We often like to say that in the information age “everything has changed”, but to what extent is the duality of privacy and security an age-old condition? And, perhaps more importantly, why should we care about privacy in the first place?
And crucially, as we delve into the relationship between security and privacy, what are the limits of privacy?
Information is needed in order to make decisions: the more information we have, and the more accurate and relevant it is, the better we can make decisions about both important and trivial matters.
Many mistakes, errors and disasters – whether they be personal, social, financial or industrial – are ultimately traceable to a lack of information. Therefore, it could be argued that ideally there should be no such thing as privacy. Certainly from a software developer's point of view, life would be much simpler if we could be totally transparent with data, but then there wouldn't be much need for a cyber-security industry.
However, information can be misused or misinterpreted, either accidentally or maliciously, and what's good for my personal security may not be good for that of the society of which I am a part.
Michael McFarland, a computer scientist and former president of the College of the Holy Cross in Massachusetts, USA, makes the point that there is a great deal of misunderstanding about mental illness and if it becomes known that someone suffers from a condition, it could lead to social exclusion or harassment. Or a person with spent criminal convictions may find it difficult to get a job if this information were widely known.
There is, then, an argument that this information should always be confidential but is this the case?
Andreas Lubitz, the pilot who crashed Germanwings flight 9525 into the Alps, had battled mental illness and suicidal thoughts for years, but this information – including the fact that he was signed off by his doctor on the day of the crash – was kept secret from the airline on grounds of patient confidentiality.
French prosecutor Brice Robin said that doctors told Lubitz he shouldn't fly but German privacy laws prevented them conveying this information to his employers. The sicknote that he was given on the day of the crash was found screwed up in a bin in his apartment.
In this case, it's clear that sometimes a person's mental state is everyone's business.
Drawing the line
While it's clear where the boundaries of privacy could have been drawn in the Lubitz case, it is less certain how society can codify a rule about when it's right and when it's wrong to disclose information against a subject's will – in other words, where to draw that line in general.
Any attempt to formalise a rule will quickly fall foul of exceptions and the need for interpretation. Subjective interpretation leads to inconsistencies and ultimately errors and a call to re-adjust the rule, ad infinitum.
Even hardened campaigners concede that privacy is not an absolute right. The question usually comes down to degree.
Recent events in Europe underscore the debate on privacy versus public safety. Some of the recent terrorist attacks in Europe were committed by people who operated with alleged impunity from the Molenbeek neighbourhood of Brussels containing many young, unemployed immigrants from the Middle East, a fraction of whom are attracted by jihadist ideology. Information about the perpetrators discovered after the fact, if it had been analysed, would have helped prevent the attack in the first place.
It is apparent that had information been shared more freely among the Belgian intelligence agencies and with their police counterparts it may have been possible to identify the perpetrators of the Paris bombings who went on to wreak havoc in Brussels.
It is also self-evident that the gathering of intelligence, including internet data, would have helped authorities join the dots and create a bigger picture of what was going on. Unfortunately, the data is highly perishable and unless it's gathered – in bulk – and stored, it's impossible to access and analyse when it's needed.
It is argued that individuals should accept a small intrusion into their privacy – the gathering together of the haystack, so to speak – to enable the authorities to search for the needle later. Surely this is a price worth paying to prevent mass casualties?