Great post Doug. I wish I could have answers/tips for ya… I only have this statement to offer:

In my department, some sites are blocked (Facebook, YouTube) and some aren’t (LinkedIn, Twitter) As I understand it, for us, it is more a cost issue with the amount of bandwidth used. We are a small department with limited IT budget.

PWGSC provides Internet access to departments via Secure Channel (which is delivered by Bell and its partners…) Is PWGSC paying too much for the WAN services provided by Bell ? Is the departmental cost recovery set at a proper level?(i.e department paying too much?)

Interesting PowerPoint doc about PWGSC Secure Channel:

http://afceaottawa.ca/uploads/AFCEA_LTC_Overview_May_presentation2.ppt

@Yanick, are you suggesting that access to the Internet for public servants is provided via Secure Channel? Because I don’t think that is correct. Secure Channel to my knowledge is the authentication and security mechanism used to allow secure communication on the web between third-parties and the Government of Canada. I think Service Canada/HRSDC and CRA pay the lion’s share of Secure Channel costs due to the nature of the programs they both offer online. I know that Service Canada/HRSDC are actively working to move away from Secure Channel, primarily due to the costs, but also because of the technical limitations of the platform and complexity/reliability issues as well.

You said: “If government departments want to get on-board with Web 2.0, they need to start by unblocking access to Web 2.0.” Are the departments that actually *want* to get on-board the same ones that are blocking access? In general, I doubt it. There may be departments who are interested in incorporating social networking practices into their business processes without using Facebook, Twitter, etc. There are a *lot* of tools out there.

I would imagine that for a lot of departments that are blocking public social networking sites, they have simply decided that it is cheaper to block something than it is to police it, and they’re not wrong in theory. The challenge as someone who wants to use blocked tools as part of their work is to write a business case that demonstrates that the increased productivity from using those tools justifies the cost of policing people that use them irresponsibly, and that it’s important enough to be actioned ahead of many other competing priorities. All of this takes time.

In some cases, it may simply be a case of a particular employee and the culture of a particular department being a bad match. Not being allowed to use the tools you want is just one of a myriad of potential mismatches in that respect. The nice thing about Ottawa is that it’s *relatively* easy to move on when it happens.

@Christopher. You are absolutely correct when you say that Secure Channel is the security mechanism used to allow secure communication on the web between third-parties and the Government of Canada. But Secure Channel is also responsible for SCnet (formerly known as GENet) It is the actual name given to the internal GoC network that all GOC departments use. From the PWGSC OAE report: (http://www.tpsgc-pwgsc.gc.ca/bve-oae/rapports-reports/2004-613/ged-gol-eng.html)

“All federal departments and agencies now use Secure Channel’s network infrastructure and operations services (SCNet) to connect to the Internet and to enable citizens’ access to their services. SCNet replaced the previous Government Enterprise Network (GENet) in the fall of 2003.”

Good post D. While consulting for multiple GoC dept’ we see that each of them is struggling with these issues at different levels for a variety of reasons. My 2 cents on some of the three top issues:

1. Educate/Coach: HR (not IT) should start to include surfing best practices in orientation programs (touching on issues of ethics, privacy & security).

2. Leave browsing ethics in the hands of each employee’s direct manager (the old “don’t use the phone for personal calls during business hours statement)

3. Infrastructure / Security / Bandwidth: GoC should get out of the ISP business! Better and cheaper solutions are available today for equivalent secure channel infrastructure. (Been saying it for over a decade now)

~sipping my coffee~

On a positive note, we’re almost there… give it a two years or so

Apologies up front for the long comment, I think this is a really important issue.

[disclaimer: I'm a security guy]

@ChristopherHyne = yes some departments do get their internet over SCNet.

I think Doug’s pegged the reasons for blocking some sites though I don’t agree with his statement that they are hard to argue against. Most of these reasons
won’t stand up in the light of day.

Trust is definitely the overlying issue here but it’s rarely called out explicitly.

You can address the threats to the network using a defense in depth strategy and using any number of tools within the network. At the end of the day
blocking is easier but may conflict w/the business needs.

