Tuesday, September 09, 2008

What's the legal liability in (hyper) linking?

The Securities and Exchange Commission (SEC) in the US is investigating the legalities of website linking, putting forward a policy proposal stating that companies should be held liable for linking to other sites containing information related to their share value.

Basically, if a link from a company's website pointed to false or misleading information about the company's prospects, it could be held responsible (under the proposed policy), leading to a fine or more severe action.

Why is this important in Australia?

Because it could be the thin edge of the wedge for linking. If a company cannot link to certain sites for fear of share information related liability (such as a public forum where opinions are aired, or a media publication which accidentally gets a story about the company wrong), it's not too many more steps to a situation where any hyperlinking may contain a legal risk.

If there was a risk for companies, there would also be a risk for government. What if that family-friendly site your agency linked to (even with a warning interstitial) was bought out by an adult products company, who promptly repointed it to one of their adult shops?

Would the agency linking to it become liable for the link? Or would extra legalese be required to discourage anyone going from one site to another, just in case?

This would make one of the fundamental foundations of the internet - linking - a very risky business.

Reported in WebProNews in the article, SEC Looks Into Hyperlink Liability, the SEC's approach does take into account the situation described above - where a clear warning exists, or the intention was not to cause offense or harm, so it's not really the thin edge of that wedge after all.

However I can see greater scrutiny of linking leading to the kind of situation I described above - on the basis that by walling in the garden the customer is protected from 'bad' influences. It was the business model used with considerable success for a number of years by AOL.

Can you see a time coming where linking to other websites (other than trusted .gov.au sites) becomes too risky for your organisation to chance legally?

Is this a real option or should it be considered alongside foil hats?


Safeguarding egovernment networks - what if you had over 1,000 unauthorised web servers connected to your network?

I'd feel concerned if I was the CIO of a government agency that found it had over 1,000 unauthorised web servers connected to its network.

This is the position the US's Internal Revenue Service is in at the moment, having identified 1,150 unauthorised web servers connected to its network.

As the servers are unauthorised, they are not regularly security patched, making them potential intrusion points for hackers.

As reported in Nextgov, in the article, IRS finds unauthorized Web servers connected to its networks, the IRS is now in the process of creating policies and procedures to prevent the unauthorised servers from accessing IRS data and will be undertaking quarterly reviews to measure compliance with security standards.
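One way an agency could operationalise the quarterly review the article describes, as an added example (not the IRS's own tooling; hostnames, owners, patch dates and scan output are all constructed): reconcile discovery-scan results against the authorised web-server inventory and flag hosts that are unlisted or whose patching is overdue.

```python
from dataclasses import dataclass
from datetime import date

TODAY = date(2008, 9, 9)  # review date used for the patch-age check

# Constructed sample inventory of authorised web servers (hypothetical
# hosts and owners, not real IRS systems) with their last patch date.
AUTHORISED = {
    "10.1.0.10": {"owner": "payroll", "patched": date(2008, 8, 28)},
    "10.1.0.11": {"owner": "intranet", "patched": date(2008, 6, 2)},
}

# Constructed sample discovery-scan output: (host, port, HTTP Server banner).
SCAN = [
    ("10.1.0.10", 443, "Apache/2.2.9"),
    ("10.1.0.11", 80, "Microsoft-IIS/6.0"),
    ("10.1.0.57", 80, "Apache/1.3.33"),
    ("10.1.0.58", 8080, "Jetty/6.1"),
    ("10.1.0.57", 443, "Apache/1.3.33"),
]

@dataclass
class Finding:
    host: str
    ports: list
    banner: str
    reason: str

def review(scan, authorised, today=TODAY, max_patch_age_days=30):
    """Flag scanned web hosts missing from the inventory, plus authorised
    hosts whose last patch is older than max_patch_age_days."""
    seen = {}
    for host, port, banner in scan:
        seen.setdefault(host, {"ports": [], "banner": banner})["ports"].append(port)
    findings = []
    for host, info in sorted(seen.items()):
        ports = sorted(info["ports"])
        entry = authorised.get(host)
        if entry is None:
            findings.append(Finding(host, ports, info["banner"], "not in authorised inventory"))
        else:
            age = (today - entry["patched"]).days
            if age > max_patch_age_days:
                findings.append(Finding(host, ports, info["banner"], f"patch overdue ({age} days)"))
    return findings

def compliance_rate(scan, authorised, today=TODAY):
    """Fraction of discovered web hosts that are both authorised and patched."""
    hosts = {host for host, _, _ in scan}
    return 1 - len(review(scan, authorised, today)) / len(hosts)
```

Running `review(SCAN, AUTHORISED)` on the constructed data reports two unlisted hosts and one authorised host whose patching is 99 days out of date, which is the kind of list a quarterly compliance review would work from.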


Monday, September 08, 2008

Facebook for US intelligence forces launching this month - time to revisit a whole-of-government intranet?

A-Space, an online collaborative space for US intelligence operatives, is planned for launch this month, giving all 16 US intelligence agencies a streamlined and effective tool for sharing information and collaborating - activities that have been criticised as previously lacking across US intelligence initiatives.

As reported in FCW.com, in the article, A-Space set to launch this month, after logging in,

analysts will have access to shared and personal workspaces, wikis, blogs, widgets, RSS feeds and other tools. To log in, analysts will need to prove their identity using public key infrastructure, and their agencies must list them in the governmentwide intelligence analyst directory.

Like many social-networking sites, each analyst will create an online personal profile, and colleagues can see what others are working on and the A-Space workspaces that they are using. In addition, much like Facebook, users can also post notes on one another's profiles.


The A-Space social network will include a search tool and data sets from six agencies at launch, with more to be progressively added.

We've seen several other western jurisdictions introduce cross-agency or whole-of-government intranets (such as Singapore), and there was a commitment made in Australia to establish a whole-of-government intranet by the end of 1998, which never came to fruition.

Perhaps it is time to revisit this.


Getting the basics right - US presidential hopefuls fail website navigation

Forrester Research has released a report critiquing the navigation of the websites of John McCain and Barack Obama, claiming that both fail basic navigation tests by potential voters.


Nextgov reported in the article, Web sites of both presidential candidates fail to connect with users, that,

Forrester used five criteria in its evaluation: clear labels and menus; legible text; easy-to-read format; priority of content on the homepage; and accessible privacy and security policies. McCain's site passed two of those benchmarks: clear and unique category names and legible text. Obama's site succeeded in one area: straightforward layout making it easy to scan content on the homepage.

Neither site gave priority to the most important information on the homepage, or posted clear privacy and security policies, Forrester concluded.

This came on the back of another report by Catalyst, which tested seven criteria. The Nextgov article quotes that,

Catalyst asked individuals to perform seven tasks while evaluating each campaign site, including donating money, reading the candidates' biographies and finding their positions on specific policy issues. Obama's site stood out for its design and navigation, but users were confused about certain labels on the homepage, such as "Learn," which contained links to information about the Illinois senator's background and policy positions.

What were the lessons for all government sites?
  • A modern professional look is critical for drawing in users and making them want to use the site.
  • Effective prioritisation of information (most important at top) and clear, simple navigation are important for the success of a website, but if the look isn't right users won't stay long enough to use it.
  • Focus on the most important information and reduce the clutter, direct users to the most useful information, activities and tools for them.


Sunday, September 07, 2008

Addressing customer service for the email channel

From my experience in government, both as a customer and as a public servant, I've discovered that when addressing emails from citizens, government agencies often treat email as surface mail rather than as a phone call.

This means that citizens who choose an electronic communications route can often expect response times measured in weeks or months, rather than in minutes or hours.

Personally I find this unacceptable.



In asking why this was the case I have been told that government cannot discriminate based on mode of contact, and that we therefore cannot respond faster to customers choosing to use email rather than surface mail - even though a wait of even a few minutes is considered unacceptable for phone calls.

I have also been told by some departments (by phone or via their websites) that they cannot respond by email at all. That to protect my privacy they must send messages via surface mail - that post is more secure, more convenient or more official - even if I am happy to accept the risks and choose to email them.

I saw a similar situation in the private sector five years ago. Companies were unsure whether to treat emails as a postal medium or a telephonic one.

They did not have a clear understanding of how email worked technically and did not trust its reliability or security (compared to other mediums).

They did not have staff trained or processes in place to handle a high-speed written medium.

Fortunately, at least in the private sector, many organisations are now more mature in their understanding and application of email.


Treat email as a phone call, not as a letter


My solution to ensuring emailing customers get the right level of respect and service in both public and private organisations has remained the same - treat emails as phone calls.

Email is perceived by the community as a nearly instant form of communication, like the telephone or face-to-face.


None of us would let a phone ring for a month before answering it, so why subject customers choosing email to this?


Address security and privacy concerns in a positive manner


Email is often treated with suspicion by organisations, due to perceived security issues in how it is transmitted from place to place and the concern that it is easy to intercept.

However people have adopted email regardless of perceived risks due to its benefits - high speed and low cost with a fast response time. Today, throughout western countries, people send many times more emails, often of a personal nature, than they make phone calls.

Given that government organisations have a greater obligation to protect citizen information than do our customers themselves, how can this be addressed?

I have a three point plan I have successfully used in organisations (including my current agency) to begin to address these concerns.


Three steps to better customer service (by email)


1. Formally assess the risks of email alongside telephony and surface mail


Many organisations have a de facto email security policy, one that has grown from personal opinions, interpretations and often from misunderstandings about the medium rather than through an objective and formal risk assessment process.

This is easy to address - get the legal, technical and customer service people together in a room and assess the risks of each form of customer contact.

It is particularly important to assess relative risk, for example:

  • Are the security risks of email greater than for mail, fax, telephony or face-to-face?
  • Is postal mail guaranteed to be delivered?
  • Is it easier to steal letters from a mailbox than emails from a computer?
  • If people choose VOIP telephony, is this treated as email for security purposes?
  • Can different levels of privacy be enforced for different mediums/security levels?

Consider different scenarios, for example:

  • Are privacy considerations different when the customer initiates (email) communication (with personal information)?
  • Can customers explicitly provide permission to receive responses (by email) for a set period (even if done by phone or signed fax/letter), accepting responsibility for security?

Consider organisational capability, for example:

  • Are staff adequately trained to respond to emails?
    Just because people are good on the phone doesn't mean they are good at writing emails! An appropriate etiquette level may have to be taught.
  • Is the organisation appropriately resourced to address emails in a timely fashion?
    International benchmarks indicate that optimally emails should be addressed in less than four hours, with two days the maximum timeframe people are prepared to wait for adequate service. Can your organisation achieve this - and if not, what mitigations does it put in place to communicate this to customers (who will email anyway!)?

Assess customer expectations, for example:

  • What do customers expect in terms of privacy in email and other mediums?
  • Do they expect the same detail level in responses?
  • How fast a response do they expect?
  • Do they expect organisations to answer as much as they can and then refer the customer to another channel?

Out of this it becomes possible to correctly understand the medium's characteristics, the real risks, what customers expect and then determine the mitigations which diminish, remove or defer any critical risks.


2. Change internal policies that do not reflect law

Often a side-effect of not having conducted a formal risk assessment, internal email policies may not always reflect the current laws of the land (policy is often stricter).

Once a formal risk assessment has been conducted, you should review and rewrite internal policies on customer communications to reflect the risk assessment outcomes.

These policies should include details on when and how a customer can choose to accept the risks and take ownership of the security of the process.

If you find that there are no written policies, write them down and communicate them widely. They should include the background and 'myth-busters' as well as the code of (email) conduct.


3. Review laws to meet community expectations

Sometimes it's the actual laws themselves which are out-of-step with community sentiment and concerns.

Laws are living things, frequently being amended and adjusted to address new situations and changes in social norms.

Privacy and security laws are no different to other laws in this and require regular review to match citizen expectations - there is no 'right' level of privacy, it is dictated by public opinion.

As such, if your customer sentiment reflects a different view and acceptance of (email) security than do Australia's laws, feed this information back into the policy process.

Change is possible, and it will allow your organisation to provide better customer service as a result.
