Yesterday, Norwegian technology news site featured an article on shoulder surfing (Google translated link). Roughly 25% of those who commute by train are killing time working during the commute. With all new changes to work habits, focusing on commuters fall short – given that more and more people working from anywhere else than their workplace. A few years ago ComRes conducted a survey on behalf of The European Association for Visual Data Security, which showed that 71% of employees in companies had been able to see or read what others in the company worked with – over the shoulder of the person concerned. Given that, a whopping 53% said they took no precautions to hinder people from glaring at their screens – even if they worked on trains, planes or somewhere else. Could this possibly be related to my blog post “Culture and Lemonade React to Water“? It could be, or maybe not.  Anyhow – the article at focused much on work habits, but this issue also relates to communication. Isn’t this what this really is all about?

Trying to define “communicate” on Google yields this gem: “the imparting or exchanging of information by speaking, writing, or using some other medium”. Showing someone something is an act of communication, doesn’t matter if willingly or not. Think of it, if you glance at a computer screen, what has it communicated? Colors. Most likely. In my definition: noise, since you haven’t interpreted it yet. The problem hinted at in the introduction occurs when people starts interpreting it. Only then – IMHO – we got a problem.

Over the last few months I’ve spent my time commuting at just listening and observing my fellow commuters. I’m not spying, but I like to see how people interact with the social environment. So far there has been two observations that I want to pitch into the article. Here goes:

First. It amaze me how much information I can pull from a phone conversation. Last week on my way home a man plumped into the seat next to me. He was talking loudly on the phone. He was clearly questioning out a fellow employee. From what I could deduce he was a boss, or something similar. It turns out that his man blamed the employee for doing something not quite accepted. I felt quite sorry for the receiver, I think it is flat-out wrong discussing sensitive matters on phone on public transportation. During the conversation the man began to twist and turn in his seat making him flash his phone directly at me. I was thus able to see the name of the person he was calling. So from this I knew her name and roughly the reason for the conversation. I thought to myself: I should have reported this.

Second. People flashing confidential papers on the train. One morning before Christmas I was heading to work. I was simply relaxing sitting in my seat listening in on some suiting metal. A man plump down next to me. Yup. Norwegians loves to just plump down when they need to sit. In an old-fashioned way he whipped out a stack of papers. Every time he turned a page he would bump into me. Me getting a bit annoyed wanted to notice him about it and make him stop. Then I noticed some interesting headers and footers. They were “confidential”. It turns out he was reading business acquisition plan. Obviously, his company wanted to buy into a foreign plant. Great, I though to myself. Thanks for the information!

Yes. Before you mention it. I should have said a thing or two to them. But I didn’t. Anyway. As stated in the introduction, sharing information unwillingly happens all the time. Let’s consider the ramifications for a second. What if I applied some social engineering based in the information I’ve just obtained from my fellow commuters? What could I be able to do? Never mind what I can do, think of what a skilled attacker could do! For instance, an attacker might abuse the fact the man from the first observation had loose lips. The chances are that this man would reveal more juicy information if the attacker could track him around a bit. Even worse, if an attacker knew that the company from the second observation was planning to acquire a competing company, he could easily leak that information to a competitor which could/would place an even higher bid. OK – I might exaggerate the observation. But I can’t help myself toying with the idea.

Hmmm. From all of this I can’t keep wondering: why do people leak so much information? How is easy to explain. But the reasons why’s?