by johncolanduoni 3544 days ago
Unless the devices that need to be monitored are the endpoints. Do you really oppose the laws requiring banks to record all communication (including non-official channels) that goes in and out of their traders' computers? Or do you have an alternate solution that doesn't make circumventing it dramatically easier?

I'm not sure I follow what you're saying. I'm arguing that the banks should already be in full control of their endpoints, so I don't see why they can't perform the monitoring there. Nor do I think that banks should be facilitating the use of non-official channels for communication.

As for circumvention: are you concerned about ensuring a complete communication paper trail or protection from insider threats?

And if you don't have control of your endpoints, any network monitoring or TLS MITM is meaningless anyway, as the contents can always be encrypted again inside the TLS tunnel. Then you're back to square one: the inbound/outbound traffic is inscrutable to monitoring.

It's not meaningless, since for a lot of these laws doing something like that can be evidence of willfully trying to avoid the legally mandated documentation requirements, and is illegal even if they can't access your information. As long as there is a paper trail from that, you're already in trouble.

It is at least meaningless from a data loss prevention/mitigation perspective.

The entire point of much of the legislation requiring monitoring of the communications of bank officials is to combat insider threats (though not to security in the usual sense). They're required to monitor all communication (i.e. not just official e-mail that can be easily monitored another way) so there is documentation if any of their employees does something funky (fraud, etc.).

In this case, the endpoint by necessity is physically accessible to the possible adversary, which means they have a whole host of methods for disabling monitoring software. It's much harder to interfere with a box which you don't have physical access to, that is listening in on your communication, and which simply drops any data it cannot intercept.