Security or Privacy?
Posted by Lance Koonce
We don't often do this on this blog, but since Kraig and I are both attending the same conference and listening to many of the same speakers, I thought I'd comment briefly about my take on the issue Kraig just raised about the yin and yang of privacy and security. While I agree that there is a tension between the two concepts, I've always focused more on the complementary aspects: the collection of personal data gives rise to a need for security measures to protect the stored information, and security measures that require high levels of authentication may require collection of personal data in order to function.
But note that we're talking about two kinds of security here. There's the security that needs to be in place for personal information that is collected for business or governmental purposes and stored in a database. But there is also security that's in place to protect sensitive information generally, whether it's trade secrets, financial data, military information, or - and here's the circularity that may cloud the issue - a database of personal information. What I mean is that there is security driven by the value to the data collector of the information stored behind the walls, and security driven by the value to the individuals who have contributed the information stored behind the walls. While the systems used to secure the data may be the same, the forces driving their implementation may not be, so when we lump these types of security issues together we may be creating a false tension.
David Brin has argued vigorously - both here at the conference and elsewhere - that in fact the politically-laden debate over giving up privacy for better security is a Hobson's choice, and that we ought to be able to demand both privacy and security, damn it. And in the abstract this is certainly true: if I want to build ten-foot-thick concrete walls around my home and patrol it with armed guards, well, then it's secure but it's also pretty private. And for security with a big "S", Brin is probably correct. But specifically with respect to security of personal information itself, collected for the very reason that it is valuable to the collector and will be exploited by that collector in various ways for financial (or societal) gain, I think the tension Kraig identifies likely will always exist.