Documents Related to the Alberta Privacy Commissioner's Ruling into Workplace Surveillance by Parkland Regional Library
Keystroke Logger Ruled Invasive, Intrusive, & Excessive
What you will find here is various documents relating directly to the Alberta Privacy Commissioner's precedent setting ruling into the illegal use of keystroke logging software by Parkland Regional Library. Immediately following the linked list of documents you'll find my response to the numerous inaccurate accounts of the Parkland Regional Library keystroke logging fiasco. If you care to issue an opinion or otherwise comment on this incident I would ask that you read all the documents available here. You won't get a passing mark without proper research!
Firstly..., I would just like to thank a few folks that urged me to pursue this matter for the sake of worker privacy and the misguided use of surveillance technology in the workplace. Thanks go to Michael Geist, privacy expert at the University of Ottawa, for the prodding, Philippa Lawson, Executive Director of the Canadian Internet Policy and Public Interest Clinic (CIPPIC), for the encouragement and April Brousseau for a very well done research memo that was very helpful in reaching the favourable decision I finally obtained from the Privacy Commissioner. And I guess a final thank you would have to go to Frank Work, the Privacy Commissioner for the Province of Alberta for putting me at ease as I represented myself at the inquiry and for offering his personal parking stall when I couldn't find parking.
These are the Documents in Question
- Grievance Lodged with Parkland Regional Library
- My "grievance" lodged with the Director of Parkland Regional Library, Patricia Silver.
- Last Page of Grievance Signed by Patricia Silver
- I was never given the opportunity to present this grievance to the Board of Directors Personnel Committee even though it was signed by Patricia Silver with a notation that I would be given that opportunity. I'd say that was a hollow promise!
- Termination Letter from Parkland Regional Library
- This is what I got from Parkland Regional Library after lodging a valid grievance expressing my concerns over the discovery of a keystroke logger surreptitiously installed on my workstation without my knowledge or consent. No one else in the organization had the privilege of having their keystrokes logged.
- CIPPIC Research Memo
- Legal research done by April Brousseau of the Canadian Internet Policy and Public Interest Clinic. Well researched and worth a read.
- Michael Geist Paper to the Canadian Bar Review
- An interesting analysis of privacy and surveillance law and case law throughout the English speaking world. Real good background research.
- Privacy Commissioner Letter to PRL Director, Patricia Silver - Page 1
- This is the letter the Privacy Commissioner presented to Patricia Silver informing her that they would be proceeding with an inquiry. It should be noted that the Privacy Commissioner informs her of the date they received my complaint. It's the same date as the letter of termination - which I didn't receive until two days later.
- Privacy Commissioner Letter to PRL Director, Patricia Silver - Page 2
- This is the second page of that letter.
- Submission to Privacy Commissioner's Inquiry of January 19, 2005
- This was my submission to the Privacy Commissioner's Inquiry which was originally allowed to be submitted "in camera". The lawyer for Parkland Regional Library, John Bilsland put up such a fuss that I finally agreed to let him see the full submission even though I was under no obligation to do so. I would never do that again.
- Privacy Commissioner's Ruling
- Parkland Regional Library - June 24, 2005 - Not only is this ruling noteworthy for its precedent-setting decision, the Privacy Commissioner makes it quite clear that he had concerns with the testimony of Parkland Regional Library Director, Patricia Silver. Paragraphs 16 through 33 sum that up quite nicely but the ruling should be read in full so that nothing is taken out of context. This is especially true of anyone using this document for legal research. There have been many articles and opinion pieces written on this ruling but it's evident the background research was sloppy as very few of the articles are accurate. It's true that Parkland Regional Library's argument was primarily based on some belief that they felt I was being unproductive but it's also true that the Privacy Commissioner did not accept that argument. Go ahead, read it!
- C & D Attempt from John Bilsland
- Parkland Regional Library Legal Counsel - I somehow think this guy was one of those that failed to read the Privacy Commissioner's Ruling. I can't quite figure out why he would think it was my credibility that was an issue at the inquiry when the Privacy Commissioner dedicated several paragraphs in his ruling concerning the conflicting testimony of Parkland Regional Library Director, Patricia Silver.
