The Illusion of Privacy

Opinion by Tim Mather

The public's idea of confidentiality is not compatible with the way their details are handled.

There is an increasing concern about privacy of personal information. Following the terror attacks of recent years, government officials have increasingly framed the need for greater amounts of information about individuals as a security versus privacy debate. Frankly, that misses the point.

First though, let's back up a minute. Can you have security and not have privacy? Of course. I can have the most secure enterprise in the world, and yet have the marketing department selling customers' personal information to third parties as part of approved company operations.

Can I have privacy if I do not have a secure enterprise? Of course not. And this is the situation that you read about so frequently with regard to security or data breaches in the US.

But it is also not true that the issue is security versus privacy. That argument implies an either/or situation, a zero-sum game. This debate over security versus privacy is not going to simply disappear anytime soon, so we need to move beyond simplistic rhetoric and analyse the issue in more detail.

Let's start with the fact that many individuals equate privacy with security. That simply is not true, as my first illustration demonstrates. Security and privacy are two different things, even if they have similarities. So let's look more closely at privacy itself. Most individuals equate privacy with confidentiality. That is, if I merely keep my personal data confidential, then I have privacy.

In today's world that simply is not going to happen. As Scott McNealy, then CEO of Sun Microsystems, once said, "You have no privacy; get over it." McNealy took a huge amount of criticism over this statement, but perhaps he should have said "you have no confidentiality". Does anyone today really believe that they can keep their personal information entirely confidential?

In numerous interactions every day, we all give up some of our personal information, for example when shopping with a credit card or through government mandates we accept as necessary. While some people nevertheless have justifiable personal preferences about how much personal information they are forced to reveal, functioning within society requires some exposure of such information.

The real concern about privacy is not confidentiality, but access (implicitly leading to usage). In today's electronic society, the problem is who (or what government agency or commercial enterprise) has access to the personal information you have either willingly or reluctantly agreed to supply. The concern people have is that some government agencies and most commercial enterprises treat supplied personal information as surrendered - that is, as if you have given up all control over access to and use of that personal data.

Once supplied, personal information today can be accessed, aggregated, sorted and processed very easily. While many companies claim to have privacy policies governing how this supplied personal information will be used, those same companies invariably also reserve the right to change that policy at any time and without any prior consent - or even notice.

For most individuals, this lack of control over access to and usage of personal information after it has been supplied is the real privacy concern. Most people would have much less concern over this access and usage if they had an assurance over how their supplied personal data would be used, and by whom - whether by government for agreed upon security needs, or by commercial enterprises for agreed upon convenience or benefit in return.

The vast amounts of personal information available - and sought - today effectively mean that non-technical enforcement of access and usage is completely impractical. As information security professionals, our task should be to foster the development of system-enforceable privacy policies, governing not only what personal information can be collected, but how such information can be accessed and used (and audited) once collected - as well as protected from attacks and leaks while stored.

Tim Mather is chief security strategist for RSA Conferences.

