- Everyone Knows What "Cybersecurity" Means
- We Can Measure How Secure Our Systems Are
- The Primary Goal of Cybersecurity Is Security
- Cybersecurity Is About Obvious Risks
- Sharing More Cyber Threat Intel Will Make Things Better
- What Matters to You Matters to Everyone Else
- Product X Will Make You Secure
- Macs Are Safer Than PCs, Linux Is Safer Than Windows
- Open Source Software Is More Secure Than Closed Source Software
- Technology X Will Make You Secure
- Process X Will Make You Secure
- Faerie Dust Can Make Old Ideas Magically Revolutionary
- Passwords Should Be Changed Often
- Believe and Fear Every Hacking Demo You See
- Cyber Offense Is Easier Than Defense
- Operational Technology (OT) Is Not Vulnerable
- Breaking Systems Is the Best Way to Establish Yourself
- Because You Can, You Should
- Better Security Means Worse Privacy
- Further Reading
This chapter is from the book
This chapter is from the book
This chapter is from the book
Better Security Means Worse Privacy
If we ask people if privacy is important, we will undoubtedly get an enthusiastic “Yes!” It is explicitly mentioned in the United Nation’s Declaration of Human Rights.75 The consensus in law is that there is an implicit right to privacy embedded in the U.S. Constitution,76 and an explicit recognition in several laws. Europe has enacted major laws around privacy, the best known of which is the General Data Protection Regulation (GDPR); however, similar to security, no formal definition of privacy is widely accepted. It is recognized as contextual within time and society—different cultures have defined it differently over time.
Technology has also played a role in defining privacy and the violation of privacy. The invention of the window, the camera, and the telephone are all examples of how technological changes have privacy implications. Computing and networking continue to push boundaries in this regard. Many venues associated with cybersecurity are labeled as about “security and privacy,” making the association explicit.
The myth associated with this association is that increasing privacy protections reduces a system’s security and vice versa. This is certainly not the case! If we think about it, one of the primary drivers of cybersecurity is to support privacy: We want to limit access to private information.
The myth comes about because there are cases where the most straightforward or cheapest solution to a security problem involves reducing privacy. For example, if we want to reduce the chance of phishing, we would examine and store copies of all emails coming into the enterprise. We have a better chance of catching phishing links at the expense of email privacy. This fails to acknowledge that there are other methods, including methods that allow us to use the power of computing to enhance security and preserve privacy. For example, we can automatically rewrite URLs in an email to neuter them without having to keep a record or have anyone read the contents.
There is not an automatic trade-off of privacy for better security. Adding logging or surveillance is not always the only way to address an issue, although it is often the cheapest and fastest way to do so. “Fast and cheap” often results in incrementally less privacy for the user community. Privacy is important. People should have the opportunity to give informed consent to when, how, and if their privacy is being reduced to use a system. Public pushback on cookies and online advertising are examples of growing awareness of these issues.
People who work in cybersecurity should protect privacy when they can, not reduce it. When presented with restrictions, such as those imposed by the GDPR, it should be a matter of professional duty to find ways to support them rather than circumvent them.