Information management is a trust issue. Sure, there’s a lot of low hanging fruit you can address with tools. But at the end of the day you need to trust your people. Education/awareness is a big one here.

Productivity is all about trust. Treat people like adults. As Doug says, “no more lowest-common-denominator”. We have a values & ethics code in place
for a reason.

Infrastructure can be solved relatively easily. While I fully support net neutrality, a private corporate network is a very different from a commercial ISP. Using throttling, DPI, and QoS technologies to prioritize traffic on your network is a must. Your bandwidth usage should align with your business priorities.

Blocking/not blocking can be a complex issue. Unfortunately, it’s been my experience that InfoSec groups within the government are seen as a roadblock
instead of a partner.

Not that government InfoSec does anything to dissuade this view. The clash of group cultures usually results in a lot of wasted energy and no group is happy with the end result.

I’ve started a space on GCPEDIA to gather information on InfoSec and Web 2.0. You can see it at http://www.gcpedia.gc.ca/wiki/Information_Security_And_Web_20 from within the GC network.

I’m hoping that we can centralize some of the supporting information so we don’t have to re-invent the wheel moving things forward.

Trust, in my experience, has always been the key issue at the centre of this issue. Previously, I was told that 2.0 is a “youth” phenomenon, and once I learn the proper government way of conducting business, I would understand just how inefficient and unprofessional I appear to be (to certain managers and colleagues).

I also understand that trust in the content online is a big obstacle. Some refuse to believe the accuracy of anything they saw that wasn’t delivered through CBC/CNN. In my old job, blogs didn’t factor in the metrics for media hits either. To me, that was counterproductive since one cannot perform a 360-degree analysis by examining 180 degrees.

There is also the human factor. Some people are uncomfortable with the web, regardless of their age or profession. They won’t trust an opinion if it’s based on information extracted from a medium they have no desire in exploring or leveraging beyond absolute workplace requirements. I had colleagues and classmates that complained about departments and unis utilizing email to communicate. “What’s wrong with picking up the phone or sending a letter?”.No time in the world to address that one.

I always found it amusing that every job post (in the gov) had “ability to exercise judgement” under the required skills section. And yet, we collectively complain of our inability to exercise this skill when it really comes down to insignificant but time consuming issues of e-access. In all honesty, if I wanted to leak information out or bad mouth the department, I will find a thousand and one ways to do it before the department ever clues in. I don’t need to post a rant on my blog about Minister X doing Y. I could easily scatter some posters from the rooftops. Then what?

Back to Doug’s subject of blocked sites, I keep saying, I can’t manage the information I receive if I cannot ACCESS it. Recently, I was encouraged by our deputy director to forward blocked website addresses to IT/IM help and ask why the site is blocked. The new (and fresh imo) approach is, they need to explain why blocking the particular site is necessary. I’ve often said those that want to minimize the e-risks associated with open access need to think about protecting key information dealing with national security and the like. They’ll have to dedicate special employees to look after security on a proactive basis, as blanketing the whole department with blind firewalls is – realistically- too weak-a-mechanism to avoid a hack job by some pesky 15 year old teen running a virus from Volgagrad.

@nellleo

First off, @Yannick and @Mark, thanks for the clarification on Secure Channel. As an HRSDC/Service Canada employee, the term “Secure Channel” in my experience is used almost exclusively in the security and authentication context. I was not aware of the other aspects of Secure Channel.

Regarding Internet blocking, I have to admit that I am not 100% convinced of the value of the completely unblocked Internet for all public servants strategy.

Having been a web developer for over 12 years now, and as the owner of a web hosting company (in my free time) for the last 11 years I know the Internet is an incredibly valuable, but also dangerous and malicious place. The fact is, I don’t even provide unfiltered Internet access to my personal network at home!

In my 10 year public service career, I’ve seen more than a few people suspended for accessing porn at work, others suspended for conducting business using GoC resources, and more than I can count playing games and watching movies on the job. And all that was WITH Internet blocking, and by mostly IT folks (which is one reason I am skeptical about computer skills being a solution).

