This is the text of a presentation I gave recently during Infosec18 week. By popular demand (i.e. more than three people asked), I’m re-posting it here for a wider audience. I also intend to record it as a downloadable audio file at some point when I have some free time (hahaha, what’s that???). I took out the specific case studies for the sake of brevity, but I will post those separately as Part 2.
This is how it went
Part 1: The Big Debate
You may have seen the ‘Privacy vs Security’ debate being argued in the news, on forums and at events over the past few years. Having worked in both disciplines, I find this question coming up a lot and I want to unpick it today because I’m not convinced that any of the debates I have seen have really got to the heart of the matter.
In order to answer the question “is privacy vs security a pointless false dichotomy?“, we must first define the terms we are discussing – otherwise we’ll be shouting about tangential irrelevancies at each other all day and not getting anywhere.
What are ‘privacy’ and ‘security’? They are easier to describe in comparison than to define in a vacuum.
Security is a very wide topic, and very context-dependent. There are many flavours of security, for example (nb: these are my own words for the purposes of clarity, please don’t post argumentative comments loaded with dictionary definitions)
- Physical security – the integrity of person or premises
- Information security – the Confidentiality/Integrity/Availability triangle model that relates to information and supporting systems
- National security – the integrity of borders and infrastructure, often closely entangled with physical and economic security. Depending on the nation, there may also be a social and cultural element to how security is viewed.
- Economic security – the integrity and availability of trade and financial matters.
However, I’m only going to address information security in this talk, because that’s what we’re all here for.
Privacy is the concept of personal autonomy; the integrity of both the tangible and intangible self. It’s solely focused on people (and in data protection law, those people have to be alive for the law to apply. Zombies do not get privacy rights).
Many people working in infosec are predisposed to think of privacy solely in terms of data confidentiality, but in doing so they misunderstand and misapply the concept. This actually leads to degraded privacy, so it’s definitely a bias be mindful of and adjust for.
There are also different flavours of privacy
- Physical – being free from unwanted/unwarranted touching or restriction of movement
- Data protection – transparency, fairness and control in relation to information about (living) people
- Social – being able to associate with whomever you wish
These flavours of privacy are most defined in law. In the UK, we have the Data Protection Act 2018, the GDPR, the Privacy & Electronic Communications Regulations (soon to be ePrivacy Regulation) and the Human Rights Act. However, as well as formal codification into law, there are also a variety of cultural expectations and social consensus around privacy.
The ways in which we use the words ‘security’ and ‘privacy’ are varied. We use these terms to describe both the desired position we are trying to achieve, but also the process of managing factors in order to achieve the desired position. Security and privacy are not just states of being but also the activities required to bring about and maintain those states.
Which one – the position or the approach – do we actually mean when we ask the question “privacy vs security”? It makes a difference, because the process of working towards one may well undermine the state of the other, if we’re not careful.
Security is not a binary on/off position. The goal is to achieve suitable security to manage risk within tolerances and capability. A regime of absolute security would be pointless, it would prevent everyone from getting stuff done. What you want is enough security. How much is enough? Well, that depends on what you are trying to achieve and how you plan to go about it.
Security is not an end unto itself – you don’t pursue a position of security simply because it brings rainbows and butterflies into your soul. You do it because you need to protect something sufficiently to allow it to function as intended.
Privacy is more of an end unto itself, based on the ideal that people aren’t just units of exploitable animated flesh but that everyone has a unique and valuable contribution to make to the great mosaic of life (even if that contribution is merely to serve as a warning to others), and that they should be allowed a degree of autonomy, freedom and dignity in which to do so.
Your views on whether that’s a good thing may vary but (in theory), this is what civilised democratic society has collectively agreed upon.
Privacy is also not a binary – for example, it is certainly not the opposite state to ‘in public’. I have the same right to be free from unnecessary interference when I walk down a public street as when I am in my home, and so does my data. Neither myself or my data can be grabbed and used however the grabber wishes, no matter how gratifying or lucrative the grab-and-use idea may be.
Privacy rights – i.e. not being subject to unwarranted interference – are qualified rights. This means that there will be circumstances where the good of the collective takes higher priority when in conflict with the rights or preferences of the individual. For example, your right to move about freely stops when you are imprisoned after being convicted of a crime. Your right to control how information about you is used becomes limited when that use is necessary to protect other people.
There are degrees of privacy, just the same as there are degrees of security; and those are also dependent on context and risk tolerance – but additionally, on other factors such as cultural values, moral principles and social norms.
