or to inappropriate recipients.

What this leak reveals today is that someone within this inner sanctum or someone attached to them cannot be trusted to honor the trust bestowed upon the Government and the safekeeping of the complex myriad of information that the Government requires in order to be effective.

Until we discover who is responsible for the leak, any piece of information communicated to or within the Premier’s Office must be considered as a candidate to be leaked if the leak serves someone’s need.

It’s like whispering secrets to the local busybody.  It’s not a matter of if the information will be shared but when – if the gossip is juicy enough, of course.

That’s the great challenge in regards to protecting sensitive information in the modern era.  We can wrap as many layers of technology and legislation around it as we want but it only takes one individual with an ulterior motive to undermine all of it.

The money allegedly misspent as a result of the aforementioned email can be recovered somewhere and in the grand scheme of things, doesn’t even register.

However, I think trust, once misspent, is not so easily recovered and therein lies a warning for all of us to strive harder to protect it.

What do you think?

In service and servanthood,

Harry

Tuesday, August 20, 2013

The Coffee Shop–The New Source of Privacy Leaks

I was in a coffee shop this morning where I couldn’t help but overhear a very loud conversation taking place. 

It was a strategy planning session for Alberta Health Services and ironically, the strategy session was about protecting privacy.  Names were named, email addresses and phone numbers were tossed around, different people’s positions were discussed, ways to bypass “difficult people” were evaluated, strategies to secure capital in a time of austerity were discussed, etc.

It was probably a conversation that I shouldn’t have heard and I won’t share details of it nor did I take notes.

However, it is not the first Alberta Health Services conversation I have heard in a public place.  I remember overhearing a nurse last year who proudly pointed out to a coffee colleague that she only looks up private patient information on behalf of people that she can trust and in a specific way so that no one else finds out she is doing it.

The only problem is that if you really want to keep a secret you don’t tell anyone – especially in a public place. :-)

I’m not picking on Alberta Health Services. 

I have overheard accountants discussing a company’s financial position in public (without the owners being present), lawyers planning their defense for murder, DUI cases and other litigation matters, politicians discussing strategy, senior politicians who left confidential or classified briefing notes on their table while they went to the restroom, confidential employee reviews, married lovers planning adulterous rendezvous, businessmen preparing for hostile takeovers, etc.

And then there is the less impactful but potentially problematic “Are you ready for me to read my credit card # to you?  It is ….. and the expiry date is …… and the name on the card is …..”.

I have been approached by lawyers and businessmen who, upon realizing that they were overheard, approached me and demanded I sign an NDA, which I have refused (although I have told a few of those folks that if they worked for me, they would have been fired immediately for indiscriminately sharing confidential information).

And I interrupted a potential terrorist who was writing a pro-Jihad presentation.  I wrote about this event in The Power of Trusting Your Instinct.

Protecting privacy used to be a source of humor

Back in the late 60s, we used to laugh at the character of Maxwell Smart in the TV Series “Get Smart” when he would insist upon using the Cone of Silence to protect the privacy of sensitive conversations.

But in the modern era, privacy is not a laughing matter.  We get up in arms about the NSA, Facebook and other groups snooping in our emails, social media interactions and phone calls while we freely share information that we shouldn’t (especially regarding our children) and we speak loudly in public places when we probably should wait for a more private moment. 

We log onto public Wi-Fi and conduct sensitive transactions despite the number of products out there that have been demonstrated to be able to read our online interactions no matter how secure those interactions are according to software vendors.

And yet we cry foul when someone else contravenes our privacy.

Protection of our privacy, whether personal or professional, is not only a matter for other organizations, private, public, judicial or legislative to take care of.

It is something we need to play a bigger role in ourselves.

Otherwise, it doesn’t matter what groups like the NSA or Facebook do – we’ve given it all away anyway.

Most of us who overhear or see that which we shouldn’t are trustworthy and will do nothing with the incessant flow of sensitive information that comes in our direction.

