Friday, October 24, 2014

Security versus Privacy

The difference between security and privacy is not that hard. If others can see my bank transactions then I lack privacy. If others can take money out of my bank account then I lack security. However important people think privacy is, they must admit that security is much more important ... Right?

In fact we see an endless stream of postings that seem to be completely muddled about the difference between security and privacy. There are good reasons for that:
  • Security is about the protection of our assets, including life and health. Privacy is the particular asset that is most immediately compromised by security breaches in the information industry
  • Often we use privacy to protect our security. This is most obvious in the way we protect passwords and PINs. Anonymity, an extreme form of privacy, is used as a security mechanism by those doing things, good or bad, that others would, rightly or wrongly, seek to punish.
  • An important information security mechanism is public key cryptography, where keys come in pairs: the public key that is made available to all; and the private key that the owner holds and does not share. In this case the word "private" is to distinguish it from "secret": A secret, and in particular a secret key, is something that is shared.
Still it is hard to understand the confusion, because we see that privacy is something that most people seem prepared to give up very lightly. Most of us enter "customer relationship management" schemes for very little reward, put details of our life on social media, tolerate privacy invading indignities at airports.

I ask people pushing for protection of privacy to address actual privacy issues. If they are actually interested in privacy as an enabler of security then they need to include some evaluation of how effective it is in that regard. When governments lacked the ability to penetrate the anonymity of protesters then it was effective. Would it still be effective if governments said that they would not use their new capabilities to penetrate people's anonymity? Pardon my doubts.

Most particularly I want people to acknowledge that the greatest protection of our security against the government, and against the oligarchs, is transparency and accountability. Transparency is anti-privacy, and that is what we need. People advocating for individual privacy need to be explicit about why it is not going to weaken transparency. People who are not advocating for transparency are not the good guys, and their privacy concerns can be dismissed.