CHAPTER 48

E-MAIL AND INTERNET USE POLICIES

M. E. Kabay and Nicholas Takacs

48.1 INTRODUCTION

48.2 DAMAGING THE REPUTATION OF THE ENTERPRISE

48.2.1 Violating Laws

48.2.2 Ill-Advised E-mail

48.2.3 Inappropriate Use of Corporate Identifiers

48.2.4 Blogs, Personal Web Sites, and Social Networking Sites

48.2.5 Disseminating and Using Incorrect Information

48.2.6 Hoaxes

48.3 THREATS TO PEOPLE AND SYSTEMS

48.3.1 Threats of Physical Harm

48.3.2 Pedophiles Online

48.3.3 Viruses and Other Malicious Code

48.3.4 Spyware and Adware

48.4 THREATS TO PRODUCTIVITY

48.4.1 Inefficient Use of Corporate E-mail

48.4.2 Mail Storms

48.4.3 Buying on the Web

48.4.4 Online Gambling

48.4.5 Internet Addiction

48.4.6 Online Dating and Cybersex

48.4.7 Games and Virtual Reality

48.5 LEGAL LIABILITY

48.5.1 Libel

48.5.2 Stolen Software, Music, and Videos

48.5.3 Plagiarism

48.5.4 Criminal Hacking and Hacktivism

48.5.5 Creating a Hostile Work Environment

48.5.6 Archiving E-mail

48.6 RECOMMENDATIONS

48.6.1 Protecting Children

48.6.2 Threats

48.6.3 Hate Sites

48.6.4 Pornography

48.6.5 Internet Addiction

48.6.6 Online Dating

48.6.7 Online Games

48.6.8 Online Purchases

48.6.9 Online Auctions

48.6.10 Online Gambling

48.6.11 Preventing Malware Infections

48.6.12 Guarding against Spyware

48.6.13 Junk E-mail

48.6.14 Mail Storms

48.6.15 Detecting Hoaxes

48.6.16 Get-Rich-Quick Schemes

48.6.17 Hacking

48.7 CONCLUDING REMARKS

48.8 FURTHER READING

48.9 NOTES

48.1 INTRODUCTION.1

The Internet offers every enterprise exciting opportunities to find timely information and to reach potential clients. This very power brings with it risks of damaging corporate and professional reputations. Nontechnical problems in cyberspace include bad information, fraud, loss of productivity, and violations of civil and criminal law as well as violations of the conventions of proper behavior established by custom in cyberspace.

In addition, widespread abuse of Internet access while at work is forcing recognition that clear policies are essential to guide employees in appropriate use of these corporate resources. The consensus in our profession—despite the dreadful lack of hard statistics—is that something like two-thirds of all the damage caused to our information systems is from insiders who are poorly trained, careless, or malicious. (For a detailed discussion of security statistics, see Chapter 10 in this Handbook.) For example, a study published in late 2005 reported that:

Sixty-nine percent of 110 senior executives at Fortune 1,000 companies say they are “very concerned” about insider network attacks or data theft, according to a study by Caymas Systems, a network security technology firm based in San Jose, Calif. And 25 percent say they are so concerned they can't sleep at night, Sanjay Uppal, a vice president at Caymas Systems, told eSecurityPlanet.2

A McAfee-sponsored survey in Europe showed that (in the words of the Department of Homeland Security Daily Open Source Infrastructure Report3):

Workers across Europe are continuing to place their own companies at risk from information security attacks. This “threat from within” is undermining the investments organizations make to defend against security threats, according to a study by security firm McAfee. The survey, conducted by ICM Research, produced evidence of both ignorance and negligence over the use of company IT resources. One in five workers let family and friends use company laptops and PCs to access the Internet. More than half connect their own devices or gadgets to their work PC and a quarter of these do so every day. Around 60 percent admit to storing personal content on their work PC. One in ten confessed to downloading content at work they shouldn't. Most errant workers put their firms at risk through either complacency or ignorance, but a small minority are believed to be actively seeking to damage the company from within. Five percent of those questioned say they have accessed areas of their IT system they shouldn't have while a very small number admitted to stealing information from company servers.4

Another topic of growing significance is saturation by floods of e-mail sent by well-intentioned employees who do not know how to use e-mail effectively.

Finally, some of the information in this chapter may help security administrators involve their users in a more active role by giving them take-home messages that can help them protect their own families and friends. Getting employees to care about security for their families is a good step to involving them in corporate security.

For more information on effective security awareness and corporate culture change, see Chapters 49 and 50 in this Handbook.

48.2 DAMAGING THE REPUTATION OF THE ENTERPRISE.

When someone posts information to the Net, the message header normally indicates who the sender is. In particular, all employees using a corporate e-mail account identify their employer in every posting. It follows that when an employee—for example, [email protected]—misbehaves on the Net, it is likely that everyone seeing the misbehavior will associate it with the employer, regardless of futile attempts to dissociate the employee from the employer by statements such as “The opinions above are not necessarily those of my employer”.

Employees can embarrass their employers by using their corporate e-mail identifiers in these ways:

  • Flaming. Launching rude verbal attacks on others.
  • Spamming. Sending “junk” e-mail, unsolicited advertising and sales promotions, to multiple, often unrelated, Usenet groups and mailing lists and to people's e-mail addresses without their permission. Often called “spam,” it should be spelled in lowercase or as “Spam” to respect the Hormel Corporation, owners of the SPAM® trademark (all uppercase is the luncheon meat).5
  • Mail-bombing. Sending many e-mail messages to a single e-mail address to annoy its user, or in extreme cases, to cause a denial of service.

In addition, employees can violate laws, send out embarrassing content via e-mail, implicate their employers in personal affairs, and spread falsehoods with actionable consequences.

48.2.1 Violating Laws.

Employees may engage in illegal activities that can seriously compromise their employer; examples include:

  • Industrial espionage
  • Stock manipulation
  • Criminal hacking, unauthorized penetration of other systems
  • Sabotage, denial of service attacks
  • Vandalism, defacement of Web sites
  • Creating, transmitting, or storing child pornography
  • Sending threats (e.g., of harm to the President of the United States)
  • Credit card fraud, using stolen or fraudulently generated credit card numbers for purchases made using corporate resources

Corporate Internet usage policies should explicitly forbid any of these actions.

48.2.2 Ill-Advised E-mail.

There have been too many cases of foolish use of e-mail in recent years. Employees have created a hostile working environment by sending internal e-mail with lewd or hateful jokes and images; staff members have insulted their bosses or their employees in e-mail that later became public; people have made libelous accusations about other workers or about competing companies. All of these uses are wholly inappropriate for a medium that takes control of distribution away from the originators and produces records that can be backed up and archived for indefinite periods of possible retrieval.

Common sense dictates that anything sent via e-mail should not be illegal or even embarrassing if it were published in a newspaper.

Users should also be aware that it is a poor idea to insult people using e-mail. Sending flames that belittle, ridicule, and demean other people is likely to generate more of the same in response, and flaming is an ugly practice that distorts standards for public and private discourse. If a user or employee chooses to respond to a rude or demeaning e-mail, he or she should refrain from replying with the same rude or demeaning tone. Employees should work to maintain the moral high ground by refraining from obscenity, profanity, and vulgarity in written as well as in oral discourse. Not only is this a good habit in general, but it also avoids the possibility of enraging total strangers who may be physically or electronically dangerous. These best practices also apply to the home and family life. Criminal hackers have been known to damage credit ratings, participate in identity theft to rack up large bills in the victims' names, and even tamper with phone company accounts. In one notorious prank, hackers forwarded all incoming phone calls for the famous security expert Donn Parker, who is quite bald, to a hair restoration business.

Anonymizers are services that strip identifying information from e-mail and then forward the text to the indicated targets. However, even anonymizers respond to subpoenas demanding the identity of people involved in libel or threats. The Web site called annoy.com consistently posts messages that will annoy a substantial number of people as an exercise of United States First Amendment rights; however, even that service once had a particularly clear message on its refusal to tolerate abuse:

WARNING

It has come to our attention that certain people have been using annoy.com to deliver what some might consider to be threats of physical violence or harm to others.

Do not mistake our commitment to freedom of speech for a license to abuse our service in this manner.

We plan to cooperate fully with law enforcement agencies in whatever efforts they make to find you and punish you—even if it's some renegade authoritarian dictatorship… Free speech and annoy.com are not about harassment and definitely not about harm or violence. If you think for a second we will allow cowardly idiots to spoil our free speech party you are making a mistake. A huge mistake.

In the case of USENET, a global Internet discussion system, a message is forever: There are archives of USENET messages stretching back for a decade. Sending abusive or degrading messages online may not permanently damage a person's reputation, but it is not likely to improve anyone's prospects for getting or keeping a good job, especially if the sender's e-mail address refers back to a corporate affiliation.

48.2.3 Inappropriate Use of Corporate Identifiers.

Considerable controversy exists as to whether corporate policy should forbid corporate IDs for any personal use on the Internet. There is little reason for posting messages to newsgroups in the .alt hierarchy, and especially not to groups catering to or sympathetic to criminal activity. If employees of an organization want to participate in vigorous political discussion, conversations about sexual activity, and any other topic unrelated to their work, they are free to do so using their own Internet identities. Employers pay for corporate e-mail identities; people who want to post opinions about, say, basket weaving techniques should pay for their own access and leave their employer out of the postings.

The risks of damaging an organization's reputation by violating netiquette are high. Some abusers have themselves been abused by angry and unscrupulous Internauts. In one notorious early case, back in 1994, a naive executive spammed the Net—he posted messages in a couple of dozen newsgroups. In retaliation, his company's 800-number was posted to phone-sex discussion groups in the .alt hierarchy, resulting in thousands of irate and expensive phone calls by seekers of aural sex. Regular customers were unable to get through, and some staff resigned because of the offensive calls. The executive nearly lost his job.

An additional risk is that employees will inadvertently post company-confidential information to what they erroneously perceive as closed, private groups. Competitors or troublemakers can then exploit the information for competitive advantage or publicize it to harm the enterprise. Even if a discussion group or mailing really is closed, nothing prevents a participant from using or disseminating confidential information without permission. By the time the breach of security is discovered, it can be too late for remediation.

48.2.4 Blogs, Personal Web Sites, and Social Networking Sites.

Should employers be concerned about the creation of blogs and personal Web sites by employees? There have been cases in which employees made unwise or frankly derogatory comments about their current employers, with predictable consequences. It is much better to prevent such conflicts by establishing clear policies for employees that explicitly ban mention of the employer's name in personal publications and media such as blogs and Web sites. A variation can require corporate approval by the public relations or communications departments before material is published. Such policies are commonplace for control over what employees publish in interviews, newsletters, and other publications.

Some employees likely have personal pages in social-networking sites such as Facebook, Friendster, and MySpace. The same issues arise when employees make reference to their employer by name: How do employers feel about seeing a half-naked engineer waving a bottle of beer pictured on a Web page that displays their corporate name? Employment agreements can, and should, stipulate limitations on the use of corporate identity. Further complicating the matter is the growth of professional social networking sites such as LinkedIn. These sites encourage posting a “digital resume,” which includes basic information about an individual's employment history. Much like personal networking sites, companies must set clear expectations on use and periodically monitor compliance through searches and visual inspection.

48.2.5 Disseminating and Using Incorrect Information.

The Internet and in particular the World Wide Web are in some ways as great a change in information distribution as the invention of writing 6,000 years ago and the invention of movable type 600 years ago. In all these cases, the inventions involved disintermediation: the elimination of intermediaries in the transmission of knowledge. Writing eliminated the oral historians; one could read information from far away and long ago without having to speak to a person who had personally memorized that knowledge. Print allowed a far greater distribution of knowledge than handwritten books and scrolls, eliminating an entire class of scribes who controlled access to the precious and rare records. The Net and the Web have continued this trend, with a radical increase in the number of people capable of being publishers. Where publishing once required printing presses, capital, and extensive administrative infrastructure, or at least relatively expensive mimeographs (1950s), photocopiers (1960s), and printers (1970s), today an individual can publish material relatively inexpensively, if not free. Many Internet Service Providers (ISPs) offer free Web-hosting services and places for people to join electronic communities of every imaginable type. Even if the individual does not have access to the Internet at home, and follows work policies on use, free access can be obtained from local libraries or the increasing number of free Internet hot spots.

Web pages can lead to visibility unheard of even a decade ago. For example, one young exhibitionist named Jennifer Kaye Ringley put up a Web site to display images of her home taken through Web-enabled cameras (Webcams); this “jennycam.org” site received up to half a million hits per day while it was in operation. Another young woman decided to put up a Web site devoted to one of her favorite literary characters, Nero Wolfe, in the mid-1990s. Within a few years, her site was so well respected that she was hired by a Hollywood filmmaker as a technical consultant on a series of Nero Wolfe movies. The fees she was paid, despite offering to help for free, helped her get through her Ph.D. studies in social psychology. It would have been virtually impossible for her to achieve this recognition by trying to publish her own hard-copy fan magazine; the paper might have reached a few hundred people, but the Web site reached many thousands.

Unfortunately, all of this disintermediation has negative implications as well as positive ones. Freedom from publishers has liberated the independent thinker from corporate influence, editorial limitations, and standards for house style. However, this freedom also liberated many people from responsible reporting, adequate research, and even the rudimentary principles of spelling and grammar. The dictum “Don't believe everything you read” is even more important when reading Web-based information. Individuals may publish incorrect versions of technical information (e.g., health sites that claim that massaging parts of the earlobe can cure many known diseases), unsubstantiated theories about historical and natural events (e.g., the Tunguska Impact of 1908 was caused by an antimatter meteorite), and off-the-wall revisionist history (e.g., slavery in the United States was good for black people, and Hitler never persecuted Jews).

48.2.6 Hoaxes.

Pranksters have been using e-mail to fool gullible people for years using a particular sort of incorrect information: deliberate hoaxes. A hoax is a mischievous trick based on a made-up story. There are two major kinds of hoaxes circulating on the Internet: urban myths and false information about viruses. The archives in the urban myths Web sites are full of hilarious hoaxes, some of which have been circulating for years. Why don't they die out?

The problem is the nature of the Internet. Information is not distributed solely from a centrally controlled site; on the contrary, anyone can broadcast, or rebroadcast, any kind of data at any time. There are neither reliable creation dates nor obligatory expiry dates on files, so those receiving a five-year-old document may have no obvious way of recognizing its age, and they almost certainly have no simple way of identifying obsolete or incorrect information. All they see is that the document has been sent to them recently, often by someone they know personally.

48.2.6.1 Urban Myths

Here are some notorious examples of the bizarre and sometimes disturbing urban myths that are thoroughly debunked on the Snopes.com Web site:

  • Expensive cookies. Someone claims that a Neiman-Marcus employee charged $250 to a credit card for the recipe to some good chocolate chip cookies. This story has been traced to a false claim dating back to 1948 in which a store was accused of charging $25 for the recipe to a fudge cake.
  • Do not flash your car lights. In a gang-initiation ritual, hoodlums drive down a highway with their car lights off. Innocent drivers, flashing their lights as a reminder, would become the new target victims, usually resulting in their deaths by the gang.
  • Watch out for poisoned needles. Insane, vengeful druggies leave needles tipped with HIV+ blood in movie theater seats, gas pump handles, and telephone change-return slots.
  • Lose your kidneys. The victim visits a foreign city, goes drinking with strangers, and wakes up in the morning in a bathtub of ice with two neat incisions through which both kidneys have been removed.
  • Poor little guy wants postcards. Craig Shergold is just one of the many real or imaginary children about whom well-meaning people circulate chain letters asking for postcards, business cards, prayers, and even money. Shergold was born in 1980; when he was nine, he was diagnosed with brain cancer, and friends started a project to cheer him up—they circulated messages asking people to send him postcards so he could be listed in the Guinness Book of World Records. By 1991, he had received 30 million cards and an American philanthropist arranged for brain surgery, which worked: Shergold went into remission. The postcard deluge did not. By 1997, the local post office had received over 250 million postcards for him, and he was long since sick of the whole project.
  • Wish you would stop Making a Wish. Around the mid-1990s, some prankster inserted false information about the Make-a-Wish Foundation into the outdated chain letters concerning Shergold. The unfortunate organization was promptly inundated with e-mail and postal mail, none of which was in any way useful or relevant to its work.

48.2.6.2 Virus Myths

One category of hoaxes has become a perennial nuisance on the Net: virus myths. There is something wonderful about the willingness of gullible, well-meaning people to pass on ridiculous news about nonexistent viruses with impossible effects. One of the most famous is the Good Times “virus,” which appeared around 1994. The myth and numerous variants have been circulating uninterruptedly for years. Every few years, there is a new outburst as some newcomers to the Internet encounter an old copy of the warnings and send it to everyone they know.

The original very short warning was as follows, including the incorrect punctuation:

Here is some important information. Beware of a file called Goodtimes.

Happy Chanukah everyone, and be careful out there. There is a virus on America Online being sent by E-Mail. If you get anything called “Good Times”, DON'T read it or download it. It is a virus that will erase your hard drive. Forward this to all your friends. It may help them a lot.

The Good Times virus claimed that downloading a document or reading a document could cause harm; at that time, such a claim was impossible. Ironically, within a couple of years, it did in fact become possible to cause harm via documents because of the macro-language capabilities of MS-Word and other programs enabled for scripting. Over the rest of the 1990s, foolish people modified the name of the imaginary virus and added more details, sometimes claiming impossible effects such as destruction of computer hardware.

By 1997, the warnings were so ridiculous that an anonymous author distributed the following Monty Pythonesque satire:

It turns out that this so-called hoax virus is very dangerous after all. Goodtimes will re-write your hard drive. Not only that, it will scramble any disks that are even close to your computer. It will recalibrate your refrigerator's coolness setting so all your ice cream goes melty. It will demagnetize the strips on all your credit cards, screw up the tracking on your television and use subspace field harmonics to scratch any CDs you try to play.

It will give your ex-girlfriend your new phone number. It will mix Kool-aid into your fish tank. It will drink all your beer and leave dirty socks on the coffee table when company comes over.

It will put a dead kitten in the back pocket of your good suit pants and hide your car keys when you are late for work.

Goodtimes will make you fall in love with a penguin. It will give you nightmares about circus midgets. It will pour sugar in your gas tank and shave off both your eyebrows while dating your girlfriend behind your back and billing the dinner and hotel room to your Discover card.

It will seduce your grandmother. It does not matter if she is dead, such is the power of Goodtimes, it reaches out beyond the grave to sully those things we hold most dear.

It moves your car randomly around parking lots so you can't find it. It will kick your dog. It will leave libidinous messages on your boss's voice mail in your voice! It is insidious and subtle. It is dangerous and terrifying to behold. It is also a rather interesting shade of mauve.

Goodtimes will give you Dutch Elm disease. It will leave the toilet seat up. It will make a batch of Methamphetamine in your bathtub and then leave bacon cooking on the stove while it goes out to chase gradeschoolers with your new snowblower.

Unaware people circulate virus hoaxes because they receive the hoax from someone they know. Unfortunately, a personal friendship with a sender is no guarantee of the accuracy of their message. Some awfully nice people are gullible, well-meaning dupes of social engineers. Transmitting technical information about viruses (or any apprehended danger) without verifying that information's legitimacy and accuracy is a disservice to everyone. It makes it harder for experts to reach the public with warnings of real dangers, and it clutters up recipients' e-mail in-baskets with alarming information of limited or no use whatever.

48.2.6.3 Junk E-mail.

Unsolicited commercial e-mail (UCE) is derisively known as junk e-mail and also as spam. Junk e-mail is spawned by foolish (in the early days) or criminal (today) people who send out thousands or millions of identical messages to unwilling recipients. Junk e-mail clogs victims' in-baskets and wastes their time as they open these unwanted messages and take a few seconds to realize that they are junk. Junk e-mail containing pornographic images or advertising pornography may be highly offensive to the recipients. Junk may even push people's e-mail systems over their server limits if they are not picking up their messages regularly; in such cases, wanted e-mail may bounce because the mailbox is full. Today, junk e-mail is the primary vector for social engineering attacks such as phishing designed to trick recipients into compromising their privacy or their identification and authentication codes. (See Chapter 20 in this Handbook for more details of spam, phishing, and other tricks.)

Most junk e-mail uses forged headers; that is, the senders deliberately put misleading information in the From and Reply fields to avoid receiving angry responses from the victims of their criminal behavior. Forging e-mail headers is illegal in the states of Massachusetts, Virginia, and Washington. In these states, if the perpetrators are identified, it can lead to court cases and financial penalties for each message involved in the fraud.

In one famous, groundbreaking case, college student Craig Nowak sent out a few thousand junk e-mail messages and followed the instructions in his spam kit by putting a made-up Reply address using “@flowers.com” without checking to see if there really was such a domain. Indeed there was, and the owner of this reputable floral delivery service, Tracy LaQuey Parker, was none too pleased when her system was flooded with over 5,000 bounce messages and angry letters from customers saying that they would never do business with her again. She sued the student for damages and was awarded over $18,000 by a judge who said he wished he could have been even more punitive.6
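The two preceding paragraphs describe forged From and Reply fields and the bounce flood that hit an unrelated domain when a spammer invented a reply address. The following is an added example, not code from the Handbook, showing the kind of defensive header check a mail administrator can run on incoming messages: it flags a Reply-To domain that differs from the From domain, and a From display name that carries an address from a different domain than the real sender. Both are heuristics that call for review, not proof of forgery (legitimate mailing-list software also sets Reply-To). The sample messages and their domains are constructed for the example.

```python
"""Heuristic checks for mismatched or misleading e-mail address headers.

Added example (not from the Handbook chapter). Assumptions: messages are
RFC 5322 text; a From/Reply-To domain mismatch or a display name that
carries a different domain is a review signal, not a verdict.
"""
from email import message_from_string
from email.utils import parseaddr


def address_domain(address):
    """Return the lowercase domain of an e-mail address, or None if it has none."""
    if "@" not in address:
        return None
    return address.rsplit("@", 1)[1].lower()


def header_domain(msg, header_name):
    """Domain of the address in a header such as From or Reply-To (None if absent)."""
    _, addr = parseaddr(msg.get(header_name, ""))
    return address_domain(addr)


def reply_to_mismatch(raw_message):
    """Return (from_domain, reply_domain, mismatch) for one raw message."""
    msg = message_from_string(raw_message)
    from_dom = header_domain(msg, "From")
    reply_dom = header_domain(msg, "Reply-To")
    mismatch = from_dom is not None and reply_dom is not None and from_dom != reply_dom
    return from_dom, reply_dom, mismatch


def display_name_spoof(raw_message):
    """True when the From display name contains an address whose domain differs
    from the actual sender address, e.g. "alice@bank.example" <x@other.example>."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    name_dom = address_domain(name)
    return name_dom is not None and name_dom != address_domain(addr)


def header_flags(raw_message):
    """List the review flags raised by one message (empty list means none)."""
    flags = []
    if reply_to_mismatch(raw_message)[2]:
        flags.append("reply-to-domain-differs-from-from")
    if display_name_spoof(raw_message):
        flags.append("display-name-carries-other-domain")
    return flags


# Constructed sample messages; all domains are placeholders, not real mail.
SAMPLES = {
    "plain": (
        "From: alice@example.com\r\n"
        "To: bob@example.net\r\n"
        "Subject: lunch\r\n\r\nSee you at noon.\r\n"
    ),
    "forged_reply": (
        "From: deals@promo.example\r\n"
        "Reply-To: drop@unrelated-florist.example\r\n"
        "To: bob@example.net\r\n"
        "Subject: offer\r\n\r\nBuy now.\r\n"
    ),
    "spoofed_name": (
        'From: "support@bank.example" <x7@mailer.example>\r\n'
        "To: bob@example.net\r\n"
        "Subject: verify your account\r\n\r\nClick here.\r\n"
    ),
}


def scan(samples):
    """Map each sample name to its list of flags."""
    return {name: header_flags(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, flags in scan(SAMPLES).items():
        print(f"{name}: {flags or 'no flags'}")
```

In practice these flags would feed a scoring filter alongside SPF/DKIM results rather than block mail on their own.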

In general, spam has become a mechanism for tricking unaware vendors into paying for illusory marketing services. It is sad to see e-mail advertising for Chinese industrial piping being sent to North American university professors; the victims are the hardworking Chinese industrialists who have been cheated by assurances from criminals promising to send their advertising to willing and well-qualified recipients.

Much of the remaining junk is sent out in the hope that a significant proportion of the recipients of the misspelled, absurd claims will be gulled into sending money—or their e-mail addresses—to drop boxes. For more information about such social engineering attacks, see Chapters 19 and 20 in this Handbook.

If you are involved in an e-mail discussion group, especially an unmoderated group, about a specific topic, do not post e-mail to members of the list on a subject that is outside the topic area. A typical class of inappropriate posting is an appeal for support of a worthy cause that has no, or only a tenuous, relation to the subject area. For example, someone might appeal for support to save whales in a discussion group about gardening: bad idea. The reasoning is “They like plants; probably environmentally sensitive; likely to be interested in conservation; therefore they will be glad to hear about whales.” The problem is that such reasoning could be extended to practically any topic, disrupting the focus of the group. Such messages often cause angry retorts, which are typically sent by naive members to the entire list instead of only to the sender of the inappropriate mail. Then the angry retorts cause further angry responses about burdening the list with useless messages and soon the gardening group is mired in dissension and wasted effort, generating bad feeling and distrust.

As suggested in the preceding paragraph, if you see inappropriate messages on an e-mail list you care about, do not reply to the entire list; reply nicely and only to the sender, with possibly a copy to the moderator, if there is one. The reply should be temperate and polite.

48.2.6.4 Chain Letters and Ponzi Schemes.

A particularly annoying form of junk e-mail is the chain letter. Some chain letters include ridiculous stories about terrible diseases and accidents that have befallen people who refused to forward the message. Others focus on getting victims to send money to someone at the top of a list of names, while adding their names to the bottom of the list, before sending it on to a specified number of recipients. Depending on the length of the list and the amount to be sent to the person on top, the theoretical return could be in the hundreds of thousands of dollars. In practice, only the originators of the scheme profit. After a while, all possible participants have been solicited with disappointing results, and the chains are broken in many places.

Another type of pyramid is known as a Ponzi scheme, which is an investment swindle in which high profits are promised and early investors are paid off with funds raised from later ones. The scam is named after Charles Ponzi (1882?–1949), a speculator who organized such a scheme in 1919 and 1920. The Ponzi scheme tricked thousands of people in Boston when Ponzi guaranteed a 50 percent profit on contributions in 45 days and a doubling of value in 90 days. The con man claimed he was redeeming 1-cent Spanish postal certificates for 6-cent U.S. stamps—a claim ridiculed by financial analysts at the time. Nonetheless, Ponzi took in around $15 million in 1920 dollars and stole around $8 million, paying out the rest to the early participants in order to develop credibility. Six banks collapsed because they invested their depositors' funds in the scheme. Ponzi eventually served over three years in jail but escaped in 1925.7

The modern-day e-mail Ponzi scheme typically includes passionate assurances from vaguely identified people about how skeptical they were about the scheme, but how they succumbed to curiosity, participated in the scheme, and earned vast amounts of money (e.g., $50,000) within a couple of weeks. The letters often include assurances that everything is legal and point to nonexistent postal information phone lines or claim “As Seen on TV” at various points in the letter.

These letters instruct the victim to send a small amount of money (typically $1 or $2) to a short list of about four people to receive their “reports.” The victim is then instructed to add his or her name and address to the list, while removing the first one, before sending a copy of the new letter to as many people as possible. Some letters go through computations involving such assumptions as “Imagine you send out a hundred, a thousand, or ten thousand messages and get a mere 1%, 2%, or 10% response” and then promise enormous returns. In fact, the “reports” are nothing but one-page, meaningless blurbs about chain letters. The scammers are trying to get around regulations such as the U.S. Post Office's bar against fraudulent uses of the mail.
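The letters' own arithmetic stops at the promised return and never asks what happens when the supply of new recipients runs out. The following is an added example, not from the Handbook, that carries the four-name scheme through to exhaustion: each new participant pays $1 to each of the four names on the list, removes the top name, adds his or her own, and mails a hundred copies of which 10 percent are answered (the letter's own optimistic figure). The population of reachable recipients, the response rate, and the assumption that every responder pays all four names are constructed parameters for the model, which is why it reports who ends up holding the loss.

```python
"""Model of the 'send $1 to four names' chain-letter pyramid.

Added example (not from the Handbook chapter). Assumed mechanics: the
originators' names fill the initial list; each recruit pays `payment` to
every name on the list, drops the top name, adds his or her own, and
mails `mailings` copies, of which a fraction `response` are answered.
Recruitment stops when the reachable population is exhausted.
"""


def simulate_chain_letter(originators=4, mailings=100, response=0.10,
                          population=10_000, payment=1, list_length=4):
    """Return per-generation counts, income and net result of the scheme."""
    recruits_per_member = mailings * response
    remaining = population
    gens = []  # gens[k] = number of participants in generation k + 1

    # The originators mail the first batch; every later batch is mailed by
    # the previous generation. Nobody can recruit beyond the remaining pool.
    n = min(int(round(recruits_per_member)), remaining)
    while n > 0:
        gens.append(n)
        remaining -= n
        n = min(int(round(gens[-1] * recruits_per_member)), remaining)

    # A member of generation j stays on the list of every recruit in the
    # next `list_length` generations below, and receives `payment` from each.
    income = []
    for j in range(len(gens)):
        below = gens[j + 1:j + 1 + list_length]
        income.append(payment * sum(below))

    # Generation k + 1 still has (list_length - k) originator names at the
    # top of its list, so it pays the originators that many dollars apiece.
    originator_income = sum(payment * n_k * max(0, list_length - k)
                            for k, n_k in enumerate(gens))

    net_per_member = [inc / n_k - payment * list_length
                      for inc, n_k in zip(income, gens)]
    losers = sum(n_k for n_k, net in zip(gens, net_per_member) if net < 0)

    return {
        "generations": gens,
        "originator_income": originator_income,
        "income": income,
        "net_per_member": net_per_member,
        "losers": losers,
        "total_paid": payment * list_length * sum(gens),
    }


if __name__ == "__main__":
    result = simulate_chain_letter()
    print("participants per generation:", result["generations"])
    print("originators receive: $", result["originator_income"])
    for g, (inc, net) in enumerate(zip(result["income"], result["net_per_member"]), 1):
        print(f"generation {g}: income ${inc}, net per member ${net:.2f}")
    print(f"participants who lose money: {result['losers']} of {sum(result['generations'])}")
```

With the default parameters the pool of 10,000 recipients is exhausted in four generations: the originators collect the largest single share, the early recruits profit, and the last generation, which is most of the participants, pays its $4 and receives nothing. Every dollar received by someone is a dollar paid by a later participant, which the model checks by comparing total income against total payments.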

Here is the exact text of a letter sent on December 1, 2000, by V. J. Bellinger of the Operations Support Group of the United States Postal Inspection Service in Newark, New Jersey. It has some interesting information that should be helpful to readers attempting to convince employees (or family and friends) that such chain e-mail involving postal addresses is illegal.

A chain letter or a multi-level marketing program is actionable under the Postal Lottery, False Representation, and/or Mail Fraud Statutes if it contains three elements: prize, consideration and chance. Prize is usually in the form of money, commissions, or something else of value that the solicitation claims you will receive. Consideration is the required payment to the sponsor in order to obtain the prize. Chance is determined by the activities of participants over whom the mailer has no control. These types of schemes constitute lotteries and are barred from the mails because they violate the following statutes: Title 18, United States Code, Sections 1302 and 1341 and Title 39, United States Code, Section 3005.

In attempts to appear legal, many chain letter or multi-level marketing mailings offer, for a fee, a product, or “report.” However, since the success of the program is dependent on the number of people willing to participate, all three elements that constitute a violation continue to be present.

The promoter of this scheme has been advised of the potential violations involved and has been requested to discontinue this type of mailing activity….

A superficially similar phenomenon is known as multilevel marketing. In this non-fraudulent, legitimate system of selling products and services, people are encouraged to recruit distributors from among their friends and acquaintances, but the emphasis is on the value of the products. No one claims that anyone is going to become wealthy without work, and there is no demand for investments. The products have an established market, and the company makes money through sales, not through recruitment.

48.2.6.4.1 Practical Guidelines
  • Do not participate in any scheme that relies on forwarding large numbers of letters or e-mail messages to everyone you know or to strangers.
  • Differentiate between pyramid frauds and legitimate multilevel marketing systems: The former emphasize enrolling participants, whereas the latter emphasize the value of products and services.
  • Do not participate in alleged multilevel marketing systems if they require substantial investments.
  • If you are interested in a multilevel marketing operation:
    • Check out the owners and officers.
    • Talk to people who have bought the products to see if they are happy with their purchases.
    • Contact your local Better Business Bureau to see if there have been any complaints.
  • Do not send money to suspected pyramid frauds.
  • Work with your colleagues to demonstrate how a pyramid fraud takes money from a growing number of later victims and shifts it to people who participate earlier in the fraud. Reinforce the fact that fraud is illegal, even though the prospect of early participation might seem to yield results.

48.2.6.5 Get-Rich-Quick Schemes.

Other get-rich-quick schemes on the Net play on the victims' wishful thinking, their lack of skepticism, and usually on a lack of common sense. There have been claims that you can earn a quarter of a million dollars a year by grooming poodles in your home. Or that you can become a millionaire by working four hours a week, sending out promotional literature for products you do not even have to sell. Some such schemes are promulgated by dangerous people; for example, some extremist militia groups have been charging people hundreds of dollars to learn how to defraud the government by claiming liens on government property and then pledging the nonsensical liens as collateral for loans. Other criminals circulate programs for generating fraudulent credit card numbers and using them to steal goods. In other cases, criminals charge money to teach victims how to falsify their bad credit records so they can obtain yet more fraudulent credit, all the while claiming that their criminal methods are 100 percent legal.

From a corporate standpoint, such chain letters and schemes waste bandwidth and pose a potential for serious embarrassment when enterprise resources are used to spread the nonsensical material. However, corporate security can win favor with users by helping them avoid the pitfalls of such fraud, even when using their own computer systems. The benefits are particularly strong when helping employees to teach their own children how to avoid this kind of trouble.

To illustrate the trouble kids can get into using these techniques, consider the case of Drew Henry Madden. In 1996, this 16-year-old Australian boy from Brisbane, just after leaving school, started defrauding businesses using stolen and forged credit card numbers. He stole $18,000 of goods and, in February 1997, pled guilty to 104 counts of fraud and was sentenced to a year in jail. However, investigators uncovered additional fraud, and it turned out that he had stolen an additional $100,000 in goods and services. In October 1997, he pled guilty to another 294 counts of fraud and was given an additional suspended sentence. His defense attorney blamed poor security for the losses: “Madden started with very minor credit card fraud, but it escalated alarmingly, because the safeguards were so inadequate.” Despite the youngster's unusual revenue stream, his mother appeared to have accepted his globetrotting ways and massive purchases of lottery tickets without comment. At one point, she told reporters, “If we were a wealthy family he'd be at a private school, where his talents could be directed properly”.

A relatively new kind of fraud on the Internet is the diploma mill. These organizations pretend to be educational institutions; actually, they are one or more fraudulent individuals who sell bogus diplomas purporting to represent recognized degrees but that fool no one but the purchaser. While diploma mills are not accredited, the lack of accreditation does not automatically implicate a school as a fraudulent entity.

48.3 THREATS TO PEOPLE AND SYSTEMS.

One particular class of e-mail deserves a special mention: threats. Threatening e-mails may target people, systems, organizations, or the processes that these entities rely on. As with the other types of illegal activity on the Internet, proper education, awareness, and response can limit the number of future victims.

48.3.1 Threats of Physical Harm.

Anyone who receives threats through e-mail has a right, and possibly a duty, to inform local law enforcement officials. In today's climate of fear and violence, any threat warrants attention. In addition to the distress such messages can generate, they may be warning signs of serious trouble. In particular, threats about violence at work, at school, or against any definable group may be the early warning that allows authorities to step in to defuse a potentially explosive situation.

Sending threatening e-mail is not an acceptable joke or a minor prank, especially if the threat involves violence. Some people, believing that they can mask their real identity, have foolishly sent death threats to the White House; because the Secret Service is obligated by law to investigate all threats to the president and the first family, agents show up within a few hours to interrogate the miscreants. For example, youngsters in the tenth grade at Profile High School in Bethlehem, New Hampshire, sent death threats to the White House Web site from their school computers. The messages were traced within minutes by the Secret Service, the children were suspended from school, and they lost their Internet privileges for the next two years.

48.3.2 Pedophiles Online.

This section applies primarily to training users for protection of their children.

“Pedophilia” is defined as sexual arousal in response to contact with or images of prepubescent children. Some pedophiles misrepresent themselves as youngsters in chat rooms or via e-mail and trick children into forming friendships with what they believe are peers. In one notorious case, Paul Brown Jr., a 47-year-old man, misrepresented himself as a 15-year-old boy in e-mail to a 12-year-old girl in New Jersey. The victim's mother stumbled onto the long-range relationship when she found sitting on her own doorstep a package from her daughter to a man she did not know; the child had put the wrong postage on it and the post office had sent it back. Opening the package, she found a videotape that showed her daughter cavorting naked in front of the family video camera. The distraught mother searched her daughter's room and discovered a pair of size 44 men's underpants in one of the child's bureau drawers.

Brown was arrested in February 1997. Police found correspondence with at least 10 other teenage girls across the country, through which Brown convinced his young victims, some as young as 12, to perform various sexual acts in front of cameras and to send him the pictures and videotapes. He pleaded guilty in June to enticing a minor into making pornography. In August 1997, at his sentencing hearing, one of his many victims told the court that she had suffered ridicule and humiliation as a result of her entrapment and had left her school to escape the trauma. She accused Brown of emotional rape. Displaying an astonishing interpretation of his own behavior, Brown said at his sentencing hearing, “It was just bad judgment on my part.” Using good judgment, the court sentenced him to five years of incarceration.

In March 2000, Patrick Naughton, a former executive of the INFOSEEK online company, pled guilty to having crossed state lines to commit statutory rape of a child. In August, FBI officials said that Naughton had been providing help in law enforcement investigations of pedophilia on the Net. In return for his cooperation, prosecutors asked the court for five years of probation (instead of a possible 15 years in prison), counseling, a $20,000 fine (instead of the maximum $250,000), and an agreement not to have “unapproved” contact with children and to stay out of sex chat rooms online.

The problem of Internet-enabled pedophile stalking has reached international dimensions. In January 1999, police forces around the world cooperated to track and close down a worldwide ring of pedophiles trafficking in child pornography through the Net. In June 2000, child safety experts warned the U.S. congressional committee on child online protection that with the average age of online users declining (children between the ages of two and seven are among the fastest-growing user cohorts on the Internet), children increasingly are put at risk by their careless or ignorant online activities. Parry Aftab, a children's advocate, told committee members that 3,000 children were kidnapped in the United States last year after responding to online messages posted by their abductors. A recent survey of teenage girls found 12 percent had agreed to meet strangers who had contacted them online.

48.3.3 Viruses and Other Malicious Code.

As of 2008, the WildList (www.wildlist.org) reports over 2,000 distinct forms of malicious program code commonly circulating in cyberspace. There are many more types recorded by antivirus researchers, but they have not been seen infecting significant numbers of user computers. Most of these harmful programs are limited to antivirus laboratories and to the computers of virus hobbyists—people who derive pleasure from playing with danger. For more information about viruses and other malware, see Chapters 16, 17, 18, and 41 in this Handbook.

Employers should have policies clearly forbidding the creation, exchange, and storage of malicious software on corporate systems.

48.3.4 Spyware and Adware.

In December 1999, computer scientist, cybercrime investigator, and writer Richard Smith became curious about a program called zBubbles that he had installed on his system to improve online shopping. Created by Alexa, a subsidiary of e-tailer Amazon.com, the program provided competitive information about alternative and possibly cheaper sources for particular products. However, Smith discovered that there was more going on than met the eye.

Smith monitored his own Internet traffic while he was using zBubbles by using a packet sniffer, a tool that displays details of every piece of information being transmitted through a network connection. He found that zBubbles was sending a steady stream of information about him and his surfing habits to Alexa, including his home address, the titles of DVDs he had browsed on Buy.com, and the details of an airline ticket he had verified online. In addition, the program continued to send information regularly to Alexa's servers even when Smith was not using his browser. It was learned that zBubbles was not the only program sending information back to its makers.

Many programs are available that, once installed, report on the Web sites you visit, which banner advertisements you click, what products you search for, and any other information the programs have been designed to acquire. Even widely used downloading software, such as NetZip, has been shown to report to its providers on the names of every file downloaded by each user.

Sometimes these programs are informally known as “E.T.” applications, in a reference to Steven Spielberg's movie of that name, in which an extraterrestrial strives to “phone home”—exactly what the spyware programs are doing.

The term “spyware” is applied to any technology that transmits information without the knowledge of its user. Several programs distributed without charge through the Internet secretly collect information about the user, monitor user behavior, and then send those data to advertisers. The more general class of monitoring software that collects information for use by advertisers is known as advertising-supported software or adware. These programs allow freeware to make money for its creators by generating revenue based on how many users transmit information to the advertisers about their habits.

Although defenders of the advertising-supported programs claim that they are harmless, privacy advocates argue that the issue is control: Do users know what these programs are doing, or are they collecting and transmitting information covertly? Some adware comes with complicated contracts containing complex legal language to bury the fact that they will monitor and report user behavior. Worse yet, many such contracts explicitly authorize the software supplier to alter the privacy conditions without notification and, preposterously, instruct the user to check the contracts on the Web frequently. No one has the time to monitor countless suppliers to see if privacy conditions have been altered, especially if there is no attempt to highlight changes.

Another issue is that some spyware modules have used stealth technology characteristic of viruses, Trojan horses, and other malicious software. For example, some adware (e.g., TSADBOT) installs itself as a system process and is not listed in the Windows task list. Therefore, it cannot easily be aborted by a user. TSADBOT also resists removal; even if the carrier product is uninstalled, TSADBOT persists. If a user's firewall blocks outbound transmission by the TSADBOT process, the spyware initiates attempts to reach its target at a rate of 10 per second, potentially leading to central processing unit (CPU) and network resource overload.
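The blocked-but-retrying behavior just described is exactly the kind of signal a host firewall or proxy log makes visible. The following Python script is an added example for this chapter, not code from the Handbook or from any firewall product. It reads a constructed, simplified log format (timestamp, ALLOW or BLOCK, process name, destination), built inline for the example with placeholder addresses and the process name TSADBOT taken from the text, and flags any process whose blocked outbound attempts to one destination reach a threshold within a one-second window. All function names are the example's own.

```python
"""Flag processes that keep retrying a blocked outbound connection.

Added example for this chapter, not from the Handbook or any firewall product.
The log format is constructed for the example:
    <ISO-8601 timestamp> <ALLOW|BLOCK> <process> -> <dest-ip:port>
Real host-firewall logs differ, so parse_line() is the part to adapt.
"""
from collections import defaultdict
from datetime import datetime, timedelta

LOG_TIME_FMT = "%Y-%m-%dT%H:%M:%S.%f"

# Constructed sample log: one adware process retrying a blocked destination
# ten times a second (the rate the text attributes to TSADBOT), plus benign noise.
_BASE = datetime(2008, 3, 1, 10, 0, 0)


def _line(offset, action, proc, dest):
    return f"{(_BASE + offset).strftime(LOG_TIME_FMT)} {action} {proc} -> {dest}"


SAMPLE_LOG = "\n".join(
    [_line(timedelta(milliseconds=100 * i), "BLOCK", "TSADBOT", "198.51.100.7:80")
     for i in range(12)]
    + [
        _line(timedelta(milliseconds=300), "ALLOW", "outlook", "192.0.2.10:25"),
        _line(timedelta(seconds=5), "BLOCK", "updater", "203.0.113.5:443"),
        _line(timedelta(seconds=65), "BLOCK", "updater", "203.0.113.5:443"),
    ]
)


def parse_line(line):
    """Split one log line into (timestamp, action, process, destination)."""
    ts, action, proc, arrow, dest = line.split()
    if arrow != "->":
        raise ValueError(f"unexpected log line: {line!r}")
    return datetime.strptime(ts, LOG_TIME_FMT), action, proc, dest


def max_events_per_window(times, window):
    """Largest number of timestamps that fall inside any interval of length `window`.

    Two-pointer sweep over the sorted timestamps: O(n) after sorting.
    """
    times = sorted(times)
    best = left = 0
    for right, t in enumerate(times):
        while t - times[left] >= window:   # drop events that fell out of the window
            left += 1
        best = max(best, right - left + 1)
    return best


def find_beaconing(log_text, threshold=10, window=timedelta(seconds=1)):
    """Return {(process, destination): peak_count} for every process whose BLOCKED
    attempts to one destination reached `threshold` within any single `window`.

    Allowed connections are ignored: the signal is a client that will not take
    "no" for an answer, which is what the text describes for TSADBOT.
    """
    blocked = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, action, proc, dest = parse_line(line)
        if action == "BLOCK":
            blocked[(proc, dest)].append(ts)

    flagged = {}
    for key, times in blocked.items():
        peak = max_events_per_window(times, window)
        if peak >= threshold:
            flagged[key] = peak
    return flagged


if __name__ == "__main__":
    for (proc, dest), peak in find_beaconing(SAMPLE_LOG).items():
        print(f"{proc} retried blocked connection to {dest}: {peak} attempts in 1 s")
```

The threshold and window are deliberately parameters: a legitimate updater that retries once a minute never trips the rule, while a process retrying ten times a second does, which is the distinction an analyst wants before deciding whether a "system process" that is invisible in the task list deserves a closer look.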

Spyware, like any software, can contain errors that cause system problems. In particular, components of the Aureate/Radiate spyware have been shown to cause system instability and crashes.

One of the most egregious cases of spyware erupted in 1999, when it was discovered that CometCursor, a supplier of cute cartoon-character cursors aimed at children, was sending information back to its servers about what the children were browsing on the Net. According to some attorneys, this kind of covert data gathering about children may be a violation of the U.S. federal Child Online Privacy Protection Act.

Several free software programs have been written to help users identify and remove spyware. In addition, personal firewalls can usually identify and block unauthorized outbound communications; the free version of ZoneAlarm, for example, does so effectively. Today's antimalware programs (e.g., Norton Antivirus) include antispyware functions. There are also many specialized programs available that run in the background to monitor and thwart attempts to install spyware and adware; examples include Lavasoft's Ad-Aware and Computer Associates' PestPatrol.

48.4 THREATS TO PRODUCTIVITY.

Some activities and phenomena are nuisances to employers principally because of their noxious effects on productivity and their abuse of corporate resources. Junk e-mail and mailstorms, for example, are a problem because they saturate resources, not because they cause specific harm to the organization or to its employees. However, chain letters, get-rich-quick schemes, online auctions, online gambling, excessive online shopping, and Internet addiction can be directly harmful to employees and others.

48.4.1 Inefficient Use of Corporate E-mail.

The next sections focus on problems caused by mistakes in the use of e-mail—mistakes that can cause annoyance, inefficiency, and potential disruption of critical business processes.

48.4.1.1 Forwarding E-mail to Personal Accounts.

Employees may be tempted to forward their corporate e-mail traffic to their personal e-mail addresses for convenience, or when they have no convenient way of accessing their corporate e-mail system from outside the office. Such forwarding should be forbidden by policy unless virtual private networks (VPNs) or other strongly encrypted channels are used for the employee's private e-mail.

E-mail and other traffic on the Internet have no inherent confidentiality. In theory, anyone capable of intercepting TCP/IP packets anywhere during transmission can breach confidentiality. Thus, again in theory, anyone with access to the equipment of Internet Service Providers, Internet backbone transmission lines, and even to the public switched telephone network can intercept packets. With downlink footprints from satellite relays amounting to square miles, practically anything can in theory be intercepted from much of the traffic circulating on the Internet.

However, in practice, reported breaches of confidentiality have almost all resulted from data access at the end points, not in transit. Insider attacks and breaches of server security have been responsible for most of the data interceptions that have reached the press and the courts.

A practical impediment to effective interception of meaningful data in transit is the datagram routing that underlies the Internet: Datagrams are packets of information with origin and destination information; store-and-forward transmission allows these datagrams to be sent through the Internet via different routes from other packets in a message stream. Routing tables can be updated in real time to reflect changes in traffic density or availability of specific links to other destinations on the Internet, so there is no guarantee that packets from the same message will travel the same route or arrive in the proper sequence (sequence numbers allow reassembly of the original message). Therefore, seizing individual packets at random anywhere other than at the origin or destination is unlikely to yield much for the effort.

Nonetheless, best practices do recommend that encryption be used for communication of sensitive data; therefore, many organizations install Virtual Private Networks (VPN) for communication with established trading partners. VPN software is also available for “tunneling” through the Internet from a remote workstation over nonsecure communications lines. A simple example of such a link-encryption function is the Web-based e-mail services that use SSL to establish a secure link to the e-mail server (i.e., they use https instead of just plain http). The user can pick up e-mail from the corporate server without having it forwarded in the clear to an insecure external e-mail service. Some of the e-mail products include facilities for direct communication between a secure e-mail server and the users' e-mail client.

Using “VPN tunneling software” as a search string in the Google search engine brings up hundreds of hits, many of them for specific products and data sheets, so readers will be able to find a solution that fits their needs.

48.4.1.2 Mislabeling the Subject Line.

Many people make the mistake of creating new messages to a correspondent by finding any old message from that person and replying to it. The problem is that these people usually leave the old subject intact, resulting in ridiculous situations such as finding a critically important message in July in an e-mail labeled “Birthday party 12 May.”

Not all e-mail messages are created equal; some are destined for the trash heap, if not of history, at least of the e-mail system. That decision is sometimes made automatically as a function of the subject line. For example, a user adds the subject line of a joke to an e-mail filter, resulting in future messages with that subject ending up in the junk mail folder. Someone replies to the joke message with important information, and the mail filter sees the subject and automatically moves the message to the recipient's junk mail folder. The recipient may never see the important information, as most people do not actively monitor their junk folders.

Another problem with mislabeled subjects occurs when someone embeds more than one distinct topic in an e-mail message whose subject line implies otherwise. For example, suppose an e-mail message subject reads “Next week's meeting” but the sender includes an urgent request for action today on some critical issue; there is a good chance the receiver may not open the message right away if other messages seem more important.

Employees should make their subject line as descriptive as possible without turning it into a paragraph. Some e-mail systems truncate subject lines in the display of messages that a user sees; it makes sense to put keywords at the front of the subject. Encourage staff to use prefixes such as “MSIA:” or “SGS:” to help organize their messages. Using standard formats in subject lines can help too. For example, faculty and staff in the MSIA program at Norwich University refer to an issue in a particular seminar by using the form “MSIA c.s” in their subject line, where c represents the class (e.g., 24 for students starting in December 2009) and s represents the seminar number.

As for confidentiality, consider that using the To and CC (“carbon copy”—a bit of historical detritus) fields in e-mail makes all recipient addresses visible to all recipients. This situation is usually helpful in internal e-mail because team members can see who has gotten the message, but it can be annoying in external e-mail. Why should a list of dozens, or even hundreds, of names of strangers be distributed freely among them, without the explicit permission of all concerned? Who knows where that information will end up? Using the BCC (“blind carbon copy”) field prevents recipients from seeing the full list of people to whom the message was sent. This extra step is a good piece of e-mail etiquette, whether the message is business or personal. The BCC field is also useful for internal e-mail when the list of recipients is very large, but it is not important for people to know exactly who received the message.
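The reason BCC keeps addresses private is that the Bcc header never leaves the sending client: the addresses go only into the SMTP envelope. The Python script below is an added example for this chapter, not code from the Handbook; it uses only the standard library's email package, with constructed placeholder addresses in the reserved example.* domains, and the helper names are the example's own. It builds a message with To, Cc and Bcc recipients, computes the envelope recipient list, strips the Bcc header from the wire copy (the same thing smtplib.SMTP.send_message() does for you), and then shows what a recipient can recover from the delivered headers.

```python
"""Keep recipient lists private with BCC.

Added example for this chapter, not from the Handbook. Addresses are constructed
placeholders in the reserved example.* domains.
"""
import copy
from email import message_from_bytes
from email.message import EmailMessage
from email.utils import getaddresses


def build_message(sender, to, cc=(), bcc=(), subject="", body=""):
    """Compose a message; Bcc lives in a header only until the message is sent."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(to)
    if cc:
        msg["Cc"] = ", ".join(cc)
    if bcc:
        msg["Bcc"] = ", ".join(bcc)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def envelope_recipients(msg):
    """Every address the SMTP envelope (RCPT TO) must carry, Bcc included."""
    fields = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return [addr for _, addr in getaddresses(fields)]


def wire_copy(msg):
    """The message as it must leave the client: identical except that the Bcc
    (and Resent-Bcc) header is removed, so no recipient can read it.
    smtplib.SMTP.send_message() performs the same deletion automatically."""
    out = copy.copy(msg)      # __delitem__ rebinds the header list, so the original is untouched
    del out["Bcc"]
    del out["Resent-Bcc"]
    return out


def visible_recipients(wire_bytes):
    """What any recipient can learn about the audience from the delivered headers."""
    delivered = message_from_bytes(wire_bytes)
    fields = delivered.get_all("To", []) + delivered.get_all("Cc", [])
    return [addr for _, addr in getaddresses(fields)]


def demo():
    """Return (envelope recipients, recipients visible after delivery, Bcc leaked?)."""
    msg = build_message(
        "sender@example.com",
        to=["alice@example.org"],
        cc=["bob@example.org"],
        bcc=["carol@example.net", "dave@example.net"],
        subject="Quarterly update",
        body="Hello all.",
    )
    wire = wire_copy(msg).as_bytes()
    return envelope_recipients(msg), visible_recipients(wire), b"Bcc" in wire


if __name__ == "__main__":
    envelope, visible, leaked = demo()
    print("envelope recipients:", envelope)
    print("recipients visible in delivered headers:", visible)
    print("Bcc header present on the wire:", leaked)
```

The check that matters for an organization is the last one: any mail-sending code or relay that forwards the Bcc header unchanged defeats the purpose of the field, which is why the wire copy, not the composed message, is what should be inspected when auditing a mailer.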

These simple suggestions can make e-mail more effective as a communications tool.

48.4.1.3 First e-Impressions.

When you receive an e-mail message from a stranger, do you care whether it has spelling mistakes and grammar mistakes? What about offensive language and off-color humor? Does the context matter? For example, do you apply the same standards to e-mail referring to business matters as to informal communications about a hobby?

Researchers at the University of Chicago have been investigating the effects of e-mail on perceptions of character. Psychologist Nicholas Epley and colleagues examined oral exchanges on conversational topics by phone between randomly selected people using six assigned questions. They then transcribed the oral conversations and used exactly the same answers for the written, e-mail version of the question and answer sessions.8

Their results were interesting. The questioners had been given false biographical sketches of the people they were communicating with, indicating substandard intelligence or normal intelligence, as well as different pictures showing neat people or slobs. Subjects who used the phone to listen to the prescribed responses had favorable impressions of their interlocutor's intelligence, regardless of the bios and pictures. In contrast, “Via e-mail, however, students held onto their first impressions, continuing to assume their partners had substandard intelligence, for example, if that's what the biographical sketch indicated”.

If this research is confirmed, the lesson is that when using e-mail, first impressions really do count. Professionals should carefully review e-mail messages for acceptable writing, including word choice, punctuation, capitalization, and spelling.

48.4.1.4 E-mail Disclaimers.

Author MK recently received a 30-word e-mail message from a very nice reader in Britain and noticed that his e-mail system added the following astonishing disclaimer, which is quoted in its sonorous totality, including British spelling, after scrubbing it of identifying details:

This e-mail, its contents and any files or attachments transmitted with it are intended solely for the addressee(s) and may be legally privileged and/or confidential. Access by any other party is unauthorised without the express written permission of the sender.

If you have received this e-mail in error you may not copy or use the contents, files, attachments or information in any way nor disclose the same to any other person. Please destroy it and contact the sender on the number printed above, via the <Name of Bank> switchboard on +44 (0) nnnn nnnnnn for <place1> and + 44 (0) nnnn nnnnnn for <place2> or via e-mail by return.

Internet communications are not secure unless protected using strong cryptography. This email has been prepared using information believed by the author to be reliable and accurate, but <Name of Bank> makes no warranty or representation, express or implied, as to its accuracy or completeness and is not liable to you or to anyone else for any loss or damage in connection with any transmission sent by the Bank to you over the Internet. <Name of Bank> makes no warranty that any information or material is free from any defects or viruses.

In particular <Name of Bank> does not accept responsibility for changes made to this e-mail after it was sent. If you suspect that this e-mail may have been amended or intercepted, please contact the sender in the manner stated above. If this transmission includes files or attachments, please ensure that they are opened within the relevant application to ensure full receipt. If you experience difficulties, please refer back to the sender in the manner stated above.

Any opinions expressed in this transmission are those of the author and do not necessarily reflect the opinions of the Bank and may be subject to change without notice.

Please note that for the purposes of this document all references to <Name of Bank> or the Bank shall be taken to mean <Name of Bank> (place) Limited or any other member of the <Bigger> Bank Group. Nothing in this transmission shall or shall be deemed to constitute an offer or acceptance of an offer or otherwise have the effect of forming a contract by electronic communication.

MK commented in his response, “Did you know that your message has 30 words (152 bytes including spaces) whereas your disclaimer has 367 words (2,177 bytes)? That's the lowest signal-to-noise ratio (6.5 percent useful information out of the total and a 1:73 signal:noise ratio) I've ever seen outside a copy-of-copy-of-copy chain. Please congratulate your attorneys on using a maximum of bandwidth for minimum content!”

Cluttering up e-mail messages this way is a waste of bandwidth. It is worse in offices where people copy entire messages without editing the contents, resulting in copy-of-copy-of-copy chains that spread like cancerous eruptions through in-baskets throughout the organization. Some well-meaning folks even include the detailed headers in their copies.

As a matter of courtesy and good sense, when one replies to a message, it is a simple matter to strip nonessentials out of the copy of the original. Senders can use ellipses (…for cuts within a sentence, .... for cuts crossing sentence boundaries) to signal gaps, but usually one or two snips are enough to clean up the copy so that the reader can get the gist of the conversation without having to wade through reams of superfluous stuff. Unfortunately, this recommendation does not seem to be used much in practice.

48.4.1.5 Centralized Distribution Lists.

Organizations may grow large enough that there is significant turnover among the staff. Not only do new staff members periodically join the group, but also staff members move from one functional group to another; for example, a staff member may change from being an assistant director in one program to being an administrative director in another. Occasionally, staff members may leave the group altogether.

A primitive way of maintaining distribution lists is to name a “Keeper-of-the-Lists” to maintain the list of all staff members; however, there is no link between the file and the mailing lists that each member of the group must maintain to be able to distribute e-mail to appropriate individuals or groups. The independent files are almost certain to diverge from a centralized and accurate list. For example, a message that should be sent to all current employees may end up missing several new members and including staff members who no longer work in the target group.

Trying to make many people maintain their own copies of several distribution lists is a hopeless cause: Even with the best will in the world, people will inevitably forget to update their lists and therefore:

  • Some mailings will miss legitimate recipients.
  • Some people will receive messages they have no business reading.

There are at least four solutions that would rectify such a problem.

  1. One can implement a central e-mail server (e.g., Microsoft Exchange Server), switch all users to a centrally controlled e-mail client (e.g., Microsoft Outlook), and define corporate distribution lists maintained by the Keeper-of-the-Lists. All users will automatically access the one and only distribution list for each group without manual intervention.
  2. One can install widely available list-server software to allow centralized creation and maintenance of specific lists; for example, SGS-ALL, SGS-DIRECTORS, MSIA-STAFF, MSIA-INSTRUCTORS, and the like create lists that all employees can use in addressing e-mail.
  3. One can switch all users to any e-mail client that supports exportable mailing lists. Updated corporate distribution lists can then be sent to all users. However, this solution still requires manual intervention by users: Everyone has to replace an old list by the new list.
  4. One can create a discussion group on a public server (e.g., Yahoo Groups) to define closed groups. These groups provide automatic access to mailing lists. Unfortunately, this approach has serious problems:
    • There are security concerns about using such groups for corporate communications.
    • It seems inappropriate to put a necessary production application on a free resource completely out of the control of the organization.

48.4.1.6 HTML E-mail.

One of the six fundamental attributes of information that we protect is integrity, one aspect of which is consistency with the originally stored data (see Chapter 3 in this Handbook). When someone goes to the trouble of producing an elegantly formatted memorandum, or other document, and sends it out to recipients, everyone would like to preserve data integrity by seeing the same appearance on all the systems sharing that document.

Unfortunately, sending formatted messages as e-mail messages (as distinct from attachments) does not guarantee preservation of the exact appearance of the source material.

Attractive, well-formatted e-mail messages with boldface, italics, different point sizes, and the like usually get transmitted as HTML (hypertext markup language) to recipients' mailboxes, where most people's e-mail clients (Eudora, Netscape, Outlook, etc.) allow the funny-looking code to be reconstituted into something similar to the original.

The word “similar” is mentioned rather than “exactly like” because HTML does not necessarily control the final appearance of text on a recipient's system. The codes refer to types, not exact matches, of fonts; thus a sender might want to use, say, 24-point Arial as a Heading 1 display but a particular recipient might have defined Heading 1 as, say, Times Roman 14 point. A two-page original document may appear to be a three-page document to one recipient and a one-page document to another.

More significantly, though, many people turn off HTML e-mail for security reasons. All such formatted e-mail gets converted automatically into plain ASCII text. A correspondent once sent author Kabay a message that read: “Note: The on-line course evaluation system may be used from room, lab and home—anywhere Internet access is available. / Overview:…. Failure to complete a course evaluation will result in a ‘hold’ being placed on the student's final grades”.

The fragment of message that follows shows the result of MS-Outlook auto-conversion of the original formatted HTML message to ASCII:

Note: The on-line course evaluation system may be used
from room, lab and home ? anywhere Internet access is
available.

Overview:. . . . Failure to complete a course
evaluation will result in a ?hold? being placed on the
student?s final grades.

In the conversion process, the original apostrophes turned into question marks (“?hold?”) because the sender's word-processing package or e-mail editor had replaced the straight ASCII quotation marks with “curly” (typographic) ones. Those characters have no ASCII equivalent, so when the message was forced into plain ASCII the converter substituted a question mark for each of them. If one cares to prevent this peculiarity when using MS-Word, one has to turn off the option in the {Tools | AutoCorrect | AutoFormat As You Type} screen by unchecking the box labeled {“Straight quotes” with “smart quotes”}.

In addition, it looks like a dash character may have been in the text in the first section (labeled “Note”). One can turn that conversion off in the same menu by unchecking {Hyphens (–) with dash…}.

A much simpler solution to prevent the mess is simply to send unformatted ASCII text in all outbound messages by selecting that option in one's e-mail package.
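
The following Python program is an added illustration of the mechanism just described; it is not code from this chapter or from any e-mail client. It extracts the text of an HTML message body, reproduces the question-mark damage by forcing that text into 7-bit ASCII, and shows the alternative: mapping typographic punctuation to its ASCII equivalents before the message is sent. The sample HTML is a reconstruction of the memorandum quoted above, and the function names are this example's own.

```python
"""Added example: turn an HTML message body into plain text that survives
ASCII down-conversion. The sample body is constructed from the message
quoted in the text; the helper names are this example's own."""
import unicodedata
from html.parser import HTMLParser

# Typographic characters that word processors substitute automatically and
# that have no ASCII code point. A client that forces the text into ASCII
# replaces each of them with '?', which is exactly the damage shown above.
ASCII_EQUIVALENTS = {
    "\u2018": "'", "\u2019": "'",      # curly single quotes (the ?hold? case)
    "\u201c": '"', "\u201d": '"',      # curly double quotes
    "\u2013": "-", "\u2014": "--",     # en dash, em dash (the 'home ? anywhere' case)
    "\u2026": "...",                   # ellipsis
    "\u00a0": " ",                     # non-breaking space
}
_TRANSLATION = str.maketrans(ASCII_EQUIVALENTS)

# Tags whose boundaries become line breaks in the text rendering.
_BLOCK_TAGS = {"p", "div", "br", "li", "tr", "h1", "h2", "h3", "h4", "blockquote"}


class _TextExtractor(HTMLParser):
    """Collect text nodes, inserting newlines at block-level tag boundaries."""

    def __init__(self):
        super().__init__()          # convert_charrefs=True: &amp; and friends are decoded
        self.parts = []

    def handle_starttag(self, tag, attrs):
        if tag in _BLOCK_TAGS:
            self.parts.append("\n")

    def handle_endtag(self, tag):
        if tag in _BLOCK_TAGS:
            self.parts.append("\n")

    def handle_data(self, data):
        self.parts.append(data)


def html_to_text(markup):
    """Strip markup, collapse whitespace, keep at most one blank line between paragraphs."""
    parser = _TextExtractor()
    parser.feed(markup)
    parser.close()
    lines = [" ".join(line.split()) for line in "".join(parser.parts).split("\n")]
    out, previous_blank = [], True      # True so that leading blank lines are dropped
    for line in lines:
        if line:
            out.append(line)
            previous_blank = False
        elif not previous_blank:
            out.append("")
            previous_blank = True
    return "\n".join(out).strip()


def naive_ascii(text):
    """What a client does when it squeezes Unicode text into 7-bit ASCII:
    every unrepresentable character becomes '?'."""
    return text.encode("ascii", "replace").decode("ascii")


def safe_ascii(text):
    """Map typographic punctuation to ASCII first, then decompose accented
    letters (NFKD) and drop the combining marks, so nothing is left to become '?'."""
    text = text.translate(_TRANSLATION)
    text = unicodedata.normalize("NFKD", text)
    return text.encode("ascii", "ignore").decode("ascii")


# Constructed HTML version of the memo quoted in the text, with the curly
# quotes, en dash and ellipsis a word processor would have inserted.
SAMPLE_HTML = (
    "<p><b>Note:</b> The on-line course evaluation system may be used from "
    "room, lab and home \u2013 anywhere Internet access is available.</p>"
    "<p><b>Overview:</b>\u2026 Failure to complete a course evaluation will "
    "result in a \u2018hold\u2019 being placed on the student\u2019s final grades.</p>"
)

if __name__ == "__main__":
    text = html_to_text(SAMPLE_HTML)
    print("--- what the recipient saw ---")
    print(naive_ascii(text))
    print("--- after normalisation ---")
    print(safe_ascii(text))
```

Running the program prints the damaged rendering first (question marks where the dash and the quotation marks were) and then the normalised text, in which the same characters have become a hyphen and straight quotes. The same translation table is what one would apply to outbound messages when the e-mail package is set to send plain text, so that the result is deliberate rather than whatever the recipient's client makes of it.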

Some people try to send files that should look the same on a recipient system and the originating system by attaching word processing documents: for example, Word DOC files, WordPerfect WPD files, or Rich Text Format (RTF) files (and so on). Unfortunately, even these attempts do not necessarily work as planned, since lack of shared fonts, different default paper sizes (different countries may use different sizes), and different printing margins (resulting from installation of different printers) may cause the documents not to look precisely the same on all systems.

So if the exact appearance of a message one is sending via e-mail is critically important, one should send the content and its format in a way that is (largely) platform independent; for example, Acrobat PDF (Portable Document Format) files. Although even they do not necessarily result in perfect rendition of the author's intentions across systems, PDF files are far more likely to succeed than the other methods mentioned. One can create PDF files in a number of ways; some systems have Adobe Acrobat installed so that one can either “print” to an Acrobat driver to create the PDF files or even just click a toolbar button to do so from within the word processor. MS-Office 2007, for example, provides the ability to Save as PDF in all of its major components. Other packages exist that are less expensive (and generally less feature-rich) than the full Adobe Acrobat software, but nonetheless allow users to create PDF files easily. One can type “create PDF” into a Web search engine to find lots of choices.

48.4.1.7 Distribution Lists in E-mail.

Recently a nice lady in the human resources (HR) department at our university sent out a note to a dozen people reminding us that we had not yet finished signing up for our new medical insurance coverage.

Unfortunately, she put all the e-mail addresses into the CC (carbon copy) line where they were visible to everyone in the list. Predictably, someone on the list composed a response to her, hit Reply All, and sent some mildly personal information about the state of her medical concerns to all the recipients on the original list, none of whom had any interest in her problems.

Luckily, there was not a lot of private information in that message, but it did prompt the realization that many people unthinkingly use the CC line for addresses to a distribution list and that many people unthinkingly use Reply All for replies to every e-mail message.

The combination can lead to embarrassing violations of confidentiality; when the HR department staff use CC instead of BCC (the Blind Carbon Copy function that conceals the distribution list), the Reply All function can inadvertently violate privacy.

In this case, there was no particularly sensitive material revealed, but a different case could easily violate HIPAA (the Health Insurance Portability and Accountability Act) and the university's rules on employee confidentiality.

Once employees understand the issue, they will learn not to use CC for distribution lists when the intention is to communicate with individuals; by default, everyone should use the BCC list unless there is a need to stimulate group discussion of an issue or it is important for the members of the group to know who received the message.

It is important not to dismiss this issue as too easy or too obvious to bother with. “Against stupidity, the gods themselves contend in vain,” wrote Friedrich von Schiller in his Maid of Orleans (Die Jungfrau von Orleans) in 1801. Nonetheless, the CC + Reply All habit becomes a covert channel for release of confidential information for people who refuse to keep an address book, and simply look up any old e-mail and Reply All to it as a lazy way of sending a new message.

If you doubt the seriousness of the problem, take some time to look through your own archives of e-mail and count how many obvious cases there are of e-mails with inappropriate subject lines and inappropriate distribution lists sitting in your received folders. Unfortunately, you may be dismayed by the results of your research.

48.4.1.8 Effective Use of BCC.

As discussed, the problems caused by CC are worse when the recipients do not know each other. One often receives messages from technically unsophisticated correspondents who put dozens of e-mail addresses in the CC field even though many of the recipients are total strangers to each other. Such exposure of e-mail addresses always makes security staff nervous; who knows whether everyone on the list is trustworthy? Even if the list is not misused for outright spam, people often Reply All with useless information, effectively adding people to discussion lists that they never wanted to be on.

One particularly annoying habit is to Reply All with a comment stemming from some initial message. People then generate a series of increasingly long messages including copies of all the previous copies of the ostensibly clever repartee, driving some users to generate an addition to their junk mail filters.

The habit of using Reply All is annoying enough when a reply does not in fact have to go to everyone on the original distribution list. However, Reply All is a positive menace if it is coupled with the abhorrent practice of using an existing e-mail message as a shortcut to creating a new one with a completely different topic, as discussed in Section 48.4.1.2.
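
The following Python program is an added illustration for this subsection and for 48.4.1.7; it is not code from this chapter or from any mail client. It builds a distribution-list message in which the recipients exist only in the SMTP envelope (so that no Bcc: header is ever transmitted and a Reply All reaches nobody but the sender), shows what a Reply All would reach when the same list is placed in Cc:, and applies a pre-send check that flags the CC-instead-of-BCC mistake. The addresses and the threshold of five visible recipients are invented.

```python
"""Added example: build a distribution-list message so that the recipients
never appear in a header, and lint an outgoing message for the CC-instead-of-
BCC mistake. Not code from the book; the addresses below are invented."""
from collections import Counter
from email.message import EmailMessage
from email.utils import getaddresses


def build_list_message(sender, recipients, subject, body, visible=False):
    """Return (message, envelope_recipients).

    visible=False: the recipients go only into the SMTP envelope (the RCPT TO
    commands); no header names them, and no Bcc: header is written at all, so
    a Reply All by any recipient reaches only the sender.
    visible=True: reproduces the HR mistake, every address listed in Cc:.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender              # the "undisclosed recipients" pattern
    msg["Subject"] = subject
    msg.set_content(body)
    if visible:
        msg["Cc"] = ", ".join(recipients)
    return msg, list(recipients)


def header_addresses(msg, *headers):
    """Lower-cased addresses found in the named headers, in order, without duplicates."""
    found = []
    for _, addr in getaddresses([str(msg[h]) for h in headers if msg[h]]):
        addr = addr.lower()
        if addr and addr not in found:
            found.append(addr)
    return found


def reply_all_targets(msg, replier):
    """Everyone a Reply All from `replier` would reach: From + To + Cc, minus the replier."""
    targets = set(header_addresses(msg, "From", "To", "Cc"))
    targets.discard(replier.lower())
    return targets


def cc_exposure_warnings(msg, max_visible=5):
    """Pre-send check. Returns a list of problems; an empty list means the message is clean."""
    problems = []
    visible = header_addresses(msg, "To", "Cc")
    if len(visible) > max_visible:
        problems.append(f"{len(visible)} addresses exposed in To/Cc; put them in the envelope (BCC) instead")
    domains = Counter(addr.rsplit("@", 1)[-1] for addr in visible)
    if len(domains) > 1:
        problems.append("visible recipients span %d domains (%s); they are probably strangers to each other"
                        % (len(domains), ", ".join(sorted(domains))))
    if msg["Bcc"]:
        problems.append("Bcc: header present; it must be removed before the message reaches SMTP")
    return problems


# Constructed distribution list: a dozen people across three mail domains.
HR = "benefits@corp.example"
STAFF = ([f"user{i}@corp.example" for i in range(1, 7)]
         + [f"adjunct{i}@college.example" for i in range(1, 4)]
         + [f"contractor{i}@vendor.example" for i in range(1, 4)])

if __name__ == "__main__":
    args = (HR, STAFF, "Insurance enrollment reminder", "Please finish enrolling.")
    hidden, envelope = build_list_message(*args)
    exposed, _ = build_list_message(*args, visible=True)
    print("envelope recipients:", len(envelope))
    print("Reply All from user1, hidden list:", sorted(reply_all_targets(hidden, STAFF[0])))
    print("Reply All from user1, exposed list:", len(reply_all_targets(exposed, STAFF[0])), "people")
    for problem in cc_exposure_warnings(exposed):
        print("WARNING:", problem)
```

The envelope recipients are the list that would be handed to the SMTP session as RCPT TO commands, independently of the headers; the hidden version therefore delivers to all twelve people while a Reply All from any of them goes back to the HR address alone. The check at the end is the kind of rule a mail gateway or client plug-in can enforce mechanically, which matters because, as the next paragraphs note, exhortation alone does not cure the habit.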

48.4.1.9 Managing Private E-mail at Work.

What is wrong with using corporate e-mail for jokes, invitations, and the like? One issue is the waste of bandwidth. Some people find the quality of the jokes, hoaxes, and cheering sessions low enough to be irritating. Worse yet, the tolerance level for what is considered appropriate in the workplace may vary by individual, requiring the utmost care and consideration for everyone. Another problem arises with politically sensitive messages, such as announcements or viewpoints that some members of a group may find offensive. Why should everyone in the group be subjected to a barrage of unsolicited e-mail just because they work somewhere?

The question also raises some valuable and instructive points about appropriate-use policies for e-mail. Corporations must have a formal written policy on appropriate use of official e-mail. Managers should frame clear written policies that any of the staff members can easily consult for guidance about suitable and unsuitable content for personal messages using corporate mailing addresses. Such policies will reduce possible disappointments and resentments resulting from decisions based on unwritten expectations. In addition, any hint of discrimination based on particular political or religious biases will have to be scrutinized to ensure that the organization is not subject to legal repercussions.

An easy tool that employees can develop is a voluntary mailing list of nonwork e-mail addresses for nonwork e-mail. A Yahoo group http://groups.yahoo.com/, for example, offers many benefits over an informal list in the CC: or To: field. Jokes and the like can thus be distributed only to willing recipients, since joining can be purely optional. However, employees must always remember that any activities occurring on company equipment, or using company computing resources, may be viewed by authorized parties and could potentially hurt their reputation or, even worse, set them up for legal problems.

48.4.2 Mail Storms.

A peculiar kind of junk e-mail is sent by accident. These flurries of unwanted messages are called mail storms.

Most of us belong to mailing lists; many of us have more than one e-mail address; some of us use autoforwarding to shift e-mail from one address to another automatically; and a few of us use automated responses on our e-mail accounts to let correspondents know when we are out of the office or unable to respond quickly.

All of these factors can contribute to mail storms.

48.4.2.1 Autoforwarding.

A mail storm occurs when computers begin sending mail to each other without human intervention. Sometimes mail storms become a denial of service by saturating communications channels and other resources. E-mail-enabled worms such as Melissa and ILOVEYOU are examples of malicious programs whose authors deliberately wrote them to generate mail storms.

In a simple case, an employee leaving on vacation decided to receive company e-mail through a personal account on an ISP with a global presence. By setting an autoforward rule on the company account, the employee arranged for all incoming mail to be sent on to the personal account. Unfortunately, on the remote tropical island where the vacationer spent two weeks, it was impossible to access the worldwide ISP without paying a surcharge of $6 a minute for long-distance service to the nearest dial-up node. This proved too expensive, and no e-mails were received or sent.

Meanwhile, the company account dutifully forwarded every message it received to the proper personal account—which had a tiny storage limit of 250 messages. That limit was reached within a few days. At that point, every inbound message generated a bounce informing the sender that the recipient's mailbox was full.

The very first full-mailbox message sent to the company account was autoforwarded back to the vacationer's personal mailbox. That copy of the full-mailbox message generated a second mailbox-full message, which then got bounced back to the company account, and so on without letup. Eventually, even the company mailbox filled up, and then the two e-mail systems continued chattering at each other indefinitely. The number of e-mail messages that can be generated by this kind of infinite loop is a function of the latency of the positive feedback system that the user has accidentally created. For example, if it takes exactly one minute for a bounce message to be returned to the originating site, then each message causing an initial error can create 60 additional messages per hour. However, every new message from another sender that arrives at the originating mailbox will generate its own new set of bouncing messages in infinite loops. It is not uncommon to see tens of thousands of messages accumulating in the recipient's mailbox if nobody notices the loops with traffic mounting steadily into hundreds or thousands of messages per hour bouncing between the accounts. Eventually the mail servers can crash because of the overwhelming traffic; system administrators then have to turn off the autoforwarding and block mail from the affected accounts.

An out-of-office message can inadvertently create a mail storm through what amounts to a race condition between two automated responders (see Chapter 39 in this Handbook). For example, two employees both enable out-of-office messages, and one sends an e-mail to the other before leaving the e-mail client. Each automatic reply provokes an automatic reply from the other side, and a mail storm results unless the responders refuse to answer messages that are themselves automatically generated, which is the precaution that RFC 3834 prescribes for autoresponders.

48.4.2.2 Poorly Configured List Servers.

The user of an autoresponder may belong to a list where the From address is actually the broadcast address that sends a response to the entire list. The very first automated out-of-office response to the list will generate a message to everyone on that list, producing an infinite sequence of to-and-from messages. This situation is very embarrassing for the list administrator and intensely annoying for everyone else.
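
The following Python program is an added illustration, not code from this chapter or from any mail server. It models the three loops described in this section and in 48.4.2.1 (an autoforward into a full mailbox, two out-of-office responders answering each other, and a list whose envelope sender is its own broadcast address) and compares “naive” servers, which bounce and auto-reply to anything, with servers that apply the two standard loop-breaking rules: RFC 5321 requires bounces to be sent from the null reverse-path (MAIL FROM:<>) and forbids bouncing mail that came from the null reverse-path, and RFC 3834 requires automatic replies to carry an Auto-Submitted header and never to answer a message that already carries one. The addresses, the quota of two messages and the owner-address convention are invented for the model.

```python
"""Added example: a model of the mail loops described above and of the two
rules that break them (RFC 5321 section 6.1: bounces come from the null
reverse-path MAIL FROM:<> and null-sender mail is never bounced; RFC 3834:
automatic replies carry Auto-Submitted and never answer a message that
carries it). Not the book's code; addresses and quotas are invented."""
from collections import deque
from dataclasses import dataclass, field
from typing import List, Optional

NULL_SENDER = ""   # RFC 5321 null reverse-path


@dataclass
class Message:
    sender: str                   # envelope sender (reverse-path)
    rcpt: str                     # envelope recipient
    subject: str
    auto_submitted: bool = False  # RFC 3834 Auto-Submitted header present


@dataclass
class Mailbox:
    addr: str
    quota: Optional[int] = None        # stored-message limit, None = unlimited
    forward_to: Optional[str] = None   # autoforward target
    autoreply: bool = False            # out-of-office responder enabled
    members: List[str] = field(default_factory=list)  # non-empty: a list server
    stored: int = 0


class MailSystem:
    """'naive' servers bounce and auto-reply to anything; 'rfc' servers apply the rules above."""

    def __init__(self, boxes, mode):
        assert mode in ("naive", "rfc")
        self.boxes = {b.addr: b for b in boxes}
        self.mode = mode
        self.queue = deque()

    def send(self, sender, rcpt, subject, auto=False):
        self.queue.append(Message(sender, rcpt, subject, auto))

    def _deliver(self, msg):
        box = self.boxes.get(msg.rcpt)
        if box is None:
            return                          # outside the model: the message leaves the system
        # Automatic mail must come from <> so that nothing can answer it.
        auto_from = NULL_SENDER if self.mode == "rfc" else box.addr
        if box.members:
            # A well-run list uses a separate owner address as envelope sender, so
            # bounces and auto-replies never reach the broadcast address.
            sender = box.addr if self.mode == "naive" else "owner-" + box.addr
            for member in box.members:
                self.send(sender, member, msg.subject, msg.auto_submitted)
            return
        if box.forward_to:
            # A naive forwarder rewrites the reverse-path to its own address, which is
            # what turns a returning bounce into a fresh, bounceable message.
            keep = self.mode == "rfc" and msg.sender == NULL_SENDER
            self.send(msg.sender if keep else box.addr, box.forward_to, msg.subject, msg.auto_submitted)
            return
        if box.quota is not None and box.stored >= box.quota:
            if msg.sender != NULL_SENDER:   # never bounce a bounce
                self.send(auto_from, msg.sender, "Undeliverable: mailbox full", auto=True)
            return
        box.stored += 1
        if box.autoreply and msg.sender != NULL_SENDER and not (self.mode == "rfc" and msg.auto_submitted):
            self.send(auto_from, msg.sender, "Out of office", auto=True)

    def run(self, max_steps=1000):
        """Transport until the queue drains or max_steps is reached. Returns
        (messages transported, True if the loop died out on its own)."""
        steps = 0
        while self.queue and steps < max_steps:
            self._deliver(self.queue.popleft())
            steps += 1
        return steps, not self.queue


def autoforward_storm(mode, max_steps=1000):
    company = Mailbox("bob@corp.example", forward_to="bob@isp.example")
    personal = Mailbox("bob@isp.example", quota=2)   # tiny quota stands in for the 250-message limit
    system = MailSystem([company, personal], mode)
    for i in range(3):                               # the third message finds the box full
        system.send("alice@other.example", company.addr, f"message {i}")
    return system.run(max_steps)


def out_of_office_storm(mode, max_steps=1000):
    ann, ben = Mailbox("ann@corp.example", autoreply=True), Mailbox("ben@corp.example", autoreply=True)
    system = MailSystem([ann, ben], mode)
    system.send(ann.addr, ben.addr, "One last thing before I leave")
    return system.run(max_steps)


def list_server_storm(mode, max_steps=1000):
    ann, ben = Mailbox("ann@corp.example", autoreply=True), Mailbox("ben@corp.example")
    everyone = Mailbox("all@corp.example", members=[ann.addr, ben.addr])
    system = MailSystem([ann, ben, everyone], mode)
    system.send("alice@other.example", everyone.addr, "Reminder")
    return system.run(max_steps)


if __name__ == "__main__":
    for storm in (autoforward_storm, out_of_office_storm, list_server_storm):
        print(storm.__name__, {mode: storm(mode) for mode in ("naive", "rfc")})
```

In the naive mode each scenario runs until the step limit is hit with the queue still full, which is the model's equivalent of the mail servers crashing; in the rfc mode the autoforward case drains after eight deliveries (three originals, three forwards, one bounce and one forward of the bounce, which the full mailbox then discards instead of answering), and the other two cases stop after a single automatic reply. The system administrator's remedies mentioned above, turning off the forwarding and blocking the affected accounts, correspond to removing the forward_to or autoreply settings from the model; the RFC rules are what make those remedies unnecessary.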

48.4.2.3 Human Error.

Something analogous to a mail storm results from thoughtless behavior when using a public list. A typical instance occurs when a list member posts to an entire list comments relevant only to one individual. For example, a member asks for a reprint of an article and another answers on the list: “I'll send you a reprint tomorrow.” Several thousand unwilling readers now know about this projected e-mail message. One of these irritated people posts a message saying “Did you really have to post that message to the entire list?” This second message is so irritating that at least one other person posts a third message to the entire list, criticizing the originator of the second letter for criticizing the writer of the first. This useless tempest of e-mail continues via the public list, creating thousands of copies of useless information.

Another form of inconsiderate behavior is to quote entire messages when responding to e-mail. Only the fragments of text that have elicited a response should be copied to the new message. This principle is particularly important on public lists, where messages have been observed containing the entire text, including Internet headers, for up to seven levels of previous messages. Often the amount of new information contained in messages posted to Usenet groups is extremely small; the rest was quotations of quotations of quotations.

48.4.3 Buying on the Web.

Employers may decide to allow reasonable (however they decide the term) use of corporate resources for non-work-related activities, including buying services and products through the Internet. However, it is in the interests of employers to educate employees to avoid becoming victims of criminals. An employee distraught over the loss of significant sums due to foolish credulity will not be as productive as usual; in any case, no one wants to see friends and colleagues cheated.

Buying from known merchants through the Web can be as satisfying as buying in their stores. If you know the organizations selling goods and services, there is no more reason to be worried about buying from them through a Web connection than buying from them over the phone or in person at a store. Web sites belonging to recognized merchants or organizations, such as nonprofit charities, are generally trustworthy, especially if they show any of several symbols representing compliance with various standards of security for customer data. A seal is worth only as much as the verification behind it, however: the image itself can be copied onto any page, so a cautious buyer clicks through the seal to confirm that the issuer really vouches for that site. Some of the safety seals in common use include:

Network Solutions

Network Solutions is an independent initiative dedicated to building users' trust and confidence on the Internet and accelerating growth of the Internet industry. Potential buyers won't spend time on a site unless they know from whom they're getting information or who's really selling the goods and services…. Big stores and long-recognized brands are recognized in the physical world, but what about online? In the anonymous world of the Web, consumers want to be certain about the site they're visiting, to know that the business behind the site is real. Identity is the foundation for trust…. Without identity, legitimacy will always be suspect. Network Solutions validates the status of a business before issuing an SSL SiteSafe Certificate. This authorizes the business to display a closed padlock, the https secure designation, and a clickable seal for more information. Under limited circumstances, the company guarantees up to $1 thousand for a single loss due to a mis-issued SSL Certificate or Site Confirm Seal. The program is intended to alleviate users' concerns about online privacy and security, while meeting the specific business needs of each licensed Web site.9

48.4.3.1 Dynamic Pricing.

One controversial technique that some firms have been studying is dynamic pricing. Dynamic pricing presents different prices to different customers. By building a profile of a specific customer's buying habits, vendors can inflate prices for people who appear to be more willing to buy higher-priced goods and lower prices for those who are cost-conscious. Many brick-and-mortar stores do the same, in that stores in some parts of town may cater to richer people than in other areas; similarly, some chains of stores have been documented as charging higher prices to poor people in ghettos than in suburbs, in part because there is less competition in poor neighborhoods and the cost of doing business may be higher there. A different kind of dynamic pricing occurs in the airline industry, where seats on planes vary in price according to when they are booked and how many seats are expected to be sold. However, unlike these examples, dynamic pricing on the Web resembles traditional automobile sales, where research confirms that women and racial minorities are consistently offered higher prices than the deals for white males. In both automobile sales and dynamic pricing on the Web, the fundamental difference from the normal free-market model is that the prices are varied secretly so that only the victim of the predatory pricing sees the offered price. Without mechanisms for sharing information among purchasers, this model of pricing seems to put the buyers at an immense disadvantage with respect to the seller. It will be interesting to see how it develops over time.

48.4.3.2 Privacy.

Another key area of concern when buying products on the Web is privacy. Many consumers prefer their buying habits to remain their own business. Receiving unwanted paper mail or e-mail, because of past purchases, seems intrusive and irritating to them; they classify all such promotions as junk mail. Other consumers appreciate the convenience of receiving targeted information about new products and special sale prices for items they have previously bought. In either case, it is important to pay attention to the privacy policies offered by online vendors. Marketers must decide whether to set up their systems on an opt-in or opt-out basis. If marketers choose the former, then all individuals actually must agree to have information about themselves included on lists that may be used within the organization or sold to or traded with third parties. If the system is set up for opt-out, then everyone's information may be freely disclosed, except for those who specifically state that they do not want the list keepers to do so. These are broad general outlines; the privacy policy of each organization must be spelled out in detail. Some sites such as online bookstores and music services may keep detailed records of what each person buys from them and even what items are simply looked at. These Web sites can then tailor their sales presentations to products that are appropriate to each customer's interests. Amazon.com, for example, tries to be helpful to visitors by suggesting books that may interest the returning visitor based on previous behavior. However, one of the unexpected consequences of customer profiling is that the practice may reveal more than users would wish; if you watch one of your employees enter such a Web site and discover that the predominant theme is, say, weapons and techniques of terrorism, you might want to have some serious discussions with your human resources staff. 
A less positive application of profiling caused a flurry of interest when information about the purchasing habits of employees of specific companies was accidentally made available to those companies' competitors.

Another issue often raised in discussions of privacy involves “cookies.” Cookies are small pieces of text that a Web site asks the browser to store and to return on later visits to that site. A browser sends a cookie back only to hosts within the domain, and only for the path, for which the cookie was set, so a properly scoped cookie can be read only by the site that deposited it. The information stored can include the sequence of Web pages the visitor saw, or personal identifiers that allow the Web software to recognize the visitor so that the Web site can build up a preference profile for each visitor or client and to enable those cheery greetings like “Welcome back, Bob! We have a special deal for you on the newest title in The Real Man's Guide to Heavy Artillery series!” Cookies also may be used to accumulate items in a shopping cart; without cookies, each purchase would have to be concluded separately.

In general, cookies are harmless. The important exception is a cookie that carries a session identifier: it is a credential, and anyone who obtains it can act as the logged-in user until the session expires, which is why such cookies should be marked Secure (sent only over encrypted connections) and HttpOnly (not readable by scripts in the page). If you do not like the idea of having identifiers stored on your system, you can block cookies in your browser settings, block them globally or on a site-by-site basis using a personal firewall, or install cookie sweepers that get rid of all cookies whenever you activate them.
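
The scoping rules that confine a cookie to the site that set it are specified in RFC 6265. The following Python program is an added illustration of them, not code from this chapter or from any browser: store_cookie decides whether a site may deposit a cookie with a given Domain attribute at all, and cookies_for_request decides which stored cookies travel with a later request. The cookie names, hosts and the tiny public-suffix set are invented; a real browser consults the full Public Suffix List.

```python
"""Added example: the scoping rules (RFC 6265) that make a cookie usable only
by the site that set it. Not code from the book or from any browser; the tiny
public-suffix set below is a stand-in for the real Public Suffix List."""
import ipaddress
from dataclasses import dataclass

# Stand-in for the Public Suffix List (publicsuffix.org). A server must not be
# allowed to set a cookie whose Domain= is a whole registry suffix such as co.uk.
PUBLIC_SUFFIXES = {"com", "net", "org", "example", "co.uk"}


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str          # host it was set from, or the Domain= attribute
    host_only: bool      # True when no Domain= attribute was given
    path: str = "/"
    secure: bool = False
    http_only: bool = False


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def domain_matches(request_host, cookie_domain):
    """RFC 6265 section 5.1.3: equal, or the request host is a subdomain (never for IP addresses)."""
    request_host, cookie_domain = request_host.lower(), cookie_domain.lower()
    if request_host == cookie_domain:
        return True
    return request_host.endswith("." + cookie_domain) and not _is_ip(request_host)


def path_matches(request_path, cookie_path):
    """RFC 6265 section 5.1.4."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def store_cookie(request_host, set_cookie_value):
    """Parse a Set-Cookie value received from request_host and decide whether the
    browser may store it at all (RFC 6265 section 5.3). Returns a Cookie or None."""
    parts = [p.strip() for p in set_cookie_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    domain = attrs.get("domain", "").lower().lstrip(".")
    host_only = not domain
    if host_only:
        domain = request_host.lower()
    elif domain in PUBLIC_SUFFIXES:                  # would cover every site under the suffix
        return None
    elif not domain_matches(request_host, domain):   # a site cannot set cookies for another site
        return None
    path = attrs.get("path") or "/"                  # real browsers derive the default from the request path
    return Cookie(name.strip(), value, domain, host_only, path, "secure" in attrs, "httponly" in attrs)


def cookies_for_request(jar, scheme, host, path):
    """RFC 6265 section 5.4: which stored cookies are attached to a request."""
    host = host.lower()
    matching = []
    for c in jar:
        if c.host_only and host != c.domain:
            continue
        if not c.host_only and not domain_matches(host, c.domain):
            continue
        if not path_matches(path, c.path):
            continue
        if c.secure and scheme != "https":           # Secure cookies never travel in clear text
            continue
        matching.append(c)
    return matching


if __name__ == "__main__":
    jar = [c for c in (
        store_cookie("shop.example", "session=7f3a; Domain=shop.example; Path=/; Secure; HttpOnly"),
        store_cookie("shop.example", "theme=dark"),
        store_cookie("shop.example", "track=1; Domain=other.example"),   # rejected: another site
        store_cookie("shop.example", "track=1; Domain=example"),         # rejected: public suffix
    ) if c is not None]
    for scheme, host, path in (("https", "www.shop.example", "/cart"),
                               ("http", "shop.example", "/"),
                               ("https", "other.example", "/")):
        print(scheme, host, path, "->", [c.name for c in cookies_for_request(jar, scheme, host, path)])
```

The two rejected Set-Cookie lines are the point of the exercise: shop.example cannot plant a cookie that other.example would later receive, nor one that every site under .example would receive. The third request in the sample shows the converse, a request to other.example carrying none of shop.example's cookies, and the second shows that a Secure cookie stays home when the connection is plain http.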

For a review of legal aspects of privacy in cyberspace, see Chapter 69 in this Handbook.

48.4.3.3 Online Auctions.

The theory behind an auction is that the competition for an object or service helps participants determine a fair price. This process can be corrupted in a real-world, physical auction if the seller conspires with confederates to bid up the price artificially. Unfortunately, this is even easier online, where anyone can have as many identities as he or she wants. The ease with which browsers and e-mail systems allow forged headers and forged identifiers means that sellers can inflate the price of their own offerings.

The Federal Trade Commission of the United States reports that online auctions cause the largest number of complaints they receive annually about fraud.

This theoretical discussion does not even begin to address such questions as whether the auctioned items really exist, are as described, or will ever be delivered. A case of such fraud occurred on eBay, where Robert Guest of Los Angeles admitted in court in July 1999 that he defrauded victims of about $37,000 by offering goods for auction via eBay but failed to deliver anything. The customers of Mr. Guest certainly found out the hard way that they were being cheated, but it appears that they could not have known in advance that he was untrustworthy. Although eBay maintains a system whereby potential bidders can see reviews and comments posted by earlier customers of each seller, new sellers such as Mr. Guest have no record, and anyone with a bad record can assume a new identity.

eBay has further responded to these concerns by suggesting the use of escrow services and by warning its users that it does not guarantee the legitimacy of the transactions it facilitates.

There are also concerns about the legality of some of the items put up for auction. Someone offered items made from endangered species, in violation of the Convention on International Trade in Endangered Species (CITES). The products included dried feet of elephants and gorillas caught in snares and allowed to die excruciating deaths before being hacked into pieces. In the United States, buying, selling, and possessing such contraband can lead to arrest, prosecution, fines, or imprisonment.

More ludicrously, someone put up a human kidney for sale through eBay in September 1999 and received bids of up to $5.8 million. The auction service canceled the sale because selling human organs is a federal felony punishable by up to $250,000 in fines and at least five years in jail. A week later eBay had to shut down an auction for an unborn human baby. Prices for the supposed baby had risen into the $100,000 range before eBay shut down that auction. Finally, a fool or a prankster—it is unclear which—tried to sell 500 pounds of fresh marijuana online. The auction was shut down after 21 hours, during which prices offered had reached $10 million. In August 2001, a couple offered to name their baby in accordance with the wishes of a high bidder. That auction, too, was ended prematurely.

Most of the bids probably were not legitimate. It is unlikely that everyone who bid for kidneys, pot, and babies really expected to pay for what they were bidding on. They may have been treating the auction like a video game, with no element of reality. Situations such as these invite other abuses, and ordinary users are often at a loss as to how to proceed.

Even if the items being offered for sale online are ordinary things such as software or physical products, they may have been obtained illegally. Online auctions are a frequently used channel for fencing stolen goods.

Corporate users should probably not be using Internet auctions to buy or sell products, except in those closely guarded, industry-specific sites that have proven their worth. Certainly, employees should not be using corporate Internet access to engage in such activities for their private purposes.

48.4.4 Online Gambling.

It is hard to imagine that any enterprise would authorize employees to gamble online using corporate resources, but providing employees with the following guidance may be a valuable service.

48.4.4.1 Fraud and Error.

In 1998, the Arizona lottery discovered that no winning number in its Pick 3 game had ever included even one numeral 9.10 It turned out that the pseudo–random number generator algorithm had an elementary programming error that generated only the digits 0 through 8. All those who had used a 9 in their lottery numbers felt justifiable anger—especially when they were told they could have a refund, but only if they had kept their old losing tickets.

The Arizona lottery used a simulated random process to provide the illusion to gamblers that they were betting on a physical process such as balls mixing together in a barrel and falling out of a tube. One of the problems with the Arizona simulation is similar to a genuine vulnerability in proprietary (i.e., secret) cryptographic algorithms. As cryptographers have stressed ever since Kerckhoffs stated the principle in 1883, the security of an encryption scheme should not depend on the secrecy of its algorithm. Had the lottery algorithm been exposed to public scrutiny, its flaws would have been detected sooner. For example, in the late 1970s and early 1980s there was much excitement over a new public-key encryption scheme, the Merkle-Hellman knapsack algorithm; after extensive examination by cryptographers, it proved to be flawed and was broken. It is conceivable that someone detecting the flaw in the Arizona lottery might have made bets with a higher probability of winning than those of uninformed people (simply never choosing a 9 would have raised the odds of matching a three-digit draw from 1 in 1,000 to 1 in 729), but exposing the algorithm and its implementation to scrutiny before it went into production would have made that less likely.

These examples demonstrate that electronic gambling, as in older, conventional types, is subject to more than the rules of chance. Lack of conformity to good security practices lays both the gambler and the “house” open to abuse and to inadvertent errors.

48.4.4.2 Lack of Control.

Physical gaming devices are located in real-world establishments under the nominal control of regulatory and law enforcement officials. Even so, they are always adjusted for a certain predetermined payout. Gambling based on the results of actual sports events or contests is validated by external news reports, although the contests themselves can be rigged. But there is no basis for a gambler to trust the results of computer-generated pseudo–random numbers displayed on a browser screen.

Most individual gamblers will never know if a long-range analysis of the pseudo–random numbers would support their hopes for fairness in the odds. No one is keeping track of these data except the people making money from the participants, and they are not distributing the results.
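
The following Python program is an added illustration, not the lottery's code or anything from this chapter. It reconstructs the kind of off-by-one error that could produce draws without a 9 (the actual Arizona code is not public, so the body of flawed_pick3_digit is a guess at the class of error, not the real source), and it applies the two audits a gambler or regulator could run on published results alone, which is the point of both this subsection and 48.4.4.1: a missing-digit check and a chi-square test of digit frequencies. Function names and the number of simulated draws are this example's own.

```python
"""Added example: the kind of off-by-one that yields Pick 3 draws without a 9,
and the frequency checks that expose it from the published results alone.
Not code from the book; the generator bodies are reconstructions, not the
Arizona lottery's program."""
import random

CHI2_9DF_P001 = 27.88   # chi-square critical value, 9 degrees of freedom, p = 0.001


def flawed_pick3_digit(rng):
    """Reconstructed off-by-one: random() lies in [0, 1), so int(random() * 9)
    is 0..8. The digit 9 can never appear."""
    return int(rng.random() * 9)


def fair_pick3_digit(rng):
    """Correct draw: randrange(10) yields 0..9 with equal probability."""
    return rng.randrange(10)


def draw_history(digit_fn, draws, seed=1):
    """Simulate `draws` Pick 3 results as (d1, d2, d3) tuples from a seeded generator."""
    rng = random.Random(seed)
    return [(digit_fn(rng), digit_fn(rng), digit_fn(rng)) for _ in range(draws)]


def digit_counts(history):
    counts = [0] * 10
    for draw in history:
        for digit in draw:
            counts[digit] += 1
    return counts


def missing_digits(history):
    """Digits that never appeared: the crudest audit, and enough for this bug."""
    return [d for d, n in enumerate(digit_counts(history)) if n == 0]


def digit_chi_square(history):
    """Chi-square statistic against 'every digit equally likely'. Catches biases
    subtler than a missing digit, e.g. a digit drawn half as often as it should be."""
    counts = digit_counts(history)
    expected = sum(counts) / 10
    return sum((n - expected) ** 2 / expected for n in counts)


def looks_biased(history, critical=CHI2_9DF_P001):
    """True when the digit frequencies are too uneven to be chance at the 0.1% level."""
    return digit_chi_square(history) > critical


if __name__ == "__main__":
    for label, digit_fn in (("flawed", flawed_pick3_digit), ("fair", fair_pick3_digit)):
        history = draw_history(digit_fn, 1000)
        print(f"{label}: counts={digit_counts(history)} missing={missing_digits(history)} "
              f"chi2={digit_chi_square(history):.1f} biased={looks_biased(history)}")
```

A thousand draws (3,000 digits) are far more than needed: with the flawed generator the 9 is absent outright, and the chi-square statistic is in the hundreds against a critical value of about 28, whereas the fair generator stays comfortably below it. The same audit, run over the draw history that a lottery or casino publishes, is what the gambler in the next paragraph cannot perform for an online casino that never publishes its numbers.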

The disclaimer at one Internet gambling portal, findinternetcasino.com, is not very encouraging:

Although every attempt has been made to ensure fairness and security toward the player at each of the links that can be found in the directories, FindInternetCASINO® cannot be held responsible if discrepancies occur between an Online Gambling operation and you, the player, after following a link from this WWW site. Consult your local authorities prior to registering with any online wagering service. U.S. Citizens: The information at this site is for entertainment and news purposes only. Use of this information in violation of any federal, state or local laws is prohibited.

48.4.4.3 Legal Issues.

In some jurisdictions, betting online is illegal. In the United States, for example, it is already illegal to use interstate telecommunications to place bets; in addition, Internet betting is illegal in the United States even if the host is outside the United States. At the same time, due to ambiguities in the current laws and the inability to clearly enforce them, the use of overseas betting sites has driven this business to a total of over $15.5 billion a year, over half of that income coming from the United States. The ambiguities stem from a lack of a clear definition on what constitutes “illegal online gambling.” This resulted in certain groups of individuals believing that they were exempt from the law, poker players being the most common. In addition, online horse-racing receives a specific exemption from the law, but without accompanying clarification on whether the wagering process constitutes online gambling.

Unfortunately, in the United Kingdom and many other countries, online gambling is for the most part legal. This creates numerous conflicts of interest, and international tension, between various betting companies in legalized countries, all advertising to Americans eager to risk their money for a chance at a big payout. It appears that until clear definitions are included in the law, the blurred line between legal and illegal gambling activities using online resources will continue.11

48.4.5 Internet Addiction.

Any activity can become the basis of compulsive exaggeration. A small proportion, around 5 percent, of Internet users may qualify as addicted to any of these computer-mediated activities:

  • An uncontrollable desire to find and organize more and more information about an enormous range of topics
  • Excessive involvement in games, gambling, and buying things on the Internet
  • Excessive concentration on relationships mediated through e-mail and chat rooms, to the detriment of real-life relationships
  • Involvement in long sessions of viewing pornography, or of being sexually stimulated via e-mail, chat rooms, pornographic sites, or sexual-fantasy games

None of these activities is a suitable use of corporate computing resources, and employees should be alerted to the policies prohibiting such activities at work. In addition, everyone should be aware of the dangers of Internet addiction.

The issue here is what constitutes excessive involvement in these activities. Professional psychologists such as Dr. Kimberly Young have identified some of the diagnostic criteria for these disorders, including these based on her Internet Addiction Test:12

  • Regularly staying online longer than intended
  • Often neglecting obligations to spend more time online
  • Consistently preferring to spend time online instead of with one's partner
  • Frequent complaints by friends and family about excessive Internet use
  • Suffering consequences at school or at work because of time spent online
  • Giving e-mail a higher priority than other important issues
  • Concealing the extent of Internet usage
  • Turning to the Internet as a substitute for dealing with disturbing issues
  • Feeling that life without the Internet would be devoid of meaning and pleasure
  • Getting angry when disturbed during Internet usage
  • Losing sleep due to late-night Internet activity
  • Yearning to be back online

Those who feel uncomfortable about their level of involvement with the Internet would do well to take this test offered by Dr. Young, and, if several of their answers are positive, to seek counseling to prevent possibly tragic consequences of untreated addiction.

48.4.6 Online Dating and Cybersex.

As in other topics in this chapter, it is unlikely that corporate policy would allow users to engage in online dating and cybersex. Nonetheless, in line with the overall orientation of this chapter, the next sections will help employees understand the issues in these online activities.

48.4.6.1 Dating Online.

Thousands of sites on the Web specialize in helping people meet each other. In a sense, chat rooms and bulletin board systems are ways for people with similar interests to communicate about their hobbies and lifestyles. There are also sites that specialize in helping people find others who match particular profiles. Some of these sites are free; others charge fees for participation. Dating service sites usually explicitly restrict participation to people over 18 years old, and most of them depend on possession of a credit card as their sole mechanism for authenticating age. It is very difficult to exclude teenagers, or even younger children, from such sites if they have access to credit card numbers.

Parents, teachers, and employers who want to get a sense of what is going on can type “online dating” in the search field of a search engine such as Google (www.google.com) and then visit a few of the sites. If children post information about themselves in such a cyberspace locale, even with false information claiming that they are adults, there is a real risk of attracting unsavory characters or perhaps ordinary people who can become angry at being tricked into exposing their feelings to an imposter.

48.4.6.2 Sex Talk Online.

In addition to matchmaking, users of the Internet also can get involved in cybersex. People chatting online can describe themselves or each other in sexual interactions that are inappropriate for youngsters. Such online chat also has been implicated in a number of divorces, since many spouses find it wholly inappropriate that their beloved is getting sexually excited with a stranger via the Internet.

In August 2001, a 15-year-old girl from Massachusetts was alleged to have been kept captive for at least a week during which she was repeatedly sexually abused by the couple who had brought her to Long Island. According to the criminal complaint, she was also “loaned out” for two days to another man and further abused. The couple had met the teenager in an Internet chat room, where their conversation was explicitly sexual.

Employers should ensure that none of their employees or colleagues, and none of their own children, engage in these activities, whether using corporate resources or home computers.

48.4.6.3 Traffic in Women.

A number of sites on the Web, particularly some situated in the former Soviet bloc, advertise services for introducing men to willing candidates for marriage. The evidence is strong that much of the information communicated about the supposedly nubile and marriage-oriented women is false. Many of the pictures are taken from public Web sites and include actresses and people who have posted their photos on social networking groups. Sometimes the same picture has dozens of names associated with it. Much as in the phone-based sex-talk services, people claiming to be youthful, attractive, persons of marriageable age may be nothing of the sort, and may be copy/pasting responses from prepared scripts. When men travel to visit their potential mates, they can be charged high rates for the privilege of taking their dates to expensive restaurants. Some of the women who actually do go through with marriages later divorce their hapless victims in what appears to be a systematic fraud.

48.4.7 Games and Virtual Reality.

Some enterprises allow their employees to play games at various times during the day—usually low-usage times such as lunch, or before and after the normal workday. However, some Internet-enabled multiuser games can consume enormous bandwidth; the shoot-'em-up (“first-person shooter,” or FPS) game called Quake was notorious in its day for saturating all available connectivity.

When helping employees understand how to negotiate the perils of the Internet, you might recommend that parents read reviews of video games before allowing their young children to play them. Some games have astonishing levels of graphic violence (“Brilliant Bleeding! Detailed Decapitations!”) and unusual values (“Win points by burning as many residents to death as possible!”). This latter example is based on a notorious case in which a video-game vendor was apparently surprised by the public wave of revulsion over a game that glorified arson. Some military and police shoot-'em-up games explicitly take points off for hitting innocent bystanders; others do not. Some games use graphic nudity; others are more modest. The main point is that relying on the judgment of eight-year-olds to choose their own entertainment may be unwise.

From a corporate perspective, it would be unusual to find employers encouraging the use of local or networked games during working hours; however, some may allow use of their resources in off-hours, assuming the corporation does not maintain around-the-clock operations. However, issues of suitability persist; some games may contribute to a hostile work environment and lead to complaints and lawsuits from offended employees.

A development that started in the 1990s has become a potentially valuable tool in the first decade of the 21st century: virtual reality or virtual worlds such as Second Life (http://secondlife.com/) or Gaia (www.gaia.com/). These services use controllable representations called avatars, which allow some degree of expressiveness when communicating. Participants see a representation of a three-dimensional world, complete with viewpoint and perspective, that includes their interlocutors in a shared virtual reality that can be creative and fun. Some companies are using resources in these virtual worlds for advertising, delivery of services (e.g., training and education), and internal remote meetings or training. Organizations must determine appropriate policies about the use of such services.

48.5 LEGAL LIABILITY.

This section briefly reviews some of the legal issues that may arise as a result of misuse of e-mail and Internet resources. For more detailed information, see Chapters 63, 64, 69, 70, 71, and 72 in this Handbook.

48.5.1 Libel.

Some people have taken advantage of the freedom to publish whatever they want by crossing the boundaries of libel. For example, the self-styled “reporter” Matt Drudge went too far in postings on his electronic scandal sheet in 1997, when he made unsubstantiated accusations about White House advisor Sidney Blumenthal's marriage. Professional journalists pounced on him for shoddy journalism. Blumenthal and his wife filed a $30 million libel suit against Drudge even after he apologized for failing to verify the gossip he disseminated. Drudge then claimed that public White House support for Blumenthal amounted to a threat against free speech.

In another notorious case, Walter Cronkite, whom polls revealed to be the most respected man in the United States in the 1980s, was appalled to discover a page of lies about him on the Web in 1997. A 28-year-old programmer, Tim Hughes, invented and posted a scurrilous story about Cronkite's becoming enraged at the author, shrieking imprecations at Hughes and his wife, boasting about his own infidelity, and spitting in their spice cake at a Florida restaurant. In addition, the anti-Cronkite Web page included falsified photographs purporting to show Cronkite at a Ku Klux Klan meeting. Cronkite threatened to sue for libel; Hughes took the page down and weakly protested that it was all a joke.

The effect of this kind of misinformation on children or immature employees, untrained in critical thinking and lacking in skepticism about information on the Internet, can be damaging.

Another source of information is the Usenet—that collection of thousands of discussion groups on every conceivable topic. These discussion groups fall into two major classes: moderated and unmoderated. In a moderated group, messages are passed through a moderator who decides either to post them for participants or to delete offensive or otherwise inappropriate messages. Not all moderated groups are reliable, and not all unmoderated groups are unreliable. However, many unmoderated groups distribute unsubstantiated information from people who appear to derive their major pleasure in life by insulting other participants and by making outrageous statements about any topic that comes up. Everyone should be trained to recognize emotional and inflammatory language, and should be encouraged to apply skeptical analysis to all statements, especially to those published in rants.

In the first decade of the 21st century, blogs—commentaries published on the Web by individuals or groups—have exploded into common awareness. The same principles of critical evaluation apply to blogs as to any other source of disintermediated information.

48.5.2 Stolen Software, Music, and Videos.

Organizations cannot permit employees to download and make illegal copies of intellectual property of any kind. Security policies must explicitly address these issues; security monitoring must explicitly control for abuse of corporate resources in such activities. The risks to organizations by tolerating such violations of law are severe. For more details of intellectual property law, see Chapter 11 in this Handbook.

48.5.3 Plagiarism.

A different kind of fraud involving intellectual property occurs when people misrepresent someone else's work as their own. Older students know intellectually that this is supposed to be bad, but for young children, the issue is completely abstract. The problem today is that plagiarism is easier than ever and harder for teachers to detect.

Academic guidelines try to make it clear to students that copying other people's work without attribution is called plagiarism and is severely frowned on. Plagiarism includes not only direct quotation without indications of origin but also paraphrasing that merely shuffles the ideas around a little or substitutes synonyms for the original words. In many institutions, plagiarism is grounds for suspension or expulsion. In all cases, plagiarism defeats the purpose of writing assignments by eliminating the opportunity for critical thinking and creative expression. Few plagiarists remember what they have copied from others after they hand their material in.

Assuredly, students have traded term papers and other assignments for centuries. However, the availability of electronic documents and of the World Wide Web has enormously increased both the fund of material that can be plagiarized and the ease of copying. Worse still, some people are profiting from easy accessibility by selling papers specifically for plagiarism and even writing papers to order. In one study by Peggy Bates and Margaret Fain of the Kimbel Library at Coastal Carolina University, the authors easily located over 100 sites on the Web selling or donating papers to students for plagiarism.13

To combat this problem, science has come to the aid of beleaguered instructors by providing automated similarity analysis of any paper submitted electronically. The system uses a bank of more than 100,000 term papers and essays as well as documents located on the Web; analysis uses pattern recognition to measure similarities among different documents and to estimate the probability of plagiarism. According to the turnitin.org documentation:

Our system is now being used in the majority of universities in the United States and the U.K., as well as a large number of schools around the world. Many of these institutions, among them UC Berkeley and the fifty-eight member schools of the Consortium of Liberal Arts Colleges, an association of the most respected liberal arts schools in the US, have chosen to ensure the academic integrity of all their students by selecting institution-wide subscriptions to our service. Other universities, such as Harvard and Cornell, have elected to make use of our system on a departmental or single-instructor basis.

Plagiarism is also a risk to the enterprise; having employees misuse other people's or other organizations' materials without attribution can lead to lawsuits, embarrassing publicity, and serious financial penalties.

48.5.3.1 Practical Guidelines

  • Discuss plagiarism clearly at work, at home, and at school.
  • Use examples to illustrate the difference between plagiarism and a legitimate use of other people's work.
  • Encourage children to practice summarizing information in their own words.
  • Practice writing references to quoted material.
  • Have a student submit a sample term paper to the turnitin.org analysis program for an automatic Originality Report.
  • Discuss how antiplagiarism sites analyze documents to measure similarities and help teachers identify plagiarism.

48.5.4 Criminal Hacking and Hacktivism.

As discussed in Chapter 45 in this Handbook, it is important that all employees understand and agree that using corporate systems for unauthorized access to computers and networks is grounds for dismissal, and possibly criminal prosecution. In particular, no employee should ever imagine that testing for security weaknesses in the enterprise's systems without authorization is a contribution to security.

The motivation for illegal actions does not mitigate the seriousness of computer trespass. Employees should be informed explicitly that regardless of the excuse, no violations of law will be tolerated. For example, hacking into systems in another country to support a war effort is not excusable; nor is destroying child pornography sites a good idea. Cybervigilantes can destroy evidence needed for prosecution.

48.5.5 Creating a Hostile Work Environment.

In today's society, there are numerous activities and language constructs that individuals of a particular race, gender, sexual orientation, national origin, religious affiliation, or other legally protected characteristic may find offensive. Any type of harassment, most especially comments or actions based on these protected characteristics, toward another employee may create a hostile work environment. The two most common situations created by a hostile work environment are:

  • A reduction or loss of productivity due to the harassment, whether physical, verbal, or psychological
  • A reduction in salary, bonus, job level, responsibilities, or other components of compensation due to one or more of the legally protected characteristics

Although there are no formal laws barring “hostile work environments,” Title VII of the Civil Rights Act of 1964 covers these types of situations. These laws are written in such a way that an individual comment or action does not usually constitute harassment. Rather, a pattern of frequent, severe, and pervasive abuse may constitute a hostile work environment. It is important to distinguish between “quid pro quo” harassment, where an employee is required to tolerate such harassment in order to maintain job status or compensation levels, and a hostile work environment. Both are very serious and potentially illegal activities, but this section focuses on the hostile environment.14

Employers are obligated by law to set appropriate expectations around employee behavior, and confidentially and swiftly to investigate any complaint of harassment from an employee. Employees are granted some legal protections such that retaliation by an employer for “sounding the alarm” on a hostile environment is illegal.

These issues become even more important when office romances occur. Although many employers forbid couples from working together in the same department, in part to avoid any perception of favoritism or future harassment cases, should the romance fail, there is still the potential for romantically linked coworkers to create a hostile environment for others. In this case, employers have an obligation to define in policy that coworkers should maintain a professional relationship while on company business. Even though two individuals may feel that their words or actions are seemingly innocuous, it is the perception of others around them that creates the basis for a harassment complaint. The best solution is to keep personal lives out of the office, which is a difficult but appropriate recommendation for everyone.

48.5.5.1 Hate Groups.

Another source of concern for employers and parents is the easy accessibility of hate literature on the Web. Hatemongers have taken full advantage of the largely unregulated nature of the Net to spread their pernicious messages. One can find Web sites devoted to hatred of every imaginable identifiable group. Race, ethnicity, religion, gender, sexual orientation, immigration status, and political ideology—anything can spark hatred in susceptible personalities. Unfortunately, some of the hate groups have been quite successful in recruiting young people through the Web; they publish propaganda such as pro-Nazi revisionist history that may fool uncritical people into believing their rants. Neo-Nazi and racist skinhead groups have formed hate-rock groups that take advantage of kids' enthusiasm for very loud music with aggressive lyrics.

Employers cannot tolerate the slightest involvement of their employees in such activities using corporate resources. Aside from their possible personal revulsion at such hatemongering, managers also should be aware that toleration of intolerance can lead to a hostile work environment in which targets of hate or contempt can legitimately appeal to the courts for compensatory and punitive damages. Employees must understand and agree that using any corporate resources for participation in hate groups is a serious infraction of Internet usage policy.

According to the Simon Wiesenthal Center, there are over 2,300 Web sites advocating hatred, of which over 500 are extremist sites hosted on American servers but authored by Europeans; most European countries have strict antihate laws. Using more stringent criteria, the Hate Watch group estimates more than 500 extremist hate sites on the Web; it distinguishes between hate propaganda and those pages that consist largely of racial epithets, dismissed as mere graffiti.

The Southern Poverty Law Center monitors 500 active hate organizations in the United States. It has regularly reported on the growing number and stridency of such sites. In comments about the center's paper for the United Nations Commission on Human Rights, spokesperson Mark Potok said at a conference in 2000:

A few years ago, a Klansman needed to put out substantial effort and money to produce and distribute a shoddy pamphlet that might reach a few hundred people. Today, with a $500 computer and negligible other costs, that same Klansman can put up a slickly produced Web site with a potential audience in the millions.15

A fundamental reality is that human beings are gregarious. They find it very easy to affiliate with others to form in-groups, groups to which they feel entitled to belong. Unfortunately, defining in-groups naturally means it is equally easy to define out-groups: groups to which we do not want to belong. Grade school and high school cliques are examples of in- and out-groups. A wealth of study in social psychology confirms the validity of the universal impression that we tend to inflate our esteem for in-groups and to reduce our respect and liking for out-groups. However, research also shows that social norms against discrimination can reduce hostility toward out-groups; thus it seems likely that parental and teacher articulation of norms of tolerance can significantly reduce children's susceptibility to the blandishments of hate groups.

48.5.5.2 Pornography.

Pornography—even with the most restrictive definitions—is widespread on the Internet. Observers of Net culture have commented that the sure-fire way of telling if new technology is going to be a success on the Internet is to see how quickly pornographers can apply it. For example, the appearance in July 2000 of the first WAP (wireless application protocol) pornography sites signaled the adoption of WAP technology into the mainstream. Although the sites offered only tiny grainy images of naked Japanese models, sociologists said that the same expected sequence of rapid technological advances had occurred with photography and video cameras.

48.5.5.2.1 Prevalence of Porn.

Some studies of Internet traffic have claimed that more than half of the total Net bandwidth is used for transfer of pornography or solicitations for purchase of pornography.

48.5.5.2.2 Trickery.

Pornographers use various tricks to get people onto their Web sites:

  • Using a different domain, like the old whitehouse.com, which used to take advantage of interest in “whitehouse.gov” by showing porn (it is now a site for political commentary).
  • Misspellings, such as the now-inactive micosoft.com, which traded on the likelihood of mistyping “Microsoft.com”.
  • Junk e-mail invitations with innocent-looking labels for URLs that do not match the actual link but instead take the viewer to a pornography site.
  • Padding porn-site metatags (normally invisible text used to describe a Web site) with inoffensive keywords that place the site high on search engine lists where they can appeal to children.
  • Disabling normal features of a browser to trap victims in the porn site. One perpetrator who was shut down by the Federal Trade Commission (FTC) actually ran Java applets that disabled the back arrow and defeated the ability to close the browsers. People trapped in porno-hell had to reboot their computers to get out.
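The third trick above (a link whose visible label does not match its real destination) is the same discrepancy the recommendations later in this chapter tell children to watch for in the browser's address bar. The following added example, not code from the original chapter, shows how a mail gateway or a training exercise can flag such links automatically: it parses a constructed HTML message, and reports every anchor whose label reads as a URL but whose `href` points at a different host. All domains are reserved example names.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (visible label, href) pairs from the <a> elements of an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._label = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._label = []

    def handle_data(self, data):
        if self._href is not None:
            self._label.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._label).strip(), self._href))
            self._href = None


def host_of(url):
    """Lowercased host of a URL or bare-domain label, with a leading 'www.' dropped."""
    if "://" not in url:
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def looks_like_url(label):
    """True when the visible link text itself reads as a URL or domain name."""
    text = label.strip().lower()
    if text.startswith(("http://", "https://", "www.")):
        return True
    return re.fullmatch(r"[a-z0-9.-]+\.[a-z]{2,}(/\S*)?", text) is not None


def mismatched_links(html):
    """Return (label, href) pairs whose label reads as a URL but whose href
    points at a different host: the deceptive-label trick described above."""
    parser = LinkCollector()
    parser.feed(html)
    return [(label, href) for label, href in parser.links
            if looks_like_url(label) and host_of(label) != host_of(href)]


# Constructed message body (not a real mailing); all hosts are reserved example domains.
SAMPLE_EMAIL = """
<p>Your account statement is ready.</p>
<p><a href="http://example.net/login">www.bank.example.com/statements</a></p>
<p><a href="https://www.bank.example.com/help">www.bank.example.com/help</a></p>
<p><a href="http://example.net/promo">Click here for a free gift</a></p>
"""


if __name__ == "__main__":
    for label, href in mismatched_links(SAMPLE_EMAIL):
        print(f"label shows {label!r} but link goes to {href!r}")
```

The third link in the sample carries a plain-text label, so no label check can flag it; that is why the chapter's advice never to click a URL in junk e-mail still applies.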

Porn sites are notorious for using deceit to defraud their victims. One widely used scam is to demand a credit card number from a visitor as proof of their age (it is nothing of the sort), then to charge the card even though the site clearly states that there is a period of free use.

In 1996, viewers of pornographic pictures on the sexygirls.com site were in for a surprise when they got their next phone bills. Victims who downloaded a special viewer were actually installing a Trojan horse program that silently disconnected their connection to their normal ISP and reconnected them (with the modem speaker turned off) to a number in Moldova in central Europe. The long-distance charges then ratcheted up until the user disconnected the session—sometimes hours later, even when the victims switched to other, perhaps less prurient, sites. Some victims who stayed online for a long time paid more than $1,000 in long-distance charges. In February 1997 in New York City, a federal judge ordered the scam shut down. An interesting note is that AT&T staff spotted the scam because of unusually high volume of traffic to Moldova, not usually a destination for many U.S. phone calls. In November 1997, the FTC won $2.74 million from the Moldovan telephone company to refund to the cheated customers—or the ones willing to admit to having been cheated.

Both of the scams just described relied in part on the reluctance of porn-seeking victims to admit to their socially disapproved interest. Few victims were willing to pursue the matter until the damages mounted into the thousands of dollars.

48.5.5.2.3 Filtering.

An entire industry has grown up to try to shield (or block) children from seeing pornography or other materials deemed offensive by their parents or by the makers of the blocking software. The popular blocking systems are reviled by many free-speech advocates, and often ridiculed for what are described as clumsy, keyword-oriented algorithms. The classic examples of ludicrous blocking include trapping access to any site that uses the word “breast”—including even possibly this very page if you are reading it on the Web. Other simple-minded traps have blocked users from accessing information pages for geographical locations ending in the old British suffix “-sex” such as Wessex, Sussex, Middlesex, and so on. The village of Scunthorpe in England was blocked by software used by a major Internet service provider because its internal filters prevented anyone from using “vulgar” words in their mailing address.
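The over-blocking described above comes from matching keywords as substrings. The following added example (not code from the chapter or from any filtering vendor; the blocklist and page titles are constructed for illustration) contrasts that naive substring test with a whole-word match plus an allowlist, using the chapter's own false positives; the Scunthorpe case fails in exactly the same way on a different embedded word.

```python
import re

# Constructed blocklist standing in for a filter vendor's keyword list
# (an assumption for illustration; no real product's list is reproduced).
BLOCKED_WORDS = ("sex", "breast")

# Phrases that contain a blocked word but are legitimate: the chapter's
# own over-blocking examples. An allowlist like this still has to be
# maintained by hand, which is the practical limit of keyword filtering.
ALLOWLIST = ("sussex", "wessex", "middlesex", "essex", "breast cancer")


def naive_filter(text):
    """Substring match, the 'clumsy, keyword-oriented' behaviour:
    blocks 'Wessex' because it contains 'sex'."""
    lowered = text.lower()
    return any(word in lowered for word in BLOCKED_WORDS)


def word_boundary_filter(text):
    """Whole-word match after masking allowlisted phrases, so place
    names and medical terms pass while the bare keyword is still caught."""
    lowered = text.lower()
    for phrase in ALLOWLIST:
        lowered = re.sub(r"\b%s\b" % re.escape(phrase), " ", lowered)
    return any(re.search(r"\b%s\b" % re.escape(word), lowered)
               for word in BLOCKED_WORDS)


# Constructed page titles: three legitimate, one that should be blocked.
SAMPLE_TITLES = (
    "Wessex regional history archive",
    "Middlesex County public library",
    "Breast cancer screening guidelines",
    "Free sex pics click here",
)


def compare(titles=SAMPLE_TITLES):
    """Return {title: (blocked_by_naive, blocked_by_word_boundary)}."""
    return {t: (naive_filter(t), word_boundary_filter(t)) for t in titles}


if __name__ == "__main__":
    for title, (naive, better) in compare().items():
        print(f"{title!r:40} naive={naive!s:5} word-boundary={better}")
```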

Some of the blocking software products use hidden assumptions about the unsuitability of a wide range of topics, including abortion rights, civil rights, political ideology, and gay liberation. Any parent is entitled to express opinions about any topic; however, parents will want to check on whether a particular program is imposing its makers' political agenda by stealth. In the workplace, employers who use broad-spectrum blocking software may interfere with legitimate research by their employees.

48.5.5.2.4 Monitoring.

A different approach to interfering with the nefarious deeds of pornographers is to install monitoring software on the computers that employees use at work or that children will use at home. These products keep a log, or audit trail, that allows employers and parents to see exactly what users have been doing with their computers.

In the family context, most important, however, is the principle that machines and programs cannot by themselves teach values. Instead of relying only on passive barriers or on snoopware, parents would do well to make surfing the Internet a family activity rather than a private hobby. When kids express interest in pornography—because our popular culture is full of sexual innuendo that children read, hear, and see—it makes sense to discuss the issues rather than try to pretend that they do not exist. One approach for reducing the power of the forbidden fruit offered by pornographers is to explain to children in a supportive and nonpunitive way why sexual exploitation and degradation are bad for people. Children who stumble on porn sites by accident or at their friends' houses may be better prepared to cope with the sometimes disturbing images and words if their parents have prepared them for this aspect of today's world.

48.5.6 Archiving E-mail.

Organizations must remember that e-mail may be demanded as evidence in court cases. There is a fiduciary duty to maintain business records appropriately for each type of business, and that obligation extends to electronic records. Policies should stipulate how long e-mail records should be maintained. Destruction of e-mail should never be selective, especially if there is an anticipated threat of legal action. Selective destruction of particular records, or premature wholesale destruction of e-mail, may be interpreted by the courts as grounds for charges of interference with the judicial process.

For details of backup and archiving policies, see Chapter 57 in this Handbook.

48.6 RECOMMENDATIONS.

This section summarizes some practical recommendations for employees and their families.

48.6.1 Protecting Children

  • Explain the dangers of communicating with strangers via the Net in the same terms that you discuss the dangers of talking to strangers anywhere else.
  • Alert children to the questionable identity of anyone they meet exclusively through the Net or via e-mail. Discuss the possibility that people are not what they claim to be in their online persona.
  • It is important that children feel confident of a supportive response from their parents when raising these issues. Establish a calm atmosphere so that children will not fear your reactions if they are troubled by what they encounter online. Worst of all would be to punish a child for reporting a disturbing incident.
  • Tell children not to give their address to strangers they meet electronically.
  • Children should not send pictures of themselves to strangers.
  • Make a practice of discussing online relationships in a friendly and open way at home. Show interest in the new friends without expressing hostility or suspicion; ask to participate in some of the online chats and e-mail correspondence. Invite your children to sit in with you during your own online interactions.
  • If a child feels that another child met online is becoming a good friend, parents should contact the child's parents by phone and, eventually in person, before allowing contacts.
  • If a child wants to meet someone encountered on the Internet, be sure that a parent is involved at all stages. Never let a child meet anyone in the real world whom he or she has met only on the Net. Any attempt to induce a child to meet the correspondent alone or secretly should be reported to local police authorities for investigation.
  • Make it clear that anyone who suggests hiding an online relationship from the child's parents is already doing something wrong.
  • Make it clear to your children that no one has the right to send them age-inappropriate, sexually suggestive, or frankly pornographic materials, whether written or pictorial. Suggestions on the Internet that children engage in virtual sex play or sexual fantasies should be reported to parents right away. Making, transmitting, and storing child pornography is a felony; report such cases to local police authorities at once.
  • Children receiving a request for anything unusual (e.g., a request for a piece of clothing or for nude pictures) should immediately report the incident to their parents. Teachers and other caregivers can adapt these principles for the specific circumstances of their relationship with the children they are taking care of.

48.6.2 Threats

  • Employers, parents, and teachers should clearly enunciate policies preventing anyone—including children—from uttering threats of violence or other harm, even in e-mail messages or chat rooms.
  • Employees should be instructed to report all threats directed at them, or at others, to the security officers in their organization; similarly, parents, teachers, or librarians should ensure that children know to report any threats immediately to the appropriate adult.

48.6.3 Hate Sites

  • To protect children against the wiles of these hateful people, the most important step is to discuss the issue of hate speech and hate groups with them openly. Parents may even want to visit some of the sites listed below with their kids to give them a sense of the problem and possible countermeasures.
  • Discuss your children's feelings about out-groups in their own lives; for example, encourage them to speak freely, without fear of punishment or reprimand, about whatever groups they do not like. Then pursue the discussion with explanations of such issues as cultural differences, history, or whatever else you feel will help your children gain perspective on their own feelings and behavior. Of course, this positive attitude cannot be applied to hate groups or similar outlaws.
  • Provide positive social role models for children with respect to hate groups. Speak out firmly in opposition to intolerance rather than sit silently by when bigots display their hatred for other groups.

48.6.4 Pornography

  • Place young children's Internet-access computers in a family area of the home rather than in their bedrooms.
  • Interact with your children while they are using the Internet; treat the Web browser like a window on the world, and be present to help your children interpret that world in a way consistent with your values.
  • Talk with your children about the existence and nature of pornography; as they reach puberty, assure them that there is nothing wrong with being interested in sex but that pornography is not a healthy way of learning about wholesome, loving relations.
  • Warn your children about some of the tricks used by pornographers to get traffic on their Web sites, such as telling them to download special readers. Tell them about the Moldovan porn scam.
  • Discuss the issue of junk e-mail that advertises porn sites. Warn children that no one should ever click on a URL from any kind of junk e-mail because it can easily be a trick to get them into dangerous territory.
  • Teach your children to keep an eye on the actual URL that appears in the browser window; any discrepancy between the visible URL shown on a page and the actual URL should alert them to the possibility of fraud.
  • Explain that pornographers sometimes charge for access to their sites without permission; be sure your children understand how dangerous it would be to give your credit card number to these people for any reason.

48.6.5 Internet Addiction

  • Know the warning signs of Internet addiction and self-monitor.
  • Discuss Internet addiction and its warning signs with your employees and your children.
  • Encourage open discussion of feelings about the Net, so that children feel free to turn to you for help if they become uncomfortable or unhappy about their own experiences on the Net.

48.6.6 Online Dating

  • Do not build online profiles or give out addresses, phone numbers, or school names.
  • Do share e-mail accounts with your children, and oversee their messages.
  • Keep the computer in a family room where children's activities can be monitored.
  • Remember that people may lie when describing themselves online.
  • Do not allow children to meet online users without permission, and make all meetings in public places with adult supervision.
  • Forward copies of suggestive or obscene messages to your Internet service provider.
  • Find ways to block objectionable material.
  • Discuss online dating with kids so they understand what is involved.
  • Ensure that kids understand why it is inappropriate and even dangerous for them to masquerade as adults in online dating services.
  • Do not rush into face-to-face contact; you need to be sure that you are meeting someone who is on the level, not an imposter who has ulterior motives.
  • You may want to take advantage of anonymizing services offered by some dating sites to avoid handing out your real e-mail address to complete strangers.
  • Be suspicious of anyone who tries to pressure you in any way, including demanding money or insisting on a meeting, before you feel confident of the person's good intentions.
  • As you are getting to know someone online, ask questions about lots of things you are interested in—for example, hobbies, politics, religion, education, birth date, family background, and marital history and status.
  • Keep the answers you receive and beware of people who provide inconsistent or contradictory information as they are communicating with you—any lie is a danger signal.
  • Be suspicious of anyone who seems to be too good to be true; if someone matches you on every single preference or interest you mention, try mentioning the very opposite of what you said earlier in the communications and see if the person agrees with that too. Trying too hard to please by lying may mark a manipulative and potentially dangerous personality.
  • Be honest about yourself; state your own interests and characteristics fairly, including things you think might be less attractive than stereotypes and cultural norms dictate. A mature, good person will not necessarily be turned off if you do not look like a movie star, or if you do not play four musical instruments perfectly, or if you lisp.
  • If you get to the point of exchanging pictures, be sure that you see the person in a wide variety of situations and with other people; some online daters send false pictures to misrepresent themselves.
  • Talk to the person you are getting interested in over the phone; be suspicious if the person resists such a request for a long time or always has excuses for not being available when you have agreed to talk.
  • Listen carefully to how the person sounds on the phone, and be suspicious if you now receive information that contradicts something the person wrote to you about. Any lie should alert you to potential problems.
  • Before you agree to meet, get your date's full name, address, and telephone number. Be suspicious if the person refuses to give you a home number: Could he or she have a spouse or a current live-in friend that he or she is trying to deceive? Call the home number a couple of times to see if someone else answers.
  • Give the person's information, and the exact details of where and when you are going to meet, to friends and family. Do not ever accept a date with someone who wants to keep the location and time a secret. Be sure the meeting place is well lighted and in a public place such as a coffee shop.
  • Do not allow a stranger to pick you up at your house, and be sure you can get home by yourself.
  • Before considering further involvement, for safety's sake think about having a background check done on the person you like, using a professional service such as whoishe.com or whoisshe.com.

48.6.7 Online Games

  • Learn to play some of the games your kids are enthusiastic about. Take the time to immerse yourself in the imaginary worlds they play in, and study the underlying values that are being communicated by the game creators.
  • Use published reviews from online or other media that reflect your own family's values before allowing games into your home.
  • Accompany your children to the stores when buying video games. Check for parental warning labels. Talk to the salespeople if you think they are reliable.
  • Know the characteristics of your hardware and software before buying recently released games. Do not buy a new game only to discover that it does not run on your obsolescent system. A disappointed child can apply intense pressure to spend money on a new system. Some games are computationally intensive and require expensive, advanced computer hardware and modern sound systems, complete with a high-powered amplifier driving woofers and subwoofers.
  • Try making game playing an opportunity for family fun or parent-child bonding instead of the isolating experience games can sometimes be. See if you can all have fun with puzzle- and exploration-oriented games such as Myst and Riven, neither of which involves violence, and both of which are visually beautiful.

48.6.8 Online Purchases

  • Before spending a considerable amount of money on a new online merchant's site, do some basic research into the site's reliability. Check the company's reputation; see if it belongs to the Better Business Bureau (BBB), and contact the appropriate chapter of the BBB to see if there have been complaints about the vendor.
  • Do a Web search using a good search engine, such as Google, to see if there are any up-to-date reports about customer experience on the site you are interested in.
  • Pretend that you already have a problem and look for the customer service pages. Are there clear instructions on how to communicate problems? Would you have the choice of e-mail, letters, or phone communications? If you have the time, you may even want to try calling customer service to find out just how they handle calls. If you hit a company that hangs up on you when its lines are busy (“We are sorry, but all our agents are busy; please call back later.”), you might want to give serious thought to whether it is safe to do business with them.
  • Read the company's return policy; how does it handle breakage in transit, or defective goods? Does it offer guarantees on delivery time? What happens if the company is out of stock on a specific item—does it ship partial shipments or wait for everything to be ready? When out of stock, does it charge your credit card immediately, or only after the shipment is made? If it splits your shipment, does it charge extra for delivery of the later parts?
  • Read the site's privacy policy. If the text is practically invisible 6-point yellow on white, be suspicious. Look for weasel-words in the clauses that say, for instance, that the policy can be changed at any time without notice; such a clause means you would have to check the site regularly to see whether the policy had changed, which is unrealistic. Instead, look for firm, clear assurances that your personal information will not be sold, traded, or given away without your permission. Usually Web site owners state that they may have to divulge information to partnering organizations that handle such normal functions as billing and order fulfillment. There can be little objection to this provided the partners are bound by acceptable security policies.
  • Keep a detailed record of your transactions. Use the browser functions to save copies of, or print out, the relevant Web pages with descriptions of the products, prices, a summary of your order, the order number, promised delivery date, and method of shipment.

48.6.9 Online Auctions

  • Before becoming involved with online auctions, research the value of goods you are interested in buying. Check bricks-and-mortar stores, online retail outlets, and comparative shopping sites that provide you with specific prices.
  • Examine the policies and costs on shipping, warranties, and refunds.
  • Set your upper limit before you get involved in an auction. Do not be influenced by the value other people appear to place on a particular product or service, and certainly do not be caught up in a bidding frenzy.
  • Do not treat online auctions as a competition you have to win.
  • Look for auction services that provide a guarantee of support if you are cheated in a transaction. For example, check for language in the terms of service that covers losses up to a suitable limit. Check for insurance policies, costs, terms, and limits. Use search engines to evaluate the trustworthiness of the service you are thinking of using.
  • If possible, use a service that provides an escrow function so that you pay money to the service and then release it only when the product is received in good condition.
  • Use the browser functions to print documents, and save Web pages to disk at every stage of each transaction.

48.6.10 Online Gambling

  • Do not gamble with money you cannot afford to lose.
  • Do not gamble online, except at well-known sites.
  • If you do gamble online, do not gamble with money at sites hosted outside your own country.
  • Do not give your credit card number to online gambling centers that are outside your own country.
  • Before you gamble online, do some research to find out if there have been complaints about that casino. Contact your Better Business Bureau, or equivalent, and see if you can find friends or acquaintances who have played on the site you are considering.

48.6.11 Preventing Malware Infections

  • Keep your antivirus signatures up to date (automatic daily updates are good).
  • Do not download or use software that purports to help you break the law or cheat people and businesses.
  • Do not download or use software that has been copied without permission or in violation of license restrictions. That is software piracy, copyright infringement, or plain theft.
  • Do not execute software that anyone sends you through e-mail even if you know and like the person who sent it to you. Just because the person is nice does not mean he or she is qualified to inspect programs for safety.
  • Before sending someone an attachment such as a picture or any other kind of file by e-mail, let your recipient know what to expect via a preliminary message; if you do not know the person personally, send an e-mail requesting permission to send the attachment.
  • Never open attachments you have received without advance notice, regardless of who sent them or what the subject line or text says. Be especially suspicious of generic subjects such as “FYI” without details or “You'll like this.” If you are really curious about the attachment, phone or e-mail the supposed sender to find out whether it is legitimate. However, remember that you should not run programs you receive as attachments, regardless of what the sender thinks.
  • Do not forward programs, even reliable programs, to anyone; instead, tell your friends where to download useful programs from a trustworthy source, such as a legitimate Web site.
  • Before sending anyone an MS-Word document as an attachment, save it as an RTF file instead of the usual DOC file. RTF files cannot contain Word macros and therefore cannot carry macro viruses. (They can still embed objects, so recipients should still scan them.)
  • Disable automatic execution of macros in MS-Word (in Word 2003 and earlier, Tools | Macro | Security; in later versions, the Trust Center's Macro Settings) by selecting the High option, which restricts macro execution to digitally signed macros from trusted sources. Do not assume the installed default is safe: check the setting, because at the Low level macros run with no warning at all.
  • Use the options offered by your e-mail client to shut off automatic opening or execution of attachments.
  • Do not circulate virus warnings; if you insist on doing so, personally check their validity on any of a number of virus-information and hoax sites on the Web.

48.6.12 Guarding against Spyware

  • Before installing freeware or adware, read the terms and conditions carefully to see if they currently include language permitting automatic transfer of information to the supplier or to third parties. Be aware that these contracts often include language authorizing the supplier to change the terms and conditions at any time and without notifying you.
  • Install and use a spyware scanner and removal program, such as the free Ad-Aware program from Lavasoft, PestPatrol from Computer Associates, or the ZoneAlarm firewall.
  • If you are particularly irritated by spyware, install a real-time spyware monitor and blocker such as those just mentioned.
  • Support legislative attempts to force software manufacturers to disclose their use of spyware.

48.6.13 Junk E-mail

  • Do not buy products or services from anyone who has sent you junk e-mail. If the company is unprofessional or inconsiderate enough to use such methods of advertising, it does not deserve either your business or your trust.
  • Do not assume that the From address is correct, because often it is either nonexistent or, worse, fraudulently misrepresents the origin by pointing to a legitimate business that is completely innocent of wrongdoing. Never bombard the owner of a From address with multiple copies, or even one copy, of abusive e-mail. Such messages, known as mail-bombs, will probably reach the wrong target—some innocent addressee.
  • Never respond to the address listed for removal from an e-mail distribution list unless you initiated the contact or are confident that you know the organization that sent you the message (e.g., publications you already subscribe to). Since bounces (returned e-mail due to bad addresses) never reach them and there is no incremental cost for sending messages to unwilling people, these operators really do not care how you feel about the junk they send. Therefore, the unethical people who send junk e-mail use the REMOVE function primarily to harvest correct, actively read e-mail addresses so they can sell them to someone else.
  • Even if you trust the organization that sent you a junk e-mail, never click on a link contained in the message. Instead, visit the company's Web site and request removal from their official contact address, which any reputable company has.
  • Do not visit the URLs listed in junk e-mail messages. Some of them are deliberately mislabeled and may bring you to offensive Web sites.
  • If you really feel angry about a particular e-mail and it has a dropbox (a real address in the body of the message where you are supposed to reply), and you have nothing better to do, you may want to send a copy of the spam to the abuse address of the ISP running the dropbox (usually abuse@ISPname.domain, where you fill in the ISP's name and domain). However, the chances are high that your message will be one of hundreds or thousands of similar reports.
  • Do not send any junk e-mail yourself. Encourage those around you (friends, neighbors, children) not to send junk e-mail either.
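Two of the recommendations in this chapter, keeping an eye on the real URL behind a link (48.6.4) and never trusting the links inside junk e-mail (48.6.13), can be checked mechanically. The following is an added example, not code from the chapter: it parses an HTML message body, collects every link whose visible text names a Web site, and reports the ones whose actual href points at a different site. The message body and every host name in it are constructed for the example, and the "last two labels" domain comparison is a deliberate simplification, noted in the code.

```python
"""Flag links whose visible text names one site but whose href goes to another.
Added example; SAMPLE_HTML is a constructed message body, not a real one."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

SAMPLE_HTML = """
<html><body>
<p>Order 123 shipped: <a href="https://shop.example.com/order/123">https://shop.example.com/order/123</a></p>
<p>Please confirm your account at
<a href="http://login-verify.example.net/x?u=7">www.bank.example.com</a></p>
<p><a href="https://example.org/unsubscribe">Click here</a> to unsubscribe.</p>
</body></html>
"""

# Visible text that looks like a URL or a bare host name; group 1 is the host.
_URLISH = re.compile(
    r"^(?:https?://)?(?:www\.)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#:].*)?$", re.I)


class _Links(HTMLParser):
    """Collect (href, visible text) for every <a> element in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_named_in_text(text):
    """Host that the visible link text claims to point at, or None
    when the text names no site at all ('Click here')."""
    m = _URLISH.match(text.strip())
    return m.group(1).lower() if m else None


def registrable_domain(host):
    """Crude: keep the last two labels. Production code would consult the
    Public Suffix List so that names such as example.co.uk compare correctly."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def find_mismatched_links(html):
    """Return [(visible text, href)] for links whose text names a different
    site than the one the href actually leads to."""
    parser = _Links()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        claimed = host_named_in_text(text)
        if claimed is None:
            continue                       # nothing to compare against
        url = urlparse(href)
        if not url.scheme:
            url = urlparse("http://" + href)   # scheme-less href such as example.org/x
        elif url.scheme not in ("http", "https"):
            continue                       # mailto:, ftp: etc. are not compared here
        actual = url.hostname or ""
        if registrable_domain(claimed) != registrable_domain(actual):
            findings.append((text, href))
    return findings


if __name__ == "__main__":
    for text, href in find_mismatched_links(SAMPLE_HTML):
        print("text says %r but link goes to %r" % (text, href))
```

On the constructed body the order-tracking link passes and the "confirm your account" link is reported, because its text names bank.example.com while the href goes to login-verify.example.net. The check deliberately ignores links whose text is a phrase rather than a site name; such links carry no claim to verify, which is exactly why the chapter says not to click them at all in junk mail.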

48.6.14 Mail Storms.

Here are some simple suggestions for reducing the likelihood of mail storms:

  • Minimize the use of automated responses on your e-mail accounts.
  • If you do autoforward your e-mail, do not let your target mailbox fill up.
  • If you are receiving autoforwarded e-mail from your primary mailbox, do not autoforward back to the original mailbox.
  • E-mail system administrators should receive exception reports identifying accounts with excessive numbers of e-mail messages or excessive traffic, so that they can investigate for mail storms.
  • Firewalls that inspect the content of e-mail messages should be able to react to an excessive number of bounce messages from a single originating address by deleting the traffic or informing the system administrator of a likely mail storm.
  • Managers of unmoderated lists should configure a From address different from the address that participants use to post messages to the list, so that automatic replies go to the list owner rather than back to every subscriber.
  • Users of list servers who want to send personal messages should reply to the sender, not to the entire list.
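As an added example (not code from the chapter) of the exception reports and bounce-flood detection recommended above, the following script scans a mail log for three mail-storm signatures: one account sending an excessive number of messages within a time window, two addresses answering each other back and forth (the classic pair of auto-responders), and a flood of bounces aimed at a single originating address. The one-line log format, the addresses, the timestamps and the thresholds are all constructed for the example; a real deployment would parse its own MTA's log format and tune the thresholds to normal traffic.

```python
"""Mail-storm detection over a mail log. Added example; the log format and
every address below are constructed and do not come from a real system."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed one-message-per-line format (not any real MTA's log syntax).
LINE_RE = re.compile(
    r'^(?P<ts>\S+) from=<(?P<frm>[^>]*)> to=<(?P<to>[^>]*)> subject="(?P<subj>[^"]*)"$')


def parse_log(text):
    """Return (timestamp, sender, recipient, subject) tuples; unparseable lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append((datetime.fromisoformat(m["ts"]),
                            m["frm"].lower(), m["to"].lower(), m["subj"]))
    return records


def find_mail_storms(records, window=timedelta(minutes=10),
                     max_per_sender=30, max_round_trips=5, max_bounces=5):
    """Return (kind, detail) findings; kind is 'volume', 'loop' or 'bounces'."""
    findings = []
    sent_at = defaultdict(list)   # sender -> timestamps in time order
    directed = Counter()          # (sender, recipient) -> message count
    bounces_to = Counter()        # recipient -> bounce messages received
    for ts, frm, to, _subj in sorted(records):
        sent_at[frm].append(ts)
        directed[(frm, to)] += 1
        if frm.startswith("mailer-daemon@"):
            bounces_to[to] += 1

    # (1) Sliding window per sender: more than max_per_sender messages inside `window`.
    for sender, stamps in sent_at.items():
        lo = 0
        for hi, t in enumerate(stamps):
            while t - stamps[lo] > window:
                lo += 1
            if hi - lo + 1 > max_per_sender:
                findings.append(("volume", sender))
                break

    # (2) Reply loop: both directions of a pair carry more than max_round_trips messages.
    for (a, b), n_ab in directed.items():
        if a < b and min(n_ab, directed[(b, a)]) > max_round_trips:
            findings.append(("loop", (a, b)))

    # (3) Bounce flood aimed at one originating address.
    for addr, n in bounces_to.items():
        if n > max_bounces:
            findings.append(("bounces", addr))
    return findings


def constructed_log():
    """Build a small, entirely made-up log: two out-of-office responders
    answering each other every second, seven bounces to one list address,
    and one ordinary exchange that must not be flagged."""
    t0 = datetime(2009, 3, 2, 10, 0, 0)
    fmt = '{} from=<{}> to=<{}> subject="{}"'
    lines = [
        fmt.format((t0 + timedelta(minutes=1)).isoformat(),
                   "carol@example.com", "dave@example.org", "Lunch?"),
        fmt.format((t0 + timedelta(minutes=3)).isoformat(),
                   "dave@example.org", "carol@example.com", "Re: Lunch?"),
    ]
    for i in range(40):   # 40 round trips in 80 seconds
        lines.append(fmt.format((t0 + timedelta(seconds=2 * i)).isoformat(),
                                "alice@example.com", "bob@example.org", "Out of office"))
        lines.append(fmt.format((t0 + timedelta(seconds=2 * i + 1)).isoformat(),
                                "bob@example.org", "alice@example.com", "Out of office"))
    for i in range(7):
        lines.append(fmt.format((t0 + timedelta(minutes=5, seconds=i)).isoformat(),
                                "MAILER-DAEMON@example.com", "news@example.com",
                                "Undelivered Mail Returned to Sender"))
    return "\n".join(lines)


if __name__ == "__main__":
    for kind, detail in find_mail_storms(parse_log(constructed_log())):
        print(kind, detail)
```

On the constructed log the script reports both auto-responders for volume, the pair for a loop, and news@example.com as the target of a bounce flood, while the carol/dave exchange stays quiet. The loop rule is the one worth keeping even where volume thresholds are generous: two responders exchanging one message a minute never trip a per-account limit, but they never stop either.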

48.6.15 Detecting Hoaxes.

Key indicators that a message is a hoax:

  • Use of exclamation marks. No official warning uses them.
  • Use of lots of uppercase text, typical of youngsters.
  • Misspellings and bad grammar.
  • No date of origination or expiration.
  • Inclusion of words like “yesterday” when there is no date on the message.
  • References to official-sounding sources such as Microsoft, the Computer Incident Advisory Capability (CIAC), or the Computer Emergency Response Team Coordination Center (CERT/CC) but no specific document URLs for details. URLs for a site's home page do not count.
  • No valid digital signature from a known security organization.
  • Requests to circulate widely. No such request is ever made in official documents.
  • Claims that someone is counting the number of e-mail messages containing copies of the hoax.
  • Threats about dire consequences if someone “breaks the chain” by refusing to forward the message.
  • Claims of monetary rewards that make no sense. For example, the Disney organization will send you $5,000—for forwarding an e-mail message.
  • Use of complicated technical language, such as “n-th dimensional infinite complexity control loops,” that does not make sense.
  • Claims of damage to computer hardware from viruses or other computer software.

48.6.16 Get-Rich-Quick Schemes

  • Remind everyone to use common sense: Offers to earn lots of money with little or no effort usually turn out to be either impossible or illegal.
  • Teach users the mantra of the skeptic: “If it sounds too good to be true, it usually is”.
  • Explain how dangerous it is to get involved with criminal schemes like using stolen or falsified credit cards. Talk about the victims of such fraud: Everyone who pays higher interest rates on unpaid credit card bills and innocent shopkeepers who lose merchandise to e-commerce crooks.
  • Especially when talking to children, discuss Internet-mediated theft in the same terms as you discuss shoplifting. Explain how commerce works; point out that everyone suffers from all kinds of theft, including electronic shoplifting.

48.6.17 Hacking

  • Contact your local FBI office and find out if they can send a speaker to your company or to a local meeting of a professional security association for a discussion of computer crime.
  • If you or specific authorized staff (e.g., from the security group) do visit Web sites that support criminal hacking, be sure to use a personal firewall and set the parameters to deny access to personal information and to refuse cookies and active code (ActiveX, Java) from such sites.

48.7 CONCLUDING REMARKS.

This chapter focuses specifically on the use and abuse of Internet and e-mail resources. However, it becomes clear that both of these technologies are simply extensions of the human being behind the computer. Whether it is pornography, online gambling, deceitful e-mails, or simply posting inappropriate material to a public Web site, the potential for damage to an individual, family, or organization is high. Taking a proactive stance through education and awareness is one major tool to combat these deceptive and unethical practices.

Employers have an ethical, and in many cases legal, responsibility to develop and implement policies around the appropriate use of the Internet and e-mail at work. Unfortunately, simply putting the policies out for employee consumption is not enough. Employers must continually remind employees about both the dangers of misuse and the potential consequences to their employment. And when an employee chooses to violate the policy, employers must have a clearly defined process for encouraging proper behavior.

The scope of impact for these issues does not simply end when the employee leaves the office. Because the Internet and e-mail have spread into nearly every facet of our lives, taking the message home to the family is an important responsibility for everyone. Child predators use the Internet to prey on unsuspecting or naive children, in an effort to exploit them for whatever immoral activity they wish. Parents therefore have an obligation to put their own family policies in place regarding what is, or is not, acceptable use of the Internet and e-mail in the home.

Unfortunately, there is no easy answer to the problems described in this chapter. Neither the Internet nor e-mail is good or bad in itself; they become good or bad only through their users and their actions. As technology continues to increase in speed, and in the ability to store more data in less space, everyone must take an active role in protecting each other, at the corporate level and in the home.

48.8 FURTHER READING

Blanpain, R., and M. Van Gestel. Use and Monitoring of E-mail, Intranet, and Internet Facilities at Work: Law and Practice. The Hague: Kluwer Law International, 2004.

Cavanaugh, C. Managing Your E-Mail: Thinking Outside the Inbox. Hoboken, NJ: John Wiley & Sons, 2003.

Criddle, L. Look Both Ways: Help Protect Your Family on the Internet. Redmond, WA: Microsoft Press, 2006.

Flynn, N., and R. Kahn. E-Mail Rules: A Business Guide to Managing Policies, Security, and Legal Issues for E-Mail and Digital Communication. New York: AMACOM, 2003

Goldsmith, J., and T. Wu. Who Controls the Internet? Illusions of a Borderless World. New York: Oxford University Press, 2006.

Holtz, S. Corporate Communications: A Guide to Crafting Effective and Appropriate Internal Communication. New York: AMACOM, 2004.

Jovin, E. E-mail Etiquette for Business Professionals. New York: Syntaxis Press, 2007.

Spinello, R. A. Regulating Cyberspace: The Policies and Technologies of Control. Westport, CT: Quorum Books, 2002.

Willard, N. E. Cyberbullying and Cyberthreats: Responding to the Challenge of Online Social Aggression, Threats, and Distress, 2nd edition. Champaign, IL: Research Press, 2007.

48.9 NOTES

1. Parts of this article are based on materials originally published by M. E. Kabay in his Network World Security Strategies column and in older writings. To avoid cluttering the text with nonessential endnotes, no quotation marks or references are provided for such material.

2. Gaudin, “Insider Threats Giving IT Execs Nightmares,” eSecurityplanet, November 4, 2005; www.esecurityplanet.com/prevention/article.php/3561761.

3. www.dhs.gov/iaipdailyreport.

4. J. Leyden, “The Enemy Within: Geeks, Squatters and Saboteurs Threaten Corporate Security,” The Register, December 15, 2005; www.theregister.co.uk/2005/12/15/mcafeeJnternal_security.survey/.

5. There are several copies of the Monty Python SPAM skit available on YouTube. The skit shows two customers overwhelmed by a menu consisting largely of SPAM—with Vikings singing a rousing chorus of “spam, Spam, SPAM!” in the background.

6. Parker v. C. N. Enterprises Order, District Court of Travis County, Texas. Final Judgment; http://legal.web.aol.com/decisions/dljunk/parkero.html.

7. Information on the Ponzi scheme is taken from The People's Chronology, copyright ©1995, 1996 by James Trager; published by Henry Holt & Co. and made available through the Microsoft Encarta 2007 CD. All rights reserved.

8. C. Tran, “Reading Is Believing,” ScienceNow, July 19, 2005; http://sciencenow.sciencemag.org/cgi/content/full/2005/719/1 (by subscription only).

9. From the NetworkSolutions Web site: www.networksolutions.com/ssl-certificates/index.jsp.

10. A. Hamilton, “Arizona Lottery Pick 3 Random Number Bug,” RISKS Forum Digest 19, No. 83 (1998); http://catless.ncl.ac.uk/Risks/19.83.html#subj5.

11. E. Werner, “Feds Say Vague Law Makes Ban on Internet Gambling Tough to Enforce,” Associated Press, April 2, 2008; www.startribune.com/politics/national/congress/17227309.html.

12. K. Young, “Internet Addiction Test,” 2008, Center for Internet Addiction Recovery, www.netaddiction.com/resources/internet_addiction_test.htm.

13. P. Bates and M. Fain, “Cheating 101: Paper Mills and You,” 2000; www.coastal.edu/library/papermil.htm.

14. A. Larson, “Sexual Harassment Law,” Law Offices of Aaron Lawson (September 2003): www.expertlaw.com/library/employment/sexual_harassment.html#FN1.

15. M. Potok, “Internet Hate and the Law: The First Amendment Protects Most Hateful Speech on the World Wide Web, but There Are Exceptions,” Southern Poverty Law Center Intelligence Report 97 (Winter 2000); www.splcenter.org/intel/intelreport/article.jsp?aid=288.