- Letter from Barrie Chivers
- Here is a letter from a lawyer who thought the action taken by Parkland Regional Library was a bit Draconian.
My Response to Numerous Inaccurate Accounts of the Parkland Regional Library Keylogging Fiasco
::NEW:: January 28, 2007
A few days ago there was a news article published at itbusiness.ca on keystroke logging, or as they term it, "keylogging". In the last paragraph of the article there was mention of the Parkland Regional Library keystroke logging ruling by the Privacy Commissioner for the Province of Alberta, Canada where it stated...,
Quote from itbusiness.ca news article:
In 2005, the Parkland Regional Library in Lacombe, Alberta, installed keystroke logging software on an employee's computer to monitor his job performance; when they thought the results weren't up to snuff, they fired him, prompting the man to take his case to the Alberta privacy commissioner, who ruled that monitoring him like that went against his Freedom of Information and Protection Privacy Act rights. In 2006, an Alberta judge sentenced a man to a year in prison for cyberstalking, which included using keystroke logging software to get her personal information.
That ticked me off a tad as it implied that the employee in question was some sort of a slacker or something. If the guy was truly a slacker then it should have been a simple procedure for "human resources" to request work order reports or something similar and check those against actual "production". There have been numerous articles published on this "incident" and not all of them have been accurate. In fact, many have been completely off the mark. I say this because I was the employee in question! It's been two and a half years since I discovered the keystroke logger and a year and a half since the Alberta Privacy Commissioner's ruling. It's high time the record be set straight.
Parkland Regional Library claimed they never even looked at the keystroke logging logs or screen captures so it would be misleading to state that I was fired as a result of keystroke logs whose, "...results weren't up to snuff". This is what the Privacy Commissioner had to say on that evidence...,
Quote from Privacy Commissioner's ruling:
[para 9] The Public Body conceded that the keystroke logging program collected personal information of the Applicant. However, it did raise the suggestion that this collected material might not be properly viewed as ‘information’ because no one other than the Applicant actually read the information before it was deleted. I do not accept this suggestion. The Public Body itself provided evidence that its managers intended to review this information a couple of weeks after installation to determine exactly what the Applicant was doing on his computer. The material that was collected was readable and was information whether or not any manager read it.
Now there's some pretty heady legal logic, "...the suggestion that this collected material might not be properly viewed as ‘information’ because no one other than the Applicant actually read the information before it was deleted." The counsel for Parkland Regional Library obviously took a "Philosophy 101" course in his first year of law school. Remember, lawyers charge tera-bucks for their legal expertise so a little extra qualification helps lighten the shock of the legal bill. Especially knowing the guy is, "highly qualified" in a wide range of subjects beyond agricultural law.
Curiously, Parkland Regional Library claimed I deleted the keystroke logs before they managed to view them even though it was a month before I discovered the keystroke logger. I know for a fact that I didn't delete the "evidence" and as a matter of fact I had good reason not to. I would have been deleting evidence that backed up my position. Just think about that for a second or two! Who would have had the greatest motive to make the keystroke logs and e-mail reports "disappear", me or Parkland Regional Library? I'll let you be the judge. E-mail reports? Who said anything about e-mail reports?
Here's an actual description from the iOpus Starr shareware page that really makes me wonder why a network administrator deploying the keystroke logging software wouldn't be curious enough as to want to know what the Starr Keystroke Logger might be capturing.
Quote from a shareware site pushing the Starr Keystroke Logger:
In the stealth mode STARR does NOT show up in the system tray, task bar or task list. For remote surveillance of (internet-) networked PCs STARR can invisibly email the log file to another PC via any standard email account or save the log directly to the server. Contains installation wizard for extremely easy setup and use.
Tell me now, what network administrator on the planet would deploy this software without flipping the switch for "stealth mode" and have the keystroke log reports e-mailed to himself? After all, the "installation wizard makes for extremely easy setup and use".
A good part of my argument as to why I considered "keystroke logging" intrusive, invasive and otherwise completely unwarranted in respect to "employee management" centred around the premise that they already had a way of determining productivity by way of "trouble ticketing" software that I deployed for them. On my first day of employment I was asked if I could set up a trouble ticketing system for Parkland Regional Library as they were getting complaints that help desk calls weren't being handled efficiently and in some cases, neglected entirely. This might sound like an unusual request for a guy's first day on the job but it resulted from a conversation I had during the job interview. No problem, I knew that I could handle the request without too much difficulty. For those that don't know what "trouble ticketing" software is all about, let me explain briefly.
