ingenuities, circumventions, detours, translations, augmentations, improvisations, fixes, kludges, tricks, minor adjustments'. They may be 'awkward, temporary or.
IT FOR REGIONAL INDUSTRY & e-COMMERCE
WORKING AROUND SECURITY: ISSUES OF IMPLEMENTATION AND DISTANCE Fiona Brady FR Brady Services ABSTRACT Remote communities have access to increasingly sophisticated technology: intranets and the Internet are now standard. Technology has been promoted as a means to overcome “distance” yet, distance increases the difficulty of implementing and maintaining technology. So how are remote communities negotiating this situation? This project uses an actor network approach to look at technology use in a remote workplace. Through the focus of a workaround of the computer security I trace the network of associations and alliances that led to this point. It is my aim to describe the different understandings of the situation to look at the ways distance, both geographical and conceptual, affects technology adoption, implementation and ongoing use.
INTRODUCTION The objective of this paper is to describe an incident with the computer security in a remote workplace and, using an actor network approach, to identify issues, and to trace some factors that composed this situation. This type of study is important: people are increasingly required to use technology: in the home, to access services and at work, so we need to gain a wider understanding of the process of information technology adoption and implementation. This study focuses on the interplay between the social and geographical contexts as the technology and workplace routines integrate. The project addresses concepts found in the study of science and technology. I also draw on work from the fields of information systems, the sociology and anthropology of technology, the philosophy of science and technology, and organisation science. I have used the concept of “workaround” to focus this study and I discuss its utility drawing on the work of Neil Pollock, in particular his paper “The tension of workarounds: how computer programmers negotiate the use of technology”. (Pollock 2001).
ITIRA CONFERENCE DECEMBER 2003
The empiric al section of the paper explores a short conversation held in the office between a staff member and the consultant about how to “workaround” the computer security. CONTEXT This story is set on a small island in Far North Queensland. The island population is approximately 150 and all permanent residents are indigenous. Services available on the island include a general store, a primary school (classroom computers are Macs), and a Medical Aid Post. There is a church and the council, which provides municipal services. Few households have personal computers; all households have or have had telephones. There are four TV and two radio stations available. The power is supplied by diesel generator: brownouts and blackouts are common as the capacity of the generators is limited. To travel to the local business centre you must catch two ferries and a light aeroplane. The council administration office is the setting of the project. Staff and councillors each have separate offices, and there is a common space where the fax, photocopier, network printer and Internet computer are located. The main participants (actants) in this project are the administration staff: council clerk and a senior and junior clerk; their computer network; the
PAGE 253
IT FOR REGIONAL INDUSTRY & e-COMMERCE
technician, and the vis iting consultant/researcher. The computer network is five years old, the server and some machines were replaced 12 months ago. The technician who did the installation and set up was from the regional centre 900km distant. METHOD The project uses Actor Network (ANT) framework. The value of this approach in relation to the adoption of technology is well established (Callon 1987, Latour 1996, Star 1991, Law 2000). The Actor Network approach presents an alternative to the concept that innovations spread by diffusion. The adoption of innovation is seen rather as contingent, reflexive and above all complex and unpredictable, laborious and political. The network approach enables researchers to trace back the choices, associations and factors that contribute to the development and use of technological artefacts. An “actor network” can be described as relationships around a common interest: these may be contradictory and they will be heterogenous, that is including human and non-human actors, many of whom participate in other networks. They are dynamic, they may be sites of contest or cooperation, they may disintegrate, or they may become “black boxes” (Bowker and Star 1996). The Actor Network approach has been characterised as interested in “description, rather than claims about the operativity of artefacts, their technological efficiency, success or failure of technological change, irrationality of choices or procedures or the “real” function or purpose” (Brey 1997).
