Comment: Security in the silly season

18 Aug 2004

There was a time when the phrase Big Brother was understood to mean an insidious, threatening kind of society where constant surveillance was the norm and your every movement could be tracked. Now sadly when we hear the words we’re more likely to think of an annoying reality TV show. Both were in evidence this summer; both arguably for the wrong reasons.

Among the survey data that finds its way into our inboxes daily came news from the US that more than 30pc of companies monitor outbound email. The practice is even more widespread in large corporations, where the figure rises to 43pc, the survey found. An additional 9.3pc of companies said they intend to begin monitoring outbound email in the near future. Of the large companies surveyed, this percentage rises to 12.8pc.

One third of companies reported that they conduct regular audits of outbound email content. This practice is again more prevalent among larger organisations, with the figure rising to 38.5pc.

For me, all of this conjures the following scenario: picture any office up and down the country where staff open their morning email to find a message from the boss: “We’re pleased to welcome Dave, he starts work today and he’ll be reading your emails. Please drop by and wish him well…”

Summer frivolity aside, the survey was conducted on behalf of Proofpoint, a provider of anti-spam and virus protection software. It purports to reveal high levels of suspicion and concern among senior corporate executives in the US that sensitive company information is being passed to outsiders. Survey respondents cited confidential memos and intellectual property leaks as the main fears around outgoing email among large companies.

Reading between the lines, Proofpoint is trying to sell us something. In the guise of an industry report conducted by a credible, independent third party we have subtle clues that we ought to be really concerned at the lack of technology being used to solve the problem. It’s a classic tactic long employed in the IT industry and the security sector is a repeat offender: throw in a couple of attention-grabbing statistics at the top, while the meat of the report is the Trojan horse that offers a solution to the very problem that the report appears to highlight. Wouldn’t you know it, Proofpoint happens to have a product that mitigates the risks which it claims exist in outbound email.

You will hear very few arguments against technology on but there will and always should be notable exceptions. Earlier this year we documented the moves to bring e-voting to Ireland, which eventually foundered because the secrecy and accuracy of the system couldn’t be guaranteed. Biometric technology, which also got an airing on these pages, is increasingly coming into use in the area of airport security. But this doesn’t represent a perfect solution either; applicants in the UK recently were told not to smile for the cameras because the resulting alteration of the face significantly reduces the chances of a perfect match with the computer record.

I don’t think it’s a coincidence at all that security appears to be a recurring theme in these and other similar cases. IT may be able to solve certain business problems or automate tasks but it seems we remain uneasy about the idea that personal freedom can be curbed, managed and controlled by unaccountable technology.

In any case, where email is involved there’s a strong argument that technology can be applied but I would argue that there are better places to apply it without having to resort to spying on employee communications. For example, computer forensics techniques have been employed in cases of stealing company secrets, harassment or bullying. This works and the evidence it produces stands up in court. Because of a historical need to record data in a certain way, your average hard drive actually contains a lot of free space in the nooks and crannies, so that getting rid of files may not be as simple as moving them to the recycle bin. Pressing ‘delete’ won’t do it. If an employee is accused of sending something they shouldn’t have, it’s possible to find out whether or not they have a case to answer.

The presumption of innocence over guilt suggests we shouldn’t resort to policing emails simply on the off-chance.

By Gordon Smith