DPI, Employees, and Proper Inspection

In my last post I alluded to the fact that Deep Packet Inspection (DPI) technologies could be used by businesses to try and reduce the possibility of ‘inappropriate’ employee use of bandwidth and wrongful or accidental transmissions of confidential IP. In that last post I was talking about IT security, and this post will continue to reflect on DPI technologies’ applications and benefits to and for corporate environments.

A Quick Refresher on DPI

From ArsTechnica:

The “deep” in deep packet inspection refers to the fact that these boxes don’t simply look at the header information as packets pass through them. Rather, they move beyond the IP and TCP header information to look at the payload of the packet. The goal is to identify the applications being used on the network, but some of these devices can go much further; those from a company like Narus, for instance, can look inside all traffic from a specific IP address, pick out the HTTP traffic, then drill even further down to capture only traffic headed to and from Gmail, and can even reassemble e-mails as they are typed out by the user. (Source)

For a slightly longer discussion/description of DPI I suggest that you look at the wiki page that I’m gradually putting together on the topic of Deep Packet Inspection.

Employers and Data Breaches

We often hear about the loss of personal information in the news these days – it seems that almost every day another few tens of thousands of records are lost, often because a database was poorly secured, or because a laptop was lost or stolen. What isn’t covered in the news as often as it once was is that breaches of confidential information are also (still) caused by email that is sent by employees with access to that confidential information. Indeed, a recent (and somewhat sensationalized) article by SmartCompany.com outlines that 40% of the companies that they surveyed are already watching their employees’ email. (It should be noted that, to date, I haven’t found the raw data that these statistics are based on, so take them with a grain of salt!) Quoted below are the reasons why:

  • 40.6% say it is to ensure they are doing their job properly.
  • 47% say they are worried about too much personal use of email.
  • 40.6% say they only do it if they have a problem with a staff member (such as bullying or stealing). (Source)

In addition, the article notes that “[e]mployers are very concerned that IP, customers and other information might be stolen and either passed on to competitors or used to set up other businesses in competition.”

Scaling and Cost-Effectiveness

One of the issues with having people actually read email before it is delivered past a corporate network’s perimeter is that people cost money. A lot of it. In addition to this financial disincentive to monitor email (though it is only a disincentive when the costs of reading email exceed those of preventing IP and data breaches that would cost the corporation money), people get incredibly antsy when they find out that their email is being read. In particular, they become increasingly guarded against their corporation – why, if they (the employee) slave for the corporation in good faith, should the corporation be hiring people to double-check employee loyalty? As your workforce increasingly feels monitored and untrusted, it reflects this lack of trust towards the corporation and sheds the devotion to the corporate brand (and potentially principles) that are so helpful in raising morale.

In addition to these problems, as your corporation expands it gets increasingly expensive to monitor the email sent from your company. What if there was a way of easily scaling your monitoring system, easily monitoring your employees, and ‘tricking’ them into believing that you trust them and simply run routine operations on all email?

Monetizing ISP-Level DPI

I won’t lie: I don’t particularly like DPI technology. It strikes me as a sneaky way of spying on your users. Moreover, I don’t particularly like the idea that I’m about to suggest, but think that it’s interesting enough that others might be able to run with it in helpful ways for their own work.

As it stands, ISPs use DPI to look at the payload of packets – this lets them evaluate what is inside packets and prioritize traffic as per their traffic shaping rules. Now, when you send an email from your corporate email account it moves from your corporate email server (assuming that you haven’t outsourced your email to a third party, such as Yahoo!, Microsoft, or Google) to your ISP’s network, to the Internet at large. When you send email from your corporate account, right now, it passes through the ISP’s DPI system.

What if a corporation could invest/pay their ISP some money, and have SMTP (email) traffic that leaves corporate servers be inspected by applying corporate-inspired heuristics? This would let the corporation automate their surveillance of email, and have ‘flagged’ email brought to the attention of system administrators before the mail could be passed forward. Moreover, depending on the legality, the corporation could have all email, including personal web email, scanned using their ISP’s DPI technology, letting them identify any and all possibilities of data breaches.

This holds a series of benefits for corporations:

  1. Enterprise-level heuristic analysis, retention, and flagging;
  2. (Presumably) easily updatable heuristics, allowing for improved surveillance as time passes;
  3. Impersonal, insofar as a computer rather than a person is responsible for email screening;
  4. Better allocation of resources – a smaller number of people will have to be retained to analyze email, letting you hire IP creators, rather than IP defenders

At the same time, there are some downsides:

  1. Employees may not share the corporate mantra that ‘impersonal’ scanning is less intrusive than ‘personalized’ scanning;
  2. It will take time to weed out heuristics that persistently result in false positives;
  3. If employees learn to bypass in-place heuristics, then the ‘stop before sending’ aspect of this system may fail;
  4. ISPs must develop a corporate-cost mode;
  5. Corporate heuristics would have to, presumably, remain secret (i.e. codenames, upcoming trademarks and IP could not be accessible/known by the ISP network admins without them signing confidentiality agreements)
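
As an added illustration (not code from this post or from any ISP or DPI vendor), here is a minimal version of the ‘flag before forwarding’ heuristic described above: a message is held when it matches a corporate pattern and has a recipient outside the corporate domain. The codename, document-ID format and domains are constructed for the example. It also shows one source of missed matches: patterns have to run on decoded MIME parts, because a base64 transfer encoding hides the text from a match on the raw payload bytes.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed heuristics: a made-up codename and a made-up document-ID format.
HEURISTICS = {
    "codename": re.compile(r"\bproject\s+bluebird\b", re.I),
    "doc_id": re.compile(r"\bCONF-\d{4}\b"),
}
CORPORATE_DOMAIN = "corp.example"  # assumed internal mail domain


def raw_hits(raw: bytes) -> list:
    """Naive payload match: patterns run over the bytes as seen on the wire."""
    wire = raw.decode("latin-1")
    return sorted(n for n, p in HEURISTICS.items() if p.search(wire))


def inspect(raw: bytes) -> dict:
    """Parse the message, decode each text part, then apply the heuristics."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = set()
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            text = part.get_content()  # undoes base64 / quoted-printable
            hits.update(n for n, p in HEURISTICS.items() if p.search(text))
    headers = [str(h) for f in ("To", "Cc") for h in msg.get_all(f, [])]
    external = sorted(a for _, a in getaddresses(headers)
                      if not a.lower().endswith("@" + CORPORATE_DOMAIN))
    action = "hold" if hits and external else "forward"
    return {"hits": sorted(hits), "external": external, "action": action}


def sample(to: str, body: str, cte: str = "7bit") -> bytes:
    """Build a constructed test message with the given transfer encoding."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "alice@corp.example", to, "notes"
    m.set_content(body, cte=cte)
    return bytes(m)


PLAIN = sample("bob@partner.example", "Specs for Project Bluebird attached.")
ENCODED = sample("bob@partner.example", "See CONF-2041 re: Project Bluebird.", "base64")
INTERNAL = sample("carol@corp.example", "Project Bluebird standup at 10.")

if __name__ == "__main__":
    for name, raw in (("plain", PLAIN), ("encoded", ENCODED), ("internal", INTERNAL)):
        print(name, raw_hits(raw), inspect(raw))
```

The internal message matches a pattern but is forwarded, which is the kind of rule tuning the false-positive item above refers to.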

In a forthcoming post I’ll talk briefly (again) about why I think that this mode of sorting is a questionable practice, but given the present legal attitudes surrounding email it seems like corporations should, in some jurisdictions, be permitted to filter email in this fashion without falling prey to legal concerns related to inspecting employee email. This, of course, is a somewhat scary and censoring use of DPI technologies – it acts as a nice way of filtering out conversation that once took place around the watercooler as people become increasingly mindful of what they are saying. Given that a substantial amount of personal development almost of necessity has to happen at work, given the periods of time that are spent there, DPI applied to corporate email threatens to totally remove the ‘private-personal’ from the ‘private-workplace’ environment by potentially publicizing ‘private-personal’ interactions and disciplining those who engage in such activity in their workplaces.