Privacy vs. Security: In the Public or in Private - and Which Came First?

I know what you’re thinking, “oh great, here it comes again. Another uninformed, opinionated blog around the topic of privacy versus security.”  Well, yeah, you got me. But here’s the twist; I offer no formal opinion here—only a scattering of just some of the millions of facts, facets and opinions on one of the most prickly topics we have come to debate in the past 50-to-100 years (aside from the “chicken or the egg” debate, which for some was recently resolved while others remain in doubt).

The comedian Ron White has a funny and interesting story that he uses in his stand-up act, explaining that he is sitting in a bar one night with the purpose of getting drunk. He accomplishes his mission, getting quite plastered, in the privacy of the bar. The bar management feels he’s overstayed his welcome and tosses him out on to the street, whereupon the bar security personnel commence to outnumber him in a street brawl. But before the fight commences, the police show up and immediately arrest Mr. Ron “Tater Salad” White for being drunk in public.

Mr. White’s very simple statement of innocence (or transference of guilt?) to the arresting officer:

"I wasn’t’ drunk in ’the public‘ until they threw me out, so arrest them!”  

For those with a stomach for slightly off-color comedy, go ahead and Google the video; it’s worth the two minutes.

In any case, while he may not have intended it, Mr. White exposes the stratus of a debate that has been gaining fervor and significance for quite a while as our digital age continues to transform itself and us. Privacy vs. Security…or Public Security, as some like to refer to it. Which is more important? Which affects the other? And what, as countries, citizens/consumers or business and industries, can we do about it to protect ourselves from the invasion?

What is Privacy?

Simple right?  Not at all. Let’s get some basic definitions out in the open first.  From our friends at Secureworks, we find that:

Privacy is often defined as having the ability to protect sensitive information about personally identifiable information, while protection is really a security component. Others define it as the right to be left alone.” 

They go on to point out the five concepts of privacy, as it pertains to the security industry:

• What data should be collected?
• What are the permissible uses?
• With whom might it be shared?
• How long should the data be retained?
• What granular access control model is appropriate?

OK, that’s fairly clear, until you take on the analogy and definitions from a CSOOnline article, which offers:

Consider a window in your home. It provides various functions for you. It allows you to look outside. It lets sunlight into your home. A window keeps weather outside. You can open a window to let in fresh air. In an emergency, you can use a window as an exit.

A window is also vulnerable. Just as you can use it as an egress, others can use it as an entrance. To protect against unwanted visitors, you can put bars or a grate in front of the window. This still allows you to keep all of the desired functionality the window provides. This is security.

Just as you can look out a window, others can look in. Preventing unwanted eyes from looking in can be addressed by putting a drape, a curtain, or a shade inside of the window. This is privacy. Obscuring the view inside of your home also provides a little security as intruders may not be able to tell when you are home or see the things you own.”

The writer of this opinion piece in CSO-Online goes on to summarize that privacy assures that personal information (and sometimes corporate confidential information as well) are collected, processed (used), protected and destroyed legally and fairly.

He points out that, “just as the drapes on a window may be considered a security safeguard that also protects privacy, an information security program provides the controls to protect personal information. Security controls limit access to personal information and protect against its unauthorized use and acquisition. It is impossible to implement a successful privacy program without the support of a security program.”

Rest assured that that debate is also still going on!

Let’s Get Scary

The former US Homeland Security secretary, Michael Chertoff, has been in the news of late, discussing cybersecurity and his new book 'Exploding Data'. His opinion gets fairly scary as he intimates most of our personal/corporate data is out there already, and we all have no idea who already has it and what they intend to do with it. Data has become the “new domain of warfare,” or at least part of the toolbox for waging war.

So, is stealing data or spying considered warfare? Chertoff says no, “but if you destroy things and kill people with it, that’s warfare.”

