<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	>
<channel>
	<title>Comments on: Lies, Damned Lies and National Security</title>
	<atom:link href="http://clubtroppo.com.au/2008/04/15/lies-damned-lies-and-national-security/feed/" rel="self" type="application/rss+xml" />
	<link>http://clubtroppo.com.au/2008/04/15/lies-damned-lies-and-national-security/</link>
	<description></description>
	<pubDate>Fri, 05 Dec 2008 10:38:41 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.6.5</generator>
		<item>
		<title>By: KRudd becomes Big Brother &#171; Balneus</title>
		<link>http://clubtroppo.com.au/2008/04/15/lies-damned-lies-and-national-security/#comment-272823</link>
		<dc:creator>KRudd becomes Big Brother &#171; Balneus</dc:creator>
		<pubDate>Sun, 18 May 2008 08:29:38 +0000</pubDate>
		<guid isPermaLink="false">http://clubtroppo.com.au/2008/04/15/5204/#comment-272823</guid>
		<description>[...] Club Troppo posts by Jacques Chester are worth reading: &#34;Lies, damned lies, and national security&#34; (2008-04-15) and &#34;And then a stupidity occurs&#34; [...]</description>
		<content:encoded><![CDATA[<p>[...] Club Troppo posts by Jacques Chester are worth reading: &quot;Lies, damned lies, and national security&quot; (2008-04-15) and &quot;And then a stupidity occurs&quot; [...]</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Stephen Bounds</title>
		<link>http://clubtroppo.com.au/2008/04/15/lies-damned-lies-and-national-security/#comment-262197</link>
		<dc:creator>Stephen Bounds</dc:creator>
		<pubDate>Wed, 16 Apr 2008 13:27:18 +0000</pubDate>
		<guid isPermaLink="false">http://clubtroppo.com.au/2008/04/15/5204/#comment-262197</guid>
		<description>Chui:  In theory, personnel security checks filter out the terrorists.

Any organisation that routinely deals with sensitive information should have a security clearance requirement for IT Systems Administrators.  Typically this is one level above the material being handled.

So for Restricted material, sysadmins need Secret clearance, for systems that handle Protected material, they need Highly Protected clearance, and so on.</description>
		<content:encoded><![CDATA[<p>Chui:  In theory, personnel security checks filter out the terrorists.</p>
<p>Any organisation that routinely deals with sensitive information should have a security clearance requirement for IT Systems Administrators.  Typically this is one level above the material being handled.</p>
<p>So for Restricted material, sysadmins need Secret clearance, for systems that handle Protected material, they need Highly Protected clearance, and so on.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Privacy Commissioner Consultation &#171; Balneus</title>
		<link>http://clubtroppo.com.au/2008/04/15/lies-damned-lies-and-national-security/#comment-262005</link>
		<dc:creator>Privacy Commissioner Consultation &#171; Balneus</dc:creator>
		<pubDate>Wed, 16 Apr 2008 04:27:44 +0000</pubDate>
		<guid isPermaLink="false">http://clubtroppo.com.au/2008/04/15/5204/#comment-262005</guid>
		<description>[...] &#8212; Dave Bath   For those following Jacques Chester&#8217;s recent Club Troppo posts (here and here) on our Federal Government&#8217;s cluelessness on IT security and privacy issues, [...]</description>
		<content:encoded><![CDATA[<p>[...] &#8212; Dave Bath   For those following Jacques Chester&#8217;s recent Club Troppo posts (here and here) on our Federal Government&#8217;s cluelessness on IT security and privacy issues, [...]</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Dave Bath</title>
		<link>http://clubtroppo.com.au/2008/04/15/lies-damned-lies-and-national-security/#comment-262002</link>
		<dc:creator>Dave Bath</dc:creator>
		<pubDate>Wed, 16 Apr 2008 04:20:56 +0000</pubDate>
		<guid isPermaLink="false">http://clubtroppo.com.au/2008/04/15/5204/#comment-262002</guid>
		<description>Oh, on a related note, http://www.privacy.gov.au/publications/breach_0408.html is a new consultation by the privacy commissioner on a code for notifying people of privacy breaches. Unfortunately, "Voluntary" is in the title. Submissions due mid June.</description>
		<content:encoded><![CDATA[<p>Oh, on a related note, <a href="http://www.privacy.gov.au/publications/breach_0408.html" >http://www.privacy.gov.au/publications/breach_0408.html</a> is a new consultation by the privacy commissioner on a code for notifying people of privacy breaches. Unfortunately, &#8220;Voluntary&#8221; is in the title. Submissions due mid June.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Dave Bath</title>
		<link>http://clubtroppo.com.au/2008/04/15/lies-damned-lies-and-national-security/#comment-261994</link>
		<dc:creator>Dave Bath</dc:creator>
		<pubDate>Wed, 16 Apr 2008 03:04:56 +0000</pubDate>
		<guid isPermaLink="false">http://clubtroppo.com.au/2008/04/15/5204/#comment-261994</guid>
		<description>Apart from the incompetence of managers being the main threat to critical infrastructure and organizations (primarily because of a lack of understanding of risk management issues and appropriate standards), almost every discussion of privacy in Australian electronic communications systems misses the fact of &lt;a href="http://en.wikipedia.org/wiki/ECHELON" rel="nofollow"&gt;Echelon&lt;/a&gt;, which goes through everything, voice included.

Any right to private electronic communications disappeared years ago.

Echelon Pact countries (including Oz and the US) have been abusing privacy this way for years.

