It was only a handful of months ago that I joined in the chorus for better Cybersecurity. After all, we’re in the midst of a Cyberwar, with attacks coming from all quarters. But then there was Edward Snowden, revealing how the Cybersecurity sausage is made at the NSA. Now everybody is up in arms about privacy. And what’s going to suffer? Cybersecurity!
This interplay between privacy and security concerns takes place in many aspects of our lives. After 9/11, Congress passed the PATRIOT Act, reducing privacy in favor of increasing security – and in large part, the US public was OK with the law. Or at the very least, we understood why we might need such a restriction on our constitutional rights. Bitter medicine, maybe – but our illness was worse.
We run into this tradeoff every day we fly. When the TSA inspects our baggage – or our bodies – we give up privacy in exchange for security. We grumble, sure, but we understand the necessity. And when we do get upset, it’s because the TSA is being unfair or unreasonable, not because we don’t think they should be inspecting travelers.
Of course, if you don’t want to get your privates prodded by the TSA, you can simply avoid flying. Air travel is a privilege, not a right, after all. Nobody is forcing you to go through security. You always have the option of simply turning around and taking a bus instead.
Does the same reasoning apply with Cybersecurity? If you don’t want the NSA or law enforcement inspecting your emails, then don’t send emails. If you don’t want someone snooping around your phone call records, then don’t use the phone. If you don’t want someone to know your Google search history, then don’t use Google. After all, using the Internet is a privilege, not a right.
But wait, you say – the Fourth Amendment states “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated” – a clause that the Supreme Court has interpreted as a right to privacy. Furthermore, the Founding Fathers put the word “papers” in there, paper being the primary medium for storing and transmitting information at the time. Our emails, phone calls, and Web histories are the 21st-century version of our “papers,” right?
Fair enough, but that same amendment also uses the word “secure.” So, if the Internet is being used as a tool of war to attack us, that violates our rights as well. And thus, the conundrum we face today. Which do we want more: privacy or security? The answer, of course, is that we want both at once. We have all this great technology, so isn’t there a way to have the proverbial cake here?
Yes, in fact, technology does give us a solution to this conundrum, but it’s not one that people particularly like. What did the TSA do about scanners that showed people’s outline beneath their underwear? They moved the agents responsible for viewing those images into another room, where they were unable to see the faces of the passengers, and the passengers were unable to see them. Yes, they still get to see the outline of everyone’s junk, but the process has been anonymized. And that’s the key, even though it still makes us uncomfortable.
We’re perfectly OK with the government collecting information on us as long as that information is not personally identifiable. For example, census data is online and publicly searchable, but nobody’s complaining. Why? The data are anonymous. Remember, however, the data the census collected included personally identifiable information – but their technology was able to anonymize it. The personal info is still at the census somewhere, but only computers can see it. People can’t.
If the NSA were similarly able to see only anonymized data about ourselves, then we’d be far more comfortable. We’re all OK with them seeing personal information on the terrorists, of course – as long as they cannot see personal info on anybody else. But today, we don’t trust that they are able or willing to enforce this policy.
But it’s not a technology problem. Just as with the census data, we have the technical ability to anonymize personally identifiable information. It’s a governance and public policy problem. How do we establish and enforce policies that give the government the ability to execute its bona fide intelligence and law enforcement missions, while preventing individuals at the various agencies from overstepping their bounds and violating our privacy? Once we answer that question, the technology is available to make it work.