Last week, I was interviewed by NPR show host Larry Mantle about the recent Sony hack. I was asked to speak about it, I believe, because I was featured in the first paragraph of the recent Pew Internet report, The Future of Privacy. The authors asked this question:
Will policy makers and technology innovators create a secure, popularly accepted, and trusted privacy-rights infrastructure by 2025 that allows for business innovation and monetization while also offering individuals choices for protecting their personal information in easy-to-use formats? Describe what you think the reality will be in 2025 when it comes to the overall public perception about whether policy makers and corporations have struck the right balance between personal privacy, secure data, and compelling content and apps that emerge from consumer tracking and analytics. Bonus question: Consider the future of privacy in a broader social context. How will public norms about privacy be different in 2025 from the way they are now?
I responded in this way (bold added for emphasis):
The powers-that-be will not come together to support this, and the technological underpinnings of the massively distributed infrastructure of the Web—changing all the time—cannot be easily curtailed. For example, imagine just the issue of Chinese-designed and built mobile operating systems. We have seen the emergence of publicy as the default modality, with privacy declining. In order to ‘exist’ online, you have to publish things to be shared, and that has to be done in open, public spaces if serendipity—or influence on more than existing friends—is desired. People have come to rely on implicit norms that do not take into account big data algorithms or the NSA reading literally everything, or they accept the hypothetical consequences of openness as a byproduct of its direct benefits.
And Larry Mantle asked me whether the Sony hack is going to represent a real turning point in the business around security, specifically when it comes to email. Here’s more or less what I said:
Email should be treated, going forward, as if it is ephemeral, and companies should, to the extent that they legally can, delete all emails after a relatively short period of time. Email is a system of communication, not a system of record. It’s notoriously bad as a repository for information. So we should all start putting important information into other systems, and try to secure them better than Sony did.
JP Rangaswami, now the Chief Scientist at Salesforce, told me about his open email policy, which he used while at UK phone company BT. He set up his email in such a way that all of his direct reports could see all of his email communications. His intent was to let them “look over his shoulder” when dealing with partners, fellow execs, and others. That practice led to a very different set of behaviors in that group. And I bet that many of the folks at Sony now wish that they had operated as if their email was public instead of private.
But what we have learned from the Sony hack is that we need to operate as if everything we write is public, because it could be, next week.