3.3. Balance Privacy and Security

We often say "privacy and security" in the same breath, but the two can be at odds with each other.

Let us look at an example: the problem of increasing access to employees on the job. One of the earliest technologies to be deployed in this effort was a smart card that reported to a central computer, several times a minute, the current location of each and every employee so that they could always be found. It seemed only natural to make better use of this flood of data, so it was not long before bosses were receiving printouts of how much time employees were spending at the water cooler, the lunch room, and even the bathroom. In the rush to pry, the original goal of the technology was all but forgotten.

Another technology offers the same ability to maintain employees' access, while at the same time actually enhancing employees' privacy: portable telephones. Whether they be cell phones or local wireless phones, they offer the employee the ability to wander freely while still maintaining contact, and they do so without (necessarily) ratting out the employee's location.

This approach actually enhances privacy: before, should the boss ring the employee's phone in his office, she could ascertain whether he was in the office. With a portable phone, the caller has no idea where the employee is (unless sounds of a live ballgame give him away). At the same time, these phones make contact easier than with the smart cards, since the boss no longer has to slog off in pursuit.

For employers who judge their workers by how busy they look, such a scheme might well send chills down their back. For employers who, instead, judge employees by the quality of their results, such a system solves the employer's problem without shredding the last vestiges of employee privacy.

A newer threat to personal liberty is the electronic card used for rapid toll paying. These cards were designed to record the time the car passed through the toll station and deduct the toll from the holder's account. It wasn't long before they were pressed into use in tracking ongoing kidnappings, something everyone applauded (except for the Kidnapper's Union).

Recently, however, the governments in some states have started mounting card readers all along the freeways. The stated reason is that, by monitoring cars in the aggregate, they can map the flow of traffic. We've heard about aggregation before. It has a tendency to be the "introductory offer" that leads to something darker. How long will it be before the government is routinely monitoring or backtracking the movement of citizens suspected of far less violent crimes, like overdue parking tickets, or noncrimes, like being seen at a political rally?

Citizens today can buy "disposable cell phones," recycled phones that carry a certain number of prepaid minutes. They can be bought with cash and used until exhausted, all without anyone's knowledge as to who the possessor is. (Don't ask why someone would want such a phone. It's the essence of freedom that we need not declare a reason.) Prepaid toll cards could achieve the same anonymity, while achieving the same purported goal: collecting the toll.

You can do better than simply balancing privacy against security. The proper approach can actually increase both.

Privacy considerations should be treated as separate and distinct from security. Your designs can either support or degrade privacy, and you can build highly secure systems that enhance rather than reduce it. For every strategy that increases security at the cost of privacy, you will usually be able to devise an alternative that not only retains privacy but enhances it.
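The prepaid toll card above is a case where both goals can be met at once. The book does not describe a mechanism; the following is an added illustration, not the book's own material, of one way such a card could work: the operator signs toll tokens with an RSA blind signature, so it can verify every token it is paid and reject replays, yet cannot link a token redeemed on the road to the cash sale where it was issued. The roadside reader keeps only a per-reader count, which still yields the aggregate traffic flow the freeway readers are said to be for. The key (built from two known small primes), the serials and the reader name are all constructed for the example; a real deployment would use a full-size modulus and a proper blind-signature scheme.

```python
"""Anonymous prepaid toll credit, sketched with RSA blind signatures.

Added illustration, not from the book: the operator signs tokens it cannot
read (so sale and use are unlinkable), verifies each token at the reader,
rejects replays, and keeps only per-reader counts for traffic flow.
"""
import hashlib
import secrets
from math import gcd

# Toy operator key built from two known primes, 2^61-1 and 2^31-1 (assumed
# here for illustration; a real deployment would use a >=2048-bit modulus).
P = 2305843009213693951
Q = 2147483647
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (needs Python 3.8+)


def hash_to_int(serial):
    """Map a token serial onto [0, N) so it can be signed and verified."""
    return int.from_bytes(hashlib.sha256(serial).digest(), "big") % N


class Customer:
    """Pays cash for credit; the serial and blinding factor never leave the card."""

    def __init__(self):
        self.serial = secrets.token_bytes(16)          # random token identity (constructed)
        while True:                                    # blinding factor, invertible mod N
            self.r = secrets.randbelow(N - 2) + 2
            if gcd(self.r, N) == 1:
                break

    def blind(self):
        """m' = H(serial) * r^e mod N: all the operator sees at the point of sale."""
        return (hash_to_int(self.serial) * pow(self.r, E, N)) % N

    def unblind(self, blinded_sig):
        """s = s' * r^-1 mod N, which equals H(serial)^d mod N."""
        return (blinded_sig * pow(self.r, -1, N)) % N


class TollOperator:
    """Sells credit and runs the roadside readers."""

    def __init__(self):
        self.sales = []      # blinded values seen at sale: useless for tracking
        self.spent = set()   # serials already redeemed, for double-spend checks
        self.flow = {}       # per-reader counts: the aggregate traffic data

    def sell_credit(self, blinded):
        """Sign without learning the serial; cash changes hands out of band."""
        self.sales.append(blinded)
        return pow(blinded, D, N)

    def redeem(self, reader, serial, sig):
        """Accept a token once: valid signature, not seen before."""
        if pow(sig, E, N) != hash_to_int(serial):
            return False                                # forged or corrupted
        if serial in self.spent:
            return False                                # replayed token
        self.spent.add(serial)
        self.flow[reader] = self.flow.get(reader, 0) + 1
        return True


def demo():
    """Buy one token, drive through once, then try to replay and forge."""
    operator = TollOperator()
    card = Customer()
    blinded_sig = operator.sell_credit(card.blind())
    serial, sig = card.serial, card.unblind(blinded_sig)
    return {
        "first_pass": operator.redeem("reader-7", serial, sig),                 # True
        "replay": operator.redeem("reader-7", serial, sig),                     # False
        "forgery": operator.redeem("reader-7", secrets.token_bytes(16), sig),   # False
        # The sale record holds neither H(serial) nor the signature shown on the road.
        "sale_unlinkable": hash_to_int(serial) not in operator.sales
        and sig not in operator.sales,
        "flow": dict(operator.flow),                                            # {"reader-7": 1}
    }


if __name__ == "__main__":
    print(demo())
```

The security property (no free passage) rests on the signature check and the spent-serial set; the privacy property rests on the operator only ever recording the blinded value, which reveals nothing about the serial later presented. The same reader that redeems tokens can still publish counts per location and interval, so the stated aggregation goal is served without a per-vehicle movement log existing anywhere.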



Security and Usability: Designing Secure Systems That People Can Use
ISBN: 0596008279
Year: 2004
Pages: 295