Balancing Security, Privacy and Secrecy

Recently, I read the National Security column, “We Need More Secrecy: Why government transparency can be the enemy of liberty,” by David Frum in the May 2014 issue of The Atlantic magazine. It reminded me that I had proposed adding the word “secrecy” to the title of a 2009 book that I co-edited. Instead the title of the book ended up as “Enterprise Information Security and Privacy.” I’m not quite sure why it was decided to omit consideration of secrecy as a different concept from security and privacy, but it clearly was so omitted. In retrospect it would have been interesting to have included discussions about secrecy in the book, especially as subsequent events have focused on secrecy as a major ethical issue.

There is still a fair amount of confusion between security and privacy today, particularly and surprisingly among infosec practitioners. In my mind it is fairly straightforward … privacy has to do with a person’s right to be left alone and have personal information protected from access and misuse by others. Security, on the other hand, comprises, among other attributes, the means or methods of achieving privacy. Security tools and architectures can be used to restrict access to certain information and to ensure that those authenticated individuals, who are authorized to access such information, only use the data for previously agreed-upon legal purposes.

Individuals essentially own data about themselves … not companies, government agencies or other entities that are responsible for collecting, processing, storing and distributing such personal information. Infosec practitioners seem to want to shy away from anything to do with privacy lest they be made responsible for something with which they are not entirely comfortable. To quote Gartner Research Director Anton Chuvakin from an interview by Marcus Ranum on big data security, which appeared in the April 2014 issue of Information Security magazine: “… privacy is one topic I won’t touch with a 10-mile [sic] pole. Frankly, I have no idea what it is in specific, measurable terms, and thus I am unwilling to discuss it.”

While Chuvakin is to be praised for his candor, it is quite disturbing when a security thought-leader takes this view regarding such an important topic. Privacy may not be measurable, indeed it probably isn’t. But, like many other subjects, we all have a vested interest in having our privacy maintained and so we, especially us infosec folks, should try to understand what it means to preserve a person’s privacy and particularly to know when and how it might be infringed upon. In the Chuvakin interview, the privacy issue was raised by Ranum because of his having received a note from a friend telling him that Amazon had informed the friend that Ranum’s birthday was coming up. The friend was then given a link to Ranum’s Amazon Wish List. Chuvakin thought that such notification and linking was just fine. Ranum , on the other hand, seemed to be truly concerned about how much about himself could be revealed without his even knowing it.

While one’s Amazon Wish List may not really be construed as personally-identifiable information per se, it may contain items that, for one reason or another (innocent or otherwise), you might not want others to know. There was a well-publicized case where someone learned of a friend’s intention to propose marriage to his girlfriend because the former saw that his friend had been searching for engagement rings and “spilled the beans” to the fiancée-to-be, thus destroying any element of surprise.

Here is a case where a person wanted to keep a secret, but had been denied that privilege because a system told on him to another party. Was this a privacy breach? In one sense it was, since the person looking at rings had some secret information about his activities disclosed with upsetting (and potentially life-changing) consequences. Nonetheless, the information was not what one would call nonpublic personal data, as are Social Security numbers, dates of birth, and the like, so would likely not be covered under current privacy laws and regulations. I’m not certain about this latter statement as I am not a lawyer, so anyone so compromised might want to contact a legal expert if he or she wants to take action.

Post a Comment

Your email is never published nor shared. Required fields are marked *