The whistle blower’s tale: part 1
By David Broadland, May 2015
Did Saanich staff conspire to spy on the newly-elected mayor?
Following release of BC Information and Privacy Commissioner Elizabeth Denham’s report on the controversial installation of employee monitoring software on 13 District of Saanich computers—including incoming Mayor Richard Atwell’s—many Saanich citizens expressed frustration that Denham had left fundamental questions unanswered: Did Saanich managers conspire to spy on Atwell? If so, who ordered the spying? And who, they asked, will now determine what actually happened?
Saanich Council’s decision on April 13 to turn further investigation of the matter over to Interim CAO Andy Laidlaw did nothing to allay concern that these questions would be left unanswered.
Indeed, shortly after Denham’s report was released, Laidlaw wrote to her and stated, “My purpose in writing you is to express our concern about how you have chosen to characterize the District…We believe your conclusions are only accurate to the limited number of interviews conducted and the narrow scope of material reviewed…”
With Laidlaw already assuming a defensive position on behalf of his staff, it’s pretty much a foregone conclusion that his report will step backwards from where Denham left the central questions. And since councillors directed Laidlaw—on the recommendation of staff—to deliver his report at a meeting closed to the public, there’s little hope it will shed any light. In camera meetings are like black holes—no light can escape the gravitational clutches of the legal advice that will inevitably be attached to Laidlaw’s report.
Although many people—including most Saanich councillors—want to leave this story behind, that’s unlikely to happen. The evidence Denham’s investigation gathered included interviews with all the key players in the software scandal. Their explanations for why they did what they did are, at times, a challenge to accept at face value. Denham’s report concluded what happened in Saanich was illegal—District employees broke BC privacy law. But her report also provides several key facts that are consistent with Atwell’s allegation that he was spied on following his election last November. The word “spying” simply implies secretly gathering information. If Saanich managers intended to covertly gather information from Atwell, that would be a serious erosion of the democratic principle that control of government must be kept in the hands of the people—through their elected representatives—and not the other way around.
Focus has obtained a document created by a person we will call “WB”—for “Whistle Blower.” WB’s document outlines a much different rationale for installing the Spector 360 software than put forward by Saanich staff in Denham’s report. It documents WB’s recollection of what he was told by Assistant IT Manager John Proc on November 20, 2014. At that time WB was an IT analyst with Saanich, but he has since left the District’s employ. The document was apparently created by WB for the purpose of getting a fellow Saanich IT worker’s signature certifying that he agreed to the facts presented in WB’s document.
In the document, WB noted that he was “present during initial talks about monitoring software on 2014-11-20.” WB went on to write, “This is my recollection of conversation between myself, [name redacted] and John Proc…John Proc came to us ([name redacted] and I) with a directive that had just come down to IT in regards to installing monitoring software on the mayor’s computer. He said, ‘They are nervous about the new mayor. We’re installing it on the directors’ computers as well to make it [look like] it is not targeted’ and ‘this won’t last long’.”
In his commentary in the document WB noted that he had “made his concerns known that he was nervous about being involved in this and to move forward he would need some assurance that everybody subject to having a keylogger installed on their computer would be given [the opportunity for providing] proper consent above our normal end user agreement.”
WB emailed this document to Jon Woodland on January 17, 2015, asking him “What do you think?” Woodland is the manager of information technology for the Township of Esquimalt. Before that he worked in Saanich’s IT department for 16 years. WB initially contacted Woodland in early December, 2014, and told him about the installation of surveillance software on Mayor Atwell’s computer. Woodland, after checking with his own employer, then told Atwell on December 11. Atwell eventually connected with WB independently. WB was interviewed by Denham, but his “recollection” did not appear in her report. (John Proc was asked by Focus to comment on WB’s recollection but did not respond to repeated emails.)
The takeaway from WB’s recollection is that Atwell was targeted for surveillance and that installation of software on other computers was simply a ruse. This is a serious allegation. Does Denham’s report provide any evidence that could disprove this allegation? It does not. In fact, a careful read of the “Chronology of Events” section of the report offers much information that supports WB’s allegation.
