2002-06-24

The founders of the Internet, with their lofty ideals, must be a bit embarrassed to know that one of the Internet's most common uses is for accessing pornographic Web sites.

Porn surfing on the job wastes staff time, fills bandwidth and leads to a hostile work environment. Some of it is likely to be illegal, and it can get your company covered in the press in damaging ways.

The legal hassles from associated sexual-harassment lawsuits can also be very expensive. So, how do we reduce the risks introduced by Internet porn?

Porn Surfer Psychology

When asked to help control a problem, we normally start by imagining why users would want to do something and then try to alter the environment so that they don't even try. For example, some people are driven to commit fraud by problems with drinking, drugs or gambling. We can reduce fraud by offering access to confidential help lines and other services.

When it comes to porn, this understanding is hard to achieve. Why would anyone want to view it at the office? We pay our staff well enough that they can afford Internet access at home or even a monthly subscription to a variety of adult publications, so why would they risk their jobs by abusing systems at work?

Without an effective psychological fix, we are left with technological approaches. Many tools claim to block or filter downloads, but they don't really fix the problem.

The number and names of porn sites are constantly changing, so blocking software can't stop all porn surfing. Once users realize that we block some sites, will they assume that unblocked sites are approved? If we block a domain name, then how do we stop staffers from accessing the direct IP address? Since the latest Web protocols allow multiple sites to share a single IP address, using the Domain Name System name in the Web address to direct the request to the right site, how do we avoid blocking legitimate content hosted on the same address as a blocked site? If we block Web content, then do we approve of porn embedded in e-mails, handed around on CD-ROMs or exchanged via file-sharing networks?

Blocking can also inconvenience legitimate Web users. For example, back when AltaVista Co.'s Web site was popular, our CIO stormed over to the security team, calling us idiots for blocking www.altavista.com. After much shouting, it became clear that he had mistyped the address as "alatavista.com," which, when unblocked, displayed "alata" porn.

However blocking is handled, it will annoy users, who will try to bypass the controls and complain about my department. Because the same controls protect us from hackers and viruses, any success at bypassing them will increase the risk to the company. The last things we need are personal modems or Secure Sockets Layer-based anonymous Web-browsing services.

Instead of blocking site access, we set a public policy and report on compliance with that policy through usage monitoring.

This approach allows us to report not only the level of abuse but also the level of legitimate use of the Web. Our reporting tool includes many Web site categories, such as finance and investing. By showing that the Web is useful, we can use these statistics to support upgrades.

Enforcement Tactics

I've heard of companies that publish a weekly list of the top 10 abusers, but we don't go that far. What happens when you accuse the wrong person? When people start a contest to get to the top of the list? Or when the press gets a copy?

Instead, we send an anonymous warning if the daily report highlights a level of abuse above a particular threshold. We also check the sites to ensure that the database is correct. Further abuse results in disciplinary action.

By getting a quick slap on the wrist with no specific reference to the Web site or activity that led to the warning, offending users are usually frightened away from these Web sites. The anonymous warning makes the process less emotional. And by using a published, agreed-upon process, we limit the risk of managers or human resources personnel making ad hoc responses based on how much they value the person involved.

When we first published our porn policy and process, the level of abuse dropped. Then, after a few weeks, it crept back up. Once we started sending the warnings, however, the level dropped to zero. People knew their Web use was monitored and assumed the same about their e-mail and file sharing and so perhaps avoided porn on all of them.

Unhappy Ending

We were very happy that the problem was solved, smugly thinking that there would be no more abuse once we sent warnings. But we were proved wrong this week, when an employee who had been warned in the past did it again.

He knew we would take disciplinary action. We wondered what he would do to protect himself. He could claim he didn't do it. Perhaps he would say we had framed him. As the logs are in plain text, it would be our word against his.

Even if you trust the logs, all they contain is a Windows NT user ID and an IP address. The employee could claim that his account was used by someone else. Or that he was a victim of "sticky browsing" (porn sites that open new windows as fast as you close others), which leaves many log entries for one accidental visit. There are even viruses like JS/NoClose that make infected machines visit porn and other sites.
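As an added example (not code from the column or its author), here is how the daily threshold report described under "Enforcement Tactics" might be built from a categorized proxy log, collapsing the pop-up storm of sticky browsing into a single visit and keeping a digest of the plain-text log so it can later be shown unaltered. The log layout, the category names, the burst window and the threshold are all assumptions.

```python
import hashlib
from collections import defaultdict
from datetime import datetime

# Constructed sample of one day's proxy log (not from the article): timestamp,
# Windows NT user ID, client IP, host, and the category from the reporting database.
SAMPLE_LOG = """\
2002-06-24T09:01:05 CORP\\jsmith 10.1.2.3 www.finance.example finance
2002-06-24T09:02:11 CORP\\jsmith 10.1.2.3 adult-a.example adult
2002-06-24T09:02:12 CORP\\jsmith 10.1.2.3 adult-b.example adult
2002-06-24T09:02:13 CORP\\jsmith 10.1.2.3 adult-c.example adult
2002-06-24T09:02:14 CORP\\jsmith 10.1.2.3 adult-d.example adult
2002-06-24T10:15:00 CORP\\bjones 10.1.2.9 adult-a.example adult
2002-06-24T11:40:00 CORP\\bjones 10.1.2.9 adult-b.example adult
2002-06-24T13:05:00 CORP\\bjones 10.1.2.9 adult-c.example adult
2002-06-24T15:30:00 CORP\\bjones 10.1.2.9 adult-a.example adult
"""
BURST_WINDOW = 60  # seconds; hits closer together than this count as one visit (pop-up storm)
THRESHOLD = 3      # distinct visits per day that trigger the anonymous warning (assumed)

def parse_log(text):
    """Parse whitespace-separated lines into (time, user, ip, host, category) tuples."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, user, ip, host, cat = line.split()
            rows.append((datetime.fromisoformat(ts), user, ip, host, cat))
    return rows

def count_visits(rows, category="adult", window=BURST_WINDOW):
    """Visits per user; a burst of hits within `window` seconds (sticky browsing) is one visit."""
    last_hit, visits = {}, defaultdict(int)
    for ts, user, _ip, _host, cat in sorted(rows):
        if cat != category:
            continue
        prev = last_hit.get(user)
        if prev is None or (ts - prev).total_seconds() > window:
            visits[user] += 1
        last_hit[user] = ts
    return dict(visits)

def users_to_warn(visits, threshold=THRESHOLD):
    """User IDs at or above the threshold; the warning itself names no site or activity."""
    return sorted(u for u, n in visits.items() if n >= threshold)

def log_digest(text):
    """SHA-256 of the raw log; record it off-box daily so the plain-text log can be shown unaltered."""
    return hashlib.sha256(text.encode()).hexdigest()
```

In the sample, jsmith's four hits within three seconds collapse to one visit and draw no warning, while bjones's four visits spread over the day cross the threshold.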

Alternatively, he might admit it all and throw himself on the mercy of human resources. However, this employee took a different approach. He did admit to surfing porn sites, but he explained that since he had looked only at the free samples and didn't pay for access, he had done nothing wrong.

Strangely, the "I didn't pay for it" defense didn't stand up, and he no longer works for our company. So it looks like we finally have an explanation for why people browse porn at work: sheer stupidity.

This week's journal is written by a real security manager, "Vince Tuesday," whose name and employer have been disguised for obvious reasons. Contact him at vince.tuesday@hushmail.com or go to the Security Manager's Journal forum.