Proceedings 030702.pdf

NetSafe and Work in New Zealand
Ian Mitchell, FNZCS
What is Unacceptable Content?
We are talking about erotic content, pornography and racist, gender-biased and hate content here. The
definitions are irrelevant to this presentation. We shall group the above as Unacceptable Content.
When is Email and Web Access at Work Not Work?
We are distinguishing between work and personal email and web access from the workplace.
What is the difference? Work is activity for the benefit of the business.
Any inward content which is not for the benefit of the business is a personal activity being conducted in
working hours or in the workplace, possibly in lunch breaks or outside normal hours.
Any outward content which is about work but is not for the benefit of the business may be improper
disclosure of business information which may be confidential or have specific intellectual property
constraints on it.
This and any non-work related activity is personal.
What Rights do Employees Have?
The employee may have rights to use the corporate equipment and facilities for personal activities
particularly if there is no (marginal) cost involved and more so if they have been in the practice of doing
so and management knows and management has not said anything.
An employee may have been given specific rights to access training information or knowledge of general
value to work.
Management may wish to be tolerant of reading educational material, general news and hobby
information and of playing games in lunch breaks. However this does not confer a right on the employee.
What Rights do Employers Have?
Employers certainly have the right to stop corporate equipment being used by employees for activities not
directly relevant to work. This includes activities in breaks.
Employers must ensure guidelines for Occupational Safety and Health are published, repeatedly brought
to the attention of employees and enforced.
Volume of Unacceptable Content
It is reported by reliable sources that international telephone traffic may be as much as 30% unacceptable
content. So it is there in quantity and a lot of people access this content intentionally and others less so
and not necessarily intentionally.
[This means that telcos have a major role to play in stopping this content – but it is profitable to them!]
It is Really Extreme
Some of the images and particularly video clips are really extreme.
About 50% of men in NZ are comfortable about bare-breast and similar images.
But on the web there is every conceivable image – bestiality, violence, etc.
Sooner or Later You Will See It
As the level of spam increases generally your staff will get significant levels of spam – particularly if
their email address is on a web site or they service email generated from web sites. It takes about a year
for the volume to build up – 20 plus spams a day. About a third will be unacceptable content excluding
the viagra ones – the rest are mortgage/finance, multilevel marketing, etc.
Filtering will reduce the amount of spam but never 100% successfully and always at the cost of droppingsome valid messages. Some filters will remove images – including corporate logos etc and your printbrochure proofs.
So sooner or later an employee will get an image and call out “Hey guys, look at this!”And sooner or later an employee will subscribe to a site with unacceptable content.
Your policy will have to deal with incidents which are claimed to be “accidental”.
Unacceptable Use of Web and Email
Employees may use the web for their own entertainment – reading news, looking up sports results, game-
playing, watching sports videos, etc. This may be in working time or in breaks.
NZHerald subscribers spend about 45 minutes a day in working hours on the site – of course they are just“looking up the company’s share price and other essential business information”.
Your policies will have to deny any right to surf the web for non-work purposes or provide a mechanismfor managing this activity as sooner or later it will get out-of-hand.
Some Basics
Employment Conditions
You must have an Employment Contract to protect both your company and yourself from the actions you
will choose to take. Your actions may lead to litigation.
It must include or reference amongst other areas:
q E-Mail Policy
q Web Usage Policy
q Protection of Corporate Confidential Information (including customer’s confidential information)
q Protection of corporate personnel information
q Protection of intellectual property.
There are various classes of information that that will need to be explicitly mentioned:
q Corporate information which may affect the stock market
q Information about current negotiations with suppliers/customers
q Intellectual Property – computer programs, teaching materials
q Competitive information - corporate QA statistics, corporate processes
q Personal Private Staff Information.
Your employee must be specifically bound not to email this information to other than appropriate
persons.
Surveillance
The company needs to be able to implement surveillance to ensure this information is not being
improperly “leaked”.
