Friday, March 25, 2011

Is it practical for government agencies to block web-based mail?

The Australian National Audit Office has just released a report 'The Protection and Security of Electronic Information Held by Australian Government Agencies' based on a review of the approaches to information security by four agencies, the Office of Financial Management, ComSuper, Medicare Australia, and the Department of the Prime Minister and Cabinet.

Amongst other recommendations was one which has been much discussed on Twitter this morning, "emails using public Web-based email services should be blocked on agency ICT systems, as these can provide an easily accessible point of entry for an external attack and subject the agency to the potential for intended or unintended information disclosure."

This reflects the recommendation in the Defence Signals Directorate's Information Security Manual, the 'bible' for Australian Government agencies when it comes to ICT security, which states on page 100 that:
Agencies should not allow personnel to send and receive emails using public web-based email services.

The concerns are very clear and relevant - web-based email systems can easily be used, inadvertently or deliberately, to distribute large quantities of citizens' personal information, or an agency's In Confidence or other classified information, rapidly and to large numbers of people, making it impossible to contain the spread of the information.

Web-based email is also a potential source of attacks against an agency, through viruses, worms and trojans in email attachments (which may not be scanned to the same standard as departmental email) and through web links in emails leading to compromised websites.

I don't dispute these real concerns. They are concerns for corporations as well.

However, I do ask - what is 'web-based email'?

Most people are aware of the classic web-based email services, Windows Live Hotmail, Yahoo mail and Gmail amongst many, many, many similar services (here's a list of 18 web-based email services - and that's just a start!)

These services follow a standard email model - an inbox, outbox, capability to send and receive email, with attachments and some ability to organise and file emails into folders. Most have automated spam-checkers too, some exceptionally good.

However while they LOOK like email software, they aren't really email software. They are simply web pages providing access to text, links, file upload/download and some buttons.

Any webpage can be designed the same way. In fact it would be hard to find any webpage without at least two of the same features.

In other words, while they look like email and act like email, they're really no different from going to any website which allows people to click on a link or download a file.

Regarding the risk of downloading or clicking on a link with a malicious payload (virus, trojan, etc), web-based email web pages provide no additional risk to standard web pages except, perhaps, that they have content targeted to an individual with a government email address.

There may actually be less risk in using popular and widespread web-based email services as they do employ sophisticated scanning techniques to limit spam and malicious payloads. It is in their interest to not allow their users to become infected with viruses as their business would suffer as a result.

In fact, in some cases the large web-based email providers may offer more security in preventing spam and viruses than a corporation or government agency can offer to its staff using official email accounts. The large web-based email providers have hundreds of millions of users and their business is providing web-based email, meaning they hire the best talent, employ leading edge solutions and invest far more into their email security than most corporations or government agencies can afford.


So far I've only talked about the identifiable web-based email systems; there are also several broader considerations.

More and more online services are implementing systems like web-based email for sending and receiving messages within a web browser.

This includes services like Facebook, LinkedIn, YouTube, Slideshare, Ning, Amazon, all forum systems and micro-blogging services like Twitter (allowing direct messages). Most ISPs offer web-based access to home email accounts. Even your bank probably does it.

In all cases these services provide you with the ability to send and receive messages, including links and sometimes also attachments.

They effectively act like web-based email services, without having the same name.

Blocking web-based email systems can be tricky without blocking access to the provider's other services, such as Google's analytics and webmaster systems. However it is (mostly) possible.

Blocking these other pseudo-web-based email services without blocking the service itself is most probably impossible in most cases. That would mean blocking staff from being able to monitor or interact (officially) over social media services, or even from accessing their bank accounts from work.


Another consideration is the vast array of services that could not remotely be described as having web-based email qualities but still allow people to share information online.

These services, like YouSendIt, DropBox, Scribd and a host of others (including web-based FTP services provided by ISPs and others) allow people to upload a file, or often many files, and share them widely. There are also services for making comments - every newspaper has one - and many services for anonymising where the data is coming from to prevent detection.


Now all of this may still be manageable if it were only defined organisations who provided all these services. However the barrier to setting up a new service that looks and performs like web-based mail, or allows files to be transferred, is almost non-existent.

Open source software exists to allow any person to create their own service in a matter of hours. Web-based systems allow you to create a web-based email facsimile in a matter of minutes. These services are widespread, easily discoverable and cheap.

People can set one up from home, or any public access computer and then access it at work. That's if they are not amongst the nearly 40% of Australians with personal smartphones, or the millions of others with laptops, netbooks and tablets and 3G connections to the internet. Personal internet connections at the office, every day.

I don't envy the job of ICT Security Advisors.


