Channel: Lexician » Connect the Dots

OT: Corporate Non-Management (With Security Implications)


A couple of stories in the news this week highlight interesting intersections of corporate and legal worlds. In both cases — Google Street View data snooping and the LinkedIn security breach — there appears to be a lack of management oversight and common sense.1

Lawyers may ask, How could corporate legal allow these errors to happen? The real-world answer is that it’s management’s job to raise the questions and ask for opinions in the first place.

1. Google Street View Investigation

All sorts of agencies are investigating “don’t-be-evil” Google (that used to be their motto; doesn’t saying something three times make it true?). For years they collected all sorts of interesting information by snooping on WiFi transmissions as their cars took pictures for their Street View project. Here’s a link to today’s NY Times story (which may be behind a translucent paywall).

The issue isn’t whether this was a dumb idea (can anyone doubt that?) but whether someone at Google should have caught it. Lots of people supposedly reviewed the code and project plans. How can they not have noticed this? People are drawing the conclusion that there was a great conspiracy at play.

Never attribute to conspiracy that which can be explained by incompetence.

Is it believable that “sworn declarations by nine people … said they were not aware of the data collection either because it was not part of their job or they did not review the project documentation, even when it was provided to them”?

Unfortunately, yes.

First, Google has a notoriously lax (as in virtually nonexistent) management structure. There is no one saying you must do this or that, beyond defining the general outlines of each person’s job. Often this is good, but not always. It is highly probable that reviewing someone else’s documentation never hit the top three on anyone’s to-do list, which means it either didn’t get done or got a cursory I-glanced-at-the-first-page once-over.

Second, here’s a quote from the Times article about a senior programmer:

One person whose job was to review the computer code that operated the data collection program said that while he checked syntax and debugged the code, he had “no recollection of reviewing the Wi-Fi project design document.”

I worked with outstanding programmers for decades. Code reviews and debugging sessions focus intensely on finding low-level coding errors, with some review of overall efficiency (“elegance” in programmer-speak). There is little to no thought about what the code is actually doing.

Obviously, it was someone’s job to determine whether gathering WiFi data was a good (and legal) idea. It’s not at all clear to me that anyone has identified that person, or even given thought to discerning who that person was.

It’s also possible that no one at Google had that role. This isn’t a role for corporate legal per se; it’s a managerial role to know when to ask corporate legal for an opinion.

That brings us to story #2.

2. LinkedIn Security Breach

If you’re a LinkedIn user, you have changed your password in the past week, haven’t you? If not, put this article aside and change your LinkedIn password. Now.

More importantly, make sure you change the passwords to any other sites for which you used the same password as you did for LinkedIn. Now. (It’s critical that you do so for sites that contain real information, from a bank to your Facebook account to any corporate systems. It’s not so critical to change it for things like NY Times access, where thieves who know your password can do no more damage than lock you out by changing it on you.) See the security digression below.

You say you don’t really care about your LinkedIn info, that you don’t really use it anyway? Fine… but that’s not the real risk.

It’s likely that once the thieves have cracked the LinkedIn passwords, they’ll try them on the password holders’ other accounts. Some people will have used the same password on their checking account; they might as well wire their funds to the “Dear Sir or Madam” phishing letters from retired African dictators. Some will have used the same password for corporate access; oops….

Here’s the bigger issue:

  1. LinkedIn did not use anything resembling “best practices” in their password security.2 (See here, for example.)
  2. LinkedIn did not have a senior manager responsible for security. From an NY Times article: “LinkedIn does not have a chief security officer whose sole job it is to monitor for breaches. The company says David Henke, its senior vice president for operations, oversees security in addition to other roles.”

Again, how is corporate legal going to offer advice if no one is tasked with figuring this stuff out on the business side? Yes, I’m sure one or more engineers were responsible for implementing the password storage. Some years ago, someone likely said “we need to hash our passwords” and looked up an algorithm to do so; they presumably coded it correctly as well. However, it’s a management role to ask, “Are we doing all the right things for security? Are we keeping up with advances both in the state of the art and in the capabilities of the bad guys?” Hashing a password is not the same as storing it safely: which algorithm is used, whether every user gets a distinct salt, and how expensive each guess is made for an attacker all have to be revisited as hardware gets faster, and nobody revisits them unless someone is accountable for asking.
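As an added example (this is not code from the original post, and the post does not say what scheme LinkedIn actually used), here is the pattern that “we need to hash our passwords” often turned into, beside the corrected one. The weak version is a single fast, unsalted hash, which lets an attacker hash a wordlist once and look every leaked user up in a table; the hardened version gives each user a random salt and runs a deliberately slow key-derivation function, so every guess against every user costs a full KDF run. The user table and wordlist are constructed for the demo, the `$`-separated storage format is this example’s own convention, and the iteration count is kept low so it runs in about a second.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample data (not from any real breach): a small user table with two
# users sharing a password, and the attacker's short wordlist.
USERS = {
    "alice": "letmein",
    "dave": "letmein",
    "bob": "Summer2012",
    "carol": "I Am the Walrus was Paul 7!",  # long passphrase, not in the wordlist
}
WORDLIST = ["password", "123456", "letmein", "Summer2012", "linkedin"]

# Deliberately low so the demo runs quickly; production guidance for
# PBKDF2-HMAC-SHA256 is several hundred thousand iterations or more.
PBKDF2_ITERATIONS = 100_000


def weak_store(password: str) -> str:
    """The bare minimum reading of 'hash our passwords': one fast, unsalted hash."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def crack_weak(dump: dict) -> dict:
    """Attacker against unsalted hashes: hash the wordlist ONCE, then look every
    leaked hash up. Cost is per candidate word, not per user, and identical
    passwords are visible as identical hashes before any cracking starts."""
    table = {weak_store(word): word for word in WORDLIST}
    return {user: table[h] for user, h in dump.items() if h in table}


def strong_store(password: str, salt: Optional[bytes] = None) -> str:
    """Per-user random salt plus a deliberately slow key-derivation function.
    The parameters are stored alongside the hash so they can be raised later."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify(stored: str, candidate: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported hash format: {algo}")
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def crack_strong(dump: dict):
    """Attacker against salted, slow hashes: no shared table is possible, so each
    (user, word) pair costs a full KDF run. Returns (cracked, kdf_runs). Weak
    passwords still fall; the KDF buys time per guess, it does not rescue a
    password that is in the wordlist. Only carol's long passphrase survives."""
    cracked, attempts = {}, 0
    for user, stored in dump.items():
        for word in WORDLIST:
            attempts += 1
            if verify(stored, word):
                cracked[user] = word
                break
    return cracked, attempts


def build_dump(store_fn) -> dict:
    """Simulate the leaked table: what the attacker walks away with."""
    return {user: store_fn(pw) for user, pw in USERS.items()}


if __name__ == "__main__":
    weak = build_dump(weak_store)
    print("unsalted: alice and dave share a hash:", weak["alice"] == weak["dave"])
    print("unsalted cracked:", crack_weak(weak))
    strong = build_dump(strong_store)
    cracked, runs = crack_strong(strong)
    print(f"salted+slow cracked: {cracked} after {runs} KDF runs")
```

Two things to take from running it. The salt removes the shared lookup table and hides which users share a password, and the iteration count turns “hash the wordlist once” into “run the KDF once per user per guess”; neither saves `letmein`. That is the other half of the management question: storage parameters set the attacker’s cost per guess, and only the user’s choice of a long, unique password decides whether any number of guesses will do.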

People often ask, what does corporate management do, besides set budgets and hire people?

The answer is, they know what the tough questions are, they ask them, and they insist on answers.

Never attribute to conspiracy that which can be explained by incompetence.

Go attend to two matters of competency, one now and one this evening when you get home:

  1. Change your passwords for any sites for which you used your LinkedIn password. Now.
  2. This evening, turn on encryption (WPA2) and set a strong passphrase on your wireless router at home. The Street View cars could only read traffic from networks that were not encrypted.

Security Digression

  1. Consider using a password manager (a “vault”) such as LastPass to generate and store a unique, random password for each site, so that you never have to remember, or reuse, any of them.
  2. Use pass phrases where sites will allow spaces. (All should, but a few still don’t — including some Microsoft sites, which is ridiculous since Microsoft security people have been advocating this for a dozen years.) In other words, you might use “I Am the Walrus was Paul” (a conflation of two John Lennon songs), spaces included, for access to a Beatles-memorabilia site. Throw in a number or two and some punctuation as well. These phrases should be memorable to you but not obvious to anyone else. Don’t use your birthday, first pet’s name, etc. Longer, of course, is better, but in this case longer also equals easier to remember.
  3. Use different passwords for each account that contains any information of value. It’s fine to log into Slate and the NY Times with the same password. It’s probably not a good idea to log into Twitter with the same password, since if it’s compromised you could be in for some reputation repair. It’s certainly not a good idea to log into your bank or corporate/firm network with the same password.
