Tuesday, November 20, 2012

Right Idea - Wrong Execution?

In my opinion, the Aussie government have always had a robust public stance on on-line child protection issues.  However, it seems that they've wobbled a bit recently and dropped their own detailed Australian Communications and Media Authority (ACMA) child abuse content lists for the rather flat-footed INTERPOL 'worst of' lists.  The Australian Financial Review has a detailed article on the politics behind the decision here - it makes for interesting reading especially as a foreigner with no axe to grind.

Better and more technically qualified people than I will tell you that the INTERPOL 'worst of' list is just that - it's also the slowest refreshed and the bluntest of tools.  Blocking entire domains and IP addresses at DNS level is a concept and technology that belongs in the bad old days. More importantly, it really doesn't provide adequate protection for anybody, especially those who are affected by the abuse.

It is also surprising that the Aussies have taken this path, as the technology, resources and the will exist all around the world to do battle with this global and persistent threat.  The guys at the Internet Watch Foundation and INHOPE (and their colleagues around the world) are delivering quantifiable results without adversely impacting on freedom of expression or access to legitimate content.

So - I applaud the Aussies for doing something - but I believe they (and we) can do better than implementing 'just enough' policies on on-line child abuse content.

Monday, November 19, 2012

Block or Unlock?

With Facebook's announcement that they're slowly opting all their users into HTTPS, yet another large chunk of the web gets a welcome layer of encryption.

Welcome, of course, as it helps protect users' highly personal data - often all too recoverable by network sniffing tools - and decreases the possibility of cookie hijack. It's by no means perfect, but it's a great addition.

On the other hand, this SSLization of the web universe does pose a threat in businesses and schools alike - with more traffic going over HTTPS, the requirement for web filtering to intercept and decrypt this traffic rises. In many instances, the stark choice is to either block a site completely, or perform an intrusive "Man in the Middle" inspection. These issues are always going to be most keenly felt on BYOD devices, where the MitM decryption would be more intrusive both technically and socially - hey, it's my device, my traffic, keep out!

There are no silver bullets here. Sure, we can identify most HTTPS traffic's ultimate destination (it's Facebook, it's Google), but many organisations need a finer level of policy if they are to allow these sites - forcing safesearch is an important one for schools, or for businesses, maybe a restriction on Facebook posts.

The creeping tide of HTTPS is not going away - the only thing keeping more large sites from going fully SSL is the cost/speed tradeoff (encryption on that scale can be computationally expensive), but the need for web filtering for an ever more varied set of organisations has yet to wane either.

This is going to be a long and interesting ride... and I would welcome any comments from our readers on what they are doing to work around these problems, or what they think would be the ideal scenario.

Friday, November 16, 2012

Whose views are they anyway?

Have a look at your various social media accounts – do any of them contain the name of the company you work for? Do you post a mixture of work and personal material? If so the decision of the High Court released on the 16th November is something you need to be aware of.

A bit of background; an employee, who identified his employer on his Facebook page, posted some comments following a news story about gay marriage. The comments reflected the employee’s strongly held religious convictions. Some co-workers complained and the employer determined the posts amounted to gross misconduct and imposed strong sanctions.

The English High Court considered the case and finally decided that the employer had been wrong to class the employee’s personal Facebook pages as representing the views of the organisation. On this basis the action taken over the “gross misconduct” was unfounded and the employer was in breach of contract.

You might like to think that this decision was on the basis of the principles of freedom of expression, the Human Rights Act or some equivalent legislation – you would be mistaken. What it came down to was the balance of the posts that could be seen to be related to work and those that were purely personal.

In other words, if you freely mix posts about your work and social life, you could be opening up your social media account to considerably stronger scrutiny than you imagined. There has been a rash of cases recently that demonstrate how the “written” character of social media transforms the responsibility you bear for firing your views into the ether.

So what should we do – either you need to keep your work and personal profiles separate, or recognise that anything you say could be seen in a bad light by your employer, other players in your industry or regulatory bodies. It’s worth spending a few minutes’ thought on the matter. Personally, I’ve just taken any reference to work off my Facebook account!