I am becoming more convinced that there are way too many interpretations of the word “privacy.”
When looking it up in the dictionary, the definition intrigued me:
1. The quality or state of being apart from company or observation;
2. Seclusion: freedom from unauthorized intrusion; and
When talking about privacy in technology, number two sounds about right. Something many vendors strive towards. No one really likes the idea of intrusion, especially when it comes to those very scary emails you've sent to Claude in Finance.
When talking about number three, secrecy, it's tricky. I was trying to consider technology or methodologies that embodied true secrecy, and I failed miserably to find any. I got stuck on passwords, which are more along the lines of definition number two than number three, because we invariably choose passwords that are very rarely secret. If they were totally secret, we'd forget them ourselves. Number one just vexes me altogether. The "quality of being apart from observation," is a kind of ultra unobtainable grace. Especially when one works in a company and has to follow pesky rules and all of that. Many of us signed the all-purpose non-disclosure agreement that stated, "...all company equipment is the property of the company and all company computers are subject to random searches of data..." It's all there. All of the words and catchphrases that debunk the myth that you have any sort of (#1 definition of) privacy at all.
This shouldn't be surprising, and yet somehow it always seems to be. We go about fighting for our privacy, when the battles we are fighting are subjective, interpretive, and embedded in cultural and geographical origin. Depending on where you currently live, your battle for privacy and the standards surrounding it are bound to be constantly re-interpreted across the globe. Each nation adhering to its own unique perception of what privacy means and how much is guaranteed.
At RSA France, Lance Hayden of Cisco Systems presented an excellent paper that included the details of the personal information record. The PIR begins at birth and extends throughout your lifetime. It is made up of every bit of data ever gathered about you as a person. From the record of your birth, to your monthly cell phone usage, it's about you and everything you are. I'd have to say that up against the wealth of the PIR, lack of privacy on the company network is so much less disconcerting when compared to your human record.
What confuses me is how militant people become when they fear that their digital privacy is being invaded. The debates are many when someone brings up Echelon. Does the general public understand what Echelon was meant to do? The laws and policies that surrounded its use? How about the U.S. Defense Advanced Research Projects Agency (DARPA)? Does the public understand that a request to "observe" a known terrorist has to go through many high levels of approval before the military is allowed to unleash their powers? Quite a few regulations exist that may, in some important cases, hamper the efforts of the government to monitor dangerous people effectively. No one flips a switch at their Star Trek-like control panel and reads your grandmother's email. How frightening it is to realize that every use of a debit card provides more personal data to strangers than government observation is ever likely to gather.
When it comes to the corporate environment, I am a big proponent of system audits. Not of spying, like the use of cameras in every corner and the installation of invisible tracers, but audits: forensics, copy downs of weekly logs and such. I believe that employers have a basic right to know how the employees spend their time. Not to the minute, but by the bulk. How much time was spent working, juxtaposed against how much time was spent viewing or sending inappropriate materials? Had anyone been monitoring the exchanges between Enron and Arthur Andersen...
Well, we all send personal email. We view this mail as private, and we feel we have a right to that privacy. In some senses, yes, we have a right not to work in a hostile, prison camp environment. However, at work, one should be working. At work, everything I am doing on the laptop they have loaned to me belongs to them. I know this, and yet I conveniently forget this. I feel ownership of the data that resides on my laptop. I feel attached to the data I've placed on the network -- although that network isn't mine either, and the data on it was provided to do my job, which they pay me to do in the first place. It's an interesting rub. What privacy is owed to me and what is intrinsic? What corporate privacy am I infringing on by sending personal email outside the network and through other firewalls?
I've observed what I feel are some fundamental differences in how Americans and Europeans view privacy. Though both cultures embrace, and yet castigate, the technology to support it, the Europeans seem almost manic about their digital privacy. It's a concern for all at some level, but they appear to take it to a new extreme. In talking with David Love, head of security technology advocacy, at Computer Associates, he agreed that Europeans are more involved in protecting individual privacy, but that Americans are "coming around to it slowly." He cites the example of the U.S. HIPAA (Heath Insurance Portability and Accountability Act), the standard existing in orbit around protecting facets of the PIR. Maybe the U.S. is seeing a shift in privacy concerns, but it's slow, and seems back burner compared to our lust for enterprise privacy. Firewalls, VPNs, intrusion detection systems, it's all so glamorous and fantastic really.
Possibly it's a cultural difference. War and totalitarian governments have wrought paranoia and suspicion in some corners of Europe that Americans have never had to face. Europeans fanatically cherish their digital privacy, and they pair it with their belief in human rights issues. I'm not sure Americans see digital privacy in line with human rights and maybe we should, I'm undecided. I am, however, fairly certain that New York (or the Mid-West for that matter) would not allow CCTV to come to town without an awesome fight. Europeans are almost constantly observed. It makes perfect sense that they fight so aggressively for their right to digital privacy. They fight to protect their very PIR. In my mind, if it's for the greater good, then observe me. I'm very boring. I have very little to hide.
Melisa LaBancz is a San Francisco area security journalist wondering who knows she bought crunchy fish fillets on her debit card last week.