Tuesday, June 08, 2004

Criminal Code Amended to allow for e-mail interception by sysadmin

By amendments to the Criminal Code of Canada, the authority of a sysadmin to review employee e-mail in the course of system management has been clarified. From the London Free Press:

London Free Press: Business Section - Law amended for e-mail:

"The Criminal Code of Canada makes it an indictable offence to "willfully" intercept a private communication. On April 22, Bill C-14 came into effect, which among other things amends the Criminal Code to protect computer system managers from the threat of criminal conviction. The bill amends the Criminal Code to add a section that allows computer system managers to intercept a private communication. Interception under this new provision is lawful only if it is "reasonably necessary" for managing the "quality of service" of the computer system.

Preventing and dealing with intrusion detection and malicious attempts to compromise systems is a crucial issue for any business.

The concern was that without such a change, the viewing or scanning of e-mails by a computer systems employee for such things as virus detection or spam-blocking might be considered an illegal interception of a private communication. Other legitimate purposes include the prevention of data theft or the use of systems by unauthorized individuals. One could argue that, depending to some extent on employer policies, e-mails to and from the workplace are not private communications. But this amendment clarifies the issue.

...

Under the changes, intrusion-detection activities must be limited to authorized individuals who perform duties relating to the security management and protection of computer systems.

Intrusion-detection activities must be limited to what is reasonably necessary for legitimate management purposes to ensure service quality and protect systems against computer-related offences.

The then-Privacy Commissioner took issue with one aspect of the bill.

The commissioner opposed permitting a private communication that had been intercepted lawfully to be disclosed in the course of a civil or criminal proceeding, or for the purposes of any criminal investigation.

That would have meant that a manager operating a computer intrusion-detection system who discovered an e-mail attachment containing child pornography, or evidence of a murder plot, could not notify the police or use the material to discipline the employee.

The commissioner's proposal was defeated. ..."
