Monday, April 14, 2008

Is losing employee consent the price to be paid for cyber-terrorism safety?

I read with some initial horror this morning that the Federal Attorney-General, Robert McClelland, has proposed amendments to the Telecommunications (Interceptions) Act among other legislature to be introduced in order to combat cyber-terrorism. These amendments apparently (I can't find the original documents for all the searching I have done so far today after trawling the parliament website, all I could find is a proposed amendment from February that just expands warrant powers) allow companies and others who run critical infrastructure (apparently the financial system, stock exchange, electricity grid, transport system, etc.) to monitor employee use of the internet including email and other communications without their consent. The Act so far only allows those working in security agencies to be monitored without consent.

McClelland and Julia Gillard have spoken out to say that these amendments will help in securing Australia's infrastructure against cyber-terrorism, because a terrorist attack on critical infrastructure would "reap far greater economic damage than would be the case of a physical attack", according to McClelland, which Gillard backed up soon after.

Why do the A-G and Julia Gillard suppose that cyber-terrorists are likely to be working from within an infrastructure company? McClelland used the example of the Estonian hackers which used a bot-net of thousands of external zombie computers to take down the system. This isn't something that will be fixed by monitoring, all it requires is decent Distributed Denial of Service (DDoS) attack prevention mechanisms, which are available. And even if they still think that insider jobs facilitate terrorist attacks, why do they think that cyber-terrorists that may happen to be inside the company are likely to be stupid enough to communicate through company channels?

I'm also interested in what sort of mechanisms they are putting in place to avoid situations where employers with a grudge could use this law to poke into private affairs of their employees who are in no way a danger to the company or Australia's infrastructure, and how they are proposing that employers effectively monitor their employees for terrorist activity. What sort of delegation of these powers would there need to be to, say, someone employed by the company to monitor other employees? What sort of checks and balances are there for this? It seems like it would be detrimental to Australia's security if employers could act as if they were security experts and identify likely threats from innocuous emails.

Another thing that needs to be asked is why consent needs to be taken away. Consent can be construed as a waiver of normative expectations, according to Neil Manson and Onora O'Neill (and my upcoming thesis on informed consent in ICT will explain why I think this is a reasonable model to apply to ICT). It seems here that by legislating consent out of a workplace agreement that the government here is almost attempting to make workplace surveillance the norm. This surprises me coming from a supposedly liberal government! Why is not having an employee's consent important to this bill? Surely we can have a bill that allows for all the other parts with explicit knowledge of the employee. Many companies already have internet use policy agreements with their employees, which involve degrees of surveillance. Legislating this sort of thing is fine, but surely, like collecting tax file information or as part of a standard contract for employment, the legislation could include some sort of policy for detailing the surveillance and obtaining consent from the employee?

McClelland has said that information from these communications could be used in "for instance, disciplinary matters regarding the employees' conduct or any other privacy issues. In other words, you're not interested in communications from employees' friends, their children, other family members." I fail to understand why this sort of thing isn't already covered by the existing legislation though, or why it is necessary to remove consent from the equation, or put employers (and/or the person delegated to deal with these matters) in charge of judging the relevance of personal communication.

I agree that infrastructure is a juicy target for potential cyber-terrorist attack, but this set of laws is not the way to protect infrastructure. Infrastructure needs good solid protection through careful construction and management and contingency plans, not the ability for employers to be able to monitor their employees' internet use. If that's not what this is about, then terrorism needs to be fully disconnected from the discourse about this law. Otherwise, it's just fear-mongering, something more suited to the dim dark past of Australian government history.


Nick said...

So you are saying, as I understand it, that we are monitoring a system of communication a) in a way that seems to be dubious at best, and b) that most probably will not by used by said baddies anyway?

Adam said...

Good work catie.
It seems a poorly thought out idea at best, and a very very dodgy one at worst.
I like the idea of allowing employers to police their employees. Great, no chance for abuse there.
As for the real threat, shouldn't the government have rolled out protecting the children at some point, it seems a pretty standard line when talking about contolling the internet. But perhaps throwing children in would be a bit overboard.
If you manage to find anything specific on this, please post it.

liedra said...

Nick, yeah, that's basically what I'm saying. They are essentially making a false correlation between employee surveillance and cyber-terrorism prevention. It's just astounding.

Adam, thanks! And yeah, I dunno, maybe something like a national pornography filter implemented at the ISP level to shield our childrens' eyes from the horrors of the inter...WOAH HANG ON