In the text below, I provide a part of Denham’s “Chronology of Events” from her investigation report. The part I’ve included covers Saanich’s explanation of who led the initiative and why they did what they did, up to the point when the software was enabled. Denham’s chronology is included verbatim—with one general exception. Wherever she identified a person simply as a staff position such as “CAO,” or “Director of Corporate Services,” I have identified that person by name. I have also provided additional information and analysis, identified as “Focus commentary.”
All of the Saanich staff named below were sent emails by Focus that included questions specific to the role they played. Each person was invited to provide any commentary they might want included in this article. Saanich’s Director of Legislative Services Carrie MacPhee, acting on behalf of the holidaying Laidlaw, informed me that no Saanich employees would respond to my questions. “Given Council’s direction,” she explained, “it would be premature for staff to be commenting at this time and it is anticipated that any future comment will be provided by Mr Laidlaw or Council once they have considered Mr Laidlaw’s report.”
Commissioner Denham’s “Chronology of Events”
Denham: Through interviews and review of documents the following chronology of events was established relating to the selection and implementation of Spector 360. This chronology is the basis for my analysis of the District’s compliance with FIPPA.
May 2014: The District contracted with an IT security consultant to perform an information security audit (“IT Audit”) on the District’s IT infrastructure. The IT Audit revealed security shortcomings which District IT staff have been working to address since that time.
The District stated in a January 14, 2015 media release, Spector 360 was purchased in response to one of the recommendations in the IT Audit. My staff reviewed the IT audit report and it did not make any specific recommendation that could be interpreted to recommend the purchase and installation of employee-monitoring software.
The Audit’s author, also interviewed by my Office, confirmed that he did not make any such recommendation nor did he intend to make any recommendation that could be interpreted to recommend the installation of monitoring software such as Spector 360.
Focus commentary: The “audit report” Denham mentions was executed by Wordsworth & Associates. The Commissioner is clearly skeptical of the District’s claim that its decision to purchase Spector 360 employee monitoring software was a credible response to the recommendations of Wordsworth & Associates.
That claim is further eroded by Saanich’s response to an FOI filed by Focus for communications between Director of Corporate Services Laura Ciarniello and Manager of Information Technology Forrest Kvemshagen that took place as a result of the recommendations of the audit report. Ciarniello and Kvemshagen were at the centre of the decision to purchase and install the employee monitoring software.
But according to Saanich’s FOI office, Ciarniello and Kvemshagen left no written record that they ever communicated about the recommendations of the Wordsworth & Associates audit report; there’s also no written record that they ever communicated on whether or not Spector 360 software would address any of those recommendations.
The absence of such records over a six-month period suggests little or no effort had been made to address the security issues raised by Wordsworth & Associates. A senior IT analyst at Saanich, whose name Focus is withholding at his request, has confirmed that other than quick and easy patches to the District’s computer network security provisions, none of the major recommendations made by Wordsworth & Associates have been acted upon.
The takeaway from this is that Saanich’s claim that the Spector 360 initiative was a response to the Wordsworth & Associates security audit recommendations is not supported by any written evidence.
Denham’s chronology: Nov. 15, 2014: Richard Atwell was elected as the mayor for the District of Saanich.
Nov. 17 to 19, 2014: The Director of Corporate Services Laura Ciarniello continued discussions with the Manager of IT Forrest Kvemshagen about the need to remedy outstanding IT security issues, and the need to accelerate resolution of some of those issues prior to the new mayor taking office.
According to Ciarniello, the motivation for this renewed focus on IT security was the perception by District Directors that the new mayor was experienced in the area of IT and would be able to identify and criticize current weaknesses in the District’s IT security.
After discussions with Kvemshagen, Ciarniello decided to procure and install software which would provide for comprehensive monitoring and recording of all actions undertaken by key District employees and officers.
Focus commentary: Motive is key. Two days after Atwell was elected, senior managers initiated a program that we have since learned may have left the District’s computer network more vulnerable to attack than before, but would have allowed intensive monitoring of Atwell’s computer use. What might have motivated this reaction?
Ciarniello admitted to Denham that District Directors were aware of Atwell’s IT experience. He also has a reputation for his ability to extract damning information from local government. Did Ciarniello and her boss, Paul Murray, worry that Atwell might hack into the District’s information vault?
