I've not bothered to comment so far on the numerous news reports on the NSA's PRISM programme. It's not because I have no views, but simply because it's revealed nothing surprising to the security professional, generated little visible citizen reaction and presented no new issues in ethics or policy.
The ethics of eavesdropping is certainly not a new debate. Back in 1929, Henry Stimson, US Secretary of State and a military hawk who went on to direct the building of the atom bomb, closed down a code-breaking bureau on the grounds that "gentlemen don't read other gentlemen's mail", demonstrating that you can be both a military hawk and a privacy advocate.
Personally I'm neither an advocate nor a critic of covert eavesdropping. I appreciate both sides of the debate. In my view security and privacy are opposing aims and it's a hard balance to strike. Intelligence agencies are tasked with the goal of acquiring secret information on individuals. In contrast, regulators are tasked with a more challenging objective of preserving human rights. Unfortunately in practice this becomes a zero-sum game. You can fully achieve one objective, but not both.
Civil liberties are important: the rights of individuals to be free from government interference, to be free to associate, to speak freely, and to maintain privacy are fundamental liberties, enshrined in constitutions, charters, covenants and bills of rights going back eight centuries. But national security is also important: the need to identify and combat criminal, espionage or terrorist threats. A balance has to be struck. In practice this will depend on which of these conflicting issues is the most burning one of the moment. But wherever you strike it, it will be challenged by supporters of both causes.
Some people are prepared to sacrifice their security for freedom. But not everyone thinks that way. Society is polarised on this issue. I suspect that public opinion follows a normal distribution curve: for every person who is paranoid about privacy, there's probably another one who couldn't care less, and perhaps two or three others who have rather mixed views.
An important and largely overlooked need is to educate and consult the public before laws and policies are developed. This is a fundamental flaw in most countries. Security professionals can certainly help to educate laypersons. I've tried it. Several years ago I served as a technical adviser to the Royal Society's "Science in Society" programme, which consulted a cross-section of UK society on their views on this subject. One thing that struck me then was the high level of trust that people place in government agencies to safeguard their interests. More informed experts might disagree. And citizen opinions change over time and across generations. But, if put to a vote, I doubt that privacy would win the day.
For more than ten years I've been predicting that privacy will lose the argument. The reason is simple: there aren't enough sponsors, lobbyists and supporters of privacy to capture the imagination of the public or overturn the combined interests of the law enforcement, defence and intelligence communities. Our only realistic hope therefore is that our politicians and leaders of public sector agencies adopt responsible practices and behaviours.
But don't forget that the everyday decisions of ordinary security managers can also have an impact on the civil liberties of employees and customers. Security technologies can block or intercept information, and detect and report inappropriate behaviour. Decisions on how to configure these filters should certainly not be left in the hands of individual administrators. They should be developed through a responsible and informed process including all stakeholders.