In recent years, much attention has been paid to the problem of data loss, with a corresponding explosion of products promising Data Loss Prevention (DLP). These are generally focused on one or more of the following scenarios:
• Accidentally sending sensitive materials outside the perimeter
• Insider threat intentionally sending information outside the perimeter
• Hackers exfiltrating captured data and documents
These defenses generally rely on identifying key words or patterns in the data, or anomalous patterns of activity. I feel that all of these discussions and solutions seem to miss an entire class of data loss.
Meta-data and traffic analysis are often at least as valuable as the content of communications. If you could see and analyze someone’s Internet activities, you could learn a great deal about their interests and plans. The reality is that any website can do exactly that.
Every website captures and logs identifying information about visitors, as well as a complete record of all of their activities on the websites. With just a little effort the identifying information can be converted into an identity, at least on the business or team level, and a useful analysis of their behavior.
It is particularly interesting to watch competitor or customer activity on your own website. One can watch the new product development process play out in the competitor organization just by watching who at that company is visiting what pages and how often. Similarly, the purchase decision process can be tracked from the initial contact through the approval process. Of course one must assume that anyone else might be doing that as well, and indeed we see increasing use of web analytics for corporate counterintelligence.
This counterintelligence capability is based on a leakage of information which is invisible to the existing DLP solutions. It hinges on the ability of websites to identify visitors and track their behavior. I call this “passive information leakage”.
While it is not possible to prevent the tracking, one can prevent identification and avoid analysis of behavior over anything but single sessions.
In a series of posts I will further explore the capabilities of Passive Information Leakage, look at specific impacts from it, and discuss techniques for preventing it.