Policy Considerations Before Deciding Who Can Connect to the Internet

1. Introduction

Before the Internet became well known, most computer networking occurred through closed systems: systems in which all of the data, communication lines, software, security and users were controlled by a single entity, the organisation running the system. This is the local area network (“LAN”).

Standardization of digital communication protocols and the growing popularity of the Internet shifted preferences toward open systems: systems in which no one administrative or legal entity controls the information, the communications activities or the user population. The open system is like an open market. Anyone can communicate with anyone else without any real control. This shift, from closed to open systems, raises several issues that are worth thinking about in determining when and how lawyers should use the Internet. I do not propose to go into a detailed discussion.

For a law firm, the Internet serves two basic purposes: (1) for sending and receiving E-mail to and from clients, other law firms, the courts and various government agencies; and (2) for using World Wide Web to retrieve information (eg the Legal Workbench) and to publish information such as the firm’s newsletters, articles and presentations in its home page.

2. Issues?

The following are some of the issues that a law firm should consider before deciding who and when a user can have access to the Internet.

  1. a. Work ProductivityWould allowing a substantial number of office staff onto the Internet result in productivity suffering? The answer is “It may”. The solution is “Control usage”. Some companies have a very clear Acceptable Use Policy (“AUP”) on this which applies to the whole organisation, ie. both users and non-users, so that all will know what they can and cannot do with their Internet access as and when they do so.
  2. b. SecurityA law firm should be concerned with security. If the Internet access is through a standalone Personal Computer that is not connected to other computers in the firm, then this may be a small problem, just check that no sensitive information is on that computer’s harddisk.If Internet access is through a Personal Computer that is also connected to the law firm’s LAN, then there should be more concern. If the Internet access is a leased line or allows outsiders to dial into the firm’s network, then security is a serious issue that must be addressed.
  3. c. VirusesClosely related to Security Issues is the issue of computer viruses. Viruses can infect a computer when files are indiscreminately downloaded from the Web or with a program called Java, the virus may be downloaded without the user knowing it. The solution, make it clear in the AUP when to and when not to download files. Also get a virus protector.
  4. d. Breaches of the LawThe users, especially in a law firm, have to be educated on what are the laws and regulations concerning their Internet access. They have to know that Intellectual Property rights are breached when they download a picture or a program unless there is express permission from the author/creator to do so. They have to know what is considered as objectionable information under the various Media Development Authority’s regulations. Also users have to know when they may be breaching professional codes of conduct. List them in the AUP.
  5. e. ConfidentialityConfidentiality of a client’s information is of utmost importance to a law firm. Some experts consider E-mail to be an unsecured form of communication and advise that the message be encrypted to prevent wrongful access.Access to the Internet also means that confidential information can be passed to third parties without the wrongdoer leaving the office. A law firm may want to consider means of monitoring this.
  6. f. Others Issues
    There are other issues which have to be considered on a firm to firm basis. Some firms have an Internet or an Intranet site. A policy must be set on what information should be published at such sites.

Another consideration is that very soon there will be more and more legal related services on the Internet. This means that law firms will have to allow more and more of its staff onto the Internet, otherwise work just cannot be done. It was not that long ago that law firms only had a few computers and users had to “book” time slots to use them. Now almost every member of a law firm has access to a computer. I expect the same to happen for Internet access.

3. Acceptable Use Policy

As stated above, the AUP must be clear so that no one in the firm can say that they did not know they were prohibited as a matter of the firm’s policy from doing something. A sample AUP is set out below.


Sample

Acceptable Use Policy

Introduction

  1. These guidelines set the policy for the Firm’s general staff and lawyers. Failure to comply with this policy may lead to disciplinary action ranging from warnings to termination. Access to certain computer resources may be withdrawn without notice or reason being given.
  2. This policy may be up-dated from time to time and users are advised to check this page regularly.
  3. The use of computer resources in the Firm must be in support of the Firm and for research, personal and professional development only. The interest of the Firm and the Firm’s clients are paramount.
  4. There shall be no offering of IT services for profit making and to unauthorised users. Users are fully responsible for the provision of the computer resources at all times and in no way attempt to by-pass the authentication procedure.

General Policy

  1. Use the computing and communicating facilities in a manner which is not detriminal to the good name of the Firm; for example; by entering anything confidential, provocative or distasteful onto the local and international bulletin boards, World-wide Webs, and Internet communication channels from the Firm’s network.
  2. Respect the integrity of computing systems and data; for example; by not intentionally developing programs or making use of already existing programs that harass other users, infiltrate a computer or computing system, damage or alter the software components of a computer or computing system, or gain unauthorised access to other facilities accessible via the Firm’s network.
  3. Respect the rights and privacy of others by not accessing another person’s files without proper and appropriate permission, and not tampering with their files, passwords or accounts, or representing others when E-mailing, messaging, conferencing and any other kind of communications cia the Firm’s network.
  4. Not to use the computing facilities for any unlawful purposes such as, but not limited to, vice, gambling or other criminal purpose whatsoever or for sending to or receiving from any person or site any message which is offensive on immoral, religious, communal or political grounds or is abusive or of an indecent, obscene, pornographic or menacing character or which will result in a breach of another person’s intellectual property rights.
  5. You must comply with rules appropriate to that network should you use another organisation’s networks or computing resources.
  6. You must not run any services that allow people to access your computer in any way, eg. HTTP, Telnet, FTP, Talk, IRC, etc.

