Saturday, April 17, 2010

Is Privacy Destroying Security?

In reading a recent post entitle “The Smart Grid Privacy Smoke Screen” describing how relatively low impact privacy concerns are masking some more significant security vulnerabilities, it got me think that this issue is broader than just Smart Grid.  And it makes me question what is Privacy’s role today some thirty years after the OECD Privacy Guidelines were first released.  Back then, security was just a single reference (Security Safeguards Principle) that simply noted that security was an important element to making privacy successful.  After all that adage that you can have security without privacy but you can’t have privacy with security is as true as ever today.  Perhaps that why so many in the privacy community have been the champions of encryption at all costs even if they don’t completely understand how it works.

The truth is that privacy’s purview is relatively narrow.  It really asks who should be given access and for what purpose.  Everything else is about security.  And not surprisingly, because the answer to that question can vary significantly depending upon the organization, the subject of the information, and type of information, discussions in that area become somewhat unsatisfying.  Instead many become involved in somewhat high-level discussions of security issues.  As many security professionals will tell you, privacy professionals are often less technical, but because many are lawyers who have the ear of the CEO, such high-level technical guidance suddenly becomes the new mandate for the chief information security officer.  Moreover, the objectives of privacy are often somewhat squishy and personal.  People willingly give up their privacy on a daily basis in exchange for access to some information or to save money on what they buy.  That makes defining misuse of private information much more difficult.  We all agree that stealing one’s bank account information for the purpose of withdrawing funds is always a bad thing.  However, but selling magazine subscription information to marketing firms that send out junk mail is just one of many consequences we’ve come to expect.

Let’s not forget that compared with cyber attacks that put lives at risk or result in significant financial losses, the value of the dignitary right of privacy hardly holds a candle.  The message to the privacy professionals out there is to focus on the who for what purpose and leave the security to the real experts.

No comments: