Policies for external links

Opinion
Dec 22, 2005 | 4 mins
Networking, Security

* Why you should have policies governing links to external sites

In the preceding two articles, I’ve reviewed some issues of reliability and legal liability for external links. In this final article I discuss policies about external links from corporate Web sites.

Although a link to another document may be intended solely as a useful contribution to users of a Web site, corporate public relations, marketing and legal personnel are justifiably concerned about the tacit assumptions of some of their customers or users.

For many technologically unsophisticated people, the concept of the World Wide Web is vague; it may not be obvious to a novice that they have moved from one Web server to another. If they click on a link on one site, they may erroneously assume that the page they are viewing belongs to the site they began visiting. If they don’t like what they see, they may transfer their dislike to the original Web site and its owners.

Dislike of linked material boiled over into the public arena in July 2004, when NewsScan authors John Gehl and Suzanne Douglas wrote:

“South Dakota Governor Mike Rounds has had the teen section of the State Library’s Web site shut down because it provided links to material he doesn’t believe young people should see. The links to which he found objection included one to a Planned Parenthood site and one to Columbia University’s Go Ask Alice! Rounds said: ‘As a parent, I would be very disturbed to have my children connecting to any of these Web sites.’ His position is that state government should not feature links to any advocacy groups and that removal of the links isn’t censorship because users can still go directly to those organizations’ sites.”

Some organizations explicitly display a disclaimer when a visitor clicks on an external link. For example, the National Institute of Standards and Technology Web site uses a Common Gateway Interface (CGI) script that includes the following text:

“Thank you for visiting. We hope your visit was informative and enjoyable. We have provided a link to this site because it has information that may be of interest to our users. NIST does not necessarily endorse the views expressed or the facts presented on this site. Further, NIST does not endorse any commercial products that may be advertised or available on this site. Click on the following link to go to: (or you will be taken there in 15 seconds).”

Most organizations with security policies in place also forbid employees to put personal, non-business-related links on corporate Web pages. It may be fun for an employee to add a link to a model airplane club in her biographical notes on the “About Us” page on the corporate Web site, but if someone else working at Acme Corp. puts a link in his bio to a highly politicized site (e.g., supporting or opposing a particular political ideology or party) there may be repercussions for Acme’s reputation or acceptance by customers. To avoid having to argue about which personally chosen external links are acceptable, it makes sense to restrict all personal links from a corporate Web site.

The most surprising case of an inappropriate external link I have ever encountered in my security practice concerned a law firm (all details are obscured to protect confidentiality) in which the network administrator was a pleasant and popular staff member who happened to be a transvestite. Jim showed up on Mondays, Wednesdays and Fridays and Jan showed up on Tuesdays and Thursdays. Nobody at the law firm minded at all – until it was pointed out that the firm’s home page on the Web included a link to an association promoting transsexuality – which in turn had links to all kinds of, ah, vivid pictorial material. The lawyers were astounded to discover that the link had been on their home page for quite some time and immediately asked for it to be removed.

You never know what you might be linking to out there.