Tuesday, June 15, 2010

privacy NOT versus security

i've been growing increasingly perturbed by the notion that there is some tension or conflict between privacy and security and i want to set the record straight.

there is no such conflict. my privacy is completely compatible with my security. there is no tension between them, no conflict. ultimately they have the same goal - protecting the things i think need protecting.

often when people talk about privacy vs security they're not talking about the purely person perspective, though. they're talking about other organizations that are expected to help protect an individual's privacy. here there can be a conflict, but not because of some tension between privacy and security, rather because the organization's interests are not aligned with those of the individual. they never are, they aren't supposed to be, it's not reasonable to expect them to be. even amongst individuals alone, my interests, values, and priorities are different from your interests, values, and priorities - by chance we might happen to agree on what needs protecting on a general level but when it comes to the finer details there will always be disagreement.

when we hand over our information to an organization (or when it's handed over for us) we expect that organization to act as our partner in protecting that information - and to the extent the law requires them to do so they usually do. but the organization's interests, values, and priorities are not the same as our interests, values, and priorities.

that is where the true tension exists - not between privacy and security, but between the interests of different parties. whether those parties are two individuals, an individual and a company, or an individual and a nation - any conflict exists between those parties (because they have different needs), not between privacy and security. security of the whole vs. privacy of the individual is a conflict between entities, not strategies.


Anonymous said...

These terms lack technical definition and are not worth a shit scientifically.

We are better off talking about things we understand, like confidentiality, message integrity, sender authenticity, privilege escalation, access control, etc.

But that is all on the security side of the ledger. I don't even know where to get started in breaking down privacy into something we can talk about, measure. None of the definitions I have seen to date get (or deserve) much traction.

kurt wismer said...

well i suppose it depends on what you mean by "technical definition".

i actually have definitions for both security and privacy here (though the privacy def is more implied than explicitly stated).

both are sets of strategies for protecting people/things but they work in different ways. one aims to protect by shielding against or becoming invulnerable to particular attacks, while the other aims to hide the target so an attack against it can't be launched in the first place. and in that regard confidentiality is really more a matter of privacy than of security since it's concerned with keeping things hidden/secret.

regardless, though, the fact remains that my security is not the slightest bit incompatible with my privacy. both are, by definition, intended to protect me and the things i hold important. the only time there's a conflict is when we're talking about one party's security versus another party's privacy.