McNealy's Law

“You have no privacy. Get over it.”

Oh, Scott McNealy caught a lot of heat for that one. Formerly the CEO of Sun Microsystems, his observation — all the way back in 1999 — set off a huge firestorm. How dare the CEO of Sun, whose machines store terabytes and terabytes of private information, say openly that this information is bound to leak! The reaction was pretty much uniformly either…Denial or Anger.

That doesn’t mean he wasn’t right.

So the Chairwoman of HP’s board got caught with her hand in the metaphorical privacy cookie jar. Maybe she’ll lose her job, maybe she won’t. But the fact that she had the cookie jar, sitting right there, filled with yummy delicious potentially leak-identifying cookies, is the greatest proof of McNealy’s Law yet.

I hereby dub it Dunn’s Corollary: Not even board members have privacy. Get over it.

Now, before everyone goes Denial/Anger on me too, please understand. I despise this state of affairs. But to despise a state of affairs is to accept that it exists — and there’s ample evidence that what Dunn has been accused of ordering is actually pretty common. It’s been almost a year since the Chicago Sun-Times remarked in an investigation (oddly similar to “you can download pirated software online!!!”) that Your Phone Records Are For Sale. Sure was a lot of noise back then too, and then…nothing. I mean, how hard would it have been to go and arrest these guys? These aren’t back-alley cash transactions; they’re taking money over the Internet. I do believe we know how to track such things.

There were lots of conspiracy theories as to why these arrests never happened, but nothing solid. And now, eight months later, Patricia Dunn finds herself under siege by people shocked — shocked! — that cell phone records can be acquired surreptitiously. Has there been even a single press report that’s observed that cell phone traffic has essentially been public record for over a year? Everything I’ve seen has implied that “pretexting” (read: social engineering) is some big complex thing that was practically invented to go after HP Board Members. Ah, no.

If there’s a lesson to be learned from Dunn’s Corollary, it’s that privacy vulnerability does not constrain itself to politically convenient segments of society. And if we are to respond to this latest demonstration of McNealy’s Law, we could potentially restate it as: You have no privacy except that which is enforced.

Will there be greater enforcement? I don’t know. Perhaps this is radioactive enough to be the first of what my friend Adam Shostack has dubbed “Privacy Chernobyls”. I’ll wait and see.
