“Dear Valued AT&T Customer”

Just received this email from “AT&T Chief Privacy Officer” <IPAD.06132010.001563@econfirmation.att-mail.com>. It’s a good example of a weasel apology.

Dear Valued AT&T Customer,

Recently there was an issue that affected some of our customers with AT&T 3G service for iPad resulting in the release of their customer email addresses. I am writing to let you know that no other information was exposed and the matter has been resolved.  We apologize for the incident and any inconvenience it may have caused. Rest assured, you can continue to use your AT&T 3G service on your iPad with confidence.

Here’s some additional detail:

On June 7 we learned that unauthorized computer “hackers” maliciously exploited a function designed to make your iPad log-in process faster by pre-populating an AT&T authentication page with the email address you used to register your iPad for 3G service.  The self-described hackers wrote software code to randomly generate numbers that mimicked serial numbers of the AT&T SIM card for iPad – called the integrated circuit card identification (ICC-ID) – and repeatedly queried an AT&T web address.   When a number generated by the hackers matched an actual ICC-ID, the authentication page log-in screen was returned to the hackers with the email address associated with the ICC-ID already populated on the log-in screen.

The hackers deliberately went to great efforts with a random program to extract possible ICC-IDs and capture customer email addresses.  They then put together a list of these emails and distributed it for their own publicity.

As soon as we became aware of this situation, we took swift action to prevent any further unauthorized exposure of customer email addresses.  Within hours, AT&T disabled the mechanism that automatically populated the email address. Now, the authentication page log-in screen requires the user to enter both their email address and their password.

I want to assure you that the email address and ICC-ID were the only information that was accessible. Your password, account information, the contents of your email, and any other personal information were never at risk.  The hackers never had access to AT&T communications or data networks, or your iPad.  AT&T 3G service for other mobile devices was not affected.

While the attack was limited to email address and ICC-ID data, we encourage you to be alert to scams that could attempt to use this information to obtain other data or send you unwanted email. You can learn more about phishing by visiting the AT&T website.

AT&T takes your privacy seriously and does not tolerate unauthorized access to its customers’ information or company websites.   We will cooperate with law enforcement in any investigation of unauthorized system access and to prosecute violators to the fullest extent of the law.

AT&T acted quickly to protect your information – and we promise to keep working around the clock to keep your information safe.  Thank you very much for your understanding, and for being an AT&T customer.

Sincerely,

Dorothy Attwood
Senior Vice President, Public Policy and Chief Privacy Officer for AT&T

Please do not reply to this email. This address is automated, unattended and cannot help with questions or requests.

© 2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property.
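The email describes a page that returned a customer's email address to anyone who supplied a valid ICC-ID. As an added example (not from the original post or from AT&T), here is a log check a defender could run to spot one client querying many distinct ICC-IDs; the log format, the `/login` path, and the threshold are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in a hypothetical log format:
# client address, quoted request, HTTP status, whether an email was pre-filled.
SAMPLE_LOG = """\
198.51.100.20 "GET /login?iccid=8900000000000000001" 200 prefill=1
203.0.113.7 "GET /login?iccid=8900000000000000417" 200 prefill=0
203.0.113.7 "GET /login?iccid=8900000000000000418" 200 prefill=1
203.0.113.7 "GET /login?iccid=8900000000000000425" 200 prefill=0
203.0.113.7 "GET /login?iccid=8900000000000000431" 200 prefill=0
203.0.113.7 "GET /login?iccid=8900000000000000433" 200 prefill=1
198.51.100.20 "GET /login?iccid=8900000000000000001" 200 prefill=1
192.0.2.55 "GET /login?iccid=8900000000000000002" 200 prefill=1
"""

LINE_RE = re.compile(r'^(\S+) "GET \S*[?&]iccid=(\d+)" (\d{3}) prefill=([01])$')


def find_enumerators(log_text, max_distinct=3):
    """Return {client: (distinct_ids_queried, emails_returned)} for clients
    that asked about more distinct ICC-IDs than one device plausibly would.

    A real iPad only ever presents its own SIM's ICC-ID, so a client that
    cycles through many identifiers is guessing, whatever its hit rate.
    """
    queried = defaultdict(set)
    exposed = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that are not in the assumed format
        client, iccid, _status, prefill = m.groups()
        queried[client].add(iccid)
        if prefill == "1":
            exposed[client].add(iccid)  # this response leaked an address
    return {
        client: (len(ids), len(exposed[client]))
        for client, ids in queried.items()
        if len(ids) > max_distinct
    }


if __name__ == "__main__":
    for client, (distinct, leaked) in find_enumerators(SAMPLE_LOG).items():
        print(f"{client}: {distinct} distinct ICC-IDs queried, "
              f"{leaked} email addresses returned")
```

The second number in each result is the count of addresses actually disclosed to that client, which is what a breach notification has to account for.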

Four comments:

  • Has AT&T invented mind-reading software that can determine people’s intent? The email asserts that the people who obtained the email addresses and ICC-ID “maliciously exploited” AT&T’s failure to secure private information, “deliberately went to great efforts”, and “distributed it for their own publicity”. Smearing people by assigning them ulterior motives for which you have no evidence is an old propaganda trick. It helps to deflect attention from your own culpability.
  • Speaking of culpability, AT&T apologizes “for the incident and any inconvenience it may have caused” but not for their negligence in setting up a system that allowed public access to private information in the first place. Come on now, AT&T, you can do better than that. How about: “AT&T apologizes for the lapse in our security that allowed this information to be obtained”? That’s what a proper apology looks like.
  • AT&T provides no explanation as to the consequences of publicizing my ICC-ID. I don’t care about exposing my email address, since it’s already strewn all over the internet (though I can imagine that some people are not pleased that their email address was exposed). But I have no idea what the ramifications are of exposing my ICC-ID to all and sundry. What should I look out for? Telling me to “be alert to scams that could attempt to use this information to obtain other data” is useless pap.
  • We should judge people and organizations by what they do, not what they say. When what is said is at odds with what is done, trust is broken. I don’t expect perfection, but the fact that AT&T avoids admitting that they screwed up makes me skeptical that “AT&T takes your privacy seriously.” Or that I can “Rest assured, you can continue to use your AT&T 3G service on your iPad with confidence.” Well, AT&T, I’m not assured.

Frankly, receiving this email reduced my trust and opinion of AT&T. It would have been better for them if they had never sent it.

#fail.

A potential drawback to hybrid events

Recently, there’s been a lot of buzz in the events industry about what are being called hybrid events where there are two audiences: people physically present, the local audience, and people connected to the event remotely, via Twitter, chat, audio, and video streams, the remote audience.

Event planners are excited about this new event model because it has the potential to increase:

  • overall audiences
  • interaction between attendees
  • exposure for the event
  • exposure for event sponsors and the hosting organization
  • the value of attendee experience through new virtual tools
  • the likelihood that a remote attendee will become a face-to-face attendee in the future

Because of these positives, I think it’s likely that events that include local and remote audiences will become more popular over time, as we gain experience about what formats work and become proficient at resolving the technical issues involved in successfully hosting these event environments.

But there’s one thing we may lose if we add a remote audience to our events.

At the face-to-face conferences I run, attendees start by agreeing to a set of ground rules. These ground rules create an environment where participants can speak freely and ask questions without worrying that their individual statements or viewpoints will be revealed outside the event.

It’s hard to convey the difference this assurance makes to the climate at Conferences That Work unless you’ve attended one. The level of intimacy, learning, and community is significantly raised when people feel safe to ask “stupid” questions and share sensitive information with their peers.

I’m not sure that it’s possible to create the same environment of trust when an unseen remote audience joins the local participants. Believing that everyone will adhere to a set of ground rules is risky enough when everyone who agrees is in the same room as you. To sustain the same trust when an invisible remote audience is added is, I think, a significant stretch for many people. If I’m right, the end result of opening up a conference to a remote audience may be a reversion to the more common environment of most conferences today, where asking a question may be more about defining status than a simple request to learn or understand something new.

Do you think that hybrid events can be designed so that they are still safe places for people to ask questions and share around sensitive issues? Or do you think I’m over-blowing the whole issue?

Jerry Weinberg’s ten laws of trust

Jerry Weinberg’s ten laws of trust are shared in his fantastic book, published twenty-five years ago and still in print: The Secrets of Consulting: A Guide to Giving & Getting Advice Successfully:

  1. Nobody but you cares about the reason you let another person down.
  2. Trust takes years to win, moments to lose.
  3. People don’t tell you when they stop trusting you.
  4. The trick of earning trust is to avoid all tricks.
  5. People are never liars—in their own eyes.
  6. Always trust your client—and cut the cards.
  7. Never be dishonest, even if the client requests it.
  8. Never promise anything.
  9. Always keep your promise.
  10. Get it in writing, but depend on trust.