Law in this area of surveillance is still being developed in our courts.
A major guideline is that the employee must know that you are watching them (except when by police).
So keep them aware of the issue – say, by publishing, statistics regularly.
If an employee has acted against corporate policy you must say so – every time.
Sexual Harassment
Sexual harassment is really defined in law so that if a person feels they have been harassed then they
probably have been.
In practice do not even try to make a judgement that an image is “ok”.
Ensure all employees in their employment contracts are given clear guidance that if another employee
complains and certainly if they complain again it is probably grounds for dismissal.
So What To Do
Have a Corporate Policy in Place
Have a quality Employment Contract.
Have an Equipment Use Policy appendix.
Make sure employees sign every page and re-initial every change and again at every 6-monthly review.
In the Policy say that private use of corporate equipment is not allowed.
Make it clear that all email and web accesses result in the traffic being held on the servers.
That these log files are readily available to system administrators.
That these log files can be legally read by management and other staff with delegated responsibility.
That management has a need to read them to optimise use which requires determining usage by type of
use and to verify that corporate communications are correct, timely and of a high quality and hence it will
be normal practice to read these files.
Define Private Use
Make clear that non-business use is banned or restricted.
Make explicit that secret, confidential and IP information must not be sent over email or posted to web
sites except where, when and how specifically directed by documented corporate processes. This clause
may be very prominent in some businesses, such as software houses.
Make it clear that the traffic will be monitored to ensure this security requirement is met.
Make it clear that unacceptable content when shown to others may result in Harassment claims.
Include a clear statement that if employees do use the corporate facilities for private purposes and even ifmanagement does not specifically object, this practice does not confer a right to continue such usage forprivate purposes.
Make it clear that management can block any email and web site access it wishes and at any time withoutprior notice; that management can change the filtering conditions at anytime without prior notice.
If staff receive content which is unacceptable they should explicitly advise their immediate manager or toa person such as a systems administrator who carries responsibility for managing the filtering andblocking tools.
Ensure “other employees” includes contractors or visitors to the premises.
Long Term Solutions
Email
Spam needs to be handled at the ISP or firewall level. They can detect high volumes of emails from one
source particularly to multiple recipients saying the same thing to them all. They can filter on that basis
rather than on content. [Distributed Checksum Control]
Filtering is now being based on content which is typical of what is sent out rather than on fixed content.
[Bayesian filtering].
Local mail servers can trap new senders and selectively apply filtering and can refer some traffic to a
PostMaster.
Emails from new senders can have any images filtered out or directed to the PostMaster.
Many emails will only have links embedded in them. These links can be checked against positive lists.
Thus one-off emails with list words in the content and links to unknown sites are highly suspect and may
be passed to a PostMaster.
Web Pages
Web Pages can be checked against a stop list of sites. Such lists can be obtained by subscription to
international sites.
But much porn will come through temporary web sites. Many of these will have webcam videos. Such
videos can be disabled. But the same technology is used for NetMeetings.
There is some progress with image recognition that can identify nude images.
Because of the traffic size associated with videos it is practical to say that such videos may be routinely
inspected by management. This inspection may be a simple scan of the list of URLs which contain video
images.
Note – Advertising
Spam filters must allow through Unsolicited Bulk Emails where they come from organisations emailing
members or valid targeted advertising.
Your suppliers will send you emails – possibly at your request. Subscribed lists must be recorded.
Bodies such as the NZCS or the Employers Association must be identified.
Thus a positive list of sources must be recorded.
Conclusion
To be NetSafe at Work management must ensure that the formal documentation and procedures
mentioned above are implemented and rigorously followed by management.
On a positive note my experience in managing software houses has not found this area a problem giventhat senior management clearly express that they are persons of principle and integrity and that theypersonally consider accessing such material below their personal standards and hence have correspondingexpectations of their staff.

Source: http://www.netsafe.org.nz/Doc_Library/netsafepapers_ianmitchell_work.pdf