2005-02-04

Communications, Privacy Laws, and Security

As far back as 1997, I can remember Voice-over-IP, or VoIP, being called the "next big thing." Today, it seems the prophecies are finally coming true. Unfortunately, the widespread adoption of this technology stands to throw into complete disarray the boundaries of privacy laws intended to protect citizens, and the remediation could have a significant impact on the security industry.

Confusion over the application of the Federal Wiretap Act of 1968 has already arisen with regard to Instant Messaging, and this is a good starting point for a discussion on privacy in a digital environment like the Internet. If I am chatting on AIM from my home computer, sending personal messages to a friend who is at work, the conversation may be recorded. In fact, there is an emerging niche market of products designed specifically for such a purpose. The argument for such monitoring goes like this: every organization has a right (and sometimes an obligation) to monitor the use of its computers and networks. There are many reasons for this, not the least of which is making sure sensitive information is not leaked. If someone happens to be chatting up a storm on IM and personal information gets logged, well, too bad. That individual knows the rules. On the other hand, as the user at home, I have no intention of my message being seen by anyone other than the recipient, and I have no way of knowing that my friend is on a network that might be monitored. On its face, mine seems to be the kind of situation for which the Privacy Act was designed; however, there is little to no precedent either way. And unlike email, which already has a strange judicial precedent, the technology is not store-and-forward, so the one existing ruling regarding Internet communications cannot be applied. Now, I should know that IM conversations are easily read by third parties, but the difficulty of intercepting a conversation has nothing to do with its legality.

These privacy and legal concerns are quickly being realized by adopters of VoIP, except now the technology impacted completely mimics the type of technology the Wiretap Act was meant to protect: voice communications. Every time packets of VoIP data are sent over the Internet, they are most likely being analyzed by packet loggers, IDSes, and a variety of other network monitoring gear. The privacy of this data is entirely in the hands of the people who configured the devices, and the logging of this data falls into the same huge gray area as our IM conversation above. Furthermore, it would be easy to build products to monitor this data in a comprehensive manner, as with the IM conversation recorders above. After all, why not? It's the same communication paradigm: packets of communication data being sent in TCP packets over an IP network. The only difference here is that a person's voice, not fingers, generated the message.

What we have here is quite a conundrum. It's obvious that the current ambiguity with respect to privacy laws cannot last. Lines will be drawn, whether they be in the form of legislation or judicial precedent, and there is a good chance it will make the job of information security analysts considerably more difficult.

I believe that privacy laws are an important part of our democracy in the United States. That being said, security and privacy are often at odds with each other, and some would argue that this is even a zero-sum game: if you gain security, you lose privacy, and vice versa. Consider what would happen to the job of security analysts if it is determined that neither IM nor VoIP conversations may be monitored. Intrusion detection systems would need to ignore such traffic. However, this leaves a significant gap through which an attacker could penetrate a network, as vulnerabilities are found in the associated protocols or their implementations. As an analyst, I cannot both monitor for malicious traffic and protect people's privacy! Any false positive that alarms on normal communication, or any attack that may also lead to the capture of benign traffic, would expose me or my organization to lawsuits. The contrary is just as concerning, as it would be a significant blow to privacy laws in the United States.

The only way to prevent this worst-case scenario is to make sure those who draw the lines in the sand, those who make the laws and set judicial precedent, make exceptions for legitimate and necessary monitoring of network traffic. It is equally important that these exceptions are well-defined and do not create the potential for loopholes or abuse. In the interim, we must rely on the software and hardware vendors to assist in any way they can. A method for adding legal disclaimers to all IMs entering and leaving a monitored network would be a good place to start. Something similar for VoIP would be very difficult, given the backward compatibility with POTS systems, but even a brief 2-second "this call may be monitored by networking devices" would work. Of course, there is currently no incentive for companies to install such devices, should they exist. The problem is a complex one, and watching the solution develop in time will be just as exciting as it will be scary.