Saanich Mayor Richard Atwell was given a form alerting him to the security software installed on his office computer, but he didn’t return it signed, according to a statement released by municipal staff on Wednesday.
But Atwell maintains that the security software, which can record every keystroke and monitor online activity, was installed “without his knowledge or consent.”
“Prior to being permitted access to the Saanich corporate computer network, employees are required to sign a Network Access Terms and Conditions form,” said a statement released by Laura Ciarniello, Saanich’s director of corporate services.
The mayor was given this form when his computer was installed on Dec. 2, the statement said. “Although no signed form has been returned by the mayor, computer access was granted to facilitate his role in the organization,” it said.
Atwell took his concerns to Saanich police on Dec. 15. Chief Bob Downie told Saanich council at an in-camera meeting Monday night that there was no criminal wrongdoing on the part of municipal staff. Atwell said the police department is in a conflict of interest and he has filed a complaint with the Office of the Police Complaint Commissioner.
The security software form refers to Saanich policy that says “the District may access, inspect, retrieve, review, read, copy, store, archive, delete, destroy, and distribute or disclose to others (including courts and law enforcement authorities) all communications system data and uses, including email, voicemail and Internet use, without any further notice and as the District in its sole discretion may consider necessary or appropriate.”
Atwell said he believes he is being spied on, which is why he won’t use his office computer and has set up a separate email account for municipal work.
The software Spector 360 was purchased on Nov. 21, less than a week after the election, and installed on a group of “key computers,” the statement said. It did not say which computers or how many.
A May 2014 independent audit of Saanich’s computer system recommended the software to protect against external hacking and to monitor “internal activity that may result from external threats.”
The statement did not explain why it took six months for the security software to be purchased.
“Spector 360 creates a definitive record of digital behaviour and, in doing so, provides organizations with the ability to monitor internal activity that may result from external threats,” the statement said. “This software assists Saanich by deterring theft and potential leaks of data and protects high-profile users.”
Data captured can be reviewed only with authorization from the chief administrative officer or the director of corporate services, and “would only be triggered in response to an incident.”
Coun. Vicki Sanders said when Atwell raised concerns in mid-December, councillors knew the software was installed on some computers. “We were quite comfortable it was being put on computers that were most vulnerable: finance, corporate records, staff records, things there would be a great fear [if] someone could access private information.”
But in a letter to the Times Colonist, B.C. privacy commissioner Elizabeth Denham said “employees have a reasonable expectation of privacy in the workplace, even when using a computer supplied by an employer.”
“We all expect governments and businesses to secure their networked systems against outside intrusions, malware or other threats. But employees don’t check their privacy rights at the office door. Privacy law sets a very high threshold for the use of routine monitoring tools such as keyboard logging, workstation mirroring or tracking of personal messages,” Denham wrote.
The B.C. government and the City of Victoria said they do not use spyware software to monitor employees’ computer activity.
Walter Ash, a Victoria software developer, called keystroke logging software such as Spector 360 “a highly questionable, grey area implementation of security.”
Ash said many computer operating systems, such as Windows and Mac OS X, have mechanisms that block keystroke loggers, and antivirus software usually detects them as malicious software because the programs are often used by criminals to steal information such as credit card numbers and passwords.
He said while it’s common for IT departments to set up software to prevent employees from accessing harmful or illegal sites, there are “numerous ‘intrusion detection’ software systems that analyze network activity and computer usage to look for potential signs of hacking or unauthorized access, which do not rely on keyboard capture and screen shots.”
With a file from Lindsay Kines