The real lesson from the devastation at Sony Pictures


Over the weekend, Sony Pictures attempted to put its digital toothpaste back into its poorly secured tube. It sent a letter on Sunday to news organizations requesting that they cease reporting on the “confidential and privileged” documents stolen from the company and delete any “stolen information” in their possession. The letter from renowned attorney David Boies, first reported by the New York Times and put online by the Hollywood Reporter, contained no explicit legal threat but did say that Sony Pictures would hold those who refuse to comply “responsible for any damage or loss arising from such use or dissemination by you… [including] any loss of value of intellectual property and trade secrets.”

Sony Pictures is trying to staunch its information bleed. Last week it tried to do so technologically, reportedly launching ‘bad seed’ attacks on the torrents used to disseminate stolen files. Now it’s attempting to muzzle the press. Though it’s a tactic that can backfire, bringing a new cycle of stories about the company’s troubles, it was inevitable. The only surprising part of the letter was how long it took Sony Pictures to send it out, two weeks after the hack became public.

Journalists have the right to report on illegally obtained information, but a chorus of voices has started questioning the ethics of that reporting and its impact on the privacy of Sony Pictures’ employees and those they corresponded with by email. On Twitter, director Judd Apatow compared the publication of executives’ embarrassing emails to releasing Jennifer Lawrence’s nude photos. And in the op-ed section of the New York Times, producer and screenwriter Aaron Sorkin, whose name and emails have popped up in reports, called the media coverage “morally treasonous and spectacularly dishonorable,” arguing that journalists are giving “material aid to criminals” by assisting hackers in dismantling Sony Pictures’ reputation. “I know there’s juicy stuff in the emails and I know some of us have been insulted and I know there’s more to come,” The Newsroom creator writes. “No one’s private life can totally withstand public scrutiny.”

This is true, but it is also true that these are no longer ‘private lives,’ simply by virtue of having been made publicly available on the Internet by criminal hackers. Once information is loose in the world, we can hem and haw about what should be done with it, but unless Sony Pictures has some actual memory zappers left over from Men In Black, it is virtually impossible to make that information just disappear — even with a sternly worded letter from a preeminent attorney. Unlike the nude photos released by iCloud hackers earlier this year, the documents contain information about the inner workings of a public company that are relevant for civic discourse, including evidence of salary inequity, casual racism by Hollywood’s power brokers, and attempts by industry groups to enlist attorneys general to punish their enemies (namely Google).

Sony Pictures’ efforts are too late. It needed to take action to prevent this volume of information from getting into the hands of hackers in the first place. When the leakage first began, Gizmodo’s Brian Barrett wrote a widely circulated piece calling the hack “goddamn terrifying” because of the way the hackers, in their desire to embarrass, extort or force the hand of a major Hollywood studio, made the privacy of the thousands of “civilians” who work at Sony Pictures collateral damage. Barrett’s takeaway from the hack was a privacy one: that we should assume we have none as soon as our fingers touch a keyboard. Via Gizmodo:

“If there’s any positive outcome from all of this, it’s the brute-force reminder that we’re all vulnerable in ways we don’t even realize. The best we can do—the deeply imperfect solution we’re left with—is to be aware of what we say at all times. To assume no private moments, at least not on any screen.”

I reject that conclusion. It’s too psychologically depleting to be “aware at all times” that everything we say, do, and digitize could go public. Accepting that premise means embracing the permanent state of paranoia necessitated by life in a Panopticon. The better grand takeaway from the Sony Pictures hack is a security lesson. We desperately need better stewardship of our data. Whether it’s our employers, or our social network, or the cab company with an app on our phone, we need these entities to understand how valuable our information is and protect it.

Perfect security does not exist. There are no walls — digital or physical — that can’t be scaled with time and skill, but there are reasonable steps to be taken to minimize the risks of information escaping those walls. Sony Pictures, by many accounts, did not take security seriously. Its information security team was small and top-heavy. The salaries for the entire information security team add up to just over half of what Sony’s CEO made last year, a reflection of the company’s priorities. The company had been informed that it was vulnerable to attack and that it had unencrypted personal information all over its network, ripe for the taking, but it apparently did not value that information highly enough to lock it down.

On top of insecure corporate infrastructure, individuals made poor decisions. They put passwords in files titled “passwords.” And the company’s employees learned nothing from Snapchat. Amy Pascal should not have had a casually racist email exchange — discussing the movies Barack Obama might enjoy — hanging around in her inbox for over a year just waiting to be hacked. Ephemerality is a privacy solution. The delete button exists for a reason.

Many companies regularly purge their corporate email, only retaining business records, like contracts, that they’re required to retain by federal regulatory law; anything relevant to ongoing litigation; or emails employees have specifically put into folders to be saved. “Most companies have an email deletion policy of 30 days, 60 days, 90 days, or 120 days,” says Lisa Sotto, a lawyer who specializes in privacy and security at Hunton & Williams. “People are very loose-lipped in emails so more often than not, companies want to have deletion policies in place to eliminate the legal risk around email.”

Actually, Gizmodo, the positive outcome from this is that executives across the land are watching the ravaging of the inboxes of Sony honcho Amy Pascal and her fellow executives. They are seeing how damaging this has been for her and for her company, and how truly devastating a breach can be, far worse than the spilling of credit card numbers — which are expensive but replaceable. They must be thinking seriously about re-evaluating the security of their own companies to make sure that this complete and total hacking won’t happen to them. And at the end of the day, that may well mean more private, un-hacked moments for us all rather than fewer.

* Updated with comments from Lisa Sotto