I have personally been affected by Internet blocking. I recently tweeted about the blocking of access to SourceForge at HRSDC/Service Canada. As a developer, it was a very useful site for me. However I’ve seen the report of what was downloaded from the site in the month leading up to the site being blocked. A lot were truly useful tools for which the department does not provide any suitable alternatives. But unfortunately, the majority were inappropriate things for a public servant to be downloading on the job. Not the minority, the MAJORITY.

At HRSDC/Service Canada at least, from my experience, I don’t think Internet is just blocked. The traffic is monitored (as is email) and access to sites that are inappropriate are blocked. Twitter isn’t blocked, I suspect because it is low bandwidth, hasn’t hit critical mass usage with public servants and has some value collaboration wise. Facebook, on the other hand is blocked, again I suspect for the exact opposite. It is higher bandwidth (think pictures and video), a larger segment of the public servants are users, and let’s face it they are probably using it to share pictures of their kids or of the crazy weekend up at the cottage. Basically, abuse of access to Twitter is much lower impact to the organization than abuse of access to Facebook.

And absolutely the way to deal with something being blocked that you need access to is to, as Nelly mentioned, contact the helpdesk. In my experience you almost never get a response from the IT sec folks, but in many cases the site mysteriously unblocks a few days later (though you’ll unlikely get Facebook unblocked this way).

This is a very important discussion all, h/t to Doug for getting it out in the open and all others for contributing.

I will be documenting my approach w/this issue within my department inside gcpedia. I will share the link once I have established the page.

Isn’t Canada one of the most (if not THE most) connected country on the friggin’ planet?

You wouldn’t know it when amateurs make these foolish decisions at the government level, only consulting inexpert techies who should be concentrating on technical issues.

The federal Public Service should set an example for all employers in Canada, not like this obvious and unprofessional baloney. (Have you checked the values and ethics lately? Lip service!!!) May as well take the telephones and fax machines away from these guilty-until-proven-innocent drones.

The majority of federal workers have at least secret-level security clearance. If the powers that be trust them not to send manila envelopes anonymously or share classified information at social gatherings, they should be able to get past this. Online activities are not invisible.

We could use a parental-control version for public servants to block certain websites and downloads. And don’t we have virus/malware scanning, for crying out loud?! If a criminal investigation comes up, everything is right there on the servers. Much easier to perform than a physical search of office/home.

The biggest obstacle is for communications folks who need to keep up with the latest web-related tools and programs. After all, they should have functional authority over these decisions; they are the experts, not the IM/IT people.

A paternalistic, siloed approach is simply disrespectful and insulting, further eroding already-plunging employee morale. And it’s totally embarrassing, boys & girls, for all Canadians!

Great comments on here everyone. I will include in my follow-up post.

A couple more points:

1. Reading the techie comments only reinforces my point about who are the true communications policy experts.

2. As for personal surfing, the workplace has bleeded into our personal lives and that problem only gets worse every year. Comms people and political staff were the first to be chained to their crackberries (used to be pagers, she said, thus aging herself); managers got addicted to them later on. There’s a little thing called work-life balance, another issue that’s being lip-serviced to death.

There’s another side of this that hasn’t come up yet in this thread and which I neglected in my first comment: information management/recordkeeping.

Is a tweet a record? What about a message sent from a public servant to a private citizen via Facebook? Or Gmail, for that matter. What about this comment thread?

We have a new Directive on Recordkeeping (http://bit.ly/VzriO) that emphasizes the importance of “business value” in making that call. Library and Archives Canada has been consulting with other departments, including mine, on how Web 2.0 tools fit into our IM/RK policy framework. One example: we can’t search personal social networking accounts while responding to an Access to Information request, so how do we ensure that records make their way to GoC servers so they can be managed?

I don’t know how much Internet blocking in the GoC is justified by “we don’t know how to handle this yet” as opposed to “we know people are wasting time.” I would guess it’s not a lot right now. But I think IM requirements should be at the forefront of these decisions.

