The whistle blower's tale: part 2

By David Broadland, June 2015

The spyware installed on Mayor-elect Richard Atwell’s computer was only one of three IT strategies that targeted him.

New evidence brought forward by current and former employees of the District of Saanich’s IT department may create additional pressure on BC’s Attorney General Suzanne Anton to investigate whether, on the direction of senior Saanich officials, the communications of Mayor Richard Atwell were wilfully intercepted. Section 184 of the Canadian Criminal Code provides for punishment of up to five years in prison for the “wilful” interception of private communications between parties unless at least one of the parties agrees to the interception. Atwell has said he was never informed by the District of the interception. Saanich has provided no proof he was.

Before getting to that new information, let me remind you of what we already know.

The public position of the District so far has been that Spector 360 employee monitoring software was installed on 13 District computers as a temporary network security upgrade in order to impress upon the newly-elected mayor that recommendations made in a May 2014 computer network security audit by Wordsworth & Associates had been acted upon. The District decided to install the monitoring software on November 19, only four days after Atwell defeated long-time incumbent Mayor Frank Leonard in a bitterly-contested election.

Atwell became aware of the monitoring software on December 11 after a Saanich IT department employee (whom Focus has named “Whistle Blower”) expressed concerns to his former manager at Saanich, Jon Woodland, who is now the manager of IT at the Township of Esquimalt. Woodland contacted Atwell who then interviewed Saanich IT department employees until he found Whistle Blower.

Atwell then requested that Saanich Police investigate. On January 12 Saanich Police provided an opinion to Saanich Council that no criminal code violation had occurred. That same day, Atwell went public with his concerns. Shortly afterwards, BC’s Information and Privacy Commissioner Elizabeth Denham announced she would conduct a formal investigation to determine whether BC privacy law had been broken. 

In late March Denham delivered a scathing report that found Saanich broke BC privacy law when it installed the software and then collected the personal information of Atwell and others. Her report challenged the District’s claim that the initiative was a response to the Wordsworth & Associates’ security audit. Denham reported that installation of the software likely weakened the District network’s security against external attacks. She also observed that access logs that would have recorded whether anyone had accessed the information collected from the mayor’s computer hadn’t been enabled.

Denham’s report revealed that five District directors, the Fire Chief and CAO Paul Murray met on November 19, 2014 and discussed the use of “a security strategy focussed on high-profile users.” No written record of that meeting was kept, so it’s uncertain what action was actually agreed to by assembled directors. Records obtained by FOI show Spector 360 employee monitoring software was purchased on November 20. On December 2, Director of Corporate Services Laura Ciarniello gave approval to District IT Manager Forrest Kvemshagen to enable the software. An email between Ciarniello and Kvemshagen shows that Murray was aware that employee monitoring software had been installed.

Last month I wrote here about an affidavit prepared by Whistle Blower on January 17. The document was created to protect Whistle Blower in case Saanich took disciplinary action against him—which it subsequently did. More on that later. In the affidavit, Whistle Blower stated that on November 20 he was told by the District’s Assistant IT Manager John Proc that monitoring software was to be installed on 13 District computers. Whistle Blower quoted Proc as saying, “They are nervous about the new mayor…we’re installing it on the directors’ computers as well to make it look like it is not targeted.”

A spokesperson for the District of Saanich refused to comment on the allegation, saying only that such comment would be “premature” given that an internal report was being prepared by Saanich’s interim CAO Andy Laidlaw.

Since then, Focus has obtained additional records that show the installation of Spector 360 monitoring software on Atwell’s computer was only one of three actions Saanich’s IT department was ordered to undertake that were aimed directly at Atwell. 

The records were provided by former and current Saanich IT department employees on condition of anonymity; they fear Saanich will retaliate if their names are known. No details that could harm the security of Saanich’s network were sought or shared.

 

ON NOVEMBER 17, 2014, two days after Atwell’s victory over Leonard, the District’s IT department began preparing for the transfer of political power from Leonard to Atwell. This included emailed instructions from Assistant IT Manager John Proc to his staff for physical removal of Leonard’s computer to IT department offices for “secure archival storage” in a “locked environment.” The email also shows that Leonard’s access to departmental shared drives was to be set up on a home-based computer (this access ended on December 1).

In the same email, IT staff were directed to configure a new computer for Atwell’s use in the mayor’s office with “no other shared drive access at this time.”

This first initiative, then, served to prevent Atwell from accessing files to which Leonard had access. Atwell recently confirmed that, six months later, he still has no access to any departmental shared drives.

The second initiative was undertaken a few days later. At 8:55 am on November 21—the same day that Proc purchased Spector 360 employee monitoring software for installation on Mayor-elect Atwell’s office computer—a Saanich IT division employee used an iPhone to photograph a series of actions mapped out on a whiteboard. The directions in the plan showed that Atwell’s office computer would be configured so that any attempt by him to access the District’s corporate intranet—the heart of information exchange between Saanich employees—would be redirected to the network that’s available in places like recreation centres. That is, unlike Leonard, who could access all the information and ideas on that intranet, Atwell was locked out. Atwell recently confirmed he still has no access to Saanich’s corporate intranet.

This new information changes the story in two ways.

First, the technical details of the two initiatives make it even more difficult to accept the security rationale for the Spector 360 software on which Saanich’s defence of its actions depends.

Second, the basic nature of the two initiatives outlined above, which have isolated Atwell from information needed to function properly as mayor, and shut off his access to the conduit through which Saanich employees communicate amongst themselves, raises serious questions about the motivation behind all three schemes.

Let’s examine the security rationale again, this time in light of the new information, and then circle back to the underlying nature of the managers’ actions.

I recently asked Laidlaw by email if he was aware that Atwell’s computer had been isolated from the District’s network through initiatives undertaken by Saanich’s IT division. Laidlaw replied, “The set up on Mayor Atwell’s [computer] was identical to the set up on Mayor Leonard’s computer.” That assertion, obviously, is deeply at odds with the records Focus has obtained.

In her report, Denham outlined the rationale the District had given her investigators for why they had chosen employee monitoring software to strengthen network security. She stated, “Proc understood that the goal was to have a forensic auditing capability. The software was also to have the ability to determine whether user accounts were accessing areas which they were not supposed to be accessing.”

We now know that Atwell’s computer had been blocked from accessing anything but his Saanich email account, his own personal files, and the internet. The councillors’ computers could only access the internet. So I asked Laidlaw why the Spector software had been put on Atwell’s and the councillors’ computers, which had no access to the sensitive files the employee monitoring software was apparently intended to guard. Laidlaw wrote, “When council use these machines, they access their personal accounts; malware could be transferred to the network through emails or sharing of files on flash drives.”

I asked Jon Woodland for his opinion of Laidlaw’s claim that putting employee monitoring software on computers would protect them from malware. Woodland said, “Let me reiterate that Spector 360 provides exactly zero protection against malware and virus attacks, and, that Saanich IT staff had to disable portions of Saanich’s existing anti-virus features to allow Spector 360 to be installed on the PCs. Otherwise, their existing security measures would have prevented the installation of Spector 360.”

Even if Atwell and the councillors’ computers did have access to the District’s network, why wouldn’t Saanich simply use anti-malware and anti-virus software to protect them? I posed that question to Laidlaw, who then responded, “It was never the intent to have Spector act as an anti-virus or anti-malware software—Saanich has other programs that complete these tasks. Spector was implemented as a forensic analysis tool.”

That response, a feat of circular logic, takes us back to my first question to Laidlaw: Why would a forensic analysis tool be put on computers that had no access to sensitive files? The District is unable to explain this.

The absence of a reasoned explanation coincides with an absence of records: Saanich’s FOI office has been unable to provide a single written communication showing that Murray, Ciarniello, Kvemshagen or Proc considered how employee monitoring software related to any of the recommendations made in the Wordsworth & Associates audit.