Trouble ticketing software tracks help desk calls and keeps the information collected in a database. Information such as the nature of the help desk request, all correspondence accumulated in resolving the issue, the help desk staff assigned to the trouble ticket, whether or not the trouble ticket required being escalated to more knowledgeable staff and whatever other information may be required in solving problems. For this task I chose the highly regarded open source trouble ticketing software, Request Tracker, developed by Best Practical Solutions, LLC. Request Tracker is used by Fortune 100 companies, government agencies, educational institutions, and development organizations worldwide. I had worked with it before and I knew it would be up to the task.
I set the trouble ticketing system up on an old AMD K6 they had kicking around that the network administrator had tried real hard at getting Trustix to work on but was never successful. What was real funny is that there was a "burnt" copy of Trustix in the CD tray when I went to pop in the FreeBSD disc. The network administrator said that he had burnt a few CDs but he could never get the K6 box to boot them. When I took a look at the Trustix CD I instantly figured out why. The guy had burnt the ISO file directly to the disc. Yup..., there was only a single file on the disc and it was "trustix_ver_whatever.iso". My immediate thought was, "how the hell did this guy get a network administrator's job"? Not only that, any network administrator I know would pick OpenBSD if they're looking for a secure server OS. I had never even heard of Trustix before I met this guy and I know a thing or two about secure operating systems.
It took me a couple of weeks to get everything tuned and running to my satisfaction but when I did I had a FreeBSD/Apache/MySQL box running Request Tracker and handling help desk calls from 150 different community libraries. This installation and deployment was done completely at the command prompt as the box was a bit light for handling X Windows. The box is still running and handling all help desk calls to this day. The reason I know is that I still get the status reports e-mailed from the box on a regular basis. That's because the network administrator, my ex-supervisor, has never figured out how to disable my FreeBSD account. The biggest problem I had deploying the trouble ticketing system was working around a perplexing issue of a racing hardware clock, otherwise I would have had it up and running in a lot less time. If the help desk requests would have required collecting credit card information or anything like that I would have almost certainly considered the use of OpenBSD instead of FreeBSD. We were talking "library card" and not "credit card" so I chose FreeBSD. It's stable, fast on antique equipment, and pretty much idiot proof. Unless some idiot decides to compile source code in the root slice and fill it to 107%. Amazingly enough, FreeBSD didn't crash when the network administrator decided to do just that! It did slow down a bit though.
Getting back to the issue of keystroke logging and Parkland Regional Library's illegal use of the sleazy technology, it should be noted that the Parkland Regional Library Board of Directors had approved the purchase of the Starr keystroke logging software after a request by the network administrator. What on earth is an IT dude doing putting in a requisition for keystroke logging software when its use and deployment would, at best, be a human resources problem seeking a misguided solution? Clearly, there were a lot of Directors of Parkland Regional Library that didn't understand the implications involved in the indiscriminate use of keystroke logging software. Then there's the whole other issue of "purchasing" software of this ilk when free versions are readily available on the internet and are much better at disguising their presence. Just because it was "purchased" certainly doesn't mean it was "enterprise ready" software.
iOpus Starr Pro Keystroke Logger is some kind of shady shareware that even iOpus seems to want to disassociate itself from. When you search their site this page comes up when you query "Starr". It looks like they've renamed it "ActMon". Just to give you an idea of what kind of quality you might expect consider this from their Actmon product page:
Quote from the Actmon product page:
•Most not miss important keyboard activity.
•Only software that can logs the Windows login password.
•Your data is secure against unauthorized access.
•Files can NOT be removed by unauthorized user.
•Runs 100% maintenance free.
That sure presents a professional product image that an enterprise might consider unleashing on their pawns. And all this for a mere $69. What a bargain!