Denham’s chronology: Ciarniello opted to secure the workstations used by employees and officers of the District who are deemed to be “high-profile” and therefore likely targets for an IT security breach.
Ciarniello stated that this strategy was adopted so that the District Directors would be able to reassure Mayor Atwell that steps had been taken to secure the District’s IT infrastructure.
Focus commentary: Did this specific direction make sense as an effective strategy to address the District’s security issues? In Denham’s “Conclusions” she notes, “[S]ecurity measures taken by the District may have resulted in a net reduction to IT security by concentrating the personal information of key employees and officers in one location, creating a ‘honeypot’ for external attackers.”
If Ciarniello was intent on improving security, why would she have chosen a strategy that could actually weaken security? Was the choice of effective monitoring over effective security a mistake? Or was it deliberate? Whistle Blower’s understanding is that it was deliberate.
Moreover, there is no record that any District director made any attempt to “reassure” Atwell that “steps had been taken to secure the District’s IT infrastructure.” He was kept in the dark until WB came forward. If not for that person’s initiative, Atwell might still be typing away, unaware he was being intensely monitored.
Denham’s chronology: Assistant Manager of IT John Proc stated that deploying monitoring software only on the workstations of high-profile users was considered an interim measure until the District was able to install and configure a district-wide Intrusion Detection System (“IDS”) and Intrusion Prevention System (“IPS”) capability that would protect all District workstations. The Assistant Manager stated that this was considered an effective interim step because the district-wide IDS/IPS solution would be too expensive to rapidly implement.
Focus commentary: The foundational logic of using an employee monitoring strategy is difficult to grasp. Does it follow that a course of action that would create a “honeypot” for external attackers would be deemed “effective” just because a real security system would be “too expensive to rapidly implement”? Alarm bells are ringing. Were the objectives of the initiative rapid implementation and low cost—or effective network security?
Denham’s chronology: Nov. 19, 2014: Ciarniello met with Chief Administrative Officer Paul Murray, the Chief of the Fire Department, and the Directors of Legislative Services, Planning, Parks and Recreation, and Finance. The use of a security strategy focussed on high-profile users was discussed and the Directors were advised that protection and monitoring software would be installed on the following employee workstations: 1. the Mayor; 2. two shared workstations for Councillors; 3. the CAO; 4. the Directors of Corporate Services, Legislative Services, Planning, Parks and Recreation, Finance, and Engineering; 5. the Chief of the Fire Department; and 6. two executive administrative assistants.
Focus commentary: Saanich’s FOI office confirmed that no minutes were made of the proceedings of that November 19 meeting. Prodded, Saanich did provide the only record made at the meeting by Ciarniello—a hand-written note to herself that contained 13 words: “Council machines”; “Paul + Directors”; “Assistants”; “Same protection from hacking put on all machines.” The absence of a substantial record of the meeting, other than that it took place, suggests an organization that has a keen grasp on the downside of accountability.
Of the computers on which Spector 360 was installed, two were shared by several people—those used by councillors. All other computers were dedicated to a single individual, including the mayor’s. Of those individuals, records show that only Mayor Atwell was kept in the dark that monitoring software had been installed on his computer. Does this prove Atwell was being targeted? It comes close, but what about the councillors’ computers? They were to be monitored too.
I asked Councillor Colin Plant if he had been informed that his computer use would be monitored. Plant said, “No,” and added, “I was never given a Network Access Terms and Conditions form to sign. When the story hit that the mayor had been given one and hadn’t signed it [Atwell maintains he wasn’t given this form] I asked the Director of Corporate Services why I had not been asked to sign a form. I was told that because the Council computers did not access the Saanich network we did not need to sign that form.”
Let’s review that. The supposed purpose of installing the software was to protect the District’s network, but the councillors’ computers didn’t have access to that network. Why, then, were the councillors’ computers being monitored if they didn’t have access to the Saanich network? Was this part of a strategy to make it appear—in case of discovery—that Atwell had been treated the same as other elected officials?
