Transparency is essential when monitoring your users' activities

Posted by    on   Sep 20, 2017

The inspection of HTTPS traffic is a sensitive issue among security experts. On the one hand, there are those who argue that this breaks the important end-to-end principle of secure connections, while others argue that it is essential if one wants to block malicious network traffic, which is increasingly using HTTPS.

I tend to side with the latter group, but with great power comes great responsibility, and there are a few criteria that need to be satisfied by those doing the inspection.

Firstly, users should have alternative ways of accessing the content without being monitored. This is satisfied in a work environment, where users can switch to mobile devices or use their home Internet connection, but not when monitoring happens at the level of a country or region.

Secondly, the interception should be such that it does not degrade the security of the connection. It is possible to achieve this, but many security products have failed here. At VB2017 next month, Cloudflare's Nick Sullivan will give a Small Talk on this very subject, aiming to help security products to do things better and thus relieve the tensions in the encryption vs inspection debate.

And thirdly, the interception should be transparent to the user. This is also what the European Court of Human Rights said recently when it ruled that companies that monitor their employees' work accounts should notify them in advance.

I would thus recommend organizations that monitor network traffic and other user activities to be upfront about it, and to discuss their monitoring activity as part of the regular security training they provide to their employees. As for these employees, a nice online tool developed by the same Nick Sullivan will tell you whether your traffic is being monitored. (The tool is currently in beta and appears to give false positives or false negatives for some users.)


A related issue occurs with consumer spyware: mobile apps used by people to spy the activities on (ex-)partners – the subject of a VB2017 presentation by Joseph Cox of The Daily Beast. Such apps are despicable, yet functionally barely any different from apps used by parents to monitor their children's mobile phone usage.

There is one big difference though: transparency. Legitimate child monitoring apps will make it clear to the phone's user that their activities are being monitored. If apps fail to do so, even if they make bold claims about wanting to protect children, they should not be used – and ideally should be blocked.

Whether it concerns children or employees, treating users as potential adversaries isn't helpful and may even have an adverse effect – something that is argued by Forcepoint's Kirstin Leary and Richard Ford in their VB2017 paper on the inside threat. But it would be naive to assume that users never do things they shouldn't, whether intentionally or by mistake. The monitoring of activities by a security product can mitigate the risks that come with this. But do make sure to do it right.

Registration for VB2017 (4-6 Oct in Madrid, Spain) is still open. Places are filling up fast – book now to avoid disappointment!




Latest posts:

VB2017 paper: The life story of an IPT - Inept Persistent Threat actor

At VB2017 in Madrid, Polish security researcher and journalist Adam Haertlé presented a paper about a very inept persistent threat. Today, we publish both the paper and the recording of Adam's presentation.

Five reasons to submit a VB2018 paper this weekend

The call for papers for VB2018 closes on 18 March, and while we've already received many great submissions, we still want more! Here are five reasons why you should submit a paper this weekend.

First partners of VB2018 announced

We are excited to announce the first six companies to partner with VB2018.

VB2018: looking for technical and non-technical talks

We like to pick good, solid technical talks for the VB conference programme, but good talks don't have to be technical and we welcome less technical submissions just as much.

Partner with VB2018 for extra visibility among industry peers

Partnering with the VB conference links your company to a successful and well-established event, demonstrates your commitment to moving the industry forward, allows you to meet potential clients, be visible to industry peers and build lasting…