If there was no credible security rationale for the three initiatives managers ordered, then why were they ordered?

Two of the initiatives limit Atwell’s access to information. Was there sensitive information someone was fearful Atwell would find if he were able to access departmental shared drives and the corporate intranet?

Given the reputation of the mayor-elect, such a fear might be understandable. Atwell first came to public attention for his critique of CRD bureaucrats’ handling of the sewage treatment plan. He filed FOIs, analysed that information, and compared what he found to CRD claims—and soundly embarrassed CRD staff when they provided misinformation. Atwell was a highly effective community activist. But he then took his activism to the next level and campaigned for mayor on a platform of change and more open and transparent government. Against all expectations, he won. Perhaps those at the top in Saanich were caught by surprise and felt compelled to quickly circle whatever wagons they could rustle up.

Take, for example, the position in which CAO Paul Murray found himself following Atwell’s surprise victory.

Murray had made statements during the election that indicated he favoured Leonard. He told a gathering of Saanich managers that he couldn’t work with Atwell. Following Atwell’s unexpected win, Murray was suddenly in an awkward position, and, as it turned out, he had a lot to lose. Through an FOI we know that, earlier in 2014, Leonard and the previous council had agreed to an unusually generous compensation package for Murray in which he was given a retroactive salary increase from $16,151.50 per month to $18,432. A personal letter from Mayor Leonard informed Murray his annual salary would rise to $250,000. A previous contract had stipulated payment of 18 months severance if Murray were terminated without cause—a much more generous provision than other local municipal executive contracts allowed. Murray’s settlement agreement with Saanich strictly reflected the terms of that contract.

Atwell, after being advised by an expert on municipal law that Murray’s publicly-stated unwillingness to work with him presented a problem, met with Murray to determine whether he would be willing to consider leaving Saanich under the terms of his employment contract. Atwell has since said Murray agreed to leave. Unfortunately, Atwell hadn’t seen Murray’s contract. Saanich staff refused to provide him with a copy, and because of the IT initiative described above that prevented Atwell from accessing shared departmental drives, he was unable to access Murray’s contract directly. So Atwell didn’t understand the significant financial impact Murray’s leaving would have, and this mushroomed into a political fiasco for Atwell. The new mayor was roundly blamed for the outcome, the conditions for which had been set in place by the previous council’s generous compensation package and Murray’s stated unwillingness to work with Atwell.

If the IT initiatives launched after Atwell’s election were a circling of the wagons, Saanich managers’ specific choice of wagons has since turned out to be a colossal embarrassment to the District: An arguably political decision was made to block Atwell’s access to departmental shared drives and the corporate intranet, access that Leonard had enjoyed. At the same time, a decision was made to install employee monitoring software on Atwell’s computer—which, according to Whistle Blower’s account of his conversation with Proc, was aimed only at Atwell. IT experts have ridiculed Saanich’s claim that Spector 360 was a legitimate response to the Wordsworth & Associates security audit. In any case, Atwell couldn’t access the files Saanich says it was trying to protect, so placing Spector 360 on his computer didn’t make sense on that basis alone. Moreover, there is no written record that even a cursory consideration of the merits of Spector 360 as a response to the security audit ever took place amongst senior managers.

The big remaining question, one that Laidlaw is widely expected to avoid, is this: Who, ultimately, made these decisions and ordered the three initiatives?

Saanich’s Information Technology division is part of the Department of Corporate Services, which is headed by Ciarniello. Ciarniello’s boss at the time was CAO Paul Murray. Although FOIs have shown that Ciarniello gave approval to Kvemshagen to purchase, install and enable the Spector 360 software, Focus has found no explicit approval from Murray. The records obtained, however, make it clear that Murray was aware that employee monitoring software had been installed on Atwell’s computer. 

Who approved the IT measures that were taken to isolate Atwell’s computer from departmental shared drives and the corporate intranet on November 17 and November 21?