Have a look at the 2001 &lt;a href="http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//NONSGML+REPORT+A5-2001-0264+0+DOC+PDF+V0//EN" rel="nofollow"&gt;European Parliament Report&lt;/a&gt; on Echelon.  Some of the rapporteurs even suggest that the UK should be kicked out of the EU if the UK continues doing this.

This raises a very real issue for Australia: participation in Echelon makes us a primary target for any group (terrorist or national) that wants to hit US SIGINT and military capabilities.  It's likely to be one major reason why Oz agencies got hit in May 2001 by what seemed like a "dry run" electronic warfare attack - one quietly acknowledged by a CIA director as a "horror month".

And in the preamble to the Europarl report was the apt Juvenal quote: Sed quis custodiet ipsos custodes.</description>
		<content:encoded><![CDATA[<p>Apart from the incompetence of managers being the main threat to critical infrastructure and organizations (primarily because of a lack of understanding of risk management issues and appropriate standards), almost every discussion of privacy in Australian electronic communications systems misses the fact of <a href="http://en.wikipedia.org/wiki/ECHELON" >Echelon</a>, which goes through everything, voice included.</p>
<p>Any right to private electronic communications disappeared years ago.</p>
<p>Echelon Pact countries (including Oz and the US) have been abusing privacy this way for years.</p>
<p>Have a look at the 2001 <a href="http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//NONSGML+REPORT+A5-2001-0264+0+DOC+PDF+V0//EN" >European Parliament Report</a> on Echelon.  Some of the rapporteurs even suggest that the UK should be kicked out of the EU if the UK continues doing this.</p>
<p>This raises a very real issue for Australia: participation in Echelon makes us a primary target for any group (terrorist or national) that wants to hit US SIGINT and military capabilities.  It&#8217;s likely to be one major reason why Oz agencies got hit in May 2001 by what seemed like a &#8220;dry run&#8221; electronic warfare attack - one quietly acknowledged by a CIA director as a &#8220;horror month&#8221;.</p>
<p>And in the preamble to the Europarl report was the apt Juvenal quote: Sed quis custodiet ipsos custodes.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Chui</title>
		<link>http://clubtroppo.com.au/2008/04/15/lies-damned-lies-and-national-security/#comment-261974</link>
		<dc:creator>Chui</dc:creator>
		<pubDate>Wed, 16 Apr 2008 01:23:12 +0000</pubDate>
		<guid isPermaLink="false">http://clubtroppo.com.au/2008/04/15/5204/#comment-261974</guid>
		<description>What's there to stop would-be terrorists from going to uni, becoming a Microsoft Certified Systems Engineer, joining the (**name your target here**) as an I.T. engineer, and filtering emails to find out the password of the critical system and hitting the Big Red Button? :)</description>
		<content:encoded><![CDATA[<p>What&#8217;s there to stop would-be terrorists from going to uni, becoming a Microsoft Certified Systems Engineer, joining the (**name your target here**) as an I.T. engineer, and filtering emails to find out the password of the critical system and hitting the Big Red Button? <img src='http://clubtroppo.com.au/wp-includes/images/smilies/icon_smile.gif' alt=':)' class='wp-smiley' /></p>
]]></content:encoded>
	</item>
	<item>
		<title>By: SJ</title>
		<link>http://clubtroppo.com.au/2008/04/15/lies-damned-lies-and-national-security/#comment-261946</link>
		<dc:creator>SJ</dc:creator>
		<pubDate>Tue, 15 Apr 2008 23:25:35 +0000</pubDate>
		<guid isPermaLink="false">http://clubtroppo.com.au/2008/04/15/5204/#comment-261946</guid>
		<description>Was responding to clarencegirl, not Ken.</description>
		<content:encoded><![CDATA[<p>Was responding to clarencegirl, not Ken.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: SJ</title>
		<link>http://clubtroppo.com.au/2008/04/15/lies-damned-lies-and-national-security/#comment-261945</link>
		<dc:creator>SJ</dc:creator>
		<pubDate>Tue, 15 Apr 2008 23:24:07 +0000</pubDate>
		<guid isPermaLink="false">http://clubtroppo.com.au/2008/04/15/5204/#comment-261945</guid>
		<description>The relevant passage of &lt;a href="http://www.ag.gov.au/www/agd/rwpattach.nsf/VAP/(CFD7369FCAE9B8F32F341DBE097801FF)~xBlunn+Report+13+Sept.pdf/$file/xBlunn+Report+13+Sept.pdf" rel="nofollow"&gt;the Blunn Report&lt;/a&gt; follows:

