The District of Saanich in the Greater Victoria Area showed a “near-complete lack of awareness and understanding” of British Columbia’s Freedom of Information and Protection of Privacy Act and made no effort to assess potential privacy violations when it implemented employee-monitoring software on the computers of a dozen high-level employees, including the mayor. The issue came to light when the new mayor of the district was told of the program and exposed it to the public in a press conference.
External information security audit reveals failures
In May 2014, the district hired a third party to conduct an information security audit of the municipality’s information technology infrastructure. The audit uncovered various “security shortcomings.”
The municipality intended eventually to implement “a district-wide Intrusion Detection System and Intrusion Prevention System capability that would protect all district workstations” from intentional or accidental digital security breaches. Because of the expense of such a system, however, it would be installed in stages.
By mid-November, when Richard Atwell was elected mayor, little progress had been made, and the director of corporate services sought to “accelerate resolution of some of those issues” before the new mayor took office on December 1.
The district decided that using Spector 360, an employee-monitoring application, on the work computers of certain high-profile users would be “an effective interim step.” The users in question were the mayor, the chief administrative officer, the directors of corporate services, legislative services, planning, parks and recreation, finance, and engineering, the chief of the fire department, and two executive administrative assistants. In addition, the software would be installed on two shared workstations used by district councillors.
Reactive vs proactive security measures
Implementation began on November 26. The application was installed with the following features:
- Automated screenshots at 30-second intervals
- Monitoring and logging of chat and instant messaging
- A log of all websites visited
- Recording all email activity (a copy of every email is retained for 30 days)
- A log of file transfer data to track the movement of files on and off the district network
- A log of every keystroke made by a user
- A log of program activity, recording which windows were open and which window had the focus of the user
- A log of when the user logged in and logged out
- Tracking of every file created, deleted, renamed, or copied
- A record of network activity including applications that are connecting to the Internet, when the connections are made, the Internet address they connect to, ports being used, and the network bandwidth consumed by those connections
The IT manager acknowledged that this type of monitoring was a “reactive approach,” which would help the district respond promptly to breaches and remedy them only after they occurred. It would do little, if anything, to prevent or detect breaches as they were occurring.
Failure to obtain consent from users
The district never formally obtained consent from any of the staff on whose computers the application was installed.
Atwell learned of the monitoring software from a whistleblower more than a week after he was sworn in. After discussing it with IT staff and police, Atwell held a press conference on January 12, 2015, to publicly state that “the district had installed spyware on his computer.”
The Information and Privacy Commissioner initiated an investigation soon after and the district ordered the IT department to disable the software.
What’s the big deal?
The commissioner’s investigation made four key findings:
- The district collected the personal information of employees and citizens through its use of monitoring software. In fact, because of how the software was configured, the district collected all personal information that a user entered into an affected workstation.
- The district did not have the authority under the Freedom of Information and Protection of Privacy Act (FIPPA) to collect the personal information recorded by the monitoring software.
- The district did not notify employees of the collection of their personal information as required by FIPPA.
- It could not be determined whether the district used or disclosed personal information collected by the monitoring software in compliance with FIPPA because the district had not activated the functionality to monitor user access through logs that show user activity.
Recommendations
The Information and Privacy Commissioner acknowledged that some of the functions of Spector 360 were appropriate to achieve the goal of enhanced IT security. These functions were:
- A log of all websites visited
- A log of file transfer data to track the movement of files on and off the company network
- Tracking of every file created, deleted, renamed or copied
- A record of network activity including applications that are connecting to the Internet, when the connections are made, the Internet address they connect to, ports being used, and the network bandwidth consumed by those connections
However, the remainder of the application’s features were not necessary to achieve that goal. Therefore, the commissioner recommended that the district:
- Disable the keystroke logging, screenshot recording, program activity logging, email recording, and user log-on functions of the monitoring software
- Destroy all personal information collected by the software’s keystroke logging, screenshot recording, program activity logging, email recording, and user log-on functions
- Update its policy for the Use of Saanich Materials, Equipment, Facilities and Resources to provide employees with notice of the collection of their personal information, as required by s. 27(2) of FIPPA
- Implement the capability to generate logs of administrator level access to all IT systems which collect, store, use or disclose personal information
- Implement a comprehensive privacy management program to ensure it is able to meet all of its obligations under FIPPA
- Appoint a privacy officer who will conduct a comprehensive audit of the district’s compliance with FIPPA, and compile a registry of all personal information in the custody or under the control of the district
- Provide training to all employees in relation to all requirements of FIPPA
In addition, the commissioner made several general recommendations. With respect to the type of extreme employee monitoring made possible by applications like Spector 360, the commissioner noted:
The level of employee surveillance that results from keystroke logging and screenshot capturing should be restricted to use in specific investigations, based on reasonable grounds for suspicion of wrongdoing, and only when other less privacy-intrusive measures have been exhausted.
Importantly, as the district’s IT department recognized, these measures will not actually prevent or detect a breach. They will only allow an organization to respond promptly when a breach occurs.
The commissioner’s office also reviewed the practices of six other municipalities in BC to determine how they secure their data and networks. The measures those municipalities use include:
- Firewalls, which create a barrier between two networks, typically separating internal and external network devices and computers
- Intrusion detection and prevention systems, which monitor network traffic and attempt to identify, report and block malware or unauthorized access
- Anti-malware software, which attempts to prevent malware from being downloaded, installed or executed
- Event log analysis, which records IT system events and analyzes them for likely security threats
- Email filtering
- Web filtering
Important privacy management resources
Remarkably, in 2013, the commissioner’s office published a guide specifically aimed at public sector organizations to assist them in developing and implementing privacy controls. It was clear from this case that the District of Saanich failed to review the guide, “Accountable Privacy Management in BC’s Public Sector.”
Find the investigation report, “Use of employee monitoring software by the District of Saanich,” on the Information and Privacy Commissioner’s website.