Is Anonymous Really Anonymous?

Last week’s column endorsed the need to provide your employees with an anonymous means of reporting wrongdoing to management. Essentially, if you preemptively mitigate the threat of retaliation for your employees, you’re more likely to receive tips about improper behavior from within the company. Increasing the likelihood of being notified vastly improves your ability to investigate and neutralize real wrongdoing before such activities damage your company’s standing.

From an ethical standpoint, this is a fairly straightforward argument. From a technical standpoint … not so much. Given the tools we have to work with in business-grade IT, can you really provide anonymity to your employees? I think you can.

First, let’s touch on how not to do it. Using basic company e-mail, for example, is right out. Every message sent within the company system has to have an authenticated sender. If an employee wants to e-mail you about a problem, that’s fine. Encourage them to! When the employee’s identity shows up in the “from” field of the message, though, you know exactly where it came from. No anonymity there.

Using an in-house web server that allows comments to be posted (wiki style) or e-mailed (form field style) is much better. You can allow the employee to refrain from including a contact identity, and the submitted content can be reviewed at any time. The problem with this method is that evidence of the posting probably exists on the author’s workstation. If an unscrupulous boss or co-worker were to pull the author’s browser history, they’d find a record of the user having navigated to the in-house complaints page. Similarly, an unscrupulous sysadmin could use the files in that history to correlate the time a message was sent via the web server with the time the employee accessed that page from their workstation.

Even if the user clears their browsing history and cache, those records are still on the hard drive. Anyone with basic forensic examination skills can quickly image a drive and recover all of those deleted files. Is this a stretch? Perhaps, depending on your company. It’s definitely possible, though.

You could allow complaints to be filed by intra-office fax transmission. That’s safer … provided the user typed their complaint. A handwritten note can almost always be traced back to its author. Even with a printed fax, however, there may be headers and footers added to the transmission by the sending or receiving machine that betray where the sending machine was, and at what time the fax was sent. Further, the complainant most likely will have to type their message in a word processing application first (leaving electronic evidence on their workstation), then print it (producing physical evidence, likely with the author’s fingerprints on it) and then have to risk being caught with the original at or coming from the sending fax machine.

Intra-office distribution holds many of the same risks as fax transmission. The complainant has to generate their content (leaving a document trail) and print their complaint. Then they have to handle the output in such a way that they don’t leave fingerprints on the document (including when they load the blank paper into the printer). They have to find an envelope (usually a routing envelope for internal distro) that doesn’t have marks, addressing or fingerprints, and finally have to deliver it into the distribution system without being seen. Possible, but risky.

You can allow phone calls to an internal phone line that only takes voicemail messages, but that method requires the complainant to alter their voice beyond recognition – highly improbable. They also have to make their call without being observed or overheard. Again, impractical at best.

It gets frustrating trying to solve this puzzle, doesn’t it? On the one hand, all of our advanced digital evidence examination methods and network monitoring tools are awesome for detecting and prosecuting bad behavior – you can tell who did what, where, when and usually how in sufficient detail to convince a judge to find a miscreant guilty. Those same tools also make it extremely difficult for an employee acting inside the company to safely and anonymously submit a complaint without the IT or security department tracing it back to them.

My proposed solution to this is to post public kiosks throughout your organization: disk-less PCs that boot from an optical disk with no need for local storage.[1] Tie the kiosk to a public ISP – a completely different physical and logical network infrastructure from your production network so that it lies outside your internal monitoring tools. Make it a matter of company policy that employees, guests and visitors are allowed to use the accessible kiosk machines for any personal use throughout the day.[2]

Second, create the public-facing, form-based web page discussed earlier in this column. Optimally, build the site in such a way that someone filing a comment through it can upload documents as well as enter typed text. That way, employees can turn over evidence to support their complaint when they file it.

With this kiosk and website solution in place, an employee can slip away from their office with (at most) a flash drive in their pocket, and potentially with nothing at all that might alert an observer to their intentions. The employee can visit a kiosk under the pretense of browsing something inane, and – when no one is looking – they can fire off their comments very quickly. One swift reboot of the kiosk on the way out (usually just a tap of the power button will suffice) clears all of the history from the PC since everything is stored in RAM on a diskless system. Even if someone follows the employee to the kiosk, there’s nothing there for them to find. Management receives the complainant’s information, and the frightened employee can significantly increase the odds that they’ll avoid identification and retaliation.

Remember: the purpose of this solution is to facilitate anonymous communications between a witness and an authority figure so that potential wrongdoing can be brought to leadership’s attention quickly. The deployed technology is worse than useless if no one is monitoring the other end of the solution. Someone in your organization needs to be held accountable to receive and act on incoming complaints in a timely manner and with the utmost professionalism.

If you’ve deployed a similar solution in your company, I’d love to hear about it – what you did, and how well it’s worked out for you. Please post a comment, below, or drop me a line directly.

[1] I’m particularly fond of the U.S. Air Force’s Lightweight Portable Security product. It’s a completely bootable, stand-alone, UNIX-based kiosk PC that features significant hardening and security controls. Anyone can download the .ISO file and can either run it as a virtual machine or can burn it to a CD-R. I’ve deployed this solution around my campus and it’s been an absolute godsend: it’s fast, stable, economical, safe and secure enough to meet our demands for protecting the users from themselves. The team who put this product together were brilliant. You can also download many different pre-built virtual appliance ISOs from VMware’s online community.

[2] This is especially useful for companies that strictly limit what employees can do on the production network. For example, if you make it company policy that employees may not send or receive personal messages from their company PC, the kiosks provide employees with a safe and legal place to conduct personal activities (when needed) without fear of betraying company standards.

Keil Hubert is a business, security and technology operations consultant in Texas. He’s built dot-com start-ups for KPMG Consulting, created an in-house consulting practice for Yahoo! Broadcast, and helped launch four small businesses (including his own). His experience creating and leading IT teams in the defence, healthcare, media, government and non-profit sectors has afforded him an eclectic perspective on the integration of business needs, technical services and creative employees. He currently commands a small IT support organization for a military agency, where his current focus is mentoring technical specialists into becoming credible, corporate team leaders.