And as Christopher rightly points out, policy just isn’t enough for some people.

Jeff –
There’s no way to recordkeep my phonecall conversations, watercooler chatter, post-its on my wall, or even this comment.

Department heads need to review the prevailing presumption that their departments have a de-facto monopoly over all information on their policies. After they understand so, then it reasonably follows that information, interactions, discussions exist beyond the department that are equally important; on Facebook, on Twitter, in blogs.

IM needs to follow practices. Not the other way around.

And if it can’t it shouldn’t prevent it. And I don’t see how the policy prevents it, so there’s promise for change.

You’d be surprised how quick the post-its become relevant if you were involved in an ATIP request. I’m guessing.

In my department, things are pretty heavily filtered but there’s a straightforward process to get exceptions made for certain categories or specific sites, with director approval. And IT doesn’t make the decisions about what is blocked and what is not: the provide a blocking mechanism (WebSense is the filtering tool in my department btw) to management (HR, Security) and implement whatever they come back with. I really don’t see the problem with that. When I worked in IT support if someone asked me in haughty tone to “justify” the blocking of some site to them I’d politely say it’s has been justified to their bosses’ bosses’ boss and please submit your director’s request for an exemption to some generic mailbox we had. So be careful where you put the blame
Blocking things like slideshare and gmail is just an attempt to block an avenue for protected information to go out the door. Sure there are other ways like phones, faxes, envelopes and USB keys (the latter are already being blocked in some areas- or in my dept’s case, there is automatic forced encryption.)
Coming down the pipe are products that will encrypt all documents and make them readable only on approved computers by approved users. Basically DRM for documents. Obviously it can be bypassed just like music DRM, but it will be easier to hold violators accountable.

That’s really the problem here: accountability (someone mentioned trust above… they go hand in hand.) I think the employer could trust employees more if they had a better way of dealing with those who betray the trust. Right now the process to actually discipline someone is just too convoluted so they settle for plan B.

I agree with Jeff Rose – there is legislation at play here too. Maybe the legislation should be changed but as it stands the government needs to at least try to maintain a monopoly on its information, as futile as it might be. The ATI and Privacy acts are structured as if every piece of data is nicely filed into an organized folder.
I’ve seen it suggested before but maybe the solution is just to post all government information – even boring internal stuff – to public web sites unless it has a security classification. The infrastructure required would be mind boggling but it would do away with the need for ATIP requests since the info is already out there! Plus the public would get to see all the bureaucrats emails organizing their coffee breaks !

As a techie who was heavily involved in the Government OnLine (GOL) initiatives almost a decade ago when we were thwarted at almost every turn by the policy, communication and legal folks, I find some of the comments on here incredibly ironic.

We wanted to put the Government of Canada out on the Internet 10 years ago. Thanks for finally catching up with us. Unfortunately the Internet has evolved since then, things are a lot more complicated now.

Do the majority of public servants really have secret-level clearance?

In my opinion it’s the communications folks who have a truly legitimate case for having access to social media. So where they heck are they? Service Canada gets slammed on Twitter on a nearly daily basis. Why is there no official representation from Service Canada on Twitter? It’s not blocked. I see people complaining about not having access to some social media sites, but I see nothing official happening on those where access is already possible.

I have no problem with unrestricted (or at least less restrictive Internet access for those with a legitimate business case (comm and policy folks, what percentage of the public service is that?). But unrestricted for everyone? Literally sends shivers up my spine…

Good point @Frank, regarding IT only providing the mechanism for Internet blocking. It’s the department heads who actually make the blocking policies, isn’t it?

Reading all the comments and based on conversations I’ve had with people in various departments, _most_ people agree
with blocking access to some internet sites (or at least understand the reasoning behind
it).

I think the real issue is the lack of transparency in the implementation.

@Frank brings up a good example of (un)blocking. Unfortunately, it seems to be the exceptional case. Most departments implement blocking with little (if any) communications, no clear cut rules for blocking, and no clear process for discussion around specific sites.