workarounds in relation to the Actor Network approach. I want to draw a distinction between two types of information technology systems: Those specific purpose systems designed for large organisations, which have specialist staff to minister to them; and small business systems that use personal computers and general software packages designed to allow the user to customise them to suit their needs. This study is looking at user customisable systems in the small business situation. Information Technology implementation is a contested zone, it is the site where theory, or design, and practice meet: Information Technology software engineers strive to generalise procedures to accommodate the widest range of situations in an integrated package, while individuals in actual workplaces endeavour to particularise, either to apply these generalisations to their existing sets of procedures or to adapt their procedures to fit the technology. In practice, integration may be piecemeal, or progressive: adjustments and additions continuing while we do our regular work. Pfaffenberger (1992) argues that personal computers were originally developed for home use, for people to experiment and make their own programs, to tinker; while the mainframe was designed for the workplace. In this paper I suggest that the tension between the design intention underlying the personal computer system and its use in workplaces generally, explains some of the unexpected results in the implementation and use of IT systems in this workplace. WORKAROUNDS
Actor network is suited to the particular situation of this project; it has been used to analyse technology implementation in a range of less technologically developed regions including French Polynesia (Akrich 1992), and Sri Lanka (Pfaffenberger 1992). I am going to briefly identify two aspects of the general Information Technology context, which indicate underlying issues that add to the complexity of implementing Information Technology systems in this situation. I will then discuss key concepts that situate
ITIRA CONFERENCE DECEMBER 2003
Workaround is a non-specific term. It is used informally, in technicians’ talk, in systems talk. It is grouped with concepts like ‘boundary crossing; substitution, dodges, ingenuities, circumventions, detours, translations, augmentations, improvisations, fixes, kludges, tricks, minor adjustments’. They may be ‘awkward, temporary or creative’ workarounds and give rise to ‘patches’ to ease workarounds. Neil Pollock additionally draws in deliberately political aspects of workarounds: describing
PAGE 254
IT FOR REGIONAL INDUSTRY & e-COMMERCE
them as instances of “resistance” and power: “not performing collegiality but attempting to establish difference” (Pollock 2001). Gasser (1986) describes workarounds as “intentionally using computing in ways for which it was not designed or avoiding a computers use”.
principle of methodological symmetry:1 . The ANT researcher thus would not differentiate or indeed focus on a workaround. However in research, the method is just the starting point: in choosing workarounds as a sensitising device, I have chosen to prioritise a user centred political aspect of the project.
Those activities identified as workarounds are not outside existing theories of implementation, they are described in various studies of science and technology: Akrich (1992) refers to strategies of adjustment in the implementation process; Gasser (1986) and Star (1991) talk of numerous “ad hoc modifications”; Michel Callon’s (1987) term is “progressive negotiation”; “articulation” is described by Guerson and Star (1986).
I am using a short exchange to launch my analysis.
Workaround is an imprecise term. Workaround has a deliberate user focus; it represents the view of those who are not “authorised” to change the system: Users evade security, or use a convoluted process to use the network printer when the network is down. For technicians to perform a workaround, they must be compromising what they believe to be the design intent or the “proper” way to achieve the end. Workarounds will be small changes that leave the basic system unchallenged. So we are looking at a particular part of the implementation process, the informal adjustments that keep the system running. The term works on the perception of a power differential: To identify a workaround means to adopt a position of knowledge of a “real” or “authoritative” purpose or way which is dissonant with local application. In order for an action to be identifie d as a workaround, someone must be “janus faced” (Latour 1987) seeing the local, particular, and the general stories. It may be the person performing the workaround or the observer. An action thus may be perceived as a workaround from some perspectives and not others. Workarounds may be seen as in conflict with ANT method. The ANT approach seeks to dissipate the domains of power through its
THE STORY Jane says
Excuse me Anna, before you go could you log me in to your computer, I want to look at the payroll …wait a moment, your Windows screen saver will lock me out anyway…no I don’t want to know your network password.
Anna says: well you could ask Susan to log you in, or I could disable the screen saver like this, and you just put it back on when you are finished. ANALYSIS What does this short exchange show? Jane asks Anna, the senior clerk, to log her in, using Anna’s user name and password. That Anna accepts Jane’s right of access is shown in her willingness to do it, she actually offers three alternatives. Further more, it is not a subversive request –she suggests Jane could also ask Susan, the council clerk to do it. . We can see here a cooperative effort by the staff and consultant to workaround a Windows NT Small Business Server security set-up shortfall—Jane’s password does not give her access to the payroll program. They are not subverting the security—Jane’s right of access is not disputed. However, we can see the actual responsibility for making changes to the set-up has been placed outside the workplace, with the technician, because they do not go to the server to alter the security settings themselves. 1
Although is has been suggested that the ANT concept of inscription is an attempt to bring in the political dimension of implementation .
