Roger Clarke's 'Employee Dismissal'
Roger Clarke
Notes of 23 November 2005 (with minor adaptations to the description of bots)
© Xamax Consultancy Pty Ltd, 2005
Available under an AEShareNet licence or a Creative Commons licence.
This document is at http://www.rogerclarke.com/II/OffIm0511.html
Introduction
An organisation dismissed an employee after an examination of the employee's
workstation caused the employer to conclude that the employee had accessed
inappropriate sites, and stored inappropriate images.
I received an urgent request to provide expert evidence in relation to ways in
which 'accesses to inappropriate sites' and 'storage of inappropriate images'
might occur, without the intention of an employee, and even without their
knowledge. This document is an edited version of the document I provided.
The Nature of a Personal Computer
- It is first necessary to consider the nature of a personal computer. The
intention of the designers of personal computers was to create a highly
functional device that was inexpensive. As a result, a personal computer is
not an intrinsically secure device, and omits features that would make it easy
to convert it into a secure device.
- The operating systems that enable applications to be used on personal
computers are inherently insecure. This is the case with both the Linux and
Macintosh operating systems, but especially so with the various Microsoft
operating systems that are used on the large majority of devices.
- The applications that are run on personal computers are in many cases
insecure, and in some cases extremely insecure. Especially important examples
of highly insecure applications include most versions of Microsoft Internet
Explorer (MSIE), which is the most commonly-used web-browser. The most recent
versions of MSIE have been improved, and are merely insecure rather than highly
insecure.
- It would appear to me to be necessary for the employer to have documented
the facts relating to operating system and the relevant application(s), and
versions, that were installed on the device in question, together with key
parameter settings. That is needed as a basis for the analysis that is
necessary in order to establish a case against the Employee that justifies his
dismissal.
The Operation of Internet-Connected Devices
- It is further necessary to consider the manner of operation of a personal
computer that is connected to the Internet.
- Software in the device performs operations, in order to:
  - receive data from some other device; and
  - 'render' the data (i.e. display it on a screen, 'play' it as sound through
    a speaker, or print it on a printer); and/or
  - store the data on some storage device connected to it.
- The software may be caused to perform these operations in any of several
ways:
  - by the action of a human being, typically using a keyboard and/or mouse;
  - by the action of a remote device. This is referred to as a 'push'
    mechanism. An example of this is a file attached to an email, which is
    automatically received and stored, without any action by the user;
  - because of the action of some logic in the software itself. Examples of
    this include a timed action ('fetch this file at midnight each evening'),
    and an action taken on each occasion that the program is started.
- In the sections below, I will work through the various ways in which the
offending accesses could have occurred, and the offending images could have
come to be on the machine, for reasons other than the intentional actions of
the Employee.
The Physical Security of the Internet-Connected Device
- I understand that the device in question sat in an office shared by
several people, each of whom:
  - may have had access to a device of their own;
  - may have been capable of seeing the screens of some or all of the other
    devices; and
  - may have been capable of using the other devices.
- Based on my knowledge of employment circumstances in general, I make the
assumption that the room was accessible to a number of categories of people,
including:
  - the Employee;
  - the other people assigned to the room;
  - visitors (in particular, other staff and students, but perhaps also
    outsiders such as a spouse and children) invited into the room by those
    people;
  - supervisory and managerial staff, who would normally have a duplicate key
    or master-key;
  - cleaners, who would normally have a duplicate key or master-key, and who
    would generally visit the office outside normal working-hours, when none of
    the people assigned to the room were likely to be there;
  - security staff, who would have a duplicate key or master-key, and who
    would generally visit the corridor outside normal working-hours, when none
    of the people assigned to the room were likely to be there.
- There is therefore a range of people who may have been able to use the
device in the circumstances that I understand applied, above and beyond the
individual to whom the device was assigned.
- It is possible to impose physical security measures (such as auto-locking
doors and unique keys). I am unaware what physical security measures were in
place. However, from my knowledge of employment circumstances in general, and
taking into account the multi-user nature of the room in question, it is likely
that such measures would be regarded as being far too impractical and
expensive, and not justified by the limited vulnerabilities involved.
The 'Logical' Security of the Internet-Connected Device
- A range of security measures can be implemented that reduce the likelihood
of an unintended person using the device. These include:
  - the prevention of any use being made of the device unless the user
    demonstrates that they know a specific 'secret', such as a password, PIN or
    passphrase. Providing such a secret is commonly referred to as 'logging in';
  - the auto-locking of the device after a period of inactivity, typically
    10-15 minutes;
  - stronger authentication mechanisms, e.g. involving the periodic demand
    that the authorised user's thumb be placed on a reader built into or
    connected to the device, with the device made inoperable if the print does
    not match sufficiently closely to the pre-recorded image.
- Such measures significantly reduce the scope for use of the device by
unintended people, but do not reliably prevent it.
- All such security measures are subject to countermeasures. For example:
  - a password may be discovered by watching someone key it in, or by guessing
    that it will be the same as the person's name or pet's name, or by finding
    it written down in the person's top-right-hand drawer or on a yellow
    'stick-it' attached to the device itself;
  - auto-locking can be avoided by ensuring that the device is used in a
    continual manner, such that the time-out never occurs;
  - a copy of the user's thumbprint can be acquired, and a latex overlay made
    to put over the unauthorised user's own thumb.
- Countermeasures of these kinds tend to undermine the security measures,
and hence increase the vulnerability of the device to abuse by unintended users.
- I am unaware what such 'logical' security measures were in place, and
hence my comments must be abstract and qualified. From my knowledge of
employment circumstances in general, however, it is not unusual for devices to
be subject to little or nothing in the way of logical security measures. It is
inconvenient for users, it is expensive both to install and to maintain them,
and the harm that arises in practice from colleagues and even from occasional
visitors making use of such devices is generally very limited.
First Cluster of Uncertainties
- The 'accesses to inappropriate sites' and 'storage of inappropriate
images' may have resulted from actions by someone other than the Employee.
Possibilities include several categories of people authorised to use the room
but not the device in question, and a range of other persons who were not
authorised by the employer to use even the room, let alone the device.
- It would appear to me to be necessary for the employer to have
investigated the facts relating to physical and logical security measures, to
have satisfied themselves that the probability was high that no other user was
responsible for the inappropriate accesses and images, to have documented the
reasons for that conclusion, and to have provided a copy of that document to
the Employee prior to dismissing them.
Actions Giving Rise to Unintended Consequences
- Any user of an Internet-connected device may cause accesses and/or the
downloading of images that are later judged to be inappropriate in some way,
but without the intention of doing so. Moreover, this may even occur without
the user knowing that it is happening, or even that it has happened.
- The reasons this is the case include the following:
  - software does not necessarily communicate to the user all that it is
    doing. For example, a web-browser may access multiple files in response to
    a single request by the user, these files may not all be on the same site,
    and the content of these files may not all be displayed in the
    browser-window;
  - software that is understood by the user to be performing a particular
    function may be performing other functions, perhaps instead of, but much
    more likely as well as the expected one.
- It is not clear from the limited information at my disposal what
applications were used in making the accesses. It is therefore necessary for
me to express the above statements in a somewhat vague manner, because the
appropriate way to express the statement depends on what the applications in
question actually were.
- I understand that the employer may have made reference to 'cache', and in
particular 'web-cache'. If so, that would imply that a web-browser was
involved. As indicated above, it is feasible for files to be in web-cache that
have not been visible on the screen, and hence for files to be in cache whose
contents the user was not aware of.
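The following script is an added illustration of the point just made; it is not part of the original notes. Given one page that a user requested (a constructed sample below, with placeholder host names), it lists every further file the browser fetches automatically, on whatever site, and marks those that would never have been visible on screen: each of them nonetheless becomes a web-cache entry.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose attribute names a resource the browser fetches with no user action.
AUTO_FETCH = {"img": "src", "script": "src", "iframe": "src",
              "frame": "src", "embed": "src", "link": "href"}


class SubResourceCollector(HTMLParser):
    """Collects (absolute URL, tag, visibly rendered?) for every automatic fetch."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        attr = AUTO_FETCH.get(tag)
        if attr is None or not attrs.get(attr):
            return
        # A <link> triggers a fetch here only when it names a stylesheet.
        if tag == "link" and attrs.get("rel", "").lower() != "stylesheet":
            return
        url = urljoin(self.page_url, attrs[attr])
        style = attrs.get("style", "").replace(" ", "").lower()
        hidden = ("display:none" in style
                  or (attrs.get("width") == "1" and attrs.get("height") == "1"))
        self.resources.append((url, tag, not hidden))


def automatic_fetches(page_url, html):
    """All sub-resources requested on loading page_url, in document order."""
    parser = SubResourceCollector(page_url)
    parser.feed(html)
    return parser.resources


def third_party_hosts(page_url, html):
    """Hosts other than the page's own that receive a request the user never made."""
    own = urlsplit(page_url).hostname
    hosts = {urlsplit(u).hostname for u, _, _ in automatic_fetches(page_url, html)}
    return sorted(h for h in hosts if h != own)


# Constructed sample page; the hosts are placeholders, not real sites.
SAMPLE_URL = "http://news.example/story.html"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/style.css">
<script src="http://ads.example/banner.js"></script>
</head><body>
<img src="/photo.jpg">
<img src="http://tracker.example/pixel.gif" width="1" height="1">
<iframe src="http://other.example/promo.html" style="display: none"></iframe>
</body></html>
"""

if __name__ == "__main__":
    # One user request for story.html; every line printed is a cache entry that
    # request produces, two of them for content that never appears on screen.
    for url, tag, visible in automatic_fetches(SAMPLE_URL, SAMPLE_HTML):
        print(f"{tag:7}{'shown' if visible else 'not shown':11}{url}")
```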
- Further, many applications have the capability to write copies of files
onto the device's hard-disk drives. Generally, they have the capability to
write those files into any of a wide range of folders or directories. I
understand that some files may have been found in a directory called 'My
Music'. This is the name of a directory that I understand to be commonly
auto-generated by Microsoft operating systems, and to be readily accessible to
applications of all kinds. The existence of a file in such a directory is only
weak evidence of intent on the part of the device's user to store that file.
- I have been provided with little information regarding the technical
competence of the Employee. This is a relevant matter. Most people have only
a fairly hazy understanding of how their machines work, of the functions of the
applications that they use, of the structure of the directories on their
machines, of the file-types that are stored in those directories, of the
formats that the data in the files is expressed in, and of the programs that
are capable of reading the various formats. Generally, the greater the
competence of the user, the more reasonable is an inference that they are or
should have been aware of the functions of programs and the contents of files.
And the inverse also holds, such that care must be taken before ascribing
intent to users with limited technical competence.
- A further consideration is that the content of a web-page in many
circumstances cannot be known or inferred until it has been downloaded, and
hence stored in local cache. Two examples are as follows:
  - web-pages may be identified only as IP-addresses, and thereby lack any
    descriptive information. For example, if an email (perhaps from a friend,
    but perhaps only purporting to be from a friend) suggests that a person
    click on the link http://66.198.36.17/, they may be unaware that they are
    going to a ('soft-')porn site, which is also known by the name
    www.adultactioncam.com;
  - web-pages may have innocuous-looking names, but contain unexpected
    material. A celebrated example is whitehouse.com, which for some years was
    used for the sale of pornographic images, to the surprise of many people
    who went there assuming they would find information about the U.S.
    President and his home.
- Another complication is that web-pages can be designed to make a user's
web-browser effectively a captive of the remote web-site. The software sent by
the web-site opens additional windows, and intercepts attempts by the user to
close windows. Such techniques have been known to be used by web-sites that
contain pornographic material, with the result that, once a person has gone to
a single web-page on the site (whether intentionally or otherwise), further
web-pages will be downloaded to the browser, irrespective of what the user
does, even if the user is horrified by what they see.
Second Cluster of Uncertainties
- The possibility exists that the Employee caused the inappropriate accesses
and/or the downloading of the inappropriate images, but not with intent, and
possibly not even with knowledge that it was happening, or even that it had
happened.
- It would appear to me to be necessary for the employer to have
investigated the facts relating to the accesses and images (e.g. the dates and
times they occurred, and the elapsed times between successive actions), to have
satisfied themselves that the probability was high that the Employee was
actively responsible for the relevant actions, to have documented the reasons
for that conclusion, and to have provided a copy of that document to the
Employee prior to dismissing them.
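The analysis of dates, times and elapsed times called for above (and the timed and 'push' fetches described under the Operation of Internet-Connected Devices) can be started with a script such as the following. It is an added example, not part of the original notes; it assumes a constructed access record in a simple 'timestamp, tab, URL' form rather than any particular browser or proxy format, and the hosts and the address 192.0.2.17 are placeholders.

```python
from collections import defaultdict
from datetime import datetime, time, timedelta

# Assumed office hours and thresholds; adjust to the workplace in question.
WORK_START, WORK_END = time(8, 0), time(18, 0)
BURST_GAP = timedelta(seconds=1)        # a person cannot request pages this fast
CLOCK_TOLERANCE = timedelta(minutes=1)  # 'same time of day' on different days


def parse_log(text):
    """Lines of 'YYYY-MM-DD HH:MM:SS<TAB>url' -> sorted list of (datetime, url)."""
    events = []
    for line in text.strip().splitlines():
        stamp, url = line.split("\t", 1)
        events.append((datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"), url))
    return sorted(events)


def bursts(events):
    """Runs of two or more fetches, each within BURST_GAP of the previous one:
    the pace of a browser loading sub-resources or of a program, not of a hand."""
    if not events:
        return []
    runs, current = [], [events[0]]
    for prev, cur in zip(events, events[1:]):
        if cur[0] - prev[0] <= BURST_GAP:
            current.append(cur)
            continue
        if len(current) > 1:
            runs.append(current)
        current = [cur]
    if len(current) > 1:
        runs.append(current)
    return runs


def clockwork_repeats(events):
    """URLs fetched on two or more days at the same time of day (scheduled job)."""
    by_url = defaultdict(list)
    for stamp, url in events:
        by_url[url].append(stamp)
    hits = {}
    for url, stamps in by_url.items():
        days = {s.date() for s in stamps}
        tod = [timedelta(hours=s.hour, minutes=s.minute, seconds=s.second) for s in stamps]
        if len(days) >= 2 and max(tod) - min(tod) <= CLOCK_TOLERANCE:
            hits[url] = sorted(days)
    return hits


def out_of_hours(events):
    """Fetches at times when the assigned user would ordinarily be absent."""
    return [(s, u) for s, u in events
            if s.weekday() >= 5 or not (WORK_START <= s.time() < WORK_END)]


# Constructed record; hosts and 192.0.2.17 are documentation placeholders.
SAMPLE_LOG = """\
2005-11-14 10:02:11\thttp://news.example/story.html
2005-11-14 10:02:11\thttp://news.example/style.css
2005-11-14 10:02:12\thttp://ads.example/banner.js
2005-11-14 10:02:12\thttp://tracker.example/pixel.gif
2005-11-14 10:07:45\thttp://news.example/page2.html
2005-11-14 00:00:03\thttp://192.0.2.17/pic001.jpg
2005-11-15 00:00:02\thttp://192.0.2.17/pic001.jpg
2005-11-16 00:00:04\thttp://192.0.2.17/pic001.jpg
"""

if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for run in bursts(events):
        print(f"burst of {len(run)} fetches from {run[0][0]}: automatic loading?")
    for url, days in clockwork_repeats(events).items():
        print(f"{url} at the same time on {len(days)} days: scheduled process?")
    for stamp, url in out_of_hours(events):
        print(f"out of hours: {stamp} {url}")
```

None of the three signatures proves anything by itself; each marks a question the investigator must answer before attributing the fetch to a person at the keyboard.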
Malware
- The expression 'malware' is a useful generic term for a considerable
family of software and techniques implemented by means of software, which
result in some deleterious and (for the user of the device) unexpected outcome.
- One well-known category of malware is a 'virus'. This is a block of
code that inserts copies of itself into other programs. A virus generally
carries a payload, which may have nuisance value, or serious consequences. To
avoid early detection, viruses generally delay the performance of functions
other than replication. The function of a virus may conceivably be to cause
files to be fetched from some remote location, and stored on the device's
disk-drive.
- Another well-known category of malware is a 'worm'. A worm is a program
that propagates copies of itself over networks. It does not infect other
programs. Similarly, the function of a worm may conceivably be to cause files
to be fetched from some remote location, and stored on the device's disk-drive.
- Another category is a 'trojan' or 'trojan horse'. This
is a program that purports to perform a useful function (and may do
so), but certainly performs one or more malicious functions. An example is a
useful utility that someone sends you (which, for example, helps you find files
you've lost on your disk, or draws a Christmas Tree that you can send to
friends at the appropriate time of year). If it is a trojan, then it performs
some additional function (reminiscent of enemy soldiers carried in a wooden
horse's belly). This may conceivably be to cause files to be fetched from some
remote location, and stored on the device's disk-drive.
- Security measures are available that can achieve some success in combating
malware. They are far from perfect, however. Their effective application
would require active support on the part of the employer. And they require
some assiduousness on the part of the user as well.
- I am unaware what security measures against malware were in place, and
hence my comments must be abstract and qualified. From my knowledge of
employment circumstances in general, however, it is not unusual for devices to
be subject to limited such security measures.
Third Cluster of Uncertainties
- The possibility exists that one or more forms of malware were running on
the device in question, and that the inappropriate accesses and/or the
downloading of the inappropriate images were a result of the operation of that
malware.
- It would appear to me to be necessary for the employer to have examined
the device in question using available tools for detecting a wide range of
known malware, to have satisfied themselves that the probability was high that
malware was not the cause of the inappropriate accesses and images, to have
documented the reasons for that conclusion, and to have provided a copy of that
document to the Employee prior to dismissing them.
'Hacking'
- The term 'hacking' is in popular usage to refer to the use of a device by
a remote user without the authority of the local user. Other (and preferable)
terms for this are 'break-in' and 'cracking' (as of a safe).
- There are readily-accessible libraries of recipes on how to conduct
'hacking'. Many of the techniques have been productised in the form of
'scripts'. The people who perform hacking require a moderate amount of skill,
but they do not need to be experts.
- In addition, hacking may be made easy through the existence of a
'backdoor' or 'trapdoor'. This term refers to any planned means whereby a
person can surreptitiously gain unauthorised access to a remote device.
Examples include a feature of a package intended to enable maintenance
programmers to gain access, or a feature added into a program by a virus.
- When a device is hacked, a remote user is able to use the device as though
they were the local user. The capabilities available may be somewhat
restricted, or may be the same as those available to the local user. A hacker
generally has reasonable technical competence, and hence knows enough to be
able to do far more than most users can do with their own machine.
- It is entirely feasible for a hacker to run software so as to cause
'accesses to inappropriate sites' and 'storage of inappropriate images'.
- A further category of the malware discussed above is commonly referred to
as a 'bot'. This form of malware creates a backdoor in a device, such that a
remote user can later instruct the device to perform particular functions. The
installation of a bot can be depicted as a form of 'automated hacking' of the
device, or as a way to facilitate hacking of the device.
- Bots have been used to perform attacks on other computers, and to relay
spam. But they can conceivably be used to cause files to be fetched from some
remote location, and stored on the device's disk-drive. This would be an
attractive technique to someone who is trying to reticulate files that are
illegal in some manner (e.g. copyright-infringing, or in breach of censorship
laws), and who would prefer to avoid suspicion and hence retribution, by
distributing them from some machine other than their own.
- It has been estimated that a large proportion of Internet-connected
devices contain bots. This applies especially to devices that are connected
via Internet Service Providers (ISPs), but also to many that are connected via
the Local Area Networks (LANs) of organisations such as the employer.
- Security measures are available that can achieve some success in combating
hacking and bots. They are far from perfect, however. Their effective
application would require active support on the part of the employer. And they
require some assiduousness on the part of the user as well.
- I am unaware what security measures against hacking and bots were in
place, and hence my comments must be abstract and qualified. From my knowledge
of employment circumstances in general, I would expect that some centralised
measures would be in place, in particular firewalls between the employer's
network and the Internet as a whole. These are useful, but far from entirely
reliable. It is not unusual for individual devices to be subject to only
limited security measures of this kind, and hence they may also be exposed to
hacking from other devices within the employer's own internal network.
Fourth Cluster of Uncertainties
- The possibility exists that the device in question may have been subjected
to one or more break-ins, and that the inappropriate accesses and/or the
downloading of the inappropriate images were a result of the break-in(s).
- It would appear to me to be necessary for the employer to have examined
the device in question using available tools for detecting evidence of hacking
and bots, to have satisfied themselves that the probability was high that
hacking and bots were not the cause of the inappropriate accesses and images,
to have documented the reasons for that conclusion, and to have provided a copy
of that document to the Employee prior to dismissing them.
Conclusions
- Prior to making a decision or taking action that is seriously harmful to
the interests of an employee, it is incumbent on any employer to gather
appropriate evidence, and subject it to analysis to a degree appropriate to the
circumstances.
- The preceding paragraphs have suggested a great many ways in which
inappropriate accesses could be made by a device, and inappropriate files could
come to be stored on a device, without intention by the Employee.
- It therefore appears to me that a heavy onus rests on the employer to have
gathered the appropriate evidence, to have demonstrated by analysis that there
is a strong probability of misbehaviour by the Employee sufficient to warrant
dismissal, and to publish the evidence and analysis to the Employee to enable
it to be checked.
- There is now reasonable access to techniques that support relevant
evidence collection and analysis, including specialist consultancies, and even
specialist courses run by educational institutions.
Caveats
I repeat the important caveats that this document is based on very limited
information, and has been prepared in a matter of a few hours. In order to
provide formal expert evidence targeted at the key issues in the matter, I
would need access to much more information, and more time.
Author Affiliations
Roger Clarke is Principal of Xamax Consultancy Pty Ltd, Canberra. He is also a
Visiting Professor in the Cyberspace Law & Policy Centre at the University of
N.S.W., a Visiting Professor in the E-Commerce Programme at the University of
Hong Kong, and a Visiting Professor in the Department of Computer Science at
the Australian National University.
Created: 11 September 2006 - Last Amended: 11 September 2006 by Roger Clarke