The Relation Between Privacy and Security


Robert Sloan and Richard Warner

This course focuses on security and privacy. In the case of privacy, we limit our scope in two ways. First, we focus exclusively on non-governmental threats to privacy. The governmental threat is increasingly worrisome; however, the chorus of concern in that case is large and strong, and the threat from private business merits consideration on its own. Second, we consider only informational privacy. Informational privacy consists in the ability to control what information others collect about one, and how they use that information. The greater the ability, the greater the degree of privacy. Computer technology and the Internet have greatly reduced that ability.

What is the connection between privacy and security? The answer is that online security is essentially a matter of preventing unauthorized access to information while ensuring authorized access. A consideration of privacy is, in many cases, essential to explain how we distinguish (or, better, should distinguish) between authorized and unauthorized access. Consider health information. What information should be secured against unauthorized access, and how secure should it be? The answer depends in part on what information should have what degree of privacy. This may nonetheless seem counterintuitive to those who think of security violations as being the misappropriation of information by an unauthorized outside intruder, and of privacy violations as resulting from the mishandling of information by a party who has authorized access to it. The outsider, however, may violate privacy depending on what information was misappropriated and how it was used; and the insider violates security if there were (or should have been) protocols in place to guard against the mishandling of the information. Of course, there are cases in which privacy considerations drop to a minimum. An outsider who hacks into a network and misappropriates trade secrets is better described as doing just that—misappropriating trade secrets—rather than as violating privacy. We tend to focus more on the health-information-type cases, as that is where the controversy over how much security should be required is the most intense.

In these cases, we contend that making the distinction between authorized and unauthorized access requires norms that define a distinction between public and private, and that a sufficient body of such norms does not currently exist. The need for norms is a unifying theme running through the course. We emphasize that norms will inevitably evolve and, once established, will be very hard to change. We are in that brief period of time during which the norms will be established. As the security expert Bruce Schneier notes:

History will record what we, here in the early decades of the information age, did to foster freedom, liberty, and democracy. Did we build information technologies that protected people’s freedoms even during times when society tried to subvert them? Or did we build technologies that could easily be modified to watch and control? [1]

[1] Bruce Schneier, Risks of Data Reuse, CRYPTO-GRAM, July 15, 2007, http://www.schneier.com/crypto-gram-0707.html.
