In defense of privacy

The long view of security strategies for your network.

Today I'd like to discuss a fundamental principle that security specialists have to deal with all the time but which has a much broader social significance than discussions of, say, firewalls: privacy.

Have you ever heard anyone say something like, “Government ‘invasion of privacy’ does not matter to me; I have nothing to hide.” A more extreme position is, “People who get really hung up on privacy issues are probably hiding something.” That quotation from a graduate student came in an online discussion in one of the classes I taught this summer.

Taken at its simplest level, the statement could be true: Privacy does indeed consist, in part, of confidentiality. Confidentiality implies selective sharing of information - allowing some people to know particular information about you and others not to. Privacy also implies control over information - the power to determine whether others will share information about you, with whom and for what purpose.

To continue reading, register here and become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in.

Today I'd like to discuss a fundamental principle that security specialists have to deal with all the time but which has a much broader social significance than discussions of, say, firewalls: privacy.

Have you ever heard anyone say something like, “Government ‘invasion of privacy’ does not matter to me; I have nothing to hide.” A more extreme position is, “People who get really hung up on privacy issues are probably hiding something.” That quotation from a graduate student came in an online discussion in one of the classes I taught this summer.

Taken at its simplest level, the statement could be true: Privacy does indeed consist, in part, of confidentiality. Confidentiality implies selective sharing of information - allowing some people to know particular information about you and others not to. Privacy also implies control over information - the power to determine whether others will share information about you, with whom and for what purpose.

Unfortunately, that second position usually has the unspoken word “BAD” tacked on to the end: “…probably hiding something BAD.”

It's hard to counter that kind of generalization. Everyone can think of scenarios in which criminals, cheaters and terrorists have something to hide. I remember my amazement as 250 black-clad, self-described anarchists at a criminal hacker convention in 1993 shouted in unison, “INFORMATION WANTS TO BE FREE.” Apart from the vision of a bunch of anarchists doing anything in unison, what seemed incongruous was that these people studiously used pseudonyms to protect their own privacy while abusing other people’s privacy.

But protecting privacy may mean that people are the good guys. For example, there are many places in the world where governments are justifiably described as criminal conspiracies. Just go to any human-rights group Web site to find examples of governments (or anti-government groups, for that matter) that suppress people’s rights to freedom of speech, assembly, habeas corpus, religious expression, education or medical care, and you will find innocent people who are afraid of their own governments, of corrupt law enforcement agents, of ruthless revolutionaries or of outright criminals who support or oppose the status quo. Under these circumstances, don't you think that anonymity and secrecy might be the hallmarks of people hiding something good?

In our own country, there was a time a few decades ago when some government agencies treated protesters against American involvement in the Vietnam War as enemies of the nation, and the president’s office kept an enemies list consisting largely of people who had criticized the president. Today, the U.S.A.P.A.T.R.I.O.T. Act (please don’t pronounce it the way the propagandists want you to) allows police to obtain lists of books borrowed by named individuals from libraries or bought from bookstores - and a gag rule preventing librarians or booksellers from discussing these demands. To obtain a warrant for such an invasion of privacy, police need merely assert compelling need but no longer have to provide grounds to a judge showing probable cause for the demand. Couple this kind of legislative change in fundamental principles of common law with the ability of administrative officials to imprison American citizens without charge, without evidence, without recourse to legal proceedings, and without limit, and can you wonder why innocent people who disapprove of the current administration’s policies might get a little nervous?

M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services and teaching. He is Chief Technical Officer of Adaptive Cyber Security Instruments, Inc. and Associate Professor of Information Assurance in the School of Business and Management at Norwich University. Visit his Web site for white papers and course materials.