He was ridiculed and dismissed as paranoid for claiming that district employees had installed a surveillance software in his office computer to spy on his online activities. In the end, Richard Atwell, mayor of the District of Saanich in British Columbia, is vindicated and gets to say “I told you so.”
Last week Elizabeth Denham, the Information and Privacy Commissioner of B.C., released a report castigating the district for installing monitoring software on employees’ computers with little regard for the people’s privacy rights covered by privacy laws that have been in place for 20 years.
Denham said her staff “observed that the software had been configured to record the activities of District employees, including recording and retaining screenshots of computer activity at 30 second intervals and every keystroke taken on a workstation’s keyboard, and retaining copies of every email sent or received.”
The report 35-page report revealed that the bugging of Atwell’s machine stemmed from concerns of district directors that because of Atwell’s IT background, the new mayor would be able to uncover outstanding security issues in the district’s IT infrastructure. These were issues IT security shortcomings revealed by an IT audit back in May 2014.
“I welcome this report and wish to thank Privacy Commissioner Elizabeth Denham and her office for a timely and thorough report. As Mayor, I will bring a motion to Council at our next meeting ensuring all her recommendations are enacted as a priority,” said Atwell. “We must foster a culture within our community and throughout B.C. and Canada where employees and citizens can be assured that their privacy is being protected.”
It all began shortly after Atwell was elected mayor November 15 last year. In January, he raised concerns that his computer and possibly those of other Saanich employees were being bugged.
A former debugger engineer for Motorola and later a member of Apple’s iPod and special projects team, Atwell said he discovered that IT department employees installed Spector 360 on his work computer. Spector 360 is an employee monitoring software that logs and monitors user email, chat and instant messages, Web activity, programs, keystrokes, documents, file transfers and network activity.
Privacy laws disregarded
Atwell went to the police, but they found no signs of wrongdoing. The district said it was just following through on a recommendation from a security audit, which recommended the software.
Around this time, Atwell also admitted to an extramarital affair and then said that police had stopped him several times for groundless suspicion of impaired driving. This helped in portraying Atwell in the media as a blundering political neophyte.
Eventually, Denham looked into the allegations on workplace surveillance. Her report pointedly said that the municipality failed to tell employees and elected officials about the amount of data it was collecting.
“One of the most disappointing findings in my investigation of the District of Saanich’s use of employee monitoring software is the near-complete lack of awareness and understanding of the privacy provisions of B.C.’s Freedom of Information and Protection of Privacy Act (FIPPA),” Denham said in her report. “Public agencies, including municipal governments, have been subject to these comprehensive privacy laws for over 20 years. Yet the District went ahead and installed monitoring software, enabling automated screenshots and keystroke logging and other intrusive monitoring tools, without considering how these actions would measure up to their privacy obligations under the law.”
IT security weaknesses
The report found that from November 17 to 19, 2014, the director of corporate services discussed with the manager of IT and other city officials the issue of how to remedy the outstanding IT issues prior to Atwell formally taking office.
Denham’s report did not identify who the director of corporate services was, but The Saanich News reported documents obtained through freedom of information legislation reveal it was Laura Ciarniello who authorized the software’s installation.
The director of services said the motivation for this renewed focused what the perception by district directors that Atwell would find out and criticize the weaknesses of the district’s IT security.
The director of corporate services opted to “secure” workstations used by employees and officers who “are deemed to be high-profile and, therefore, likely targets of an IT security breach,” the report said.
On November 19, the director of services met with the chief administrative officer, the chief of the fire department, the directors of legislative services, planning, parks and recreation and finance. They were advised that monitoring software would be installed on the following employees’ workstations:
- The mayor
- Two shared workstations for councillors
- The CAO
- The directors of corporate services, legislative services, planning, parks and recreations, finances and engineering
- The chief of the fire department
- Two executive administrative assistants
The manager of IT recommended Spector 360 and the software was purchased on November 21. The software was installed on the machines of 13 employees between November 26 and December 3.
Atwell was sworn in on December 1, and on the following day the manager of IT emailed the director of corporate services requesting authorization and activation of Spector 360.
The director of corporate services told Denham’s staff the mayor was asked to sign a Network Access Terms and Conditions Form that advises employees that IT resources are being monitored.
“However, the district was unable to provide my office with a copy of the formed signed by the mayor and the mayor told my staff that he had not been provided with the form,” said Denham.
On December 11, Jon Woodland, a former assistant IT manager of Saanich, informed Atwell about the installation of Spector 360.
Findings and recommendations
Denham said if the district had taken the time to evaluate how the software would impact individual privacy rights “a different solution that addressed information security risks while ensuring compliance with privacy laws.”
The commissioner’s finding were:
- Because of the way the software was configured, the district collected all personal information that employees entered into their workstations
- The district did not have the authority under FIPPA to collect personal information recorded by the monitoring software
- The district did not notify employees of the collection of their information as required by FIPPA
- It could not be determined whether the District used or disclosed the information it gathered using the software because the district did not activate the functionality to monitor user access through logs that show user activity
The commissioner recommended that the district:
- Disable various employee monitoring software functions and destroy all personal information collected by the software
- Update various policies so that employees are informed, as required by FIPPA, when their personal information is being collected
- Generate logs of administrator level access to all IT systems which collect store, use or disclose personal information
- Implement a comprehensive privacy management program to ensure that the district’s obligations to FIPPA are being met
“My expectation is that this report will prompt the District of Saanich and other B.C. municipalities to consider the privacy rights of citizens and employees as they exercise their management responsibilities and decision-making, particularly in the IT sector,” said Denham.