Desktop

  1. Do not leave your sessions unattended. Always log off.
  2. Always scan diskettes before using them.
  3. Make frequent backups of the data stored in the hard disk.

Computer Accounts and Passwords

  1. Use only the computer account which you are duly authorised to use. Do not give it to another person. You do not publicise yours or other computer accounts and passwords that do not belong to you in a clear text or encrypted form.
  2. Use the computer account for the purposes for which they are intended and not for any commercial purposes.
  3. Use a password with mixed-case letters. Do not just capitalise the first letter, but add uppercase letters in the middle.
  4. Use a password that contains alphanumeric characters and includes punctuation.
  5. Use a password that can be typed quickly, without having to look at the keyboard. This makes it harder for someone to steal your password by looking at your keyboard.
  6. Change your password every six months.
  7. Do NOT use your userid in any form (as-is, reversed, capitalised, doubled etc.) in your password.
  8. Do NOT use your first, middle or last name in any form.
  9. Do NOT use any nicknames you may have nor your initials.
  10. Do NOT use your spouse’s, significant other’s or child’s name.
  11. Do NOT use a word contained in English or foreign dictionaries, spelling lists or other word lists.
  12. Do NOT use other information easily obtainable about you. This includes license plate numbers, telephone numbers, identification numbers, the brand of your automobile, the name of the street you live on, etc.
  13. Do NOT use a password of all numbers, or a password composed of the same alphabet.
  14. Do NOT write your password on desk blotters, calendars, or store it on-line.
  15. Do NOT attempt to crack, guess and capture computer passwords or PINs.

Computer Virus

  1. Do NOT attempt to write and spread computer virus and hoax.

Copyrighted Materials and License Software and Data

  1. It is prohibited to transfer, duplicate or obtain illegally any copyrighted material, including, but not limited to, agreements, license software, programs and data.
  2. You must respect the rights of others by complying with all law, regulations and policies regarding intellectual property.
  3. No unlicensed or unauthorised software to be installed in the local hard disk or the servers’ disks.

E-mail

  1. You should always use your real name or user account in E-mail. There shall be no conceal of user identity and do not masquerade or send E-mail anonymously.
  2. You should always append the appropriate confidentiality warning and/or disclaimer to any E-mail sent. The warning should read:

    “Information in this message is confidential and may be legally privileged. It is intended solely for the person to whom it is addressed. If you are not the intended recipient, please notify the sender, and please delete the message and any other record of it from your system immediately.”

  3. You should not harass people with language, frequency, or size of messages.
  4. You may not send E-mail to any person who does not wish to receive it. If a recipient asks to stop receiving E-mail, you must not send that person any further E-mail.
  5. You are explicitly prohibited from sending unsolicited bulk mail messages, junk mail or spam mail. This includes, but is not limited to, bulk-mailing of commercial advertising, informational announcements, and political tracts.
  6. You may not forward or otherwise propagate chain letters, whether or not to the recipient wishes to receive such mailings.
  7. Malicious E-mail, including but not limited to “mailbombing” (flooding a user or site with very large or numerous pieces of E-mail), is prohibited.
  8. E-mail on the Internet is not secured. Never include in an E-mail message anything which you want to keep private and confidential unless encrypted.
  9. E-mail is not reliable and can get lost. Let senders know you have received their E-mail, even if you are unable to respond in depth immediately.

Internet Mailing Lists and Usenet News Groups

  1. All the guidelines covering E-mail apply here as well.
  2. Actively disclaim speaking for the Firm if you are not. Note that professional rules and conduct prohibit any act which “is likely to lead to the attraction of professional business unfairly”.
  3. Obey copyright laws and indicate quoted material.
  4. Do not post any messages anonymously.

FTP and Peer-To-Peer Services

  1. Look locally before ftp-ing something from a geographically remote site.
  2. Observe any posted restrictions on the ftp server.
  3. Obey copyright laws when uploading or downloading any files.
  4. Do not upload any files confidential to the Firm.
  5. Always scan any downloaded file (software or document) for virus.

World Wide Web

  1. Do not download any objectionable information as defined by the Singapore laws and regulations.
  2. Always scan any downloaded files for virus.
  3. Do not submit any information confidential to the Firm.

Telnet

  1. Do not telnet to machines on which you have no account, or on which there is no guest account.
  2. Observe any posted restrictions on machines to which you telnet to.
  3. Do not use the same password that you use for the Firm’s systems. Passwords are transmitted in the clear when you telnet and can be easily captured.
  4. You are encouraged to access the systems over a secured channel.

Internet Publishing

  1. Information published on the Internet about the Firm should be accurate and valid and must comply with the Publicity Rules issued by the Law Society.
  2. Objectionable information as defined by the Singapore Laws must not be published.
  3. Obey copyright laws.
  4. All published information must be accompanied by the Firm’s standard disclaimer.

Acceptable Use Policy © 1998 Ong Tay & Partners.