Sadly, it’s the InfoSec group making the call instead of the business. @Frank’s example is spot on (if the process is a little clunky). The business should make the call, InfoSec and IT just implement and monitor.

On the technical side, most tools automatically base blocks on the category the site falls into. Who does the categorization? Most companies start w/a service like http://urlblacklist.com/ and add their own refinements.

When you implement a system for blocking, you typically block entire categories and then refine things from there.

That site you think they targeted on purpose? It probably just falls into a category that is blocked (this happens a lot with large file transfer sites a la DropSend.com).

Policy has been mentioned on the IM/RK side of things. Remember it applies to the InfoSec side as well. MITS (Management of Information Technology Security) and the GSP (Government Security Policy) are the big two. There are a whole series of directives and guidelines from the CSE as well.

(Not to steal Doug’s next posts thunder but…)

If the process behind blocking specific sites and process for re-evaluating a specific block were fully transparent, would anyone really object?

I think this really is an important discussion.

I think it boils down to the issue of trust. This goes both ways, and I think transparency is the key, like Mark suggests.

If I knew the rationale of a site being blocked, or at least knew the process, I’d be more willing to at least understand if not accept it.

The GCPedia page on blocking is interesting, because it provides some information on what is being blocked. I’ve been in a few departments and each one blocks different things.

As to the issue of how much info should be online. I agree it’d be a big challenge, but I think there appears to be a culture of secrecy developing, whereas I think openness should be the rule.

I.e. in the case of blocking, those doing the blocking should have to make the case, not the other way around (Of course it’s never going to be quite that easy, otherwise everyone would have access to porn… some things should be blocked at work..)

Great comments from all yet I’ll single out one by Marquis, “GoC should get out of the ISP business!”

I couldn’t agree more. The human and financial resources being expended to, poorly in some cases, replicate better, more secure services now wildly available should be closely examined.

If Web 2.0 has taught the government one thing it should be that in rapidly evolving time, we can no longer expect 10-20 year old policies and infrastructure to support us. That change, will take some leadership and time.

The fact of today’s reality is that public servants are no longer being offered the same tools in all departments. This will, and should lead to some departments becoming the employer of choice because staff will have more access. I will soon liken it to choosing between a desk with an electric typewriter or a computer.

If not already being done, Treasury Board should canvass all departments to see what is/isn’t being blocked and why! Identify the deficiencies that exist (bandwidth? dated systems?) and level the playing field. If, during the process, gaps and shortcomings are identified then that should be seen as a positive result.

I was recently asked by I thought government employees should be given access to a site like youtube. Answer: as soon as government started participating in or making information available in/on these plaforms, employees should be able to access it.

For those in communications, I salute you! It will be a work in progress and fortunately we get to help shape policies, new job opportunities and how our government informs and serves.

Until then, submit business cases for sites you should have access to and keep the ball rolling.

@mjmclean

Hi Doug, and all…
I’d like to share something that happened yesterday in my department for a business case for unblocking internet.

A citizen wrote to us regarding the management of a lift bridge, quoting some examples where other bridges give status updates over the web.

They pointed out that the Tower Bridge in London England is on Twitter, updating automatically when the bridge is raised. Another bridge, run by the Niagara Falls Bridge Commission, is configured to update traffic status.

The citizen provided us with further information on how to set up systems like these via a link to a blog.

The blog URL was blocked, as is access to Twitter; interaction with the citizen was essentially cut short.

[...] also refers to policies addressed in an earlier post, a 1998 policy on the use of electronic networks and a 2003 policy on management of information [...]

[...] script: Douglas B. has some great suggestions about how to deal with blocked sites and lists some of the ancient policies that could help public [...]

It is really a bit of an arms race in what is truly “blocked”. It seems like there are more “proxies”, how-to’s and similar that it is really hard to truly stop people from doing this. Though it’s a pay for site, http://www.mypersonalbrowser.com actually pops an entirely new web browser on the open internet allowing you to surf behind the firewall. Not sure if that site in particular is blocked yet.