Julian Sanchez on Balancing Privacy and Security

From a blog post:

In my own area of study, the familiar trope of "balancing privacy and security" is a source of constant frustration to privacy advocates, because while there are clearly sometimes tradeoffs between the two, it often seems that the zero-sum rhetoric of "balancing" leads people to view them as always in conflict. This is, I suspect, the source of much of the psychological appeal of "security theater": If we implicitly think of privacy and security as balanced on a scale, a loss of privacy is ipso facto a gain in security. It sounds silly when stated explicitly, but the power of frames is precisely that they shape our thinking without being stated explicitly.

I've written about the false trade-off between security and privacy.

Posted on February 11, 2011 at 12:48 PM • 24 Comments

Comments

Rob K • February 11, 2011 1:24 PM

Privacy *IS* security. Any violation of privacy is a violation of security by definition.

Brandioch Conner • February 11, 2011 1:41 PM

And, once again, we need more words in order to have this discussion.

A loss of personal privacy (word?) should also result in a loss of personal security (word?).

A loss of personal privacy does not equate to an increase in "the security of other people" (word?).

Anyone got better words for those concepts?

time flies like a banana • February 11, 2011 3:23 PM

I thought that was a very interesting blog. I tend to see these issues in terms of the false "quantification" of the essentially "qualitative". I suppose that people like to quantify because they feel on solid ground with quantity and cannot fathom how they can use quality as the basis for authoritative decision making - or as a justification.

I could understand it to an extent because when I try to argue in these terms I always lose the argument, because I can't quantify what I'm talking about. Julian has got around this with the concept of a shared quantitative axis that is "lacking" (without going into why it is lacking), which is a cute strategy.

mcb • February 11, 2011 3:31 PM

Privacy can be both an element of security and a result of effective security.

Can privacy be the result of obscurity, secrecy, or anonymity? If so, that sort of privacy may not be the same thing as security.

Are there any circumstances where limitations on individual privacy can be justified in the interest of collective security?

Clive Robinson • February 11, 2011 3:35 PM

As has been found with research on attitudes to climate change there is an interesting problem.

People take on a "Blind Faith" viewpoint usually based on some half remembered "mumbo jumbo".

Importantly no matter how reasonable and patient you are at explaining things they will at best only take away that part of your argument that reinforces their viewpoint. At worst they will develop an extreme enmity towards you and treat you as a crackpot or heretic.

Oddly it appears that instead of being reasonable and patient, if you lay into them verbally using completely irrational argument and belittle them very personally and become a screaming demagogue they will respect your opinion far more...

Why this should be I do not know but it might explain why being right about something makes you a target.

Thus having won over the Open Minded moderates perhaps it is time for Bruce to become more strident and less coherent over "Security Theater" for the more "dyed in the wool" types.

Mary Morshed • February 11, 2011 6:16 PM

Security's job is to protect things.... like privacy. I don't see them on opposite sides of the balanced scale.

I do see security on the other side of the scale from "ease of use" or "access."

Just my two cents.

Imperfect Citizen • February 11, 2011 7:20 PM

Bruce, your comments in your book about people needing privacy in the bathroom, the bedroom etc. were so appropriate. I don't think anyone realizes because so little is out there about what happens to people who are being "watched". You can't imagine the horror of having your privacy violated so casually until you are targeted. Bruce, you were right about privacy, please don't back down ever about it. I hope one day the stories of people watched under this warrantless surveillance business will be publicized. I still can't believe that our government would do this to innocent people and with all the tightening of budgets my observation continues and observers shrug and laugh like this is really stupid. It's really tragic. You can't imagine, and I hope you never know, what it is like to hear total strangers talking about what is in your car, what is in your house, what their "take" is on why you are still being watched, if there's something suspicious about you wearing a sweater when you have a summer cold. It's a terrifying and humiliating experience. What's worse is it's absolutely destructive to community, try and raise a kid with a terrorist label on the family.

panÓptiko • February 11, 2011 7:35 PM

Thanks for the highly interesting posts, and your original work.

One straight question: you open your book "Beyond Fear" stating that security implies tradeoffs. Aren't these tradeoffs unavoidably linked to privacy?

You write the problem is to link security to identity, but won't any security measure be instantly associated with identity?

I suppose I have to read more. All the best,

Richard Steven Hack • February 11, 2011 8:49 PM

Privacy is fundamentally "concealment". The Japanese ninja made concealment a fundamental security requirement. Concealment is a fundamental aspect of security. Any security which is not also concealed can be defeated. But if you don't know it's there it's harder (if not impossible) to defeat it. This is not "security through obscurity", by the way. That refers to an inadequate security measure which is kept obscure so its inadequacy is not obvious.

