I’m fascinated by the hand-wringing and disbelief that accompanied the recent hack of Sony’s network, and particularly about the disclosure of embarrassing internal emails. Most of the commentary regarding the Sony hack has concerned either the salacious internal gossip that was revealed or the potential suppression of a mediocre movie whose plot may have been a catalyst for the hack, along with ongoing analysis of the security challenges for corporate networks in general. Yet, there has been little discussion of the “vulnerable-by-design” nature of email and the purposeful weakening of any expectation of privacy in workplace communications. Even if Sony’s leadership had responded more adroitly, and its technical staff had been able to rebuff the massive attack on their network, Sony’s email was already a potential weak point in the defense of sensitive information before any extortionist hackers got involved.
Consider, first, that email was designed in a more innocent age and traces its roots back to a time before the World Wide Web and the Internet as we know it today. An example of the limitations of the original design is the ease with which a spammer or phisher can “spoof” a legitimate email address, which basically involves swapping one address for another with about as much fuss as copy/pasting a sentence in Word. Just like revelations in recent years about the security weaknesses of the domain name system (DNS), there are venerable, fundamental systems operating on the internet that are nearly unpatchable and supremely vulnerable to the corruption and malfeasance of the modern age.
But there is more to the story of email’s vulnerability to disclosure than its technical limitations. We have actually chosen to make email particularly insecure, particularly in the workplace. Numerous times, employers have gone to court and consistently won cases upholding their right to read and monitor employee email without any specific cause or provocation. In addition to lower court rulings, a Supreme Court decision makes the employer’s right to monitor employee communications pretty clear. There have even been cases of employers seeking to legitimize the monitoring of non-work emails of their employees, and sometimes winning those too. Email privacy stands starkly apart from the the sacred trust conferred on a sealed letter headed to the post office. The grim acceptance of email content (and other electronic text) occupying some uniquely not-private status has been the norm for a very long time. Sony–its executives in particular–relied on an extremely untrustworthy medium to make snarky, even offensive comments about actors, projects, and President Obama, but they really should have known better. Unless we’re willing to wage a righteous fight to enshrine email, along with other workplace communications, with the same legitimacy enjoyed by the written (and mailed) word, we all need to grow up right now and stop pretending we can freely dish about our coworkers, clients, bosses, and other important people over email at work without repercussions. Let the Sony email hack serve as an eye-opening reminder to us all.
While we’re on the topic of workplace privacy intrusions, it bears briefly examining others to suggest that there is a progressive erosion of workplace privacy and ever-expanding culture of worker surveillance. If you work in a modern office, perhaps you’ve heard of “presence,” which involves using cues like a colored square in an email program to indicate your engagement with work. Maybe it’s green whenever you’re logged in and using your computer actively, red when you’re away or “busy,” and some other color for when all the system knows is that you’ve stopped typing–presumably to indicate that you might have stepped away or you might be talking directly to a colleague or you might be daydreaming. You’re forced to expose the moments that you dare to stop typing or clicking at your terminal like a good robot, even if you have otherwise satisfied the definitions of “present.” Newer phone systems, through integration with calendaring and messaging systems, helpfully supplement all this surveillance in the name of workplace efficiency and visibility. All in all, each generation of office technology seeks to inform others more and more about our every utterance and inclination.
Given such a workplace climate, should the staff at Sony really have had any expectation that their inner thoughts and most tasteless humor would not be made pubic someday? It’s not enough to cluck our tongues reciting abstractions about electronic privacy, particularly in the business world, being so shockingly vulnerable due to the efforts of hackers and other bad actors. In the case of workplace email, a culture of accessibility, disclosure, and exposure is built right in.
An in-depth NYT overview of the Sony hack can be found here.