William Jackson | Privacy and security: There's always a tradeoff

UPDATED | Cybereye'Commentary: Although security can help ensure privacy, the two are not the same thing

Cybereye columnist
William Jackson

Originally posted Nov. 19 at 11:37 a.m. and updated Nov. 20 at 11:31 a.m.

Hugo Teufel III, chief privacy officer of the Homeland Security Department, said recently at a roundtable discussion on cyber security for the Congressional High Tech Caucus that there was no need to balance privacy and security. The two go hand in hand, he said.

What a disturbing thing for a chief privacy officer to say.

Although it is true that security can help ensure privacy, the two are not the same thing. Security often entails gathering sensitive information about individuals, and these collections raise plenty of concerns about privacy, no matter how well-intentioned.

The idea that privacy is not an issue so long as you are in the pursuit of security is symptomatic of the way DHS and other federal agencies operate. Congressional concerns about the lack of privacy safeguards recently forced DHS to delay plans for sharing domestic satellite intelligence with state and local law enforcement agencies. That was merely the latest in a string of multi-million-dollar DHS programs scrapped or delayed because of such worries. The revelation in 2005 that the National Security Agency was illegally sweeping up data from most of the nation's major telecom carriers led to public outrage and a number of lawsuits against the carriers.

The government appears to feel it is entitled to gather any personal information in the pursuit of homeland security and that as long as it holds on to the information, there is no privacy problem.

Not so. No matter how well the data is secured, once an agency has acquired personal information without the permission of the individual or without proper judicial process, privacy has been breached.

It does not seem to have occurred to government or to many private sector organizations that use personal data that they are part of the problem. During the same event where Teufel made his comments, Stuart Pratt, president of the Consumer Data Industry Association, said that identity theft is not really that much of a problem and that complaints to the Federal Trade Commission are leveling off.

Yes, ID theft complaints to the FTC have leveled off, down to 246,000 in 2006, which was comparable to 2004 numbers after spiking in 2005. But that still is an awful lot of cases and they account for 36 percent of all fraud complaints, far and away the largest single category of fraud handled by the FTC. Still, Pratt says, the more personal data industry has about you, the more secure you are.
'Data has been used to prevent fraud,' Pratt said. He added that in the name of security we must get used to what we once considered invasions of privacy, from intrusive searches in public buildings to the use of our personal information by strangers.

Teufel said transparency is the key to gaining the trust of people in the use of their personal information. He invited everyone to visit the privacy page on the department's Web site, so I did. It has the standard government Web boilerplate about not using persistent cookies or gathering identifying information about visitors. But there is no mention on the page of the personal information the department gathers or plans to gather in the name of homeland security. There is no mention of the Computer Assisted Passenger Prescreening Systems II; the Analysis, Dissemination, Visualization, Insight and Semantic Enhancement program; the Secure Flight Program; or the Multistate Anti-Terrorism Information Exchange Pilot Project.

'We believe that respect for individual privacy is a core value of our free society and one that the department is fighting to protect,' Teufel wrote in a newsletter on his office's Web site. 'To achieve our mission, we work closely with our colleagues in the department to ensure that privacy is considered throughout the lifecycle of each information system or program.'

And yet, in addition to the delay of the recent satellite intelligence program there are a number of high-profile programs in which concerns have been raised about inadequate attention to privacy. There is the Computer Assisted Passenger Prescreening Systems II; the Analysis, Dissemination, Visualization, Insight and Semantic Enhancement program; the Secure Flight Program; and the Multistate Anti-Terrorism Information Exchange Pilot Project.

Teufel called transparency the key to gaining the trust of people in the use of their personal information, and said proudly that his office has completed a Privacy Incident Handling Guide that lays out how the department will respond to breaches of personal information. That policy is on the department's intranet, he added; it is not available to the public.

Benjamin Franklin, who knew the value of a penny, also knew that there was no such thing as a free lunch and that security is always a tradeoff. It was Franklin who said, 'those who would give up essential liberty to purchase a little temporary safety deserve neither liberty nor safety.'

Just what the proper balance is between security and other essential rights is a decision that should be made openly, not behind the closed doors of DHS, NSA or any other agency.

About the Author

William Jackson is a Maryland-based freelance writer.

inside gcn

  • IoT security

    A 'seal of approval' for IoT security?

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group