If an agency wished to prevent staff from sending files and information online to unauthorised recipients, or prevent the possibility of staff clicking on links or downloading files from the web that may carry viruses, there are only three solutions.
  • Whitelist a bare minimum number of sites that staff can access,
  • turn off internet access completely, or
  • establish effective policy guidance and education for staff, have managers monitor use and ICT Security advisers provide support and training.
While it may be easier for organisations to pick one of the first two options, they will experience staff backlashes, have difficulty recruiting younger people (now including people in their 40s) and be unable to effectively engage and respond to changing global and national events.

These approaches won't necessarily limit the use of personal internet-connected devices at work; many more staff might bring them in to get around the security settings (so they can do their banking and respond to critical personal events). These approaches may even increase the incidence of information leakage as disgruntled staff use the fax or photocopier and walk out the door.


The third option, which requires extensive senior leadership and support, is more effective in the long run, but is a harder sell due to the time and ongoing education commitment. However it is, in my view, the only approach to managing the use of web-based email and all similar services - in effect the entire internet - which serves the long-term interests of governments, agencies and staff.


Tuesday, March 22, 2011

Attorney-General's Department supports research into social media use during disasters

As reported in Mumbrella, the Attorney-General's Department is supporting research by the University of Western Sydney into how the public seeks and shares information via social media during natural disasters.

To complete the survey go here.


Monday, March 21, 2011

Why don't advertising budgets match audience behaviour?

For a very, very long time (more than ten years) I've been asking marketers and communicators in commercial and public sectors why they invest so heavily in producing and showing advertisements for channels which fewer and fewer people are watching and invest so little in the newer channels emerging.

In most advertising budgets there's still a massive amount for free-to-air television, moderate for radio and newspapers, a comparative small amount for online, cable or mobile advertising and virtually nothing for social media engagement.

Of course there's price differences - the cost of producing and screening a single television advertisement is far greater than that to produce and screen a web video for a month.

There's also a difference in how advertisements are developed. Television and radio are one-way mediums, with the focus on gaining attention and communicating a simple message in 1 minute or less - whereas cable advertising can be more interactive and online even more so (except for display advertising online, which doesn't have a good record of success in Australia).

The last few years of research on Australians have demonstrated that the internet is our number one medium, particularly for under 35s, however advertisers are still focusing their efforts on television - perhaps because that's what the older decision-makers watch.

This discrepancy has been brought home to me again by the Mumbrella piece, Natalie Tran: Bigger than free TV, on Natalie Tran, a 24-year-old student on YouTube who, in the second week of March, received 876,106 views.

As Mumbrella pointed out,

If she’d been on free TV, she’d have been the 42nd biggest show of that week, based on OzTam’s data.

She had more viewers than Nine’s Customs (876,000), Sunday’s edition of ABC News (872,000), RPA (868,000), The Mentalist (863,000), RBT (856,000). And indeed Top Gear (818,000).

A couple more interesting figures comparing Top Gear's channel on YouTube with Natalie's Community Channel:
Top Gear’s YouTube channel uploads have delivered 193m views. Natalie Tran’s Community Channel channel 357m.

Top Gear’s direct channel views – 15m; Community Channel, 47m.

Top Gear’s channel’s most viewed clip – 5.9m; Community Channel’s 34m. And no, I haven’t got the decimal point in the wrong place.
Surely it is time to begin shifting the budget a little further, and trialling more interactive initiatives than Simply. More. Display. Advertising.


Saturday, March 19, 2011

BarCamp lineup (at 10am)

Here's the current line-up for BarCamp Canberra presentations today.

LT1 - Big Theatre
9.30 How to deliver a kick ass presentation
9.50 Make Hack Void Community Update
10.10 Interact, robotics, wearable computing
10.30 Minecraft
10.50 Communication Science and Skepticism
11.10 E-Dialogue
11.30 Possible Skeptitechnical Improv
11.50 Enabling Digital Society - the gov part
12.10 Web apps enabling social inclusion
13.30 Web typograph or Jeckyl
13.50 Agile business management
14.10 Tweeting for your country
14.30 ABS, Open Standards, Metadata and how to win an iPad
14.50 Open Transit in the ACT
15.10 Zombie preparation for Disastro

TR06 - Tute room
9.30 Architecture for collaboration
9.50 Designing big complex things
10.10 Finding better ways to develop standards
10.30 Startups
10.50 Convergence TransMedia and the whole shebang
11.10 what do you do with a hole in the ground?
11.30 Video accessibility and HTML with JavaScript
11.50
12.10 Drupal - what would you like to know
13.30 Legal liability of open wireless for users and providers
13.50 SigInt
14.10 Open data - discussion of data.gov.au
14.30
14.50 Mapping a datavis
15.10 Gov 2.0 - where are we heading?


