A balance?

The theme of the just completed Privacy and Security Conference was ‘Digital Dilemmas, Digital Dreams’.  It had a strong privacy flavour to it, and I found a recurring theme in many of the sessions: a need to find a balance between privacy and security is critical.  We truly experience a dilemma when we make decisions that would favour one over the other.

As many have pointed out, privacy and security do not need to come at the expense of each other.  For example, increased security does not need to decrease privacy protections.  When this happens, things like surveillance cultures develop that are not only harmful to societies but almost impossible to disassemble once in place.  Simon Davies from Privacy International pointed this out in his impassioned presentation on the ubiquitous CCTV systems in the United Kingdom: establishing the cameras in public places has already been completed, and removing them is almost unthinkable despite their ineffectiveness.  Do you want to be the public official responsible for the removal of a system when the next bin Laden might walk through your town next week?  Mr. Davies also points out that building license requirements and insurance companies now mandate that CCTV be installed in order for approvals to be granted to a business.

The reason that Britain has become a mass surveillance society is that when surveillance systems were being planned and implemented, security was the Holy Grail, and privacy — if considered at all — was the second priority.  When 9/11 hit and new legislation was enacted, privacy concerns took a further back seat.

Fortunately, in Canada we have some fairly strong privacy controls in place.  This isn’t because we have brilliant legislators or lack the ability to implement security controls.  Canadian values, privacy awareness and sensitivities to privacy invasions have not been eroded by terrorism and the resulting fear-mongering that follows a terrorist attack.  We bask in our privacy acts and glow with pride each time we write a Privacy Impact Assessment.

There you have it: a tidy, smug, self-assured Canadian view of privacy and security…  But what if we did experience the unthinkable here — the toppling of the CN Tower or a coordinated attack on Alberta’s oil sands infrastructure (and the resulting environmental disaster)?  Would the privacy culture we enjoy survive such an event?  Or would invasive border controls, a national ID card and pervasive wire tapping become our norms as well?

At times it is easy to be smug and satisfied in a country that consistently wins UN awards for being the best country on earth.   We pretend to not understand the American obsession with security, and are aghast when we hear of CCTV in the UK.  How can these countries — our neighbours and cultural peers — allow such an erosion of privacy in the name of security? 

The reality is we have not experienced the same pain, and until we do our indignant rhetoric is just that: naive statements untested by the harsh reality of unthinkable events.  Keeping our balance in an uncertain future will be more difficult than we can possibly know.


Live blogging, day 2

Today’s keynote Simon Davis from Privacy International:

– in Britain CCTV surveillance has run rampant
– but only one in every 250 images is useful to law enforcement
– subtle changes in the way people gather and behave in British cities have occurred
– all data from Internet, cell and land lines are stored, BY LAW, by ISPs and phone companies
– who you call, where you are, what you say are all being recorded and stored
– over 1,000 requests PER DAY for info contained in this database…

1984 anyone?


Info Card / Smart Card Convergence

Here’s a prediction: by 2010 we’ll all carry a smart card that is linked to a virtual information card that resides on our PC.

In this near future, our bank needs us to use two-factor authentication, and the credit card companies force us to use the same when shopping online.  Our governments want us to apply for programs online, but insist on proving who we are with strong authentication to reduce fraud.  And we also have realized that its a good idea to have two-factor logins on our own computers.

In the midst of all this, our awareness of personal privacy has increased to the point that we don’t just blindly enter personal information on every e-commerce registration page that asks.  We’re not just tired of the repetitive entry, but insist on controlling what information is shared. 

A Microsoft rep told me this past week that CardSpace and smart card integration services are just around the corner.  Are info cards converged with smart cards an obvious solution to a set of already chronic security and privacy problems?