Upload
christopher-warren
View
214
Download
0
Embed Size (px)
Citation preview
““The Strategy of Using The Strategy of Using Security to Protect Privacy”Security to Protect Privacy”
Peter P. SwirePeter P. SwireOhio State UniversityOhio State University
Consultant, Morrison & Foerster, LLPConsultant, Morrison & Foerster, LLPData Protection Commissioner ConferenceData Protection Commissioner Conference
Montreux, September 14, 2005Montreux, September 14, 2005
A Shift In This TalkA Shift In This Talk
I provided different materials to the I provided different materials to the conference last monthconference last month
Today is my 4Today is my 4thth privacy or security privacy or security conference in Europe in past two weeksconference in Europe in past two weeks
Today’s talk focuses on the most Today’s talk focuses on the most important theme from this experienceimportant theme from this experience
Theme for TodayTheme for Today
Political challenge to data protection after 9/11Political challenge to data protection after 9/11 Security often trumps privacySecurity often trumps privacy
Burkert, Cavoukian & need for strategy and Burkert, Cavoukian & need for strategy and alliesallies
Theme: need effective, critical examination of Theme: need effective, critical examination of proposed security measuresproposed security measures Show when they are bad for Show when they are bad for securitysecurity Often an effective way also to protect Often an effective way also to protect privacyprivacy
Examples here for government access to Examples here for government access to commercial datacommercial data
OverviewOverview
My backgroundMy background Data retention and its security flawsData retention and its security flaws Security critiques of other government Security critiques of other government
access to dataaccess to data ConclusionsConclusions
My BackgroundMy Background
Now law professor, Ohio State UniversityNow law professor, Ohio State University 1998, “None of Your Business” book on EU-US 1998, “None of Your Business” book on EU-US
data protection & e-commercedata protection & e-commerce 1999-early 2001, Chief Counselor for Privacy for 1999-early 2001, Chief Counselor for Privacy for
the Clinton Administrationthe Clinton Administration Much work since on many privacy & security Much work since on many privacy & security
issuesissues www.peterswire.netwww.peterswire.net
Data Retention StrategyData Retention Strategy
Overall, in addition to privacy, stressOverall, in addition to privacy, stress CostCost SecuritySecurity
Data preservation is likely the best policy Data preservation is likely the best policy outcomeoutcome Save records where have individualized Save records where have individualized
suspicionsuspicion Is strict enough for the USIs strict enough for the US Complies with Cybercrime Convention, etc.Complies with Cybercrime Convention, etc.
Critiques of Data RetentionCritiques of Data Retention
Data protection argumentData protection argument Data retention is bad, not proportionateData retention is bad, not proportionate Will lead to many secondary usesWill lead to many secondary uses
Familiar cost argumentFamiliar cost argument High costs to ISPs, etc.High costs to ISPs, etc.
Familiar data security argument:Familiar data security argument: Huge databases become targets for future Huge databases become targets for future
attacksattacks Security measures for the databases are hardSecurity measures for the databases are hard
Other Threats to SecurityOther Threats to Security
Security threats to the intelligence & police agenciesSecurity threats to the intelligence & police agencies Risks for all government agenciesRisks for all government agencies
Their web & email activity will be retained as well!Their web & email activity will be retained as well! Unknown outsiders, in ISP and government agencies Unknown outsiders, in ISP and government agencies
elsewhere, can see this dataelsewhere, can see this data Invite their CIOs to testifyInvite their CIOs to testify
Undercover cops & other confidential activityUndercover cops & other confidential activity Data retention of contacts between undercover Data retention of contacts between undercover
operatives & their agenciesoperatives & their agencies Invite these cops to testifyInvite these cops to testify
A Double BindA Double Bind If police & intel actions are retained:If police & intel actions are retained:
Risk that terrorists, organized crime will target ISPsRisk that terrorists, organized crime will target ISPs New burden of background checks at ISPsNew burden of background checks at ISPs
• Including universities, small ISPsIncluding universities, small ISPs Costs and risks at ISPs go upCosts and risks at ISPs go up
If police & intel are If police & intel are notnot retained: retained: Would need complex & expensive system to shield Would need complex & expensive system to shield
these activities from the systemthese activities from the system The “hole” for police would be a hole for others to The “hole” for police would be a hole for others to
exploitexploit Either way, have costs & security risksEither way, have costs & security risks Put burden of persuasion on the other side to explainPut burden of persuasion on the other side to explain
Solution on Data RetentionSolution on Data Retention
Better to use the U.S. approach of data Better to use the U.S. approach of data preservation than a data retention regimepreservation than a data retention regime
These individualized searches will not expose These individualized searches will not expose the police and intel agencies to surveillance by the police and intel agencies to surveillance by terrorists & organized crimeterrorists & organized crime
Better for privacy, cost, & securityBetter for privacy, cost, & security That has been a winning coalition in U.S.That has been a winning coalition in U.S.
Security & Other IssuesSecurity & Other Issues
Other current data protection debatesOther current data protection debates BiometricsBiometrics RFIDs & other pervasive computing issuesRFIDs & other pervasive computing issues Identity theftIdentity theft
Technical security critiques will reduce the risk of Technical security critiques will reduce the risk of bad systems in these areasbad systems in these areas
ConclusionConclusion
““Information Security” is clearly part of “Data Information Security” is clearly part of “Data Protection”Protection” Effective critiques on security are part of the Effective critiques on security are part of the
core mission of DPAscore mission of DPAs Pragmatic politicsPragmatic politics
Gain allies to critique badly-designed systemsGain allies to critique badly-designed systems Staff within DPAsStaff within DPAs Participation in “cybersecurity” conferences & Participation in “cybersecurity” conferences &
activitiesactivities
ConclusionConclusion
The critique of security as The critique of security as partpart of DPA of DPA effortsefforts No need to abandon traditional effortsNo need to abandon traditional efforts
The results will be better legal and The results will be better legal and technical decisionstechnical decisions More secure & efficient systemsMore secure & efficient systems Better protection of human rightsBetter protection of human rights
A pragmatic strategy to achieve high moral A pragmatic strategy to achieve high moral goalsgoals
Contact InformationContact Information
Professor Peter P. SwireProfessor Peter P. Swire Phone: (240) 994-4142Phone: (240) 994-4142 Email: Email: [email protected]@peterswire.net Web: Web: www.peterswire.netwww.peterswire.net