
© Xamax Consultancy Pty Ltd,  1995-2017


Employee Dismissal on the Basis of Offending Images on Their Workstation

Roger Clarke **

Notes of 23 November 2005 (with minor adaptions to the description of bots)

© Xamax Consultancy Pty Ltd, 2005

Available under an AEShareNet Free for Education licence or a Creative Commons 'Some Rights Reserved' licence.

This document is at http://www.rogerclarke.com/II/OffIm0511.html


Introduction

An organisation dismissed an employee after an examination of the employee's workstation caused the employer to conclude that the employee had accessed inappropriate sites, and stored inappropriate images.

I received an urgent request to provide expert evidence in relation to ways in which 'accesses to inappropriate sites' and 'storage of inappropriate images' might occur, without the intention of an employee, and even without their knowledge. This document is an edited version of the document I provided.


The Nature of a Personal Computer

  1. It is first necessary to consider the nature of a personal computer. The intention of the designers of personal computers was to create a highly functional device that was inexpensive. As a result, a personal computer is not an intrinsically secure device, and omits features that would make it easy to convert it into a secure device.
  2. The operating systems that enable applications to be used on personal computers are inherently insecure. This is the case with both the Linux and Macintosh operating systems, but especially so with the various Microsoft operating systems that are used on the large majority of devices.
  3. The applications that are run on personal computers are in many cases insecure, and in some cases extremely insecure. Especially important examples of highly insecure applications include most versions of Microsoft Internet Explorer (MSIE), which is the most commonly-used web-browser. The most recent versions of MSIE have been improved, and are merely insecure rather than highly insecure.
  4. It would appear to me to be necessary for the employer to have documented the facts relating to the operating system and the relevant application(s), and versions, that were installed on the device in question, together with key parameter settings. That is needed as a basis for the analysis that is necessary in order to establish a case against the Employee that justifies his dismissal.

The Operation of Internet-Connected Devices

  1. It is further necessary to consider the manner of operation of a personal computer that is connected to the Internet.
  2. Software in the device performs operations, in order to:
  3. The software may be caused to perform these operations in any of several ways:
  4. In the sections below, I will work through the various ways in which the offending accesses could have occurred, and the offending images could have come to be on the machine, for reasons other than the intentional actions of the Employee.

The Physical Security of the Internet-Connected Device

  1. I understand that the device in question sat in an office shared by several people, each of whom:
  2. Based on my knowledge of employment circumstances in general, I make the assumption that the room was accessible to a number of categories of people, including:
  3. There is therefore a range of people who may have been able to use the device in the circumstances that I understand applied, above and beyond the individual to whom the device was assigned.
  4. It is possible to impose physical security measures (such as auto-locking doors and unique keys). I am unaware what physical security measures were in place. However, from my knowledge of employment circumstances in general, and taking into account the multi-user nature of the room in question, it is likely that such measures would be regarded as being far too impractical and expensive, and not justified by the limited vulnerabilities involved.

The 'Logical' Security of the Internet-Connected Device

  1. A range of security measures can be implemented that reduce the likelihood of an unintended person using the device. These include:
  2. Such measures significantly reduce the scope for use of the device by unintended people, but do not reliably prevent it.
  3. All such security measures are subject to countermeasures. For example:
  4. Countermeasures of these kinds tend to undermine the security measures, and hence increase the vulnerability of the device to abuse by unintended users.
  5. I am unaware what such 'logical' security measures were in place, and hence my comments must be abstract and qualified. From my knowledge of employment circumstances in general, however, it is not unusual for devices to be subject to little or nothing in the way of logical security measures. It is inconvenient for users, it is expensive both to install and to maintain them, and the harm that arises in practice from colleagues and even from occasional visitors making use of such devices is generally very limited.

First Cluster of Uncertainties

  1. The 'accesses to inappropriate sites' and 'storage of inappropriate images' may have resulted from actions by someone other than the Employee. Possibilities include several categories of people authorised to use the room but not the device in question, and a range of other persons who were not authorised by the employer to use even the room, let alone the device.
  2. It would appear to me to be necessary for the employer to have investigated the facts relating to physical and logical security measures, to have satisfied themselves that the probability was high that no other user was responsible for the inappropriate accesses and images, to have documented the reasons for that conclusion, and to have provided a copy of that document to the Employee prior to dismissing them.

Actions Giving Rise to Unintended Consequences

  1. Any user of an Internet-connected device may cause accesses and/or the downloading of images that are later judged to be inappropriate in some way, but without the intention of doing so. Moreover, this may even occur without the user knowing that it is happening, or even that it has happened.
  2. The reasons this is the case include the following:
  3. It is not clear from the limited information at my disposal what applications were used in making the accesses. It is therefore necessary for me to express the above statements in a somewhat vague manner, because the appropriate way to express the statement depends on what the applications in question actually were.
  4. I understand that the employer may have made reference to 'cache', and in particular 'web-cache'. If so, that would imply that a web-browser was involved. As indicated above, it is feasible for files to be in web-cache that have not been visible on the screen, and hence for files to be in cache whose contents the user was not aware of.
  5. Further, many applications have the capability to write copies of files onto the device's hard-disk drives. Generally, they have the capability to write those files into any of a wide range of folders or directories. I understand that some files may have been found in a directory called 'My Music'. This is the name of a directory that I understand to be commonly auto-generated by Microsoft operating systems, and to be readily accessible to applications of all kinds. The existence of a file in such a directory is only weak evidence of intent on the part of the device's user to store that file.
  6. I have been provided with little information regarding the technical competence of the Employee. This is a relevant matter. Most people have only a fairly hazy understanding of how their machines work, of the functions of the applications that they use, of the structure of the directories on their machines, of the file-types that are stored in those directories, of the formats that the data in the files is expressed in, and of the programs that are capable of reading the various formats. Generally, the greater the competence of the user, the more reasonable is an inference that they are or should have been aware of the functions of programs and the contents of files. And the inverse also holds, such that care must be taken before ascribing intent to users with limited technical competence.
  7. A further consideration is that the content of a web-page in many circumstances cannot be known or inferred until it has been downloaded, and hence stored in local cache. Two examples are as follows:
  8. Another complication is that web-pages can be designed to make a user's web-browser effectively a captive of the remote web-site. The software sent by the web-site opens additional windows, and intercepts attempts by the user to close windows. Such techniques have been known to be used by web-sites that contain pornographic material, with the result that, once a person has gone to a single web-page on the site (whether intentionally or otherwise), further web-pages will be downloaded to the browser, irrespective of what the user does, even if the user is horrified by what they see.

Second Cluster of Uncertainties

  1. The possibility exists that the Employee caused the inappropriate accesses and/or the downloading of the inappropriate images, but not with intent, and possibly not even with knowledge that it was happening, or even that it had happened.
  2. It would appear to me to be necessary for the employer to have investigated the facts relating to the accesses and images (e.g. the dates and times they occurred, and the elapsed times between successive actions), to have satisfied themselves that the probability was high that the Employee was actively responsible for the relevant actions, to have documented the reasons for that conclusion, and to have provided a copy of that document to the Employee prior to dismissing them.
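
The kind of timing analysis referred to in the preceding paragraph can be sketched as follows. This is an added example, not part of the original notes: the access records, the attendance windows and the two-second burst threshold are all constructed assumptions. It computes the elapsed time between successive accesses, marks accesses that follow the previous one too quickly to be separate deliberate actions (as happens when a page opens further windows by itself), and marks accesses that fall outside the periods when the assigned user is recorded as present. Both marks are indicators to be weighed, not proof.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample access records (timestamp, URL); not from any real matter.
SAMPLE = [
    ("2005-11-01 10:02:11", "http://intranet.example/home"),
    ("2005-11-01 10:04:40", "http://news.example/story"),
    ("2005-11-01 10:04:41", "http://ads.example/popup1"),
    ("2005-11-01 10:04:41", "http://ads.example/popup2"),
    ("2005-11-01 10:04:42", "http://ads.example/popup3"),
    ("2005-11-01 12:40:05", "http://files.example/a.jpg"),
    ("2005-11-01 12:40:06", "http://files.example/b.jpg"),
    ("2005-11-01 14:15:00", "http://intranet.example/timesheet"),
]

# Assumed periods when the assigned user was present (e.g. from door-access
# or login records); constructed for this example.
PRESENT = [
    ("2005-11-01 09:00:00", "2005-11-01 12:30:00"),
    ("2005-11-01 13:30:00", "2005-11-01 17:00:00"),
]


def parse(ts):
    return datetime.strptime(ts, FMT)


def analyse(records, present, burst_gap=timedelta(seconds=2)):
    """Return one row per access with its gap, burst flag and attendance flag."""
    windows = [(parse(a), parse(b)) for a, b in present]
    rows, prev = [], None
    for when, url in sorted((parse(ts), url) for ts, url in records):
        gap = None if prev is None else when - prev
        rows.append({
            "when": when,
            "url": url,
            "gap": gap,
            # Too soon after the previous access to be a separate deliberate act.
            "burst": gap is not None and gap <= burst_gap,
            # Falls inside a period when the assigned user is recorded as present.
            "attended": any(a <= when <= b for a, b in windows),
        })
        prev = when
    return rows


def summarise(rows):
    """Condense the per-access rows into figures an investigator would report."""
    return {
        "total": len(rows),
        "in_burst": sum(r["burst"] for r in rows),
        "unattended": [r["url"] for r in rows if not r["attended"]],
    }


if __name__ == "__main__":
    for r in analyse(SAMPLE, PRESENT):
        print(r["when"], r["gap"], r["burst"], r["attended"], r["url"])
    print(summarise(analyse(SAMPLE, PRESENT)))
```
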

Malware

  1. The expression 'malware' is a useful generic term for a considerable family of software and techniques implemented by means of software, which result in some deleterious and (for the user of the device) unexpected outcome.
  2. One well-known category of malware is a 'virus'. This is a block of code that inserts copies of itself into other programs. A virus generally carries a payload, which may have nuisance value, or serious consequences. To avoid early detection, viruses generally delay the performance of functions other than replication. The function of a virus may conceivably be to cause files to be fetched from some remote location, and stored on the device's disk-drive.
  3. Another well-known category of malware is a 'worm'. A worm is a program that propagates copies of itself over networks. It does not infect other programs. Similarly, the function of a worm may conceivably be to cause files to be fetched from some remote location, and stored on the device's disk-drive.
  4. Another category is a 'trojan' or 'trojan horse'. This is a program that purports to perform a useful function (and may do so), but certainly performs one or more malicious functions. An example is a useful utility that someone sends you (which, for example, helps you find files you've lost on your disk, or draws a Christmas Tree that you can send to friends at the appropriate time of year). If it is a trojan, then it performs some additional function (reminiscent of enemy soldiers carried in a wooden horse's belly). This may conceivably be to cause files to be fetched from some remote location, and stored on the device's disk-drive.
  5. Security measures are available that can achieve some success in combating malware. They are far from perfect, however. Their effective application would require active support on the part of the employer. And they require some assiduousness on the part of the user as well.
  6. I am unaware what security measures against malware were in place, and hence my comments must be abstract and qualified. From my knowledge of employment circumstances in general, however, it is not unusual for devices to be subject to limited such security measures.

Third Cluster of Uncertainties

  1. The possibility exists that one or more forms of malware were running on the device in question, and that the inappropriate accesses and/or the downloading of the inappropriate images were a result of the operation of that malware.
  2. It would appear to me to be necessary for the employer to have examined the device in question using available tools for detecting a wide range of known malware, to have satisfied themselves that the probability was high that malware was not the cause of the inappropriate accesses and images, to have documented the reasons for that conclusion, and to have provided a copy of that document to the Employee prior to dismissing them.

'Hacking'

  1. The term 'hacking' is in popular usage to refer to the use of a device by a remote user without the authority of the local user. Other (and preferable) terms for this are 'break-in' and 'cracking' (as of a safe).
  2. There are readily-accessible libraries of recipes on how to conduct 'hacking'. Many of the techniques have been productised in the form of 'scripts'. The people who perform hacking require a moderate amount of skill, but they do not need to be experts.
  3. In addition, hacking may be made easy through the existence of a 'backdoor' or 'trapdoor'. This term refers to any planned means whereby a person can surreptitiously gain unauthorised access to a remote device. Examples include a feature of a package intended to enable maintenance programmers to gain access, or a feature added into a program by a virus.
  4. When a device is hacked, a remote user is able to use the device as though they were the local user. The capabilities available may be somewhat restricted, or may be the same as those available to the local user. A hacker generally has reasonable technical competence, and hence knows enough to be able to do far more than most users can do with their own machine.
  5. It is entirely feasible for a hacker to run software so as to cause 'accesses to inappropriate sites' and 'storage of inappropriate images'.
  6. A further category of the malware discussed above is commonly referred to as a 'bot'. This form of malware creates a backdoor in a device, such that a remote user can later instruct the device to perform particular functions. The installation of a bot can be depicted as a form of 'automated hacking' of the device, or as a way to facilitate hacking of the device.
  7. Bots have been used to perform attacks on other computers, and to relay spam. But they can conceivably be used to cause files to be fetched from some remote location, and stored on the device's disk-drive. This would be an attractive technique to someone who is trying to reticulate files that are illegal in some manner (e.g. copyright-infringing, or in breach of censorship laws), and who would prefer to avoid suspicion and hence retribution, by distributing them from some machine other than their own.
  8. It has been estimated that a large proportion of Internet-connected devices contain bots. This applies especially to devices that are connected via Internet Service Providers (ISPs), but also to many that are connected via the Local Area Networks (LANs) of organisations such as the employer.
  9. Security measures are available that can achieve some success in combating hacking and bots. They are far from perfect, however. Their effective application would require active support on the part of the employer. And they require some assiduousness on the part of the user as well.
  10. I am unaware what security measures against hacking and bots were in place, and hence my comments must be abstract and qualified. From my knowledge of employment circumstances in general, I would expect that some centralised measures would be in place, in particular firewalls between the employer's network and the Internet as a whole. These are useful, but far from entirely reliable. It is not unusual for individual devices to be subject to only limited security measures of this kind, and hence they may also be exposed to hacking from other devices within the employer's own internal network.

Fourth Cluster of Uncertainties

  1. The possibility exists that the device in question may have been subjected to one or more break-ins, and that the inappropriate accesses and/or the downloading of the inappropriate images were a result of the break-in(s).
  2. It would appear to me to be necessary for the employer to have examined the device in question using available tools for detecting evidence of hacking and bots, to have satisfied themselves that the probability was high that hacking and bots were not the cause of the inappropriate accesses and images, to have documented the reasons for that conclusion, and to have provided a copy of that document to the Employee prior to dismissing them.

Conclusions

  1. Prior to making a decision or taking action that is seriously harmful to the interests of an employee, it is incumbent on any employer to gather appropriate evidence, and subject it to analysis to a degree appropriate to the circumstances.
  2. The preceding paragraphs have suggested a great many ways in which inappropriate accesses could be made by a device, and inappropriate files could come to be stored on a device, without intention by the Employee.
  3. It therefore appears to me that a heavy onus rests on the employer to have gathered the appropriate evidence, to have demonstrated by analysis that there is a strong probability of misbehaviour by the Employee sufficient to warrant dismissal, and to publish the evidence and analysis to the Employee to enable it to be checked.
  4. There is now reasonable access to techniques that support relevant evidence collection and analysis, including specialist consultancies, and even specialist courses run by educational institutions.

Caveats

I repeat the important caveats that this document is based on very limited information, and has been prepared in a matter of a few hours. In order to provide formal expert evidence targeted at the key issues in the matter, I would need access to much more information, and more time.


Author Affiliations

Roger Clarke is Principal of Xamax Consultancy Pty Ltd, Canberra. He is also a Visiting Professor in the Cyberspace Law & Policy Centre at the University of N.S.W., a Visiting Professor in the E-Commerce Programme at the University of Hong Kong, and a Visiting Professor in the Department of Computer Science at the Australian National University.




Created: 11 September 2006 - Last Amended: 11 September 2006 by Roger Clarke - Site Last Verified: 15 February 2009