Security versus privacy - a difficult and uncomfortable balance


I've not bothered to comment so far on the numerous news reports on the NSA's PRISM programme. It's not because I have no views, but simply because it's revealed nothing surprising to the security professional, generated little visible citizen reaction and presented no new issues in ethics or policy.

The ethics of eavesdropping is certainly not a new debate. Back in 1929, Henry Stimson, US Secretary of State and a military hawk who went on to direct the building of the atom bomb, closed down a code-breaking bureau on the grounds that "gentlemen don't read other gentlemen's mail", demonstrating that you can be both a military hawk and a privacy advocate.  

Personally I'm neither an advocate nor a critic of covert eavesdropping. I appreciate both sides of the debate. In my view security and privacy are opposing aims and it's a hard balance to strike. Intelligence agencies are tasked with the goal of acquiring secret information on individuals. In contrast regulators are tasked with a more challenging objective of preserving human rights. Unfortunately in practice this becomes a zero-sum game. You can fully achieve one objective, but not both.  

Civil liberties are important: the rights of individuals to be free from government interference, to be free to associate, to speak freely, and to maintain privacy are fundamental liberties, enshrined in constitutions, charters, covenants and bills of rights going back eight centuries. But national security is also important: the need to identify and combat criminal, espionage or terrorist threats. A balance has to be struck. In practice this will depend on which of these conflicting issues is the most burning one of the moment. But wherever you strike it will be challenged by supporters of both causes.  

Some people are prepared to sacrifice their security for freedom. But not everyone thinks that way. Society is polarised on this issue. I suspect that public opinion follows a normal distribution curve: for every person who is paranoid about privacy, there's probably another one who couldn't care less, and perhaps two or three others who have rather mixed views.

An important and largely overlooked need is to educate and consult the public before laws and policies are developed. This is a fundamental flaw in most countries. Security professionals can certainly help to educate laypersons. I've tried it. Several years ago I served as a technical adviser to the Royal Society's "Science in Society" programme, which consulted a cross-section of UK society on their views on this subject. One thing that struck me then was the high level of trust that people place in government agencies to safeguard their interests. More informed experts might disagree. And citizen opinions change over time and across generations. But, if put to a vote, I doubt that privacy would win the day.

For more than ten years I've been predicting that privacy will lose the argument. The reason is simple: there aren't enough sponsors, lobbyists and supporters of privacy to capture the imagination of the public or overturn the combined interests of the law enforcement, defence and intelligence communities. Our only realistic hope therefore is that our politicians and leaders of public sector agencies adopt responsible practices and behaviours.   

But don't forget that the everyday decisions of ordinary security managers can also have an impact on the civil liberties of employees and customers. Security technologies can block or intercept information, and detect and report inappropriate behaviour. Decisions of how to configure these filters should certainly not be left in the hands of individual administrators. They should be developed through a responsible and informed process including all stakeholders. 


3 Comments

David,

Thanks for the thoughtful article. I share many of your perspectives. I do believe in national security. I am grateful that NSA and other surveillance programs are now subject to public scrutiny. But I also think the motives and actions of whistleblowers should be scrutinized. I don't think that acts of disclosure or oath breaking without inspection make a party a hero or trustworthy, nor do I think they instantly exonerate a party from prosecution for (criminal) wrongdoing.

I would like to add to one of your comments:

"A balance has to be struck. In practice this will depend on which of these conflicting issues is the most burning one of the moment"

This is a spot-on observation, but there are two issues conflated here: dealing with the burning issue in the heat of the moment, and dealing with the enduring aftermath of the decisions made. What we see too often when decisions are made in the name of national security is not a short-term fix but a lasting concession of privacy or other constitutional rights.

The NSA activities (and generally, many activities or legislation in the Post Patriot Act era) aren't a temporary declaration of a curfew but a long term adoption of surveillance under a debatable warrant process with no transparency regarding retention, remanence, scope, or purpose. In cases like this, I can't find any evidence that balance was sought or struck: it's a tug of war where secrecy and influence bias the outcome.

"An important and largely overlooked need is to educate and consult the public before laws and policies are developed."

This need is woefully unfulfilled. While I agree that you can educate and that, as you say, "citizen opinions change over time and across generations", it's hard to dispute that secrecy plays to the strength of those who exploit the burning issue or play to the fears or ignorance of the population, and thus the "long slow learn" necessary to balance security and privacy will be difficult to realize.

Privacy has lost and continues to lose, as you predicted. I have little faith that politicians or public sector leaders will adopt responsible practices and behaviors unless citizens begin to insist that privacy be as prominent a campaign issue as healthcare, abortion, education or gun control.

I do, however, believe that privacy advocate participation in multi-stakeholder Internet governance models can increase the whistleblower capacity by, as you suggest, making use of security technologies to detect and responsibly report rights-infringing behavior. We should not wait for a Snowden to act when we can use social media responsibly to amplify activism.

But what about chapter 11

Dear David,

may I kindly ask you to write me a mail, as I couldn't find any contacts to do it myself. I am really inspired by your blog and would like to invite you to our CISO FORUM event, as I suppose your experience is really interesting for our audience.

Thanks for reply in advance,

Best regards,
Olga


About this Entry

This page contains a single entry by David Lacey published on July 18, 2013 7:30 PM.
