Cybersecurity and data privacy are two sides of the same coin. Privacy is a luxury without the security of the holding systems, and security cannot be enforced whilst a persons’ privacy is compromised. There is a good deal of confusion about the interplay, rights and responsibilities between the actors in this area.
Security is defined as (OED): ‘The state of being free from danger or threat’
Whereas Privacy is defined as: ‘A state in which one is not observed or disturbed by other people’
Security and Privacy both address fundamental human needs as described in Maslow’s hierarchy of needs (Maslow, 1943). Security focused practitioners would argue that cybersecurity fulfils a more fundamental ‘Safety’ need than that of Privacy, which would fulfil the higher needs of ‘Love, Friendship and Belonging’.
It could be argued the relative importance and merits of security and privacy can explain some of the cultural differences between the balance of security and privacy in different societies. The needs of people in Syria are more focused on safety whereas people in (say) the UK are generally assured of safety and rely on the maintenance of privacy to ensure the health of their relationships, personal and professional. In times and situations of danger security takes precedence over privacy.
Cyber protection and legislation in the US since 9/11 has largely focused efforts on the security (and surveillance) aspects of the debate, and in Europe the debate has become increasingly focused on the rights of the individual to privacy (and freedom from surveillance). Privacy in cyberspace has been a right that is considered contingent on the provision of security rather than a fundamental right in itself. Privacy is not enshrined in the many older constitutions as 18th century legislators thought it ungentlemanly to eavesdrop on their neighbours. The right to privacy in past times was implied rather than explicitly stated. This situation is interesting, as (arguably) the US has most to gain from stricter privacy respect, and Europeans have more to gain from increased security.
On the one hand are the needs of civil order and protection from harm, as advanced by law enforcers and legislators, and on the other is the view of the privacy protectors who believe that freedom of expression is empowered by having the right to a private life, including all the messy contextual compromises around legislative boundaries, the right to be forgotten and freedom of information requests.
Moving Security Perimeters
The creeping of security boundaries into the area of privacy through technologies like Mobile location mapping, smart CCTV and cross platform relationship mapping (Data mining) has paradoxically lead to an increased feeling of insecurity for consumers, and this is ultimately leading to private citizens having a growing distrust of digital interactions, and a sense of being watched. My CBiS colleague Mark Sallos has blogged on this subject here.
Unlike governments or companies, consumers are not a homogenous group of actors, and they display variation in the acceptable intrusion into privacy. Many users are willing to allow a degree of privacy compromise in order to take advantage of the benefits that the large scale data mining brings (health research, location based services, or product recommendations). Some technically adept users are moving towards the surveillance culture themselves, as seen in the growth of citizen data scientists, wearables adoption and the Internet of Things ‘maker’ culture.
Privacy aware users argue that there is no ownership or ethics governing their personal data that is being collected, aggregated and used in ways that they do not consent to. This is one of the problems that underpins personal insecurity, when companies use psychometrics to make inferences about our sexual preferences and religion based on the kinds of posts we ‘like’, the friends we make or people we follow the notion of consent is bypassed.
Users cannot easily give permission to personal information disclosure when they did not know that they were disclosing.
Society and the empowered individual
The utility of personal data is different at different levels of analysis. At a societal level it is necessary to protect the safety and security of citizens, yet at the interpersonal level control over what is disclosed is important in our social relationships with others.
Users seek to retain control over disclosure by disguising or fracturing their online presence, in order to maintain the information barriers that are necessary to sustain healthy relationships. However, this misinformation is then utilised by providers to draw conclusions about the kinds of people that we are.
Social media platforms also make it difficult for users to know what permissions they are giving and how their data will be used. This threatens to stifle personal freedom of expression as users become less inclined to post about the things that are important to them. Thus, distrust in Big Data is modifying user behaviour. Privacy does not mean secrecy, but demands a confidentiality and discretion that big data providers do not always respect.
Conversely, as the realm of security has expanded, with ever greater and more comprehensive data sets being compiled on the digital citizen there is concern that cybersecurity measures to secure the datasets may not be strong enough. Immense and highly personal data breaches from the public and private sector responsible for citizen security have met with protests from citizens and (delayed) action from government and regulators.
In what may be an example of Simpson’s paradox in action, the stronger the support for security in society, the less secure many individual citizens are feeling.
The GDPR and Privacy Impact Assessments
Data Centric Information Security
Well said. In the US data privacy laws favor the collector of the data rather than the source of the data. I wonder how things would be if that were swapped?
LikeLiked by 1 person