Internet Cafes


3 November 2005

In response to industry demand, and in alignment with the New Zealand Digital Strategy, Standards New Zealand plans to help create a voluntary code of practice or internet cafes. The Digital Strategy states “The full potential of information and communication technology can only be realised if all New Zealanders have the confidence to use ICT (Information Communications Technology). This means having the skills to use them in an environment that is safe and secure”.

ON 3 AUGUST 2005 Mr Lee walked in and sat down. Taegu’s not the biggest city in South Korea, but it’s as wired as anywhere else in the online capital of the world. The cybercafes are full twenty-four/seven, and everyone plays.

Mr Lee sat down and started playing. Over the next three days, he only got up to go to the toilet and take brief naps on a makeshift bed.

Mr Lee was online for fifty hours nearly nonstop. He’d already quit his job to free up time. His mother sent out a search party.

On the third day after fifty hours, Mr Lee’s heart failed. He dropped dead in a South Korean cybercafe.

Mr Lee’s fate is on the extreme end of the spectrum: cybercafes aren’t usually deadly. But they are an ever-growing, unregulated environment that combines the complexity of I.T. rollouts, the endless variety of the internet, and the public nature of a bar, library, or entertainment centre. Security and safety, both real-world and cyber, are increasingly becoming major issues for cybercafes to deal with.

Cyber Alert
Earlier this year the Internet Safety Group (ISG) and IBM New Zealand convened a roundtable discussion on safety and security in internet cafes. Participants included representatives of community organisations, banks, government agencies, security professionals, law enforcement, educators, local government officials, and libraries.

John Martin, Security Practice Leader for IBM NZ, presented the results of a small random survey he did of Auckland and Wellington internet cafes. The results included:

  • Spyware and adware found on the majority of computers
  • Keyloggers (programs used to surreptitiously record keystrokes) were found on some of the machines
  • No observed supervision of users obviously under 16
  • The only video surveillance was of cafe staff, not customers

As well

  • There were no warnings, disclaimers or login messages
  • There was no correlation between user payment, receipt and computer terminal
  • Systems were generally well patched and up-to-date, but some used outmoded operating systems
  • The majority offered free access to the hardware, cables and USB ports (potentially allowing customers to use their own USB devices)
  • Personal information from previous users was found in abundance (personal CVs, chat logs, attendance lists, photos etc)
  • The majority had no restrictions on downloading software programs (potentially allowing installation of malicious software).

“Many cafe networks have totally inadequate security procedures in place and there is no protection for their customers from malicious activities. Installing anti-virus software is simply not enough and  customers should expect a better level of service from internetcafes. Customers should also do a lot more to protect themselves when using any computer to access or prepare personal information,” John Martin said.

Too much information, not enough knowledge?
Liz Butterfield, Director of the ISG, says there are now a wide range of establishments offering internet access, including libraries, community centres, cafes, and backpackers’ hostels. “Recent stories highlighting the ease with which personal information is accessed by hackers in internet cafes have been a big concern.”

Tourists make up an estimated 20% of cybercafe users in key centres. Incidents of fraud associated with captured identifi cation from internet cafes could severely undermine the perception of New Zealand as a safe holiday destination.

“Lack of common standards is a key weakness in the industry,” adds Lesley Valentine, Business Relationships Manager at Standards NZ. “Customers don’t by and large know how risky public internet can be, and don’t know what to look for in a cafe to keep safe.”

“This is not about homogenising the services offered or stifling innovation, but creating a consistent minimum standard – and giving users a basis on which to make informed decisions about the risks they take.”

Standards New Zealand
Response to the round-table discussion and a following article in Infotech weekly was strong, with cybercafe proprietors around the country agreeing on the potential risks. Standards New Zealand now plans to create a code of practice.

“The demand for a Standard within the industry is decisive,” says Lesley. “We don’t develop Standards without a clearly defined need, and this is one of the clearest we’ve seen.”

Though New Zealand Standards are often associated with legally enforced rules, the vast majority of Standards created are voluntary. Standards NZ most often acts as a facilitator, bringing together players in a wide range of industries to create voluntary codes, which benefit the sector itself and consumers.

Voluntary Standards or codes are used as a vehicle to create consistency, and to improve quality, efficiency and safety.

The Standards development process is rigorous and consensus-based. All participants have the opportunity to have their say, and public comment is invited on draft Standards. The inclusive process generates wide support and recognition for the resulting document.

“A code would be a good alternative to direct government intervention,” says Lesley. “China is the most well-known example of strictly regulated cybercafes, but many countries from India to Saudi Arabia, Taiwan, Malaysia and members of the EU have or are considering regulation.”

The Benefits
While the industry is yet to finalise the scope of this Standard the likely benefits will include:

For users

  • an easy way to identify operators offering consistent levels of “safe and quality” service – and make an informed choice. A logo with a bronze/silver/gold style compliance certification scheme may result.

For operators (including those where a cybercafe is not their core business eg public libraries and backpackers’ hostels)

  • A clear set of guidelines defining good practice and what is required to “raise the bar”, improving the performance and perception of their business as well as the industry as a whole.
  • Practical guidelines and checklists to support a risk management approach to operating their businesses and plan incremental improvement – aiming to offer services that meet or exceed full compliance.
  • Raised awareness of the key risks and issues associated with the  ndustry in general
  • Recognition – the ability to promote their business against their competitors based on level of compliance with the Standard

For local authorities and regional promotors, etc

  • A clear set of guidelines defining good practice in this industry so they can make informed decisions on promotion, permits, etc.
  • Raised awareness of the key risks and issues associated with the industry.
  • Increased public confidence in service quality and safety practices – Internet Cafes are considered by many to be a key infrastructural component of a region.

The Process
Standards NZ is on track to initiate a project before Christmas to develop a voluntary Code of Conduct and/or a Standard with guidelines for New Zealand’s Internet Cafes. A key step will be forming an effective committee representative of all stakeholder groups. There is strong potential to align the project with other industry initiatives.

“We’re still to hold discussions with interested organisations  on aligning the project with the NZ Internet Code of Conduct.” says Lesley.

The NZICC, produced by InternetNZ, is currently in draft circulation. Standards NZ is also in discussions with Qualmark - New Zealand tourism’s official quality agency - to gain interest in aligning the resulting Internet Cafe Standard with Qualmark processes.

Netsafe supports SNZ’s help in creating a code of practice
“It’s helpful given the industry itself hasn’t organised a governing body or association that I’m aware of,” says Liz Butterfield. “Getting it out there and getting it promoted I think is a really healthy thing to do.”

“The whole point of voluntary Standards is that they improve business performance and enhance reputation,” adds Lesley. “We’re looking toward the idea of Standards-compliant cybercafes being somewhere that anyone can walk into and have greater confidence that they and their information are safe.”

Keystroke loggers

Youth supervision
Video monitoring
Warnings and disclaimers
User payment and receipts