Article for IMIS Column in ComputingMarch
The new Regulation of Investigatory Powers Bill,
however much amended in the course of debate, contains clear liabilities
for IT managers to help the police if their systems have been
used to handle criminal traffic. Such abuse can take many forms.
Were your systems among those "hijacked" over the past
month to help mount "denial of service" attacks on major
e-traders (from Amazon to e-Bay)? Meanwhile it has been reported
that analyses from some of the main US portals show that over
40 per cent of searches are initiated by adult males in search
of pornography. This raises issues of privacy as well as the question
of how much of this is being done at your expense.
"Spamming" (automated, unsolicited,
mass e-mailing, including to school groups) and the doctoring
of search engines (including to promote material offensive to
much of the population) cause concern among those who wish to
see the Internet become a mass-market medium for education and
entertainment. But the issues go well beyond pornography, paedophilia
and censorship through hacking and the "laundering"
of transmissions hacking to electronic fraud, both large and small.
The image of the Internet as being outside the
law is as misleading as is that of untraceable anonymity. "They"
may not know you are a dog but "they" may well know
that you are a dirty dog. It is said that over 60 per cent of
software and video/music sold over Internet auctions sites is
pirated and that the main reason for auctioning is to build lists
of those in the market for such material and to collect their
payment authorisation details, so that they can be charged whether
or not they buy again. This again raises the issues of responsibility
when pirated material is bought via your Corporate network.
Those whose facilities are used to access content
that is already illegal under existing UK law can (under a variety
of circumstances) be held to the publishers. They may also share
liability for breach of copyright, libel and slander. Ignorance
as to what is being carried may not be sufficient defence for
the Corporate IT Manager, let alone Internet Service Provider(s)
The collation of analyses of Internet usage
with personal information falls under the new Data Protection
Directive but the routines for agreeing what is acceptable over
the Internet with regard to services based in nations without
equivalent Data Protection legislation are still unclear. Those
who plan to use US-based services to analyse the traffic to their
websites should talk to their lawyers, whether or not they have
obtained the consent of their customers and also check the security
of the services they plan to use. Even communications with reputable
sites are not necessarily as private as you might think. One Portal
has already been sued in the United States for copying and analysing
the traffic it forwards to another.
The different approaches of the various current
and prospective EU Directives which might be applicable to e-commerce
transactions, let alone the differences between these and the
US, including state law and regulators, further complicate matters.
(Visit www.eurim.org for an update). Most regulators (Advertising,
Financial Services etc) apply the same rules to products and services
promoted over web-sites as they do to those advertised on paper
or promoted over radio or TV. As far as Financial Services are
concerned the rule of thumb is simpledo not put anything
on your web site that you would not put in an advert in the International
Edition of the Financial Times or Wall Street Journal.
Security issues also need to be addressed. A
number of large US organisations which used to provide direct
Internet access from corporate systems have withdrawn it and now
make unauthorised access a disciplinary offence. The reasons range
from concerns over security to concerns over the waste of corporate
time. The security concerns also cover personally owned systems
which are used for corporate work. Audits of the sources of virus
infection on controlled networks (which supposed used only centrally
procured software and have no Internet access) have shown that
file transfers from domestic systems are the most common residual
The position of the Institute for the Management
of Information Systems is simple. Its guidelines (e-mail email@example.com
for a copy) state:
that those responsible for corporate
IS policy review which members of staff, if any, need access from
their place of work to the Internet, as opposed to prot4ected
that the installation or use of any
unauthorised software by employees on systems owned by the employer
or used for corporate work be an explicit disciplinary offence;
that unauthorised access to the Internet
and the unauthorised transmission or receipt of messages or traffic
on systems owned by the employer or used for corporate purposes
be an explicit disciplinary offence.
This need not conflict with the call by MSF
for employees to be given similar access to the Internet from
the place of work as they have to a phone. In locations where
telephone calls are recorded for audit or regulatory purposes
(eg call centres or dealing rooms) the solution is to provide
facilities for personal calls in the rest area. Similarly facilities
for personal e-mails or web-access, bypassing the corporate systems,
could also be provided in rest areas.