
Better Security Means Worse Privacy

If we ask people if privacy is important, we will undoubtedly get an enthusiastic “Yes!” It is explicitly mentioned in the United Nations’ Declaration of Human Rights.75 The consensus in law is that there is an implicit right to privacy embedded in the U.S. Constitution,76 and an explicit recognition in several laws. Europe has enacted major laws around privacy, the best known of which is the General Data Protection Regulation (GDPR); however, similar to security, no formal definition of privacy is widely accepted. It is recognized as contextual within time and society—different cultures have defined it differently over time.

Technology has also played a role in defining privacy and the violation of privacy. The invention of the window, the camera, and the telephone are all examples of how technological changes have privacy implications. Computing and networking continue to push boundaries in this regard. Many venues associated with cybersecurity are labeled as about “security and privacy,” making the association explicit.

The myth associated with this association is that increasing privacy protections reduces a system’s security and vice versa. This is certainly not the case! If we think about it, one of the primary drivers of cybersecurity is to support privacy: We want to limit access to private information.

The myth comes about because there are cases where the most straightforward or cheapest solution to a security problem involves reducing privacy. For example, if we want to reduce the chance of phishing, we would examine and store copies of all emails coming into the enterprise. We have a better chance of catching phishing links at the expense of email privacy. This fails to acknowledge that there are other methods, including methods that allow us to use the power of computing to enhance security and preserve privacy. For example, we can automatically rewrite URLs in an email to neuter them without having to keep a record or have anyone read the contents.
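The stateless URL rewriting described above, shown as an added example that is not from the book: a Python filter that defangs every link in a message's text parts in one pass and retains nothing. The function names, the defanging notation (`hxxp`, `[.]`) and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage

# http/https URLs, ending at whitespace or a quoting/bracketing character.
URL_RE = re.compile(r"\bhttps?://[^\s<>\"')\]]+", re.IGNORECASE)

def defang_url(url):
    """Return a non-clickable form: hxxp(s)[://]host[.]tld/path."""
    scheme, rest = url.split("://", 1)
    host, slash, path = rest.partition("/")
    scheme = "hxxp" + scheme[4:].lower()  # http -> hxxp, https -> hxxps
    return scheme + "[://]" + host.replace(".", "[.]") + slash + path

def neuter_message(raw):
    """Rewrite every URL in the text parts of one RFC 5322 message.

    Stateless by design: nothing is logged, stored, or returned except
    the rewritten message itself, and no person reads the content.
    """
    msg = message_from_string(raw, policy=policy.default)
    for part in msg.walk():
        # Skip multipart containers, binary parts and attachments.
        if part.get_content_maintype() != "text" or part.is_attachment():
            continue
        body = part.get_content()
        rewritten = URL_RE.sub(lambda m: defang_url(m.group(0)), body)
        if rewritten != body:
            part.set_content(rewritten, subtype=part.get_content_subtype())
    return msg.as_string()

def sample_message():
    """Constructed sample: a plain + HTML message carrying one link each."""
    msg = EmailMessage()
    msg["From"] = "billing@sender.example"
    msg["To"] = "user@corp.example"
    msg["Subject"] = "Invoice overdue"
    msg.set_content("Pay now: https://login.pay-portal.example/verify?id=42\n")
    msg.add_alternative(
        '<p>Pay <a href="http://login.pay-portal.example/verify">here</a></p>\n',
        subtype="html")
    return msg.as_string()

if __name__ == "__main__":
    print(neuter_message(sample_message()))
```

The recipient can still see where each link pointed, but the mail gateway holds no copy of the message and no per-user record of its links.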

There is not an automatic trade-off of privacy for better security. Adding logging or surveillance is not always the only way to address an issue, although it is often the cheapest and fastest way to do so. “Fast and cheap” often results in incrementally less privacy for the user community. Privacy is important. People should have the opportunity to give informed consent to when, how, and if their privacy is being reduced to use a system. Public pushback on cookies and online advertising is an example of growing awareness of these issues.

People who work in cybersecurity should protect privacy when they can, not reduce it. When presented with restrictions, such as those imposed by the GDPR, it should be a matter of professional duty to find ways to support them rather than circumvent them.
