
“The Strategy of Using Security to Protect Privacy”

“The Strategy of Using Security to Protect Privacy”. Peter P. Swire Ohio State University Consultant, Morrison & Foerster, LLP Data Protection Commissioner Conference Montreux, September 14, 2005. A Shift In This Talk. I provided different materials to the conference last month


Presentation Transcript


  1. “The Strategy of Using Security to Protect Privacy” Peter P. Swire Ohio State University Consultant, Morrison & Foerster, LLP Data Protection Commissioner Conference Montreux, September 14, 2005

  2. A Shift In This Talk
     • I provided different materials to the conference last month
     • Today is my 4th privacy or security conference in Europe in past two weeks
     • Today’s talk focuses on the most important theme from this experience

  3. Theme for Today
     • Political challenge to data protection after 9/11
     • Security often trumps privacy
     • Burkert, Cavoukian & need for strategy and allies
     • Theme: need effective, critical examination of proposed security measures
     • Show when they are bad for security
     • Often an effective way also to protect privacy
     • Examples here for government access to commercial data

  4. Overview
     • My background
     • Data retention and its security flaws
     • Security critiques of other government access to data
     • Conclusions

  5. My Background
     • Now law professor, Ohio State University
     • 1998, “None of Your Business” book on EU-US data protection & e-commerce
     • 1999-early 2001, Chief Counselor for Privacy for the Clinton Administration
     • Much work since on many privacy & security issues
     • www.peterswire.net

  6. Data Retention Strategy
     • Overall, in addition to privacy, stress
     • Cost
     • Security
     • Data preservation is likely the best policy outcome
     • Save records where have individualized suspicion
     • Is strict enough for the US
     • Complies with Cybercrime Convention, etc.

  7. Critiques of Data Retention
     • Data protection argument
     • Data retention is bad, not proportionate
     • Will lead to many secondary uses
     • Familiar cost argument
     • High costs to ISPs, etc.
     • Familiar data security argument:
     • Huge databases become targets for future attacks
     • Security measures for the databases are hard

  8. Other Threats to Security
     • Security threats to the intelligence & police agencies
     • Risks for all government agencies
     • Their web & email activity will be retained as well!
     • Unknown outsiders, in ISP and government agencies elsewhere, can see this data
     • Invite their CIOs to testify
     • Undercover cops & other confidential activity
     • Data retention of contacts between undercover operatives & their agencies
     • Invite these cops to testify

  9. A Double Bind
     • If police & intel actions are retained:
     • Risk that terrorists, organized crime will target ISPs
     • New burden of background checks at ISPs
     • Including universities, small ISPs
     • Costs and risks at ISPs go up
     • If police & intel are not retained:
     • Would need complex & expensive system to shield these activities from the system
     • The “hole” for police would be a hole for others to exploit
     • Either way, have costs & security risks
     • Put burden of persuasion on the other side to explain

  10. Solution on Data Retention
     • Better to use the U.S. approach of data preservation than a data retention regime
     • These individualized searches will not expose the police and intel agencies to surveillance by terrorists & organized crime
     • Better for privacy, cost, & security
     • That has been a winning coalition in U.S.

  11. Security & Other Issues
     • Other current data protection debates
     • Biometrics
     • RFIDs & other pervasive computing issues
     • Identity theft
     • Technical security critiques will reduce the risk of bad systems in these areas

  12. Conclusion
     • “Information Security” is clearly part of “Data Protection”
     • Effective critiques on security are part of the core mission of DPAs
     • Pragmatic politics
     • Gain allies to critique badly-designed systems
     • Staff within DPAs
     • Participation in “cybersecurity” conferences & activities

  13. Conclusion
     • The critique of security as part of DPA efforts
     • No need to abandon traditional efforts
     • The results will be better legal and technical decisions
     • More secure & efficient systems
     • Better protection of human rights
     • A pragmatic strategy to achieve high moral goals

  14. Contact Information
     • Professor Peter P. Swire
     • Phone: (240) 994-4142
     • Email: peter@peterswire.net
     • Web: www.peterswire.net
