HITB GSEC: The privacy and security balancing act, or not

  • There is no one true definition of privacy
  • Machine learning might be one way to address privacy issues

INDIVIDUALS claim a right to privacy, while societies (read: the state) say such concerns are trumped by security, usually citing the need to combat terrorism and crime.
 
There are perhaps strong arguments on both sides, but in reality the issue of privacy versus civil liberties is not as clear-cut as all that, according to Acuity Solutions president Kristin Lovejoy.

This is mainly because ‘privacy’ itself is not clearly defined. “Privacy is considered a fundamental human right according to Privacy International,” Lovejoy told the HITB GSEC Singapore 2015 conference on Oct 14.
 
“But the reality is that privacy is messy – in the United States, India and Ireland, privacy is not a constitutional right, and 49 of the 52 US states have their own definition of privacy,” she said in her keynote address titled, Security vs Privacy: Our Daily Struggle to Balance National Security Interests and Civil Liberties at the Ground Level.
 
Besides the varied definitions, there is also a generational gap between how millennials and baby boomers handle their personal information.
 
Citing studies done by the Direct Marketing Association, Lovejoy said that up to 56% of millennials say they would be willing to give away their personal information for a better online shopping experience.
 
Commercial interests
 
There are currently three factors driving privacy protection regulation across the world, according to Lovejoy.

The top factor is to promote e-commerce, with many countries, especially in Asia, as well as Canada and the United States, recognising that consumers are uneasy with their personal information being sent worldwide, she argued.
 
“What countries have found out is that consumers don’t like giving out information unless they feel somewhat protected,” she said.
 
“Privacy regulations have nothing to do with human rights; they have everything to do with economics,” she added.

Another factor is a raft of pan-European laws, which Central and Eastern European countries are now forced to adopt based on the Council of Europe Convention and European Union (EU) Data Protection Directive.
 
“Europe has historically led the arena when it comes to privacy protection laws,” Lovejoy said.
 
“With the exception of Ireland, all the EU nations have substantiated with their respective constitutions that privacy is a fundamental human right, with some going so far to say that people have a right to anonymity,” she added.

The final factor driving privacy regulation is to remedy past injustices that occurred under authoritarian regimes, according to Lovejoy.
 
“This is where there has been human trafficking, sex slavery and all those kinds of things, you see a bunch of regulations,” she said.
 
It is important to know about these factors because security practitioners have to understand the laws in the countries their companies operate in, Lovejoy argued.
 
“I have to understand what the laws are so I can implement effective security controls to enforce privacy rights and not get into a legal jam,” she said.
 
“It is important to know the why and the how,” she added.

How to co-exist
 
While privacy might not always be a priority for businesses or governments, a co-existence is possible, according to Lovejoy.
 
“Privacy is kind of sketchy with no-one really knowing what it means, but we do understand where security fits in that context, and the big issue is still around monitoring,” she said.
 
Machine learning might be the key to resolving some of these issues from the security perspective, Lovejoy argued.
 
“The concept with machine learning is to take an engine and teach the system to understand malware through the malware genome project,” Lovejoy said.
 
“Machine learning will classify all the events in the network by looking at the code and not the data, making it impossible to make any privacy violations,” she added.
 
HITB GSEC Singapore 2015 is being held at Hotel Fort Canning. Digital News Asia (DNA) is the official media partner.
 