Chapter 1. Web 2.0

There is no doubt that Web 2.0 technologies bring many benefits. For example, the viral nature of Web 2.0 technologies such as social networking is an extremely powerful tool, which can be used to engage a large number of Web users very quickly for collaborative, knowledge sharing and networking purposes.

However, the interactivity and openness of Web 2.0 technologies in themselves also create risks. Sophos have reported that there has been a phenomenal growth in web threats over the last year[1]. Malware is present not only on malicious websites, but there is also a growing number of trusted and reputable websites which are compromised. For example, in April 2008 the Cambridge University Press website was compromised[2]. Visitors to its online dictionary were subject to attempts to run an unauthorised hacker’s script on their computers.

The risks from Web 2.0 technologies are compounded by the exponential growth in the volume of web-based personal data. In addition, the time lag between the fast moving pace of Web technology development and the speed at which legislation evolves means that complying with legislation can be complex and unclear.

The benefits of Web 2.0 technologies

The business benefits of Web 2.0 technologies include:

  • The central, online storage of documents enabling increased collaboration and group knowledge in real time and across geographic boundaries.

  • Improved and more interactive relationship with customers.

  • Increased vertical networking among colleagues in larger organisations.

  • Improved communication.

  • Improved partnership working.

  • Incentivised working conditions for the younger members of the workforce.

The following sections detail the ways in which Web 2.0 technologies can be used to provide benefits in specific business areas.

Product innovation: increased efficiency and cost savings derived from the speed of sharing, combined with enabling a central location for sharing files and drawings. Collaboration tools also enable employees to be tapped for ideas which are then hosted and developed in a single virtual location.

Sales, marketing and market research: the main benefit of these tools for sales and marketing and market research is in lead generation and brand awareness.

Video, blogging, social networking, forums and videoconferencing all enable customers to be tapped for ideas, feedback, preferences and recommendations which can then in turn be used to advertise products and feed the marketing and sales process. For example, Amazon has a function on their website that suggests, based on one’s previous purchases, ‘other products which you might like to buy’.

Production: Web 2.0 tools such as wikis and collaboration tools can be used to gain and generate input from a wide number of employees, which is available to view in a central place.

HR processes: Web 2.0 technologies, particularly interactive videos, can also be used for employee training. Younger employees (under 30) are far more familiar with Web 2.0 technologies. For example, they may be more used to communicating using social networking sites rather than e-mail. There are many organisations who suggest that organisations must ‘adapt and embrace Web 2.0 technologies such as wikis and social networks’ to attract and retain younger employees[3].

An organisation’s use of up-to-date technologies increases an employee’s sense of pride in working for that organisation and may make them feel much more engaged.

Finance: Web 2.0 technologies can be used to share management information reports so that they are available in a single, shared area, accessible through a browser, and capable of interrogation with interactive and graphical tools.

Procurement: Web 2.0 technologies can be used to improve the procurement or purchasing process for an organisation. They provide a low cost method for finding the best priced goods. Traditionally, procurement officers for organisations generate separate quotes from preferred suppliers they have identified. Web 2.0 technologies enable the process to be centralised and potential suppliers to find and inform them about their products and services. Suppliers can upload information about their products, including photographs, videos and reviews from other customers.

Education and training: Web 2.0 tools can be used in an interactive manner in education to enhance the learning experience. In addition, the same arguments that are being used for the introduction of Web 2.0 technologies for younger employees in companies are relevant to schools. Children as young as 7 or 8 are using Web 2.0 technologies such as instant messaging and interactive websites at home.

Risks associated with Web 2.0 technologies

There are, however, risks associated with Web 2.0 technologies which need to be managed. The technologies and trends which are helping to revolutionise the way in which we use the web also create security risks. Trends such as user-created content, synchronous communication, openness and transparency, online collaboration and the viral nature of Web 2.0 all create security risks.

The following table summarises the security risks associated with the Web 2.0 trends:

Table 1. Types of security risk associated with Web 2.0 trends and technologies

| Web 2.0 trend | Web 2.0 technologies | Type of security risk |
|---|---|---|
| User-created content | Blogs; Wikis; Social networking; Collaboration tools; Video sharing, photo sharing | User created content input to a website creates a website entry point for hackers and malware. |
| Synchronous communication | Instant messaging; Live blogging, e.g. Twitter | Outbound data leaks and inbound malware. Technologies such as Twitter and Instant Messaging, unlike e-mail, do not have any automatic backup facility. The speed of the communication means that it is possible to download or export files without leaving any trace or record of having done so. |
| Openness and transparency | Mashups; Technologies that enable music, video and photo sharing; Social networking; Open source software | Copyright and Intellectual property. Opponents of open source software have expressed concerns about the methodology, project documentation, the rigour of the testing method, risk assessment, project management, security, quality, implementation and maintenance in respect of Open Source[4]. |
| Online collaboration | | Many collaborative tools provide file sharing capabilities, a vector through which confidential information could be exported or malware imported. |

[4] Achieving Quality in Open Source Software, Mark Aberdour, IEEE Software (2007).