Ok..., you would think that the Parkland Regional Library Board of Directors would require some kind of "usage policy" be implemented before the software was ever deployed for "employee management", but nope, in their infinite wisdom they left it up to the network administrator to use as he saw fit. Although I can't be certain, it appears that the human resources department was never consulted. Imagine that! In fact, Parkland Regional Library conceded it was a human resources concern that prompted their deployment of the Starr Keystroke Logger. This is what the Privacy Commissioner for the Province of Alberta had to say about it:
Quote from Privacy Commissioner's ruling:
[para 26] The Applicant provided uncontradicted evidence that the ‘trouble ticket’ system was a means by which to determine his productivity that fell far short of knowing every key he struck on his computer. Whether or not the particular program for “trouble ticket” logging that had been installed was adequate for this purpose, I believe that it would be possible to implement a computer-based method for gauging productivity of information technology workers relative to ‘troubleshooting’ tasks. Further, even just asking the Applicant for an account of his productivity, or how he was using his time, would have been a good first step, and far less intrusive. If a more systematic approach was desirable, performance measures and performance reviews based on such measures are widely-accepted management tools that could also have been applied in this case.
[para 27] As well, I note the Applicant’s concern that he had been given permission to do personal internet banking on his computer in non-working time, and that this personal information was also being collected. There was clearly no justification whatever for collecting this personal information. The failure to resolve this issue before instituting the collection indicates that the action was not well-thought-out. Banking information was not related directly to management of the Applicant as an employee, and collection of this category of information was not in conformity with the Act.
Now that we have a keystroke logger loose on the network how are we going to cope with the volumes of information flooding the log file and the countless e-mail reports being generated? That's an easy one! We'll pick a "test subject", at random maybe, and monitor his activity. Here's what the Privacy Commissioner for the Province of Alberta thought of this brilliant plan:
Quote from Privacy Commissioner's ruling:
[para 28] Finally, I note that while there were other information technology employees in the organization, they were not similarly monitored. This lack of even-handedness further undermines the Public Body’s explanation for the collection.
[para 29] There may be some circumstances in which information that is collected by means of keystroke logging software is necessary for the purpose of effective employee management within the terms of section 33(c). However, because such programs involve a continuous monitoring of an employee’s working life, they are highly intrusive into the privacy of employees. Where such programs are employed surreptitiously, the encroachment on an employee’s personal privacy is even greater.
[para 30] In my view, information collected by keystroke logging software becomes “necessary” within the meaning of section 33(c) of the Act only when there is no less intrusive way of collecting sufficient information to address a particular management issue. Furthermore, surreptitious use of the software will result in “necessary” information only where forewarning employees that such a program will be used means that information needed for management cannot be collected.
[para 31] For example, if keying in text were the primary task for a job, and speed and accuracy were agreed performance measures, the use of keystroke logging software might be justified. The information could be “necessary” in such a case because other indications of performance would not be as effective or efficient. However, there would be no reason not to inform the employee that such a measure would be taken, either consistently or periodically. To give another example, if an employer had reason to believe an employee was using office equipment to surf the net on office time, information collected by keystroke logging software could become “necessary”. However, this would be only after the employer had developed and conveyed to the employees a written “accepted use policy” relative to their computers.
[para 32] With respect to surreptitious use of keystroke logging software, this is a form of surveillance. In my view information collected through surreptitious use would be considered “necessary” within the meaning of section 33(c) only when the information needed for managing could not be obtained by other means. For example, information from surreptitious use of keystroke logging software relative to a particular employee could be “necessary” where an employer had reason to believe that fraud was being committed by the employee using office-supplied information technology equipment. I might add that the use of such software for “law enforcement purposes” may be permissible under section 33(b) of the Act, but a discussion of that is beyond the scope of this case.
[para 33] In this case, no circumstances such as those just described existed. There were alternate means by which the managers could address any concerns they had about the Applicant’s productivity, use of his working time, or way of prioritizing his tasks. The surreptitious aspect of the information collection made it even less justifiable. Therefore the information collected by the chosen method was not necessary information within the terms of section 33(c) of the Act, and the Public Body did not have authority to collect it under that section.
To say I felt "violated" would be a bit of an understatement. No problem, I'll file a formal grievance with the Director of Parkland Regional Library - one small twist there - the Director is the network administrator's wife. I was pretty certain she was completely unaware that her husband had taken a possible - and I use that term loosely - human resources issue and decided to make a unilateral decision to deal with it himself for the common good of the organization. I thought about this a lot over the weekend that I drafted the grievance. I was mistaken to believe that nobody in their right mind would ever try and justify such an atrocity. It was a couple of days after I filed the grievance that the bitter reality of that little mistake hit home.