&lt;blockquote&gt;
&lt;b&gt;7. Protective Access&lt;/b&gt;
7.1 Both the Telco Act and the Interception Act presently recognise that some
functions related to the provision or operation and maintenance of services need to be exempted from the strict application of the general prohibitions against
interception, access and disclosure e.g. acts done by an employee of a carrier in the course of installing equipment or by a person providing an emergency service.
7.2 Understandably and properly those exceptions are tightly drawn and tightly
controlled.
7.3 During the review it became obvious that there are circumstances which are not appropriately catered for by the existing exemptions but which, although different, warrant special consideration.
7.4 In the main, those circumstances were related to the need to protect enterprise systems against damage whether deliberate or accidental. An example is the need to protect computer systems against unauthorised entry (hacking) or damage from viruses or worms. Whilst much of this can be achieved through systems applications there is often a need for human intervention which it is argued can involve interception or access in contravention of the relevant legislation.
7.5 There are two critical elements to ‘interception’: the first is the concept of the communication ‘passing over’ the system and the second is ‘the system’ that it is ‘passing over’. The concept of ‘passing over’ has received a lot of attention and I think is effectively resolved by acceptance of the idea of the communication being automatically processed as electromagnetic energy up to the point at which it can be directly accessed by the intended recipient. However the issue of ‘direct access’ does itself raise some issues about whether a communication is still ‘passing over’ the system and therefore subject to the Interception Act when it has been ‘downloaded’ but which, on its way to the recipient, is processed by equipment say a ‘firewall’ installed by the recipient or more contentiously, an employer to protect their equipment, and as a consequence is viewed by an authorised person as part of that process.
7.6 It is at least arguable that once such communications reach the equipment
installed by the ‘owner’ to protect their equipment they are no longer ‘passing
over the system’ or even within the system. If that were so they would no longer
be subject to either the Telco Act or the Interception Act.
7.7 If however such communications are still ‘passing over the system’ access would require an interception warrant. If they are not passing over the system but are still ‘within’ the system they would be treated as stored data. At the moment as stored data access would be in accordance with the Telco Act.
7.8 The submissions were overwhelmingly opposed to access to such communications being governed by the Interception Act. I agree. Even as stored communications the requirements of the Telco Act would appear to effectively preclude access for the intended purpose, i.e. the protection of the system.
7.9 The implications for the effective protection of systems if access is denied are serious including for very large users such as the States and the Commonwealth. The Department of Defence advises that without speedy access to the data major systems will be at risk with implications for essential functions and for costs. The current exclusion of stored data from the Interception Act is seen as enabling that speedy access.
7.10 Given the ‘rights’ of owners to protect their system, the potential consequences of not doing so, the universality of the need and the time-critical nature of the required response, it is not in my opinion possible to meet the reasonable needs to protect systems by amending the Interception Act to provide specific exemptions.
7.11 However from a privacy point of view uncontrolled access is simply not
satisfactory. An access regime should be established which provides appropriate
protections and prevents back-door use and access to obtain content. Those
protections should in my view restrict access to that required for the identified purpose i.e. the protection of the system. There should be clear authorisation and the persons with that authority should be clearly identified. Those persons should be required to protect the privacy of any data accessed in the same way that the employees of C/CSPs are required to protect data accessed in the course of their employment. The vexed question is what should happen where such access discloses evidence of criminal behaviour. This is similar to the situation previously discussed in relation to section 282. In my view in both situations the content of the communication should be protected but the person with access may report their view that there may be evidence of criminality etc. The data, presumably other than voice data, could then be accessed as if it were a stored communication i.e. by search warrant. The question of the use of the content of voice data raises significant evidentiary and other problems and should be separately considered.&lt;/blockquote&gt;</description>
		<content:encoded><![CDATA[<p>The relevant passage of <a href="http://www.ag.gov.au/www/agd/rwpattach.nsf/VAP/(CFD7369FCAE9B8F32F341DBE097801FF)~xBlunn+Report+13+Sept.pdf/$file/xBlunn+Report+13+Sept.pdf" >the Blunn Report</a> follows:</p>
<blockquote><p>
<b>7. Protective Access</b><br />
7.1 Both the Telco Act and the Interception Act presently recognise that some<br />
functions related to the provision or operation and maintenance of services need to be exempted from the strict application of the general prohibitions against<br />
interception, access and disclosure e.g. acts done by an employee of a carrier in the course of installing equipment or by a person providing an emergency service.<br />
7.2 Understandably and properly those exceptions are tightly drawn and tightly<br />
controlled.<br />
7.3 During the review it became obvious that there are circumstances which are not appropriately catered for by the existing exemptions but which, although different, warrant special consideration.<br />
7.4 In the main, those circumstances were related to the need to protect enterprise systems against damage whether deliberate or accidental. An example is the need to protect computer systems against unauthorised entry (hacking) or damage from viruses or worms. Whilst much of this can be achieved through systems applications there is often a need for human intervention which it is argued can involve interception or access in contravention of the relevant legislation.<br />
7.5 There are two critical elements to ‘interception’: the first is the concept of the communication ‘passing over’ the system and the second is ‘the system’ that it is ‘passing over’. The concept of ‘passing over’ has received a lot of attention and I think is effectively resolved by acceptance of the idea of the communication being automatically processed as electromagnetic energy up to the point at which it can be directly accessed by the intended recipient. However the issue of ‘direct access’ does itself raise some issues about whether a communication is still ‘passing over’ the system and therefore subject to the Interception Act when it has been ‘downloaded’ but which, on its way to the recipient, is processed by equipment say a ‘firewall’ installed by the recipient or more contentiously, an employer to protect their equipment, and as a consequence is viewed by an authorised person as part of that process.<br />
7.6 It is at least arguable that once such communications reach the equipment<br />
installed by the ‘owner’ to protect their equipment they are no longer ‘passing<br />
over the system’ or even within the system. If that were so they would no longer<br />
be subject to either the Telco Act or the Interception Act.<br />
7.7 If however such communications are still ‘passing over the system’ access would require an interception warrant. If they are not passing over the system but are still ‘within’ the system they would be treated as stored data. At the moment as stored data access would be in accordance with the Telco Act.<br />
7.8 The submissions were overwhelmingly opposed to access to such communications being governed by the Interception Act. I agree. Even as stored communications the requirements of the Telco Act would appear to effectively preclude access for the intended purpose, i.e. the protection of the system.<br />
7.9 The implications for the effective protection of systems if access is denied are serious including for very large users such as the States and the Commonwealth. The Department of Defence advises that without speedy access to the data major systems will be at risk with implications for essential functions and for costs. The current exclusion of stored data from the Interception Act is seen as enabling that speedy access.<br />
7.10 Given the ‘rights’ of owners to protect their system, the potential consequences of not doing so, the universality of the need and the time-critical nature of the required response, it is not in my opinion possible to meet the reasonable needs to protect systems by amending the Interception Act to provide specific exemptions.<br />
7.11 However from a privacy point of view uncontrolled access is simply not<br />
satisfactory. An access regime should be established which provides appropriate<br />
protections and prevents back-door use and access to obtain content. Those<br />
protections should in my view restrict access to that required for the identified purpose i.e. the protection of the system. There should be clear authorisation and the persons with that authority should be clearly identified. Those persons should be required to protect the privacy of any data accessed in the same way that the employees of C/CSPs are required to protect data accessed in the course of their employment. The vexed question is what should happen where such access discloses evidence of criminal behaviour. This is similar to the situation previously discussed in relation to section 282. In my view in both situations the content of the communication should be protected but the person with access may report their view that there may be evidence of criminality etc. The data, presumably other than voice data, could then be accessed as if it were a stored communication i.e. by search warrant. The question of the use of the content of voice data raises significant evidentiary and other problems and should be separately considered.</p></blockquote>
]]></content:encoded>
	</item>
	<item>
		<title>By: Ken Parish</title>
		<link>http://clubtroppo.com.au/2008/04/15/lies-damned-lies-and-national-security/#comment-261942</link>
		<dc:creator>Ken Parish</dc:creator>
		<pubDate>Tue, 15 Apr 2008 23:14:08 +0000</pubDate>
		<guid isPermaLink="false">http://clubtroppo.com.au/2008/04/15/5204/#comment-261942</guid>
		<description>&lt;a href="http://www.aph.gov.au/library/pubs/bd/2007-08/08bd071.htm" rel="nofollow"&gt;The bills digest&lt;/a&gt; on this legislation deals with precisely the issue I canvassed in my previous comment (quote is from A-G's consultant Anthony Blunn, whose report led to this legislation and earlier amendments):
&lt;blockquote&gt;Given the ‘rights’ of owners to protect their system, the potential consequences of not doing so, the universality of the need and the time-critical nature of the required response, it is not in my opinion possible to meet the reasonable needs to protect systems by amending the Interception Act to provide specific exemptions.

