|
Security
and Confidentiality Issues
Authors' Note:
Our thanks to our colleagues
and readers who have encouraged us during this column's first year!
We now begin a new direction as this column continues: safety and
security in practice. Also, please note that Bob Vernon has joined
the Indiana University social work faculty and has a new e-mail
address at the bottom of this article.
Emerging Issues:
Confidentiality is our
cornerstone for practice. While new technologies such as e-mail,
listservs, and the web bring immense resources, we must be able
to manage information in confidential and responsible ways. Fortunately,
our Code of Ethics and new policy statement on technology from the
Delegate Assembly provide some guidelines for this. (Visit www.socialworkers.org/Code/ethics.htm
and search for "comput" in the document by using the "Edit-Find"
feature. You'll find the specific code sections that deal with computing.
If you don't have a copy of the new policy statement then its time
to upgrade your paperware! Treat the agency to the new edition of
NASW Speaks! Visit www.naswpress.org.)
We begin this series of columns by discussing four technical issues
you need to worry about.
Browser Conflict:
One of the basic conflicts
is that internet browsers such as Internet Explorer and Netscape
are antithetical to our confidentiality needs. Browsers intentionally
make multiple records and copies of where we have surfed and what
we have seen. To make things worse, this information is often scattered
in several places on your computer. As a result, you can't just
erase one history file and be certain you have completely covered
your tracks. This applies to any internet-connected computer you
use, either at home or the office, or that snazzy new palm pilot!
Chances are very good that there are multiple ways for unauthorized
people to review your work with clients by searching for a few files
you did not know about. We think that security breaches within
the agency probably pose the biggest danger to using the web
in practice.
ISP Records:
A second conflict rests
with the ISP (Internet Service Provider) that connects your machine
to the Internet. These firms keep logs of where you have been and
what you have done. This is legitimate: they need this information
to manage their systems and as insurance against crashes. Yet their
records provide another trail that can conceivably lead back to
that session where you surfed toxic sexuality issues with one client
or searched for very sensitive mental health support resources with
another. This is a more remote problem than browser conflict because
recovering this information is like searching for a needle in a
Nebraska's worth of haystacks. Yet it is possible. Law enforcement
agencies do this all the time.
Cookies:
A third danger is directly
web-related. Many websites, especially commercial ones, use a technology
called "Magic Cookies" that records every smidgen of your surfing
experience at their website. This includes recording which pages
you surfed, how long you viewed each page, the links you visited
within the website and -- get this -- the complete internet address
of the machine you used! More invasive, many "cookie" programs then
write a small text file on your computer so that when you visit
the website again they can recognize you as a past customer. The
website can now adjust how it interacts with you based on your previous
visit. If you bought books from an internet bookseller, for example,
the website may greet you by name and try to entice you with new
titles based on your recent surfing forays and purchases. This form
of targeted marketing is very up-close and personal, and explains
those nasty surprises when families discover porn advertisements
cropping up at home on junior's PC. Those advertisements aren't
there by accident. We call these "anchovy chip cookies" and they
certainly can leave a bad taste from surfing too close to the rocks.
Viruses:
Finally, there are really
clever and destructive people that actively want to destroy your
computer. Their efforts range from individual pranks to serious
organizational attempts to destroy the web, and most need therapeutic
encounters from the district attorney. The recent "I Love You" virus
attack via e-mail is only one example of many assaults, and we can
expect more sinister ones in the future.
Practice Tips:
Browser conflicts are
probably the hardest security issue to control because no two browsers
store surfing and e-mail records in the same way. To make matters
more difficult, you need to be able to eradicate surfing records
from multiple browsers and e-mail programs if you are using them.
If you use Netscape at home and the office has Internet Explorer
and Eudora, you have to learn how to control them all. In addition,
different generations of browsers, such as Netscape 3.0 versus 4.0,
handle records in different ways. We recommend three strategies:
First, do not type URLs
in the "Location/Go to" (Netscape) or "Address" (Internet Explorer)
boxes. When you do this, another person can easily click on the
pull-down menu at the right side of the box and follow your tracks.
Make this more difficult by instead entering URLs from the "File-Open
Page" box (Netscape) or "File-Open" box (Explorer). Make this a
habit.