I put this question to Woodland, who worked in Saanich’s IT division for 16 years before moving in 2012 to manage the same division in Esquimalt. “I would think that Kvemshagen would only need Ciarniello’s approval,” Woodland said. “However, this would typically be a directive from the CAO. That doesn’t mean it has to happen that way.”

 

COMMISSIONER DENHAM DETERMINED that Saanich broke BC privacy law when it collected the personal information of Atwell and others whose communications were intercepted by the program Ciarniello approved. Had it not been for Whistle Blower’s conviction that what Ciarniello approved was morally wrong, Denham would probably never have learned that Saanich managers were spying on an elected official. So it may come as a surprise to readers that the only person who has been punished as a result is Whistle Blower.

Before I tell you about that, here’s what Section 30.3 (c), the “Whistle-blower protection” provision of BC’s Freedom of Information and Protection of Privacy Act, says about an employer disciplining an employee who acts to stop the employer from violating the Act: “An employer, whether or not a public body, must not dismiss, suspend, demote, discipline, harass or otherwise disadvantage an employee of the employer, or deny that employee a benefit, because the employee, acting in good faith and on the basis of reasonable belief, has done or stated an intention of doing anything that is required to be done in order to avoid having any person contravene this Act.”

In order to avoid having his employer continue to contravene the Act by intercepting the mayor’s and others’ private communications, Whistle Blower did what he felt was required to be done. After repeatedly expressing concern to his managers and asking if they had informed Atwell that he was being monitored, and repeatedly receiving “wishy-washy” responses, he sought the advice of his former manager, Jon Woodland.

As a result, Whistle Blower was required to appear before a disciplinary hearing chaired by Saanich’s Manager of Human Resources Jo MacDonald. Also attending the hearing were Proc and Kvemshagen. At the hearing, Whistle Blower repeated, in front of Kvemshagen and Proc, his recollection of his conversation with Proc in which Proc told him Atwell was the target of the monitoring software. 

MacDonald accused Whistle Blower of breaking two of the District’s “confidentiality” requirements. One of those, which appeared in Whistle Blower’s job description, stated that he “will not release or discuss non-routine municipal or departmental business without prior authorization.”

From whom was Whistle Blower expected to get “prior authorization”? The entire management chain, from Ciarniello down to Kvemshagen and Proc, was part of the decision to install monitoring software on Atwell’s computer. This put Whistle Blower in an extraordinarily untenable position.

The other District policy MacDonald claimed Whistle Blower defied was, ironically, the District’s Code of Ethics, which states: “A municipal employee shall not use information which is not available to the general public for his or her own personal profit or advantage and shall not provide such information to others unless it is in the course of the employee’s duties to do so.”

Who could believe that Whistle Blower sought Woodland’s advice for “personal profit or advantage”? And surely Section 30.3 (c) made it his legal duty to do whatever he could do to “avoid having any person contravene this Act.” A sworn affidavit describing what Whistle Blower told Woodland shows the only information divulged to Woodland was that Saanich’s IT division was ordered to install a key-logger on Mayor Atwell’s computer.

Apparently unaware of the prohibition against discipline under FIPPA’s Whistle-blower protection, MacDonald suspended him without pay for two days. At that point, Whistle Blower was already looking for a better place to work. So he quit. He has since found that place. Still, that an individual who had a properly functioning moral compass would be disciplined for breaking a “code of ethics” is vexing.  

Saanich managers are clearly struggling with the basic principles of democratic governance. As Focus went to press with this story, we received word that Laidlaw had called a meeting of the few remaining members of the District’s IT division—over half the staff have either quit or gone on sick leave since Saanich became Spyynich—where they were threatened with dismissal if they spoke with Focus; former employees, too, were threatened with legal action unless they divulged to Laidlaw “the particulars of any information you have provided to anyone not currently employed at the District of Saanich.” Focus to the District of Saanich: This is Canada, not North Korea.

David Broadland is the publisher of Focus Magazine.

Attachments:
FOI 10-15 Package.pdf (593.92 KB)
Settlement Agreement - Revised.pdf (232.89 KB)