Both words – “security” and “privacy” relate to a spectrum of desired positions into which a variety of inputs are factored; and to the pursuit of achieving or maintaining those desired positions.
In considering whether security and privacy are really in conflict, it’s helpful to look first at where they align.
They are both intended to protect and defend things we consider to be worth protecting and defending.
The most obvious example of alignment is the principle within data protection (privacy in relation to information about living people), which states that
“personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures”. [Article 5.1(f) GDPR]
Clearly, unless personal data is protected against unintended or unauthorised uses (by securing it), then privacy will be affected – on both an abstract level (someone’s rights are infringed, although they may not realise it) and potentially on a practical level, resulting in adverse consequences such as inconvenience, harassment, fraud, discrimination or other mistreatment.
Therefore in this specific context, privacy and security are not at odds – rather privacy depends on security.
Privacy and security have a different focus, although context and circumstance can bring them closer together. Just as privacy goes beyond information security into the realms of fairness, lawfulness and transparency; so security also goes beyond privacy – extending outside the context of personal data and into business data: trade secrets, financial details, competitive advantage, regulatory requirements and operational necessities.
Privacy focuses on harm to the individual, whereas security focuses on harm to the organisation.
The question of whether ‘privacy vs security’ is a false dichotomy would require us to look at the areas where the two diverge if we were to consider it seriously. But I don’t think it’s even a question worth asking at all. It’s the wrong question – and usually only deployed to make a rhetorical and ideological point by someone with a vested interest in a particular answer.
Take, for example, the argument that increased mass surveillance of the general population is a necessary measure to keep that population safe. It is presented as a choice between ‘being watched all the time and staying safe’ vs ‘keeping other people’s noses out of your business and getting everyone blown up’. This is definitely a false dichotomy – usually followed by the maddening “nothing to hide = nothing to fear” trope. It is also nonsense, for a number of reasons. More surveillance means more data, but it does not automatically mean better analysis or response, especially when the resources for picking signal from noise are already overstretched. One does not locate more needles by adding more hay to the stack. Also, we already have mechanisms for targeted surveillance of people who the authorities think are up to no good, and this is a necessary control for a free and democratic society. Inevitably, collecting more data leads to more ways to use that data – whether well-intentioned or nefarious.
We simply cannot trust either the individual or groups of individuals to always act rationally, ethically (even if we could agree on what that looks like) and appropriately. Mass surveillance hugely increases both the likelihood and the potential impact to the victims of irrational, unethical or inappropriate action which is made possible, or justified by the uncritically-accepted data gathered by mass surveillance; but it does not benefit the desired security posture in proportion to the damage it does to individuals’ rights and freedoms.
What’s the point then?
Actually, the questions we should be asking if we want to get stuff done, stay out of trouble, not be Bad Guys and keep the organisation running are the following:
Is my security posture incurring intolerable privacy risk?
Is my privacy posture incurring intolerable security risk?
Bear in mind here that “intolerable” is not just a reference to what you or your organisation is willing to accept, but also what other individuals or society as a whole will accept; ie you must factor in legal obligations, contractual obligations and public opinion.
Neither of these questions mean that one posture invalidates the other. These are comingled analogue spectrums, not a binary OR gate.
If the answer to both questions is “no”, then the matter is settled. Keep on doing the good work and make sure you ask the questions again regularly.
If the answer to either question is “yes”, then in order to resolve the issue, you must ask more questions:
- Can I achieve an equivalent security or privacy posture in another way?
- If not;
- Can I terminate or treat the risks without compromising on tolerances?
- What is the range in cost, effort and feasibility of the options available to me?
- How do I present this clearly to executive stakeholders?
In summary: it’s not “privacy vs security”; it’s “appropriate security AND appropriate privacy“. Managing the risks of both is not just about considering cost and reputation – there are also laws which have already defined the parameters of acceptable risk and these need to be taken into account.
Security is not privacy and privacy is not security. Confusing the two or trying to manage them as a single risk will likely lead to your failure at one or the other, if not both.
Be very suspicious of anyone who says privacy must be ‘sacrificed’ for security. There is already provision in law for balancing these. Nothing is risk-free, and even the complete negation of one would not guarantee the other. Therefore, there is no need to ‘sacrifice’ anything. Ask those people: which of YOUR rights and freedoms are they planning to take from you?
Part 2: Case studies will be posted soon