On the security of visitor badges

If you've ever attended a meeting at your local Silicon Valley company, you've no doubt had the opportunity to sign in in the lobby. At many such companies—Google, for one—you are given the opportunity to accept or decline an NDA. In either case, you get a machine-printed name label, but if you declined the NDA, it has some distinctive mark indicating that you're not to be exposed to anything confidential.

As usual, it's worth asking what the threat model is here. There seem to be two major cases:

  • To prevent employees from accidentally treating non-NDA visitors as if they were NDAed.
  • To prevent non-NDA visitors from impersonating visitors who have signed the NDA.

With respect to the first case, I should start by mentioning that in my experience these badges are almost universally ignored. I, of course, decline the NDA and yet (without naming any names), colleagues routinely take me into sensitive areas or just let me walk around on my own without any kind of supervision. Even if employees did pay attention to the status of the visitor badge, the scope of the visitor NDA is so broad—and remember that when companies are really serious about confidentiality they have you sign a paper NDA—that it's hard to imagine your average employee wanting to reveal anything really confidential based on something you typed onto a console in the reception area. So, even in a non-malicious environment, it's not clear that this sort of labelling is of much use in distinguishing people who have signed the NDA from those who haven't.

Now let's turn to the malicious case. These badges are just ordinary sticky name labels like you could buy at Office Depot. It's trivial for me to get my own label maker and produce any label I want, including one that indicates I've signed the NDA. The only trick is knowing what a valid label looks like, but seeing as any reasonable-sized company mints hundreds of these badges a day, a little dumpster diving around campus is likely to yield a valid label. Alternately, you can just visit campus with a group of other people, decline the NDA, and hope that someone else doesn't, so you can get a good look at their badge. In either case, you don't need to do a very good job, since, as I mentioned above, employees don't seem to do a very good job of checking. [I should note at this point that there's a very similar but somewhat more sophisticated set of objections to the ubiquitous RFID employee badges, but that's a topic for another post.]

Finally, consider the threat from the visitor's perspective. To the extent that you're expected to be bound by an NDA you signed in the lobby (and since "signed" means that you clicked on some check-box or hit return in response to a dialog box, it's unclear to what extent that is), and given that you've presumably thrown away your badge, what stops the company from retroactively claiming that you executed the NDA even if you actually didn't? It's not clear whether this would really hold up in court; it's easy to claim that you weren't really paying attention and accidentally "signed", but that argument cuts against the value of the NDA to the company as well.


These procedures are often in place, but not strongly enforced, for two other reasons:

(1) The law often presumes that everything is free and open unless you take steps to make it otherwise. By having these badges (and perhaps by using a perfunctory NDA), they are providing a veneer of non-openness, and perhaps a thick enough veneer to give them legal protection.

(2) Having procedures ready and having people used to using them, at least at some level, makes it much easier to use them more seriously when they find they need to. If they should suddenly have a really super-secret project that they absolutely wanted to lock down, they might have some hope of doing so, where they wouldn't have a chance if people just came and went with no badges and no NDAs, however insecure it all is now.

Back when I worked on government projects, where Secret and Top Secret clearances and code-worded "compartments" were taken quite seriously, the badges needed to be displayed prominently and were harder to spoof. Escorts were also required, and the escorts would remind people that there were uncleared people present. At some facilities, there were red flashing lights installed in the ceilings, and they'd be turned on in the presence of uncleared people. That was hard to miss.

Conversations got to sound like something on "The Sopranos": "Hey, Bill," someone would say, seeing the "uncleared" lights on, "I have a question about that thing we were talking about last week. You know, the one where the tall woman and the fat guy thought we'd need a different algorithm for that stuff we're doing."
