All posts tagged Email

Despite seeming like an age ago, InfoSecurity Europe has only just come and gone for another year… Boy this year is going fast!

I took the opportunity at InfoSec to update my take on Generation Gmail- Why are corporate email users flocking to webmail to get their job done?

Before you can answer that question, it’s important to ask why it’s even a relevant question.

  • It is believed around 80% of corporate Intellectual Property (IP) is contained within email- when it goes to personal webmail you lose control of this
  • If 80% of your corporate IP is in email- that means a lot of your trade secrets are in there too.
  • There are Data Protection and Data Sovereignty requirements, with legal bodies like the ICO, FSA etc. to comply with.
  • Does Personal email comply with anti-malware requirements?
  • Password Policy?
  • Retention and audit policies to enable e-discovery?
  • Legal requirements- like disclaimers and notices (Company Number, VAT etc)
  • What about Data Leak Prevention?
  • Interception by third parties?

The answer, clearly, is a resounding NO. And why should personal webmail providers comply? It’s personal webmail – not intended for corporate use.

This is creating a complete nightmare for corporate IT- and despite IT making individuals aware that this isn’t allowed and the risks involved: they’re still doing it…

What’s driving this?

Overwhelmingly, the evidence is pointing to the consumerisation of technology. The increasing use of technology in people’s personal lives is making them aware of, and used to, what is possible, and they’re bringing (demanding?) the same technology into their work life. iPhones and iPads are a case in point, though our research shows email is becoming the new battleground.

This represents a massive shift- is this the first time personal or consumer technology is driving the business technology agenda? Our Generation Gmail research suggests so- 65% of people say that home and work technology overlaps.

Yet despite this consumerisation- people keep saying “email is dead”. New data I got yesterday from Nielsen (via HubSpot) shows that time spent using email on mobile phones leads almost any other mobile internet use by nearly 4x, at 38.5%. Social Networking is second at a paltry 10.7%.

Clearly email is not dead- it’s the lifeblood of communication. And with mobile shipments surpassing PC shipments for the first time ever this year, it’s going to continue its ascendance.

What should companies do about it?

It’s a complex answer, dependent on your particular technology situation, location and the regulation you’re subject to. There isn’t a one-size-fits-all answer. Typically we’ve seen that email hasn’t been a priority investment area through the last few years- with a lot of businesses remaining on Exchange 2003 and 2007 as a way to mitigate against the costs of migration. Users now feel like the corporate email doesn’t compare favourably with consumer webmail- which is right, since the technology is nearly a decade old in some cases. That’s why they’re finding innovative ways to work around perceived obstacles and becoming “workaround workers”.

Policies alone aren’t enough to stop them- they have to feel like corporate email is a better alternative to personal email. They have to want to use corporate email.

So what can companies do?

Typically the majority of migration costs aren’t the Exchange piece- it’s the environment that sits around it. Over the years IT has had to bolt on solutions such as Archiving, Security, Disclaimers, Secure delivery, etc. The list goes on. Managing this complexity through a migration adds to risk and complexity which creates cost. I think IT needs to put themselves in a position where they can migrate, when they’re ready, because Exchange 2010 for example, is a big step up from 2003. Night and day different actually, especially if users are on Outlook 2000 or 2003 and make the move to Outlook 2010.

Don’t let users put you on the back foot with personal email- start putting the steps in place today to get migration ready and get them wanting to use corporate email.

Here’s the deck:


Cloud Strategist
Mimecast


I’m currently reading a fascinating book, Evolving God, by Barbara King.  Professor King uses her years of experience studying apes as a starting point to explore how humanity evolved religion and ethics.  It turns out that we share certain aspects of morality with apes, a sign that some of our basic morality evolved over eons, going back perhaps seventy million years.

It is because of this evolutionary history that our society doesn’t struggle to manage a “Right to Eat Babies” movement, because nearly all of us have inherited a nearly instinctual morality that characterizes baby-eaters as sick, evil, or both.   Our moral battles instead focus on issues that have arisen relatively recently, in evolutionary terms.  Abortion, for example, didn’t become a battleground issue until it became a safe medical procedure in the previous century.

Email technology is younger than I am, and I don’t seem to have evolved one bit.  Our evolutionary heritage offers no guidance for many of the thorny ethical dilemmas email has created.  Our inability to agree on the definitions of right and wrong surely complicates email immensely.

Take spam: everyone, save a few sociopaths, loathes it. But I’ll go way out on a limb here and reveal that I don’t consider spam immoral. It’s a bad idea that mucks up communication and creates incredible amounts of unnecessary work and expense. In many ways, it’s more of a question of judgement and etiquette than morality. If you leave a big box of candy with a child and he eats it all, he’s shown bad judgement and perhaps greediness, but I wouldn’t call it immorality.

Now, I’m not trying to start a defense of spam.  I’m as happy as anyone to see spammers shut down, and the worst ones even jailed.  But I see spam as being in large part the fault of a communication system that has eliminated all possibility of regulating behavior through pricing.  Email is, in this sense, what the law calls an attractive nuisance.  A technology deserves some blame for the antisocial uses it facilitates.  Someone who is driving safely but over the speed limit deserves to get a ticket, but hasn’t acted immorally in my book.

This may seem like splitting hairs, but a difference of opinion over morality can easily grow into larger disagreements about laws and punishments.  A thousand  years ago, when abortion was a last resort because it usually killed the mother, discussions over its morality were largely academic, but they certainly aren’t today.  I have heard — though I still can’t believe it — people advocate the death penalty for spammers.  If that ever became a serious movement, the question of the morality of spam would take center stage for sure.

Because I believe that spam is caused by greedy, impolite people, I support filtering, voluntary authentication, moderate legal sanctions, and other countermeasures.  Someone who believes spammers violate the laws of God would likely support harsher measures.  Our evolutionary and cultural heritage gives us no guidance; there were no spammers in the savanna.

Each new technology gives us new ethical gray areas, further complicating our lives.  Email has brought us several more ethical complexities, most more subtle than the morality of spam, which I’ll discuss here in the future.  For now, though, I’ve got to go — there’s a chimpanzee who wants my help getting thousands of bananas out of Nigeria, and it seems like too good an opportunity to pass up.


Chief Scientist
Mimecast


The second of the Four Noble Truths, the most fundamental tenets of Buddhism, tells us that the cause of all suffering is attachments.  As one of the authors of the standard that defined email attachments (MIME), I bristle at this gross exaggeration.  Surely attachments are responsible for no more than 25% of human suffering.  (Most of the rest, I think, is caused by cancer, reality television, and okra.)

To understand why email attachments are such a problem, we must start in the 1980s, the final days of the pre-MIME era. Standard Internet email included 7-bit ASCII text, and nothing more, but three different kinds of experimentation were going on.

People in various non-English speaking countries had unilaterally adopted conventions that allowed them to send mail in their own languages, though none interoperated with each other.  You could compose a message in Hebrew, but if you viewed it with non-Israeli software it would be gibberish that differed with the language the software expected.

Meanwhile, several of us were experimenting with extending email in various ways.  I was part of a group that talked about “multimedia mail” which we prototyped at Carnegie Mellon as part of the Andrew system.  Email messages in Andrew included in-line images, audio, animations, even interactive pianos.  It was very cool, and we eventually interoperated with some folks at BBN who took a similar approach.  The word “attachment” wasn’t in our vocabulary.

Finally, several vendors were experimenting with the simpler goal of including files in email.  This they accomplished, in various mutually incompatible ways.  They called their achievement “attachments.”

All three groups soon recognized the need for a standard that would allow the features they cared about to work well across vendors and implementations.  But most had no interest in the features the other groups considered crucial.  (Even non-English text isn’t necessarily important, if you’re American!)

MIME came about because the great Einar Stefferud introduced me to Ned Freed, and suggested that we try to make all three of these groups happy.  Like most standards efforts, there were many compromises and some mistakes as well.  One of the bigger ones was that we didn’t, in the first incarnation of MIME, differentiate between attached files and included multimedia objects.  People thought of them as one or the other, which led to odd behaviors that persist to this day.

The problem was later addressed with the addition of a “Content-Disposition” header that explained whether or not the object should be displayed in-line, but not all MIME implementations have honored it.  The result is that in some mail tools, I can put pictures in line between stretches of text, and naively write about them as if they’re appearing in the order I see them.  But some of the recipients of the email may see all of them at the end of the message, not as pictures but as icons representing attachments.
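The ordering problem described above, as an added example (not code from the original post or from any mail client): one constructed message laid out by a reader that honors Content-Disposition and by one that ignores it. The sample message, the function names and the choice to treat a non-text part with no disposition header as an attachment are assumptions of this example.

```python
from email import policy
from email.parser import BytesParser

# Constructed sample: text, an inline picture, more text, an attached file,
# and a picture whose sender wrote no Content-Disposition header at all.
RAW = (
    b"From: author@example.com\r\n"
    b"To: reader@example.com\r\n"
    b"Subject: Quarterly chart\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n'
    b"\r\n"
    b"--b1\r\n"
    b"Content-Type: text/plain; charset=us-ascii\r\n"
    b"\r\n"
    b"As the chart below shows:\r\n"
    b"--b1\r\n"
    b"Content-Type: image/png\r\n"
    b'Content-Disposition: inline; filename="chart.png"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    b"c2FtcGxl\r\n"
    b"--b1\r\n"
    b"Content-Type: text/plain; charset=us-ascii\r\n"
    b"\r\n"
    b"The raw numbers are attached.\r\n"
    b"--b1\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b'Content-Disposition: attachment; filename="numbers.bin"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    b"c2FtcGxl\r\n"
    b"--b1\r\n"
    b"Content-Type: image/png\r\n"
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    b"c2FtcGxl\r\n"
    b"--b1--\r\n"
)


def parse(raw):
    return BytesParser(policy=policy.default).parsebytes(raw)


def leaf_parts(msg):
    """Every non-container part, in the order the sender wrote them."""
    return [p for p in msg.walk() if not p.is_multipart()]


def label(part, kind):
    return kind + ":" + (part.get_filename() or part.get_content_type())


def layout_honoring(msg):
    """Reader that follows Content-Disposition: inline parts stay in place."""
    body, tail = [], []
    for part in leaf_parts(msg):
        disp = part.get_content_disposition()  # 'inline', 'attachment' or None
        is_text = part.get_content_maintype() == "text"
        if disp == "inline" or (disp is None and is_text):
            body.append(label(part, "inline"))
        else:
            # Explicit attachment, or no header (this example's assumption).
            tail.append(label(part, "attachment"))
    return body + tail


def layout_ignoring(msg):
    """Reader that ignores the header: all text first, everything else as icons."""
    body, tail = [], []
    for part in leaf_parts(msg):
        if part.get_content_maintype() == "text":
            body.append(label(part, "inline"))
        else:
            tail.append(label(part, "attachment"))
    return body + tail


def parts_to_scan(msg):
    """What a content filter should inspect: every non-text leaf, whatever
    its disposition says, because the reader may show it either way."""
    return [(p.get_content_type(), p.get_content_disposition())
            for p in leaf_parts(msg) if p.get_content_maintype() != "text"]


if __name__ == "__main__":
    m = parse(RAW)
    print(layout_honoring(m))
    print(layout_ignoring(m))
    print(parts_to_scan(m))
```

In the second layout the sentence "As the chart below shows:" is followed directly by the next paragraph, and the chart it refers to has moved to the end as an attachment icon.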

Here’s how complicated this stuff really is: Yesterday, I was sitting with a colleague, discussing an email topic far too complex for a blog post about the complexity of email, and we ended up discussing how attachments were represented by the two mail tools that we used. Finding that we had completely different understandings of the facts, we did some experimentation and found that we were both wrong.

Let me reiterate:  A first-class email engineer was talking with the author of MIME about how email attachments are handled by the mail tools we use every day, and we were both wrong.

At this point, I’d love to follow the Buddha’s advice and free myself from attachments entirely.  Unfortunately, studies indicate that 85% of all business data is stored as email, and most of that is in attachments.  We appear doomed to continue enduring a certain amount of suffering.  But perhaps we can do something about okra?

 


Chief Scientist
Mimecast


Some Hindu philosophers estimate that the universe repeats itself every 311 trillion years or so.  Modern scientists such as Sir Roger Penrose have lent credence to this basic idea, though with less precision.  Everything that  happens, it seems, is likely to happen again and again and again.  I find this vaguely comforting.

What I find less soothing is the many things that are endlessly repeating within the brief interval of my career in computing.  The problem isn’t one of reinventing the wheel — successful inventions like the wheel become a part of our lives, so we never need to reinvent them.  Instead, it’s the bad ideas that keep coming up again and again.  Their past failures are precisely what allows them to be forgotten until someone comes along a few years later and thinks they’ve got a great new idea.

What’s spurred me to such philosophical musings is the recent announcement that the German government has invented a new kind of secure email system.

The Register article does a good job of explaining several of the fatal problems with this scheme, so I’ll concentrate on the historical picture.

The basic idea is a fine one:  Help people to easily authenticate and/or encrypt their email messages.  Unfortunately, such tools haven’t caught on, despite decades of effort.  What’s new about the German system?  Mostly just another round in the endless cycle of time.

There are many reasons for the failure of secure mail in the marketplace, but the German government doesn’t seem to have bothered learning about them. Instead, they intend to make it work by mandating its use for certain purposes. And, as an added bonus, the government and your ISPs can helpfully access copies of your cryptographic keys.

Now, I wouldn’t underestimate the capability of a strong government to mandate how its citizens behave when interacting with the state.  If the government only dispensed your tax refund if you asked for it via a webcam, wearing nothing but a funny hat, most people would comply.  But wherever the funny hat was optional, it would stay in its box, reviled, resented, and ridiculed.

This is what happened in the early 1990s, when the Clinton administration developed a funny-hat encryption scheme known as the “Clipper Chip.” Although envisioned as a hardware solution rather than a software one, Clipper had much in common with the German approach. It provided users with encryption capability — the ability to hide your words and data from the world — but gave the government a back door to bypass the encryption. After all, everyone trusts the government, right?

Clipper was first announced in 1993, and formally abandoned in 1996, but it never saw any real use.  Had the government absolutely mandated it for an important purpose, it might have been adopted for that purpose, but nothing more.  The concept of encryption is a tricky one, and requires some explanation for new users.  If you follow up your explanation with “but the government can bypass everything,” users will breathe a sigh of relief, knowing that they don’t need to learn it because they don’t have any use for it.

The German effort was born of a real need:  to give electronic documents and communications a legal status strong enough to underlie important transactions.  This can be done with many existing cryptographic schemes, including the venerable PGP and S/MIME.  It’s hard to see how sabotaging the security of cryptographic keys can make such systems more popular. Recent research conducted by Mimecast shows that users will always find ways to work around systems that are restrictive or difficult to use. I expect that in a few years, the German government will quietly give up, and it’s the last we’ll hear about government-mandated key-compromised cryptography.

Until the next time.

 

 


Chief Scientist
Mimecast


I’m probably going to spend the rest of my life completing this series of essays about why email is so complicated, but I’d really hate to go to my grave without mentioning one of the deepest, least soluble, and most frustrating reasons:  lazy idiots.  I rarely call anyone names, so let me explain.

As is probably clear to anyone reading these essays by now, email is inherently very complicated.  The best minds in the email world — and some others — have worked tirelessly and endlessly to figure out how to make it work well.  This has resulted in a host of standards, most of them well specified in excruciating detail.  They’re not perfect, but if everyone complied with them fully, the world of email would be much more reliable and significantly less complicated.

Unfortunately, a remarkable number of people who write software that sends email not only don’t follow the standards, and not only don’t read the standards, but don’t even know that the standards exist. They look at a few messages, say “I can do that,” and write software that produces things that look, from a distance, like email messages. The myriad ways such software violates the standards are a significant, ongoing, and probably permanent factor in the complexity of email.

Consider, for example, the hotshot young programmer building a web site for his uncle.  He designs an HTML form that includes a box to input an email address, and when he gets one, he sends his uncle’s information to that address in the form of something with a From, To, Subject, and Date field, but which only follows the standards if he gets extremely lucky. This happens all the time, every day.

A few such messages are an annoyance.  But now and then, the kid and his uncle get lucky.  Whatever it is they’re doing, it catches on, and soon they’re sending out tens of thousands of malformed messages every day.  What happens on the receiving end?

To a certain type of person, it might seem obvious that a mail server should simply reject or discard any malformed mail.  That, surely, would teach the offending party to pay more attention to the standard.  But traditionally, the Internet has been built on the philosophy of “be liberal in what you accept, and conservative in what you send.”  This is the philosophy that has made the net function, and many implementors take it as gospel.

Even if this weren’t the case, the marketplace forces mail servers to race each other to the bottom.   Consider the case of a third party that regularly sends out malformed mail that the recipients actually want.  If mail server A accepts it, and the customer changes to mail server B, the customer will be outraged if mail server B doesn’t also accept the message.  They will consider mail server B’s attempts to enforce the standard to be a bug, and inevitably B will be changed in order to keep the customer happy.  This happens all the time, every day.

The result is that every mail server in the world has to take its best guess about what certain messages mean.  Is an incorrectly wrapped line supposed to be part of the previous header, a new header, or the beginning of the body?  Is an incorrect newline indicator supposed to be a newline or part of the previous line?  (I’ll write more about these specific cases later, if I live long enough.)  Inevitably, different servers make different guesses; once you’re outside the standard, there’s no right answer.  And also inevitably, sometimes these guesses are wrong, and result in messages that appear malformed or unreadable to the end user.

This happens all the time, every day.
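An added sketch of the guessing game described above (not from the original post): a small checker for a few RFC 5322 rules, run over a constructed message of the kind a hand-rolled form mailer emits, with a switch for the receiver's guess about an incorrectly wrapped header line. The sample messages, the finding names and the `stray_as` parameter are assumptions of this example.

```python
import re
from email.utils import parsedate_to_datetime

# RFC 5322 field name: printable US-ASCII except ":", directly before the colon.
FIELD = re.compile(rb"^([!-9;-~]+):[ \t]*(.*)$")
LINE = re.compile(rb"([^\r\n]*)(\r\n|\r|\n|\Z)")

# Constructed sample: bare LF line endings, a Subject wrapped without the
# leading whitespace that marks a folded line, and a free-form Date.
SLOPPY = (
    b"From: shop@example.com\n"
    b"To: customer@example.com\n"
    b"Subject: Your order has shipped and here is the tracking\n"
    b"information that you asked us to send\n"
    b"Date: 2011-05-12 15:00\n"
    b"\n"
    b"Thanks for your order!\n"
)
# Constructed sample: the same message written to the standard.
CLEAN = (
    b"From: shop@example.com\r\n"
    b"To: customer@example.com\r\n"
    b"Subject: Your order has shipped and here is the tracking\r\n"
    b" information that you asked us to send\r\n"
    b"Date: Thu, 12 May 2011 15:00:00 +0000\r\n"
    b"\r\n"
    b"Thanks for your order!\r\n"
)


def split_lines(raw):
    """Split on CRLF, CR or LF, keeping the terminator each line used."""
    return [(m.group(1), m.group(2)) for m in LINE.finditer(raw) if m.group(0)]


def valid_date(value):
    try:
        return parsedate_to_datetime(value) is not None
    except (TypeError, ValueError):  # raised for unparseable dates
        return False


def parse(raw, stray_as="continuation"):
    """Return (headers, findings). `stray_as` is the receiver's guess for a
    header-block line with no colon and no leading whitespace:
    "continuation" (glue it to the previous header) or "body" (headers end)."""
    headers, findings, last, in_body = {}, [], None, False
    for n, (text, eol) in enumerate(split_lines(raw), 1):
        if eol in (b"\r", b"\n"):
            findings.append((n, "bare-newline"))       # RFC 5322 requires CRLF
        if len(text) > 998:
            findings.append((n, "line-too-long"))      # hard limit in 2.1.1
        if in_body:
            continue
        if text == b"":
            in_body = True                             # blank line ends headers
            continue
        m = FIELD.match(text)
        value = text.strip().decode("ascii", "replace")
        if m:
            last = m.group(1).decode("ascii").lower()
            headers.setdefault(last, m.group(2).decode("ascii", "replace"))
        elif text[:1] in (b" ", b"\t") and last:
            headers[last] += " " + value               # properly folded line
        else:
            findings.append((n, "stray-header-line"))  # outside the standard
            if stray_as == "body" or last is None:
                in_body = True
            else:
                headers[last] += " " + value
    for name in ("from", "date"):                      # the two required fields
        if name not in headers:
            findings.append((0, "missing-" + name))
    if "date" in headers and not valid_date(headers["date"]):
        findings.append((0, "bad-date"))
    return headers, findings


if __name__ == "__main__":
    for guess in ("continuation", "body"):
        hdrs, found = parse(SLOPPY, guess)
        print(guess, sorted(hdrs), sorted({code for _, code in found}))
```

Under the "continuation" guess the message keeps its Date header and full Subject; under the "body" guess the Date line becomes body text and the message has no date at all. Neither reading is wrong, because the input is outside the standard.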

It’s unlikely that the world will ever run out of lazy idiots.  But it’s relatively rare for one of them to decide to start naively spewing poor imitations of TCP/IP packets.  Unfortunately, sending email is such a user-visible function, and the format looks sufficiently simple, that email generation seems to be the project of choice for the protocol-challenged.

We can do our best to educate them, but I think there’s an endless supply.  We can cope with it, of course.  But it does make things more complicated.

Image via Robbo-Man and CHRISTOPHER MACSURAK on Flickr


Chief Scientist
Mimecast


At Mimecast we discovered a new type of corporate user, the Generation Gmail user; and they are really making a splash. We’ve already written a blog post on who they are and why they exist. The research backing up our discovery can be found here (registration required).

The gist of the story so far is as follows: Our research has identified a new type of user within the corporate network; a user who is happy to use his or her personal accounts outside of the organization to work around restrictive or productivity-sucking policies. We call this user a Generation Gmail user, as they are likely to be under 25, and jump out to Gmail in order to get their work done when their business email account doesn’t deliver the goods.

We seem to have caused a stir as many of you have emailed us to say this is exactly what has been happening within your own organizations; some have told me that they are the prime example of a Generation Gmail user and have gone into great detail when telling me why. Thank you – it’s always great to hear your real life stories.

So we put our brains together, including the huge brain of our top email scientist Dr Nathaniel Borenstein, and came up with ten handy hints to help you keep your users happy, contented and, importantly, working inside your network and the systems you have worked so hard to provide.

Mimecast’s Ten Top Tips

1.       Look for clever ways to keep your users ‘on the reservation’ and inside the corporate email environment. The steps below will help, but so will motivating them in the right direction. By clever ways, I mean think of things like the ‘Deals of the Day’ websites that deliver enticements directly to users’  inboxes. Doing this internally isn’t that much of a stretch and would have many other knock-on benefits.

2.       Keep your business email up and running. One way or another this is getting cheaper and easier to do. Tolerating downtime is very old fashioned these days, as the technology exists to keep your email up and running at 100%.  So why not use it?

3.       Educate your users away from the ‘controlling and enforcing’ position. Let them know that the odd personal email isn’t a problem. Of course explain what you mean by “appropriate use” and what’s generally bad, but also explain the benefits of the business system.

4.       In the same conversation, don’t just tell your employees not to use external or personal email systems for work. Explain to them the real-world risk, use a few demonstrations or case studies and make this a story that resonates, rather than another plain old policy update.

5.       Make mobile access work. Decide on the mobile platforms which will work and then make them work! If you support one type of mobile device, consider what users of the other device will do. If this means providing your users with a common mobile platform, consider this a goodwill gesture to them.

6.       Make mobile access really work. Do your users really need a cumbersome VPN solution with pin and token code? Is it realistic to expect them to fire up their laptops and login to the network just to send an email? See number 5.

7.       Make your corporate email system better than the personal solutions your users are going to. Give them the tools they need; the technology is out there, you just need to deploy it.

8.       Importantly, don’t limit email storage. See number 7. This is something the IT department has had to do in the past because of the limitations built into core email platforms, but those problems are slowly disappearing and the cloud is a great way to offer a bottomless mailbox integrated with your corporate inbox. This includes finding a solution that allows you to eliminate PSTs too.

9.       Update your systems. Keep the platforms fresh, review on an annual basis, and make a change. Too many businesses get stuck in the past. Technology moves at such a pace, if you don’t keep up you’re often left, at best, incubating your own workaround-workers, and at worst being uncompetitive in your market.

10.   Above all; listen to your users. They vote with their mouse and keyboard. If they argue that their personal system outperforms the work email find out why. Fix the problem rather than fob them off. See number 9.

From here it is really going to be down to you. I’ll bet that you know you already have a few workaround Generation Gmail workers? That’s nothing to panic about, but does give you a focus for how you develop your email systems in the future.

Good luck!


CISSP, CCSK
Mimecast, North America.


Today’s news brings the announcement of a legal case that will test whether it is permissible, in Austin, Texas, for government officials to use private email to conduct public business.  None of us at Mimecast are authorities on Texas law, which will (properly) decide the case.  But we know a lot about the purposes, strengths, and weaknesses of enterprise email systems, and we’ve recently been studying the startlingly widespread use of personal email for company business.  Some of what we’ve found may be relevant to the Austin case.

There seems to be an assumption, in the articles about this case, that the officials in question used private email for the express purpose of hiding what they were doing from the public, and avoiding various laws about open records and document retention. Having known a few politicians in my day, I certainly wouldn’t rule out that possibility, and I understand why it might be one’s first guess. However, our study of what’s been going on in business suggests that there could be a less sinister explanation.

In particular, poorly-administered enterprise email systems are notorious for driving away users. I’ve found that cash-strapped governments are extremely likely to have their IT staff spread so thin as to make first-class administration almost impossible. If that’s the case in Austin — and again, I have no familiarity with the specific systems and organizations in the case — then the users of the system may have been struggling with a host of problems that they know — from their own experience with systems like Gmail and Hotmail — needn’t be a part of a modern email system. They may have been struggling with low storage quotas, frequent downtime, and poor remote access, for example. That sort of thing used to be an inevitable part of email systems, but the current generation — “generation gmail” — knows better.

We’re in a transitional era in computing in general, and email in particular.  Applications that used to live on mainframes, and then on local servers or clusters, are migrating to the cloud.  The cloud computing paradigm is frightening to some — Can I rely on my critical services being available?  Will I lose control of my proprietary data?  But as more companies test the waters, the answers have been resoundingly positive.  In fact, cloud-based applications are by and large more reliable than locally hosted applications, and do a better job of protecting your data, because that’s the cloud provider’s whole business.  A record of failure in such basic measures of performance would be a cloud company’s epitaph.

If the problem is one of corrupt politicians seeking to avoid disclosure of damaging information, it’s unlikely that any technology will solve the problem.  Technology rarely, if ever, succeeds in improving human ethics.  But if the politicians were — like 85% of the youngest workers in our study — avoiding their enterprise email for the relatively laudable goal of doing their jobs better, then technology can help.  A well-run, state-of-the-art, high-availability enterprise email system might be all they need.  And these days, the first place they should look for such a thing is in the cloud.

 


Chief Scientist
Mimecast


If you’re looking for simplicity, it helps to start out with some well-defined terms.  Where email is concerned, however, we seem to have skipped that step.  We all think we know what email is, yet our impressions differ in subtle ways that inevitably create complexity.

Isn’t it just sending asynchronous messages over a network?

The first time I encountered email was in 1978, at Grinnell College, in Iowa.  Grinnell was very advanced, possessing a computer all its own.  It was accessible only from a single terminal room, with a glass wall that let us see the front of the computer itself, the size of multiple refrigerators.

One day, a friend showed me a new program he had gotten off a software tape.  It let you send asynchronous messages — “email” — to any other user of the computer.  Since the computer could only be used from one room, “email” was about as useful as — but less flexible than — a truly exciting new invention, the Post-It note.  With no inkling that I would devote my career to this technology, I quickly dismissed email as a useless toy.

A third of a century later, in preparing this essay, I found that Wikipedia takes over 6000 words just to summarize “email,” with lots of links to more detailed articles.  The first sentence defines email as “a method of exchanging digital messages from an author to one or more recipients.”  (The second sentence tells us that “modern” email uses computer networks — something my 1978 self would have found truly innovative.)

I like that definition, but I doubt that it corresponds to your intuition.  For starters, it means that fax and voice mail are email.  I think that’s correct: nowadays they are often gatewayed to Internet mail, so that I receive both fax and voice mail in my email inbox.  So what’s the difference between a fax going from one machine to another and a fax encoded as a MIME message for email transmission?  Formatting details, mostly.  Yet when people talk about email, they rarely seem to mean fax as well.

We’ve also seen, in recent months, some talk about the “death of email” — generally in relation to increasing use of messaging facilities on social network sites. But if you send a message to a fellow user of LinkedIn, or Facebook, how is that not an email message? In a sense it is a throwback to the pre-Internet version of email, where there were many email “closed gardens” such as AOL and CompuServe, but it’s certainly email by Wikipedia’s definition.

All of this may sound like splitting hairs, but it’s important.  Without a clear understanding of what we mean by email, we can’t have a coherent discussion about claims that email is dead, or that email should be regulated by governments, or that email is more popular with some demographics than others.  And when a company sets its email policies, but doesn’t apply them to fax or voice mail, what does that mean when a fax is gatewayed to email?  What if you use (as I do)  a machine that sends faxes to you as MIME-encapsulated PDF files?  Do your corporate email policies apply to every such fax?

I would claim that the only coherent way to think of email is inclusively:  it is, as Wikipedia says, the exchange of digital messages.  Its fundamental characteristics include the fact that the sender can’t control the form in which the receiver views it, or what he does with it; that it requires no authentication; and that it creates network effects that raise its value exponentially with the number of connected users.  But as long as some people see it otherwise, the reality of our apples-and-oranges definitions will confuse and complicate every discussion we have about email, and everything interesting we try to extend it to do.


Chief Scientist
Mimecast


 

Recently, Facebook announced a 95% reduction in certain kinds of spam.  Taken at face(book) value, that sounds like a tremendous breakthrough, but there’s less here than meets the eye, because the “certain kinds” are basically only those that are internal to Facebook, and the solutions are hard to generalize to the broader spam problem.

What Facebook has done is essentially allow users to provide feedback about which messages from Facebook applications are unwanted.  By consolidating such feedback, Facebook can block further unwanted messages to most other users, and even sometimes completely block an antisocial application.   If Facebook can be clever enough to learn like that, why can’t your email reader?

The answer is that it could, if only email weren’t so darned complicated.  In the Facebook situation, all the offending messages are being both generated and read from within Facebook.  The good folks at Facebook have complete control of the entire lifespan of such messages.  They know exactly who sent the message, how many such messages were sent, and so on.  None of this is true for your email reader.

The idea of letting users vote about spam is a good one, and not a new one; researchers at IBM and elsewhere have demonstrated the value of letting users vote about which messages are spam, and using those votes to decide which similar messages to block in the future.  But those experiments have also highlighted the difficulties.

The world of email is one of many independent actors, interacting according to well-specified standard protocols, all of which are often ignored or misunderstood.  If your mail reader gives you a button to click on when you think a message is spam, what should happen when you do so?  Obviously your mail reader needs to send your vote (which may itself be wrong or accidental) to some server that collects it, consolidates it, and feeds the result into your spam filter.

But all of the actors in this scenario are heterogeneous.  Your organization may have any number of mail reading interfaces, each of which needs to provide a button and behave similarly when it is pressed.  You might be using any of a number of spam filters, which may or may not be prepared to accept voting data, for which there is no standard representation.  Worst of all, the server that collects the spam votes can’t necessarily trust all the information it gets; your machine may be compromised by a virus, for example, that deliberately corrupts the antispam voting database by labeling good messages as spam or spam messages as good.
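The consolidation step described above, sketched as an added example (not code from the original post or from any product): votes are deduplicated per reporter, and each reporter is weighted by how often they agree with the majority, so one compromised machine cannot flip a verdict by flooding. The vote tuple layout, reporter names, and thresholds are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample votes: (reporter, message_fingerprint, label).
# The tuple layout is an assumption; the post notes there is no standard format.
VOTES = [
    ("alice", "msg-A", "spam"), ("bob", "msg-A", "spam"), ("carol", "msg-A", "spam"),
    ("alice", "msg-B", "ham"), ("bob", "msg-B", "ham"), ("carol", "msg-B", "ham"),
    # "mallory" stands for a compromised machine flooding inverted votes.
    *[("mallory", "msg-A", "ham")] * 50,
    *[("mallory", "msg-B", "spam")] * 50,
    ("mallory", "msg-C", "spam"),
]
MIN_REPORTERS = 3      # distinct reporters needed before acting on a message
BLOCK_THRESHOLD = 0.7  # trust-weighted spam share needed to block

def dedupe(votes):
    """Keep one vote per (reporter, message), so a flood counts once."""
    by_msg = defaultdict(dict)
    for reporter, msg, label in votes:
        by_msg[msg][reporter] = label  # a later vote overwrites an earlier one
    return by_msg

def reporter_trust(by_msg):
    """Trust = share of a reporter's votes that match the unweighted majority."""
    agree, total = defaultdict(int), defaultdict(int)
    for ballots in by_msg.values():
        if len(ballots) < MIN_REPORTERS:
            continue  # too few voters to define a majority
        spam = sum(1 for lab in ballots.values() if lab == "spam")
        majority = "spam" if spam * 2 > len(ballots) else "ham"
        for reporter, label in ballots.items():
            total[reporter] += 1
            agree[reporter] += label == majority
    return {r: agree[r] / total[r] for r in total}

def consolidate(votes):
    """Return {message: 'block' | 'deliver' | 'undecided'} for the spam filter."""
    by_msg = dedupe(votes)
    trust, verdicts = reporter_trust(by_msg), {}
    for msg, ballots in by_msg.items():
        # Reporters with no voting history carry zero weight.
        weight = sum(trust.get(r, 0.0) for r in ballots)
        spam_w = sum(trust.get(r, 0.0) for r, lab in ballots.items() if lab == "spam")
        if len(ballots) < MIN_REPORTERS or weight == 0:
            verdicts[msg] = "undecided"
        else:
            verdicts[msg] = "block" if spam_w / weight >= BLOCK_THRESHOLD else "deliver"
    return verdicts
```

Majority-based trust only holds while honest reporters outnumber compromised ones per message; it bounds the damage from a single corrupted client but does not solve the authentication problem the post goes on to discuss.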

Facebook doesn’t have any of these problems when it deals with mail from Facebook applications to Facebook users.  It can watch exactly what users do with messages, and map that back directly to the applications that send them.  For similar reasons, spam wasn’t a big problem back in the day when email was often a closed garden, and AOL users could only send to other AOL users.  A single authority in charge of everything makes it easier to enforce rules and policies.  But who wants a single authority in charge of the whole Internet?  The cure would be worse than the disease.

The lack of a central authority is one of the defining features of the Internet, and reflects its origins in the effort to build a network that could survive nuclear war.  The result is a net that is remarkably decentralized, democratic, and chaotic.  The only way to end the chaos would be to regiment the net to an unprecedented degree, essentially to guarantee strong authentication for everyone who sends an email or does anything else on the net.  This would be nice for anyone who hates spam, but more importantly, a boon for any government that wants to crush dissent, or any corrupt organization that wants to halt all leaks and criticism.  That’s a terrible tradeoff, but I’m not terribly worried about it ever happening.  The net’s design favors the most powerful force in the universe:  chaos.  I wouldn’t bet against it.

CC Image via jurvetson on Flickr

Chief Scientist
Mimecast

Back in July last year, an analyst report was published that suggested that the use of webmail – or ‘personal’ email – accounts inside businesses presented a potentially huge risk to corporate intellectual property (IP). While CIOs and their IT teams focus their attention on what goes on within the firewall, their Information Workers are using their Gmail/Windows Live/Yahoo accounts to send important files.  Just how much important data is stored on public servers?  How out of control is the situation in reality?  Do CIOs have any idea of the scale of the risk?  Why do Information Workers do this?  Surely they know it is bad practice?

So we decided to do our own study to see what we could find out, and the first results of ‘Generation Gmail’ are announced today.

It’s not surprising that our study revealed a direct correlation between age and a propensity to use personal email in a corporate context.  In fact, 85% of Information Workers under the age of 25 admitted they sent work-related emails or documents to or from personal email accounts.  The million dollar question, of course, is ‘why?’.

There’s no question that ‘Generation Gmail’ enters the workplace with a different perspective on technology and its role in work and life in general.  It’s an ‘always-connected’ world, where smart-phones, social media platforms, email, IM and SMS enable a constant flow of communication, both personal and professional.  And this ‘work/life blend’ makes it difficult – perhaps impossible – to quarantine personal communications habits from the behaviours expected of employees when they cross the corporate threshold.

If this was all about age, and culture, forty-somethings like me could just shrug, as I do when my nephew suggests I listen to Dubstep on his iPod.  But it isn’t.  Of the under 25s surveyed, more than half said that if they were not subjected to mailbox limitations by their IT departments, they would be less likely to send work emails from their personal accounts.

So the subtext here, which we will explore further in part 2 next week, is that the risk to corporate data that Generation Gmail is creating is largely down to frustrations with the tools available to them in the workplace, and the feeling that IT policies more or less force them to find other ways of getting their jobs done.  We’ve called them ‘Work-around workers’.

I can’t stop my nephew listening to Dubstep.  And IT departments can’t stop young workers from using social media, or personal email.  In fact, ‘banning’ people from using tools is tantamount to a failure.  But they do need to look at the policies they are imposing, and possibly the tools they are or aren’t deploying to enable larger mailboxes, or larger file sizes … so as to reduce the perceived NEED to send documents outside the firewall.  Watch this space …

Communications Director
Mimecast
