Security and Privacy

It’s probably impossible to get too much of Bruce Schneier, although I honestly wouldn’t mind if he stopped Friday Squid Blogging.

His latest Wired.com article on the false dichotomy between security and privacy is an excellent counterpoint to a recent Lawrence Wright profile in the New Yorker on Director of National Intelligence Mike McConnell. The Lawrence Wright article was surprisingly uncritical, considering the New Yorker’s usual zealous approach. Check out, for example, his description of the “Clipper” chip:

In the nineties, new encryption software that could protect telephone conversations, faxes, and e-mails from unwarranted monitoring was coming on the market, but the programs could also block entirely legal efforts to eavesdrop on criminals or potential terrorists. Under McConnell’s direction, the N.S.A. developed a sophisticated device, the Clipper Chip, with a superior ability to encrypt any electronic transmission; it also allowed law-enforcement officials, given the proper authority, to decipher and eavesdrop on the encrypted communications of others. Privacy advocates criticized the device, though, and the Clipper was abandoned by 1996. “They convinced the folks on the Hill that they couldn’t trust the government to do what it said it was going to do,” Richard Wilhelm, who was in charge of information warfare under McConnell, says.

(emphasis added). Compare, for example, EPIC’s Clipper Chip information page.

Schneier, by contrast, sees right through the core:

We’ve been told we have to trade off security and privacy so often — in debates on security versus privacy, writing contests, polls, reasoned essays and political rhetoric — that most of us don’t even question the fundamental dichotomy.

But it’s a false one.

Security and privacy are not opposite ends of a seesaw; you don’t have to accept less of one to get more of the other. Think of a door lock, a burglar alarm and a tall fence. Think of guns, anti-counterfeiting measures on currency and that dumb liquid ban at airports. Security affects privacy only when it’s based on identity, and there are limitations to that sort of approach.

Since 9/11, approximately three things have potentially improved airline security: reinforcing the cockpit doors, passengers realizing they have to fight back and — possibly — sky marshals. Everything else — all the security measures that affect privacy — is just security theater and a waste of effort.

By the same token, many of the anti-privacy “security” measures we’re seeing — national ID cards, warrantless eavesdropping, massive data mining and so on — do little to improve, and in some cases harm, security. And government claims of their success are either wrong, or against fake threats.

The debate isn’t security versus privacy. It’s liberty versus control.

Read the whole essay. And send it to your mother, as well.

[Tags]Schneier, Privacy, Security[/Tags]

2 comments

  1. Dylan Thurston Jan 30

    EPIC’s clipper chip page is outdated. The Skipjack algorithm is now public, for instance. I think public cryptographers are skeptical of the algorithm; there are attacks against almost the entire algorithm.

  2. adam Jan 30

    Fair point. I was only citing the EPIC page to show that the New Yorker’s rather positive characterization of the Clipper chip was flawed.

Leave a Reply

(Markdown Syntax Permitted)