Traffic analysis is a field of espionage, focused on learning about the enemy by looking at their communication patterns without having to understand the content. Here are some examples from the Wikipedia entry:
- Frequent communications — can denote planning.
- Rapid, short, communications — can denote negotiations.
- A lack of communication — can indicate a lack of activity, or completion of a finalized plan
- Frequent communication to specific stations from a central station — can highlight the chain of command.
- Who talks to whom — can indicate which stations are ‘in charge’ or the ‘control station’ of a particular network. This further implies something about the personnel associated with each station.
- Who talks when — can indicate which stations are active in connection with events, which implies something about the information being passed and perhaps something about the personnel/access of those associated with some stations.
- Who changes from station to station, or medium to medium — can indicate movement, fear of interception.
Some of these might sound familiar to anyone interested in analysing implicit data. Number 4 sure sounds a lot like PageRank. The others can all be applied to any communications where you know the time, sender and recipients. Email content isn’t encrypted, but computers can’t fully understand natural language, so it might as well be. That makes anything we can gather from the external characteristics invaluable. There’s obviously a lot we could learn from the work that’s been done over the years.
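To make three of the list items concrete (who talks to whom, a central station sending to specific stations, and a lack of communication), here is an added example that is not part of the original post. It works only on time, sender and recipients; the station names, the sample records and all function names are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample metadata: (ISO timestamp, sender, recipients). No content is used.
MESSAGES = [
    ("2024-03-01T09:00", "hq", ["alpha", "bravo", "charlie"]),
    ("2024-03-01T09:05", "alpha", ["hq"]),
    ("2024-03-01T09:07", "bravo", ["hq"]),
    ("2024-03-01T09:30", "hq", ["alpha", "bravo", "charlie"]),
    ("2024-03-01T09:41", "charlie", ["hq"]),
    ("2024-03-01T10:02", "alpha", ["bravo"]),
    ("2024-03-01T16:00", "hq", ["alpha", "bravo", "charlie"]),
    ("2024-03-01T16:03", "alpha", ["hq"]),
]

def edge_weights(messages):
    """Count messages per directed (sender, recipient) pair."""
    w = defaultdict(int)
    for _, sender, recipients in messages:
        for r in recipients:
            w[(sender, r)] += 1
    return w

def pagerank(weights, damping=0.85, iterations=50):
    """Weighted PageRank by power iteration; rank of silent nodes is spread evenly."""
    nodes = sorted({n for edge in weights for n in edge})
    out_total = defaultdict(int)
    for (src, _), c in weights.items():
        out_total[src] += c
    rank = {n: 1 / len(nodes) for n in nodes}
    for _ in range(iterations):
        dangling = sum(rank[n] for n in nodes if out_total[n] == 0)
        new = {n: (1 - damping + damping * dangling) / len(nodes) for n in nodes}
        for (src, dst), c in weights.items():
            new[dst] += damping * rank[src] * c / out_total[src]
        rank = new
    return rank

def fan_out(weights):
    """Distinct recipients per sender: a wide fan-out suggests a central station."""
    out = defaultdict(set)
    for src, dst in weights:
        out[src].add(dst)
    return {s: len(d) for s, d in out.items()}

def longest_silence(messages):
    """Longest gap between consecutive messages, as (minutes, start, end)."""
    times = sorted(datetime.fromisoformat(t) for t, _, _ in messages)
    return max(((b - a).total_seconds() / 60, a, b) for a, b in zip(times, times[1:]))
```

On the sample data the station everyone replies to gets the highest rank and the widest fan-out, and the quiet stretch in the middle of the day stands out as the longest gap, all without reading a single message body.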
Unfortunately traffic analysis has been exclusively the territory of government intelligence services, and they don’t publish too many papers. Some of the most useful work I’ve found has been declassified World War II reports, but even there cryptanalysis tends to get the most coverage. Probably the most fascinating I found was the post-mortem report produced on the British TA work with German signals. It’s not very enlightening about the techniques they used, but the management recommendations they make are startlingly relevant for a modern tech company, once you get past the formal language:
"The policy of recruiting personnel for T.A. should emphasize the quality of personnel, not the quantity. Conforming to the usual pattern of history, in the beginning of such an undertaking as T.A., there is available only a very limited number of experienced people. Therefore, from the whole field of possible T.A. functions only the most useful and urgent should be undertaken. As the exploitation of these functions progresses, other possible functions will be recognised by the small but able original staff. Their suggestions for organisational changes and expansion should be encouraged and taken seriously. Only from operational experience can possible new functions be properly evaluated in the first instance. Once operational opinion is agreed that certain specific undertakings should be added, the additional personnel should be, as far as possible, chosen and trained by those who have the operational responsibility. … A wholesale creation of a T.A. staff with the a priori idea of providing a sufficient quantity of people to exhaust the field of T.A. … is wasteful and operationally inefficient."
History shows that small motivated teams usually beat the lumbering man-month monstrosities that large companies keep trying to assemble. I guess that’s a lesson they learnt back in 1942!