Unfortunately, the same cannot be said for all members of the human species.

Do you really want to take the risk of not knowing who is in the room taking notes?

I didn’t think so.

In service and servanthood,

Harry

PS Bad news, ██████████. You are about to be fired from ██████████ in Calgary.  HR and corporate legal just wrapped up their meeting at the table beside me and will tell you on Friday.  I Googled your name and found you in LinkedIn, Twitter and Facebook but it’s not my place to tell you.

Or is it – you appear to be a nice family guy from what you have shared publicly.  The GPS coords on the photos of your family are a nice touch also … if someone wanted to violate the personal space of your family.  Hmmmm … maybe you’re not so smart after all.


Addendum – August 20, 2013

I wrote about the same subject back in February of 2012 in the blog post Privacy and the Real Weakest Link, highlighting some of my concerns then. While not trying to be redundant, I think it is a subject that is worthy of revisiting once in a while until organizations and the people who represent them get their act together when it comes to privacy. 

What is curious to me as I revisit that blog entry is that it mentioned two social workers who were openly discussing (with some level of disgust) their current cases (with names).  I wonder if they were associated with Alberta Health Services also.  I hope not.

I also noticed that I was in a coffee shop when I wrote that blog also.  Before anyone asks, the answer is “No – I don’t live in or own a coffee shop”. :-)


Addendum – No One Cares - April 15, 2014

As news broke today of over $1 Billion in spending within AHS via sole-sourced contracts (in some cases in violation of its own rules), I reviewed some email exchanges I had with AHS staff where I described the things I noted in this blog post and other posts.

For the different interactions, people thanked me for the emails (proving they received them) but they never seemed to care nor did they ever bother asking for details.

I wonder what it will take to make them care.


Friday, July 13, 2012

The Shaw Fire And Why It Matters

At 7:12am MDT on July 13, 2012, Alberta Treasury Branch tweeted that their online systems were officially back up, approximately 40 hours after the fire in Shaw Court took out the primary servers of the data center they exist in and water from a sprinkler system took out their backup servers sitting in the same location.

I’ve been on a bit of a rant lately about the thoroughness of IT architecture and this unfortunate incident makes me angry.

I know there’s a lot of debate going on around why sprinklers were in the data center and why a non-water-based fire suppression system wouldn’t have been used.  As my buddy Mike D. explains, in a world where inert gas and other forms of fire suppression are very expensive, there are many data centers that actually opt for sprinklers (with an important caveat, which I will explain in a moment).

When hardware was expensive, we tried to save the hardware with non-water solutions.  As hardware became cheaper, the services provided by the hardware (and not the hardware itself) became the priority, which means bouncing control to the secondary site while aggressive fire suppression (including water) deals with the primary location. 

The following statement, released yesterday, explains why this incident makes me angry as an architect:

The system-wide outage was caused when a transformer exploded in an electrical room at Shaw Communications’ downtown headquarters Wednesday afternoon. Although the backup system was activated, when the sprinklers came on, they were also taken out.

This statement violates a basic truth in IT infrastructure.

It doesn’t matter if your building is fire proof, earthquake proof, tornado proof, nuclear bomb proof or whether it has its own nuclear reactor for unlimited power.  It doesn’t matter if error-prone humans are not allowed in the building, replaced by “perfect robots” (created by error-prone humans).

You never put your primary and backup servers in the same place.

There’s one thing that we know about IT and communications.

Murphy’s Law rules everywhere.

When you put your primary and secondary systems together, you are doing so while crossing your fingers, picking a 4-leaf clover, sacrificing a goat to the gods and saying a silent prayer that bad things won’t happen to you.

Most people who put both systems together often do it because:

1. They are saving money

2. They don’t know any better

3. They are overly confident of their solution

4. They don’t care, exposing themselves to Hanlon’s Razor – “Never attribute to malice that which is adequately explained by stupidity.”