There is a fundamental human requirement for privacy because of our primate natures. Humans view other humans as possibly dangerous competitors, and certainly as entities with the power to judge us. Therefore it is imperative that we have the ability to conceal our behavior that we think would be judged negatively. And we can not be sure what behavior that is, so the more privacy we have, the safer we feel.

At the same time, precisely because we are afraid of being judged - and thereby possibly subjected to harm - by our fellows, we also demand security. We fear terrorists precisely because we feel they are judging us and have the means to harm us as well.

So the two are deeply interlinked on an emotional level, not a rational one.

A completely rational entity would have no fear of being judged and no fear of being harmed - only an awareness of and a rational response to actual danger. But humans are not completely rational entities. Humans are CAPABLE of conceptual reasoning - but it's not their normal state. This is where Ayn Rand went totally wrong. As William S. Burroughs once wrote, the human species are like certain species who are caught between one evolutionary stage and the next.

Human primate nature is also the reason for the effect Clive mentions. Humans have a hierarchical relationship among themselves. There are alphas and betas. The more you behave like an alpha - belligerent, powerful - the more likely you are to sway a beta to your position. Of course, this doesn't work with other alphas, it just starts conflict.

Privacy and security are not in conflict on a personal level. They are only in conflict on a public level because the state makes it so. As long as humans delegate their personal security to the state instead of taking personal responsibility, this situation will remain.

mw • February 12, 2011 5:33 AM

When analyzing flaws of the security and privacy tradeoff, we shouldn't blur the distinctions between loss of privacy to the 1) government, 2) corporations, and to 3) individuals. I doubt many people believe that loss of privacy to corporations or individuals enhances their security, and I hope that many people understand that loss of privacy to the government decreases their liberty.

Tanuki • February 12, 2011 1:15 PM

This is a deep and pervasive justification for the whole idea of having multiple and non-congruent online identities.

It's not that hard to achieve. And it's worth the effort.

Dirk Praet • February 13, 2011 5:31 AM

The zero-sum concept makes perfect sense in a society where security doesn't stand for safety but for control over the masses by governments and corporations working together to increase and perpetuate their power over the little people.

@ Clive

"Oddly it appears that instead of being reasonable and patient, if you lay into them verbally using completely irrational argument and belittle them very personally and become a screaming demagogue they will respect your opinion far more..."

For a long time, sales reps and politicians have understood that you don't win people over by rational arguments, but by emotion, assertiveness and repetition. I once took a free course in selling life insurance at a well-known German company where the general message was that in order to be successful you needed to focus on the more emotionally inclined partner when dealing with a couple, using emotional rather than rational arguments. The best example I've ever seen in my IT career was a big customer presented with hardware tenders from HP, IBM and Sun. They eventually went for the Sun solution because both IT manager and engineering crew were absolutely thrilled by the cute blue lights and the fluorescent front panel of the equipment. I've given up on rational sales ever since.

rlssec • February 13, 2011 6:00 PM

Security means 'protection from interference'. Invisibility is 'resistance to selection for interference'. Invincibility is 'resistance to the interference, itself'. Security = Invisibility + Invincibility. Privacy means 'invisibility resulting from social norm'. ANY reduction in invisibility (of any type) that isn't counterbalanced by a corresponding increase in invincibility is always, necessarily a reduction in Security. The proper question is, therefore, "whose Security is to be improved by my loss of invisibility?" because, by definition, the person giving up the invisibility will never receive a resulting increase in Security.

w • February 13, 2011 8:51 PM

@rlssec, can you be invisible in this day and age?
It would take someone to look (meta) in someone's direction to find them.
How would you increase and still be in a society?

HJohn • February 14, 2011 9:26 AM

I think much of it depends on the situation. Privacy is largely security against government, and for the most part, an increase in privacy increases our safety.

There are some exceptions, provided they don't go too far. One such exception that comes to mind is license plates on cars. Surely we would have more privacy if cars did not have license plates and there was no registration. However, the license plates give the authorities a mechanism for identifying vehicles and likely drivers (they also give a mechanism for charging outrageous fees, but that's a side issue). We have less privacy, but for the most part we have more security... someone stole a radio from my car a few years back and I got my radio back because a co-worker wrote down the license plate number, and this would be even more important if it were a hit and run felony.

There is a limit to how effective this is though. The government can collect far too much information on far too flimsy grounds, and its end use is seldom what people were told to get them to go along with it.

For example:

License Plates = Good privacy and security trade off.

TSA = Bad privacy and security trade off.

2 cents.

anonymous • February 14, 2011 2:41 PM

"Privacy is largely security against government, and for the most part, an increase in privacy increases our safety."

No, it is not!
Privacy is also very much security against corporations and other organizations and other people.

Rookie • February 14, 2011 4:14 PM

@HJohn "Privacy is largely security against government..."