Noteworthy, too, is that Director of Legislative Services Carrie MacPhee was present at that November 19 meeting. MacPhee is the District’s officer responsible for compliance with FIPPA’s privacy provisions. In a recent letter to Laidlaw, Denham referred to MacPhee’s presence at that November 19 meeting and pointed out, “[I]n the documents provided to my staff by the District we can find no mention of any concerns being raised regarding the privacy implications of this course of action, or of the need for the District to consider its obligations under FIPPA before proceeding.”
Denham has said that the whole affair could have been avoided if Saanich had completed a “Privacy Impact Assessment.” Saanich has, in the past, performed PIAs before instituting other IT initiatives. As Denham’s report makes clear, had one been undertaken in this case, Saanich would have needed to consult with her office before proceeding to implementation. Why did MacPhee fail to recommend completing a PIA before proceeding with the intensive monitoring strategy? (MacPhee did not respond to repeated emails.)
The answer to that, at least in part, seems straightforward: Completing a PIA would have slowed implementation and would have required that Atwell and the councillors be notified that their personal information was going to be collected—before it was collected. If the objective had really been to impress the mayor as Ciarniello told Denham, wouldn’t notifying Atwell and the councillors have been the chosen course of action? If spying was the objective, though, what would be the purpose in warning Atwell that he would be spied upon? For whatever reason, MacPhee didn’t insist on a PIA and Kvemshagen and Ciarniello were able to proceed quickly and quietly.
Denham’s chronology: Immediately after this meeting Ciarniello directed Kvemshagen to research and procure protection and monitoring software. Kvemshagen then directed Proc to research and source software that could be installed on selected workstations and record all user activity.
Proc understood that the goal was to have a forensic auditing capability. The software was also to have the ability to determine whether user accounts were accessing areas which they were not supposed to be accessing.
Nov. 20, 2014: After researching available options through an online search, Proc reported back to Kvemshagen, recommending that the District acquire Spector 360.
Kvemshagen reported to Ciarniello that available alternatives had been researched and that he recommended Spector 360. Kvemshagen stated that this program would provide IT staff with information to assist in identifying and mitigating a security breach.
Focus commentary: The speed with which decisions were made is breathtaking. After taking no action for six months, it took only three days to decide on a new “security” system and one day to do an online search for which system to buy. An interesting feature of the desired security system was that “The software was also to have the ability to determine whether user accounts were accessing areas which they were not supposed to be accessing.” This would have been particularly useful if the motivating concern was that Atwell would use his IT technology skills to look for skeletons in the closet.
Elsewhere in her report, though, Denham points out “that the software didn’t restrict access to sensitive IT resources and could only provide information about a security breach after it had taken place.” Unless, of course, the information being collected by the system was being monitored more or less continuously. Then it could be known right away when someone went looking for skeletons in the closet.
This was the point in the timeline at which the conversation in Whistle Blower’s recollection took place.
Denham’s chronology: Nov. 21, 2014: Spector 360 was purchased.
Nov. 26 to Dec. 3, 2014: District IT staff installed Spector 360 on 13 employee workstations. Spector 360 was installed with the default configuration, which provided for: 1. automated screenshots at 30-second intervals; 2. monitoring and logging of chat and instant messaging; 3. a log of all websites visited; 4. recording all email activity (a copy of every email is retained for 30 days); 5. a log of file transfer data to track the movement of files on and off the District network; 6. a log of every keystroke made by a user; 7. a log of program activity, recording which windows were open and which window had the focus of the user; 8. a log of when the user logged in and logged out; 9. tracking of every file created, deleted, renamed, or copied; and 10. a record of network activity including applications that are connecting to the internet, when the connections are made, the internet address they connect to, ports being used, and the network bandwidth consumed by those connections.
Data collected by the Spector 360 tool was encrypted and stored on a virtual server located at Saanich City Hall. The virtual server is dedicated to Spector 360. The server was configured to retain the data for a period of three months. There is no backup copy of this information.
Kvemshagen and Proc both described the implementation and configuration of Spector 360 as providing a reactive approach to IT security, helping to enable rapid remediation after a security breach.
