Common-law = Snooplaw

Rather than talk about the FBI’s desire to patrol the Internet backbone, have your laptop searched without warrant or any particular reason when facing US Customs officers, or Microsoft’s Computer Online Forensic Evidence Extractor (COFEE), I want to quickly talk about the Australian government’s desire to give law enforcement and corporate IT the power to monitor and inspect any and all electronic employee communications. What is most concerning is that it continues an Australian trend to insert American attitudes into common-law.

Terrorism Down Under

I don’t want to come off seeming as though I think terrorism is a small or unimportant issue. It’s not – terrorism is a very real issue, and it has incredible financial and human costs. That said, whenever someone mentions either children or terrorism as a justification for a new piece of legislation that would dramatically extend the surveillance powers of public and private actors, I immediately want to know just how invasive those new powers might be. Whereas Australian law presently only allows security companies and those dealing with the government to survey communications without permission, after a four year fight to revise the Telecommunications Interceptions Act the government may be successful in extending those surveillance powers. If the amendments are passed, all corporate IT groups will be able to survey employees’ digital communciations. The government’s reason for extending the surveillance powers is that, by monitoring workers’ emails, it will be possible to stop/deploy coercion towards those who would;

attack to disable computer networks that sustained the financial system, stock exchange, electricity grid and transport system “[and would consequently] reap far greater economic damage than would be the case of a physical [terrorist] attack”. (Source)

The Countdown

Fortunately, the proposed amendments would be subject to revisitation and expiration in a year – this means that it’s possible for changes to be brought to the amendments were they implemented. This said, if the aim of the amendments are to provide network supervisors with the ability to open emails that hold viral packages (which is incredibly unlikely – all sysadmins that I know will either delete emails with these payloads automatically, prevent them from entering the corporate domain with network edge technology, or have automated scripts that quarantine the package contents) why not make that statement in the bill itself?

Surveillance powers like this will, at best, catch the incompetent criminals, but clever terrorist cells have been found using encryption, spoofed emails, and other technologies and systems that will evade this proposed dragnet. Rather than allowing employers to survey email communications, why not implement amendments that identify basic standards for hardening network services? Why not provide money for secure VPN access? Why not do something that would prevent ‘terrorists’ from accessing sensitive systems in the first place, or from taking control of employees’ computers to then attack corporate financial and other sensitive systems?

You don’t often ‘stop’ terrorism by snooping on unencrypted, corporate email – you might catch corporate criminals, but not terrorists. This seems like a way for employers to initiate witch-hunts, not a way to effectively prevent security breeches in core business sectors.