However from a privacy point of view uncontrolled access is simply not satisfactory. An access regime should be established which provides appropriate protections and prevents back-door use and access to obtain content. Those protections should in my view restrict access to that required for the identified purpose i.e. the protection of the system. There should be clear authorisation and the persons with that authority should be clearly identified. Those persons should be required to protect the privacy of any data accessed in the same way that the employees of C/CSPs are required to protect data accessed in the course of their employment.&lt;/blockquote&gt;
However, as the bills digest goes on to note, this legislation does not in fact contain the privacy protections recommended by its own consultant Anthony Blunn:
&lt;blockquote&gt;The proposed 18-month extension of the sunset clause in the current Bill is to allow the drafting of a permanent legislative solution to implement the Blunn Report recommendation. In his second reading speech for the bill the Attorney-General stated:
&lt;blockquote&gt;The proposed 18-month extension of the existing network protection provisions will ensure law enforcement and security agencies can continue to protect their networks while a comprehensive long-term solution is developed. My department has already undertaken extensive work on legislative changes that would implement the Blunn report recommendation. As mentioned, these measures will have implications across government, corporate and private networks. They must also address complex issues associated with privacy, and state and territory laws. It is important not to rush those changes, and there must be enough time to consult widely on their impact. An 18-month extension will enable full consideration of a more complete solution across all networks.&lt;/blockquote&gt; 

&lt;strong&gt;Comment&lt;/strong&gt;

