Showing posts with label security. Show all posts

Monday, April 09, 2018

How modern democracies face destruction if they can't stop building digital Maginot Lines

The recent revelations in the media about the collection of personal information from up to 87 million Facebook users by Cambridge Analytica and its use to influence political outcomes (successful or not), should be sending chills down the spines of everyone involved in information security, privacy and governance.

That people's data can be appropriated and used to manipulate democratic processes is a clear threat to the basis of democracies around the world - and governments appear to be flailing on what to do about this.

Now certainly corporations, such as Facebook and Google, have both legislative and business reasons to protect personal data. It's their lifeblood for making profits and without a sufficient level of public trust to keep people using these services these companies would largely disappear overnight.

However governments also have a responsibility to safeguard their citizens, and their own institutions, from external manipulation of their democratic systems - whether this comes from foreign states, corporations or even particularly influential groups in society.

While Facebook is responsible for allowing a researcher to create an app that could suck down the personal data of many people, even without their consent, it may not have been illegal for Cambridge Analytica to do this (although their subsequent use of this data for electoral manipulation may have been), and while Facebook may be investigated for privacy breaches, the consequences to Facebook and Cambridge Analytica appear to be more social than official to date.

For me the spotlight is more on governments than the corporations involved. Laws exist to provide a legal basis for managing anti-social behaviour and power imbalances (such as between large organisations and individuals) so that the basic unit of the state, the individual citizen, has their personal rights protected and has clarity about their obligations as a citizen.

In this case governments did not have the laws and frameworks in place to detect, limit or even rapidly prosecute massive breaches of personal privacy or attacks on their own institutional validity.

Governments that cannot protect themselves or their citizens from external influences - whether these be physical or digital - do not remain governments for long.

I see the Cambridge Analytica scandal as another in a long series of examples of how modern democratic governments have failed to put appropriate mechanisms in place to protect citizens and themselves from modern threats.

Like the Maginot Line built by France in the 1930s, governments are investing in expensive, unwieldy and inflexible infrastructures for past threats. And, like the Maginot Line in 1940, these infrastructures have proven again and again that they fail in the face of modern agile opponents.

Thus far the reaction by governments has largely been to acknowledge failure, promise to do better and then return to investing in legacy infrastructure, attempting to modify it as cheaply and as little as possible to address modern threats.

From the cascading series of security breaches at scale, rising digital interference in western elections and undermining of democratic institutions - I think the evidence is clear that the strategy is failing.

So what are governments to do? How do they adapt their approaches to address a threat that can come at any time, through any channel and often targets civilian infrastructure rather than state-controlled infrastructure?

The first step is to recognise that their current approach is not working. The political and commercial opponents seeking to weaken, influence, manipulate and destroy western states do not limit themselves to playing by western rules.

The second step is to recognise that this isn't a problem that governments can solve alone. Protecting government infrastructure is pointless if power grids and financial sectors are manipulated or destroyed. If a hacker wants to shut down a government office it is often easier to cut its power or payroll than to attack the government's servers directly. In the longer term the public can be turned against a government through social media engagement using fake news and slanted reports.

The third step is to redefine what constitutes the state and what it values. Government is a tool used to govern a population. It is one component, but not the only or even the most essential one, in defining a nation's character or values.

Then, we need to rebuild our thinking from first principles. What do we value, and what do we not value? What conduct is appropriate, and by whom? How do we protect freedoms for citizens while defining their responsibilities? How do we educate citizens to understand that they have an active ongoing role and responsibility to help maintain our freedoms - that their obligation doesn't stop at a ballot box every few years? How do we redefine the role of corporations and other organisations (including government agencies) as good organisational citizens in a society? What are their rights and obligations towards citizens, stakeholders and shareholders?

This doesn't mean turning western democracy into security states. In my view the growth of state security apparatuses is a poor solution, part of the Maginot Line of centralised control that is failing so badly to protect democracy from a swarm of diverse threats. Indeed, the idea of decentralising security in favour of emphasising personal responsibility through education is, in my view, the best course to protect our nations' values.

We need an inclusive approach, backed by sound principles and collective values, that preserves what is important to our societies and inoculates us from unwanted external influences.

Without this we will lose who we are in protecting what we want - turning us into authoritarian states, the mirror of our enemies.


Tuesday, January 24, 2017

You've Been Hacked - how far should governments go to protect against the influence of foreign states?

Like most people with a broad digital footprint I've been hacked multiple times, usually in fairly minor ways.

Around ten years ago I had my PayPal account hacked through malware in the Amazon site, costing me $300.

PayPal staff insisted this was a legitimate payment for goods (which I hadn't ordered) being delivered to my legitimate address in Norway (despite having provably never visited the country). I've been very cautious & limited in my PayPal use since, and never recommend them.

Over Christmas last year my Social Media Planner site was hacked and seeded with malware. Fortunately my IT team was able to identify, isolate and address the matter, without affecting visitors, but costing me financially (two weeks downtime). It's fine now BTW, with extra protections in place.

I've had a Skype account taken over by someone in Eastern Europe, who used it for phishing before I could reclaim it, and had basic account details stolen in the Yahoo, LinkedIn and Dropbox hacks and a range of other large-scale hacks of commercial services over the last five years - excluding the Ashley Madison hack (I've never been a member).

I'm not the only one affected by any means: well over 10 billion accounts were hacked in 2016 alone, with Australian politicians, police and judges outed as affected in at least one of these hacks (and a few in this one too).

Much of this widespread hacking results in the theft of limited personal information. On the surface it may appear to pose little risk to individuals or organisations.

However the individual reuse of passwords and usernames can turn these hacks into a jackpot. This allows hackers, and clients they sell hacked data to, to access a wider range of accounts for individuals, potentially uncovering richer information that is useful for identity theft, economic theft, intelligence gathering or for influencing decisions and behaviour.

Despite all the reports of hacking, it seems many people still treat this lightly - the world's most popular password remains '123456'.

Most governments, however, do not. Securing their networks is a major challenge and a significant expense item. The data agencies hold has enormous political and economic value that could be easily misused to the detriment of the state if it falls into the wrong hands, or into the right hands at the wrong time.

It's not simply about troop movements or secret deals - early access to economic or employment data, access to the 'negotiables' and 'non-negotiables' for a trade deal, or even to the locations and movements of senior political figures (to know who they meet and for how long) can be used for the financial and political advantage of foreign interests at the expense of a state's own interests.

For the most part, Australia's government is decent at managing its own network security. This isn't perfect by any means, but there's a good awareness of the importance of security across senior bureaucrats and largely effective ongoing efforts by agencies to protect the secure data they hold.

However in today's connected world the national interest goes far beyond the networks directly controlled and managed by governments. As we've seen from the US (and now Germany), political parties and individual politicians have also become hacking targets for foreign interests.

This isn't surprising. Politicians, potential politicians and even academics have long been targets for funding assistance and free or subsidised study trips to nations hoping to cultivate influence in various ways. In fact these approaches provide some positive benefits as well - by creating personal relationships between powerful people that can lead to improved national relationships, trade deals and even avert wars.

Hacking, however, has few of these positives, as we saw in the release of Democratic National Congress emails by Wikileaks, which were most likely obtained through Russian state-sponsored hacking and were likely designed to influence the outcome of the US election.

Whether you believe the cumulative findings of the US intelligence community or not, it is certain that foreign states, and potentially large multinational corporations, will continue to target political parties and individual politicians, seeking insights into how they think and levers of overt and covert influence for economic and political gain.

Hacking will continue to grow as one of the major tools in this work.

The Australian Government is taking this seriously - and kudos to them for this.

However even this focus on political parties neglects a wide range of channels for influencing current and potential future politicians. What about their other memberships and personal accounts?

Politicians and potential politicians are well advised to position themselves in various community and business groups to improve their networks, build relationships and future support. They are also just as likely as other Australians to use the internet - for work and personal reasons.

This means they're likely to have numerous online accounts with both domestic and foreign-owned services, with varying levels of security and access control.

On top of this, it's not simply politicians who may be the targets of influence. Political advisors and activists often shape and write party policy positions, despite never being publicly elected. Influence an advisor and you can influence policy, as the many registered lobbyists know only too well.

Equally bureaucrats across government often are exposed to material that could, if shared with foreign interests, cause some form of harm to a state. We've seen this in insider trading by an ABS staff member, where the economic gain to the individual public servant outweighed his good judgement and public duty.

While bureaucrats are security assessed to a significant degree (unlike our politicians) and selection processes are in place, backed by rules and penalties, to screen out the 'bad eggs', the potential for public servants to be influenced through the hacking of their personal accounts has risen along with their internet use.

Right now we're in an environment where the number of attack vectors on a politician, an advisor or an individual public servant is much higher than at any past time in history - while our tools for protecting against foreign influence have not kept up.

Of course this goes both ways - our government also has the capacity, and often the desire, to influence decisions or negotiations by other states. We've seen ample evidence of this, although it isn't really a topic our government wants to discuss.

The question for me, and I don't have a solid answer yet, is how far technically should a government go to limit the influence of foreign states.

Should governments merely advise political parties on how to secure themselves better?

Or should governments materially support parties with trained personnel, funding or even take over the operation of their networks (with appropriate Chinese walls in place)?

What type of advice, training or support should agencies provide to their staff and Ministerial advisors to help them keep their entire footprint secure, not just their use of work networks, but all their digital endeavours?

And what can be done to protect future politicians, advisors and bureaucrats, from wide sweeps of commercial services collecting data that could be useful for decades to come?

We need to have a more robust debate in this country about how foreign states and commercial interests may be seeking to influence our policies, and decide as citizens the level of risk we're prepared to accept.

Until this occurs, in a mature and informed fashion, Australia is hurtling forward into an unknown future. A future where our political system may be under constant siege from those who seek to influence it, in ways that are invisible to citizens but more wide-reaching and dangerous to our national interest than any expense scandal.

If this isn't the future that we want, then it is up to us to define what we want, and work across government and the community to achieve it.


Wednesday, August 31, 2016

Have you been pawned? What could Australian governments do to reduce the frequency of data breaches

Data breaches at major organisations have become a weekly event, but don't always make it into the public eye for months, or even years, after they happen.

This is both because it can take some time for an organisation to become aware it has been breached and because few organisations are forthcoming about security concerns.

This lack of willingness to communicate breaches can be because many fear a loss of respect or trust if they admit a breach has occurred, and in certain cases companies may even be liable for fines or damages in a class action.

Of course, not declaring breaches can also come with a sting in the tail. Individuals might find some of their other accounts become compromised, or experience monetary or identity theft - in extreme cases people can find themselves in debt, their property sold, or even be gaoled.

Governments in Australia have been slow to put measures in place to protect citizens in these circumstances - even forcing citizens to take them to court to rectify these situations, as a Canberra homeowner recently had to do.

Unfortunately in Australia it's not even mandatory for data breaches to be reported, so there's limited information about how widespread the threat or cost actually is, making the situation even harder to deal with.

I subscribe to a service (Have I Been Pwned?) that alerts me when a service I use is reported as hacked - but even this is largely limited to international online services and it remains very slow to discover when these hacks occurred.

The example below shows how Dropbox has only in the last few weeks acknowledged a hack in 2012 which exposed the details of over 60 million people - that's more than twice Australia's population. Their information (including mine) has been traded online by the hackers.
[Image: Dropbox breach notification]

Now some people might consider this a normal part of living and doing business in the internet age - but should we?

There are a number of steps that both governments and commercial organisations can take to reduce the impact of these types of breaches and help ensure they occur far more rarely.

The first step is a mandatory requirement to publicly notify everyone who may be affected by a breach within a week of it being detected, with a mandatory public announcement of the breach within two weeks.

If the notification is made on a timely basis, organisations should not face a significant fine from the government, but if notification is late, they should face a fine equivalent to a significant portion of their gross income for the previous year.

Where organisations are breached, they should be legally required to, at their own cost, identify the cause and rectify it, putting in place appropriate security measures to prevent recurrence and fix any other identified security issues with their system.

Organisations should also be put on a three-year watch list where, if they suffer another breach and cannot demonstrate that they maintained their security infrastructure to a sufficient standard, they are subject to the very significant fine detailed above.

This should apply across both private and public organisations - with government agencies held to the same high standard of conduct. In fact it could be argued that government should be held to an even higher standard due to being required to maintain public trust and how certain agencies may compel information from individuals and store it for their lifetime.

Governments should also set up positive security regimes, where people are rewarded for identifying and reporting security holes in government properties. Corporations could also be provided with incentives to do the same, such as subsidising the rewarding and rectifying of appropriate security issues in a similar way to R&D subsidies.

The government needs to work with governments around the world to ensure that laws punishing identity theft - fraud - are sufficiently strong to create a strong disincentive for anyone who might be caught either perpetrating a hack or benefiting from it. There's already a base in place for this, but there are ways to strengthen it and treat identity theft with the degree of severity it requires.

Finally governments need to ensure they are appropriately educating citizens through a variety of channels - providing educational content, ensuring that no government agency allows users to create weak passwords, training their own staff (essential for national security), training police forces to understand and engage appropriately with citizens who report identity theft and rewarding companies who educate their staff and customers for reducing the overall risk.

Now it is important to be realistic about the situation. Australians use a variety of foreign online services and it is impossible to secure them all, all of the time. Hackers will find ways in via mistakes in ICT configurations, slow maintenance, zero-day exploits and social engineering.

However the incidence and severity of the data breach risk can be greatly reduced if Australian governments stop turning a blind eye to the issue and begin seriously engaging with it.

At minimum governments need to broaden their cyber security policies to recognise that it's not just the government itself at risk. From here, there are many opportunities, such as those described above, for governments to be more proactive about protecting their citizens from the risk of data breaches, from enemies both domestic and foreign.


Friday, August 26, 2016

How to shut down the easiest path for hackers into your organisation

In the news today is a story about how the Department of Prime Minister and Cabinet has issued guidance to staff on how to manage their personal profiles on Facebook.

According to The Age's article, 'Nanny state!' New crackdown on public servants' Facebook, the department "now insists its public servants lock their personal Facebook accounts with the tightest possible privacy settings and tells them how to configure their passwords".

Based on The Age's article the policy states that "Profiles must use a robust and secure password to protect the account from brute-force hacking attempts".

"This password must be at least seven characters long and contain a mixture of punctuation and alpha-numeric characters".

The policy apparently threatens disciplinary action and even dismissal for non-compliance for both staff and contractors.

I've not yet read the policy so can't comment on the details, and there's also apparently some other parts of the policy dealing with what public servants can comment on, which I don't expect to agree with.

However, I find the advice on security and passwords fair, long overdue, and something that all organisations should consider providing to their staff.

Hacking is fast emerging as one of the most significant commercial risks for corporations and public agencies, with organised crime and nation-states mobilising sophisticated teams of computer hackers in the search for commercial and political advantage.

Few weeks go by without a major international company or online service being hacked for data, and alongside this the growth of ransomware - where hackers lock organisations out of their own systems and demand money for access - is proving to be a challenge worldwide.

Many large organisations have extensive security provisions in place to protect their data and services against hackers, and security advisors are working as hard to keep their systems protected as hackers are to find new ways in, in a cyber cold war.

However IT systems are not the only way into an organisation's data heart. 'Social engineering', a term referring to coercing staff to create a chink in an organisation's security armour, is increasingly one of the easiest ways for hackers to sidestep security professionals.

Social engineering takes many forms.

Examples include leaving USB drives loaded with malware somewhere staff might pick them up and unsuspectingly plug them into an organisational system; sending them email attachments supposedly containing cute kittens (with a cyberworm inside); or fooling them with a fake email from 'security' into believing they need to reset a system password by clicking on a link - which gives the hacker access.

There are many, many ways in which employees, even the most highly intelligent people, can be fooled and used to evade or break their organisation's security.

Even if people can't be fooled, there are ways to get critical information about them which can provide clues to passwords, or provide blackmail opportunities.

For example, many people still use memorable passwords - children's names and dates of birth, anniversaries, pet and street names, achievements and more. With a little digging through publicly available information, or even information compromised from a weaker external service, hackers can quickly create a potential password list which might give them a route into a more secure system.
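As an added illustration of the two points above (this is example code written for this page, not the PM&C policy or anything from the original post), the following Python function enforces the password rule quoted from The Age's article (at least seven characters, mixing punctuation with alphanumeric characters), rejects entries from a small constructed list of commonly used passwords such as '123456', and refuses a password that contains details an outsider could harvest from public information: family and pet names, street names, and the years or day/month forms of listed dates. The profile data, the common-password list and the exact token-derivation rules are all assumptions made for the example.

```python
import re
import string
from datetime import date
from typing import Optional

# Minimum length as quoted from the PM&C policy in The Age's article.
MIN_LENGTH = 7

# Constructed list of frequently used passwords (the post cites '123456'
# as the world's most popular); a real deployment would use a much
# larger breach-derived list.
COMMON_PASSWORDS = {
    "123456", "password", "123456789", "12345678", "qwerty",
    "111111", "letmein", "welcome", "abc123",
}


def _normalise(text: str) -> str:
    """Lower-case and strip everything but letters and digits, so that
    "O'Brien" and "obrien", or "Smith St." and "smithst", compare equal."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def personal_info_tokens(profile: dict) -> set:
    """Derive the fragments that public information about a person yields:
    names (children, pets, streets, etc.) and the common ways people
    write dates (year, ddmm, ddmmyy, ddmmyyyy). Assumed rules for the example."""
    tokens = set()
    for name in profile.get("names", []):
        token = _normalise(name)
        if len(token) >= 3:          # ignore very short fragments
            tokens.add(token)
    for d in profile.get("dates", []):
        tokens.add(f"{d.year}")
        tokens.add(f"{d.day:02d}{d.month:02d}")
        tokens.add(f"{d.day:02d}{d.month:02d}{d.year % 100:02d}")
        tokens.add(f"{d.day:02d}{d.month:02d}{d.year}")
    return tokens


def check_password(password: str, profile: Optional[dict] = None) -> list:
    """Return a list of reasons the password is unacceptable; an empty
    list means it passes every check."""
    problems = []

    # Rule 1: the quoted minimum length.
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # Rule 2: a mixture of punctuation and alphanumeric characters.
    has_alnum = any(c.isalnum() for c in password)
    has_punct = any(c in string.punctuation for c in password)
    if not (has_alnum and has_punct):
        problems.append("must mix punctuation with alphanumeric characters")

    # Rule 3: reject anything on the common-password list.
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")

    # Rule 4: reject passwords built from publicly known personal details.
    if profile:
        compact = _normalise(password)
        matched = sorted(t for t in personal_info_tokens(profile) if t in compact)
        if matched:
            problems.append("contains publicly known personal details: " + ", ".join(matched))

    return problems


if __name__ == "__main__":
    # Constructed profile: the kind of detail visible on a public social media page.
    public_profile = {
        "names": ["Emily", "Rover", "Smith Street"],
        "dates": [date(2009, 3, 12)],   # a child's birthday
    }
    for candidate in ["123456", "Emily2009!", "rover-1203", "Tr0ub4dor&3"]:
        verdict = check_password(candidate, public_profile) or ["ok"]
        print(f"{candidate!r:16} -> {'; '.join(verdict)}")
```

The seven-character minimum is kept because that is the figure quoted on this page; the check is structured so the threshold and the word lists can be replaced by an organisation's own values, and the personal-details check is the part that targets the "memorable password" habit described above rather than the raw length rule.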

Unfortunately many organisations have been slow to address this threat by educating and supporting staff on protecting ALL their information online - from their secure employee logins, to their Facebook accounts and random mailing lists they sign up to.

This education is important not simply for the organisation's security, but for the personal security of individual staff members, who are also at risk from hackers who simply want to steal from them.

In fact there's every reason to believe that well-constructed advice to an organisation's staff on protecting themselves online will be well received. It not only protects the organisation, it protects each individual staff member and often their families as well.

So what PM&C is doing with suggestions on passwords and locking down Facebook isn't a 'Nanny State' act - it's a sensible step that every organisation should be doing to protect their commercial information and client data, and to protect their employees.

Now a 'policy' may not be the best structure for this education - I strongly recommend that every organisation should have a 'security awareness' module in their induction program, and ensure that all existing staff receive regular training on how to protect themselves and the organisation they work for from external hacking threats.

This needs to be regular, not once-off, because of the rapid evolution of hacking and IT systems. New threats emerge regularly, as do new social engineering attacks.

Training all staff on how to secure ALL their online accounts is becoming vital for organisations that are serious about security.

In fact I believe that organisations who lose control of personal, private or confidential client, staff or government data should be penalised more harshly if they've not taken steps to guard against social engineering through staff training.

So if your organisation wants to continue to improve your security, don't simply invest in new IT systems and security advisors. Regularly train your staff on how to protect themselves online and they'll help you protect your organisation.


Friday, August 05, 2016

Is it time for governments to extend digital security protections to all parliamentary candidates & parties?

Over the last few years we've seen increasing attention on the use of personal technology by politicians.

From our current Prime Minister, Malcolm Turnbull, who uses Wickr, to Hillary Clinton's use of a personal email server, and even the struggle President Barack Obama faced to use an iPhone, politicians - like the rest of us - are increasingly using a diverse range of technologies to conduct both personal and official business.

Not all of these technologies are officially approved or secured. Many are newer technologies with both known and unknown security concerns.

However politicians, like the rest of us, continue to use them either because they perceive the benefits (convenience, flexibility, speed, utility) as far outweighing the risks they accept, or because the risks are not clearly understood by non-technical people.

This becomes a particular issue for politicians, political parties and individual candidates for parliament when state-sponsored agents, organised crime or unscrupulous businesses attempt to access their information.

There are many motivations for 'political hacking': commercial advantage where particular information or decisions are obtained before the market knows, political advantage, blackmail, or an improved capability to 'groom' politicians towards a perspective supportive of a particular desired goal or outlook, or opposed to an undesired reform or initiative.

In fact I think it can be said that political power doesn't only originate from the muzzle of guns, but now political power also emerges from the keyboard.

Information is power, and the best source for information about an individual's views and decisions can be their private email and social accounts.

With the revelations of Russian state-sponsored hackers penetrating the Democratic National Convention and Clinton's Presidential campaign data stores, it's clear that state-sponsored and other organised hackers are increasingly seeing unelected potential parliamentarians as targets.

This is a logical development. It's in the interest of foreign nations to understand the views and decision-making approaches of powerful national leaders. Combine this with the likelihood that the security deployed by a political party is far easier to penetrate than the security deployed by a national government, and that the fallout if caught is far less, and it becomes a no-brainer for nations and large commercial interests to conduct hacking before an election locks leaders away behind tighter firewalls.

So, now we know that there's a reasonable to high risk that electoral candidates and parties will be hacked - particularly if they have a good chance at election - there's a question for governments to consider.

Should governments extend their security expertise and protections to all electoral candidates, placing them behind state-supported firewalls and security provisions, as soon as candidates nominate for electoral roles? And should this protection be extended to all political parties as well?

Given that even medium-sized governments, such as Australia's, secure hundreds of thousands of devices and people through their security regime, extending this to a few hundred more would be a technically manageable exercise.

The approach would help protect more of Australia's governance institutions from foreign and commercial influence, though likely would only be a partial measure as traditional intelligence gathering and governance influencing methods (background research, infiltrators, electoral donations and hosted trips and tours) would still be available to interest groups and countries.

Individual politicians and candidates would still have personal digital accounts vulnerable to hacking, with which they may engage with the public, the media, each other, business partners, friends, family and, occasionally and hopefully discreetly, with potential sexual partners.

So perhaps the step would provide partial protection - avoiding situations like the one the US Democrats have found themselves in, where the long-term ramifications are as yet unclear.

However even government systems are not totally impervious to cyberattacks, and the limitations of working within a government firewalled system might be too invasive or restrictive for some in the political world.

Also in a world where no security is perfect, partial protection can provide an illusion of security where none should be assumed, with the potential that protecting candidate correspondence could lead to more significant information theft or leaks from either hacking or internal disgruntled staff - or the misuse of candidate data by a future unscrupulous government to influence an electoral result.

On balance I think we're going to have to take our chances over whether political parties and individual candidates are hacked by foreign or corporate interests.

No security solution will ever be perfect and so Australia, and other nations, need to focus less on hiding potentially damaging information and focus more on developing transparent and fair agendas, with individual candidates and politicians being as honest and forthright as they claim their opponents should be.


Wednesday, November 26, 2014

Liveblog for Govinnovate 2014 Day 2

We're into day 2 of GovInnovate, with a focus on IT security.

Keep an eye on the liveblog below and the Twitter hashtag #govinnovate



Tuesday, September 23, 2014

What penalties are there for agencies and individuals who breach government security and accessibility policies for websites and online channels?

I regularly hear stories from people in government agencies and councils about how their organisation isn't meeting mandated security and accessibility requirements for their websites and broader online presence.

Often this is because there's insufficient time, money or a lack of understanding of the mandated requirements by either the business owners or the vendor doing the work. I still remember an experienced developer at a web development company claiming that in his ten years of working on government websites he'd never understood that accessibility was a legal requirement.

Sometimes I can understand and accept these reasons. 

Ministers set deadlines, as do real-world events, and these can constrain the full process of testing the security and accessibility of a website.

Equally some campaigns are spread across different channels, and the budget allocated to online doesn't always allow for the best possible outcomes - or there's some 'bling' requested by senior management that eats the budget of the project very quickly. Again these can make it difficult to find the money to do any necessary testing and adjustment. 

In a few cases I get told that security or accessibility was simply "not important" to senior management, the business owner or the ICT team/vendors doing the work. 

These cases I could never condone, and it did affect my public service career when I stood up to senior people who held this attitude - even when I 'won' the point and was able to ensure websites were delivered to government-mandated minimum requirements.

This last group still worries me - and I've heard several new stories in the last month along the same line.

The fact these people are still around is disheartening, and raises a major question for me:

What penalties exist for agencies or individuals who deliberately go against the government's mandated policies and standards for websites, on topics such as security and accessibility?

I'm not aware of any public servant ever being investigated, sanctioned, retrained, demoted, moved or sacked after making a decision to ignore or water down website requirements.

In fact I can recall a few times where they were promoted and rewarded for their work in delivering outcomes cost-effectively and quickly.

Of course there are potential legal ramifications for ignoring both security and accessibility requirements - however it is generally the agency that takes on this risk, rather than the individual who exposed them to it.

In some cases the individual may not even have been the business owner, or has moved on to a different role, even a different agency.

This type of behaviour is generally picked up and addressed when an individual breaches finance, procurement or HR guidelines.

I'd like to see the same apply for websites - the front door of the modern government.

Whether a federal agency or local council, you serve citizens through your online presence, and putting them at security risk, or creating sites that a significant proportion of your audience can't access by not meeting mandated standards and policies is simply not on.


Tuesday, March 05, 2013

Pre-pubescent hackers - what are governments doing to protect their systems?

Hacking is child's play - or so it seems as young people, some aged only 11, are beginning to use various tools and instructions online to hack into online games (as reported by Mashable).

The rise of state-based hacking (whether for political or commercial reasons) has profoundly changed the challenges facing government agencies, both in terms of their own security and in terms of how they protect the citizens and businesses that exist under their jurisdictional protection.

It is interesting to consider that if foreign troops or terrorists invaded a business's building in central Melbourne or on Sydney's north shore, the government would be expected and obliged to respond with its own armed police and troops. However, if the same business's computer systems were invaded by a similarly malicious foreign power, terrorist group or criminal syndicate, the business is almost alone, held almost totally responsible for its own security and protection - despite the potential for severe economic disruption or damage to the national interest.

That situation becomes even more complex if the foreign troops behind the digital attack are children.

With a seven-year-old first grader now the youngest person to develop a mobile app, with other children around that age now developing coding skills, and with potential motivations such as unlocking special pets, levels or privileges in online games and social networks, how long will it be before young children are trained and put to work as hackers by criminal or state organisations?

Not too long, in my view, which comes back to the main question - what should governments be doing to protect their systems, and the systems of citizens and businesses, from a rising tide of state-sponsored hacking, particularly as it becomes child's play?


Friday, November 16, 2012

Are organisations failing in their use of social media and apps as customer service channels?

Guy Cranswick of IBRS has brought my attention to a media release about a new report from Fifth Quadrant, a leading Australian customer experience strategy and research consultancy, on social media and smartphone app customer service enquiries.

The report looked at how many Australian consumers had used these channels for customer service enquiries and why they'd used, or not used, them.

The figures are quite dim reading...

The study (of 520 participants) indicated that only 16% of Australian consumers have ever used social media for a customer service enquiry and less than one in 10 Australians had used this channel for customer service in the last three months. Gen Y ran 'hotter', with 29% having ever used social media for a customer service enquiry.

Why didn't people use social media for these enquiries? The survey broke down the reasons as follows (multiple reasons allowed):
  • 32% said it isn't personal, 
  • 30% said they did not know that they could,
  • 30% said they were concerned with security issues,
  • 22% said they thought it would take longer than a phone call, and
  • 20% said they did not think it would be a good experience. 
The research also looked at smartphone apps and their use in customer enquiries. Here the figures were even lower. Only 15% of Australian consumers had ever used a smartphone application for a customer enquiry (20% amongst Gen Y), and only 8% of consumers had used this channel in the last three months.

The reasons for not using apps were similar to social media:
  • 41% said they did not know they could,
  • 21% said they thought it would take longer than a phone call,
  • 16% said they thought it would make the process slower to talk to a customer service representative,
  • 15% said they did not think it would be a good experience, and 
  • 13% said that they did not think it would be easy to use.
My immediate reaction was to say that, well, social media and smartphone apps are still very young and immature, both effectively five or less years old as mass communication and engagement channels. It takes time for organisations and customers to adopt their use for customer service.

However, other research suggests that this may not exactly be the case.

Fifth Quadrant’s 2012 Customer Service Industry Market Report (with 120 business participants) found that 69% of Australian-based organisations had implemented social media and 23% had implemented smartphone apps for customer service. This is a small sample, but still statistically significant.

In other words, while 69% of organisations will accept customer service enquiries via social media, only 16% of Australians have used this approach and while 23% accept these enquiries via smartphone apps, only 15% of Australians have used these channels.

So if organisations are offering these channels, why do so few Australians use them?

More of Fifth Quadrant's research offers a clue...

How many times should a customer have to contact an organisation to resolve a customer service issue?

Fifth Quadrant reports that the level of 'first contact resolution' (where a customer only needs to contact an organisation once to have their query resolved) is much lower for social media or smartphone app than for phone contacts.
  • Phone: 78% of queries handled in one contact
  • Social media: 59%
  • Smartphone app: 51%
In other words, 41% of people attempting to use social media and 49% of those using smartphone apps will have to contact the organisation multiple times (often resorting to phone) to resolve their query.

This significantly increases the cost of the interaction to the organisation and the customer and reduces customer satisfaction.

So what's the issue? Poor organisational implementation of social media and app channels.

Fifth Quadrant's Director, Dr Wallace said,
“There is no question that social media and mobile channels will be important in the next few years as the percentage of consumers who use these channels for customer service doubles year on year. Rather, it is a question of how effectively organisations address the supporting business processes and skill levels of social media customer service representatives.

The challenge for Australian business is that they typically do not consider Multi-channel Customer Experience as a strategy, hence these new channels lack integration, they do not have accurate revenue and cost models and there is poor data analytics. This has resulted in a sub-optimal channel deployment and as the research shows, ultimately, a sub-optimal customer experience.”

So let's go back to the reasons again...
  • There was an awareness issue (social media: 30%; apps: 41%).
    Organisations need to integrate information about the ability to engage them through social media and apps in their promotion, packaging and engagement.
  • There was a speed/perceived speed issue (social media: 22% (take longer); apps: 21% (take longer) and 16% (slower)).
    Organisations need to integrate these channels with their other customer contact points, building the protocols and processes to make it faster and easier to engage online than by phone.
  • There was an experience/usability issue (social media: 30% (not personal), 20% (experience); apps: 15% (experience) and 13% (easy to use)).
    Organisations need to co-design their channels with customers, putting extensive work into the upfront experiential design to make them an easy-to-use service with a great user experience. The investment in design is more than offset by the long-term cost savings in moving people from high-cost phone to low-cost online service channels.
  • There was a security issue (social media 30%).
    Organisations need to take the same actions as ecommerce companies did to reduce this to a minimum, providing context, clear security measures and escalation and rectification mechanisms that assure users that they won't be disadvantaged by any security problems.
Overall, organisations need to run these channels as part of their customer service framework, not remotely via communication, marketing or IT teams.

Want to learn more about the research and report?

See Dr Wallace's blog, Your call.

And here are some of the key findings from Fifth Quadrant’s 2012 Customer Service Industry Market Report (n=120):

Social Media:
  1. In Australia, the predominant share of the 22 million daily customer interactions handled by contact centres is still handled by live agents (52%). Despite industry increasing the implementation of social media as a customer service channel, Share of Contact Handling by Social Media channels is 0.2%
  2. Amongst organisations that offer social media as a channel for customer service, 67% report that the marketing department is responsible for managing it.
  3. 63% of organisations in the study have only had social media as a channel for customer service implemented for 1 to 2 years.
  4. Amongst organisations that currently have social media as a customer service channel only 29% reported their contact centre has the ability to escalate a social media query through to a customer support application that links through to an agent.
  5. Past three months usage of social media as a customer service channel has doubled in the past 12 months (4% 2011; 8% 2012).
  6. The proportion of consumers who believe they will be using social media more often in the future has also nearly doubled from 4% in 2011 to 7% in 2012. 
  7. When asked whether they had received a response from an organisation via a Social Media network to comments they had made through Social Media, only 7% of consumers reported that they had. About 5% of consumers claim to have received essential information posted via a Social Media network. 14% of consumers report they have received information from an organisation via social media about new products and services. 
Smartphone Apps:
  1. Amongst organisations that offer smartphone apps as a channel for customer service 50% report that the marketing department is responsible for managing it, with a further 33% reporting that IT is responsible.
  2. 50% have only had smartphone apps as a channel for customer service implemented for one to two years, with 33% reporting smartphone app has been available for less than 12 months. 
  3. Amongst organisations that do not currently offer smartphone app as a channel for customer service, 25% report they have no plans to. 
  4. Further to the existing 8% of consumers who have used a smartphone app for customer service, a further 33% of consumers report that they are likely to use a smartphone app for a customer service enquiry in the next 12 months. 
  5. Amongst Gen Y consumers, 29% report that they will be using smartphone apps for customer service issues more often in the next 1-2 years. This is significantly higher compared to Baby Boomer (8%) and Silent (4%) generations.


Monday, March 05, 2012

Who is your Marketing or Communications CIO?

I was struck by a comment from Dan Hoban (@dwhoban) at GovCamp Queensland on Saturday, which resonated with me, and with others in the audience, that organisations now need a CIO (Chief Information Officer) in their marketing or communications teams.

This is a person who understands the technologies we use to communicate with customers, clients, citizens and stakeholders and can provide sound advice and expertise in a manner that traditional ICT teams cannot.

The role of this person is to understand the business goals and recommend approaches and technologies - particularly online - which are a best fit. Then it may be this person and their team, or an ICT team, who build and deliver the solutions needed.

When Dan named this role I realised it fitted exactly the role I had been performing in government for my five years in the public service, and for a number of years prior in the corporate sector.

Where ICT teams were focused largely on reactive management of large critical ICT systems - the SAPs, payment frameworks and secure networks - it has long been left to Online Communications, or similar teams or individuals in other parts of the organisation, to proactively introduce and manage the small and agile tools communicators use in public engagement.

No organisation I've worked in or spoken to has ICT manage their Facebook page, Twitter account, GovSpace blog or YouTube channel. Few ICT teams are equipped to cost-effectively and rapidly deliver a focused forum, blog, mobile app or data visualisation tool. They don't recruit these skills or, necessarily, have experience in the right platforms and services.

When Communications teams seek advice on the online channels and technological tools they should use they ask ICT, but frequently are told that ICT doesn't understand these systems (even when individuals within ICT might be highly skilled with them), doesn't have the time or resources to commit in the timeframes required (due to the need to focus on critical systems), doesn't have the design skills or that it would take months (sometimes years) to research and provide an effective opinion - plus it will cost a bomb.

So Communications teams, who have their own deliverables, have no choice but to recruit their own social media and online communications smarts.

It is this person, or team's role, to understand Communication needs, make rapid and sound recommendations of channels and tools, design the systems and the interfaces, integrate the technologies (or manage the contractors who do) to deliver relevant and fast solutions on a budget.

So perhaps it is time to recognise these people for what they actually are for an organisation - a Marketing or Communications CIO.

I expect ICT teams will hate this. Information has long been their domain even though their focus is often on technology systems and they do not always understand the information or communication that feeds across these systems - the reason these systems actually exist.

Perhaps it is time for them to rethink their role, or to let go of the agile online and mobile spaces and focus on the big-ticket systems and networks - to remain the heart, but not always the adrenal glands or, indeed, the brains, of an organisation's ICT solutions.


Wednesday, February 15, 2012

The perils of legislating channels (and the issue of website filters)

The Australian Parliament House recently released their new website - a major step-up from the previous site.

However in reading an article about it on ZDNet I discovered that the APH had, in the process, decided to block an entire top-level domain (.info) from view by the Parliament and the thousands of people working at Parliament House in order to prevent access to potentially malicious websites.

I haven't been a fan of the internet filtering systems used in government. At varying times I have seen the websites of all the major Australian political parties blocked, preventing access to their media releases, blog posts and announcements - often vital information for public servants writing policy or briefs.

These filters can be quite indiscriminate and are often controlled by commercial parties outside government. That's right, commercial entities, often foreign owned, can be broadly controlling what is allowable for Australian public servants to view online. This could affect government information inputs and potentially influence policy decisions. This is a situation that leaves me vaguely uncomfortable.

Some of the individual categories of content blocked can be equally problematic. For example, many filters block access generally to 'blogs', which may include the Australian Public Service Commission's blog-based consultation of public servants last year; 'video sites', including, for Immigration, their own YouTube channel; social networks (including those used by citizens to discuss specific policies); and, in a range of other cases, 'political' content from citizens and stakeholder groups that could otherwise be influential in the development and implementation of good policy.

One of the biggest issues I have personally found is that you don't know what you don't know. Could a blocked site be vitally important for the decision you need to make? You cannot assess this if you can't look at it.

Some systems allow specific blocking by group of employee - which sounds useful and often is (for example when I worked at ActewAGL I was one of the few allowed to view adult (soft porn) sites, needed in my role of preparing website schedules and analysing the competition for the adult channel TransACT displayed). However when implemented poorly staff may not be able to access the information their managers direct them to use.

In certain cases public servants may be required to use their personal devices to rapidly access critical content blocked by these filters. This is one reason why, for the last four years, I have carried my own Internet-connected device with me while working in government agencies. It makes me more productive in meetings and in preparing business cases when I can access and refer to critical material immediately, rather than not being able to even see if a site may be valuable or not and then waiting for a site to be unblocked so I can access it on a work PC.

It can be time consuming and, in some cases, impossible to request opening sites up. In many cases public servants can ask for specific exceptions, however when you have 48 hours to finish a minute to your Minister in response to public stakeholder or citizen comments on an important piece of proposed legislation, it can be impossible to do the job properly. Identifying which sites you need to see, receiving senior approval, requesting and having IT teams or filtering companies make access available, can take weeks, or even months.

This damages the ability for departments to do their jobs for the government and the public and, quite frankly, delegitimizes those citizens and stakeholders who choose to use forums, blogs, Facebook, YouTube and similar social tools or sites to discuss their views.

Blocking an entire top level domain, as in the APH case, comes with additional risks.

A little-known fact is that Australian legislation requires the use of info.au for the Quitnow website, an ongoing major component of the Australian Government's campaign to reduce the incidence of smoking.

Quitnow.info.au is advertised on all material for the quit campaign, including on all cigarette packets in Australia.

Now in practice the Department operating this site automatically forwards anyone who types 'Quitnow.info.au' to 'Quitnow.gov.au', so it is not noticeable to citizens. However this is a technical translation (if x, go to y) - the domain that citizens see on advertising material still says Quitnow.info.au.

If .info.au domains, as well as .info domains, were automatically blocked by the APH (I don't know if this is the case), anyone who tried to go to Quitnow.info.au would arrive at a "you cannot access this site" page and not be forwarded to the Quitnow.gov.au site.

Fortunately the APH does allow staff to request access to specific sites (apparently at least 60 have been opened up to access) and I don't have specific information on whether the APH blocked .info.au sites alongside .info sites, so this specific problem may not exist. However it does demonstrate the risks of blocking entire top level domain groups.
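To make that risk concrete, here is an added example (not code from the APH, its filtering vendor or this post) of a domain-suffix filter written two ways. A rule that matches "info" as any label in the hostname silently catches Quitnow.info.au, while a rule pinned to the top-level label does not; an allowlist covers the sites staff have asked to open up. All hostnames and the allowlist entries are constructed for illustration.

```python
"""Domain-group blocking done sloppily versus done by label position.

Added example for the .info blocking discussion; not APH or vendor code.
"""
from urllib.parse import urlsplit

# The top-level domain group the policy names.
BLOCKED_TLDS = {"info"}

# Constructed: hosts that staff have requested access to, as the post
# describes the APH allowing (subdomains of an entry are allowed too).
ALLOWLIST = {"quitnow.info.au"}


def hostname_labels(url):
    """Return the DNS labels of a URL's host, left to right, lowercased."""
    # Accept bare hostnames as well as full URLs.
    host = urlsplit(url if "://" in url else "//" + url).hostname or ""
    return [label for label in host.rstrip(".").split(".") if label]


def naive_is_blocked(url):
    """Block if a blocked name appears as ANY label of the hostname.

    This is the overreaching rule: it treats the second-level 'info'
    in 'quitnow.info.au' exactly like the top-level 'info' in 'x.info'.
    """
    return any(label in BLOCKED_TLDS for label in hostname_labels(url))


def tld_is_blocked(url):
    """Block only when the rightmost (top-level) label is in the set."""
    labels = hostname_labels(url)
    return bool(labels) and labels[-1] in BLOCKED_TLDS


def is_blocked(url, policy=tld_is_blocked):
    """Apply a blocking policy, honouring the allowlist first."""
    host = ".".join(hostname_labels(url))
    for allowed in ALLOWLIST:
        if host == allowed or host.endswith("." + allowed):
            return False
    return policy(url)


def audit(urls, policy):
    """Map each URL to its blocked/allowed result under one policy.

    Running this over the sites legislation or campaigns point staff to,
    before a domain-group block goes live, is how the Quitnow-style
    collateral block gets caught in advance.
    """
    return {url: is_blocked(url, policy) for url in urls}
```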

Personally I don't think legislation should specify domains or specific communication channels, in most cases. Technology changes too fast and governments don't want to be caught spending exorbitant funds in supporting defunct channels after the community moves on.

For example, the tabling of documents in parliament should not specifically require a paper copy to be presented and there should be no legislation that requires that a citizen present their claims or complaints via a particular device - postal, phone, fax or web.

Equally governments should not be constrained by legislation to communicating with citizens via postal mail, email, fax or a specific form of written communication (as some legislation does now).

The information transmission and reception mechanisms should simply need to meet levels of modern usage and veracity.

This would prevent agencies from having to spend large amounts of money on preserving and using old technologies where communities have moved on and reduce the time and cost of updating legislation to meet community needs.

Is there a downside of not specifying channels (such as that Quitnow.info.au domain) in legislation? I don't think so. Specification, where required, can happen at the policy level, making it easier and more cost-effective to review and change when the environment changes.

This would remove any potential embarrassments, such as a government agency blocking staff access to an entire domain group (such as .info.au) and accidentally blocking access to its own legislated websites.


Friday, December 23, 2011

Is inappropriate social media use really an issue for government?

With some of the concerns and processes I've witnessed in government it would be easy to draw the conclusion that hundreds or even thousands of public servants are using social media daily in ways that damage the reputations of their departments and the government.

Fortunately, a couple of articles I saw yesterday have given me a place to start to look at the realised level of risk of inappropriate social media use by trained and well-governed public servants.

The Australian reported Public servants' pay docked over Facebook comments and SmartCompany followed up with Bureaucrats disciplined over work-related comments on Facebook made on home computers.

Both articles referred to information from the Commonwealth Department of Human Services (DHS). Over the 2010-2011 year four DHS employees had been investigated and found to have made inappropriate use of social media (well, one case referred to private email use, but let's let that one go).

I was intrigued by these articles as, to my knowledge, they represent the first time that inappropriate social media use by public servants at a Commonwealth level has been reported in the media.

To quote the Smart Company article,

The Department of Human Services says there were four code of conduct cases involving the inappropriate use of social media in 2010-11 - three related to work-related comments posted on Facebook from the individuals’ private computers.
The other case was about material sent from the employee’s private email account.
“The incidents all involved work-related misconduct that contravened their Australian Public Service obligations,” the department said.

According to The Australian, one worker had had their job classification cut, the second was given a 5% pay cut over 12 months, and the third was reprimanded.
The fourth employee no longer works for the department.
I am very glad to see that this inappropriate conduct was managed effectively using existing business policies in government - noting that the DHS has made great steps forward in the social media space, establishing a social media policy and working to ensure staff are aware of it and how it aligns with the APS Code of Conduct.

I am not quite sure what the staff concerned did, this wasn't explained, however as there's been no major media blow-outs from the actual incidents, I'm going to assume that the transgressions were relatively minor - bullying, inappropriate language about work colleagues or similar breach activities, rather than leaks of Cabinet-In-Confidence documents, naked photos of colleagues released online or similar major public indiscretions.

Given we now have a public incident at Commonwealth level, I decided to use it to do some evidence-based analysis on the actual risk of inappropriate use of social media to agencies.

Let's start from the top.

It has been reported that DHS had four employees go through a formal code of conduct investigation based on their personal social media activities in 2010-11 (and again we're letting go that one of these four was actually related to email use - not social media).

Now I happened to have been able to find out from IT News that the DHS conducted 197 formal code of conduct investigations in 2010-11. These four social media-related investigations accounted for 2% of these investigations by the DHS in that year.

Broadening this out, DHS has about 37,000 employees, so the four employees who were investigated equals 0.0108% of their staff. Note that's not 1% of staff, that's one-hundredth of one percent.

In Australia around 59% of people use social media personally in some form (62% of internet users, with internet users being 95% of the population). Let's be conservative and estimate that only 40% of DHS staff use social media personally - well below the average for all Australians.

On this basis there are about 14,800 DHS staff members using social media personally. Of these, four were reported to be using it inappropriately and investigated. That's 0.027% of the staff at DHS using social media personally. Again, that's not 2.7%, it's 27 thousandths of one percent.

So 27 thousandths of one percent of DHS staff estimated to be using social media personally during 2010-11 were investigated for code of conduct breaches.

That's not many, but let's go deeper...

Nielsen has reported that Australians are the most prolific users of social media out of all the countries they measure. We spend, on average, 7 hours and 17 minutes using social media each month.

Let's assume, again, that DHS staff are below average for Australians, that those DHS staff using social media are only spending 5 hours using it each month. On this basis, with an estimated 14,800 DHS staff using social media, their personal use for 2010-2011 would be 888,000 hours (37,000 days or just over 101 years of continuous use).

In those 888,000 hours there were four reported code of conduct investigations - that's 0.00045% of the time spent online through the entire 2010-11 year, assuming they each were an hour in duration.

If you assume DHS staff are average Australians, the percentages shrink dramatically further.

To sum up, the information from the DHS suggests that the risk of social media misuse by public servants is extremely low.

There were no indications of significant impact due to the four incidents, therefore I assume that the consequences were minor.

So on the basis of an extremely low risk and minor consequences, the risk of social media to a government Department (such as DHS) is negligible - and easily mitigated through appropriate management procedures (a policy, guidance and education).

So for any agencies still hanging back from social media, consider the evidence, the mitigations you can put in place, the potential benefits of engagement AND the risks of not using social media (reduced capability to monitor key stakeholders/audience views, inability to engage citizens in the places they are gathering, no ability to counter incorrect information or perceptions and so on).

You might find that your current strategy of non-engagement is far more risky.


Tuesday, December 13, 2011

Reflection on Mia's Facebook presentation from Day 1 of Social Media in Government

I'm only here for a few presentations today at Informa's Social Media in Government conference, so I am blogging rather than liveblogging the presentations.

First up this morning is Mia Garlick, now at Facebook and previously with experience in Commonwealth Government and with Google.

She's talking about using Facebook in government.

Mia has started by talking about how Facebook is a social graph for connections between people, and between people and organisations.

She says that researchers recently tested the six-degrees of separation

Mia says there are 800 million users globally of Facebook - counting users as those who check into Facebook at least once per month. Over 10 million Australians are in that group and over 50% of these users (globally and in Australia) access Facebook daily.

Mia says that Facebook has several valuable uses for government including for identity, engagement and advertising.

Identity refers to representing agencies online. Mia says the best approach is to create a page. She says that the page mechanism includes an option for government organisations via the Corporate and Organisation option.

Mia says it is important to understand the difference between a profile and a page - profiles are for persons, pages are for organisations. Profiles are multidimensional, when people friend each others' profiles they see each other's information.

Pages are unidimensional, when people fan a page the page owners don't get to see the fan's details.

Mia says it is important to curate pages. She says that Page administrators cannot turn off comments as Facebook is about engaging in social behaviours, not avoiding them. However people can create blacklists of words and profanity filters to manage comments and develop a policy and terms of use for the page. Mia says that administrators can also mark comments as spam or abusive.

She also says it is important to get senior executives across what is acceptable commenting. She says she has had senior government officials contact her asking for pages to be taken down as someone commented that "the government was stupid". She essentially said - let it go, people say this kind of stuff from time to time, does it really hurt you or reflect on them?

Due to the nature of Facebook, people don't often see your page - they see snippets of content in their newsfeed. Mia says it is important to ensure these snippets are interesting and engaging to make a Facebook page effective.

Mia says that the number three topic talked about in Australia on Facebook for 2011 was "Census" and number six was "Victorian floods" (in their "memeology" list) - showing that government cannot ignore the channel, as people are using it to discuss topics and issues that government is deeply involved with.

She's now talking about South Australia's Strategic Plan and how they used Facebook to support engagement and feedback.

She says that while in government we are used to writing a large report and releasing it in a consultation with a list of questions, many people don't engage well or respond in this approach as it is overwhelming and they have limited time. The South Australian government broke the Strategic Plan into bitesize chunks they wanted feedback on and released them individually for people to respond to. Mia says this was very effective for South Australia, with over 1,300 comments received for one particular chunk and over 500,000 citizens reached via Facebook, with 10,000 participating.

Mia says that the South Australian government recognised that they engaged a new group through Facebook that they could not reach through traditional engagement mechanisms.

She's also given an example of Facebook advertising in Canada and how it can target specific demographics or geographic locations quite effectively.

Finally, Mia is highlighting the Facebook 'Coming together' page on peace which provides a view of how people are connecting and engaging across wars.

Mia also says that around 80% of Facebook users are using privacy settings in Facebook, which helps to create a separation between work and personal identities.


Tuesday, May 24, 2011

Crowdsourcing serious government policy - now not only thinkable, but desirable

Crowdsourcing is often used in government for 'light' topics, such as selecting a logo or sourcing audience-created videos or photos.

However it also offers enormous potential for informing and developing government policy in areas that are considered both sensitive and serious - such as security.

About a year ago the Atlantic Council released its recommendations report from the 2010 Security Jam.

Unlike previous closed-room security discussions, the Security Jam ran on an open basis, bringing 4,000 military, diplomatic and civilian experts from 124 countries together online to thrash out the challenges facing global security.

Held from 4-9 February, the Jam, run by Security and Defense Agenda in partnership with the Atlantic Council and with support from IBM, was supported by both the European Commission and NATO.

The thousands of participants included defense and security specialists and non-specialists in order to broaden the security debate beyond purely military matters.

According to Robert Hunter, former US Ambassador to NATO, "The Security Jam has done something that NATO's Group of Experts has not - to reach out beyond the ‘usual suspects’, to people who have truly original ideas and a range of analysis that goes to the heart of today's and tomorrow's security issues."

Imagine applying the principles of the Security Jam to Australia's Commonwealth and state policy issues.

With the comments in Terry Moran's speech last week it is clear that this type of approach is not only becoming thinkable, but desirable.


Thursday, May 19, 2011

21st Century society vs 19th Century laws and policing

Laws have always struggled to keep up with society, however rarely in such a vivid and public way as in Wednesday's arrest of Sydney Morning Herald journalist, Ben Grubb, and the confiscation of his iPad.

The incident, well reported in the SMH, occurred when Queensland Police responded to a complaint regarding a photo hacked from one security expert's private Facebook page and displayed in a presentation at the AusCERT conference in Brisbane as an example of a major security hole in Facebook's system.

Grubb was attending the conference and received a briefing about the security hole. Seeing the public interest in telling the community that their supposedly private Facebook photos could be easily accessed, Grubb reported the matter in an article featuring the image, which I can no longer find on the SMH site.

The following day police questioned Grubb about the matter and then demanded he hand over his iPad on the basis that police wanted to 'search' it for evidence of a crime. When he was unwilling to do so, he was arrested and his iPad confiscated for a complete image of its content to be taken and analysed by police (let's not even explore the potential conflict with Australia's Shield laws, which incidentally also cover bloggers and tweeters).

The basis of police concern was that the image retrieved by the security expert and used in the SMH article was 'tainted material', stolen from a Facebook account and then passed on to others.

What is more worrying is that the Queensland police, in a press conference, then described receiving an email containing a stolen image as 'like taking stolen TVs'. To quote:

Detective Superintendent Hay used an analogy to describe why Grubb was targeted.

"Someone breaks into your house and they steal a TV and they give that TV to you and you know that TV is stolen," he said.

"The reality is the online environment is now an extension of our real community and if we go into that environment we have responsibilities to behave in a certain way."

Let's think about this for a moment.

Firstly, when someone 'steals' an image - or music, movies, books or other online content - it isn't stealing if the content remains at the point of origin for the original owner to continue using. It may be a copyright infringement or privacy breach, but unlike stealing a television, where the owner of the television is left without it, there is no theft, simply replication.

On that basis any laws around theft simply don't apply online. You can copy my idea, my words, my images. However, unless you somehow delete the originals, you are not stealing them; you are breaching my copyright.

Secondly, when an email is sent to our email address it gets delivered regardless of the legality of its contents. We have no say in whether we receive legal or illegal messages and images. Sure there's spam blockers and the like, however these automated tools can't tell if content is legal or not, only if it violates certain rules, such as containing certain four letter words or phrases.

However, according to the QLD Police, if someone sends you an email containing a 'stolen' image, you are breaking the law. This is even though there is no way possible for you to refrain from receiving the email in the first place. You don't even have to open the email. If it has been stored on your device, based on the QLD Police's interpretation of Commonwealth law, you are a potential criminal.

This has enormous ramifications for society. Anyone can frame someone else by sending them an email. As it is relatively easy to set up a disposable email account, you can do so anonymously. This could be used against business rivals, political opponents, or even against the police themselves simply by sending them an anonymous email and then making an anonymous complaint.

Equally, if the person receiving the email is a potential criminal, then what about all the organisations whose mail servers were used to transmit the message?

When an email is sent from one person to another it can pass through a number of different systems on its journey. At each stop, a mail server copies and saves the email, checks the route then sends the email on.

In most cases these mail servers delete these emails again for storage reasons, however at a point in time each of them has received the email, making the organisations and individuals who own them liable, again, under the QLD Police's interpretation of the law.
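To make the relay point concrete, here is an added Python example (not from the original post) that walks the Received headers of a constructed message, oldest hop first, and lists every host that accepted and stored a copy on the way to the recipient's mailbox; the host names and addresses are made up.

```python
"""List the mail relays that handled a message, from its Received headers.

Added example, not code from the original post. Each relay prepends its own
Received header, so the header closest to the body is the earliest hop and the
top-most header is the final delivery.
"""
import re
from email import message_from_string

# Constructed sample message; hosts and addresses are invented documentation values.
SAMPLE_MESSAGE = """\
Received: from mx1.recipient-isp.example (mx1.recipient-isp.example [192.0.2.30])
    by mailstore.recipient-isp.example with ESMTP id qbc456;
    Thu, 19 May 2011 09:00:12 +1000
Received: from relay.intermediate.example (relay.intermediate.example [198.51.100.7])
    by mx1.recipient-isp.example with ESMTP id abc123;
    Thu, 19 May 2011 09:00:10 +1000
Received: from sender-laptop.example (sender-laptop.example [203.0.113.5])
    by relay.intermediate.example with ESMTPSA id xyz789;
    Thu, 19 May 2011 09:00:05 +1000
From: anonymous@sender.example
To: journalist@recipient.example
Subject: constructed sample
Message-ID: <sample@sender.example>

body text
"""

# "from <host> ... by <host>" is the common shape of a Received clause.
HOP_RE = re.compile(r"\bfrom\s+([^\s;()]+).*?\bby\s+([^\s;()]+)", re.IGNORECASE)


def parse_hops(raw_message):
    """Return (sending_host, receiving_host) pairs in chronological order."""
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())  # unfold continuation lines
        match = HOP_RE.search(flat)
        if match:
            hops.append((match.group(1), match.group(2)))
    hops.reverse()  # headers are newest-first; we want oldest-first
    return hops


def receiving_hosts(hops):
    """Every distinct host that accepted the message, in the order it arrived there.

    Each of these stored at least a transient copy, which is the point the
    post makes about liability under the 'receiving is possessing' reading.
    """
    seen = []
    for _, receiver in hops:
        if receiver not in seen:
            seen.append(receiver)
    return seen


if __name__ == "__main__":
    for sender, receiver in parse_hops(SAMPLE_MESSAGE):
        print(f"{sender} -> {receiver}")
    print("hosts that held a copy:", receiving_hosts(parse_hops(SAMPLE_MESSAGE)))
```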

Given the number of emails sent each day in Australia it's clear from the QLD Police's legal interpretation that most ISPs must be operated by criminals, receiving, storing and transmitting illegal content all day and night.

Applying this type of 19th Century policing and legal approach clearly isn't going to work in the 21st Century.

When everyone can publish and illegal content can be received without your consent or knowledge, laws need to change, as does police training and practice.

Without these changes government bodies will become more removed from the society they are meant to serve, unable to function effectively and efficiently in today's world.

By the way, the security analyst who originally 'stole' the Facebook images hasn't been questioned, arrested or charged. And Ben Grubb still hasn't received his iPad back.


Tuesday, March 08, 2011

Doing good while improving security with ReCAPTCHA

There are still many government online forms and consultation systems that don't make use of 'human recognition' tools such as CAPTCHA to help verify that the people filling in the forms are humans and reduce the attractiveness of online government forms to large-scale automated attacks by bot-armies.

However, even where government has added CAPTCHA security, I've yet to see an instance where this has been used for good, as well as security.

CAPTCHA, for those unfamiliar, is a technology whereby, when completing an online form, the user is asked to type in one or more words or solve a simple arithmetic sum before submitting their response. The words or sum are presented in an image with 'background static' designed to make it hard for a computer to read.

In most cases, humans are able to decipher and type in the correct response whereas automated form completion systems, often used for spamming, are not.

Many CAPTCHA systems are also enhanced with audio CAPTCHA (where words are read out, amidst static and background noises), supporting vision-impaired people.

These systems are not perfect, however they do increase the barriers to hackers, reducing the prospect for spam submissions or attacks.

They also add a little time to each submission attempt - possibly ten seconds. This is negligible to an individual (in most circumstances), however as millions of people complete CAPTCHA forms each day, this adds up to a lot of time overall.

Initially CAPTCHA tools just presented random words, however a system supported by Google is supporting organisations to 'do good' as well as improve their security.

Named ReCAPTCHA, the system has integrated the work being done to digitalise books and documents. Rather than using random words, users are presented with words that computers could not understand during the document digitalisation process.

Each time a user completes a ReCAPTCHA, they are helping to decipher and digitalise the world's literature and records - preserving it into the digital age.

Assuming an average of two words per ReCAPTCHA, and each being repeated many times in order to validate the entry, there's a minuscule contribution by any particular individual.

However if, for example, 50 million people each verify themselves using ReCAPTCHA each day, with each set of two words presented ten times on average, that's a total of 10 million words in old documents and books deciphered and correctly digitalised. Each day. That's 3.6 billion words per year.
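As an added example (not code from the post, and not Google's ReCAPTCHA implementation), the following simplified Python model shows how one challenge can do both jobs at once. It assumes each challenge pairs a word whose text is already known (the control, which decides whether the submitter is human) with a word the OCR could not read, and accepts the unknown word only once several passing submissions agree, which is the repetition the post describes.

```python
"""Simplified model of a ReCAPTCHA-style challenge: one control word for
security, one unknown word for digitisation. Added example, not the real
ReCAPTCHA code; the control/unknown pairing and the vote threshold are
assumptions made for illustration.
"""
from collections import Counter, defaultdict


class RecaptchaModel:
    CONSENSUS_VOTES = 3  # agreeing human answers needed before an unknown word is accepted

    def __init__(self, known_words, unknown_words):
        # known_words: {word_id: correct_text}; unknown_words: {word_id: image_reference}
        self.known = dict(known_words)
        self.pending = dict(unknown_words)  # OCR failures still awaiting consensus
        self.votes = defaultdict(Counter)   # unknown_id -> Counter of submitted answers
        self.digitised = {}                 # unknown_id -> agreed text
        self.challenges = {}                # challenge_id -> (known_id, unknown_id)
        self._next_id = 0

    def issue_challenge(self):
        """Hand out one known and one unknown word; the user cannot tell which is which."""
        known_ids = sorted(self.known)
        pending_ids = sorted(self.pending)
        known_id = known_ids[self._next_id % len(known_ids)]
        unknown_id = pending_ids[self._next_id % len(pending_ids)] if pending_ids else None
        challenge_id = self._next_id
        self._next_id += 1
        self.challenges[challenge_id] = (known_id, unknown_id)
        return challenge_id, known_id, unknown_id

    def submit(self, challenge_id, answer_for_known, answer_for_unknown):
        """Return True if the submitter passed, i.e. typed the control word correctly.

        Only passing submissions contribute a vote for the unknown word, so a bot
        that fails the control word cannot poison the transcription. Each
        challenge id is single use, so a replayed answer is rejected.
        """
        if challenge_id not in self.challenges:
            return False
        known_id, unknown_id = self.challenges.pop(challenge_id)
        passed = answer_for_known.strip().lower() == self.known[known_id].lower()
        if not passed:
            return False
        if unknown_id is not None and unknown_id in self.pending:
            self._record_vote(unknown_id, answer_for_unknown.strip().lower())
        return True

    def _record_vote(self, unknown_id, answer):
        self.votes[unknown_id][answer] += 1
        text, count = self.votes[unknown_id].most_common(1)[0]
        if count >= self.CONSENSUS_VOTES:
            self.digitised[unknown_id] = text
            del self.pending[unknown_id]  # no longer shown to users


if __name__ == "__main__":
    # Constructed data: one known word and one OCR failure.
    model = RecaptchaModel({"k1": "Census"}, {"u1": "scan-page12-word7"})
    for _ in range(3):
        cid, _, _ = model.issue_challenge()
        model.submit(cid, "census", "Floods")
    print(model.digitised)  # {'u1': 'floods'}
```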

So if your organisation isn't using CAPTCHA security on forms, or even if you are using a custom CAPTCHA technology, you might wish to consider exploring the use of ReCAPTCHA - which is free to reuse from Google.

Alternatively, of course, Australian institutions could develop their own type of CAPTCHA approach (for old newspapers, for example - or archival records). It would be a meaningful extension to the work the National Library of Australia is already doing.

Below is a video on the work being done with ReCAPTCHA.

Learn more about ReCAPTCHA.


Thursday, March 03, 2011

What is muting Australian public servants online?

Over the last two years we've seen a concerted effort by governments across Australia to increase the level of online engagement, debate and discussion involving public agencies.

In 2009 the Government 2.0 Taskforce, commissioned by then Finance Minister Lindsay Tanner and chaired by Dr Nicholas Gruen, conducted a six month process of engaging public servants via online channels, pioneering the use of blogs, Twitter and Facebook to demonstrate how it was possible for the public service to effectively communicate, engage, consult and be consulted online.

Late in the same year the Australian Public Service Commission replaced its Interim Protocols for Online Media Engagement (originally released in late 2008) with the updated Circular 2009/6: Protocols for online media participation.

Early in 2010 the Australian Government released its response to the Government 2.0 Taskforce's final report, agreeing with all except one of its recommendations (and simply deferring the remaining recommendation to after another related review was completed).

Since then we've seen the MAC innovation report, Empowering change: Fostering innovation in the Australian Public and the Ahead of the Game report from the Department of Prime Minister and Cabinet, outlining steps to reform the public service.

There's been the Declaration of Open Government, the initiation of the Government 2.0 Steering Committee, the launch of GovSpace (a blogging platform operated by the Government and open to all agencies to use).

We've seen more than 260 government agencies and councils join Twitter, wide ranging activity on Facebook and a proliferation of social media policies at local, state and Commonwealth level.

Agencies in Australia are using social media in ways that would have been unacceptable and unachievable even two years ago, some demonstrating world class engagement online. Some states have comprehensive action plans in place and official usage of social media by agencies in some places is approaching one hundred percent.

I don't have the same level of information about Commonwealth agencies (there is no central register of activity or survey results, as there are for some states), however most have established some form of social media beachhead in support of campaign or corporate needs.


With all this official usage you might expect to see vibrant and active online communities of public servants discussing shared issues and best practice, or to see public servants listening to and contributing actively to online policy discussions.

Many groups set up for public servants seem to have reasonable memberships - several hundred people at least - however most of these members are silent, with at most 10% carrying on a halting conversation.

Blogs and forums established to discuss public issues are dominated by the same regular contributors, providing valid and thoughtful views for the most part, however still representing a fraction of the more than 100,000-strong Australian public service.


So what is going on? If over 75% of the Australian online public are actively using social media (as Nielsen has reported), what makes public servants different? What is muting Australian public servants from participating online?


There are a large number of public servants who keep their personal lives very separate from their work lives. They happily connect to their families and friends via social media channels, but don't perceive them as professional development or business tools.

I also still encounter public servants unaware of the Australian Government's Government 2.0 program. They either have never learnt about it through their usual newsgathering channels, dismiss it as an IT initiative, or are simply uninterested as they don't perceive Government 2.0 as having any direct relevance to their work or career.

There are also a number of institutional barriers in place. Despite the growing official adoption of social media in government, the 2009-2010 State of the Service report indicated that only 31 percent of APS staff and 28 percent of service delivery employees have access to social media and networking tools in the workplace.

Where there was access to social media and networking tools, the report indicated that the tools are being under-utilised for various reasons, including lack of staff awareness or interest (similar to my point above), or there was a lack of resources and agency policy restrictions.

In addition, only 10% of agencies reported that they had technical guidance available to employees on how to use social media and networking tools. Staff may not always feel they have the permission or the education required to use social media in a professional manner at work.

This is compounded by the use of adaptive filtering tools which do a fantastic job of blocking inappropriate websites, however may also block appropriate and important websites and social media channels used actively in agency business. As these tools work on the basis of blocking categories rather than individual sites, a simple misclassification by a vendor can limit a department's access to key sites for days or weeks. Social media channels - with a wide range of fast changing material - are often prone to being blocked.

There's also pressure on staff due to workload. There's limited time to innovate, experiment or improve work practices via social media and Government 2.0 approaches when staff are flat-out getting their jobs done the 'old' way.


So where does this leave Government 2.0 and social media adoption?

We have a strong and growing core of activity, with a small number of engaged participants and a wider group adopting these tools as their agencies recognise that the changes in Australian society preclude them continuing to use old approaches.

In many cases public servants engaged in communications and consultation activities simply have to include social media in their mix to generate effective outcomes.

Cost pressures are also taking their toll. As budgets tighten, public servants look for more cost-effective means to engage. I've often seen the most enthusiastic adoption of social media channels when budgets have been cut or in crisis situations where traditional media channels aren't responsive, although this is sometimes constrained by a lack of expertise or shortages in manpower.

However many public servants still haven't made the link between social media and their jobs. They haven't had the time to reflect or consider - nor been presented with compelling cases of why they should adopt new tools - particularly where old ones continue to work reasonably well.

We haven't yet reached a tipping point, where the argument for and knowledge of the new approaches now available has overcome the resistance and systems geared towards more traditional approaches.

So in my view it is simply a matter of education, example, clear political and senior will and time - but how much time? No-one can really say.


Tuesday, March 01, 2011

Should an employer ever require your social media passwords as an employment condition?

At least one state agency in the US, Maryland Division of Correction, recently started requiring employees to provide their personal Facebook password and allow their employer to scrutinise their account as a condition of continued employment.

Apparently this request wasn't illegal - although it breaches Facebook's usage policy (which could mean the employee loses their account).

The rationale given by the employer was that they needed to review the contents of the account as part of the employment contract.

A video of one staff member asked to provide his personal Facebook password is below.




Now this isn't the first time an employer has required their employees to provide personal passwords as a condition of employment. The city of Bozeman, Montana might live in history as the first government to ask all of its staff to provide all their social media passwords - although they quickly dropped the policy when media scrutiny became too high, on the basis that the community "wasn't ready yet".

A number of law enforcement agencies have also apparently begun requesting this information as part of their recruitment process, as reported by USANow in the article, Police recruits screened for digital dirt on Facebook, etc.

There are also stories of financial services companies and other organisations similarly requesting access to personal social media accounts before hiring new staff.

Should employers be allowed to request your passwords?
So are there situations where an employer should be able to access their employee's private social media accounts?

Is this a breach of privacy, or an appropriate step forward for background checks, given how much background people today store in their social media accounts?

Often, for security clearances or in highly sensitive roles, staff in both public and private sector organisations are asked for all kinds of personal information as a requirement of employment. Is requiring your social media account details - and passwords - much of a stretch?


Here are some articles discussing the topic:

