imaginary family values presents

yesh omrim

a blog that reclines to the left


The mathematics of leaks

29 December 2010

DEAR MISS MANNERS: I told my closest friend a deep dark secret that I didn’t want anyone else in the world to know, and she went around blabbing it to everyone. Don’t you think that’s disgusting and wrong? I don’t feel I can trust anybody now.

GENTLE READER: One can never learn to trust others until one has learned to trust oneself. Who blabbed first, you or she?

Miss Manners’ Guide to Excruciatingly Correct Behavior

Suppose you are responsible for information security at a cellphone manufacturer, and you are trying to prevent information about unreleased models from leaking into the press: not just prototypes, but pictures, specifications, roadmaps for future product development… all sorts of things that your employer wants to keep private.

Let us consider your odds.

Suppose that N people have access to information (from plans to physical prototypes to draft marketing materials) about every new model, and each of these people will, with probability p, leak some of the information about this model that they receive. We can calculate p*, the probability that at least one person will leak at least one privileged detail, as

p* = 1 – (1-p)^N

Since N is (we hope) orders of magnitude higher than p, it may be numerically convenient to recast it as follows:

p* = 1 – exp (N ln (1-p))

If each employee of a cellphone manufacturer has a one-in-ten-thousand chance of leaking confidential information about each model, and information about a new model passes through a thousand hands, then the odds of a leak are about 9.5%. At two thousand employees, the probability goes up to 18%. At five thousand, it is 39%. At ten thousand, it is 63%.

If a rigorous program of security education cuts p in half—i.e., five in a hundred thousand—then the chance of a leak among ten thousand confidantes goes back down to 39%. If p goes down to one in a hundred thousand, p* is down to 9.5%.

(Yes, I was told what the actual values of N and p* are for my employer. No, I’m not telling you.)

Which corporate initiative is more feasible: convincing every employee to be half as likely to leak sensitive information, or sharing that information among half as many employees in the first place?
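To put numbers on that question, here is an added example (not the author's code; the function names are mine). It computes p* with `log1p`/`expm1`, a more robust variant of the exp/ln form above, compares halving p against halving N, and inverts the formula to find how many people can hold the information for a given leak budget. The 10% budget in the demo is a constructed value.

```python
import math

def leak_probability(n, p):
    """p* = 1 - (1-p)^n, evaluated as -expm1(n * log1p(-p))."""
    if n < 0 or not 0.0 <= p <= 1.0:
        raise ValueError("need n >= 0 and 0 <= p <= 1")
    if p == 1.0:
        return 1.0 if n > 0 else 0.0
    return -math.expm1(n * math.log1p(-p))

def naive_leak_probability(n, p):
    """Direct transcription; loses p entirely once 1-p rounds to 1.0."""
    return 1.0 - (1.0 - p) ** n

def compare_halving(n, p):
    """Return (baseline, p halved, n halved) for the same starting point."""
    return (leak_probability(n, p),
            leak_probability(n, p / 2),
            leak_probability(n // 2, p))

def max_holders(p, target):
    """Largest n for which leak_probability(n, p) <= target."""
    if not (0.0 < p < 1.0 and 0.0 <= target < 1.0):
        raise ValueError("need 0 < p < 1 and 0 <= target < 1")
    n = math.floor(math.log1p(-target) / math.log1p(-p))
    # Step across the boundary in case the division rounded the wrong way.
    while n > 0 and leak_probability(n, p) > target:
        n -= 1
    while leak_probability(n + 1, p) <= target:
        n += 1
    return n

if __name__ == "__main__":
    # The post's own scenario: p = one in ten thousand.
    for n in (1000, 2000, 5000, 10000):
        print(f"N={n:>6}  p*={leak_probability(n, 1e-4):.1%}")
    base, half_p, half_n = compare_halving(10000, 1e-4)
    print(f"baseline {base:.1%}, halve p {half_p:.1%}, halve N {half_n:.1%}")
    # Constructed leak budget of 10% at the same p.
    print("max holders for p*<=10%:", max_holders(1e-4, 0.10))
    # Constructed extreme input where the direct formula collapses to zero.
    print(naive_leak_probability(10**15, 1e-17), leak_probability(10**15, 1e-17))
```

Halving p and halving N give nearly the same p*, because for small p both reduce to 1 – exp(–Np/2).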

Now let’s consider Cablegate, a series of leaks more newsworthy than next year’s smartphone specs. All the diplomatic cables released by Wikileaks were classified at the level SECRET/NOFORN or below, and had been distributed over SIPRNet, whose explicit purpose is to make it easy for cleared government employees—an estimated 2.5 million of them—to share classified documents with one another.

Given the large number of people with SIPRNet access, if the Russian or Chinese intelligence services wanted copies of lightly-classified documents regarding matters that they cared about, how hard would it be for them to find a mole, even without Wikileaks? What does it mean for the US to assert that a document would cause “serious damage” to national security if revealed, making it a felony to share that document with the general public (including, ahem, us voters), and then give millions of government employees and contractors permission to read it?