the not-small implications of the palin email debacle

I consider the Palin Yahoo email account “hacking” incident a bit of a godsend. Yes, what happened was wrong, but it certainly brought to light some uncomfortable truths about digital security, policies, and even human nature. Warning: unpolished rambling ahead!

1) First, we get to question (all over again!) the actual security benefit of those super secret security questions. They’re not a security measure so much as a human forgetfulness safety net, although that may be arguable.

2) Palin was doing government business over public, personal communications lines. The drama continues to unfold, and this article in the Washington Post does an excellent job of illustrating the downward spiral that occurs when an important employee uses a personal, public service. (Turns out she has yet another non-compliant email address, too!)

“The judge issued the orders at the request of Andree McLeod, an Anchorage activist whose pursuit of Palin’s e-mails revealed that the governor did considerable state business from a Yahoo e-mail address — an arrangement that avoided the safeguards and accountability of the state’s secure e-mail system.”

This is only a portion of what happens when an employee decides to circumvent policies and use unapproved public/personal communication avenues. These policies are in place as much for entities to CYA as they are for security, and a lot of this legal wrangling over the implications of Palin’s practices has to do with her breaking known, accepted policies.

This will eventually go away and be forgotten, but it is a case in point about following policy and watching where the lines of personal and corporate interests lie.

3) I huddle in hacker circles, so I have to include conspiracy theory ramblings. 🙂 One has to look at the reasons why Palin and some of her associates would choose to do business over Yahoo and even that second, little-known, personal email account. In fact, why would anyone in a corporation or government have a drive to remain out-of-channel? Is it because they are evil and doing immoral things?

Most likely not. I’m realistic about human beings. We make mistakes, we have flaws, and we do have a tendency to cling to some sort of privacy; not just our own personal privacy but also some measure of privacy in dealings with others. We’re just really bad at it right now, because the Internet (and digital communications in general) has turned all those water-cooler whisperings or gym-locker jokes or wine-club business conversations or conference-room meetings into logged, tagged, indexed, and archived records. We’re still not used to that…hell, we’re still not legally sure where this all falls out! Yesterday’s off-the-cuff comments are today’s e-Discovery evidence.

In the end, we do have a human need and a tendency to keep some things off the record. We have to, really. But I don’t know if there is any really defensible way to say that without opening up terrible holes.

4) I would almost wager that every single employee at some point breaks policies about using work assets for personal uses, or vice versa. So, the question becomes: Is that bad? The trouble is the answer that starts with, “That depends…”