Showing posts with label legal. Show all posts

Friday, March 28, 2014

What should agencies do when online services change their terms of use?

Governments around the world now rely on social media services to reach and engage citizens, disseminate information, monitor what people are saying and source intelligence to help address crises.

Many businesses also rely on digital channels for revenue and engagement reasons.

So what happens when an online service that an organisation uses updates its terms and conditions in a way that gives the service rights an agency or business is uncomfortable with - such as claiming ownership of anything published on the service, or taking an unlimited right to people's personal information?

Organisations can choose to stop using such a service, but doing so can be difficult.

Firstly, the practicalities of removing all the legacy data you've saved on the service - posts, presentations or documents - can be tricky. Some services don't allow deletion at all, or keep copies in the background after you delete.

Secondly, organisations need to find another, acceptable, place to put the content they removed - noting that they may have to move again if the second service changes its terms.

Thirdly, there's the issue of abandoning the organisation's community: both the people who were already using the service and interacted with the organisation there, and the people who joined the service specifically to interact with the organisation. How does the organisation reach them if it's no longer using the service?

If you think this is just a theoretical exercise, sorry - we've seen this type of issue before, when online services have modified their terms and faced a huge backlash from their users.

And I think we're about to see it again with the release of the new LinkedIn and Slideshare terms.

LinkedIn recently changed the Terms of Use for all of its properties (including SlideShare which they own) to state, in part (bold italics are mine):

2.2. License and warranty for your submissions to LinkedIn 
You still own what you own, but you grant us a license to the content and/or information you provide us. As between you and LinkedIn, you own the content and information you provide LinkedIn under this Agreement, and may request its deletion at any time, unless you have shared information or content with others and they have not deleted it, or it was copied or stored by other users.
Additionally, you grant LinkedIn a nonexclusive, irrevocable, worldwide, perpetual, unlimited, assignable, sublicenseable, fully paid up and royalty-free right to us to copy, prepare derivative works of, improve, distribute, publish, remove, retain, add, process, analyze, use and commercialize, in any way now known or in the future discovered, any information you provide, directly or indirectly to LinkedIn, including, but not limited to, any user generated content, ideas, concepts, techniques and/or data to the services, you submit to LinkedIn, without any further consent, notice and/or compensation to you or to any third parties.

What does this mean in plain English?

The first bit sounds OK: "You still own what you own, but you grant us a license to the content and/or information you provide us." That's pretty standard for an online service. They need a licence to publish the material online on my behalf, so no problem there.

However when an organisation says that I am granting them "a nonexclusive, irrevocable, worldwide, perpetual, unlimited, assignable, sublicenseable, fully paid up and royalty-free right", red flags start to fly.

Anything that is irrevocable, global, perpetual and free is likely to cause issues at some point down the track - and the wording removes any ability to retract that right, such as by deleting a file or closing my account.

The next part is even worse - the right LinkedIn and Slideshare are taking (on an irrevocable, worldwide basis) is not only to display my presentations or information, but to "copy, prepare derivative works of, improve, distribute, publish, remove, retain, add, process, analyze, use and commercialize, in any way now known or in the future discovered, any information you provide, directly or indirectly to LinkedIn".

In other words, I may own the original work, but LinkedIn can make a derivative work, publish it and then charge people for it, and I can't do a thing about it. Suddenly any slides I've put up on Slideshare with useful data become a revenue stream for them - and I gave up my recourse by publishing on their service, even if I did so before they changed their terms.

Not only that: they don't just get the right to take my slides, delete a few and sell the rest, they can also turn them into any format and monetise that as well. If I told a good story in a slideshow, LinkedIn could publish it as a book; if I published a slide with the design for a cold fusion reactor, LinkedIn could build the reactor and sell it - paying me nothing in return.

Now that's scary - but it gets even worse... "including, but not limited to, any user generated content, ideas, concepts, techniques and/or data to the services"

So if I publish a presentation about my new start up concept to Slideshare, now LinkedIn can take my concept or technique and use it themselves, royalty-free, in any way they see fit.

And they never have to compensate me, or even tell me that they've done it (per "without any further consent, notice and/or compensation to you or to any third parties.")


Any organisation with intellectual property or data should carefully consider whether it is prepared to continue using Slideshare or LinkedIn to publish information about its services, products, potential products or data - because simply by publishing on one of these platforms, it grants LinkedIn a perpetual, irrevocable licence that is practically indistinguishable from ownership.

Even worse, as the new terms came into force when they were published, anything you had already published on these platforms is now covered by that licence.

I'm going to be far more careful about how I use Slideshare and LinkedIn in future - and will be advising the organisations I work with to similarly think carefully before they publish anything on these channels.

Any government agency or business that wants to retain control over its own content - including whether it can be copied, restructured and sold by an online service - should now be very careful about publishing on either LinkedIn or Slideshare.

Friday, September 21, 2012

How do you know that's really a government social media account?

On the internet, as they say, nobody knows you're a dog - or a government agency.

This can become a problem when Facebook pages, Twitter accounts, even websites, are set up that look like government accounts, but aren't.

We've seen this issue in the private sector, such as with fake Shell accounts that took in the media and the public.

It has also happened in the public sector, most often in the US and the UK.

It happens here in Australia too. Do we really know whether, for example, @ACTGov is a government Twitter account, or a fake account? (in fact I'm not really sure, but don't think it is)

This can obviously create problems for citizens and for governments. What if citizens get taken in by a fake account and make a poor financial or health decision?

What responsibility does the government have to ensure that citizens don't get defrauded in this way?

The US government has now taken steps to address this in a proactive way (ie - before there's a media scandal).

As reported by the eGovernment Resource Centre, the US government is developing a new tool that verifies the authenticity of government social media sites.

The tool will require agencies to register their official social media accounts through a system that only accepts registrations from people with authentic government email accounts.

There will then be a public validation facility on leading US government sites where users can check whether a particular account is listed.

This turns the burden of proof around. If an agency fails to register its accounts, they will appear less authentic because they won't be in the central database, which gives agencies an incentive to register.

Users can check whether an account is listed and, if it is, be confident that it is government operated.

Simple but smart. It protects citizens and also keeps track of government social media accounts, building a central directory populated by the agencies themselves.

I wonder if our government will consider similar steps to protect Australians and promote engagement with agencies?

It isn't a hard system to build, and it isn't expensive to operate.
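
The registration-and-lookup system described above, as an added example. This is not the US government's tool, nor code from the eGovernment Resource Centre; the government domains, the agency and the handles are constructed for illustration. Two details matter for a registry like this and are easy to get wrong: the e-mail domain check compares whole labels, so an address at a look-alike domain such as example.gov.au.attacker.com is rejected, and both registration and lookup go through the same normalised key, so a check on '@ExampleAgency' and one on 'exampleagency' find the same record.

```python
"""Official social media account registry (added example, not the US tool).

Registration is accepted only from an e-mail address whose domain is on an
allow-list of government domains; anyone can then look a handle up. The
domains, agency and handles below are constructed for illustration.
"""
from __future__ import annotations

import re
import unicodedata
from dataclasses import dataclass

# Hypothetical allow-list. A real registry would load this from configuration.
GOV_DOMAINS = frozenset({"example.gov.au", "health.example.gov.au"})

# Deliberately strict: one '@', a dotted domain, nothing else.
_EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)$")


@dataclass(frozen=True)
class Registration:
    platform: str        # e.g. "twitter", "facebook"
    handle: str          # normalised handle without the leading '@'
    agency: str
    registered_by: str   # government e-mail address that registered it


def email_domain(email: str) -> str | None:
    """Lower-cased domain of a well-formed address, or None if malformed."""
    m = _EMAIL_RE.match(email.strip())
    return m.group(1).lower() if m else None


def is_government_email(email: str) -> bool:
    """True only if the domain is an allow-listed domain or a subdomain of one.

    The comparison is on whole labels, so 'example.gov.au.attacker.com' and
    'notexample.gov.au' are rejected even though both contain the allowed name.
    """
    domain = email_domain(email)
    if domain is None:
        return False
    return any(domain == d or domain.endswith("." + d) for d in GOV_DOMAINS)


def registry_key(platform: str, handle: str) -> str:
    """Canonical key for (platform, handle): NFKC, leading '@' dropped, lower-cased.

    Handles that are not ASCII after normalisation are refused, so a handle
    spelled with a look-alike non-Latin letter cannot sit beside the real one.
    """
    h = unicodedata.normalize("NFKC", handle.strip()).lstrip("@").lower()
    if not h or not h.isascii():
        raise ValueError("handle must be non-empty ASCII after normalisation")
    return f"{platform.strip().lower()}:{h}"


class Registry:
    def __init__(self) -> None:
        self._accounts: dict[str, Registration] = {}

    def register(self, platform: str, handle: str, agency: str,
                 registrant_email: str) -> Registration:
        """Agency side: only government e-mail addresses may register."""
        if not is_government_email(registrant_email):
            raise PermissionError("registration requires a government e-mail address")
        key = registry_key(platform, handle)
        if key in self._accounts:
            raise ValueError(f"{key} is already registered")
        plat, norm_handle = key.split(":", 1)
        rec = Registration(plat, norm_handle, agency, registrant_email.strip().lower())
        self._accounts[key] = rec
        return rec

    def lookup(self, platform: str, handle: str) -> Registration | None:
        """Public side: None means 'not registered', which is not proof of a fake."""
        try:
            return self._accounts.get(registry_key(platform, handle))
        except ValueError:
            return None


if __name__ == "__main__":
    reg = Registry()
    reg.register("twitter", "@ExampleAgency", "Example Agency", "comms@example.gov.au")
    print(reg.lookup("Twitter", "exampleagency"))     # the registration above
    print(reg.lookup("twitter", "exampleagency_au"))  # None: not registered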

Wednesday, July 18, 2012

How Facebook has become a risk for public servants, and what you can do about it

If you are one of the majority of public servants with a Facebook account, it may be time to reconsider how you use the service.

As discussed in ZDNet's post, Is Facebook damaging your reputation with sneaky political posts?, Facebook is now posting messages in your friends' newsfeeds and saying you 'Like' them simply because you once 'Liked' the Facebook Page that posted them.

So what does this mean, and how is it a risk to public servants?  Here's how it works.

When you 'Like' a Page in Facebook, Facebook assumes this means you also like all the content - status updates, images and other material - that its administrators may post on that Page.

To be 'helpful' Facebook will automatically place some of the Page's content in the newsfeeds of your Facebook friends, with a notice that you 'Like' the content.

Facebook calls this a feature, as quoted in the ZDNet article,

To help people find new Pages, events, and other interesting information, people may now see posts from a Page a friend likes. These posts will include the social context from your friends who like the Page and will respect all existing settings.

This may sound innocent enough, but what it means in practice is that if you ever 'Liked' a Facebook Page for any reason, any new content posted in that Page may now appear to your friends as explicitly 'Liked' by you.

As Pages can change administrator, content and focus, the innocuous Facebook Page on pet rabbits you Liked two years ago may now start spewing controversial, obnoxious or otherwise inappropriate content into your Facebook friends' newsfeeds - with each piece of content indicating that you 'Liked' it.

This could be merely embarrassing, or it could put your career at risk.

Say you 'Liked' a Facebook Page for a charity you support that works in a policy area covered by your agency. Due to a change in government policy, that charity loses funding and, as a result, begins posting messages on its Facebook Page that are strongly critical of the government's new policy, to galvanise its supporters to write to the Minister. Even worse, one of the Page's administrators has been radicalised and frames some of these messages in very strong, almost abusive, language.

These messages begin appearing in the newsfeeds of your friends, complete with a notice that YOU 'Liked' them. Incidentally, you don't see them yourself, because Facebook doesn't notify you that it is doing this and the messages don't appear in your own newsfeed.

One of your friends (a colleague at your agency) is horrified that you'd act so unprofessionally and sends screenshots of the messages with your 'Like' to HR, notifying them that you've broken the public service code of conduct by publicly criticising your agency and the government.

You get called in for a discussion with your manager and a HR representative, who shows you the screenshot and asks you to explain your conduct...

Will they believe you when you claim ignorance?


Now compound this issue by thinking about every single Facebook Page that you've ever Liked.

Any of them could begin posting messages that could embarrass you or threaten your job and, thanks to this Facebook feature, automatically indicate that you 'Liked' each message.

Even worse, you don't know when they're doing it, because you don't see these messages in your own newsfeed.


So what should you do to deal with this?

Assuming you're not prepared to close your Facebook account or, at least, unLike every Page you have Liked, I recommend that public servants look at their 'Likes' page (accessible from their Favourites page) and check whether any of the Pages they've Liked are likely to post content that will get them in trouble in their friends' newsfeeds.

Then make this a regular habit: check all your Liked Pages every month to see what they're saying.

Finally, bring this Facebook behaviour to your agency's attention, so you won't be accused of 'Liking' content you didn't.

Sunday, July 15, 2012

Are Australia's web developers failing to deliver accessible websites?

In a recent story in ITNews, Accessibility checker surfaces errors, John Hibbert claimed that a new Mental Health website, www.mindhealthconnect.org.au, operated by the National Health Call Centre Network and funded by the Department of Health and Ageing, didn't meet the Australian Government's minimum web standards.

Based on a review using the AChecker tool against the minimum WCAG 2.0 'A' level of conformance, John reported that the checker:
highlighted two known problems, 245 "potential problems", 20 HTML validation errors and 115 cascading style sheet problems on the site.

I tend to take the results of these tools with a grain of salt. Many of the reported validation errors and style sheet issues are repeats of a single issue, or are not really issues at all, and the two known problems would take a couple of minutes to fix and do not pose direct accessibility risks.

However the article does highlight a concern I've had for several years - whether the Web Developers contracted to produce these sites for government always have the skills and knowledge to develop accessible websites.

I've seen this type of issue repeated a number of times. A policy or program area, possibly with support from a central communication or IT area, goes out to tender for a website. Web Developers respond, get assessed and the successful tenderer goes about creating the site.

A few months later the site is complete with days to spare before the Ministerial launch - but fails accessibility testing by the agency.

"We didn't understand how important accessibility was to you" says the Web Developer. Note that I was in the room when these exact words were said to an agency by a reputable web developer regarding a website which was developed iteratively and we'd been giving them feedback about accessibility for a number of weeks.

So what happens next?

If accessibility was not explicitly mentioned in the contract, the Web Developer asks for more cash to meet the requirement, even though it is a baseline requirement for all government websites across Australia, and says it won't be ready for launch.

If an accessibility level was explicitly agreed to in the contract, the Web Developer grudgingly assigns a junior developer to 'sort it out' - with a vague promise that it will be done in a few weeks or months.

The agency is left having to launch a website that doesn't meet the minimum and fix it as soon as possible afterwards - all because the Web Developer didn't recognise and act on the legal requirement for accessibility.

Of course there are many examples where Web Developers have done exceptional accessibility work for agencies, however I have seen and heard too many cases where professional Web Developers didn't understand the accessibility requirements of governments.

Delivering an inaccessible website to a government agency causes that agency to break the law and exposes it to significant risk of legal damages. No vendor should knowingly put a client in this position, particularly where it is so easily avoidable.

My view is that any Web Developer that doesn't deliver a government website to at least the minimum accessible standards (unless otherwise explicitly agreed to by the agency in question) should not receive any payment until they have addressed all accessibility issues.

They should also lose their right to bid for other government business until they can prove they have fully trained their staff on accessible web design.

These may be harsh and strong measures, and I doubt they will be considered due to contractual and practical issues.

However if a vendor contracted to sell a government agency a car that turned out to not be street legal or rent them a building that turned out to not meet the building code, government would walk away without paying and ask for damages, plus be very cautious about working with that vendor again.

Why should it be any different with illegal websites?

Friday, May 04, 2012

Is it theft if you personalise & retain an official social media account when you leave an organisation?

One of the legal and ethical dilemmas organisations are beginning to struggle with is the ownership of social media accounts.

When a staff member creates and uses a social media account solely or mainly for official organisational purposes, they can build a large following over months or years based entirely on their paid work activities.

However are they entitled to take that account, and the accumulated goodwill it holds, with them when they leave?


This might seem like a trivial question, however the followers and reputation built by a social media account may be no different to the brand value that organisations such as Google and Coca-Cola carry on their balance sheets.

Almost every organisation that deals with the public values its name and reputation with the public as an asset alongside the physical property of the business.

Whether you think of Starbucks, Microsoft, Ford or Joe's Mowing Service, the name and reputation of the business, as well as its contact list (like followers or Likes), has an asset value.

I believe this is also true for digital accounts, and there are cases before courts around the world where individuals who took an official social media account with them are being sued by their employers for its asset value.

One such case last year, reported on Sean Clark's blog, involved a company called PhoneDog, whose former employee, Noah Kravitz, tried to take a Twitter account with him by renaming it from @Phonedog_Noah to @NoahKravitz.

The account had 17,000 followers and PhoneDog took him to court claiming $2.50 per follower per month ($42,500/month), calling the followers a customer list, with the value attributed to the cost of growing and maintaining the list.

You can read more about this at What's a Twitter follower really worth.


So let's consider this in an Australian context. There are several senior public servants who use Twitter for official purposes - using their actual name in the account.

In particular Hank Jongen (@HankJongen) from the Department of Human Services and Sandi Logan (@Sandihlogan) from the Department of Immigration, whose accounts were established, and are operated, primarily as official communications channels for their agencies.

Besides these is another senior public servant, John Sheridan from AGIMO in the Department of Finance, whose Twitter account (@sherro58) is used for official purposes but also for personal use - it was not primarily established as, nor is it operated mainly as, an official communications channel.

My view would be that both Hank and Sandi's accounts are organisational assets, whereas John's account is his personal asset that he lends to the agency - similar to how, when I worked in government, I occasionally retweeted official agency tweets to bring them to the attention of a wider audience (my larger follower base), but my account was never an official agency channel.

Based on the model used by PhoneDog ($2.50 per follower per month), the value of Hank and Sandi's accounts are as follows:

Account         Followers   Value/month   Value/year
@HankJongen           807        $2,017      $24,210
@SandiHLogan        3,912        $9,780     $117,360

Now these values assume the number of followers remains static, which is unlikely, and the actual value of a follower may vary with the customer relationship. However there is a real value in these relationships, which is a real asset for their organisations - particularly when trying to communicate or defend complex positions.

In all the cases I've illustrated above the public servants behave very ethically, and I would not expect this to change, so I don't see them as risks to their organisations of leaving and taking their followers with them.

However this will not always be the case for all social media accounts.


In fact there is a recent example I can think of where I think the ethics are much greyer and which may even warrant an investigation.

This is in relation to the former QLD Labor Premier, Anna Bligh.

Anna was an enthusiastic adopter of social media for engaging citizens - and I applaud her for this - however I don't know whether there has been much consideration of the asset value of the account she used to tweet as QLD Premier, or whether she had the right to rename it '@AnnaMBligh' and take it with her when she resigned from politics.

Let's run through the history....

Anna became premier in 2007 and continued to use the Twitter account she'd been using up to that point, renaming it ''.

My view is that the language and manner of the launch of this account make it clear that it was to be the property of the Government of Queensland: an official Twitter account to be used by Anna and all Queensland Premiers following her. It was not to be the personal account of Anna Bligh (who already had one) or the property of the QLD Labor party.

However, following the recent Queensland election, in which the Labor party lost government and Anna, while retaining her seat, decided to resign from the QLD parliament, Anna did not hand this account over to the incoming Premier, Campbell Newman.

Instead she renamed the account to @AnnaMBligh and has continued to use it as her personal account since the election.

Meanwhile her former personal account (currently named @Premier_Bligh) has remained inactive since May 2009.

The incoming Premier has repeated the initial and, in my view, quite legitimate steps taken by Anna Bligh: his personal account @Campbell_Newman is now inactive, and on March 26 he created a new Twitter account with the same name as the former official QLD Premier account, @theqldpremier.

So it all balances out - or does it?

The Twitter account that Anna Bligh designated the "official Queensland Premier's twitter account", that she now operates as a personal Twitter account, currently has 30,773 followers.

The new official Twitter account that Campbell Newman has designated for the Premier has only 4,496 followers.

That's a difference of 26,277 followers that Anna accumulated over three years while tweeting officially on behalf of the government.

Let's go back to the PhoneDog case... If we consider these Twitter followers a 'customer list' (for the purposes of official government engagement), we can attribute a lost value to the QLD Government - and thereby QLD citizens - associated with the costs of growing and maintaining the list.

Let's use that $2.50 value per month again - noting that a court would have to test whether this is the right value for each follower of any particular official Twitter account.

On this basis the difference of 26,277 followers is worth $65,692 per month to the QLD Government.

Ergo, the cost to Queensland of Anna Bligh taking the official Premier's Twitter account home for personal use, denying its use to the Government of Queensland, is currently running at $65,692 per month.

The maximum potential cost to Queensland to date, assuming the official QLD Premier account has had the same number of followers from the start of May 2009 to the end of April 2012 (36 months), would be $2,364,930.

I estimate a more reasonable cost would be in the $1-$1.5 million range - based on $2.50 per follower per month.

So is this actually theft?

Should it be considered similar to a Minister taking home their office furniture for personal use after losing office?

That's for governments and courts to decide for certain.

However it is undeniable that the 'official Queensland Premier's twitter account', its followers and their relationship with the Government have been removed from Government control and now reside in the hands of a private citizen, to do with as she will.

Other organisations, in both the public and private sectors, really need to think about this example in their own context:
  • Are your official social media accounts assets?
  • What asset/brand value should you place on them?
  • What should you do if a staff member leaves and takes one, or more, accounts with them?
  • What guidance or policies do you need in place to prevent and manage this?

Friday, February 17, 2012

Victorian government launches inquiry into the use of social media in the house to reflect on the office of Speaker, by parliamentarians and public

Reading the eGovernment Resource Centre's newsletter this morning, I saw that the Victorian government has launched an inquiry into the use of social media to reflect on the office of the Speaker, looking at use while parliament is sitting by both parliamentarians and people in the public galleries.

The Legislative Assembly Standing Orders Committee is considering:

(1)    Should any restrictions, or guidelines, apply to members’ use of hand-held electronic devices in the Chamber and committees, including accessing social media to comment on the proceedings?

(2)    Should any restrictions, or guidelines, apply to the public and media using social media from the galleries to comment on proceedings or committee hearings?

(3)    Do the Assembly’s procedures and rules need modernising to reflect the opportunities and challenges provided by social media?

(4)    Is the current rule, preventing any reflections on the Office of Speaker, other than in a formal motion, still appropriate? If so, should the rule still apply to reflections made outside the House and to reflections made on social media?

The inquiry raises some interesting questions for me. Firstly, whether it is practical or worthwhile to attempt to prevent comments regarding a particular individual or office when they can be made worldwide, by anyone, at any time.

Also, whether any jurisdiction can put any kind of global gag in place. Certainly the parliament may be able to require anyone physically present in the chamber not to use social media. However if the proceedings are broadcast, or anyone in the chamber communicates with anyone outside it, preventing comments posted on social media by people not in the room, and potentially not in the same country, is impossible.

It will be intriguing to watch this inquiry unfold, to see how its outcomes influence other jurisdictions and, potentially, how technology develops to 'route around the damage' and bypass any laws or procedures put in place to limit the spread of information.

If you wish to contribute to the inquiry, for details visit the Parliament of Victoria's website.

Wednesday, February 08, 2012

Many national laws are increasingly irrelevant - how will governments adapt?

Facebook decides whether photos of nursing mothers may be displayed on its site (including in Australia and other nations where such photos are legal).

Google leaves China to avoid complying with its national censorship laws.

Gaming and gambling websites base themselves in jurisdictions where they are legal while attracting most of their customers from nations where such services are regulated or illegal.

Shoppers flock to buy online from countries where prices are cheap and the range is good, incidentally avoiding GST or sales taxes on goods, and, to compete, retailers such as Harvey Norman open online stores based in foreign jurisdictions to avoid charging GST.

People at home use proxies to bypass copyright-based regional restrictions on viewing certain content on services like Hulu, and establish overseas postal addresses with mail-forwarding services to avoid restrictions that only allow certain physical products to be sold in some jurisdictions.

Online pharmacies sell cheap drugs from Canada or Mexico to the US and pornography distributors sell their wares to consenting adults anywhere in the world, regardless of local laws.

Optus in Australia is legally allowed to distribute free coverage of sports events, provided it is received by customers' televisions, delayed 90 seconds and rebroadcast to customers' mobile phones - meaning that mobile sports rights have become almost worthless overnight.

Electronic games, books and movies banned in Australia are available for purchase online.

People in countries with restrictive media laws use online proxies and software freely distributed by the US government to learn what is happening in their own country and the world.

Movements even work together globally to circumvent government-ordered internet shutdowns or strong censorship in nations such as Egypt and Burma, allowing protesters to organise and citizens to remain informed and to inform the world.


Around the world many laws created by governments are under pressure from the growth of the internet.

Laws were originally designed by societies as formal codes to guide, manage or restrict the behaviour of people, the conduct of organisations and the disposition of assets attached to a particular geographic location.

These 'laws of the land' worked well in a world where the majority of people lived, worked and played in a geographically limited area, where movement between areas was tightly controlled and where assets were easy to recognise and tax but hard to transport.

This remains true in many respects. Minerals, animals and offices are found in geographic locations and can be difficult, if not impossible, to relocate. We largely live and work in geographically defined areas, allowing geographically based laws to be implemented and enforced.

However with the arrival of the internet and mobile technologies, certain assets, cultural values and behaviours began to drift beyond the control of any geographic nation.

Any content that can be digitised or product that can be transacted online may fall outside national borders, or cross many nations between creation and consumption.

Content that was previously scarce and controlled by national interests, such as news, education and research, can now be made freely available online to anyone anywhere in the world. Products that were previously shipped en masse by a relatively small number of agents (importers and exporters) are now transported by millions of individuals in much smaller quantities, making taxation and border control checkpoints difficult to enforce.

Movies, music, books and electronic games are easy and cheap to replicate, transport and share, despite the wish of copyright owners to lock them in vaults and dole them out to keep prices artificially high, as De Beers has managed diamonds.

Governments and courts are struggling to understand and re-interpret old laws in light of new technologies. Some laws and precedents date back hundreds of years, before the creation of the internet, television, radio, planes, cars or trains - all the technologies that shape modern life.

Some of these laws and precedents remain influential in legal decisions, square blocks twisted and jammed into round holes to band-aid the legal system in the face of modern technology.

How should government and society reconcile discrepancies between new technologies, modern life and law-makers, law enforcers and laws that have demonstrably not kept up with the pace of change?

Should policy makers ignore reality in favour of legislation shaped to favour aspirational ideals? Should police forces consider all citizens guilty of crime unless they can prove their innocence?

This struggle keeps broadening, from copyright, to retail, to gambling and human rights.

To attempt to retain control, governments have filled their streets with cameras to watch for criminal activity, legislated for ISPs to retain an online history of website visits for their customers (just in case law enforcement agencies might need it, regardless of privacy risks), maintained secret blacklists of content that their citizens are not entitled to see - or even to know what is on the list - and secretly developed legislation to protect corporate copyright owners at the expense of citizens.

All of these steps have occurred in liberal western democracies. Autocratic regimes have gone even further to harass and arrest online commentators and shut down parts of the internet.

Many nations appear to have become obsessed with watching their own citizens to catch the slightest infringements at the behest of the fearful, the political and the corporate interests.

I have not yet seen discussions over the relevancy and enforceability of national and state laws in the face of new technology occurring broadly, in a measured and thoughtful way, in Australian society or the public service. There are corridor conversations and conferences, but little research and mixed knowledge.

The question of how to reconcile the geography of the physical world with the expanding frontiers of limitless and jurisdictionally challenged cyberspace should be integral to many policy conversations. Even seemingly unaffected industries and people are touched, subtly, but profoundly, by modern technologies as their impact continues to ripple outwards.

Just as we require the human rights of citizens and the needs of Australia's region to be considered in legislation, we need to begin considering the workability of geographical laws in the face of modern technology.

In some cases our police and courts will need to work closely with other jurisdictions, even those with diametrically opposed views, in order to detect crimes and detain criminals.

In other cases we need to debate how far legislation needs to restrict our own citizens in order to protect corporate non-citizens.

We need to review all of our laws in the face of modern technology to decide which remain workable, cost-effective and practical and determine which require improvement, international agreements or are just plain unenforceable.

And we need to do this regularly as technology keeps moving.

For any geographic state to retain pre-eminence in meeting the needs and wants of its citizens, constraining behaviours that society does not wish propagated and protecting the body, person and interests of individuals, governments need to move to the front foot regarding modern technology and stop treating it as the 'other' or a special case.

Governments need to recognise and internalise that our civilisation is technological by its nature. Our culture, values and behaviour are continually shaped by what is possible with technology and what technology has unlocked. 


Friday, February 03, 2012

How should agencies moderate their online channels?

While government agencies often have limited options in the approaches they can use for moderating third-party social media channels, there are a number of ways they can choose to moderate channels under their control, including blogs, forums and wikis.

There's limited official guidance, and no real mandates or instructions for particular moderation approaches available across Australian government (to my knowledge). This is partially a good thing, as agencies need to consider what works for their goals and the sensitivity of their engagements, not merely follow a central line.

I have been asked a number of times by various people about the best approaches to moderation and how other agencies choose to moderate, however I only recently put together a quick review, based on a request in my job.

As this is public information - something that can be observed when visiting any particular blog or forum - and there is widespread interest as agencies look at what each other is doing, and why, to help inform their own decisions, I thought it worth publishing the list and allowing other agencies to add to it, so government agencies can both share this important information and collectively learn from it.

The spreadsheet, Australian agency moderation of online social channels, is available for viewing and editing here.


I also thought it worthwhile to provide some basics on moderation, what is it, how it can work and why it's done.

In my mind moderation differs from censorship or approval. It is a conversation management technique used to influence conversations to keep them on track and at a 'Goldilocks' temperature - not too hot (for example people yelling at the top of their voices) nor too cold (for example people speaking in icy tones).

Other purposes for moderation include risk management, particularly around legal considerations of defamation, copyright and the publication of inappropriate/offensive material and guiding the culture of an online space. Just as organisations develop cultures, so do online spaces. These may be positive, supportive, respectful and engaging or abusive and demeaning, depending on the management approach.

Where an owner or manager of an online space fails to have mechanisms like moderation and community guidelines in place upfront to help shape and underpin the culture they wish to support, there is significant risk of the culture developing in unintended directions and being difficult to manage once a given audience moves in.

Censorship and approval, on the other hand, are control techniques used to enforce the owner's views and beliefs over those of the community. Both provide broader control over conversations, not simply influencing them but actively constraining them to what the online space's owner feels is appropriate.

In these regimes the reasons why comments are not published are often highly subjective or based on the internal beliefs of the online space's owner rather than on objective guidelines for conversation. Censorship in particular is about prohibition of content, which can limit conversations to politically correct lines of thought - not good for a robust discussion or the debate of 'left field' ideas - whereas approval of content risks enshrining a user's views as being somehow endorsed or supported officially by the space's owner, which may not be the case.

As the owner or manager of an online space, when moderating you have to allow views that disagree with you to be published, provided they are not abusive or defamatory. However when censoring or approving you may choose to publish only a selection of the views which disagree with you, or not publish them at all.

Obviously moderation can be more uncomfortable, particularly in political environments, as you can be more readily challenged. However the outcome is far more inclusive, encourages a broader level of participation and provides opportunities to influence and be influenced.

When it comes to how organisations moderate, there are several different approaches to choose from.


Pre-moderation
The first place people commonly go is pre-moderation. This means that, as the manager or owner of an online space, you read and review every comment as it comes in against your moderation guidelines before you allow it to be published. As this process suggests, it becomes resource intensive in active communities and doesn't scale well, hence it is not used by the owners of services such as YouTube, Facebook, TripAdvisor or other large community or social sites.

Pre-moderation offers the illusion of greater control and lower risk, as you check everything, however there are often legal factors at play which mean that a court could hold the online space's owner to a higher standard and consider therefore that, by pre-moderating, they are more responsible for the comments from users than if they explicitly did not pre-moderate.

Therefore unless you have highly trained moderators (with an in-depth understanding of defamation, copyright, discrimination and other applicable laws) pre-moderation can risk greater legal liability for an organisation. However don't take my word as a non-lawyer on this (I am not offering legal advice), please consult your lawyers regarding your agency's circumstances.

Pre-moderation has another major negative - it kills conversations. While it may be a suitable technique for a blog, where comments are usually in reaction to the original post, in forums, wikis, social networks and other conversational online spaces, pre-moderation is usually the kiss of death for a community. It is simply not possible to have a timely or coherent conversation when a minder at your shoulder is screening each of your words before they are heard.

I like to compare this to the process for holding town hall meetings. Sure, you may vet who is allowed in the door and manage the flow of conversation in the room by laying down ground rules and limiting time per statement or question, even closing down or ejecting abusive or defamatory speakers. However you cannot effectively have a spontaneous open discussion if each speaker is required to pre-submit all of their questions or comments for moderation - why hold the town hall at all?

Post-moderation
The other main approach to moderation is post-moderation. This involves establishing a clear and publicly available set of moderation guidelines (which should be public even when pre-moderating) and reviewing comments after they are published and publicly visible within your online space.

While this may sound risky, it hasn't proven to be in practice where a community is well-managed and it is made clear that at times comments will appear which may be inappropriate, but they will be removed once detected or reported. If necessary, risks can be further reduced by pre-registering users and holding their first comment for pre-moderation (which is also a spam control approach - more on that later).

Post-moderation is used by the vast majority of large community sites, often with mechanisms for users to report content they feel is inappropriate so that the owner can take any appropriate steps.

The benefits of this approach include reduced resourcing and the ability to scale quickly to any size community, important for organisations who don't know ahead of time how large a community may become. Post-moderation also offers support for free flowing conversations, meaning that forums and wikis actually work and may deliver the outcomes you seek - provided you have built and promoted the community effectively and the topic is of interest to your audience.

Post-moderation can also reduce - but not totally avoid - the potential legal risks that pre-moderated communities face. However it remains important to have a level of trained moderation capability on hand to respond quickly to reports of inappropriate commenting.

Best moderation approach
In my view in most cases post-moderation is the preferable approach, however organisations need to be ready to shift temporarily to pre-moderation where events dictate. Pre-moderating the first post of new users, where users register or otherwise have a persistent identity, is a useful additional technique where it is not likely to alienate users en masse, and having clear methods for participants to report poor behaviour is a must.

There are cases where it is better to pre-moderate, such as for highly emotive topics or where there is significant risk of politically motivated groups deciding to invade en masse and take control of a space for their own goals.

Government agencies do have special circumstances that can require pre-moderation to be used at certain times, such as during caretaker period before an election, during a national emergency or when significant machinery of government changes are taking place. Public companies may also need to consider it during share freezes or prior to major public announcements.

If you establish your system effectively, switching from a post-moderation to a pre-moderation environment (or vice versa) should take no more than a few minutes to achieve technically - provided any changes in community guidelines or moderation policy are prepared ahead of time. In fact, if you are running a post-moderated space I would strongly suggest that it is worth pre-preparing the guidance for pre-moderation just in case you ever need it.

Spam management
Another area worth touching on is spam - the bane of all system administrators. It is estimated that up to 90% of all email transmitted over the Internet is spam, unsolicited commercial messages designed to make people buy, or sometimes carrying malicious code with the hope of infecting systems for use in bot armies (for sending more spam or hacking secure systems).

Spam is also a persistent issue for online communities, though increasingly a manageable one. I recommend using one of the global anti-spam filters such as Akismet or Mollom, which are rated at over 95% effective at preventing spam from being published (that's at least blocking 95 of every 100 spam messages).

Other techniques also assist in spam management, such as using honey traps on registration or submission (form fields that spam bots - automated systems - see but human users do not) and using the first-post pre-moderation approach. Tools such as CAPTCHA can also help (where you must read and type in letters or phrases from an image), however there are techniques in use to circumvent these, and they tend to frustrate some users: often up to 20 percent of legitimate human users cannot successfully complete a CAPTCHA challenge - I sometimes struggle with reading them myself.

One thing I strongly advise against is using pre-moderation as an anti-spam technique. Generally the goal of preventing spam should not outweigh the goal of having an effective and flowing conversation. Stopping the community's discussion in order to protect against unsolicited commercial messages is a very big trade-off, similar to requiring all car drivers to submit to breath analysis EVERY TIME before they can drive on a public road. Sure this approach would reduce drink driving (though heavy offenders would find a way around it), but it would unduly punish the majority of drivers doing the right thing.
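As an added example (not code from the original post), here is a small Python model of the moderation pipeline described in the "Best moderation approach" and "Spam management" sections above: a space-wide switch between pre- and post-moderation, holding the first post of a new user even in post-moderation, a hidden honey trap field that bots fill in but humans do not, and community reports that pull a published comment back for review. The report threshold of three is an assumed value, and all comments below are constructed sample input.

```python
"""Comment moderation pipeline (added example, not from the original post)."""
from dataclasses import dataclass
from enum import Enum


class Mode(Enum):
    PRE = "pre-moderation"    # every comment is held until a moderator approves it
    POST = "post-moderation"  # comments publish immediately and are reviewed afterwards


class Status(Enum):
    PUBLISHED = "published"
    HELD = "held for review"
    REJECTED = "rejected"


@dataclass
class Comment:
    author: str
    body: str
    honeypot: str = ""          # hidden form field; a real browser submits it empty
    status: Status = Status.HELD
    reports: int = 0


class ModeratedSpace:
    # Assumed value: number of user reports that hides a comment pending review.
    REPORT_THRESHOLD = 3

    def __init__(self, mode: Mode = Mode.POST) -> None:
        self.mode = mode
        self.approved_authors: set[str] = set()  # registered users with one approved comment
        self.comments: list[Comment] = []

    def switch_mode(self, mode: Mode) -> None:
        """Flip between pre- and post-moderation, e.g. for a caretaker period.

        Technically instant; the guidelines for the new mode should already be prepared."""
        self.mode = mode

    def submit(self, comment: Comment) -> Status:
        """Apply the space's rules to an incoming comment and record it."""
        if comment.honeypot:
            # Honey trap filled in: a human never sees the field, so treat as a bot.
            comment.status = Status.REJECTED
        elif self.mode is Mode.PRE:
            comment.status = Status.HELD
        elif comment.author not in self.approved_authors:
            # First post from a new user is held even in post-moderation.
            comment.status = Status.HELD
        else:
            comment.status = Status.PUBLISHED
        self.comments.append(comment)
        return comment.status

    def approve(self, comment: Comment) -> None:
        """Moderator decision: publish and trust the author's future first posts."""
        comment.status = Status.PUBLISHED
        comment.reports = 0
        self.approved_authors.add(comment.author)

    def reject(self, comment: Comment) -> None:
        comment.status = Status.REJECTED

    def report(self, comment: Comment) -> Status:
        """Community reporting: enough reports hide the comment until a moderator looks."""
        if comment.status is Status.PUBLISHED:
            comment.reports += 1
            if comment.reports >= self.REPORT_THRESHOLD:
                comment.status = Status.HELD
        return comment.status

    def visible(self) -> list[Comment]:
        return [c for c in self.comments if c.status is Status.PUBLISHED]


if __name__ == "__main__":
    space = ModeratedSpace()                     # start post-moderated
    bot = Comment("bot", "cheap watches", honeypot="http://spam")
    first = Comment("alice", "A question about the consultation")
    print(space.submit(bot), space.submit(first))   # REJECTED, HELD (first post)
    space.approve(first)
    second = Comment("alice", "A follow-up")
    print(space.submit(second))                     # PUBLISHED
    for _ in range(ModeratedSpace.REPORT_THRESHOLD):
        space.report(second)
    print(second.status)                            # HELD after three reports
    space.switch_mode(Mode.PRE)                     # e.g. caretaker period begins
    print(space.submit(Comment("alice", "Now held")))
```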

In conclusion...
With no clear guidance or mandated approach for moderation from any Australian government (that I am aware of when writing this), agencies all have a choice on how they wish to moderate online spaces they manage.

I think this is a good thing as moderation will always be horses for courses. However I strongly recommend that agencies seek legal advice and consider the choices and reasoning of other agencies before striking out in a particular direction.

I also strongly recommend that you share your approach and moderation guidance with other organisations so, collectively, agencies improve by building on each others' experience and expertise.

One way you can do this is by adding your moderation approach to this spreadsheet: Australian agency moderation of online social channels.


Monday, January 23, 2012

New Inside Story policy: provide your full name for publication or your comment won't be published

I have had a great deal of respect for the Australian Policy Online (APO), produced by the Australian National University and University of Swinburne.

For several years the site has been a fantastic venue for serious discussions of public policy options, and a very useful source for policy resources and research. The site also, without prompting from me, republished several posts from this blog.

However, after commenting on an article in the Inside Story section of APO late last week, I received an email from the editor pointing out a change in their commenting policy.

Now anyone who submits a comment to Inside Story, as part of APO, must provide, and be prepared to have published, their full name. This new policy is detailed following their full articles using the text as below (highlight is mine):

Send us a comment

We welcome contributions about the issues covered in articles in Inside Story. Well-argued and clearly written comments are more likely to be published, and we’re now asking all contributors to provide their full name for publication. Because all comments are moderated, they will not appear immediately. Your email address is never published or shared. Required fields are marked *.
Now while I appreciate the sentiment of an editor who wishes to avoid spurious comments from people using pseudonyms or commenting anonymously, I found myself uncomfortable with the prospect of a website that forces anyone who comments to publicly reveal their real name in full.

I wrote a piece about this very topic a few months ago for Mumbrella, Toughen up - we need online anonymity, which discussed the various pitfalls involved in forcing people to reveal their real identity.

While I am sure it isn't the intent of this policy, one major risk - particularly relevant to a policy discussion site - is that of excluding certain groups from the conversation.

This includes people who, if their identity is published, may face physical or financial risk, those in witness protection programs, people who fear online attack if their views are taken the wrong way, those involved with policy making who have suggestions or questions, those under the age of 18 and more.

In many policy areas there are people who need to be cautious about revealing their real names publicly for legitimate reasons - whether the topic be health, law and order, immigration, development, gambling, climate change or something else.

While it is the right of each publication or website to define its own moderation and publication policies, the effect of this policy may be to silence people who have valid and important contributions to make, reducing the richness, robustness and usefulness of discussions.

If the primary concerns of Inside Story's editor and publisher are inappropriate comments, defamation, personal attacks and the like, these can be handled through pre-moderation (which they do already), backed up by a public moderation policy and community guidelines (which I cannot find on their site).

Alternatively Inside Story could require people to register and provide their real name in their account details, then publish comments under a name or pseudonym that the user selects. This would ensure they had real names if needed and allows regular contributors to maintain a consistent identity while still providing them with sufficient room to make valuable comments that otherwise they may not feel comfortable doing.

When Inside Story's editor, Peter Browne (also credited as the Commentary Editor of Australian Policy Online), emailed me last week to ask if I was happy to have my comment published under my full name, I thought about it for a few minutes and then decided that, while I didn't mind my name being connected to my comments, it was time to take a stand: the damage to the public conversation could be too great. So I said no.

I won't be commenting further on Inside Story or Australian Policy Online while their current policy is in force, nor will I spend as much time reading the site. They remain welcome to republish my blog posts (which are licensed under Creative Commons, so I can't really stop them even if I had wanted to).

This decision may make me slightly poorer, however I believe Inside Story's decision significantly weakens their effectiveness and inclusiveness. The unintended consequence of forcing people to have their full name published alongside their comments is to make all of Australia poorer by stifling public policy discussion, particularly amongst those whose views most need to be heard.

I hope government agencies do not follow the same course on full names. It would severely restrict the value of the online channel to collect input on policy consultations and thereby make good policy harder to develop.

For the record, I've included a copy of my email exchange with Peter Browne, Commentary Editor of Australian Policy Online and Editor of Inside Story:
From: Peter Browne
Dear Craig, 
I’m not sure whether you noticed, but we now ask people commenting on articles to provide their full name for publication. Are you happy for your full name to appear with this comment? 
Cheers,
Peter Browne
Editor
From: Craig Thomler

Hi Peter, 
I didn't notice this policy change. I have now looked through your 'about' pages and see no mention of this - nor of your moderation policy. 
I would normally be happy for my full name to appear on my comment, and all my comments online are made on the basis that people can track down and find out who I am if they wanted to. 
However I'm not comfortable with a site that forces people to provide their full name publicly. This requirement prevents many people from commenting - those in witness protection programs, minors (such as 17yr olds), those concerned about stalkers, bullying, identity theft, privacy and so on. 
I see your policy as reducing the potential for open public dialogue without providing any safeguards. A backward step that only damages your reputation. 
It is also impossible to enforce anyway - people can use fake names and email accounts, thereby making your policy useless.
If your concern is around identity, have people register and use a unique username (which may or may not be their full name) - you still have their full name in the background, however they are not exposed publicly. 
If your concern is around inappropriate content, this should be managed through anti-spam and moderation techniques, potentially using the registration process above to allow you to identify and manage persistent offenders (where IP address isn't enough). Your moderation policy should be published so that commenters understand the basis on which they will be assessed. This is simply a matter of respect and setting the context of a discussion - similar approaches are used in face-to-face meetings. 
So in this case, I decline the publication of my comment and will not comment further on APO until your policy is adjusted to not require the publication of full names and is made easily accessible in your site along with your moderation guidelines. 
I will also be publishing this email in my blog to show the perils of requiring full names and linking to my post for Mumbrella: Toughen up - we need online anonymity (http://mumbrella.com.au/toughen-up-we-need-online-anonymity-58441). 
Cheers,
Craig
From: Peter Browne

Dear Craig,
My view is that if writers use their own names then responders should too. The policy is at the bottom of each article, just above the comment field. 
Cheers, Peter

From: Craig Thomler
Hi Peter,
Thanks for pointing this out. I had looked for dedicated 'Community guidelines' 'Comments policy' or 'Moderation policy' pages and looked at your summary articles, where I can still register or log-in to comment, but do not see the same message.
I now have looked at a full article and can see the text. It remains unclear on what basis you moderate.
Here's an example of what I mean by a moderation policy: http://myregion.gov.au/moderation-policy
I appreciate you believe that writers and commenters should have the same rights - although writers are often contributing for different reasons and have different agendas for expressing their views, some are even paid to do so, directly or indirectly (aka not necessarily by you). 
It will certainly be interesting to see how you decide to represent the writer when you receive an article from someone in a witness protection program or a whistleblower, and how you will treat comments. 
Cheers,
Craig


Monday, October 24, 2011

Cannot defame with a hyperlink - Canadian Supreme Court ruling

In the spirit of actually being in Canada, I learnt last Thursday that in a groundbreaking case the Canadian Supreme Court has supported two lower courts in ruling unanimously that hyperlinking to defamatory information is not the same as defaming someone, unless the information is replicated in the link or on the hyperlinker's site or page.

Learn more about the ruling (in a case originally brought in a British Columbia court by a Vancouver business person and political volunteer against a local website) in this BBC article, Canada Supreme Court: hyperlinks cannot libel. Yes there is a certain irony about reporting in Vancouver on a Vancouver case by referring to a British website - however I read the original story in a local (paper) newspaper.

This ruling may have flow-on influence on Australian courts, which do take some note of rulings in other Westminster jurisdictions, particularly in Common Law areas where precedents are important in clarifying grey areas in law.

The Canadian ruling, where the Court considered hyperlinks as "content neutral" (as hyperlinkers have no control over the content they link to), may even extend further to cases where links point to prohibited, but not necessarily illegal content, such as some Refused Classification (RC) content under Australia's classification for content deemed offensive but not necessarily illegal under Australian law.

Currently it is an offence to link to RC-rated content, or even to know what is rated RC - which poses a challenge for all individuals and organisations who may not realise that content they are linking to is prohibited in Australia. There has been at least one case where an Australian government agency has inadvertently linked to RC content (in a published user submission to a consultation) - which was certainly not the agency's fault.

Also as the destination content of links can change rapidly, or even appear different to users from different IP addresses, there is an ongoing risk under current Australian regulation that individuals or organisations might in good faith link to valuable relevant content which is later changed. I have seen this happen myself in a book on kids' websites with links where after publication several kids' sites were sold to adult content organisations who changed the content significantly. This could affect both defamation and RC related situations.

While I am drawing a bit of a long bow from a Canadian Supreme Court ruling to other manifestations of hyperlink-related law in Australia, it is an area that requires ongoing careful consideration and adaptation to reflect what is sound and practicable, not simply what may be popular or reflect an ideal state without recourse to technical facts.


Thursday, September 29, 2011

The role of social media during the Arab Spring

John Sheridan posted a link on Twitter to a very interesting analysis of the impact of social media on the revolutions across the Arab world over the last year.

The paper provides strong evidence that social media was one of the key causes of these revolutions due to its ability to place a human face on political oppression and had a critical role in mobilising dissidents to organise protests, criticise their governments, and spread ideas about democracy.

The report claims that social media had a central role in shaping political debates, for example,
Our evidence shows that social media was used heavily to conduct political conversations by a key demographic group in the revolution – young, urban, relatively well educated individuals, many of whom were women.
Both before and during the revolutions, these individuals used Facebook, Twitter, and YouTube to put pressure on their governments. In some cases, they used new technologies in creative ways such as in Tunisia where democracy advocates embarrassed President Zine El Abidine Ben Ali by streaming video of his wife using a government jet to make expensive shopping trips to Europe.
The report also provides evidence that online conversations about liberty, democracy and revolution on Twitter often immediately preceded large protests. This supports the use of social media as a civic organising tool.

Governments that attempted to shut down the internet, or specific social media services, were clearly also of the view that these were key channels for public dissidence outside their direct control, unlike government-run or influenced newspapers, radio stations and television channels.

Finally, the paper demonstrates how social media was used to open up internal discussions to the world, helping spread democratic ideas across borders, providing global support networks for local dissidents and informing the media, which then fuelled awareness, interest, engagement and support for the Arab Spring through media reports.

The paper is an excellent read and quantifies a number of the effects of social media during the Arab Spring, which could be used by political 'dissidents' in other countries to help influence local debate.

Note that like all research, it is a little of a two-edged sword, as the paper could also be used by governments seeking to minimise debate to pre-empt online dissidence by establishing frameworks that can be extended to allow strict control of online discussion.

These frameworks include national firewalls, broad-based and readily expandable online censorship regimes, internet kill switches and approaches that place the control of national internet infrastructure into government-controlled monopolies.

Often justified as beneficial initiatives designed to protect people from international cyberattacks, online fraud or inappropriate online content (which they may also do), these frameworks, if implemented without appropriate legal and privacy checks and balances, can be repurposed to restrict citizen access and quash undesired public debate, exclude certain individuals or organisations from participating online or even identify specific troublemakers for incarceration or worse.

I have embedded the document below for easy reading, or it can be downloaded in PDF format here, Opening closed regimes.
Opening closed regimes - What was the role of social media during the Arab Spring?


Monday, June 27, 2011

Turning open government petitions into policies in Latvia, using online banking to authenticate citizens

It can be difficult to get a perspective on the Government 2.0 activities in non-English speaking countries.

However thanks to Francis Irving, who posted an account in the My Society email list in the UK, forwarded to the OpenAustralia Community list in Australia, here's a very interesting mini case-study on one initiative in Latvia.

In this case the initiative was created outside of government, however has become part of their parliamentary and law-making process.

It involves using online banking accounts to identify users, in partnership with the major local banks. This is an approach I've not seen used anywhere else in the world.

It is a well-structured open government initiative and one that I think Australia could do well to model similar activities on.

I've quoted Francis' email below. To learn more, join the OpenAustralia Community list.

Francis Irving (posted 24/6/2011):
I just met Kristofs Blaus, who spent a year researching petition / online initiative projects across the world. i.e. things where citizens propose and vote on new laws.

He launched ManaBalss.lv (Eurosay.com) in Latvia two weeks ago. Already two laws are going into force entirely because of the site.

Six things you ought to know about it:
  1. 2 days after launch, the president of Latvia promoted an initiative on the site because 20,000 people had signed it. It is to open the owners of offshore companies. Within 1 week of launch (i.e. last week!) it was passed into law. http://eurosay.com/atveram-of-orus/show

    You can watch for future ones being signed into law on this page: http://eurosay.com/initiatives/signed

    (What self-respecting e-democracy site doesn't have a specific, high profile page, just showing things it has got passed into law!)

  2. Within 2 weeks, a second initiative got enough support that both major groups in Parliament now support it (it'll become law after the recess in September). It's a meta-law - it makes the platform itself mandatory, so if any petition gets 10,000 authorised signatures, then the creator gets 5 minutes in Parliament to present it.
    http://eurosay.com/atveram-saeimu-/show

  3. There is a workflow process for making sure the initiatives that get through are sensible (rather than tabloidy stuff that tends to be popular on the UK's no. 10 petition site).
    1. You write an original draft
    2. Comments by skilled volunteers tell you what is wrong with it.
    3. You can fix it up.
    4. Then you gather support. You get a URL. The initiative doesn't appear in an index on the site, you have to promote it yourself.
    5. When you get 100 people (they're going to up it to 1000 due to popularity)
    6. Some real volunteer lawyers make it into a proper, viable legal text in a PDF on the initiative page.
    7. It goes on the public site, where large numbers of people can back it.

  4. That process ensures that:
    - It is a real proposal rather than aspirational
    - It can be regulated by legislation
    - Technical details, such as if it requires a constitutional change, it is written in the right form

  5. It's social. The GroupOn/PledgeBank nature of gathering support, and then later the petition nature of getting people to back finalised initiatives, both encourage spread. It links to your Facebook/Twitter so the initiatives can have a montage

  6. To ensure it can't be gamed, you authenticate yourself to the site using your online bank account (via your social security number). It launched (undemocratically!) with just one bank, but the others were then desperate to be added.

  7. The site is now wildly popular. It trends all the time on Latvian Twitter. Politicians fall over themselves to back it. The media love it, as articles they publish about it get traffic from the site.
An article in English about it, but rare. Nobody has heard of this thing yet. Except you for being smart enough to be on this list ;) http://bnn-news.com/latvia%E2%80%99s-society-enormous-power-30587

Notably the two people who made it are businessmen rather than programmers. The coding was done by staff at Kristofs's company.

Kristofs Blaus - business strategy, inventing new products
Jānis Erts - marketing (he made this fake meteorite http://news.bbc.co.uk/2/hi/8326483.stm)

Obviously, the above formula is easy to critique in the UK. But I'm not really interested in that kind of stop energy.

What is extraordinary is that the right combination done in the right way can be wildly successful. That is almost certainly true here.

If anyone on the list wants to help Kristofs do that, please email me privately.

Francis


Thursday, May 19, 2011

21st Century society vs 19th Century laws and policing

Laws have always struggled to keep up with society, but rarely in such a vivid and public way as in Wednesday's arrest of Sydney Morning Herald journalist Ben Grubb, and the confiscation of his iPad.

The incident, well reported in the SMH, occurred when Queensland Police responded to a complaint regarding a photo hacked from one security expert's private Facebook page and displayed in a presentation at the AusCERT conference in Brisbane as an example of a major security hole in Facebook's system.

Grubb was attending the conference and received a briefing about the security hole. Seeing the public interest in telling the community that their supposedly private Facebook photos could be easily accessed, Grubb reported the matter in an article featuring the image, which I can no longer find on the SMH site.

The following day police questioned Grubb about the matter and then demanded he hand over his iPad on the basis that police wanted to 'search' it for evidence of a crime. When he was unwilling to do so, he was arrested and his iPad confiscated for a complete image of its content to be taken and analysed by police (let's not even explore the potential conflict with Australia's Shield laws, which incidentally also cover bloggers and tweeters).

The basis of police concern was that the image retrieved by the security expert and used in the SMH article was 'tainted material', stolen from a Facebook account and then passed on to others.

What is more worrying is that the Queensland police, in a press conference, then equated receiving an email containing a stolen image with 'taking stolen TVs'. To quote:

Detective Superintendent Hay used an analogy to describe why Grubb was targeted.

"Someone breaks into your house and they steal a TV and they give that TV to you and you know that TV is stolen," he said.

"The reality is the online environment is now an extension of our real community and if we go into that environment we have responsibilities to behave in a certain way."

Let's think about this for a moment.

Firstly, when someone 'steals' an image - or music, movies, books or other online content - it isn't stealing if the content remains at the point of origin for the original owner to continue using. It may be a copyright infringement or privacy breach, but unlike stealing a television, where the owner of the television is left without it, there is no theft, simply replication.

On that basis any laws around theft simply don't apply online. You can copy my idea, my words, my images. However, unless you somehow delete the originals, you are not stealing them, you are breaching my copyright.

Secondly, when an email is sent to our email address it gets delivered regardless of the legality of its contents. We have no say in whether we receive legal or illegal messages and images. Sure, there are spam blockers and the like, however these automated tools can't tell if content is legal or not, only if it violates certain rules, such as containing certain four letter words or phrases.

However, according to the QLD Police, if someone sends you an email containing a 'stolen' image, you are breaking the law. This is even though there is no way for you to avoid receiving the email in the first place. You don't even have to open the email. If it has been stored on your device, based on the QLD Police's interpretation of Commonwealth law, you are a potential criminal.

This has enormous ramifications for society. Anyone can frame someone else by sending them an email. As it is relatively easy to set up a disposable email account, you can do so anonymously. This could be used against business rivals, political opponents, or even against the police themselves simply by sending them an anonymous email and then making an anonymous complaint.

Equally, if the person receiving the email is a potential criminal, then what about all the organisations whose mail servers were used to transmit the message?

When an email is sent from one person to another it can pass through a number of different systems on its journey. At each stop, a mail server accepts and stores a copy of the email, works out the next hop, then sends the email on.

In most cases these mail servers later delete their copies for storage reasons, however at some point in time each of them has received and held the email, making the organisations and individuals who own them liable, again, under the QLD Police's interpretation of the law.
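As an added illustration of the point above (not from the original post): every relay that accepts a message stamps a Received: header on it, so reading those headers back to front lists each system that held a copy on the way to the recipient's mailbox. The message, host names, addresses and queue ids below are constructed placeholders.

```python
"""List the mail relays that held a copy of a message, from its Received: headers.

Added example, not from the original post. The sample message is constructed;
host names (example.net, recipient.example), addresses (192.0.2.x) and queue
ids (PLACEHOLDER*) are placeholders, not real systems.
"""
import email
import re
from email import policy
from email.utils import parsedate_to_datetime

# Constructed sample: three hops. Relays prepend their header, so the newest
# Received: line (the recipient's own server) is at the top.
RAW_MESSAGE = b"""\
Received: from relay2.example.net (relay2.example.net [192.0.2.30])
\tby mx.recipient.example (Postfix) with ESMTPS id PLACEHOLDER3
\tfor <reporter@recipient.example>; Wed, 18 May 2011 10:03:02 +1000
Received: from relay1.example.net (relay1.example.net [192.0.2.20])
\tby relay2.example.net (Postfix) with ESMTP id PLACEHOLDER2;
\tWed, 18 May 2011 10:02:58 +1000
Received: from [192.0.2.10] (unknown [192.0.2.10])
\tby relay1.example.net (Postfix) with ESMTPSA id PLACEHOLDER1;
\tWed, 18 May 2011 10:02:55 +1000
From: someone@example.net
To: reporter@recipient.example
Subject: constructed sample
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

An attachment the recipient never asked for follows.
--b1
Content-Type: image/jpeg; name="photo.jpg"
Content-Disposition: attachment; filename="photo.jpg"

not-really-a-jpeg
--b1--
"""

# "from <sending host> ... by <accepting host>" is the shape every relay writes.
_HOP_RE = re.compile(r"from\s+(?P<from>\S+).*?\bby\s+(?P<by>\S+)", re.DOTALL)


def relay_hops(raw):
    """Return (from_host, by_host, timestamp) per hop, oldest hop first."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hops = []
    # Headers were prepended in transit, so reverse them to follow the path
    # from the sender's side to the recipient's mailbox.
    for received in reversed(msg.get_all("Received", [])):
        text = " ".join(str(received).split())  # collapse folded whitespace
        m = _HOP_RE.search(text)
        if not m:
            continue
        # The timestamp follows the last ';' of the clause.
        ts = parsedate_to_datetime(text.rsplit(";", 1)[1].strip()) if ";" in text else None
        hops.append((m.group("from"), m.group("by"), ts))
    return hops


def hosts_that_stored_copy(raw):
    """Each 'by' host accepted and stored the message before relaying it;
    the last one is the recipient's own server. Returned in transit order."""
    return [by for _from, by, _ts in relay_hops(raw)]


def unsolicited_attachments(raw):
    """Attachment file names that arrived without any action by the recipient."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [part.get_filename() for part in msg.iter_attachments()]


if __name__ == "__main__":
    for hop in relay_hops(RAW_MESSAGE):
        print("%s -> %s at %s" % hop)
    print("stored a copy:", hosts_that_stored_copy(RAW_MESSAGE))
    print("attachments received:", unsolicited_attachments(RAW_MESSAGE))
```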

Given the number of emails sent each day in Australia it's clear from the QLD Police's legal interpretation that most ISPs must be operated by criminals, receiving, storing and transmitting illegal content all day and night.

Applying this type of 19th Century policing and legal approach clearly isn't going to work in the 21st Century.

When everyone can publish and illegal content can be received without your consent or knowledge, laws need to change, as does police training and practice.

Without these changes government bodies will become more removed from the society they are meant to serve, unable to function effectively and efficiently in today's world.

By the way, the security analyst who originally 'stole' the Facebook images hasn't been questioned, arrested or charged. And Ben Grubb still hasn't received his iPad back.


Friday, March 25, 2011

Is it practical for government agencies to block web-based mail?

The Australian National Audit Office has just released a report 'The Protection and Security of Electronic Information Held by Australian Government Agencies' based on a review of the approaches to information security by four agencies, the Office of Financial Management, ComSuper, Medicare Australia, and the Department of the Prime Minister and Cabinet.

Amongst other recommendations was one which has been much discussed on Twitter this morning, "emails using public Web-based email services should be blocked on agency ICT systems, as these can provide an easily accessible point of entry for an external attack and subject the agency to the potential for intended or unintended information disclosure."

This reflects the recommendation in the Defence Signals Directorate's Information Security Manual, the 'bible' for Australian Government agencies when it comes to ICT security, which states on page 100 that:
Agencies should not allow personnel to send and receive emails using public web-based email services.

The concerns are very clear and relevant - web-based email systems can easily be used, inadvertently or deliberately, to distribute large quantities of citizens' personal information, or an agency's In Confidence or other classified information, rapidly and to large numbers of people, making it impossible to contain the spread of the information.

Web-based email is also a potential source of attacks against an agency, through viruses, worms and trojans in email attachments (which may not be able to be scanned at the same level as Departmental email can be) and through web-links in emails to compromised websites.

I don't dispute these real concerns. They are concerns for corporations as well.

However, I do ask - what is 'web-based email'?

Most people are aware of the classic web-based email services, Windows Live Hotmail, Yahoo mail and Gmail amongst many, many, many similar services (here's a list of 18 web-based email services - and that's just a start!)

These services follow a standard email model - an inbox, outbox, capability to send and receive email, with attachments and some ability to organise and file emails into folders. Most have automated spam-checkers too, some exceptionally good.

However while they LOOK like email software, they aren't really email software. They are simply web pages providing access to text, links, file upload/download and some buttons.

Any webpage can be designed the same way. In fact it would be hard to find any webpage without at least two of the same features.

In other words, while they look like email and act like email, they're really no different from going to any website which allows people to click on a link or download a file.

Regarding the risk of downloading or clicking on a link with a malicious payload (virus, trojan, etc), web-based email web pages provide no additional risk to standard web pages except, perhaps, that they have content targeted to an individual with a government email address.

There may actually be less risk in using popular and widespread web-based email services as they do employ sophisticated scanning techniques to limit spam and malicious payloads. It is in their interest to not allow their users to become infected with viruses as their business would suffer as a result.

In fact, in some cases the large web-based email providers may offer more security in preventing spam and viruses than a corporation or government agency can offer to its staff using official email accounts. The large web-based email providers have hundreds of millions of users and their business is providing web-based email, meaning they hire the best talent, employ leading edge solutions and invest far more into their email security than most corporations or government agencies can afford.


So far I've only talked about the identifiable web-based email systems; there are also several broader considerations.

More and more online services are implementing systems like web-based email for sending and receiving messages within a web browser.

This includes services like Facebook, LinkedIn, YouTube, Slideshare, Ning, Amazon, all forum systems and micro-blogging services like Twitter (allowing direct messages). Most ISPs offer web-based access to home email accounts. Even your bank probably does it.

In all cases these services provide you with the ability to send and receive messages, including links and sometimes also attachments.

They effectively act like web-based email services, without having the same name.

To block web-based email systems can be tricky without blocking access to the provider's other services, such as Google's analytics and webmaster systems. However it is (mostly) possible.

To block these other pseudo-web-based email services without blocking their service is most probably impossible in most cases. That would mean blocking staff from being able to monitor or interact (officially) over social media services, or even from accessing their bank accounts from work.


Another consideration is the vast array of services that could not remotely be described as having web-based email qualities but still allow people to share information online.

These services, like YouSendIt, DropBox, Scribd and a host of others (including web-based FTP services provided by ISPs and others) allow people to upload a file, or often many files, and share them widely. There are also services for making comments - every newspaper has one - and many services for anonymising where the data is coming from to prevent detection.


Now all of this may still be manageable if it were only known organisations who provided all these services. However the barrier to setting up a new service that looks and performs like web-based mail, or allows files to be transferred, is almost non-existent.

Open source software exists to allow any person to create their own service in a matter of hours. Web-based systems allow you to create a web-based email facsimile in a matter of minutes. These services are widespread, easily discoverable and cheap.

People can set one up from home, or any public access computer and then access it at work. That's if they are not amongst the nearly 40% of Australians with personal smartphones, or the millions of others with laptops, netbooks and tablets and 3G connections to the internet. Personal internet connections at the office, every day.

I don't envy the job of ICT Security Advisors.


If an agency wished to prevent staff from sending files and information online to unauthorised recipients, or prevent the possibility of staff clicking on links or downloading files from the web that may carry viruses, there are only three solutions.
  • Whitelist a bare minimum number of sites that staff can access,
  • turn off internet access completely, or
  • establish effective policy guidance and education for staff, have managers monitor use and ICT Security advisers provide support and training.
While it may be easier for organisations to pick one of the first two options, they will experience staff backlashes, have difficulty recruiting younger people (now including people in their 40s) and be unable to effectively engage and respond to changing global and national events.

These approaches won't necessarily limit the use of personal internet-connected devices at work; many more staff might bring them in to get around the security settings (so they can do their banking and respond to critical personal events). These approaches may even increase the incidence of information leakage as disgruntled staff use the fax or photocopier and walk out the door.


The third option, which requires extensive senior leadership and support, is more effective in the long run, but a harder sell due to the time and ongoing education commitment. However it is, in my view, the only approach to managing the use of web-based email and all similar services - in effect the entire internet - which serves the long-term interests of governments, agencies and staff.


Friday, March 18, 2011

The coming open data battle - government versus commercial interests

I'm a big fan of opening up as much public sector information as possible in easily discoverable and reusable ways (taking into account privacy, security and commercial-in-confidence considerations).

The data allows citizens and organisations to build a more informed view of their government's activities, a good accountability measure.

It also allows the development of useful applications and services at low cost and even lower (frequently free) prices. Sure they may not be as polished as multi-million dollar services developed by governments or big business, however they allow citizens to choose the tools that work best for them. Government or big business can always use these learnings to build on.

Open data also allows government agencies to see what data other agencies have, and lets them use it to improve their models, understanding and policy. While often overlooked in the rush to provide data to citizens, often agencies have as much trouble discovering and accessing data from other agencies as citizens do.

However as more public sector data gets released, losers are also emerging, some with deep pockets and effective lobbyists.

Who loses when government data is released for free? Several groups spring to mind.

First are companies that make their living from licensing public information and selling it on (often with value-adds) at a mark-up. These companies allow agencies to extract a market price for their data without having to contend with the complexities of the open market. They often have a monopoly position, controlling access to a source of public data, and can be very resistant to losing their monopoly or seeing the data 'devalued' through free release.

Second are companies that rely on getting data first to build their edge. This includes stock market traders, where having information a few hours earlier than the market may be worth millions. It can also include the media, who thrive on 'exclusives'. Where data is released to specific journalists under Freedom of Information or through other channels ahead of others they have an informational edge over their rivals.

Next are organisations who prefer to obscure the true cost of goods and services in favour of complexity. Where customers can't compare prices effectively they can't make the best price decision, therefore they may choose expensive services based on brand and never realise they are paying more than they should. Sound like any industry you know?

Finally there are groups within government who prefer to keep citizens at arm's length. Those who do not want too much scrutiny of their decisions or who believe the public won't understand the broad context under which they were made. This group believes in only telling the public what they think the public needs to know.

We're starting to see some of these groups flex their muscles in jurisdictions that are releasing a great deal of public sector information, or who are legislating for organisations to become more transparent.

One group currently resisting openness in the US is the airlines. In the New York Times article, This Data Isn't Dull. It Improves Lives, the journalist reports that,

...the Department of Transportation is considering a new rule requiring airlines to make all of their prices public and immediately available online. The postings would include both ticket prices and the fees for “extras” like baggage, movies, food and beverages. The data would then be accessible to travel Web sites, and thus to all shoppers.

The airlines would retain the right to decide how and where to sell their products and services. ...
The approach would make markets more transparent and efficient - allowing consumers to make a decision on flights based on complete knowledge.

So do airlines support this approach? Well, not completely. They want the right to choose when and how they display their fees - choosing to control the flow of information and force consumers to continue to make sub-optimal decisions on partial information.

This reflects the situation in Australia with the Rudd Government's attempt to launch Fuelwatch and GroceryWatch websites. Petrol and grocery companies weren't particularly supportive of having the true cost of their products visible to consumers before they were at the service station or in the store. Once consumers were there it was far less likely they'd leave and shop elsewhere because of price. Of course the reason given was the complexity of exposing the prices publicly, although they don't seem to have this issue at the checkout.


Another example I have been watching is in Canada, where there's been an active discussion of the decision of BC Ferries to release FOI requests online at the same time they are released to the requester (where the request doesn't involve personal information).

Journalists have complained that the approach means they won't get an exclusive, removing their financial incentive for requesting government information in the first place. One journalist in particular, Chad Skelton, has written a series of pieces detailing why it is so important that governments allow media to profit off FOI requests, as otherwise they are unlikely to ask for this information and it won't be exposed for the public good. One of his articles worth reading is Why David Eaves is wrong about BC Ferries' Freedom of Info policies.

It is an interesting point, however I tend to sympathise with David's view - government information laws should not be designed to support the financial goals of media outlets, or any other organisations, over the goals of public openness and transparency. These laws should be designed to ensure that public information gains public scrutiny, not so that journalists can 'make' their careers with exclusives.


As we see more public sector information released by governments I expect we'll see more battles over its release. Some forms of opposition will be passive, providing information in the least usable formats possible or hidden away in websites; other forms will be active, direct refusals to release information (because it is incomplete, the context wouldn't be understood, or it isn't useful), court cases from commercial interests asking for information to be suppressed, or even active information sabotage where data is destroyed rather than published.

Reputations and fortunes can be made and lost over access to information. It is unlikely that entrenched interests will support changes to the playing field without putting up an ongoing fight.
