The impact that packet inspection has on privacy is deep. There’s an equally deep impact on your operation when you fall foul of the law. Implementing deep packet inspection or SSL/TLS decryption gives you opportunities to protect your services. It also decreases the privacy of your users. A further complication arises when the data on the network isn’t necessarily yours.
I know you CISO, legal and IG people like to bring this up. Personally, I’m not actually a fan of seeing the GDPR raised anywhere in the security arena. If someone quotes ‘the GDPR’ at me, I tend to shiver and wonder how much they actually know. Quote the correct clauses of the Data Protection Act 2018 and you’ll instantly get my full attention. This is a digression though, as for once I’m going to say the GDPR is actually where this is nailed well.
It all comes down to the legal basis for processing. The GDPR provides some very clear blocks of text on this, and a clarity that we didn’t have written into law before.
Mandate for operation
When you run a Security Operations Centre (SOC), you must understand the mandate under which it operates. It must have a defined scope of what you cover, the Area of Operation (AO). Assess the legal ground that the security team operates upon. Ask hard questions about what you:
- Legally can,
- Morally should, and
- Are technically capable of processing
But is it legal?
As always, this blog post is provided Without Prejudice. You really need to check with your own legal team, solicitors and law enforcement in your own country. With that caveat, here are some sweeping generalisations to get you started. If your legal advice differs, let me know and I’ll take it into account.
As long as ALL the data is your company’s, you can fairly process it. As long as your employees understand (under the Acceptable Use Policy) that you are processing everything on the network, you can intercept away. This model is very common and is becoming global. Settled case law helps demonstrate that employees have to assume their communications are intercepted and can be read by their employer. For a private-sector employer inspecting its own network, the legal basis that usually fits is legitimate interests (GDPR Article 6.1(f)), with the balancing of interests recorded in the Data Protection Impact Assessment (DPIA). If you are a public body, or otherwise carry out a public-interest function, there’s a nice quote you can put in your DPIA instead:
Public task – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
GDPR – Article 6.1(e)
Problems start to occur when you share infrastructure or start to receive data from other businesses. This gets tricky. Really tricky. The easiest way out is to use the law: find a statute that makes the inspection your task. If you are in the public sector this can even be covered by a Direction (spelt with a big ‘D’) from the supporting Secretary of State. The clause then becomes very clear cut:
Legal Obligation – processing is necessary for compliance with a legal obligation to which the controller is subject.
GDPR – Article 6.1(c)
If you can’t use the law to back you up, the only remaining ground is the consent model. This is a world of pain: capturing and recording consent, including the conditions under which it was given, and remembering that regulators treat employee consent with suspicion because of the imbalance of power between employer and employee (GDPR Recital 43). It also widens your internal processes, because all of this must be disclosed in your data subject access requests (SARs). In other words, make sure your SAR process remembers to disclose that your SOC is using this data to monitor the user.
The deep impact of this will be on the effectiveness of your SOC. Without consent to intercept and read the content of the traffic, analysts can’t always tell whether it is malicious or not. Case law doesn’t seem to have caught up here yet. There are cases of employees bringing action against their employers for failing to protect them online, while those same employees had not given sufficient consent for the employer to do so. With this Catch-22, the area is likely to remain grey for some time, and morals play a part in it.
So is it morally correct ?
Every good SOC analyst, engineer or specialist I know has impeccable security morals. Job satisfaction comes from doing a good job, and doing what is morally right comes more naturally than checking whether it is legally correct. Unfortunately, in today’s world, being morally correct can land you in serious hot water. You may be trying to help a victim, but the investigation and resolution of a security incident can quickly evolve into charges being brought under the Computer Misuse Act 1990. Even the strongest morals on the planet won’t repair the reputational damage of a successful prosecution against your business.
Do yourselves a favour and leave the morals out of your mandate and ensure your staff are clear about the Area of Operation.
Deep impact on processing
Let’s end with the impact of technically processing all this data. With homes now on gigabit fibre, the world is simply sending more and more data. If you have the responsibility to read it all, make sure you have the capability to do so. TLS decryption is processor heavy, and full packet storage is slow and expensive. Make sure you only inspect what you need to (again a GDPR thing: data minimisation, Article 5.1(c)).