I’ve been thinking a lot about pornography today.
More specifically, I’ve been thinking about a new law passed in South Carolina that will require IT managers to report network users who send or receive child pornography through e-mail. Those who fail to comply with the legislation face a US$500 fine and up to six months in jail.
I suppose it was only a matter of time before technical support personnel became burdened with these sorts of responsibilities. IT managers, in between system maintenance and network upgrades, are now expected to become Internet traffic cops. Never mind that the law gives an extremely wide definition of what constitutes child porn, or that it fails to outline what kind of training IT managers would need in order to take on such a role.
Of course, monitoring corporate Internet use is only going to grow as abuses lead to lawsuits, and companies try to save court fees and protect their reputations. IT managers probably seem like the most appropriate parties for the job, since they’re the only ones who really know what’s going on. They’re the eyes of the network.
They are not, however, the mind. While many IT managers and CIOs play an increasingly critical role in setting out technology strategies, employee behavior policies have traditionally been the prerogative of human resources staff, as directed by senior management. Rather than empowering IT managers to work better with their organization, South Carolina’s law dumps a chore no one else wants to deal with and uses scare tactics that will only distract them from issues that need their expertise and attention.
Whether or not this particular law makes its way to Canada — and if it’s adopted by more states, the possibility is all too likely — it exposes gaping policy holes in the many organizations which haven’t fully adapted to the so-called New Economy. As security professionals love to point out, most incidents come from internal abuses due to lack of proper procedures. The Canadian government no doubt takes pride in the passage of our Internet privacy law, but how many banks and other large enterprises have complied with the requirement that a person be appointed to enforce the legislation?
Until a network attack has occurred or the RCMP finds a kiddie-porn ring deep in the accounting department, it’s tempting to put these sorts of challenges aside while everyone deals with bottom-line issues. But the government, faced with pressure from its constituents, is starting to demonstrate its impatience and is demanding action. Without a deep understanding of how these organizations work — in particular, the load that already rests on a typical IT manager’s plate — its strategies will no doubt prove less than effective and create more problems than they solve.
I have no doubt that most IT managers have the morals necessary to guide their actions if they learned about misuse by a network user. But there has to be a more cohesive effort by CEOs, HR departments and other parts of the organization to establish rules of online conduct that will respect the law without putting IT managers in the position of office snitch. Besides the considerable implications this would have for the hiring qualifications of IT staff, it would needlessly create more friction and distrust between the IT department and its users. If the people who run corporate enterprises were doing their jobs, the law would only serve to reinforce their practices. Let’s stop this Orwellian scenario at the border.