I was a bit apprehensive about filing the grievance with the Director of Parkland Regional Library and would have preferred it be escalated immediately to the Personnel Committee comprised of Parkland Regional Library Board Members. I even suggested to the Director that's how I wanted it handled but she convinced me that the "Human Resources Manual Personnel Regulations" were clear where it stated:
Quote from the Human Resources Manual titled, "Grievance/Complaint Procedure":
An employee having a complaint or grievance arising from the interpretation, application, operation, or alleged violation of the Personnel Policy, or other matter relating to his/her employment, should first discuss the subject of the proposed complaint or grievance with the Director. A full written record of the complaint should be made.
If an employee is not satisfied with the decision received from the Director, he/she has the right to appeal to the Personnel Committee of the Board. A full written record of the complaint should be sent to the chair of the Personnel Committee.
A complaint may result from any condition of employment that the employee feels is unjust or inequitable.
To ensure prompt attention, a complaint should be lodged within five days of the event prompting the complaint, but a complaint may be lodged at any time.
Under the circumstances, I wasn't real comfortable about presenting my grievance as the Director obviously had a conflict of interest in the matter, being the wife of the network administrator. Nevertheless, I presented the grievance and had the Director sign my copy just so there was a written record of the meeting. She reluctantly signed the grievance, the signed portion shown in the image below.
Interpretation of handwriting in above image:
I received this document June 21/04
I have put Dan on paid leave until the matter can be dealt with by the Personnel Committee and/or whatever other groups relevant.
Dan was informed by me of steps PRL has taken to address his concerns.
Patricia Silver
Unfortunately, the assurance was short lived as two days later I received a letter of termination that said,
Body of termination letter from Parkland Regional Library
Dear Dan
Further to our conversation this morning, I spoke with the Chairman of the PRL Board and the chairman of the Personnel Committee and have taken legal counsel. As a result of these conversations, I regret to inform you that we are terminating your employment with us immediately. This action is taken under clause (2) of the section on summary dismissal in the Human Resources Manual in response to your unauthorized deletion and modification of the STARR application files on your computer and on the server, and under clause (7) which supports the prohibition against mounting unauthorized software, such as Nmap and Sygate personal firewall, on the Parkland system.
Please find attached a cheque and explanation of how the amount was arrived at by the accounting department.
We are returning to you under separate cover your mug. Please return to Rimbey Public Library any material you may have belonging to Parkland, such as your binder. Thank you for your co-operation in this matter.
Best wishes for the future.
Sincerely,
Patricia Silver
Director
I guess I had somehow anticipated things weren't going real smooth with the grievance procedure so I decided the thing to do would be to file a complaint with the Privacy Commissioner for the Province of Alberta. Good guess! Seven months after filing the complaint the inquiry finally took place in the hearing room of the Privacy Commissioner's Office. In situations such as this I have always believed that sticking to the truth allows for the least chance of a screw up. It worked for me.
My only regret was not having legal counsel represent my interests but I think I did just fine under the circumstances. Legal representation varies widely in quality which was quite evident by the performance of the Parkland Regional Library lawyer so when all was said and done, I probably wouldn't have come out with a more favourable ruling. Not only that but I saved myself a chunk of change in legal fees. It's certainly not a strategy I would recommend to others but if a person does decide to represent themselves in a legal matter my best advice would be to tell the truth and come prepared.
Parkland Regional Library took a completely different strategy and I think the Privacy Commissioner made that quite clear where he stated in his ruling,
Quote from Privacy Commissioner's ruling:
[para 16] With regard to the concern about the Applicant’s productivity - on which the Public Body’s oral argument was primarily based - I have carefully reviewed the evidence on this point given at the oral inquiry. In my view this evidence does not support the contention that a perceived shortfall in the Applicant’s productivity prompted the decision to install the keystroke logging software.
