Friday, July 11, 2008

Web browser security - what is an agency's duty of care to customers?

Google recently released a report on web browser security, conducted in June 2008, which found that more than 630 million internet users were not using the most secure version of their chosen web browser.

Mainly this reflected Internet Explorer use - 577 million users were not using the most secure version of the browser - largely represented by those using Internet Explorer 6 (rather than upgrading to IE7, which was released in October 2006).

My agency also still uses Internet Explorer 6 as our default web browser.

Fortunately, as a large organisation, we do not rely on our web browser to provide network security. Our IT professionals employ a series of firewalls and other safeguards to mitigate the risks in using an older and more vulnerable browser.

However the majority of our customers do not have access to this level of IT skills and resources.

Home users either do not use firewalls, or rely on either the basic Windows firewall or one that came with their modem. Sometimes there isn't a robust anti-virus product in use either.

Based on our website statistics, about 27% of visitors still use Internet Explorer 6 and another 3-4% use old versions of other web browsers.

This means that more than 30% of our website users are more vulnerable to security risks than they need to be.

My question is, what is our agency's duty of care towards these people - our customers?

I've identified the following options.

  1. No duty of care - it's a jungle out there, our job is to deliver government services not take on responsibility for the web browser choice of our customers.
  2. Warn - we should actively let people know that they should use the most current version of their web browser to protect their own security, but take no action to enforce the use of current browsers.
  3. Warn and inform - we should both actively warn people and show them visibly when they are not using the most secure version of a web browser, with a path to upgrade if they choose.
  4. Warn, show and take action - we should first warn and then block anyone not using the most secure browser versions, forcing our customers to upgrade.

Which is the best option?
I tend to disregard the first option - doing nothing is a poor solution when customer security is at risk.

The last option, take action, is a dangerous path to walk. For customers accessing our sites from within corporate environments there is generally no option to upgrade their browser. Forcing an upgrade would simply stop the sites being usable for these people - including our own staff (who use IE6).

We currently apply the second option - telling people they should use the most secure web browser, but stopping short of telling them whether they are using the most secure version. The shortcoming here is that many people do not know how to check if their web browser is the most current version, so may place themselves at risk unknowingly.

The third option - warn and inform
The report from Google recommends the third option - both warning the customer about the risk and telling them whether they are using the most secure version - with a path to upgrade if needed.

This approach is the most satisfying for me. It covers the duty of care I feel our agency has and supports customers who are not technically literate.

Which approach does your organisation take, and why?

Thursday, July 10, 2008

US campaign to allow congressmen to use social media launches

Following from my post yesterday regarding the US senate debate over the use of social media by congressmen, several congressmen have launched a campaign to remove restrictions on internet use by the US congress.

The campaign is entitled Let Our Congress Tweet and, as you'd expect, makes extensive use of social media to put across its views.

How do you judge if a government intranet is a success?

I regularly struggle with how to best evaluate the success of my agency's intranet.

In general there are six different sets of metrics I use, grouped into 'hard' and 'soft' as follows:

Hard (numerical)

  • Statistics - traffic (visits/pageviews),
  • Content (age/timeliness/findability),

Soft (subjective)

  • Design - usability/accessibility/attraction (task completion, screen reading),
  • Development - standards (code validation)
  • User satisfaction (what do staff, contributors and managers tell us formally?),
  • Word-of-mouth (what do staff, contributors and managers say informally?)

Overall I'm happy with our intranet's performance.

However I don't have a consolidated measure that combines these measures into a single number I can track over time as an Intranet Success Index.

How do you go about rating your intranet's success?

Using social networks to support youth education

Digizen have conducted a project and produced a report looking at how young people use, and could use, social networking services to support their learning experience.

It's a fascinating read with some very practical examples of how to utilise these networks to engage young people and enrich and extend the learning experience.

The report is available both online and as a downloadable document from Digizen at Young People and Social Networking Services.

Is it time for a government mobile broadband guarantee?

The Australian government has an opportunity to expand its support for national fixed line broadband to include mobile broadband, spearheaded by the release of the Apple iPhone this week.

The phone is a revolutionary device and reports out of the US indicate that people using the phone are using internet data services 50x as frequently as on other phone handsets.

However with the release of telecommunications plans by Optus, Vodafone and Telstra, there has been considerable backlash within online communities.

The general theme is that the data allocations are too small, and the cost of data much too high.

The view is stated succinctly by Stephen Collins of Acidlabs in his post, The iPhone as social umbilical cord (and how Australian telcos don’t get it).

Mobile internet has to-date been largely a non-event in Australia. With the rollout of 3G networks, telecommunications providers have focused on providing content via walled gardens from selected media services. Data usage has been low as the cost of data has been high - often 10x the cost of fixed broadband.

The release of the iPhone and similar multi-channel handheld devices changes the game.

Services such as Twitter, Plurk, Friendfeed, instant messaging clients and other 'stream of consciousness' communications technologies are easily accessible via the device.

This turns the publisher -> consumer walled garden of current mobile internet services into a conversation - a multi-user <-> multi-user always-on social and business experience.

Unfortunately the launch plans for the product from all three telecommunications players do not support this type of product use, pricing data out of the reach of an always-on experience.


The Australian government has its Australian Broadband Guarantee program poised to roll-out for 2008-2009 in August. This program is admirable - it helps ensure that Australians have access to fixed wire broadband in ever growing numbers.

However much of the world is now beginning to substitute fixed broadband for more mobile solutions, via mobile phone or dedicated wireless networks.

In many developing countries expensive fixed networks are not being rolled out - instead they are rolling out wireless, which is cheaper and easier to deliver to remote areas.

For Australia to stay in the game, let alone remain an innovator, there is the need to take a longer-term view and support the mobile broadband industry.


How to do this
The first step is to understand the sea change occurring overseas and review what can be done in Australia to reduce the cost of mobile data.

The second step is to take steps - quickly - to reduce those costs, encouraging Australians to use handheld devices for the uses they are being put to overseas.

This will establish the environment for greater innovation in mobile broadband. These innovations will have global potential, helping Australian companies to competitively play on the world stage.

It will also, through increasing usage, deliver greater profits to the telecommunications companies.

Finally it can also be used to address some of the inconsistencies and inequities in the fixed broadband market.


What's the alternative?
The alternative is for the government to let the market take the lead, locking in expensive mobile broadband solutions and leaving Australia a 'follow-me' country that adopts overseas technologies rather than innovating locally.

This outcome would be extremely detrimental to Australia's long-term future.

The internet is the nervous system of the world, allowing individuals and organisations to come together to create and share ideas, solve problems and build new businesses regardless of their geographic location.

If Australia is not embedded firmly in this nervous system it will become increasingly uncompetitive over time.

What's your view on the steps the government should take?