He further points to the public and business fascination and reliance upon social media as an obvious data giveaway.  Chertoff warns of our cell phone usage as an immediate and direct funnel of personal, and private, information. “We’re opening ourselves up and freely giving away our data, even “Locational Data…our Digital Exhaust,” as he puts it. Loyalty cards at the grocery store, credit cards, iWallet’s, ride services and the like are other examples, and Chertoff explains that we give it away easily in the name of convenience and consumerism.  Is he right? For me, guilty!

In the Public or Private

So where does it stop, or does it? As Jon Evans wrote in his recent TechCrunch article, "Personal privacy vs. public security: fight!" he asks us to consider…”the constant demands for “golden key” back doors so that governments can access encrypted phones which are “going dark.” Its opponents focus on the fact that such a system will inevitably be vulnerable to bad actors — hackers, stalkers, “evil maids”. Few dare suggest that, even if a perfect magical golden key with no vulnerabilities existed, one which could only be used by government officials within their official remit, the question of whether it should be implemented would still be morally complex."

He says that "this accumulation of data is, in and of itself, not a ’personal privacy‘ issue, but a massive public security problem." Three problems, in fact, and summarized as follows:

1. Loss of “Private Spaces” inhibits growth, experimentation, research and technological/cultural advancement:

Private spaces are the experimental petri dishes for societies. If you know your every move can be watched, and your every communication can be monitored, so private spaces effectively don’t exist, you’re much less likely to experiment with anything edgy or controversial; and in this era of cameras everywhere, facial recognition, gait recognition, license plate readers, Stingrays, etc., your every move can be watched."

2. Loss of mass privacy, and exempting “the rich” from it, helps to perpetuate status-quo laws / standards / establishments, and encourages parasitism, corruption, and crony capitalism:

Cardinal Richelieu famously said, ‘If one would give me six lines written by the hand of the most honest man, I would find something in them to have him hanged.’ Imagine how much easier it gets if the establishment has access to everything any dissident has ever said and done, while maintaining their own privacy. How long before ’anti-terrorism‘ privacy eradication becomes ’selective enforcement of unjust laws‘ becomes ’de facto ‘oppo research’ unleashed on anyone who challenges the status quo?’”

3. Advancing technology can manipulate the public based on their private data.

Do you think ads are bad now? Once AI starts optimizing the advertising? Behavior? Data feedback loop, you may well like the ads you see, probably on a primal, mammalian, limbic level. Proponents argue that this is obviously better than disliking them. But the propaganda? Behavior? Data loop is no different from advertising? Behavior? Data, and no less subject to ’optimization’.”

Evans further encourages us to also read from the 538.com blog, its premise being: “you can’t opt out of sharing your data, even if you didn’t opt in.”

Bringing it all back to Mr. Ron White being drunk and getting kicked out of the bar and into the “public.” Whether you think your data is private but you gave it to someone/thing/company in exchange for something else, it will then always have the ability to get kicked out of “the private” and into “the public.” And, yes, if your personal or private data is not already stolen from whence you gave it, it can easily get sold, and has…just ask your friends that run Facebook. This debate, as per mentioned, continues.

However, as mentioned previously, the importance of security as the ultimate first step in the protection of privacy cannot be understated. As the CSO article mentioned above clearly articulates, consumers must take an active part in their privacy by reading the privacy notices before they give out their personal information, as well as taking proactive security measures to ward against viruses, malware and phishing scams. And businesses, as well, are best advised to first enact a strong security assessment and then plan that complements its privacy plan.

As the author advises,

It is not up to a privacy program to state the technology or processes to be used to protect personal information (though the privacy team may have valuable opinions); it is up to the security specialists to make this determination.”

And there is of course the argument that privacy and security are not all that different at all. Daniel Miessler looks at that side of the argument in his article stating that:

The word Security breaks down as “se” and “cura”, which is Latin for “without worry”.

Without Worry is the most succinct description of the goal of security I’ve ever heard, and it applies equally to both Privacy and InfoSec. It also allows us to reduce the discussion to first principles."

Do I have my own suggestions and opinions regarding privacy and security? You bet, but for now, I’m keeping them to myself.