Friday, March 18, 2011

The coming open data battle - government versus commercial interests

I'm a big fan of opening up as much public sector information as possible in easily discoverable and reusable ways (taking into account privacy, security and commercial-in-confidence considerations).

The data allows citizens and organisations to build a more informed view of their government's activities, a good accountability measure.

It also allows the development of useful applications and services at low cost and even lower (frequently free) prices. Sure they may not be as polished as multi-million dollar services developed by governments or big business, however they allow citizens to choose the tools that work best for them. Government or big business can always use these learnings to build on.

Open data also allows government agencies to see what data other agencies have, and lets them use it to improve their models, understanding and policy. While often overlooked in the rush to provide data to citizens, often agencies have as much trouble discovering and accessing data from other agencies as citizens do.

However as more public sector data gets released, losers are also emerging, some with deep pockets and effective lobbyists.

Who loses when government data is released for free? Several groups spring to mind.

First are companies that make their living from licensing public information and selling it on (often with value-adds) at a mark-up. These companies allow agencies to extract a market price for their data without having to contend with the complexities of the open market. They often have a monopoly position, controlling access to a source of public data, and can be very resistant to losing their monopoly or seeing the data 'devalued' through free release.

Second are companies that rely on getting data first to build their edge. This includes stock market traders, where having information a few hours earlier than the market may be worth millions. It can also include the media, who thrive on 'exclusives'. Where data is released to specific journalists under Freedom of Information or through other channels ahead of others they have an informational edge over their rivals.

Next are organisations who prefer to obscure the true cost of goods and services in favour of complexity. Where customers can't compare prices effectively they can't make the best price decision, therefore they may choose expensive services based on brand and never realise they are paying more than they should. Sound like any industry you know?

Finally there are groups within government who prefer to keep citizens at arm's length: those who do not want too much scrutiny of their decisions, or who believe the public won't understand the broad context in which they were made. This group believes in only telling the public what they think the public needs to know.

We're starting to see some of these groups flex their muscles in jurisdictions that are releasing a great deal of public sector information, or who are legislating for organisations to become more transparent.

One group currently resisting openness in the US is the airlines. In the New York Times article, This Data Isn’t Dull. It Improves Lives, the journalist reports that,

...the Department of Transportation is considering a new rule requiring airlines to make all of their prices public and immediately available online. The postings would include both ticket prices and the fees for “extras” like baggage, movies, food and beverages. The data would then be accessible to travel Web sites, and thus to all shoppers.

The airlines would retain the right to decide how and where to sell their products and services. ...
The approach would make markets more transparent and efficient - allowing consumers to make a decision on flights based on complete knowledge.

So do airlines support this approach? Well, not completely. They want the right to choose when and how they display their fees - choosing to control the flow of information and force consumers to continue making sub-optimal decisions on partial information.

This reflects the situation in Australia with the Rudd Government's attempt to launch Fuelwatch and GroceryWatch websites. Petrol and grocery companies weren't particularly supportive of having the true cost of their products visible to consumers before they were at the service station or in the store. Once consumers were there it was far less likely they'd leave and shop elsewhere because of price. Of course the reason given was the complexity of exposing the prices publicly, although they don't seem to have this issue at the checkout.


Another example I have been watching is in Canada, where there's been an active discussion of the decision of BC Ferries to release FOI requests online at the same time they are released to the requester (where the request doesn't involve personal information).

Journalists have complained that the approach means they won't get an exclusive, removing their financial incentive for requesting government information in the first place. One journalist in particular, Chad Skelton, has written a series of pieces detailing why it is so important that governments allow media to profit from FOI requests, as otherwise they are unlikely to ask for this information and it won't be exposed for the public good. One of his articles worth reading is Why David Eaves is wrong about BC Ferries' Freedom of Info policies.

It is an interesting point, however I tend to sympathise with David's view - government information laws should not be designed to support the financial goals of media outlets, or any other organisations, over the goals of public openness and transparency. These laws should be designed to ensure that public information gains public scrutiny, not so that journalists can 'make' their careers with exclusives.


As we see more public sector information released by governments I expect we'll see more battles over its release. Some forms of opposition will be passive, providing information in the least usable formats possible or hidden away in websites; other forms will be active, direct refusals to release information (because it is incomplete, the context wouldn't be understood, or it isn't useful), court cases from commercial interests asking for information to be suppressed, or even active information sabotage where data is destroyed rather than published.

Reputations and fortunes can be made and lost over access to information. It is unlikely that entrenched interests will support changes to the playing field without putting up an ongoing fight.
