Sunday, May 14, 2006

Some more thoughts on network traffic monitoring

(Please note: I'm no expert on any of this).

I believe it is possible to monitor network traffic on a statistical basis, i.e., without violating anyone's privacy, to detect certain types of threats. For instance, you can find the following on the web, from 2003:
AT&T developing early warning tool

As an example, Eslambolchi points to the MS-SQL Slammer worm, which was reported on the Internet in January. AT&T saw anomalies in its network three to four weeks before that worm hit and was able to take certain precautions. "When the worm actually happened, AT&T's network did not take a hit," Eslambolchi said.

One can go to the AT&T business website, and find this:
AT&T Internet Protect

As far as I understand, the idea is that when a computer is infected and is attempting to spread its infection over the network, and as more computers get infected, there is a change in the normal patterns of traffic in the network that can be detected early enough to be useful to blunt the attack. I don't think any human follows or needs to follow individual network sessions on the Internet; what is done is a statistical analysis of aggregate traffic.

Notice however that we are talking about something that would be growing and affecting many, many computers. The NSA, with its phone call records, faces a very different scale of problem if it is trying to use anomalous calling patterns as a warning sign of terrorist activity. In the case of, say, the 19 hijackers of 9/11 and their handlers, the statistical monitor would have to extract changes in the calling patterns of this small network, flag them as suspicious and give them to an analyst to examine. This is worse than a needle in a haystack.
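To make the two preceding paragraphs concrete, here is a small added example (my own illustration, not anything from AT&T or the articles linked above) of the kind of aggregate, session-free statistic described: a per-window count is compared against the mean and standard deviation of the quiet windows before it. All counts are constructed; the worm series doubles each minute the way a spreading worm's traffic does, while the call series shows that a small group's extra calls vanish inside the normal variation of a nationwide total.

```python
# Added example (not from the original post): a toy version of the kind of
# aggregate, session-free statistic the post describes. Every count below is
# constructed; nothing is measured from a real network or call database.
import statistics

def trailing_zscore(value, history):
    """Standard score of `value` against the mean/stdev of earlier windows."""
    mean = statistics.fmean(history)
    stdev = statistics.pstdev(history) or 1.0  # guard a perfectly flat baseline
    return (value - mean) / stdev

def flag_windows(counts, threshold=4.0, warmup=6):
    """Indices of windows whose count sits `threshold` sigmas above baseline.

    Windows already flagged are kept out of the baseline so a growing worm
    does not drag the mean up behind itself.
    """
    flagged, baseline = [], list(counts[:warmup])
    for i in range(warmup, len(counts)):
        if trailing_zscore(counts[i], baseline) > threshold:
            flagged.append(i)
        else:
            baseline.append(counts[i])
    return flagged

# Constructed: distinct hosts per minute sending to UDP/1434 (the port Slammer
# used) across a large network. Eight quiet minutes, then doubling growth.
WORM_COUNTS = [20, 22, 19, 21, 23, 20, 18, 22, 45, 110, 300, 900]

# Constructed: total calls per minute nationwide, then one minute in which a
# small group of twenty people each place ten extra calls (+200 in total).
CALL_COUNTS = [1_000_000, 1_003_000, 998_000, 1_001_000,
               997_000, 1_002_000, 999_000, 1_000_000, 1_000_200]

if __name__ == "__main__":
    print("worm windows flagged:", flag_windows(WORM_COUNTS))  # [8, 9, 10, 11]
    print("call windows flagged:", flag_windows(CALL_COUNTS))  # []
    print("z-score of the +200 minute:",
          round(trailing_zscore(CALL_COUNTS[-1], CALL_COUNTS[:-1]), 2))
```

The worm is flagged in the first minute it departs from the baseline, at a z-score above 15, whereas the small group's extra calls move the national total by roughly a tenth of one standard deviation and no aggregate threshold can separate them from noise.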

If the NSA already had suspicions about this small network, it could simply monitor them rather than the whole nation. If the belief is that actually quite a few people know one way or another of an impending terrorist attack, and the change in their calling patterns can be picked out from the vast mass of call records, then the question is why human intelligence does not get to know of it. And how are you going to isolate the terrorist threat from among this larger group of people who are somehow in the know, in time to nullify the threat?

Ultimately, the point is that there are possible legitimate, civil-liberties-neutral and illegitimate, civil-liberties-violating uses of a nation-wide database of call record data. The point of the Declaration of Independence and the Constitution is that civil liberties are inalienable, and that to keep the government from stepping all over these, the responsibilities and powers are divided among three branches of government. However brilliant an idea the Bush team may have to protect us all, they need to run it by Congress and the Courts, to follow a process of law.