ITIRA CONFERENCE DECEMBER 2003
PAGE 255
IT FOR REGIONAL INDUSTRY & e-COMMERCE
By seeking help, acknowledging Anna’s ownership of the computer, Jane reinforces the social network, however Jane also maintains a semblance of “normal” security by not sharing passwords. Not all the computers have password protected screen savers set up; Anna has created effective security for her computer by introducing the screen saver, which actually prevents others using her machine. The screen saver is particularly effective as Anna knows she does not log out when she leaves her machine. The screen saver automatically enables her security every time she does not use the machine for five minutes. In this way it acts as a technical delegate similar to the door closer device described by Latour (Akrich and Latour 1992), Through the workaround example we can see Anna’s knowledge of system set-up and options exceed those listed in her job description. This is not the result of formal training, it is skill she has developed because she is interested, she watches and talks with others and has the opportunity to try things on the computer while at work. This observation has been recognised in research, “learning how to cope with systems flaws and idiosyncrasies - a knowledge of kludges and workarounds remains a large part of an employee skill” (Attewell 1997). This workaround example also shows how well designed the computer program is for “trial and error” or discovery learning methods: employees do get the technology to produce results despite their limited networking knowledge. These computers were set up to allow relatively free access and staff have explored their computers and the network. This approach may be at odds with workplace values which focus on set job descriptions, and cost-time effective outcomes. The setting is an important factor in this story; I gave a thorough description of the island not just because it is exotic, but to remind you of your particular frame of reference. In an ANT approach humans and non-human are actors; the scene sets the parameters of the performance, what is possible and what is “reasonable”.
ITIRA CONFERENCE DECEMBER 2003
A small population means there is limited technology, while television and telephone (passive technologies) are almost universal only the council and the school have access to a range of interactive technology. It can also mean social isolation, no community of practice to foster skills. There is a conceptual distance in our expectations and use of technology because the contexts of local and standard business practice are so different: A small population cannot support experts, the few people employed must do a wide range of jobs. Geographic distance means cost: it is too expensive for council to get technicians to fix problems as they arise. The prohibitive cost affects the perception of urgency of having a system that works efficiently, and thus the importance of a system and may flow on to its contents. When the technician comes only twice a year we modify our expectations and management of technology, we live with systems which limp along. Geographic distance can also heighten a cultural distance and affect attitudes to business even though computers, the tools of business, themselves are enthusiastically embraced. The network is five years old. This is not the first server, so users and the technician bring understanding and fears from prior experiences. The network was very unstable in the past, partially as a result from poor power supply, and users were frequently unable to access the network resources. The system is Windows small business server. The security options are based on a user name and password combination to which security profiles and access rights are attached. The structure may be hierarchical or lateral: security does not have to be implemented. When the network was installed the technician set up an hierarchical security system, he believed he had done what was required, what was right. The local response to this was that three out of four users logged on to the network as “administrator” in the first server and all users assigned themselves administrator rights in the second server.
PAGE 256
IT FOR REGIONAL INDUSTRY & e-COMMERCE
The technician believes he knows that it is in the council’s long-term interests to conform to the standard hierarchical security because future flexibility options of the system will require such security. The council clerk had some clear ideas about security options, she believed she had discussed these and reached agreement with the technician. However, the result was again different Windows network set-up in general requires high-level on-site skills or the ready availability of expertise. The technician views set-up as an ongoing process: they talk of the need to “tweak” the system, to fix small problems as they arise; to “bed the system down”. In a remote situation the technician must wait for a service visit so problems or difficulties persist for long periods. The technician would not take on a network administration role for remote clients such as they offer their urban clients because of the distance, time and cost factors: they just cannot provide the service. The technician does offer telephone support and there is terminal server capability. These services are not used frequently, as evident in the fact that council clerk did not call the technician to be talked through the process to correct the program access. Technicians have effectively restricted the amount of interaction the staff have with the server, not by security, but by their use of specialised technical language, and reference to staff initiated alterations as “meddling”. The technology- in- practice in the council is that users may make alterations to workstations but not the server. Our securityin-practice has been the network log on; the screensaver; to lock office doors, and protocols of access to offices and computers. The effects of the security-in-practice in this workplace indicate that the priority is to protect property, my computer; then to protect access to programs, then to protect the digital data. The security on the physical records is to lock the main office, and shred the documents in the rubbish. The scene is one of intractable issues of ownership and responsibility with regard to the set up. There are practical concerns with