Money Rules the Day

I suspect it was reason #1 … well, I hope it was anyway because the other 3 reasons are REALLY problematic.

The reason this event makes me angry is that physical separation of primary and failover servers is basic, teach-the-kids-in-college stuff.

And so when I see some significant names taken out because economics seem to have ruled the day, I wonder what other architectural best practices have been compromised by economics – best practices in the areas of privacy, security or other areas.

I worry because I have seen over the years that the factors listed above tend to not settle in just one area of an organization’s architectural best practices.  Once factors that limit effective solutions are present, they tend to be pervasive through all aspects of an organization’s IT solutions.

If it was for reasons 2-4 (non-financial reasons), the players involved need to be considered for re-education, reprimand or “retirement”, including but not limited to:

1. The architect(s) who designed the solution.

2. The data center facility manager(s) who approved it.

3. The customer service exec(s) who sold it to other orgs (unless they don’t understand it, in which case they shouldn’t be selling it anyway).

Regardless of the reason, the following need to be considered for the same “special treatment”:

1. The leadership team of the creator of the solution.

2. The buyers representing ATB, Alberta Health Services or other groups who evaluated and recommended use of the solution.

3. The leadership team of the buyers who signed off on the solution.

If it was for reason #1 (which, in a twisted sort of way, offers the most comfort), the bean counters now need to reflect on the result of their cost saving venture as they sort out consumer impact and a multi-tier service level agreement involving IBM, Shaw Communications and the many users of the facilities, including ATB, Service Alberta, Alberta Health Services (which cancelled surgeries as a result of the fire) and other groups.

Failures like this matter to all of us since that which we tolerate today becomes the norm tomorrow. And we know what history teaches us:

Those who don’t study history are doomed to repeat it while those who study history are doomed to watch those who don’t repeat it.

Or maybe, given that similar failures have occurred in the past such as with Aliant 6 years ago, maybe the truth is that:

History teaches us that history teaches us nothing.

The Bottom Line

For me, no matter what the reason for the failure, doubt has been planted in my mind.  Doubt that makes me wonder where else compromises have been made.

And will such compromises produce a 2-day inconvenience the next time or will it be more dramatic or problematic?

Only the architects of the affected organizations really know.

I wonder how many 4-leaf clovers they have in their back pocket.

In service and servanthood,

Harry

 

PS   In reflecting on my experience over the years with data centers, I remembered an interesting incident early in my career.  During a tour of a data center containing classified government information, I was asking questions about the halon fire suppression system.  The system was designed to seal the data center, with no means of reopening the doors or exiting from the inside until the fire was under control. 

As a young, naive IT guy at the time, I remarked that while I saw 20 or 30 people working in the data center, I only saw a small handful of breathing apparatus to be used by these people should escape be required.

With that, he escorted me to his office and pulled out their operations guide.  In it, in clear language that could not be misinterpreted, one policy jumped out at me.

In case of fire, the first priority was to save the facility.

To be able to save the people inside was secondary in importance.

In essence, they were expendable.

Of course, everyone assumed that a fire would never occur in that data center and so such a policy wasn’t questioned. 

But as in the case of the Shaw Court fire, you know what happens when one assumes things.

I would like to think that in today’s world, such a policy within a data center like that couldn’t exist.

But then again, who knows?

 

Addendum: July 14, 2012

Three days after the fire, the impact on Alberta Health Services and other organizations continues to be felt. Public accountability and transparency are essential to understanding what happened and how such situations can be prevented moving forward.

Wednesday, May 9, 2012

Sex and Premature Dissemination

I was riding public transit recently and seated across from me was a lady in her mid 30s, impeccably dressed with what appeared to be painful abrasions on her knees.

While it was definitely none of my business to ask how she had acquired them, a lady sitting next to her happened to notice them and asked what had happened.