The uploading and downloading of files, particularly media files such as video and music, also creates high bandwidth requirements, which can slow down an organisation’s network.

The exponential growth of Web-based personal data

The sheer volume of data stored in organisations today also creates additional compliance difficulties. The amount of personal data which is stored and aggregated electronically is greater now than ever before. Examples include:

  1. Companies increasingly use personal information to better target products and services and to try and establish a relationship with customers through learning key pieces of personal information. For example, Amazon uses information about previous purchasing, and previous Web activity in order to target products that the customer might be interested in purchasing in the future.

  2. The public sector increasingly holds personal data electronically. Examples include driving licence information, tax, national insurance, child benefit and electoral roll. The data held often includes bank account numbers and personally identifiable information.

  3. Credit companies such as Experian hold records of financial transactions and credit card ownership to provide comments on customer creditworthiness.

  4. Transport operators will use information from travel tickets purchased online to develop a picture of an individual’s travel patterns.

  5. Search engines such as Google store volumes of personal data which is cached in Google’s memory and therefore available in searches.

  6. Governments use personal data for crime detection and surveillance purposes. For example, government agencies may mine personal data such as phone, medical, travel records or websites visited[5]. The National Research Council say:

Each time a person makes a telephone call, uses a credit card, pays taxes, or takes a trip, he or she leaves digital tracks, records that often end up in massive corporate or government databases ... Agencies use sophisticated techniques to mine some of these databases – searching for information on particular suspects, and looking for unusual patterns of activity that may indicate a terrorist network ... Although some laws limit what types of data the government may collect, there are few legal limits on how agencies can use already-collected data, including those gathered by private companies.

Legislative lag

The rate at which IT technology, and in particular Web technology, has changed, has meant that the corresponding legislation has been unable to keep pace. There are no binding international treaties or law around information security, which means that complying with local legislation around matters that have both a local and international aspect, such as data protection, privacy and electronic communications, can be complex.

In the US, much of the data protection and privacy legislation is still at a state level, rather than a federal level, which means that multi-state compliance can be complex and difficult.

The European Data Protection Directive, 95/46/EC, is now 13 years old and was written at a time when information requirements were different from those today. It was established in a context where data sharing and reuse were considered threats rather than realities, and where the fear of all-encompassing electronic databases was very dominant. The Rand Corporation express this as follows:

While the Directive should not necessarily be considered backdated, it is important to realise that it was written in a very specific societal context, and that it is the result of extensive negotiations between countries with differing legal traditions. The outcome is a compromise text, containing a mixture of provisions and obligations which were almost invariably considered essential in some countries, but barely acceptable in others…

The protection of privacy is coming under strain due to the increasing availability and ability to process large quantities of data; the growing use of and demand for personal information, by the public and private sectors; how this personal information is used and its accountability and finally the way that this pressure is managed – or how people are reacting to this pressure. Finally technology presents opportunities to use and abuse personal information in many ways[6].

However, the EU Data Protection Directive established the legal definition of personal data, the definition of data subjects and their rights and the definition of sensitive personal data.

There has been some legal action by the governments of Canada, the US, Australia and the UK, much of which is driven by concerns for children’s safety, rather than the protection of personal data and corporate information. There has been a significant dearth of legal cases involving data protection legislation and websites employing Web 2.0 technologies. There have not been any reported cases in the UK of prosecutions by the UK Information Commissioner’s Office (ICO) involving social networking sites. Privacy is legally a difficult concept to define; the legislation is historically based on human rights legislation.

It is entirely possible that many of the companies providing Web 2.0 services may breach current privacy and data protection legislation.



[1] Mid-Year Report: Malware, Spam and Web Threats in 2008, Mike Harris, Sophos (2008).

[2] Security threat report update, Sophos (July 2008).

[3] Web 2.0 technologies are seen as vital to attracting younger employees, Nextgov (23 October 2008).

[5] All Counterterrorism Programs That Collect and Mine Data Should Be Evaluated for Effectiveness, Privacy Impacts; Congress Should Consider New Privacy Safeguards, The National Academies (7 October 2008). http://www8.nationalacademies.org/onpinews/newsitem.aspx?RecordID=10072008A

[6] Review of EU Data Protection Directive, Inception Report, Robinson et al, RAND corporation (2008). http://www.rand.org/pubs/working_papers/WR607/
