Discussion participants included: Bruce Schneier, chief security tech officer, British Telecom; Andres Piazza, president, Latin American ICANN At-Large group; Zahid Jamil, IP rights and cybercrime law expert, Pakistan; Wolfgang Benedek, professor of law, University of Graz; Alejandro Pisanty, longtime ICANN and Internet Society leader, Mexico.
VIDEO HIGHLIGHTS: Bruce Schneier - Privacy is a key component of security, 0:59Alejandro Pisanty, Internet Society, UNAM, on challenges in a new age of transparency, 3:47Steve Purser, ENISA - on electronic common sense, 1:40Schneier - Common sense is slow to develop and clumsy, 1:59Schneier - Data pollution is a consequence of our rush for progress, 1:03Wolfgang Benedek, University of Graz - dangers of giving away freedoms to preserve privacy, 0:56Simon Davies, Privacy International - the disconnect between citizens and security professionals, 1:22Zahid Jamil, Pakistani lawyer - how the security debate affects developing nations, 1:35Purser notes people have to be more aware of how they handle risk management, 0:43
November 17, 2009 - Privacy. Security. As Bruce Schneier told the people in this session at the IGF, “These issues are not new, they are as old as multicellular life.” But in the age of digital information-sharing on the Internet they have taken on new magnitude as seemingly opposing forces.
British Telecom security expert Schneier’s practical, informed expertise combined with the riveting remarks of Simon Davies, director of Privacy International, added a dynamic charge to the exchanges in this roundtable.
Schneier is known for sharing his expertise on security in the digital age. He spends half of his time traveling to give talks and participate in events like this. He said we’re all having this privacy-security conversation more often today because the Internet is an “identifying technology.”
“The Internet and IT and computer technology have a lot of identity embedded but there’s a disconnect between the computer and the person sitting in the chair or the network and the person,” he said. “Yes, the terrorists are a threat. But repressive governments are another threat. An unethical corporations are a third threat. And nosy neighbors are a fourth threat. And when you look at all the threats, then you quickly realize that privacy is not antiethical to security, it is a component of security. In order for us to be secure, we must also have privacy. They are not in opposition at all. In giving away our privacy in some misguided attempt to make us secure against terrorism, we are actually reducing our security against governments, against multinational corporations, against those who are in power. Privacy is empowering. Giving privacy to the people raises their power with respect to government. That's why it's important; that's why it's part of security.
Schneier said identity-based security has to do with privacy. “Governments and corporations want to use that data for security and marketing or for control," he said. "‘National security’ is a pass to do anything. You can use that phrase to pretty much justify everything. There is a widespread belief that if we just knew who everybody was, we could just pick the names of bad guys out of a list – this is advancing security and pushing back on privacy. We have a warrant process and disclosure processes all designed to limit the powers of police and protect our privacy."
Davies said he directs the longest-standing organizatin devoted to tackling privacy issues. “When we started the issue was almost invisible,” he said.
“People have developed the sense that privacy is a fundamental right. There are restrictions on privacy, there always have been. I don’t believe that anything is different in 2009 than in 1989, 1969 or even in the Victorian era. Our fundamental problem is that security has become such a means to an end, such an industry that it has almost become self-fulfilling. We talk about balancing privacy and security. National security and security in general is a means to an end. Security is not quantifiable. It is extremely difficult. We are finding a disconnect between the expectations of citizens who want to exert their privacy rights and the expectations of many security professionals who believe that the mere mention of the word security should give them a golden pass through the privacy conundrum.”
Wolfgang Benedek, a professor at the University of Graz who specializes in international law, talked about various models and previous discussions on privacy, including the European Convention on Human Rights and Privacy. “Last year we met in Hyderabad after the terrorist event in Mumbai,” he recalled. “My flight was booked through Mumbai, and I was sitting in the airport all night and feeling concerned. You can’t avoid feeling some risk today. It is said that you have to give away freedom in order to preserve security. We have given away quite a good part of our freedoms and I’m not sure how much security we have gained from it.”
Steve Purser, chief information officer at ENISA noted that people often push for legislation when problems can also be managed in other ways. Legislation and rulemaking can lead to confusion and an atmosphere with no change for the better. “We talk about rights,” he said. “One of the most fundamental rights of a citizen is that we have the right to know what’s going on, and I’m not sure how many people actually know what’s going on today. Citizens are going to have to develop a sort of electronic consent. There is always legislation if things go wrong, but it’s much better if things don’t go wrong in the first place. Legislation is national and the Net is global. Preventive, proactive measures are most effective.”
Zahid Jamil, a barrister from Pakistan, said sometimes people are paranoid. “To say that corporations are colluding with this, I don’t think there’s this great desire by corporations to know who you are and where you live,” he said. “Businesses need to feel that their customers feel secure about their privacy so they can trust them, otherwise they will jump ship and go to another provider. It is important to us that consumers do feel secure about the privacy of their data.”
Moderator Alejandro Pisanty, a leader in ICANN and the Internet Society for many years, and a university administrator in Mexico, pointed out that even when companies are ethical, problems with data develop. “Many companies are sloppy about data protection,” he said. “The other thing that I’ll come back to is that the split between intimacy and data protection looked right 30 years ago but IT and the Internet are not data-protection machines.”
Jamil reminded everyone that the discussion of and understanding of privacy varies from one region to another. “In Pakistan, we find ourselves hearing the US perspective and the EU perspective,” he said. “Sometimes it gets lost in translation. We have to be sensitive about this northern debate about security and privacy - it is not understood in the south it impacts our rights. Hulu cannot broadcast to my destination. Skype is blocked in many regions. A lot of privacy decisions get misinterpreted in other countries, so please be sensitive about it.”
Pisanty said Jamil’s point is important. “There are three kinds of law. The EU tradition on privacy is precise. In the U.S. view, data is private and yours to hand out if you wish and it is assumed to be voluntary, and law in the rest of the world is the law of control.”
Rebecca MacKinnon of Global Voices, a participant from the audience, added, “We have universal concerns that play out differently in different regimes. It’s very difficult to have one-size-fits-all legislation.”
Purser noted that the context for any privacy-security balance issue counts for a lot. “In security you only have so many tools and it’s about using the best tools for the job,” he said. “When we look for likely solutions, we know expecting people to exercise common sense is limited. Legislation is too slow-moving and it’s a blunt instrument. Technology solutions - software is not perfect. Little things mean a lot.”
- Senior segment producer, Janna Anderson