Finding a Needle When You Can’t Look in the Haystack
Long before I was a security geek, I was a systems administrator. Oh sure, security goes with the territory when you’re a systems administrator, but it’s only one aspect of the job.
Needless to say, I’ve maintained email servers as part of my duties, where I’ve had plenty of access to look at people’s private emails. I also ran a computer bulletin board in the late 1980s, where I had the same privilege. In college, I did a term paper where I wrote about the Electronic Communications Privacy Act of 1986, which protects people’s personal email, but does little to protect corporate email. Provisions in the law allow business to monitor their networks for business purposes, which means they can see everything going on–including potentially non-business related communications.
While generally speaking, all an employer in the U.S. has to do is disclose that use of the corporate network is subject to monitoring, that is not the case in many European countries, where there are strict data privacy laws forbidding the practice. That would make it difficult for, let’s say, Nokia, to find out if a Finland-based employee was leaking secrets about upcoming handsets. It’s so difficult, in fact, that there was a reported rumor that Nokia was threatening to leave Finland if they couldn’t get a law passed that would allow employee email monitoring.
While Nokia spokespeople are officially denying this rumor, it doesn’t change the fact that the passing of such a law would be extremely beneficial to Nokia. Many companies, including Nokia, have a similar problem: how can evidence of corporate wrongdoing be found when you can’t look where evidence of wrongdoing would easily be found? In Europe, obviously, there are strict laws regulating who can see or do what with “private” electronic communications like email.
Even if monitoring workplace communications is legal, let’s assume the communication is somehow encrypted. How would you determine something inappropriate is going on? One school of thought is that the very use of encryption implies you have something to hide–something the company might not like.
Even if a communication is encrypted, some things about the communication usually aren’t: who it’s coming from, where it’s going to, and how much data or how long it is. One can certainly make some inferences based on that information, but one cannot conclusively prove that wrongdoing is taking place. However, you might find out enough just from that information alone to suspect something.
Of course, if you’re going to leak any company secrets, it’s probably best not to do it using the corporate network