The wrong sort of radio
This post is about the madness of corporate web filters in the age of ubiquitous consumer devices with Internet connectivity.
I typically see three types of connectivity in any given corporate setting:
- The company network. Usually wired, but sometimes with a wireless adjunct, this network offers the same liberty as oppressive Middle East regimes. This is a network where you can’t use social networks, check your webmail or see pictures (or business charts) uploaded by others. This network has been locked down for your own protection, and for the protection of the company.
- Guest WiFi. When coffee shops started becoming a better place for business than company meeting rooms something had to be done, and guest WiFi was that something. Sadly in many cases it’s locked down with many of the same measures and policies as the corporate network[2,3] – the only real change is that ‘foreign’ devices are allowed to connect.
- Mobile networks. Increasingly these come by default with some degree of nannyistic filtering, but in my experience it’s pretty benign – you can go to the places and ports that you want to and use the services that live there.
Trying to control where radio waves go
In 1 and 2 the legal and compliance department seeks to control what happens over the radio waves, in 3 they cannot – hence the title of this post.
I was recently at an event run by a large security software and solutions vendor where they said that ‘they too were having trouble with this stuff’ (referring to executives using iPads) so they’d had to ‘turn off some of the WiFi’. So what – the executives couldn’t afford the 3G iPad?
The nonsense of inconveniencing your own people
This whole thing is nonsense. Companies can’t control what employees access on the Internet, because nobody wants to become like a top secret military installation and take everybody’s phone away from them at the gate. The reality is that employees will have iPhones and iPads and other smartphones and other tablets and netbooks with 3G cards and MiFis and Kindle 3Gs and all manner of other stuff that can get to a (mostly) unfiltered web. For sure you can make life less convenient for your own people by making too many of them share a limited pool of bandwidth, but if you’re worried about people wasting time on social networking or personal email then do you really want to make it slower?
At this point it’s probably worth unpacking some of the concerns:
For a very long time we’ve had corporate networks that follow a confectionery design pattern – hard on the outside, soft in the middle. The whole point of hard on the outside is to stop damage to soft in the middle. Despite the best efforts of the Jericho Forum very few organisations have done deperimeterisation (or even my preferred ‘reperimeterisation’), which leaves them stuck with a model where you can only allow approved devices, software etc. An associated concern is that browsing the seedier parts of the Internet brings with it infections that may not be spotted by antivirus software and similar defences.
Security is probably a valid reason for the behaviour we see on company networks, but doesn’t justify controls on guest/employee WiFi, and of course the security guys don’t really have any say on what happens on mobile networks.
Not Safe For Work (NSFW)
One of the initial reasons for introducing web filters was a desire by HR to block porn. I don’t ever recall the epidemic of people surfing XXX-rated material (and upsetting their co-workers by doing so), but clearly enough people thought this was a problem and were willing to spend money on it.
What’s curious is that the arrival of broad(ish)band connected mobile consumer Internet devices with no filters hasn’t caused some catastrophic outbreak of inappropriate material being poked in the faces of inappropriate people. It looks like people are able to behave like mature adults after all.
Of course filters don’t always work, and I’ve seen an instance or two of objectionable spam making its way through. Somehow this is more of a problem when using Outlook (which renders images by default) rather than Gmail (which doesn’t).
The NSFW argument doesn’t hold up in my view, and HR were probably suckered into playing the paternalist in order to justify buying a bunch of kit that some IT folk wanted for other purposes.
Time is money
This is the one where employees shouldn’t be spending their valuable (company paid for) time checking their personal email and chatting to their friends on Facebook/Twitter/AIM or whatever the next flavour of the month is.
Firstly this expresses a very Victorian work ethic towards time management (that my US cousins still seem all too attached to). As we move from the industrial age to the information age we’re slowly seeing a shift from clocking in/out towards flexibility and ‘work/life balance’, but whilst we still have people around that we pay by the day (or even hour) then we will continue to fool ourselves that time is valuable rather than outcome.
I guess the quid pro quo here is that my wife hates me using my Blackberry at home just as much as most companies would hate me using Facebook at work (even if I’m using the Blackberry to check Facebook).
The information age is changing the nature of work and how it interacts with time. The productivity of ‘Knowledge workers’ can vary dramatically, with short bursts of great output set in a broader context of information gathering (and many seemingly aimless conference calls).
Secondly there’s the assumption that social interaction is somehow utterly unrelated to work. That people shouldn’t be able to ask their ‘friends’ for help.
Once again we see that employees are using this stuff anyway (at work) on their own devices, and the time that’s being ‘wasted’ isn’t hurting.
The common sense approach
What I think companies should be doing here is protecting their corporate networks where that is still necessary (and moving towards reperimeterisation around the data centre core) and offering their employees, partners, clients and other parties an otherwise unfettered path to the Internet (via unfiltered WiFi). This should simply be a question of cost and convenience where for very good infrastructure reasons mobile data costs more (and is often less convenient) than WiFi built on a wired bearer.
Why is this so hard?
[1] Hardly surprising as the companies that sell lists of stuff to be blocked have these countries as their primary customers, and business users just tag along for the ride.
[2] To stop employees from sidestepping the policies on the corporate network, and doing the stuff that they want to do on the Internet.
[3] I’ve come across some cases where companies have invited in telcos to provide WiFi. I think this is a win-win – guests (and employees) get the connectivity that they want (and more reliably than a mobile connection), the telco gets paid for an hour/day/longer subscription, and the legal and compliance people get to sleep at night knowing that they’ve passed a potential liability on to a third party. I’ve also come across some legal and compliance people (mostly in the US) who take the view that this can’t be done because liability for what happens (on the Internet) within the boundary of a company’s premises can’t be passed on. Don’t ask me what happens if you have an on-site Starbucks in a leased building.
[4] Canary Wharf is an awful place for mobile devices given the poor ratio of infrastructure to people based there.
[5] I recall a frustrated network engineer one day recounting how he’d presented a business case to the executive board and they came back at him with ‘you want us to spend $5m on a better porn filter?’ – clearly there was some kind of communication issue and somebody was missing the point.
[6] One of the insane arguments here is that people surfing Internet porn at work were costing the company money (by using the precious resource of their Internet connection) and therefore it was worth spending even more on web filters to stop this from happening.