In a hushed voice (we all know how “hushed” a voice we can use on a bus, right?), the lady with the scabbed knees went into great detail about Ron ███████, apparently a successful attorney in the city of ███████, and his insatiable but delightful prowess in certain areas.

While Mr. ███████ may be an awesome lover, his reputation is being destroyed by this woman who happily describes many things about him that the rest of us shouldn’t know.  He should either find a more intelligent woman to hang out with or buy his women carpenter’s knee pads to prevent curious passengers on public transit from instigating dialog.

Information is a fascinating thing, being a key component to creating success or catastrophic failure depending on how it is used.

Too much information can make some people paranoid while empowering others to create powerful results.  Too little can allow some people to live a life of ignorant bliss while driving others to rearrange their Life priorities in order to satisfy some craving or need.

As we immerse ourselves in the age of mobility, preferring to be out-and-about instead of being confined to an office, many are forgetting that such mobility comes with new rules regarding who is around us when we are discussing private matters and who is in a position to obtain and use the information we believe to be private.

I’ve watched businessmen in coffee shops vehemently complain about how Facebook’s privacy policy is way too lenient and then go into amazing levels of detail about an imminent court case against a specific person while stressing the importance of not telling anyone because they don’t want the potential defendant in the case to be prepared.  Meanwhile, people like me, who could be someone closely related to their target, sit at the table next to them and hear the entire conversation.

I’ve overheard lawyers explaining loopholes to DUI drivers who had killed others in accidents, accountants showing clients how to hide their money illegally from the system, guys planning M&A (merger and acquisition) intentions with the highest level of confidentiality, investors discussing secret arrangements, lawyers and doctors discussing privileged information (naming their clients) and even observed one possible terrorist preparing a PowerPoint deck containing his thoughts on jihad.

Then there’s my other personal favorite … the occasional errant email meant for someone else, outlining a highly confidential arrangement that gets emailed to me by accident, followed by a follow-up threat that the information sent to me by accident is privileged and I am not allowed to do anything with it.  They don’t realize that one-way implied contracts have no legal merit nor can they undo the damage that may have been done.  At that moment, they are relying on the values and ethics of the person who received such information in error.  If I were the owner of the information, I’d rather not peg my success on such wishful thinking.

More than once, I’ve had people who, upon realizing that I had overheard them in a public place, demanded that I sign an NDA (non-disclosure agreement).  Unfortunately, I could not comply with their request.  Signing such a document doesn’t cover up their incompetence.

Information in the hands of the unknowing is useless and much of it goes by our ears every day without striking a chord with us.  However, information when mixed with context, strategic plans and tactical intention in the right person’s hands becomes knowledge.

And knowledge is power.

Who you share it with, who shares it on your behalf and who shares knowledge about you provides the opportunity to amplify or diminish that power.

I hear a lot of “gurus” tell people about how they are always on the alert to glean things from the information being shared around them.

Success, personal and professional, also requires one to be on the alert regarding how we share information with others and whom we share it with.

Instead of focusing solely on people who have access to our private information and being paranoid about what they will do with it, whether it be Facebook, some email provider or the like, we should remember that oftentimes, the greatest disseminator of private information is still the person who owns the information and who therefore has ultimate responsibility for keeping private what is meant to be private.

When we point our finger elsewhere and demand better privacy oversight from someone else, we should note where the other three fingers are pointing.

Because oftentimes, that is who we should be expecting more from.

In service and servanthood,

Harry

Wednesday, February 15, 2012

Privacy and the Real Weakest Link

An interaction I had with someone in a coffee shop today reminded me that much of our anxiety about privacy is being focused in the wrong direction.

This gentleman was speaking quite loudly into his cell phone and given that he had his phone volume turned very high, I was able to hear both sides of the conversation quite plainly.

When he was done, he noticed I was sitting in close proximity and came over with paper in hand.  As I looked up, he asked me if I would be kind enough to review and execute the document he held out to me.