Next, pay attention to
those URLs you "Bookmark" (Netscape) or record as "Favorites" (Explorer).
If these are very sensitive and can be directly linked to an individual
case, then save these to a floppy disk and not your hard drive!
Tuck the disk into the case folder or lock it up, away from prying
eyes.
Finally, control that
"History" button! Most browsers will allow you to voluntarily erase
the history file, the primary way to track past surfing. If you
are using Netscape, follow the "Edit-Preferences -Navigator" sequence
of choices and click on the "Clear History" button. This will destroy
your latest records. If you set the page history choice to "0" (Zero)
you can avoid making additional surfing records on the history file.
The Internet Explorer procedure is similar: follow the sequence
"Tools-Internet Options-General-History." If you do this, you will
lose the ability to see the links you just surfed because the link
colors will not change, they will just stay blue. But you will gain
the security of knowing that your machine is not saving a history
file full of confidential information that anyone else can access.
Unfortunately, there
is more to do that can't be covered in this short column. Basically,
you need to erase "cache" files that store other surfing records
and images. We suggest that you find a consultant, especially when
using an agency computer that is shared by others, and work out
policies and procedures that assure that surfing histories and all
other traceable records will routinely be eliminated.
ISP Records:
The Internet Service
Provider marketplace is vast and complex. Some providers have direct
policies covering the ownership and retention of records. Others
are vague or do not address the issue. The sensible approach is
to directly examine your home-provider and agency-provider contracts
and determine what action is necessary to assure that records are
professionally managed and routinely destroyed. Check out your provider's
website as many post their policies and service agreements online.
Negotiate. Bargain. Consider changing your provider if you don't
get satisfactory answers!
Cookies:
The best approach to
avoid anchovy-flavored cookies is to disable this feature from your
browser. In Netscape, follow the "Edit-Preferences-Advanced" choices
and disable the cookies. In Explorer, follow "Tools-Internet Options-Security
and in both the "trusted sites" and "restricted sites" sections
disable the two cookie options. You may occasionally encounter a
website that you really need to use but can not view without allowing
cookies. When this happens, temporarily enable the cookie feature
by following the sequence above and again disable it when you are
done. The only cookies we recommend are those sold by live girl
scouts. You don't need cookies to surf!
Viruses:
Getting a virus from
a website or e-mail is difficult but certainly not impossible. Why?
Most e-mail and websites are written in text-based programs, making
the passing of a virus very difficult. The danger usually lies in
attachments that are added onto messages or links. Some are simple
annoyances, sort of like head lice in the day care center. Others
are truly lethal, can ruin your computer, and may earn you undying
animosity from former friends if you have passed the virus along.
The best defense is to buy an anti-virus program that includes an
online update service, install it, and routinely maintain the updates.
These programs are inexpensive insurance against catastrophe. Some
of the more sophisticated brands offer integrated programs that
will both routinely search your computer for viruses and clean out
those cache files of old surfing records.
There are other dimensions
to safely using the web and e-mail in practice, such as informed
consent and the need to encrypt exchanges. We will take these up
in future issues. At minimum, we strongly recommend that anyone
using the Internet in practice needs to become aware of these issues
and fully inform clients about risks and benefits. Agencies should
review how employees need to use the web and create policies that
minimize the risks. A professional security consultation may be
a most worthwhile investment, especially when the Internet is extensively
used in practice with vulnerable clients.
Websites to Visit:
Privacy, providers and
associated issues:
FreedomNet is a specific
service provider and we do not specifically recommend or disapprove
of it, but their website contains some very good discussions of
privacy and technology issues. The URL is:
http://www.freedom.net
Cookies:
Cookie Central has substantial
discussions of the merits and liabilities surrounding the magic
cookie technology. The URL is:
http://www.cookiecentral.com
Viruses:
Ziff-Davis has an excellent
series on virus issues, security and protection. The URL is:
http://www.zdnet.com/zdhelp/stories/main/0,5594,2248291-3,00.html
In addition, John Pallato's
discussion is very helpful for the novice and contains software
program reviews:
http://www.zdnet.com/sr/infopacks/virus/anti.html
Symantec, publishers
of the Norton Utilities, offers associated products and services.
http://www.symantec.com
or http://norton.com
So does McAfee, another
leader in the industry:
http://mcafee.com
|