Privacy vs. Security
The AFCEA Global Intelligence Forum was scheduled for this June but given the ongoing debate in Congress on the conference topic and the FY13 budget uncertainties, the event has been postponed. Nevertheless, they have proposed some interesting questions:
• What does it mean to be a citizen of the information nation?
• Who are the protectors of that nation and what is the appropriate balance between personal privacy and public security?
• Is the choice between security and privacy a false one? Can technology itself enable safe and secure citizenship?
• Who and how should the ethics of information technology be determined? How does the next generation – the generation of cyber “citizens” – view the issue of privacy and security?
It is easy to believe that there are more questions than answers but that is not a particularly useful ground to stand on for analysis. Let’s explore these questions.
What does it mean to be a citizen of the information nation?
Are we considering a nation built around the rights and responsibilities of people with respect to information? First, we need to clarify the term ‘nation’ (classically, a politically organized body of people under a single government). This suggests a full complement of social mechanisms that need to be in place to ensure compliance with society’s common interests. If we consider these mechanisms to include moral pressures, reputational pressures, institutional pressures and security controls, then we have a dilemma. To what are we going to apply these mechanisms? Moral, reputational and institutional controls can only be applied to citizens themselves. Information does not have morals, nor does it care about the relationships among people. While we can apply security to information itself, it can only be done with respect to the personal, social and/or economic value that people associate with that information.
Are we actually going to suggest that information itself is the social and political glue that binds people together or is it just a tool? That is certainly a great segue into the next question.
Who are the protectors of that nation and what is the appropriate balance between personal privacy and public security?
This is what happens when you declare a nation. You now have to build a set of institutions to enforce compliance. We all know that compliance is never absolute and there will always be defectors from the common interest, so we need to understand just what level of defection is acceptable. I don’t think we can do this for information in the aggregate. We need to recall that information is “data within a context”. This context is applied by the people who share it. Information in the context of experience is knowledge and knowledge extrapolated forward for prediction is intelligence. Intelligence applied to society toward the common good is wisdom. So, what are we protecting, data, information, knowledge, intelligence or wisdom?
The dilemma as stated is “privacy vs. security”. Humans are a networked species. We require information exchange to exist. Remember “no man is an island,” but we need to have control of what information we exchange. Let’s consider a scenario.
A catholic parishioner goes to confession specifically to divulge things about him that would be very socially compromising. Why does he do it? Because there are several enablers in place that provide confidentiality. First, it is just him/her and one other person. Second, that other person has moral and reputational pressure, as well as institutional pressure, placed on him not to divulge the information. Because of these pressures, the parishioner has a high level of trust that what he says will not leave the booth. Would he/she feel the same if they knew that the confession was being recorded? I think not. Once recorded, there is no assurance that unintended parties will not gain access to the information. These other parties are not likely to have the same moral, reputational and institutional pressures against divulging the content. So, what is the lesson here? It is simply that the form that information takes is important and people need to control the authorization chain with respect to information about them. We do not currently have the technology to do such a thing.
Is the choice between security and privacy a false one? Can technology itself enable safe and secure citizenship?
Privacy does not equal security. We are constantly weighing our privacy needs against the need to elicit cooperation from others which requires the exchange of information. Sometimes we are more secure when we are isolated and sometimes our security depends on the cooperation of others. The cooperation of others is not evoked without the exchange of information. We are not choosing between privacy and security, we are choosing between privacy and cooperation.
Citizenship is a complex web of trust and cooperation among people otherwise known as a risk equation. Trust relationships are built on a combination of moral, reputational, institutional and security measures that provide an “acceptable level of trust” that enables any given society. We cannot have “safe and secure citizenship”. There will always be a percentage of defectors given the many conflicting interests embodied within any social group. The best we can have is a level of trust reflected as risk. Technology is simply one tool in providing security measures that reduce the risk to a tolerable level. Nothing we do as citizens is safe and secure. Life is dangerous and we know it to be a zero sum game in that, eventually, we all lose. As humans, we don’t necessarily weigh risk logically. We take huge risks like driving automobiles. We regularly amplify that risk by driving less carefully than we should in order to get to work on time. We could reduce that risk by automating highways so that speed, spacing and congestion were absolutely controlled, but I haven’t run into too many people who like that idea. Clearly, the concept of “safe and secure” is relative from person to person.
Who and how should the ethics of information technology be determined? How does the next generation – the generation of cyber “citizens” – view the issue of privacy and security?
Finally, this is the ultimate question. As in all nations, citizens have to decide how they will be governed. This is particularly true in large complex nations like ours. It ultimately comes down to people. Perhaps we are acknowledging in this discussion that societies are converging as globalization drives common interest across pervious national borders and this common interest is a “new nation”. As stated earlier, we cannot apply ethics (moral and reputational pressures) to information. Only people suffer consequences of risk. Logically, it would be an extension of the institutions that we have in place such as the FCC (Federal Communications Commission) to enforce policies that promote greater cooperation and penalties that drive less defection.
The technology challenge is, as I have frequently held, to provide the mechanisms for people to control the authorization chain on information about themselves in concert with institutional policies that will promote trust across society and enable cooperation toward the common interest. It is not an absolute exercise any more than any other aspect of societies or nations. Trust is the only way people move forward.
What’s it all mean?
Information is indeed a powerful tool in achieving group prosperity. It is the enabler of all social interaction that can be imagined from the most primitive exchanges of “how to” to the global reach of resources such as Google, YouTube, Facebook and Twitter. The human propensity to use information to “defect” from the common interest of society in favor of short term, individual advantage will certainly have leverage commensurate with the power of these tools. But that cannot deter us from engaging them within ever-increasing complex policy structures and pursuing technologies offering greater control.
There will always be more questions than answers and answers are never absolute. They evolve as inputs to other questions and so it goes. I agree with AFCEA’s assertion that it is “past time” to begin a national dialogue aimed at exploring theses questions. Given the international nature of information technology and its institutions, it should actually be an international dialogue. We cannot let the passions of national pride and cultural interpretations of well being become the determining factors in our toolset in this domain of expertise anymore than we can let those factors determine our interpretation of the laws of physics or math.