[para 17] According to the Director’s initial testimony, she instructed activation of the software because she was uneasy that the Applicant had not ‘heard’ or ‘bought into’ concerns she expressed to him at his probationary interview. The concerns were that he was not being a team player, and was too independent in his approach in finding solutions to work-related information technology problems. It is notable that the Director did not testify that she raised any concern with the Applicant at this interview that he was insufficiently productive or, (more specifically), that he was not completing a sufficient number of “trouble tickets” – the primary activity to which he had been assigned. The Applicant’s testimony supported that there was no discussion or warning about under-productivity.
[para 18] In other parts of her testimony, the Director provided a different account of her reasons for directing installation of the software. She mentioned that productivity was difficult to measure relative to information-technology people (in contrast to, for example, book cataloguers). She also said there were a large number of outstanding “trouble logs”. However, the Director did not say that she had a reason to be concerned that it was the Applicant’s lack of productivity that had given rise to this backlog. Rather, she said that she could not tell whether it had or hadn’t – whether he was working on really difficult problems that would take more time, or spending his time on something else. She said she wanted to know what was actually happening and to “get a feel for” the way the Applicant was spending the Public Body’s time.
[para 19] Looking at the totality of the Director’s evidence, there is some internal conflict as to what exactly motivated her to have the software program activated on the Applicant’s computer. On the one hand, she tied her decision to her concern about his “maverick” working style; on the other, she tied it, more loosely, to her inability to know whether he was or was not being productive on routine troubleshooting tasks. I can conclude the Director wanted to know how the Applicant was using his working time. However, I cannot say definitively, any more than she did in her evidence, that she had reasons for believing the Applicant was unproductive. I am similarly left in doubt as to which of her concerns prompted her to direct the installation of the software.
[para 20] The Applicant’s supervisor also gave testimony about the Applicant’s work. He said he had two concerns. One was that the Applicant was spending working time on personal pursuits, as indicated by the single incident to which I have already referred. The other was that the Applicant was using his time on work-related tasks that had a lower priority than “trouble-ticketing” tasks. He referred to an instance in which the Applicant was spending time installing an “insta-messaging” program. He conceded that he and the Applicant had discussed the utility of this program for all the staff, but denied specifically instructing or permitting the Applicant to install it. Apart from his awareness that the Applicant did spend time on work-related projects other than the customer service “trouble logs”, the supervisor did not indicate whether or on what basis he thought the Applicant was actually under-producing relative to “trouble-ticketing”.
[para 21] The Applicant addressed the question of the alternatives that were available to his managers to monitor his productivity and gauge the way he was structuring his priorities. He said that it would have been simple to review the ‘trouble tickets’ – documents that apparently existed relative to the handling of particular information technology problems – to determine who handled the bulk of the problems and how they were handled. He also noted that his supervisor sat just a few feet away from his workspace and could observe his computer screen at any time. No one from the Public Body contradicted or responded to the Applicant’s suggestion that the logged ‘trouble tickets’ could have been reviewed to determine his level of productivity and how he was spending his time.
One thing I might add is that the Director of Parkland Regional Library claimed that it was a result of the probationary review that prompted her to authorize the installation of the Starr Keystroke Logger but I have a clear recollection of the probationary review taking place two weeks before I discovered the keystroke logger, which had been installed two weeks previous to that. It's also notable that Parkland Regional Library was unable to provide any proof the meeting had even happened. The Privacy Commissioner granted Parkland Regional Library an adjournment during the inquiry proceedings but they were unable to come up with any proof during the hour they had to access the Parkland Regional Library server and have a staff member check the Director's daytimer for any indication of when the meeting took place. Judging by the Privacy Commissioner's comments on the "probationary review" I would have to conclude that Parkland Regional Library must have come up with something after the inquiry had officially ended. I know they never came up with anything at all during the inquiry.
The thought never occurred to me to present my daytimer even though it was in my briefcase. It's too bad because my daytimer indicated that I was out of town on service calls the day they claimed I was attending the probationary review. The observant will likely note that I really missed a chance at a touché moment there.
I'm pretty sure that by now it's obvious that not a single person in the organisation, besides myself, considered the ramifications of having a keystroke logger loose on the network. Who would ever think of hijacking the keystroke logger and turning it against the organization? I confess, the thought crossed my mind momentarily but common sense prevailed. I suppose the logic was that it was library cards and not credit cards so the risk was minimal. Yikes!
Thanks for checking this out.