Security Plus Privacy

The Royal Academy of Engineering (in the UK) has just published a report: "Dilemmas of Privacy And Surveillance: Challenges of Technological Change" (press release here) where they argue that security and privacy are not in opposition, and that we can have both if we're sensible about it.

Recommendations

R1 Systems that involve the collection, checking and processing of personal information should be designed in order to diminish the risk of failure as far as reasonably practicable. Development of such systems should make the best use of engineering expertise in assessing and managing vulnerabilities and risks. Public sector organisations should take the lead in this area, as they collect and process a great deal of sensitive personal data, often on a non-voluntary basis.

R2 Many failures can be foreseen. It is essential to have procedures in place to deal with the consequences of failure in systems used to collect, store or process personal information. These should include processes for aiding and compensating individuals who are affected.

R3 Human rights law already requires that everyone should have their reasonable expectation of privacy respected and protected. Clarification of what counts as a reasonable expectation of privacy is necessary in order to protect this right and a public debate, including the legal, technical and political communities, should be encouraged in order to work towards a consensus on the definition of what is a 'reasonable expectation'. This debate should take into account the effect of an easily searchable Internet when deciding what counts as a reasonable expectation of privacy.

R4 The powers of the Information Commissioner should be extended. Significant penalties -- including custodial sentences -- should be imposed on individuals or organisations that misuse data. The Information Commissioner should also have the power to perform audits and to direct that audits be performed by approved auditors in order to encourage organisations to always process data in accordance with the Data Protection Act. A public debate should be held on whether the primary control should be on the collection of data, or whether it is the processing and use of data that should be controlled, with penalties for improper use.

R5 Organisations should not seek to identify the individuals with whom they have dealings if all they require is authentication of rightful access to goods or services. Systems that allow automated access to a service such as public transport should be developed to use only the minimal authenticating information necessary. When organisations do desire identification, they should be required to justify why identification, rather than authentication, is needed. In such circumstances, a minimum of identifying information should be expected.

R6 Research into the effectiveness of camera surveillance is necessary, to judge whether its potential intrusion into people's privacy is outweighed by its benefits. Effort should be put into researching ways of monitoring public spaces that minimise the impact on privacy -- for example, pursuing engineering research into developing effective means of automated surveillance which ignore law-abiding activities.

R7 Information technology services should be designed to maintain privacy. Research should be pursued into the possibility of 'designing for privacy' and a concern for privacy should be encouraged amongst practising engineers and engineering teachers. Possibilities include designing methods of payment for travel and other goods and services without revealing identity and protecting electronic personal information by using similar methods to those used for protecting copyrighted electronic material.
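As an added illustration of the authentication-versus-identification distinction in R5 and the "payment or travel without revealing identity" design goal in R7 (example code written for this page, not code from the report or the Academy), the script below contrasts two transit-pass designs checked by the same gate reader: one pass carries the holder's name, the other carries only a signed entitlement (zones, expiry) and a random serial. The operator key, zone names, passenger name and timestamps are constructed values.

```python
import hashlib
import hmac
import json
import secrets

# Constructed for this example: the operator's MAC key, shared by the issuing
# office and the gate readers. Not a real key.
OPERATOR_KEY = b"constructed-example-operator-key"


def _mac(payload: dict) -> str:
    """HMAC-SHA256 over a canonical JSON encoding of the pass payload."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(OPERATOR_KEY, body, hashlib.sha256).hexdigest()


def issue_identifying_pass(name: str, zones: list, expires: int) -> dict:
    """Identification design: the holder's name is inside the signed pass, so
    every reader that checks the pass learns who passed through."""
    payload = {"name": name, "zones": sorted(zones), "exp": expires}
    return {"payload": payload, "mac": _mac(payload)}


def issue_entitlement_pass(zones: list, expires: int) -> dict:
    """Authentication design (R5): the pass states only what the bearer is
    entitled to, plus a random serial so a lost pass can be revoked. No
    identity is signed, so no reader can learn one from the pass."""
    payload = {"serial": secrets.token_hex(8), "zones": sorted(zones), "exp": expires}
    return {"payload": payload, "mac": _mac(payload)}


def reader_check(token: dict, zone: str, now: int) -> dict:
    """One gate reader checking one pass. Verifies the MAC (constant-time
    compare) before trusting any field, then the expiry and the zone, and
    returns the log entry the reader would record. The entry copies the
    payload, which is exactly how identity placed in a token ends up in
    reader logs."""
    payload = token.get("payload", {})
    genuine = hmac.compare_digest(_mac(payload), token.get("mac", ""))
    admitted = (
        genuine
        and now < payload.get("exp", 0)
        and zone in payload.get("zones", [])
    )
    entry = {"zone": zone, "ts": now, "admitted": admitted}
    entry.update(payload)
    return entry


def demo(now: int = 1_175_000_000) -> dict:
    """Run both designs through one reader, plus an altered and an expired
    pass, and return the four resulting log entries for inspection."""
    day = 86_400
    id_pass = issue_identifying_pass("A. Passenger", ["zone1", "zone2"], now + day)
    ent_pass = issue_entitlement_pass(["zone1", "zone2"], now + day)

    log_identifying = reader_check(id_pass, "zone1", now)
    log_entitlement = reader_check(ent_pass, "zone1", now)

    # An entitlement pass whose zone list was edited without the operator key:
    # the MAC no longer matches, so the reader rejects it before reading zones.
    altered = {"payload": dict(ent_pass["payload"]), "mac": ent_pass["mac"]}
    altered["payload"]["zones"] = ["zone1", "zone2", "zone3"]
    log_altered = reader_check(altered, "zone3", now)

    # The same genuine pass presented two days later, after its expiry.
    log_expired = reader_check(ent_pass, "zone1", now + 2 * day)

    return {
        "identifying": log_identifying,
        "entitlement": log_entitlement,
        "forged": log_altered,
        "expired": log_expired,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Both passes admit the holder, but only the identifying design leaves a name in the reader's log; the entitlement design gives the reader nothing more than "a valid pass for this zone". Two caveats a practitioner would add: the serial makes repeated taps of one pass linkable to each other (though not to a person), so R7's full "without revealing identity" goal needs blind signatures or anonymous credentials rather than a plain MAC token; and because readers hold the same key as the issuer, a compromised reader could mint passes, which a public-key signature scheme (issuer signs, readers only verify) avoids.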

R8 There is need for clarity on the rights and expectations that individuals have over their personal information. A digital charter outlining an individual's rights and expectations over how their data are managed, shared and protected would deliver that clarity. Access by individuals to their personal data should also be made easier; for example, by automatically providing free copies of credit reports annually. There should be debate on how personal data are protected -- how it can be ensured that the data are accurate, secure and private. Companies, or other trusted, third-party organisations, could have the role of data banks -- trusted guardians of personal data. Research into innovative business models for such companies should be encouraged.

R9 Commercial organisations that select their customers or vary their offers to individuals on the basis of profiling should be required, on request, to divulge to the data subjects that profiling has been used. Profiling will always be used to differentiate between customers, but unfair or excessively discriminating profiling systems should not be permitted.

R10 Data collection and use systems should be designed so that there is reciprocity between data subjects and owners of the system. This includes transparency about the kinds of data collected and the uses intended for it; and data subjects having the right to receive clear explanations and justifications for data requests. In the case of camera surveillance, there should be debate on and research into ways to allow the public some level of access to the images captured by surveillance cameras.

The whole thing is worth reading, as is this article from The Register.

Posted on March 29, 2007 at 11:11 AM • 13 Comments

Comments

George • March 29, 2007 12:54 PM

Although we are not on a National Health Service program here in the USA, health insurance companies would love to have this access...

@The misuse of data

"Data may be misused in many ways. The examples above show how data may be misused as a result of being leaked. However, sometimes the misuse will be by someone who has legitimate access to a database: for example, a 'mole' inside the DVLA provided an animal rights group with information about friends, family and acquaintances of the owners of a guinea pig farm in Staffordshire, after being given the registration numbers of cars visiting the farm. It is not entirely absurd to imagine that supermarket loyalty-card data might one day be used by the government to identify people who ignored advice to eat healthily, or who drank too much, so that they could be given a lower priority for treatment by the NHS. Whether this should be considered a misuse of the data is debatable, but it would certainly constitute unwelcome 'function creep' for the individuals whose data were initially collected for wholly different purposes."

Clive Robinson • March 29, 2007 1:31 PM

@George,

"It is not entirely absurd to imagine that supermarket loyalty-card data might one day be used by the government to identify people who ignored advice to eat healthily"

Not in the least absurd, I have been banging on about this for some time.

If you think back some time ago, a large U.S. store had records of what was purchased by people. A man who had slipped on a wet floor and injured himself got around to trying to get compensation. His representative was told that he was probably a drunk, simply due to the fact that he bought beer in the store on a regular basis.

It is known that Tony Blair / Gordon Brown have approached Equifax for consumer and other information, primarily for the National / Passport ID people to make up applicant dossiers.

It has also seriously been suggested that the same data be used to assess the relative wealth of individual "micro" areas in an attempt to work out how much council tax (Land Tax) should be paid, so extending the idea would be relatively trivial.

After all, local Health Authorities (Primary Care Trusts) are known to currently ration resources to people who are deemed to be overweight or smoke too much if they do not "mend their ways" over a six or more month period.

Stephan Samuel • March 29, 2007 1:48 PM

A wise mentor once explained to me the difference between domain-specific knowledge of how to do things and abstract research for academic sake. Despite the fact that they're engineers, these folks seem to have done a smashing job of the latter. Their results are clear, reasonable, intelligent and target the specific issues without wasting time on implementation complexities. Now if we could only get someone to listen to this.

Fuzzy Wuzzy • March 29, 2007 1:59 PM

Loosely writing, "security" is defined by security policies and is measured by level of security policy adherence. But what is "privacy?" We could define it similarly, but I think the notion is even more fuzzy in most people's minds.

So, can security be complementary to privacy? It depends :-}

Invisible • March 29, 2007 3:28 PM

> It's an interesting read once you get past the scary photograph ;)

Those are infrared lights, if I'm not mistaken. Scary indeed.

Embittered • March 29, 2007 5:54 PM

Yes, it's an interesting article but does anybody seriously believe that our political masters care? I work with IT professionals yet whenever I raise privacy concerns, the response is almost always along the lines of "if you've nothing to hide, you don't have to worry". If people in IT don't get it, then what hope is there that privacy issues will percolate up from the public consciousness to popular political status?

Practically speaking, this report is like a candle in a storm at night.

Clive Robinson • March 30, 2007 4:33 AM

@Embittered

"Practically speaking, this report is like a candle in a storm at night"

Many a mariner's life has been saved by a candle on a stormy night guiding them to a safe harbour...

Unfortunately the "wreckers" also used candle lanterns on stormy nights to lure mariners to their deaths on rocks and beaches where they could then plunder the flotsam and jetsam that was the result of the wreck...

Which analogy would you prefer?

Embittered • March 30, 2007 1:31 PM

@Clive Robinson

"Which analogy would you prefer?"

Well it seems to me that the wreckers are government and big business. Also, nobody is bothering to protect the candles that could guide us to safety and privacy.

"plunder the flotsam and jetsam"

Yeah, that sounds pretty much like the state of our privacy (I am also from the UK)

http://news.bbc.co.uk/1/hi/uk/6108496.stm

What's All This Then? • March 30, 2007 2:04 PM

What we need is a mainstream blockbuster film to show the effects of indefinitely-stored, all areas data collection. Call it 'Permanent Record.'

Ominous Tagline -
"We all have something to hide from someone. You may not even know what it is...yet."

Bryan Feir • March 30, 2007 6:31 PM

@What's All This Then:

I'm reminded of the first season Babylon 5 quote:

"Everyone lies, Michael. The innocent lie because they don't want to be blamed for something they didn't do, and the guilty lie because they don't have any other choice."

Stephan Engberg • March 31, 2007 5:47 AM

There is lots of good stuff and many good considerations in this.

But clearly also many considerations that are almost naive in their approach.

For instance:

"R10 Data collection and use systems should be designed so that there is reciprocity between data subjects and owners of the system. This includes transparency about the kinds of data collected and the uses intended for it; and data subjects having the right to receive clear explanations and justifications for data requests. In the case of camera surveillance, there should be debate on and research into ways to allow the public some level of access to the images captured by surveillance cameras."

Great - so you are allowed to see what's on the surveillance camera in your bedroom. This will only have two effects - a) you can see how few rights you have and b) even more criminals can attack you.

We are only awaiting the first face-recognition-triggered assassination or terrorist bomb. It will come .. and the UK is the likely first place for it to happen with all this absurd "People love surveillance" propaganda.

Surveillance cameras and any sort of biometric identification are a last resort, as these create more abuse and crime than they remove. They have a role to play when the threat alert escalates, but not in ordinary everyday transactions, as people (the victims) have no defense against this kind of attack.

Surveillance cameras should, for instance, be physically blocked from filming until a non-invasive sensor (such as an infrared or acoustic sensor) has detected an emerging person who refuses to respond to digital challenges for authentication and authentication.

the other Greg • April 1, 2007 5:46 AM

Laws, rights and privileges which include the word "reasonable" are not defective. That is the most effective way to exclude the victims from the process of defining the extent of their oppression.


Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..