Tuesday, 20 November 2007

Network Monitoring: How Far?

In my January post The Revolution Will Be Monitored and elsewhere I discuss how network monitoring is becoming more prevalent, whether we like it or not. When I wrote my first book I clearly said that you should collect as much data as you can, given legal, political, and technical means because that approach gives you the best chance to detect and respond to intrusions. Unfortunately, I did not provide any clear guidance for situations where I think monitoring might not be appropriate. While this is by no means a political blog, I would not want my NSM approach to be taken as justification for monitoring and retaining every electronic transaction, especially beyond the security realm.

In that spirit I would like to point out three recent stories which highlight some of the contemporary problems I see with electronic monitoring.

First is Boeing bosses spy on workers. From the story:

Within its bowels, The Boeing Co. holds volumes of proprietary information deemed so valuable that the company has entire teams dedicated to making sure that private information stays private.

One such team, dubbed "enterprise" investigators, has permission to read the private e-mails of employees, follow them and collect video footage or photos of them. Investigators can also secretly watch employee computer screens in real time and reproduce every keystroke a worker makes, the Seattle P-I has learned...

"Employees should understand that the law generally gives employers broad authority to conduct surveillance, whether through e-mail, video cameras or other forms of tracking, including off the job in many cases."

The law grants companies the right to protect themselves from employees who break the law, such as by embezzling money or using the company warehouse to run a drug-smuggling ring.

The problem, [Ed] Mierzwinski [consumer program director at the federation of Public Interest Research Groups] said, is when companies use the surveillance tactics available to them to root out whistle-blowers.

"We need greater whistle-blower protections," he said. But, "if you're using the company's resources and you think it's protected because you're using Hotmail, think again."


My first point on this story is that I have never advocated NSM as a means to combat fraud, waste, and abuse by employees, let alone whistle-blowers. I have almost exclusively focused on external threats. I say let legal and human resources look for non-security policy violations.

My second point on this story is that I think the operative word here is surveillance. NSM is not a surveillance methodology. NSM does not advocate identifying a person of interest, then examining all traffic generated by or directed at that person. NSM is more channel- and system-centric. If I am going to conduct network surveillance of any type, I expect legal and human resources tasking. I do not engage in network surveillance for my own security purposes. I conduct NSM.

The next story is Cal-Ore Telecommunications on Solera Networks. This is a blog posting advertising the adoption of a packet capture appliance sold by Solera Networks to the Cal-Ore ISP in California. From the story:

Cal-Ore, a rural telephone company and ISP headquartered in Northern California, has been serving customers for more than 55 years. In order to comply with CALEA requirements, Charles Boening, Cal-Ore’s network manager considered three choices. First, they could do nothing and hope they never received a lawful intercept warrant request. Second, they could contract with a trusted third-party (TTP) that would perform any tapping services and bring them into compliance: at a six-figure price tag with ongoing fees. Or third, they could purchase a Solera DS 1000 from Solera Networks...

“We not only capture traffic that goes to the Internet, we can also use those extra Ethernet ports to capture traffic from other areas of our network,” Boening said...

While not being used to fulfill a warrant, Boening uses the Solera DS 1000 for complete network packet capture and storage. This has become an integral component to network management at Cal-Ore...

“We’ll hear from other providers telling us that we have a customer who is sending out spam,” said Boening. “Before I disconnect that customer, I need to verify it is a legitimate complaint. I use the Solera Networks box to find specific traffic over a period of time and put it into an analyzer, such as Wireshark, to determine whether it is junk. If it is, I will then turn off the customer.”


When I read this I thought "This ISP is logging all traffic that customers send to the Internet?" I read their terms of service and found this:

Use of any Cal-Ore Telephone network service constitutes consent to monitoring at all times. If monitoring of any device in the Cal-Ore Telephone network reveals any evidence regarding violation of copyright laws, security regulations or any instance of unauthorized use of any system, this evidence and any other related information, including identification information about the user, can and will be provided to law enforcement officials.

It appears Cal-Ore is relying on the consent exception to the wiretap act to avoid breaking Federal law. They could also hope that their activity "is a necessary incident to the rendition of his service or to the protection of the rights or property of the provider of that service" and thereby qualify for another exception to the wiretap act.

However, California law is a little different. As noted in Applying the Wiretap Act to Online Communications after United States v. Councilman, California is a two-party consent state, meaning that both parties to the communication must give consent in order to make interception of a communication permissible. I am not a lawyer (I may have to rectify that situation at some point), but it sounds like the consent exception is lost when a Cal-Ore user who has not granted consent communicates via IM to any Cal-Ore user.
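The spam-verification workflow Boening describes above (pull a time window out of a full-content capture store, then look at the traffic to decide whether the complaint holds up) is the kind of channel-centric question NSM is built for, and it is worth seeing what the check looks like when you do not have a vendor appliance in front of you. The following is an added example, not code from Solera Networks, Cal-Ore, or the original post. It builds a small libpcap-format capture in memory (all addresses, timestamps and the "10.0.0." customer prefix are constructed), walks the records, keeps only outbound connection attempts to TCP/25 inside the requested window, and reports which customer hosts opened mail connections to how many distinct destinations. The "three or more distinct MX hosts" threshold is an illustrative assumption, not a published heuristic; a single host talking to many unrelated mail servers is the pattern a spam complaint usually describes, and a customer legitimately relaying through one upstream server should not trip it.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4       # native-order libpcap magic
PCAP_MAGIC_SWAPPED = 0xD4C3B2A1
LINKTYPE_ETHERNET = 1
TCP_SYN, TCP_ACK = 0x02, 0x10


def build_frame(src_ip, dst_ip, sport, dport, flags, payload=b""):
    """Construct an Ethernet/IPv4/TCP frame (no checksums; fine for a local sample)."""
    eth = b"\x00" * 6 + b"\x11" * 6 + b"\x08\x00"          # dst MAC, src MAC, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 8192, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(records):
    """records: iterable of (timestamp_seconds, frame_bytes) -> pcap file bytes."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, frame in records:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


def iter_packets(pcap_bytes):
    """Yield (timestamp, frame) from a classic pcap file, handling either byte order."""
    magic, = struct.unpack_from("<I", pcap_bytes, 0)
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == PCAP_MAGIC_SWAPPED:
        endian = ">"
    else:
        raise ValueError("not a libpcap file")
    linktype, = struct.unpack_from(endian + "I", pcap_bytes, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("example only decodes Ethernet captures")
    off = 24
    while off + 16 <= len(pcap_bytes):
        sec, usec, incl, _orig = struct.unpack_from(endian + "IIII", pcap_bytes, off)
        off += 16
        yield sec + usec / 1e6, pcap_bytes[off:off + incl]
        off += incl


def parse_tcp(frame):
    """Return (src, dst, sport, dport, flags, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    tcp_off = 14 + ihl
    sport, dport = struct.unpack_from("!HH", frame, tcp_off)
    doff = (frame[tcp_off + 12] >> 4) * 4
    flags = frame[tcp_off + 13]
    return src, dst, sport, dport, flags, frame[tcp_off + doff:]


def outbound_smtp_summary(pcap_bytes, customer_prefix, start, end):
    """Map customer source IP -> sorted distinct TCP/25 destinations it tried to reach
    (initial SYN only) between start and end (inclusive epoch seconds)."""
    seen = {}
    for ts, frame in iter_packets(pcap_bytes):
        if not start <= ts <= end:
            continue                                   # outside the complaint's time window
        parsed = parse_tcp(frame)
        if parsed is None:
            continue
        src, dst, _sport, dport, flags, _payload = parsed
        if dport != 25 or not src.startswith(customer_prefix):
            continue
        if flags & TCP_SYN and not flags & TCP_ACK:   # new outbound connection, not a reply
            seen.setdefault(src, set()).add(dst)
    return {src: sorted(dsts) for src, dsts in seen.items()}


def suspect_senders(summary, min_distinct_dsts=3):
    """Customer hosts that opened mail connections to at least min_distinct_dsts servers."""
    return sorted(src for src, dsts in summary.items() if len(dsts) >= min_distinct_dsts)


# Constructed sample capture: 10.0.0.5 fans out to three mail servers, 10.0.0.9 sends
# one normal message, and some traffic falls outside the window or is not SMTP at all.
SAMPLE_PCAP = build_pcap([
    (1000.0, build_frame("10.0.0.5", "198.51.100.1", 40001, 25, TCP_SYN)),
    (1001.5, build_frame("10.0.0.5", "198.51.100.2", 40002, 25, TCP_SYN)),
    (1002.0, build_frame("10.0.0.5", "203.0.113.7", 40003, 25, TCP_SYN)),
    (1002.2, build_frame("203.0.113.7", "10.0.0.5", 25, 40003, TCP_SYN | TCP_ACK)),
    (1005.0, build_frame("10.0.0.9", "198.51.100.1", 40100, 25, TCP_SYN)),
    (1006.0, build_frame("10.0.0.9", "198.51.100.1", 40100, 25, 0x18, b"EHLO customer\r\n")),
    (1010.0, build_frame("10.0.0.5", "198.51.100.9", 40004, 80, TCP_SYN)),
    (2000.0, build_frame("10.0.0.5", "198.51.100.3", 40005, 25, TCP_SYN)),
])


def analyze_sample():
    """Run the check over the constructed capture for the window 990..1100."""
    return outbound_smtp_summary(SAMPLE_PCAP, "10.0.0.", 990, 1100)


if __name__ == "__main__":
    summary = analyze_sample()
    for src, dsts in summary.items():
        print(src, "->", ", ".join(dsts))
    print("suspect:", suspect_senders(summary))
```

Swapping `SAMPLE_PCAP` for the bytes of a real capture exported from the appliance is the only change needed to run this against actual data; the parser deliberately ignores IP options beyond the IHL and does not reassemble streams, so anything needing payload inspection still belongs in Wireshark.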

The third story is actually a set of articles posted by The Baltimore Sun about the National Security Agency and "cyber security." A slightly more recent article called In focus: Targeting Internet terror offers a few items of interest:

President Bush quietly announced yesterday his plans to launch a program targeting terrorists and others who would seek to attack the United States via the Internet, according to lawmakers and budget documents.

Bush requested $154 million in preliminary funding for the initiative, which current and former government officials say is expected to become a seven-year, multibillion-dollar program to track threats in cyberspace on both government and private networks...

At the White House, spokesman Sean Kevelighan would say only that the money would be used for "increased monitoring capabilities, as well as to increase the security of our networks."


I'm interested in this article because it and previous stories hint that the government might monitor private networks for security purposes. This would be quite a step if true.

Monitoring remains a hot topic, so I plan to keep my eye on these issues going forward.
