Recently in Privacy Category

As you've no doubt already heard, China recently announced plans mandating that all new computers sold in that country - including imported PCs - be delivered with pre-installed and pre-configured Web filtering technology beginning July 1, 2009.

The software, branded Green Dam-Youth Escort, is defended by China's foreign ministry spokesman, who claims it is "aimed at blocking and filtering some unhealthy content, including pornography and violence" in an effort to protect children.

Putting aside the obvious discussions of censorship versus freedom of information, there's a fatal flaw in China's plan. Maybe we shouldn't tell them this, but Web filtering software alone doesn't block people from visiting Web sites and/or accessing Web applications.

Surprised? While the Internet used to be primarily about transmitting and accessing fairly static information via HTTP, FTP and e-mail, it's now dominated by Web 2.0 applications such as instant messaging, P2P, VoIP and social networking sites. Savvy Internet users already use tools like anonymizers to mask their browsing habits, and real-time communications and Web 2.0 applications are highly evasive, specifically designed to get around Web filtering, firewalls and other traditional security solutions using a variety of techniques like port crawling, tunneling, onion routing, etc. After all, their goal is to grow their communities and ensure users have the full experience.

From what I've read, neither China nor the media has considered or addressed this. I'm certainly not in favor of China blocking access. Yes, FaceTime helps organizations control employee Web browsing and use of Web 2.0 applications, where visiting certain sites or using certain applications may be inappropriate in the workplace, put the company at risk or impact productivity, but the Web sites you choose to visit and the applications you use at home are for you to decide and for parents to control.

The backlash over China's censorship plans is widespread, including nearly 20 trade groups representing technology companies calling on the Chinese government to reconsider the mandate contending that it "raises significant questions of security, privacy, system reliability, the free flow of information and user choice." There's also the California company that claims the mandated Internet filtering software contains stolen programming code. Other articles say the Chinese government has already backed down, retreating on its controversial new web filtering plan, saying the software can be uninstalled or switched off.

It's not clear yet how all of this will play out, but you have to ask, if China's mandate won't be effective, why do it at all?

Lessons from Yahoogate

They say you can find anything on Google. Turns out it's especially useful when one is searching for personal data to crack a Yahoo! Web mail password.

In the remote case you missed it: Vice Presidential candidate Sarah Palin's Yahoo! Webmail was hacked last week, and the contents were posted on Wikileaks. Wired reported that the hacker easily broke into Palin's Webmail, hoping to find incriminating evidence that could derail her campaign.

We see this happen a lot. While IT installs email and IM archiving software, the workforce moves their personal and sometimes ill-advised communications to what I would call rogue channels. These channels include Webmail, public IM, Skype, and even Facebook. Employees think that management doesn't monitor or control these tools and it becomes an appealing place for improper or even illegal activity to occur.

Michael Osterman explained this well when he wrote about the lessons IT should learn from the Sarah Palin Webmail hack.

More examples of infamous rogue channel use in recent times include Senator Mark Foley, whose IM conversations with an intern cost him his job; Jerome Kerviel, the French banker who allegedly cost his company $7B; and Scott Sidell, the former CEO who funneled client lists to himself through Webmail.

What are your employees doing through Webmail, personal IM networks and social networking sites?

When I ask IT professionals the above question, the majority respond (very confidently) that nothing rogue or unsanctioned is happening on their networks. Common responses include "We block it with our firewall" or "We have a policy against it." Then we deploy an evaluation unit and provide a report of actual employee-initiated traffic, and it becomes clear: hope is not a strategy.

As customers move to adopt Unified Communications platforms from Microsoft, IBM and others, I believe the same issue will exist: employees will use personal systems and corporate-sanctioned systems interchangeably. IT will have the hard task of managing policies and controls consistently across this heterogeneous environment.

Does an employer have the right to access an employee's PC and everything on it? Scott Sidell says no. I read about his situation in the New York Times and Ars Technica. Scott is the ex-CEO of Structured Settlements, who was hustled out of his office after being fired. Apparently, he was logged into his Yahoo! email account when this happened and now Scott alleges that his former company snooped around and copied files from his email account. They found that he'd transferred sensitive company documents, including customer lists and terms of deals, to his personal account. The company also monitored Sidell's conversations with his lawyers about how to win the arbitration over his firing.

A ruling on Sidell's complaint has not yet been made, but he might find the court on his side, since this case could be influenced by a decision made two weeks ago by the US 9th Circuit Court. According to the recent ruling, personal messages sent via work equipment are off limits to search by an employer unless the employer has an existing practice of regularly accessing the equipment.

This case is most interesting to me because Scott was allegedly caught sending company data to his personal account. He just happened to be caught. My guess is that thousands of companies lose confidential or sensitive information this way and don't even know it. Trade secrets are escaping through consumer communication channels such as IM and Skype all the time. Malicious behavior has always filtered through the "corporate back alley" - a savvy employee who knows which communication routes are monitored, and is smart enough to pick the route where they won't get caught.

This is also another good example of the blurred lines between work and personal communications technology. What belongs to my employer when I check Web-based email on the company-owned laptop from home? What can I keep private when I text my friends from my work-provided cell phone? Where is the common ground between an employee's privacy and a company's network? Companies looking to create or revise their Internet policies should be clear with employees about how they monitor their communication channels.

About this Archive

This page is an archive of recent entries in the Privacy category.