I looked at it and realized he was asking me to sign a nondisclosure agreement (NDA) on behalf of a company clearly identified on the documents.  The purpose of the document (for those unfamiliar with NDAs) is to protect him and his client from any inappropriate use of the information I had gleaned from his conversation.

When I indicated that I had no interest in signing the document, he grew a little agitated and insisted that I sign it or face some kind of unidentified penalty.  I got equally insistent (and slightly agitated) that I had no interest in signing it and was not legally bound to do so merely due to his inappropriate activity.

He got very upset but left without further incident.

After he left, I got to thinking about privacy in general.  As someone who has consulted to Wall St. organizations, Fortune 25 companies and government agencies for years, I know for a fact that privacy and security of information is merely a suggestion, an empty promise made to the public so that they will continue to consume the services offered by these organizations.

Major compromises of this information by people who have the capability to steal our private information at will are not an “if” but a “when”, with most of them waiting for the appropriate time that provides them with maximum value for the data stolen.

Meanwhile we live with the myth that everything has been done to safeguard our information (in much the same way that we promote the myth of airline security so that people will continue to fly).

Despite these myths, we pour billions of dollars into information and personal security, providing little real security with the exception of financial security for the firms providing ineffective solutions.

Closer to Home

Thinking back to my interaction with this guy this morning, I have enough information to sink this company or to create an overnight competitor.  Clearly his activity is in violation of the very NDA agreement he and his client are pushing on others.

But he is not alone in inappropriate behaviour.

I have overheard other interesting conversations in public places over the years, including accountants explaining to clients how to illegally circumvent taxation rules, lawyers explaining to DUI hit-and-run clients how to successfully get the charges dropped through various loopholes, company executives discussing private information prior to mergers, acquisitions and takeovers and a potpourri of other tidbits that I really shouldn’t be privy to.

Such incidents are not limited to conversations overheard in public areas.  On a red-eye from Calgary, Alberta to St. John’s, Newfoundland a couple of years ago, as I walked to the bathroom in executive class I walked by two well-known Newfoundland and Labrador Government Ministers.  They had both fallen asleep in their seats, with a collection of clearly marked highly confidential documents spread out on their trays.  I could have lifted a few, dropped them off at a newspaper office anonymously and watched with amusement as a controversy developed.

How about the NTSB official sitting next to me on a flight out of Newark, NJ who went to the bathroom and left a highly confidential crash report (complete with delicate photos) spread out on his tray?

How about the two women (whom I assume to be social workers of some type) sitting next to me as I write this, explicitly naming the people in their case files and expressing disgust over the best way to “handle them”?

Or one of my favourites … when I inadvertently happened to look over someone’s shoulder in a Starbucks and discovered a potential terrorist documenting his interests and intentions.  I wrote about that in “The Power of Trusting Your Instinct”.

The bottom line is this.

Technology is not and should not be the sole focus of our concern around the protection of sensitive information.

The weakest link is, not surprisingly, the individuals who carry the information and how they conduct business when in possession of this information.

Until we demand better common sense and accountability from these individuals, our concerns around privacy will go unanswered, mostly because we are pouring too much of our time, energy and money into solving the wrong problem while still feeling good about how secure we are.

When organizations tout some technology as the latest and greatest in information protection, we should never forget that the weakest link when it comes to vulnerability will always be people and we should hold these organizations to be appropriately accountable as a result.

When they assure us that everything is secure, we must never be timid in asking “How do you know?” and must continue asking until we are satisfied with the answer.

Now … what about this company in Calgary?

Their secret is safe with me.

However, the next guy who overhears such a conversation may not be as kind.

Create a great day for yourself and others, in service and servanthood.

Harry

Addendum – August 20, 2013

After listening to some team members of Alberta Health Services today openly discussing things that I shouldn’t have overheard, I wrote The Coffee Shop–The New Source of Privacy Leaks.