The proposed extension of the network protection provisions sunset clauses by another 18 months means that over 20 Commonwealth and state/territory law enforcement and security agencies will be given access exemptions until the end of 2009. Blunn noted that unrestricted access is unsatisfactory and recommended an authorisation process – including a requirement that the access is strictly for the purpose of maintaining network security, and that the people who are given authorisation are clearly identified. While the Minister states that resolving the Blunn recommendation is complex and requires separate legislation, it could be possible to insert such authorisation processes into the interim legislation.&lt;/blockquote&gt;</description>
		<content:encoded><![CDATA[<p><a href="http://www.aph.gov.au/library/pubs/bd/2007-08/08bd071.htm" >The bills digest</a> on this legislation deals with precisely the issue I canvassed in my previous comment (quote is from A-G's consultant Anthony Blunn, whose report led to this legislation and earlier amendments):</p>
<blockquote><p>Given the ‘rights’ of owners to protect their system, the potential consequences of not doing so, the universality of the need and the time-critical nature of the required response, it is not in my opinion possible to meet the reasonable needs to protect systems by amending the Interception Act to provide specific exemptions.</p>
<p>However from a privacy point of view uncontrolled access is simply not satisfactory. An access regime should be established which provides appropriate protections and prevents back-door use and access to obtain content. Those protections should in my view restrict access to that required for the identified purpose i.e. the protection of the system. There should be clear authorisation and the persons with that authority should be clearly identified. Those persons should be required to protect the privacy of any data accessed in the same way that the employees of C/CSPs are required to protect data accessed in the course of their employment.</p></blockquote>
<p>However, as the bills digest goes on to note, this legislation does not in fact contain the privacy protections recommended by its own consultant Anthony Blunn:</p>
<blockquote><p>The proposed 18-month extension of the sunset clause in the current Bill is to allow the drafting of a permanent legislative solution to implement the Blunn Report recommendation. In his second reading speech for the bill the Attorney-General stated:</p>
<blockquote><p>The proposed 18-month extension of the existing network protection provisions will ensure law enforcement and security agencies can continue to protect their networks while a comprehensive long-term solution is developed. My department has already undertaken extensive work on legislative changes that would implement the Blunn report recommendation. As mentioned, these measures will have implications across government, corporate and private networks. They must also address complex issues associated with privacy, and state and territory laws. It is important not to rush those changes, and there must be enough time to consult widely on their impact. An 18-month extension will enable full consideration of a more complete solution across all networks.</p></blockquote>
<p><strong>Comment</strong></p>
<p>The proposed extension of the network protection provisions sunset clauses by another 18 months means that over 20 Commonwealth and state/territory law enforcement and security agencies will be given access exemptions until the end of 2009. Blunn noted that unrestricted access is unsatisfactory and recommended an authorisation process – including a requirement that the access is strictly for the purpose of maintaining network security, and that the people who are given authorisation are clearly identified. While the Minister states that resolving the Blunn recommendation is complex and requires separate legislation, it could be possible to insert such authorisation processes into the interim legislation.</p></blockquote>
]]></content:encoded>
	</item>
	<item>
		<title>By: clarencegirl</title>
		<link>http://clubtroppo.com.au/2008/04/15/lies-damned-lies-and-national-security/#comment-261885</link>
		<dc:creator>clarencegirl</dc:creator>
		<pubDate>Tue, 15 Apr 2008 19:38:27 +0000</pubDate>
		<guid isPermaLink="false">http://clubtroppo.com.au/2008/04/15/5204/#comment-261885</guid>
		<description>Second reading speech for Telecommunications (Interception and Access) Amendment Bill 2008.
Robert McClelland:
&lt;em&gt;The need for effective protection of corporate networks was also recognised in the Report of the review of the regulation of access to communications conducted by Mr Anthony Blunn AO. That report was tabled in parliament in September 2005. The Blunn report, as it has become known, recommended that access be allowed to the content of communications, outside of the warrant regime, for the protection of corporate communication systems. Recent media reports highlight the importance of private companies also protecting their networks.&lt;/em&gt;
Sounds as if more than a technical amendment is about to take place.</description>
		<content:encoded><![CDATA[<p>Second reading speech for Telecommunications (Interception and Access) Amendment Bill 2008.<br />
Robert McClelland:<br />
<em>The need for effective protection of corporate networks was also recognised in the Report of the review of the regulation of access to communications conducted by Mr Anthony Blunn AO. That report was tabled in parliament in September 2005. The Blunn report, as it has become known, recommended that access be allowed to the content of communications, outside of the warrant regime, for the protection of corporate communication systems. Recent media reports highlight the importance of private companies also protecting their networks.</em><br />
Sounds as if more than a technical amendment is about to take place.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: SJ</title>
		<link>http://clubtroppo.com.au/2008/04/15/lies-damned-lies-and-national-security/#comment-261781</link>
		<dc:creator>SJ</dc:creator>
		<pubDate>Tue, 15 Apr 2008 10:38:11 +0000</pubDate>
		<guid isPermaLink="false">http://clubtroppo.com.au/2008/04/15/5204/#comment-261781</guid>
		<description>Ken Says:&lt;blockquote&gt;We still need to know whether the legislation will merely authorise transient storage of emails for virus and spam auto-scanning (which I have no problem with) or whether it will authorise employers to actually read employee emails without their employees’ express consent or knowledge.&lt;/blockquote&gt;

Settle down, Ken. The existing situation in NSW is &lt;a href="http://www.lawlink.nsw.gov.au/lawlink/privacynsw/ll_pnsw.nsf/pages/PNSW_04_workcomm1" rel="nofollow"&gt;as follows&lt;/a&gt;:

&lt;blockquote&gt;

&lt;b&gt;Privacy and your private mail, email, lockers, drawers&lt;/b&gt;

All workplaces would benefit from a clear understanding of the degree of privacy which employees can expect at work in relation to issues like personal mail, email, desk and locker searches.

There is no automatic legal right to privacy for personal mail delivered to a work address. Many employers reserve the right to open and inspect all mail received at work, to properly receipt cheques and remittances, as a precaution against fraud or to limit employees running their own businesses during work time.

At the same time many businesses and public agencies ask employees to provide a work address or phone number and it is not unusual for them to contact people at work. Most employers allow employees to receive private mail and phone calls as long as they do not interfere with their work.

Some people complain that letters addressed to them at work and marked personal or confidential have been opened. It is recommended that when an employer who has a policy of opening all mail receives letters marked personal or confidential, they are opened in the presence of the addressee or by the addressee in the presence of the person responsible for receipting mail. This allows the employer to be satisfied that it is genuine personal mail and gives the addressee some assurance that it is not being read or copied.

Even where confidentially addressed mail is opened and read by another person, it does not necessarily lose its status as confidential. You could have a basis for a complaint or, in extreme cases, possible legal action if the letter is copied or the information contained in the letter is used inappropriately.

A debt collecting agency which deliberately contacts you at work and discloses their reasons for calling to other employees or your employer may be breaching licensing legislation.

&lt;b&gt;Electronic Mail&lt;/b&gt;

Unlike items of personal property that you keep in a desk drawer or locker, electronic messages you send or receive at work are not legally considered to be your personal property. Therefore an employer who owns the server or personal computer on which your email is stored is entitled to look at or copy it. Many employers reserve the right to check e-mail as a precaution against fraud, workplace harassment or breaches of confidence by employees.

However employees also have legitimate expectations of privacy in relation to their e-mail communications. A failure to acknowledge these expectations can affect the overall usefulness of providing e-mail facilities. It is strongly recommended that employers adopt clear policy statements on what rights employees can and cannot expect in relation to their electronic messages which reflect the specific needs of their organisations. All employees should be made aware of the policy.

Policies should cover:

* the requirements for storing e-mail where it relates to core business of the firm;
* whether back-up copies are stored on the server and who has access to them;
* the level of privacy employees can generally expect for their e-mail;
* the circumstances in which management reserves a right to read and take action on employee email;
* the fact that e-mail can be subject to production in litigation or other investigations;
* that it is unacceptable to use e-mail to abuse or harass other employees.


New South Wales public sector agencies should also follow the Premier's Department Policy and Guidelines on Employer Communications Devices published in January 1999 and Protocol for the Acceptable Use of the Internet and Electronic Mail, issued in March 1999.

&lt;/blockquote&gt;

I think that what the Privacy Commissioner says might be incomplete, because I recall some measure introduced a few years ago where employees had to be notified, but I could be wrong if that requirement has subsequently been removed, or was only being discussed and never actually became law.</description>
		<content:encoded><![CDATA[<p>Ken Says:<br />
<blockquote>We still need to know whether the legislation will merely authorise transient storage of emails for virus and spam auto-scanning (which I have no problem with) or whether it will authorise employers to actually read employee emails without their employees’ express consent or knowledge.</p></blockquote>
<p>Settle down, Ken. The existing situation in NSW is <a href="http://www.lawlink.nsw.gov.au/lawlink/privacynsw/ll_pnsw.nsf/pages/PNSW_04_workcomm1" >as follows</a>:</p>
<blockquote>
<p><b>Privacy and your private mail, email, lockers, drawers</b></p>
<p>All workplaces would benefit from a clear understanding of the degree of privacy which employees can expect at work in relation to issues like personal mail, email, desk and locker searches.</p>
<p>There is no automatic legal right to privacy for personal mail delivered to a work address. Many employers reserve the right to open and inspect all mail received at work, to properly receipt cheques and remittances, as a precaution against fraud or to limit employees running their own businesses during work time.</p>
<p>At the same time many businesses and public agencies ask employees to provide a work address or phone number and it is not unusual for them to contact people at work. Most employers allow employees to receive private mail and phone calls as long as they do not interfere with their work.</p>
<p>Some people complain that letters addressed to them at work and marked personal or confidential have been opened. It is recommended that when an employer who has a policy of opening all mail receives letters marked personal or confidential, they are opened in the presence of the addressee or by the addressee in the presence of the person responsible for receipting mail. This allows the employer to be satisfied that it is genuine personal mail and gives the addressee some assurance that it is not being read or copied.</p>
<p>Even where confidentially addressed mail is opened and read by another person, it does not necessarily lose its status as confidential. You could have a basis for a complaint or, in extreme cases, possible legal action if the letter is copied or the information contained in the letter is used inappropriately.</p>
<p>A debt collecting agency which deliberately contacts you at work and discloses their reasons for calling to other employees or your employer may be breaching licensing legislation.</p>
<p><b>Electronic Mail</b></p>
<p>Unlike items of personal property that you keep in a desk drawer or locker, electronic messages you send or receive at work are not legally considered to be your personal property. Therefore an employer who owns the server or personal computer on which your email is stored is entitled to look at or copy it. Many employers reserve the right to check e-mail as a precaution against fraud, workplace harassment or breaches of confidence by employees.</p>
<p>However employees also have legitimate expectations of privacy in relation to their e-mail communications. A failure to acknowledge these expectations can affect the overall usefulness of providing e-mail facilities. It is strongly recommended that employers adopt clear policy statements on what rights employees can and cannot expect in relation to their electronic messages which reflect the specific needs of their organisations. All employees should be made aware of the policy.</p>
<p>Policies should cover:</p>
<p>* the requirements for storing e-mail where it relates to core business of the firm;<br />
* whether back-up copies are stored on the server and who has access to them;<br />
* the level of privacy employees can generally expect for their e-mail;<br />
* the circumstances in which management reserves a right to read and take action on employee email;<br />
* the fact that e-mail can be subject to production in litigation or other investigations;<br />
* that it is unacceptable to use e-mail to abuse or harass other employees.</p>
<p>New South Wales public sector agencies should also follow the Premier&#8217;s Department Policy and Guidelines on Employer Communications Devices published in January 1999 and Protocol for the Acceptable Use of the Internet and Electronic Mail, issued in March 1999.</p>
</blockquote>
<p>I think that what the Privacy Commissioner says might be incomplete, because I recall some measure introduced a few years ago where employees had to be notified, but I could be wrong if that requirement has subsequently been removed, or was only being discussed and never actually became law.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: wpd</title>
		<link>http://clubtroppo.com.au/2008/04/15/lies-damned-lies-and-national-security/#comment-261776</link>
		<dc:creator>wpd</dc:creator>
		<pubDate>Tue, 15 Apr 2008 10:31:45 +0000</pubDate>
		<guid isPermaLink="false">http://clubtroppo.com.au/2008/04/15/5204/#comment-261776</guid>
		<description>Congratulations on a job well done.</description>
		<content:encoded><![CDATA[<p>Congratulations on a job well done.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Chris</title>
		<link>http://clubtroppo.com.au/2008/04/15/lies-damned-lies-and-national-security/#comment-261756</link>
		<dc:creator>Chris</dc:creator>
		<pubDate>Tue, 15 Apr 2008 10:14:01 +0000</pubDate>
		<guid isPermaLink="false">http://clubtroppo.com.au/2008/04/15/5204/#comment-261756</guid>
		<description>&lt;blockquote&gt;Even though quite a few employers (though by no means all) require employees to contractually sign away this privacy right as a term of employment, it’s a significant step to legislate to remove it irrespective of knowledge or consent&lt;/blockquote&gt;

I think it's a good idea to notify (just like video surveillance for example), though I don't think consent should be required. Too many people out there who believe that email they send is confidential, whereas in reality anybody sitting on the network between you and the receiver can easily intercept it (it's a *lot* easier than intercepting a phone call for example).