ITIRA CONFERENCE DECEMBER 2003
changing concepts of access, as well as the difficulty of working with multiple languages, including the language of technology. There are local patterns of authority and service which must accommodate the fleeting site visits by technicians and consultants. In response this there is the developing information technology skills base through formal training and informal on the job learning, and strengthening and expansion of the actor network: the relations between computers, users, both local and distant, and technicians. This situation is not unique, research offers many descriptions of how organisations cope with the reality of multiple or imperfect systems. Guerson & Star (1986) discussing the sociology of work describe organisations as: characterised by ongoing negotiations about the nature of the tasks and the relationships between individuals in the organisation by ad hoc reactions to upcoming contingencies, by distributed decision-making, by multiple view points and inconsistent and evolving knowledge bases… Articulation resolves inconsistencies by packaging a compromise that “gets the job done”. Workarounds are part of articulation and extrapolating from Guerson and Star (1986) the practical importance of workarounds is that they are not extraordinary events, but a normal part of the way things actually work. Jane is the one who calls for this workaround. She has done so to do the job but also in her ‘role’ as consultant she has didactic purpose to reflect “standard” business practice. The opportunities for discussion, to continue the translation, arise because the tension is acted out in a consciously dramatic way, and the scene for change is being prepared. Technology and people continue to change as they gain knowledge, experience, and practice. Orlikowski (2000) from a structuration theory perspective states that while habitual patterns of technology use may be apparent these are always ongoing accomplishments and thus there can be no single invariant or final technology –in-practice, just multiple, recurrent and situated enactments. Users have the option at any moment and within existing conditions and materials to “choose to do
PAGE 257
IT FOR REGIONAL INDUSTRY & e-COMMERCE
otherwise” (Giddens 1993 in Orlikowski 2000). Pollock argues that workarounds should alert us to issues of control. This story shows an indirect or very measured control in operation. The computer security is partial, depending on computer operators’ needs and interests, and the technician’s prediction of future needs and perceived boundaries of responsibility and authority. In practice the security does not have an administrator role, there are agreements and shared passwords. Jane is raising the issue of appropriate usage but does not control, enforce or change systems. Even on the most superficial level we can see the gaps which must be bridged when we trace the actants in a chain from design engineers who encode what they understand to be standard commercial business concepts in software; through the technician to set it up who understands the technical relations between machine and software more than the business procedures; then the consulting company working at the decision making level; to the consultant who must work with the system and who knows the business network, but has limited experience with the technical and restricted access to the local social context; to the users and the place which make the local social context, they have some knowledge the business network and limited experience with technical network. All of these different experiences must make sense together in order for the computer network to work in this pla ce. The “chain” is a process of literally changing languages from design generalisation, with the language of flexibility and choice, to technical language of implementation; from the language of business concepts to local language and workplace concepts. Latour describes the progress through and across networks as translation (Latour 1987) and as such it is subject to faulty or incomplete portrayal.
Workarounds represent one part of a suite of adjustments being made in this workplace to implement change. What is being worked around is the result of a combination of hardware, software shortfalls or errors, procedures, people, distance, environment. What we are shown in this workaround is the users translating their understanding of the system into self initiated actions. The implementation of flexible technology will include a process of workarounds as people develop their knowledge structures concomitant with developing their technology skills. In this way we should view workarounds not as deviant, but as normal, “people do not do an ideal job but the do-able job”. (Bowker and Star 1996). Workarounds can sensitise us to very particular areas of dissonance, those we can change, or avoid, now. It requires us to confront the relative nature of experience, to identify our own position, to argue for the local stories and understandings while recognising the standard against which they are working around. Workarounds in this project represent local control, or a path of least disruption to local control. They make sense in their context. The project has shown a creative and cooperative approach at the practical level when there is a lack of clear authority or responsibility for the system. The story shows that simple things become issues in small and distant workplaces: Translations may be weakened, substantially changed or not survive the geographical and contextual distances. However, with all innovations there are conflicting interpretations. Latour (1995) uses the term “technical bricolage” to describe implementation. “We see only assemblies, crises, disputes, inventions, compromises, substitutions, translations and ordering that get more and more complicated and engage more and more elements.”
