RSA: The fundamental challenge of security versus privacy
A fundamental tension exists in balancing individual privacy rights and the collective right to security, Gary McGraw, CTO of application security vendor Cigital, said at the RSA Conference on Tuesday.
McGraw moderated a session called “Surveillance: Security, Privacy and Risk” in which panelists discussed the challenges of balancing the effort to scrutinize terrorist communications while preserving the privacy of innocent individuals. In addtion, panelists debated the effectiveness of surveillance efforts within and outside the country by commercial and government sectors. Panelist Alexander Joel, a civil liberties protection advocate, said that the government does a good job of balancing privacy and security challenges.
Joel added that the Foreign Intelligence Surveillance Act (FISA) created a framework outlining when government entities must get a court order to conduct surveillance. It also mandates the protections that entities must follow when carrying out surveillance. Assessments compliance occur twice a year and are submitted to Congress.
“When you do something under FISA, you achieve a good balance,” Joel said.
He added that all three branches of government are involved in surveillance activities and having it that way creates a “gold standard of intelligence.”
Panelist Matt Blaze, professor of computer science at the University of Pennsylvania, said that government surveillance efforts have historically been very secretive, to their disadvantage. In addition, there have been other government surveillance efforts which have lead to “overcollection” of data, resulting in questions of legality of such efforts, Blaze said.
“We need to think long and hard about what is actually a secret, because sunlight works really well and there's a tendency to hide,” Blaze said.
Panelist Deidre Mulligan, assistant professor, School of Information, UC Berkeley, agreed.
“When surveillance is something that's behind closed doors we lose some of those checks on discretion,” Mulligan said.
Having worked on both the public and private side of the spectrum, panelist Rebecca Bace, president, Infidel, said that commercial surveillance activities have made her “shudder” more than those she has known within the government. If nothing else, at least the government must comply with surveillance mandates such as FISA, Bace said.
Bace brought up other questions relating to this issue – who actually makes government privacy decisions? And, when privacy violations occur, who is accountable?
Blaze said that technology used to carry out surveillance efforts must be scrutinized, along with the policies that are followed. Mulligan questioned the effectiveness of government surveillance efforts.
“On the front end, when deploying and debating a system you don't just say, ‘we are going to get the bad guys, we are going to use this to make us more secure,'” Milligan said.
Mulligan said that first, you need to make sure the technology works. It must be determined scientifically how it will make us more secure.
Blaze said that whether technology works right is not a partisan issue. But Mulligan said she thinks the Obama administration will begin looking more critically at whether surveillance efforts are yielding the success they should.