District IT staff were directed by Proc to use a “silent” installation, which refers to installation without any user input on the target computer and were specifically directed to configure the software to enable keystroke logging and timed screenshots.
With regard to the specific direction to enable screenshots, Proc stated that there were concerns from IT staff that frequent screenshots could result in a possible drain on IT resources. However, in consultation with the vendor for Spector 360 it was determined that the software could be configured to enable screenshots with negligible effect on IT resources.
With regard to the specific direction to enable keystroke logging, District IT staff had expressed concerns about the privacy implications of keystroke logging. Proc directed staff to enable keystroke logging because it had been specifically authorized by District management.
Focus commentary: The specific direction to enable keystroke logging and frequent screenshots is one of the strongest pieces of evidence that the motivation of District staff was internal surveillance, not security from outside hackers. The IT analyst who was instructed by Proc to download the Spector 360 software on November 24 seemed to know that when she wrote Proc and asked, “So do I get filled in with what’s going on? [redacted]? Surveillance software. Sounds ominous.”
Elsewhere in her report Denham noted that some aspects of the Spector 360 software were “at least minimally related to the securing of the District’s IT resources.” But a couple of points Denham made that I’ve already mentioned are worth reiterating. First, she noted that the software didn’t restrict access to sensitive IT resources and could only provide information about a security breach after it had taken place. Secondly, she observed that “Any tool that monitors network traffic or collects confidential information in one place is a primary target for attackers. This is particularly the case where, as with the District’s implementation of Spector 360, logs that monitor administrator access to the server are not enabled.”
Saanich’s failure to enable the logging of administrative access to the information collected by the software led Denham to make a statement that she couldn’t rule on whether the information had been used.
Why would those logs not have been enabled? Although Denham noted this was “a common security failing,” it’s also consistent with a plan to quietly monitor Atwell’s activity. Was the decision to not enable access logs made so that no one could later see who accessed the data collected, or how often they had accessed it?
The surreptitious nature of the initiative is alluded to by Denham in her reference to Proc’s instruction to an IT analyst to perform a “silent installation” of the software once it had been purchased and downloaded. But that doesn’t fully capture the extent of the District’s culture of secrecy. Months later, the District tried to cover up the secretive circumstances in which the software had been deployed. FOI requests that captured Proc’s emailed instruction for a “SILENT deploy” all came back with the word “SILENT” unjustifiably blacked out. A small, but telling misuse of FIPPA by the District.
Denham’s “Chronology of Events” continued on right through to January 21, 2015, when the software was disabled by Saanich, but the key staff decisions and justifications for those decisions are captured in the text above. The striking differences between what Saanich staff said were their objectives and what Denham reported they achieved seem to all support Whistle Blower’s allegation that the software initiative’s objective was to monitor Atwell, and that other installations of the software were done to make it look like the mayor wasn’t being targeted.
Sadness in Saanich
At the April 13 meeting at which Saanich councillors voted to have Laidlaw give them an in camera report, Atwell asked his fellow councillors to support a motion that Saanich apologize to those people whose privacy rights had been violated. Citizens at the crowded meeting were given a chance to voice their opinions on Atwell’s motion.
One of the speakers was Shellie MacDonald, who said, “I feel sad that someone in our staff for our community decided to spy on an elected official. I feel sad that that’s our culture. I feel sad that people on this council did not work as a team to find out what was going on, and talked freely about things like impeachment in the media afterwards.
“We elected you folks to do your best and work together. You all promised to do your best for us, for the benefit of our community, and it’s just been sad for months.
“In human culture, when people are sad, then the people who caused that need to apologize. And if there’s any doubt about who needs an apology…I do. And everyone who voted for you people because you promised to do your best and we haven’t seen it; and you promised to be responsible and we haven’t seen it. And you need to work as a team and you haven’t done that. We need that and we need an apology.”
The majority of the councillors were unmoved. Apparently unwilling to fully accept Denham’s verdict that Saanich staff had broken privacy laws, and out of touch with the widely-held perception in their community that democratic representation had been eroded, if not insulted, most councillors weren’t feeling sad. They voted against any apology and then voted again to avoid even an expression of regret.
David Broadland is the publisher of Focus Magazine.