CONCLUSION REFERENCES
ITIRA CONFERENCE DECEMBER 2003
PAGE 258
IT FOR REGIONAL INDUSTRY & e-COMMERCE
Akrich M. and Latour B. (1992). “A summary of a convenient vocabulary for the semiotics of human and non human assemblies.” . In W E Bijker and J Law (eds). Shaping technology/building society: studies in socio -technical change. Cambridge: MIT P pp 259-64. Akrich, M. (1992). The De-Scription of Technical Objects. In W. Bijker and J. Law (Eds.) Shaping Technology, Building Society: Studies in Sociotechnical Change. Cambridge, Mass, MIT Press: 205-224. Attewell, P. (1997). “Thoughts on human centred intelligent systems”. http://www.ifp.uiuc.edu/nsfhcs/abstracts/attew ell.txt Accessed 15/7/03 Bowker, C & S L Star. (1996). “How things actor-net work: classification, magic and the ubiquity of standards”. Retrieved 21 June 2003. http://weber.ucsd.edu/~gbowker/actnet.htmlBr ey, P (1997). “Philosophy of technology meets social construction”. Techne: Journal of the Society for Philosophy and technology. 2:3 Callon, M. (1987). Society in the Making: the Study of Technology as a Tool for Sociological Analysis. In W. E. Bijker, T. P. Hughes and T. J. Pinch (Eds.) The Social Construction of Technical Systems: New Directions in the Sociology and History of Technology. Cambridge, Mass. and London, MIT Press: 83-103. Feenberg, A. & Alistair Hannay (eds.) (1995). “Subversive rationalisation: Technology, power, and democracy” in Technology and the politics of knowledge. Bloomington: Indianna U Press. Gasser, L., (1986), “The Integration of Computing and Routine Work,” ACM Transactions on Office Information Systems, 4(3): pp. 205-225.
Latour, B. (1992). “Where are the missing masses: the sociology of a few mundane objects”. In W E Bijker and J Law (eds). Shaping technology/building society: studies in socio -technical change. Cambridge: MIT Press, pp225-57 Latour, B. (1995). “A door must be either open or shut: A little philosophy of techniques”. Transl Charis Cussins. In Feenberg A & Alistair Hannay (eds.) (1995). Technology and the politics of knowledge. Bloomington: Indianna U Press. Latour, B. (1987). Science in Action: How to Follow Scientists and Engineers Through Society . Milton Keynes, Open University Press Latour, B. (1996). Aramis, or the Love of Technology. Cambridge, Mass, MIT Press. Law, J. (2000). Networks, Relations, Cyborgs: on the Social Study of Technology, Science Studies Centre and Department of Sociology, Lancaster University. http://www.comp.lancs.ac.uk/sociology/soc04 2jl.html. Orlikowski, W. (2000). “Using technology and constituting structures: A practice lens for studying technology in organisations.” Organisation Science. 11:4 pp 404-28. Pfaffenberger, B. (1992) “Technological dramas”. Science, Technology & Human Values. 17:3 282-312. Pollock, N. “The tension of workarounds: how computer programmers negotiate the use of technology”. Revised paper submitted to Science, Technology and Human Values 7 May 2001.Retrieved 23 October 2002 http://www.ncl.ac.uk/curds/vuniv/np2.pdf Star, S L. (1991). “Power, technologies and the phenomenology of conventions: on being allergic to onions”. In J Law (ed) A sociology of monsters: Essays on pwer, technology and domination . London: Routledge.
Guerson, E. and S L Star. (1986). “Analysing due practice in the workplace”. ACM Transactions on Office Information Systems, 4: pp. 257-70.
Star, S L (Ed.). 1995. The Cultures of Computing. Oxford, UK: Blackwell Publishers.
Kling, (1991). “Computerisation and social transformations.” Science Technology and Human Values. 16: 342-67.
Suchman, Lucy. “Located accountabilities in technology production”. Published by the Department of Sociology. Lancaster University. Retrieved 23 June 2003 http://www.comp.lancs.ac.uk/soc039Is.html .
ITIRA CONFERENCE DECEMBER 2003
PAGE 259
IT FOR REGIONAL INDUSTRY & e-COMMERCE
ITIRA CONFERENCE DECEMBER 2003
PAGE 260
