Porn Policy Collars a Million-Dollar Customer

The HR department bends some rules when offensive content comes in from the company's largest client.

A brief altercation this week with a staff salesperson gave me a new perspective on how pornographic e-mail can affect our business.

Like most companies with Internet access, we've had our share of employees who download inappropriate material. To eliminate the excuse that the porn came unsolicited, our most recent policy is quite strict: Anyone who doesn't report even inadvertent access to inappropriate material will be held accountable.

Because of this policy, the security staff has to field calls and e-mails about every offensive message. Still, I'm happy to accept those messages if it means that nobody can get away with downloading pornography by claiming that it was a mistake. But then we heard from Malcolm in sales, who reported receiving an inappropriate e-mail.

Comedy of Errors

I arrived at Malcolm's office with a set of floppy disks, ready to take a copy of the e-mail and its contents for investigation. This was the first time I'd done an investigation with the sales team, and I wanted to make a good impression, since we want them to stress to our customers how secure our company is.

My plan was simple: Copy the e-mail and message headers, delete the original to stop the content from spreading further and investigate the source. Case closed.

But it didn't exactly go well. My company gives Compaq iPaq desktops to most employees. The units are quiet, have a small footprint and work well, but they don't have a great deal of expandability and aren't designed to be upgraded or modified.

The next problem was that Malcolm's machine didn't have a floppy drive. I left him twiddling his thumbs and returned 10 minutes later with a removable drive. Then I discovered that iPaqs come with a locked assembly to stop users from removing the blank plate in order to insert a floppy drive. So I left again. Another 10 minutes later, I returned, this time with a key and the drive. At this point, I was slightly flushed and a little embarrassed.

I installed the drive without a problem and was getting ready to copy the e-mail when Malcolm asked what I was doing. When I started to explain the plan, he suddenly panicked. "Whoa," he screamed, as he tried to grab the floppy disk out of my hand.

Apparently the pornographic e-mail he received came from the key contact at our largest customer. Malcolm was terrified that any kind of formal complaint would alienate his contact. Our company might then lose the account, and there would be hell to pay.

I gave him our normal platitudes that the course of action is up to the human resources and legal departments and that we just carry out the investigations. However, I also knew that those departments tend to follow my team's advice because of our experience in these matters.

I returned to our lab and reviewed the material. It was adult content that was unlikely to be illegal but was certainly in breach of our policy -- and no doubt in breach of our customer's policy.

Moral Dilemma

Did I want to stand firm and help stamp out this kind of behavior, even if my company might lose its largest customer and millions of dollars in revenue? Or should I recommend that our company just ask Malcolm to drop a polite note to his contact saying he'd rather not receive anything like that and let the matter drop?

I must confess that I took the easy route and recommended to human resources that we let the matter drop as long as Malcolm told the sender informally that he should stop sending such stuff -- and that we would be forced to take a formal approach next time.

It would be much better if we could find a way to stop this kind of content from getting into our company in the first place. I've always been a little wary of content inspection products, particularly those that look for embedded images, because in my experience, they just don't work. Still, if we could catch even half the porn being sent in, we could block or warn off the top senders.

False Alarms

The reason these products don't work isn't because they can't identify pornographic images but because they tend to have a high false-alarm rate. Pictures of babies, the Mona Lisa and just random landscapes and business logos can be misidentified as pornography.

I did find one company making bold claims in this area. I didn't believe them, but it was willing to provide an evaluation copy of its software. The company did, however, warn me about the one area that the software has problems with: Pictures of elephants are known to cause false alarms. Apparently, the combination of two large round ears and a long trunk raises the red flag.

With this tool, we should be able to successfully block offensive content -- so long as that customer doesn't send Malcolm any photos of safari trips. I'll report back on how well the product works in a future column. In the meantime, if you know of any good ways to protect staff from e-mail with offensive content, drop me a line with your suggestions. What do you think?

This week's journal is written by a real security manager, "Vince Tuesday," whose name and employer have been disguised for obvious reasons. Contact him at vince.tuesday@hushmail.com, or join the discussion in our forum at QuickLink a1590.
To find a complete archive of our Security Manager's Journals, go to computerworld.com/secjournal.

Related:

Copyright © 2003 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon