Anonymous Posting on the Internet: Privacy vs. Defamation vs. Information Security
Over the past few months I've discussed with several different organizations the issue of their personnel posting on Internet sites, to blogs, within Internet communities, and in various other locations. The issues are many, but few organizations have really thought about them all: the implications of employees posting from the corporate network, the use of corporate email addresses within online postings, the work time spent posting, the possibility of libelous statements being made that the corporation may ultimately end up paying for, and many assorted other issues.
Some of my CISO and CPO buddies have found troubling statements their personnel have made, on their own time and from their own home accounts and computers, about their organizations. Some have posted sensitive information. The issues relate to information security and the privacy of their customers, and are likely considered to be covered by the respective organization's non-disclosure agreements (NDAs). The troubling thing about some of these situations is that several of the postings were made anonymously, but the information posted led the organizations to believe they were likely made by specific individuals who would be the only ones with access to the information divulged.
I started thinking about these discussions again when I read about a recent case in which Reunion Industries, Inc. claimed that anonymous defendants posted libelous statements and committed defamation through the Yahoo! Financial Bulletin Board.
Reunion Industries tried to force AOL (the ISP for the posters) to provide the identity of the defendants. However, on March 5, 2007, the judge denied the motion until the corporation presented sufficient prima facie evidence (generally, enough evidence to establish a fact which, if not rebutted, becomes conclusive of that fact) to meet the defamation standard. The court ruled that to meet the defamation standard for a corporation, Reunion Industries would need to prove actual damages.
Could your organization prove actual damages if someone anonymously posted libelous or defamatory messages? What documentation would you have to demonstrate the damage? What kind of logs do you keep to validate such damages? What would happen if someone anonymously posted a customer database to a website? What if you had good reason to suspect a certain person, but no hard evidence? These types of incidents are starting to occur more frequently.
As we become a more online society, with more people keeping not only personal blogs but also posting to others' blogs, chat rooms, bulletin boards and so on, this is something to consider. Information security, privacy, legal and HR leaders need to go to lunch together and talk about what issues their organizations face with regard to what needs to be done when information from or about their organization is posted, and what, if any, logs or other documentation exists that would help them in any subsequent court case.

Comments
I think an entire month of really long posts could still not cover how big this topic really becomes. Some people may see opinions to be something that needs squashing while others may see them as indications of unrest in a company or even just a person.
I take pains to make sure there are "three" pseudo-layers between me and anything I say about a company I work for or have worked for. I try not to use my real name in very many places, which is a layer circumvented by someone dedicating themselves to Google for a day, really. Not a huge deal. I don't talk about where I work, which means only a few people I know in person or from work would be able to put two and two together. And I try not to say anything that would even be misconstrued as defamatory.
Granted, all of those are not hard-and-fast layers. Yeah, my name can be found quite readily, yeah some people know about subjects I might otherwise want obfuscated, and I am on my own judgement about the weightiness of my opines.
If I have one failing, it is posting/blogging while at work (I'm at work right now). But thankfully I do try to make sure I blog or read only stuff pertinent to my career anyway. That is just a part of me, just like others younger than me have text messaging as part of their everyday social network. It's a fabric of our social/cyber culture that I am very sympathetic towards (e.g. in regards to IM I can argue as a network security dude on the dangers of it, but I can also argue for the personal happiness that can be imparted by allowing it for employees).
Tough, tough topics that really go deeper than many people realize when they breach them in the company...
Posted by: LonerVamp | April 19, 2007 11:14 AM
I think a real danger is posts are given much more credence by default in Web 2.0 (your posts are excluded, of course. I can personally attest to your expertise and the excellence of your work). If an inappropriate entry about an organization is made in a blog, the entry may take on a life of its own if other folks repeat the entry in their blog. The more blogs that have the entry, the more credibility the entry is given (i.e., reality by consensus).
I recommend inviting Public Relations to the luncheon. That department should understand when and how to respond to malicious postings.
Posted by: Alec | April 21, 2007 11:50 PM
Thanks for your thoughts, LonerVamp and Alec!
Indeed, this is a complex topic and we could probably talk about this on an ongoing basis for an indefinite period of time.
On one hand there are situations in which anonymous postings should and need to be allowed. Otherwise important thoughts and ideas may never be shared. However, as you indicate, there are issues such as using time your employer is paying you to work to do these postings, which can very easily expand into hours of writing, along with the real risk of not only having inappropriate things posted about the business, but also having personally identifiable information (PII) of customers or employees posted, purposefully or without realizing it.
Freedom of speech and expression of ideas is definitely a great right, and an important right, but people need to be sure they are not squashing the rights of others in the process, or putting others' PII at risk.
And yes, I agree, the things that can be the most fun and greatest tools personally can also pose some very great risks to business, employees and customers.
I, too, love using txt messages...but I only use them with 2 other people for non-work purposes. Same goes for IMs. This is just one way I keep these fun and handy tools from taking up too much of my time, and also keep them from becoming part of my way of doing business, or encroaching into the time I need to be doing business work.
Posted by: Rebecca | April 26, 2007 10:59 AM
BTW, an interesting article about the related issues was published today at the CSO site; see http://www2.csoonline.com/blog_view.html?CID=32881
Posted by: Rebecca | April 27, 2007 12:01 PM
Hi all, if you truly want to protect your internet identity and mask yourself when surfing, chatting and the like, you need a real VPN service like tiptunnel.com and not just a proxy service. Give it a go.
Then you can express yourself with freedom and ease.
www.tiptunnel.com
Tom
Posted by: Tom | June 8, 2007 2:11 AM
Great board, I just like it... sorry for offtop, but how do you connect to the Internet?
Through the Internet provider's gate, which is closely monitored by almost anyone from technical personnel to third party hackers, packet sniffers, cache servers, and so on - you wouldn't feel secure committing your business in the center of the stadium, would you?
That's exactly how you should feel using insecure connections from public Internet Service providers. But you can fix it with VPN encryption! Since your connection is encrypted nobody (none!) can actually decipher your traffic and whatever passes through your internet connection stays completely hidden.
Did you hear about the Patriot Act? Since then, nothing is private anymore in the States and a major part of Europe. Most free private proxy servers and gateways can only pass your data without encryption, hence make it visible to almost the whole world - the trick called "packet sniffing", when the traffic is captured, analysed and extracted. But when your data is encrypted, it's impossible to decipher what is going in and out of your computer: sensitive data, passwords and other important information.
I found this service, and feel better now... http://www.step-host.com When I send my messages and letters, surely none will know.
btw, they even have a week test drive!
Posted by: Andy Ko | August 12, 2007 1:37 AM