As defined by whom? I believe people need privacy at all levels. Privacy from co-workers, peers, friends, parents, police, banks, colleges, garbage men, the military, neighbors, your boss, your doctor, your spouse, and yes, the government.

We are all willing to give each of those parties varying levels of access to our private life, but react when any of those entities gets access to data about us we don't want them to know.

The anarchists (among many others) who hold Assange up as a hero for blurting everything everywhere and say "data should be free" would, I suspect, be less enthusiastic if it was all the data for their entire life poured out for the world to see.

HJohn • February 14, 2011 5:02 PM

@anonymous at February 14, 2011 2:41 PM: "Privacy is also very much security against corporations and other organizations and other people"

@Rookie: I believe people need privacy at all levels. Privacy from co-workers, peers, friends, parents, police, banks, colleges, garbage men, the military, neighbors, your boss, your doctor, your spouse, and yes, the government.
_____________

If you read what I said, I said "Privacy is largely security against government." I did not say "Privacy is exclusively security against government." Of course it is against other entities as well, I mostly single out government in the context of them being the lawmakers.

Best,
HJohn

Clive Robinson • February 14, 2011 6:00 PM

@ HJohn,

"Privacy is largely security against government."

Yup.

The way I look at Privacy and secrecy is slightly different to most, in that I see them as an attribute not of an individual but of the role an individual has.

An individual has many roles in life, in fact so many it begins to be difficult to count them all.

Usefully deciding what needs to be kept secret or private and from whom and who should have access is a good way to characterize a role.

For instance, with regard to your medical records you can quickly see you have a role as a "patient" but also for some a secondary role as an "insurance claimant".

But if you look a little further at the "patient" role you discover that you can and often do have multiple roles as a patient.

For instance the nurse you see to get your holiday vaccinations does not need to know very much about your medical history thus you reveal only a limited set of information to her.

However if (God forbid) you have your own consultant oncologist, you reveal a great deal more not just about your medical history, but work life, personal life, etc as a necessary part of the diagnostic process.

Thus an individual's role can be seen as almost a relationship and as such has good and proper reasons to have limits on the amount of information that "it is proper to exchange".

Where the Government (amongst others) goes badly wrong is the desire to break down the barriers between an individual's roles and thus make information available that is improper to many (if not all but one) roles. It can easily be seen that whilst information may be properly divulged in one role it is highly undesirable in others (for instance does an inspector of taxes need to know you had "cradle cap", "cold sores", mumps and glandular fever at various points in your life and are currently receiving treatment for ingrowing toe nails? I suspect not).

A big chunk of this problem is the "single identifier" that is your Social Security Number. It effectively identifies you as the individual not the role you have in a particular relationship.

In this respect "role identifiers" are like passwords, where reuse is considered harmful.

anotherGreg • February 15, 2011 12:12 AM

Clive Robinson at February 11, 2011 3:35 PM
"Oddly it appears that instead of being reasonable and patient, if you lay into them verbally using completely irrational argument and belittle them very personally and become a screaming demagogue they will respect your opinion far more..."

If you listen to Tea Partiers or TV Evangelists, they obviously believe screaming works. Drill sergeants, SWAT teams, and tinpot dictators are taught to scream, and there is considerable anecdotal evidence to suggest that it works, well enough, for them.

time flies like a banana at February 11, 2011 3:23 PM
"when I try to argue in these terms I always lose the argument, because I can't quantify what I'm talking about."

Perhaps that is why you are taught to argue that way. As others have suggested, things are called qualities because they are not quantities, i.e. they cannot be quantified. Your oppressors have doubtless asserted, without proof, that qualities are excluded from proper arguments... and they have probably fibbed about their quantifications, too.

HJohn • February 15, 2011 7:55 AM

@anotherGreg: "If you listen to a Tea Partiers or TV Evangelists, they obviously believe screaming works. "
__________

Is there any statement that can be made that somehow be twisted to a political insult against some group?

*shakes head*

Daniel Ferrer • February 15, 2011 11:31 AM

On your personal privacy issues you need to do a lot more anthropological studies before you make sweeping claims about security and "humans". The use of words like society just suggests you are just thinking about a few of the so called "developed" nations.

When you write:
"Humans have a natural propensity to trust non-kin, even strangers. We do it so often, so naturally, that we don't even realize how remarkable it is. But except for a few simplistic counterexamples, it's unique among life on this planet. Because we are intelligently calculating and value reciprocity (that is, fairness), we know that humans will be honest and nice: not for any immediate personal gain, but because that's how they are. We also know that doesn't work perfectly; most people will be dishonest some of the time, and some people will be dishonest most of the time. How does society -- the honest majority -- prevent the dishonest minority from taking over, or ruining society for everyone? How is the dishonest minority kept in check? The answer is security -- in particular, something I'm calling societal security."
