140 likes | 419 Views
“The Strategy of Using Security to Protect Privacy”. Peter P. Swire Ohio State University Consultant, Morrison & Foerster, LLP Data Protection Commissioner Conference Montreux, September 14, 2005. A Shift In This Talk. I provided different materials to the conference last month
E N D
“The Strategy of Using Security to Protect Privacy” Peter P. Swire Ohio State University Consultant, Morrison & Foerster, LLP Data Protection Commissioner Conference Montreux, September 14, 2005
A Shift In This Talk • I provided different materials to the conference last month • Today is my 4th privacy or security conference in Europe in past two weeks • Today’s talk focuses on the most important theme from this experience
Theme for Today • Political challenge to data protection after 9/11 • Security often trumps privacy • Burkert, Cavoukian & need for strategy and allies • Theme: need effective, critical examination of proposed security measures • Show when they are bad for security • Often an effective way also to protect privacy • Examples here for government access to commercial data
Overview • My background • Data retention and its security flaws • Security critiques of other government access to data • Conclusions
My Background • Now law professor, Ohio State University • 1998, “None of Your Business” book on EU-US data protection & e-commerce • 1999-early 2001, Chief Counselor for Privacy for the Clinton Administration • Much work since on many privacy & security issues • www.peterswire.net
Data Retention Strategy • Overall, in addition to privacy, stress • Cost • Security • Data preservation is likely the best policy outcome • Save records where have individualized suspicion • Is strict enough for the US • Complies with Cybercrime Convention, etc.
Critiques of Data Retention • Data protection argument • Data retention is bad, not proportionate • Will lead to many secondary uses • Familiar cost argument • High costs to ISPs, etc. • Familiar data security argument: • Huge databases become targets for future attacks • Security measures for the databases are hard
Other Threats to Security • Security threats to the intelligence & police agencies • Risks for all government agencies • Their web & email activity will be retained as well! • Unknown outsiders, in ISP and government agencies elsewhere, can see this data • Invite their CIOs to testify • Undercover cops & other confidential activity • Data retention of contacts between undercover operatives & their agencies • Invite these cops to testify
A Double Bind • If police & intel actions are retained: • Risk that terrorists, organized crime will target ISPs • New burden of background checks at ISPs • Including universities, small ISPs • Costs and risks at ISPs go up • If police & intel are not retained: • Would need complex & expensive system to shield these activities from the system • The “hole” for police would be a hole for others to exploit • Either way, have costs & security risks • Put burden of persuasion on the other side to explain
Solution on Data Retention • Better to use the U.S. approach of data preservation than a data retention regime • These individualized searches will not expose the police and intel agencies to surveillance by terrorists & organized crime • Better for privacy, cost, & security • That has been a winning coalition in U.S.
Security & Other Issues • Other current data protection debates • Biometrics • RFIDs & other pervasive computing issues • Identity theft • Technical security critiques will reduce the risk of bad systems in these areas
Conclusion • “Information Security” is clearly part of “Data Protection” • Effective critiques on security are part of the core mission of DPAs • Pragmatic politics • Gain allies to critique badly-designed systems • Staff within DPAs • Participation in “cybersecurity” conferences & activities
Conclusion • The critique of security as part of DPA efforts • No need to abandon traditional efforts • The results will be better legal and technical decisions • More secure & efficient systems • Better protection of human rights • A pragmatic strategy to achieve high moral goals
Contact Information • Professor Peter P. Swire • Phone: (240) 994-4142 • Email: peter@peterswire.net • Web: www.peterswire.net