
Michael N. Dundas

A place to record my thoughts and musings.

Archive

Category: Behavioural Profiling – People

Several years ago I was hired to assist with an internal investigation. The client, a large company, had some concerns about an employee and wanted to covertly gather information and data on what this employee was doing while at work. For about a week, I sat passively on the network, monitoring the subject’s connections to servers, internet systems, e-mail, instant messaging and any other network connection. There was not the selection of automated software there is today to accomplish this, so most of it was done with packet sniffers. I would gather the data, use scripts to extract specific types of data and run it through statistical analysis, looking for data that was ‘different’ or ‘suspect’ in some way. Basically the goal was to profile the user, compare his activities to other users. Then using this profile, identify and focus on things that didn’t fit. Personally, I found it a little creepy. Looking into the details of someone’s private life is not really fun, a part of me felt like I was being invasive, not respecting their privacy — and technically that is true. But it was the job, what I was asked to do. Sometimes doing things one would prefer not to do is necessary.

One thing I had identified to the client was that the subject was using a type of VoIP software. They asked if it was possible to listen in on the voice conversations. I told them it was, and that I could probably get them a copy of the voice conversations the subject previously had during the time I was monitoring. I had packet captures, most non-encrypted so it was just work and time. At the client’s request, I extracted the VoIP conversations into wmv files using date and time of the call as a file name.

At the end of the job, I was having a conversation with the CTO. He was wondering if there was an automated way to keep audio conversations of all the employees. At the time, this technology was not as prevalent, cheap, and available to the general public as it is today. I asked him if he thought that was really appropriate. I explained that I had just listened in on someone’s private conversations. Maybe it wasn’t any of the company’s business. Maybe there were legalities if they were to do that (yes, I was annoyed). His response was very quick. “The company has a right to view all data, monitor activity that its equipment or network is used for, period”. He told me all the employees know this and sign a document to that effect. I said that made sense. I asked him what he would think if he was in a confidential conversation on the phone with someone in a different province and Bell had listened in on his conversation? I said that I assume he didn’t have a problem with it, after all it is their network, their devices. Aside from the angry facial expression, he said that was ‘different’ and they shouldn’t be allowed to do that.

Fast forward to now. Everyone has a video camera or picture camera on them as a result of mobile phones. If you are serious about it, you can find all kinds of tiny spy cameras. Rob Spence has implanted a camera in his eye. It amuses me when law enforcement gets all concerned about citizens taking their picture and video taping them. I guess they feel that they should be able to watch and monitor us, but we shouldn’t be able to watch and monitor them. Of course if they are not doing anything wrong, then they should have nothing to worry about, right? (That statement is an entire topic in and of itself.)

Everyone has reasons why a particular person or group of people should or should not be monitored. It really comes down to the basic premise that we as humans don’t want to be monitored, but we want the ability to monitor others, especially if we deem them as a threat. Governments want the ability to covertly monitor their citizens but do not want organizations covertly monitoring them. Police want cameras everywhere so they can monitor what is going on and use it to assist with their job, but they don’t want to be video taped in case they get caught doing something controversial, such as Robert Dziekanski being killed by officers at Vancouver airport. The video, once released on the Internet, forced police to change their story. Businesses feel they have a right to monitor their employees, but would have concerns if employees were monitoring some of their activities.

Personally, I think it is futile to attempt to stop one group from monitoring another, especially in public places.  It will never be successful.  Who do you feel should be able to monitor who?   Under what circumstances and conditions is video or audio surveillance appropriate?


LinkedIn has a new follow feature.   If there is a company you are interested in, selecting ‘follow’ will send you notifications when people join, leave, or get promoted in that company.

Up until now, the main reason I used LinkedIn and Facebook was to keep abreast of what is happening in my contacts’ lives. Typically LinkedIn is people that I have worked with, and Facebook is more social friends. This is a really useful feature to me for a couple of reasons:

Are people leaving a company? If there is an increased rate of people leaving a particular company and you are considering working for that company, you might want to reconsider. Or you might see it as an opportunity. Regardless of your decision, it gives you valuable insight. Insight that was not as easily available before social networking.

Transparency. It forces transparency for companies as they do not have any control over LinkedIn.  I love this.  If suddenly there is an increased rate of people leaving a company, public announcement or not, something is up.  Good information to have, especially if you are considering them as a potential candidate for employment or contract work.   The reverse (where a company is suddenly hiring) is also true.

One can suggest that it is not ‘official’ information, but in reality that doesn’t matter.  Forgoing statistics and math,  ask any investigator or law enforcement detective.  If you get enough information from enough people, eventually you will get to the truth.  Sure each piece of information is biased, leaves something out, or has added  titbits for colour, but if you get as much information as you can (sample size), you will start to see what most likely is the situation. At the very least where to focus your efforts to answer the question.  The same applies to information from LinkedIn.   It may not be official, and sure maybe one or two people are potentially mis-representing their position or title, but if there is a sudden change in a company’s employees, there is usually a common set of reasons for the change.

A few months ago when I was looking at changing careers, I was actively on LinkedIn. Even without the follow feature, it became obvious to me over the weeks that one company I was interested in was letting people go. Looking at the profiles of individuals that were leaving, they had been at the company for a long period of time, and were typically in senior management positions. The company was not officially downsizing. Curious, I contacted a few individuals at the company. My assessment based on LinkedIn was correct. They were quietly removing higher paid employees for lower paid ones. Correlating this information with their hiring positions published, you could see this was clearly the case.

What fundamentally worries me is that companies start to see this as a problem and attempt to ‘fix’ it. They could do this in several ways. Discourage employees from posting to LinkedIn, offering LinkedIn money to change the perception of their company, or LinkedIn could see it as a business opportunity and offer perception control as a ‘service’ to companies. I hope this will never be the case, but money talks. I recently saw a tweet about Facebook, but the concept applies to LinkedIn as well:

RT @ruv: “The most important thing to understand abt Facebook is that you are not fb’s cust, you are its inventory” via @davehyndman

The risk of social networking in this case is we have to trust LinkedIn.  LinkedIn is the control point of this information and we have to trust them to do the ‘right’ thing.  While this might seem okay, one only needs to look at the recent happenings at Facebook to understand what can happen when a company gains a clear majority of followers and controls the information.

I do like this stuff though!  Isn’t behavioural analysis awesome?


A few years ago, I was having a discussion with an acquaintance who was involved in an investigation.  One individual they were tracking kept changing his mobile phone every few days.  Each new mobile was typically pay as you go or stolen and personal information connected to the mobile was either false or not available.  Yet the investigators were able to very quickly determine the new number of the individual each time they switched mobile numbers.    How they did this at the time impressed me, and I use the logic to this day.

Throughout the course of the investigation they were able to determine who this individual contacted. A few of the mobiles that the individual contacted did not routinely change their mobile number. As a result, by watching the calling patterns of the mobile phones where the numbers did not change, the investigators could quickly determine a new number that suddenly was calling each of the static numbers in a similar pattern. This of course requires access to mobile network data, but it worked. Even though this individual thought they were not being tracked, their efforts to remain anonymous, unknown to them, were ineffective. As a side note, there is software that will search for and detect these types of calling patterns automatically. The same logic here can easily be applied to an Internet connection.
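The contact-pattern matching described above, as an added example that is not from the original post: it scores each newly seen number by how closely its set of contacts overlaps the retired number's, using Jaccard similarity. The records, the names and the choice of Jaccard similarity are assumptions made for illustration, and call timing is ignored.

```python
from collections import defaultdict

# Constructed call records (caller, callee, day); none of this is real data.
RECORDS = [
    ("A-old", "static-1", 1), ("A-old", "static-2", 1),
    ("A-old", "static-3", 2), ("A-old", "static-1", 3),
    ("B", "static-1", 1), ("B", "other-9", 2), ("B", "other-9", 6),
    ("new-X", "static-1", 5), ("new-X", "static-2", 5),
    ("new-X", "static-3", 6),
    ("new-Y", "static-1", 5), ("new-Y", "other-9", 5),
    ("new-Y", "other-8", 6),
    ("new-Z", "other-7", 5),
]


def contact_sets(records, first_day, last_day):
    """Map each caller to the set of numbers it called in [first_day, last_day]."""
    contacts = defaultdict(set)
    for caller, callee, day in records:
        if first_day <= day <= last_day:
            contacts[caller].add(callee)
    return contacts


def jaccard(a, b):
    """Overlap of two contact sets: 1.0 is identical, 0.0 is disjoint."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def rank_successors(records, retired, cutoff_day):
    """Rank numbers first seen after cutoff_day by similarity to `retired`."""
    last_day = max(day for _, _, day in records)
    before = contact_sets(records, 0, cutoff_day)
    after = contact_sets(records, cutoff_day + 1, last_day)
    profile = before.get(retired, set())
    # Only numbers with no history before the cutoff can be a replacement.
    fresh = [c for c in after if c not in before]
    scored = [(c, jaccard(profile, after[c])) for c in fresh]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    for number, score in rank_successors(RECORDS, "A-old", cutoff_day=4):
        print(f"{number}: {score:.2f}")
```

Number `B` also calls `static-1` but is excluded because it was already active before the cutoff, which is what keeps long-standing contacts of the same people from being mistaken for the replacement.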

A more common example is when you are ever pulled over by a police officer and you don’t have your license. Aside from them giving you a ticket for not having your license on your person, they will most likely ask you for your full name and birth date. The reason for the birth date is to help assure them that when they go back to the cruiser to search on their laptop, the records they obtain are actually yours and not someone else with the same name. How many Michael Dundas’ are there in Canada? Not sure, but the number of Michael Dundas’ with the exact same birth date really lowers the probability of a false positive. This same logic can be applied to social networking and there is interesting research in this area including Twitter.

The EFF recently published a post on information theory and privacy.  In it they discuss the concept of Entropy and how it applies to information and privacy.  It touches a bit on some of the math behind it, but if you are interested it is a good explanation of why when you think you are anonymous you may not be, even when you take precautions.  If you skip the math, their example of how a ‘user-agent’ header transmitted by your browser can narrow you down to one of 1500 people can start to give people that are new to information and anonymity a good perspective.
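To make the name-plus-birth-date and user-agent arguments above concrete, here is an added example (not from the original post or the EFF article) that measures, on a small constructed population, how many bits each known attribute reveals and how the matching set shrinks. The records, field names and function names are assumptions for illustration.

```python
import math
from collections import Counter

# Constructed population; names, dates and browsers are invented.
POPULATION = [
    {"name": "J. Smith", "born": "1970-03-14", "browser": "Firefox"},
    {"name": "J. Smith", "born": "1982-11-02", "browser": "Firefox"},
    {"name": "J. Smith", "born": "1982-11-02", "browser": "Chrome"},
    {"name": "J. Smith", "born": "1991-07-30", "browser": "Chrome"},
    {"name": "A. Lee", "born": "1970-03-14", "browser": "Firefox"},
    {"name": "A. Lee", "born": "1982-11-02", "browser": "Chrome"},
    {"name": "R. Patel", "born": "1991-07-30", "browser": "Firefox"},
    {"name": "R. Patel", "born": "1966-01-09", "browser": "Safari"},
]


def surprisal(probability):
    """Bits of information carried by a fact that is true with this probability."""
    return -math.log2(probability)


def anonymity_set(population, known):
    """Everyone in the population consistent with the known attribute values."""
    return [p for p in population
            if all(p[field] == value for field, value in known.items())]


def bits_revealed(population, known):
    """Bits learned by narrowing the whole population down to the matching set."""
    matches = anonymity_set(population, known)
    if not matches:
        raise ValueError("no record matches the known attributes")
    return math.log2(len(population) / len(matches))


def attribute_entropy(population, field):
    """Average bits revealed by learning one person's value for this field."""
    counts = Counter(p[field] for p in population)
    total = len(population)
    return sum(-(n / total) * math.log2(n / total) for n in counts.values())


if __name__ == "__main__":
    known = {}
    for field, value in [("name", "J. Smith"), ("born", "1982-11-02"),
                         ("browser", "Chrome")]:
        known[field] = value
        left = len(anonymity_set(POPULATION, known))
        print(f"{field:8} -> {left} left, {bits_revealed(POPULATION, known)} bits")
    print(f"1 in 1500: {surprisal(1 / 1500):.2f} bits")
```

In this population two people share both name and birth date, so the pair only lowers the chance of a false positive; it takes the third attribute to reach the 3 bits needed to single out one record among eight.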

Most know that behavioural profiling is becoming more and more standard practice every day. Just by watching communication between mobile phones, communication between systems, where people connect to on the internet you can glean so much valuable information about a target. Johnny Long wrote a book about similar ways to accomplish profiling by information gathering on targets. Behaviour profiling can be used to find botnets, DDoS attacks, phishing and other malicious activity. It has good uses.

The next level. Google.org has a site that indirectly tracks flu trends by correlating search terms with location where the search was performed and other information. It appears the accuracy level approaches that of the Centers for Disease Control and has a lead of up to two weeks. This is cool stuff.

What gets me is many very intelligent security researchers and consultants have been saying this since before 9/11 — profiling won’t work, need to assess behaviour, personality etc. Israel has this figured out and implemented years ago. 5 years later, oh maybe we should listen to them!