Debate on Inbox snooping to stop terror needs a wider view

Patrick Gray argues that employee email filtering is a dubious anti-terror tactic and debate on the subject needs to reflect a more mature understanding of the true infosec situation.

The mainstream media has whipped fairly innocuous comments made by Attorney-General Robert McClelland into a massive controversy in this year's biggest infosec beat-up.
According to reports, McClelland has proposed amendments to Australian counter-terrorism laws and the Telecommunications Act designed to combat Internet-based threats.

The changes, apparently, include giving employers the right to snoop on employees' e-mail. There's no draft legislation, of course, just a few comments made by McClelland to a Sydney Morning Herald reporter.

Never mind that in states like NSW employers can already monitor staff Internet use as long as they notify employees and regularly remind them with a notice at their login prompt.

That little fact was ignored; after all, the story was too good to pass up. So the general media's take on the "proposal" is that it's a ploy by "the man" to reach into the inboxes of the powerless proletariat and rob them of their last shred of privacy in the workplace.

After all, what sort of security benefit could there be? It's not like a terrorist mastermind is going to infiltrate a critical infrastructure provider and then use their company account to mail their evil plans to destroy Sydney's power grid to [email protected].

Well, according to the e-hippies at Electronic Frontiers Australia (EFA), the changes to the Telecommunications Act McClelland was talking about could simply be designed to allow for the automated scanning of incoming mail for viruses and Trojans.

McClelland's comments, appearing in the Sydney Morning Herald piece headlined "Bosses' Power to Check E-mail", appear to actually support the EFA's claims; context is everything.

"It's unquestionable that it's necessary from time to time for network supervisors to open emails addressed to people to identify viruses and the like," he reportedly said. "There needs to be protocols and guidelines developed so companies can protect their own networks... It will need new legislation."

The existing Act is a touch vague when it comes to the legality of e-mail scanning, EFA says. Given the popularity of spear-phishing among the world's intelligence services and cyber-military units these days, scanning incoming mail and inspecting dodgy attachments may prove to be a good idea.

Once those amendments to various acts have been made, it might also be nice for the people who run our power plants and water infrastructure to be able to manually inspect e-mails that have been quarantined by scanning systems rather than leaving a critical security decision up to Debbie on the front desk.

Because we all know that given a choice between security and executing a .scr attachment that promises to install a lolcats screensaver loaded with malware, Debbie's going for option B.

But really, is engaging in the same thing the rest of the media is in this instance: Speculation. And when you don't do your research you end up writing this sort of dubious story.

There's been a bit too much crapola written on this topic, so why don't we just put down our six-shooters and wait for the proposed legislation to surface before we declare the Rudd government a bunch of killjoy fascists using the phantom threat of TERROR to pillage your inbox in the name of productivity?
