Misc: September 2010 Archives
September 30, 2010

If you've ever attended a meeting at your local Silicon Valley company, you've no doubt had the opportunity to sign in in the lobby. At many such companies—Google, for one—you are given the opportunity to accept or decline an NDA. In either case, you get a machine-printed name label, but if you declined the NDA, it has some distinctive mark indicating that you're not to be exposed to anything confidential.

As usual, it's worth asking what the threat model is here. There seem to be two major cases:

  • To prevent employees from accidentally treating non-NDA visitors as if they were NDAed.
  • To prevent non-NDA visitors from impersonating visitors who have signed the NDA.

With respect to the first case, I should start by mentioning that in my experience these badges are almost universally ignored. I, of course, decline the NDA and yet (without naming any names), colleagues routinely take me into sensitive areas or just let me walk around on my own without any kind of supervision. Even if employees did pay attention to the status of the visitor badge, the scope of the visitor NDA is so broad—and remember that when companies are really serious about confidentiality they have you sign a paper NDA—that it's hard to imagine your average employee wanting to reveal anything really confidential based on something you typed onto a console in the reception area. So, even in a non-malicious environment, it's not clear that this sort of labelling is of much use in distinguishing people who have signed the NDA from those who haven't.

Now let's turn to the malicious case. These badges are just ordinary sticky name labels like you could buy at Office Depot. It's trivial for me to get my own label maker and produce any label I want, including one that indicates I've signed the NDA. The only trick is knowing what a valid label looks like, but seeing as any reasonable-sized company mints hundreds of these badges a day, a little dumpster diving around campus is likely to yield a valid label. Alternately, you can just visit campus with a group of other people, decline the NDA, and hope that someone else doesn't so you can get a good look. In either case, you don't need to do a very good job, since, as I mentioned above, employees don't seem to do a very good job of checking. [I should note at this point that there's a very similar but a bit more sophisticated set of objections to the ubiquitous RFID employee badges, but that's a topic for another post.]

Finally, consider the threat from the visitor's perspective. To the extent to which you're expected to be bound by an NDA you signed in the lobby (and since "signed" means that you clicked on some check-box or hit return in response to a dialog box, it's unclear to what extent that is), and given that you've presumably thrown away your badge, what stops the company from retroactively claiming that you executed the NDA even if you actually didn't? It's not clear whether this would really hold up in court; it's easy to claim that you weren't really paying attention and accidentally "signed", but that argument cuts against the value of the NDA to the company as well.