I was catching up on my reading today, and this post by Richard Bejtlich reminded me of the tension we sometimes see between security and privacy. Richard represents the perspective of a Fortune 5 security operator who is tasked with securing customer information and intellectual property, while facing a myriad of international privacy laws – some of which force us to reduce security for the sake of privacy (read the comments).
I’ve always thought of privacy from a slightly different perspective. Privacy traditionally falls into two categories:
- The right to be left alone (just ask any teenage boy in the bathroom).
- The right to control what people know about you.
According to the dictionary on my Mac, privacy is:
the state or condition of being free from being observed or disturbed by other people: she returned to the privacy of her own home.
My understanding is that it is only fairly recently that we’ve added personal information into the mix. We are also in the midst of a massive upheaval of social norms enabled by technology and the distribution and collection of information that changes the scope of “free from being observed.”
Thus, in the information age, privacy is now becoming as much about controlling information about us as it is about physical privacy.
Now let’s mix in security, which I consider a mechanism to enforce privacy – at least in this context. If we think about our interactions with everyone from businesses and governments to other individuals, privacy consists of three components:
- Intent: What I intend to do with the information you give me, whether it is the contents of a personal conversation or a business transaction.
- Communication: What I tell you I intend to do with said information.
- Capability: My ability to maintain and enforce the social (or written) contract defined by my intent and communications.
Companies tend to get into trouble either when they fail to meet their stated policies (due to business or technical/security reasons), or when their intent is incompatible with their legal requirements.
This is how I define privacy on the collection side – but it has nothing to do with protecting or managing your own information, nor does it address the larger societal issues such as changing ownership of information, changing social mores, changes in personal comfort over time, or collection of information in non-contracted situations (e.g., public movement).
The real question then emerges: is privacy even possible?
- As Adam Shostack noted, our perceptions of privacy change over time. What I deem acceptable to share today will change tomorrow.
- But once information is shared, it is nearly impossible to retract. Privacy decisions are permanent, no matter how we may feel about them later.
- There is no perfect security, but once private information becomes public, it is public forever.
- Isolated data will be aggregated and correlated. It used to require herculean efforts to research and collect public records on an individual. Now they are for sale. Cheap. Online. To anyone.
We share information with everyone, from online retailers, to social networking sites, to the blogs we read. There is no way all of these disparate organizations can effectively protect all our information, even if we wanted them to. Privacy decisions and failures are sticky.
I believe we are in the midst of a vast change in how our society values and defines privacy – one that will evolve over years. This doesn’t mean there’s no such thing as privacy, but it does mean that today we lack consistent mechanisms to control what others know about us.
Without perfect security there cannot be complete privacy, and there is no such thing as perfect security. Privacy isn’t dead, but it is most definitely changing in ways we cannot fully predict.
My personal strategy is to compartmentalize and use a diverse set of tools and services, limiting how much any single one collects on me. It’s probably little more than privacy theater, but it helps me get through the day as I stroll toward an uncertain future.