This article can also be found in the Premium Editorial Download "Information Security magazine: Negative exposure: Web scanners reveal unknown holes."
The 9/11 attacks raised the stakes in the conflict between protecting individual privacy and protecting our physical and digital infrastructure and the lives of our citizens. Security is far more proactive and intrusive, as antiterrorist investigative measures allow government to collect and analyze gigabytes of data on individuals and their online activities.
Some believe security at the expense of privacy is un-American and unconstitutional. Others say security must take precedence over all to ensure the safety of the nation. Must national security and privacy clash?
Congress has created the Department of Homeland Security with unprecedented powers to collect, correlate and act upon mountains of digital data on individuals. Government and law enforcement officials say this level of monitoring is necessary to cull the intelligence needed to prevent another 9/11. Privacy activists counter that such deep data mining is an unjustified invasion of personal privacy, undermining civil liberties and eroding longstanding constitutional protections.
Security cuts both ways. Organizations implement security measures to protect digitally stored and transmitted information. In fact, the government mandates protection of personal information in the health care and financial services industries. On the other hand, government compromises privacy and demands access to protected information in the name of preserving national security.
For the most part, when government officials talk about security, they're talking about protecting the general public from threats--foreign and domestic. Their goal isn't to make money or inspire trust among customers, but rather to stop the bad guys from doing bad things. It may sound Orwellian--punishing the good people to catch a few bad guys--but the government will argue that sacrificing some civil liberties is necessary to protect against the terrorist threat. In other words, there are situations where security trumps privacy.
The tension between security and privacy is not limited to law enforcement and individuals. Corporations face it as well. For example, studies have consistently shown that one of the biggest security threats facing companies comes from insiders: employees who misuse or abuse the rights they are given to do their jobs. Furthermore, courts have held companies liable for misuse of their IT resources, leading many organizations to monitor their employees' use of e-mail and the Internet. According to the American Management Association, more than 80 percent of the companies it surveyed use some form of electronic monitoring or surveillance to watch their employees.
However, there's a growing trend for courts and legislatures to recognize the rights of employees to workplace privacy. In a recent case, a court found that a company was forbidden to look at an employee's e-mail if it was labeled "personal." If this trend persists, it will put companies in a lose-lose situation where they will be exposed to liability whether or not they monitor employee activity. Most of these conflicts could be avoided if each situation were analyzed from both a privacy and a security perspective.
The private sector also faces some challenges in the recent calls for more public-private partnership in fighting terrorism on the Internet. While this type of partnership has terrific potential, there will undoubtedly be some bumps in the road. For example, companies approach security from a business perspective (i.e., will the solution improve my bottom line?). Law enforcement doesn't, for the most part, think like that. Resource constraints do require prioritization, but that's not the same as the risk management analysis of the private sector.
There are natural and unavoidable conflicts, mirroring the centuries-old debates between advocates of national and commercial security and advocates of privacy and civil liberties. The best way to resolve them is with more collaboration and, yes, compromise between security and privacy. Many conflicts can be avoided if the public and private sectors work together to ensure that security and privacy considerations are addressed and adequately represented at all stages in the development of computer systems, corporate policies and government regulations.
About the author:
Andrew Konstantaras is the executive director of the Internet Law & Policy Forum, a nonprofit association that supports the growth of the Internet.
This was first published in January 2003.