The wrong sort of radio
This post is about the madness of corporate web filters in the age of ubiquitous consumer devices with Internet connectivity.
I typically see three types of connectivity in any given corporate setting:
- The company network. Usually wired, but sometimes with a wireless adjunct, this network offers the same liberty as an oppressive Middle East regime. This is a network where you can’t use social networks, check your webmail or see pictures (or business charts) uploaded by others. This network has been locked down for your own protection, and for the protection of the company.
- Guest WiFi. When coffee shops started becoming a better place for business than company meeting rooms something had to be done, and guest WiFi was that something. Sadly in many cases it’s locked down with many of the same measures and policies as the corporate network[2,3] – the only real change is that ‘foreign’ devices are allowed to connect.
- Mobile networks. Increasingly these come by default with some degree of nannyistic filtering, but in my experience it’s pretty benign – you can go to the places and ports that you want to and use the services that live there.
Trying to control where radio waves go
In 1 and 2 the legal and compliance department seeks to control what happens over the radio waves, in 3 they cannot – hence the title of this post.
I was recently at an event run by a large security software and solutions vendor where they said that ‘they too were having trouble with this stuff’ (referring to executives using iPads) so they’d had to ‘turn off some of the WiFi’. So what – the executives couldn’t afford the 3G iPad?
The nonsense of inconveniencing your own people
This whole thing is nonsense. Companies can’t control what employees access on the Internet, because nobody wants to become like a top secret military installation and take everybody’s phone away from them at the gate. The reality is that employees will have iPhones and iPads and other smartphones and other tablets and netbooks with 3G cards and MiFis and Kindle 3Gs and all manner of other stuff that can get to a (mostly) unfiltered web. For sure you can make life less convenient for your own people by making too many of them share a limited pool of bandwidth, but if you’re worried about people wasting time on social networking or personal email then do you really want to make it slower?
At this point it’s probably worth unpacking some of the concerns:
For a very long time we’ve had corporate networks that follow a confectionery design pattern – hard on the outside, soft in the middle. The whole point of hard on the outside is to stop damage to soft in the middle. Despite the best efforts of the Jericho Forum very few organisations have done deperimeterisation (or even my preferred ‘reperimeterisation’), which leaves them stuck with a model where you can only allow approved devices, software etc. An associated concern is that browsing the seedier parts of the Internet brings with it infections that may not be spotted by antivirus software and similar defences.
Security is probably a valid reason for the behaviour we see on company networks, but doesn’t justify controls on guest/employee WiFi, and of course the security guys don’t really have any say on what happens on mobile networks.
Not Safe For Work (NSFW)
One of the initial reasons for introducing web filters was a desire by HR to block porn. I don’t ever recall the epidemic of people surfing XXX rated material (and upsetting their co-workers by doing so), but clearly enough people thought this was a problem and were willing to spend money on it.
What’s curious is that the arrival of broad(ish)band connected mobile consumer Internet devices with no filters hasn’t caused some catastrophic outbreak of inappropriate material being poked in the faces of inappropriate people. It looks like people are able to behave like mature adults after all.
Of course filters don’t always work, and I’ve seen an instance or two of objectionable spam making its way through. Somehow this is more of a problem when using Outlook (which renders images by default) rather than Gmail (which doesn’t).
The NSFW argument doesn’t hold up in my view, and HR were probably suckered into playing the paternalist in order to justify buying a bunch of kit that some IT folk wanted for other purposes.
Time is money
This is the one where employees shouldn’t be spending their valuable (company paid for) time checking their personal email and chatting to their friends on Facebook/Twitter/AIM or whatever the next flavour of the month is.
Firstly this expresses a very Victorian work ethic towards time management (that my US cousins still seem all too attached to). As we move from the industrial age to the information age we’re slowly seeing a shift from clocking in/out towards flexibility and ‘work/life balance’, but whilst we still have people around that we pay by the day (or even hour) then we will continue to fool ourselves that time is valuable rather than outcome.
I guess the quid pro quo here is that my wife hates me using my Blackberry at home just as much as most companies would hate me using Facebook at work (even if I’m using the Blackberry to check Facebook).
The information age is changing the nature of work and how it interacts with time. The productivity of ‘Knowledge workers’ can vary dramatically, with short bursts of great output set in a broader context of information gathering (and many seemingly aimless conference calls).
Secondly there’s the assumption that social interaction is somehow utterly unrelated to work. That people shouldn’t be able to ask their ‘friends’ for help.
Once again we see that employees are using this stuff anyway (at work) on their own devices, and the time that’s being ‘wasted’ isn’t hurting.
The common sense approach
What I think companies should be doing here is protecting their corporate networks where that is still necessary (and moving towards reperimeterisation around the data centre core) and offering their employees, partners, clients and other parties an otherwise unfettered path to the Internet (via unfiltered WiFi). This should simply be a question of cost and convenience where for very good infrastructure reasons mobile data costs more (and is often less convenient) than WiFi built on a wired bearer.
Why is this so hard?
[1] Hardly surprising as the companies that sell lists of stuff to be blocked have these countries as their primary customers, and business users just tag along for the ride.
[2] To stop employees from sidestepping the policies on the corporate network, and doing the stuff that they want to do on the Internet.
[3] I’ve come across some cases where companies have invited in telcos to provide WiFi. I think this is a win-win – guests (and employees) get the connectivity that they want (and more reliably than a mobile connection), the telco gets paid for an hour/day/longer subscription, and the legal and compliance people get to sleep at night knowing that they’ve passed a potential liability on to a third party. I’ve also come across some legal and compliance people (mostly in the US) who take the view that this can’t be done because liability for what happens (on the Internet) within the boundary of a company’s premises can’t be passed on. Don’t ask me what happens if you have an on site Starbucks in a leased building.
[4] Canary Wharf is an awful place for mobile devices given the poor ratio of infrastructure to people based there.
[5] I recall a frustrated network engineer one day recounting how he’d presented a business case to the executive board and they came back at him with ‘you want us to spend $5m on a better porn filter?’ – clearly there was some kind of communication issue and somebody was missing the point.
[6] One of the insane arguments here is that people surfing Internet porn at work were costing the company money (by using the precious resource of their Internet connection) and therefore it was worth spending even more on web filters to stop this from happening.