The best rule of thumb I've heard is that you shouldn't write anything in an email (unencrypted) that you wouldn't write on the back of a postcard.

&lt;blockquote&gt;KP - anyone who wants to read my work email line by line is welcome to. I delete a good half to a third without opening it; don’t want to think of the time it would take some schmuck to read it all. And then, who would read their email?&lt;/blockquote&gt;

I'd encourage people to read my email if they promised to remove the spam :-)</description>
		<content:encoded><![CDATA[<blockquote><p>Even though quite a few employers (though by no means all) require employees to contractually sign away this privacy right as a term of employment, it’s a significant step to legislate to remove it irrespective of knowledge or consent</p></blockquote>
<p>I think it&#8217;s a good idea to notify (just like video surveillance for example), though I don&#8217;t think consent should be required. Too many people out there who believe that email they send is confidential, whereas in reality anybody sitting on the network between you and the receiver can easily intercept it (it&#8217;s a *lot* easier than intercepting a phone call for example).</p>
<p>The best rule of thumb I&#8217;ve heard is that you shouldn&#8217;t write anything in an email (unencrypted) that you wouldn&#8217;t write on the back of a postcard.</p>
<blockquote><p>KP - anyone who wants to read my work email line by line is welcome to. I delete a good half to a third without opening it; don’t want to think of the time it would take some schmuck to read it all. And then, who would read their email?</p></blockquote>
<p>I&#8217;d encourage people to read my email if they promised to remove the spam <img src='http://clubtroppo.com.au/wp-includes/images/smilies/icon_smile.gif' alt=':-)' class='wp-smiley' /></p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Jacques Chester</title>
		<link>http://clubtroppo.com.au/2008/04/15/lies-damned-lies-and-national-security/#comment-261741</link>
		<dc:creator>Jacques Chester</dc:creator>
		<pubDate>Tue, 15 Apr 2008 09:59:04 +0000</pubDate>
		<guid isPermaLink="false">http://clubtroppo.com.au/2008/04/15/5204/#comment-261741</guid>
		<description>banana;

You're entitled to your opinion that two wrongs make a right.</description>
		<content:encoded><![CDATA[<p>banana;</p>
<p>You&#8217;re entitled to your opinion that two wrongs make a right.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: banana</title>
		<link>http://clubtroppo.com.au/2008/04/15/lies-damned-lies-and-national-security/#comment-261712</link>
		<dc:creator>banana</dc:creator>
		<pubDate>Tue, 15 Apr 2008 09:32:33 +0000</pubDate>
		<guid isPermaLink="false">http://clubtroppo.com.au/2008/04/15/5204/#comment-261712</guid>
		<description>&lt;blockquote&gt;free to contrast my honest mistake (and willingness to admit it) with total spinning bullshit&lt;/blockquote&gt;

OK, always happy to give someone the benefit of the doubt :) 
I'm sure it's not really at all like making a statement on something without bothering to research that thing.</description>
		<content:encoded><![CDATA[<blockquote><p>free to contrast my honest mistake (and willingness to admit it) with total spinning bullshit</p></blockquote>
<p>OK, always happy to give someone the benefit of the doubt <img src='http://clubtroppo.com.au/wp-includes/images/smilies/icon_smile.gif' alt=':)' class='wp-smiley' /><br />
I&#8217;m sure it&#8217;s not really at all like making a statement on something without bothering to research that thing.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Jacques Chester</title>
		<link>http://clubtroppo.com.au/2008/04/15/lies-damned-lies-and-national-security/#comment-261702</link>
		<dc:creator>Jacques Chester</dc:creator>
		<pubDate>Tue, 15 Apr 2008 09:27:37 +0000</pubDate>
		<guid isPermaLink="false">http://clubtroppo.com.au/2008/04/15/5204/#comment-261702</guid>
		<description>&lt;blockquote&gt;struck out hmm yes I see so uh still there but with a line through it&lt;/blockquote&gt;

Incidentally, that's what "struck out" means. Still there with a line through it. When you cockup on a blog it's considered good form to admit it but not remove the original offending words for honesty's sake.

If you're a journo, you get away with shrugging and ignoring angry letters.</description>
		<content:encoded><![CDATA[<blockquote><p>struck out hmm yes I see so uh still there but with a line through it</p></blockquote>
<p>Incidentally, that&#8217;s what &#8220;struck out&#8221; means. Still there with a line through it. When you cockup on a blog it&#8217;s considered good form to admit it but not remove the original offending words for honesty&#8217;s sake.</p>
<p>If you&#8217;re a journo, you get away with shrugging and ignoring angry letters.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Jacques Chester</title>
		<link>http://clubtroppo.com.au/2008/04/15/lies-damned-lies-and-national-security/#comment-261698</link>
		<dc:creator>Jacques Chester</dc:creator>
		<pubDate>Tue, 15 Apr 2008 09:25:07 +0000</pubDate>
		<guid isPermaLink="false">http://clubtroppo.com.au/2008/04/15/5204/#comment-261698</guid>
		<description>banana;

Slater &#038; Gordon is a firm which frequently represents unions in lawsuits and there's a lot of ex-partners in high places in the Labor movement and unions in particular.

