I was catching up on my reading today, and this post by Richard Bejtlich reminded me of the tension we sometimes see between security and privacy. Richard represents the perspective of a Fortune 5 security operator who is tasked with securing customer information and intellectual property, while facing a myriad of international privacy laws – some of which force us to reduce security for the sake of privacy (read the comments).
I’ve always thought of privacy from a slightly different perspective. Privacy traditionally falls into two categories:
- The right to be left alone (just ask any teenage boy in the bathroom).
- The right to control what people know about you.
According to the dictionary on my Mac, privacy is:
the state or condition of being free from being observed or disturbed by other people : she returned to the privacy of her own home.
My understanding is that it is only fairly recently that we’ve added personal information into the mix. We are also in the midst of a massive upheaval of social norms enabled by technology and the distribution and collection of information that changes the scope of “free from being observed.”
Thus, in the information age, privacy is now becoming as much about controlling information about us as it is about physical privacy.
Now let’s mix in security, which I consider a mechanism to enforce privacy – at least in this context. If we think about our interactions with everyone from businesses and governments to other individuals, privacy consists of three components:
- Intent: What I intend to do with the information you give me, whether it is the contents of a personal conversation or a business transaction.
- Communication: What I tell you I intend to do with said information.
- Capability: My ability to maintain and enforce the social (or written) contract defined by my intent and communications.
Thus I see security as a mechanism of capability. The role of “security” is to maintain whatever degree of protection around personal information the organization intends and communicates through their privacy policy – which might be the best or worst in the world, but the role of security is to best enforce that policy, whatever it is.
Companies tend to get into trouble either when they fail to meet their stated policies (due to business or technical/security reasons), or when their intent is incompatible with their legal requirements.
This is how I define privacy on the collection side – but it has nothing to do with protecting or managing your own information, nor does it address the larger societal issues such as changing ownership of information, changing social mores, changes in personal comfort over time, or collection of information in non-contracted situations (e.g., public movement).
The real question then emerges: is privacy even possible?
- As Adam Shostack noted, our perceptions of privacy change over time. What I deem acceptable to share today will change tomorrow.
- But once information is shared, it is nearly impossible to retract. Privacy decisions are permanent, no matter how we may feel about them later.
- There is no perfect security, but once private information becomes public, it is public forever.
- Isolated data will be aggregated and correlated. It used to require herculean efforts to research and collect public records on an individual. Now they are for sale. Cheap. Online. To anyone.
We share information with everyone, from online retailers, to social networking sites, to the blogs we read. There is no way all of these disparate organizations can effectively protect all our information, even if we wanted them to. Privacy decisions and failures are sticky.
I believe we are in the midst of a vast change in our how society values and defines privacy – one that will evolve over years. This doesn’t mean there’s no such thing as privacy, but does mean that today we do lack consistent mechanisms to control what others know about us.
Without perfect security there cannot be complete privacy, and there is no such thing as perfect security. Privacy isn’t dead, but it is most definitely changing in ways we cannot fully predict.
My personal strategy is to compartmentalize and use a diverse set of tools and services, limiting how much any single one collects on me. It’s probably little more than privacy theater, but it helps me get through the day as I stroll toward an uncertain future.
Reader interactions
3 Replies to “Thoughts on Privacy and Security”
Thanks for the kind words, Rich.
My short form answer: privacy is possible and advantageous for those societies which support it. Those societies in which we never forget a mistake, an experiment or a youthful indiscretion will limit the pools from which they draw talent, and will repress the exploration and experimentation from which we all learn.
Dave,
Believe it or not I’ve studied the privacy principles in NZ… which, like those in Oz, are based on the EU data protection directives.
The big problem in NZ, to my understanding, is the lack of enforcement. Government follows them, but I know many private businesses don’t- especially foreign business.
Good article!
Part of the reason that information-privacy is recent is that prior to this generation it has not been possible to collect and trade personal information at the level of detail that we now see. Information privacy was inconceivable, for anyone except dooms-day merchants like Huxley and Orwell. By “inconceivable” I don’t mean that we didn’t believe it would happen – I mean that it wasn’t something we would conceive, it wasn’t an issue to consider.
Prior to this generation, information-privacy was often tied to the home. It was what we did behind closed doors. And data-leakage was essentially “gossip”.
In my country (NZ) our privacy act takes a bit of a different turn to what I understand in the US. A person’s information is essentially theirs almost as ownership. Not a million miles away from copyright. You can only use my information if I give it to you, directly, and then only for the reasons which I gave it to you. On-selling that information is illegal (unless I said you could).
I am not at all happy about some of the details (especially enforcement) of our act. But I really do like general principles behind it. You may be interested. There are 12 in total. An overview is here http://www.privacy.org.nz/information-privacy-principles The first 4 are about data collection, the next 7 are about use of peoples data and the last one is a left field rule to put up Chinese walls against government information sharing.
You’re correct – agreeing to share your information is a one time decision. Once given you can’t get it back. But it’s not a simple binary choice (public vs private). The facebook issue shows this. We are often happy for some people (friends) to know information which we would NOT be happy making public for everyone. We do this on the basis of trust. In facebook’s case we trusted our friends to respect us and not share information (that’s often not stated and we’re hurt if they do). But also we trusted facebook to respect our settings – something they broke when they overnight set many things to “everyone”.
Privacy is as much about usage as collection, and it is not simply a “public”/”secret” issue