It was a mistake on my part, but please, feel free to contrast my honest mistake (and willingness to admit it) with total spinning bullshit.</description>
		<content:encoded><![CDATA[<p>banana;</p>
<p>Slater &#038; Gordon is a firm which frequently represents unions in lawsuits and there&#8217;s a lot of ex-partners in high places in the Labor movement and unions in particular.</p>
<p>It was a mistake on my part, but please, feel free to contrast my honest mistake (and willingness to admit it) with total spinning bullshit.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: banana</title>
		<link>http://clubtroppo.com.au/2008/04/15/lies-damned-lies-and-national-security/#comment-261696</link>
		<dc:creator>banana</dc:creator>
		<pubDate>Tue, 15 Apr 2008 09:15:09 +0000</pubDate>
		<guid isPermaLink="false">http://clubtroppo.com.au/2008/04/15/5204/#comment-261696</guid>
		<description>&lt;blockquote&gt;Amanda;

Gillard worked for Slater &#38; Gordon. That’s union hackery as far as I’m concerned. But I was wrong about McClelland.

I’ve struck out the ‘union hack’ from both because it detracts from my point about lawyers.&lt;/blockquote&gt;

struck out hmm yes I see so uh still there but with a line through it
working for a law firm as a lawyer; unionism definitely definitely

*complains about bad journalism*
*deliberately lies in blog*</description>
		<content:encoded><![CDATA[<blockquote><p>Amanda;</p>
<p>Gillard worked for Slater &amp; Gordon. That’s union hackery as far as I’m concerned. But I was wrong about McClelland.</p>
<p>I’ve struck out the ‘union hack’ from both because it detracts from my point about lawyers.</p></blockquote>
<p>struck out hmm yes I see so uh still there but with a line through it<br />
working for a law firm as a lawyer; unionism definitely definitely</p>
<p>*complains about bad journalism*<br />
*deliberately lies in blog*</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Jacques Chester</title>
		<link>http://clubtroppo.com.au/2008/04/15/lies-damned-lies-and-national-security/#comment-261692</link>
		<dc:creator>Jacques Chester</dc:creator>
		<pubDate>Tue, 15 Apr 2008 08:54:37 +0000</pubDate>
		<guid isPermaLink="false">http://clubtroppo.com.au/2008/04/15/5204/#comment-261692</guid>
		<description>As for your second concern, Ken, therein lies a tale. Employers can already read your email. As I noted in my first rant, you need a Mandatory Access Control scheme -- at the least -- to prevent privacy infringements in a technical fashion. Neither Windows nor Mac OS X can provide that level of security. You need something like SELinux or Trusted Solaris to do the job.

You can of course introduce offences in this area, or simply be narrow in the expansion of the Act to only cover automatic screening, but there is &lt;em&gt;no technical solution&lt;/em&gt; which is widely available at the company level to balance both concerns.

There &lt;em&gt;is&lt;/em&gt; a technical solution that works at a personal level: encryption. If you and your correspondent use PGP or similar with a suitably large key, no third party can read the contents of the communications. Ditto web browsing and IM over SSL (ie any site with https:// in the URL). The communications can be stored and traffic analysis used, but the content itself is rendered opaque.</description>
		<content:encoded><![CDATA[<p>As for your second concern, Ken, therein lies a tale. Employers can already read your email. As I noted in my first rant, you need a Mandatory Access Control scheme &#8212; at the least &#8212; to prevent privacy infringements in a technical fashion. Neither Windows nor Mac OS X can provide that level of security. You need something like SELinux or Trusted Solaris to do the job.</p>
<p>You can of course introduce offences in this area, or simply be narrow in the expansion of the Act to only cover automatic screening, but there is <em>no technical solution</em> which is widely available at the company level to balance both concerns.</p>
<p>There <em>is</em> a technical solution that works at a personal level: encryption. If you and your correspondent use PGP or similar with a suitably large key, no third party can read the contents of the communications. Ditto web browsing and IM over SSL (ie any site with <a href="https://" >https://</a> in the URL). The communications can be stored and traffic analysis used, but the content itself is rendered opaque.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: saint</title>
		<link>http://clubtroppo.com.au/2008/04/15/lies-damned-lies-and-national-security/#comment-261690</link>
		<dc:creator>saint</dc:creator>
		<pubDate>Tue, 15 Apr 2008 08:51:07 +0000</pubDate>
		<guid isPermaLink="false">http://clubtroppo.com.au/2008/04/15/5204/#comment-261690</guid>
		<description>Nice work JC. Amanda may yet prove me incorrect, but I suspect Julia was in full scale spin mode and really should have been taken to task by the MSM (but I guess too many journos have believed their own spin on how smart and sexy she is or something. Bleh.) Then again, the Opposition seemed to have swallowed the line as well given their response.

KP - anyone who wants to read my work email line by line is welcome to. I delete a good half to a third without opening it; don't want to think of the time it would take some schmuck to read it all.  And then, who would read their email?</description>
		<content:encoded><![CDATA[<p>Nice work JC. Amanda may yet prove me incorrect, but I suspect Julia was in full scale spin mode and really should have been taken to task by the MSM (but I guess too many journos have believed their own spin on how smart and sexy she is or something. Bleh.) Then again, the Opposition seemed to have swallowed the line as well given their response.</p>
<p>KP - anyone who wants to read my work email line by line is welcome to. I delete a good half to a third without opening it; don&#8217;t want to think of the time it would take some schmuck to read it all.  And then, who would read their email?</p>
]]></content:encoded>
	</item>
</channel>
</rss>
