Security Vs Privacy

By Ambadi MP |

Both privacy and security are crucial if you want to protect your personal information and your Safety. But what is the difference between privacy vs security? How much Cyber Security Influence National Security? How National Security Affects Privacy? Until not long ago, we didn't have to worry about privacy and security all that much. Remember when all the technology we used to come in contact with were the phones that only hold a small number of text messages and call logs? Not to mention, there were no internet connection or apps that could compromise the security and privacy of our logs. In today's era, where technology has become part of our daily routine, things have changed.

Now it's more important than ever to stay aware of the risks that come with using technology for most of our actions. From checking emails and interacting with our peers, to online shopping and online banking, we share most of our private information with the devices we interact with. And because the internet is a window that makes it possible for cybercriminals to access your private data if you don't protect your information properly, it's crucial that you learn more about both privacy and security. Often enough, the terms of privacy and security get mixed up or are referred to as a whole. But they are not the same. And you may be wondering what the difference between privacy vs security actually is. Why should you care? Well, for your online safety, it's important to have both privacy and security. We'll go over what both privacy and security are and what is the difference between the two, why you should be cautious about your privacy and security, along with some tips about how to keep yourself safe online to avoid becoming a victim of internet hacking.

What is Privacy & Security?

Privacy and security are not estranged to one another but are closely related. While privacy refers to the control you have upon your private information, security refers to how this information is protected. To better understand the difference between privacy vs security, let's take a closer look at what each of them is.

WHAT IS PRIVACY?

Privacy can simply be defined as the right to be left alone. 'It is a comprehensive right and it is the right most valued by a free people. It is a fundamental human right. A society in which there was a total lack of privacy would be intolerable; but then again a society in which there was a total privacy would be no society at all’ (the is a balance needed). Privacy is the right of people to make personal decisions regarding their own intimate matters, it is the right of people to lead their lives in a manner that is reasonably secluded from public scrutiny, and it is the right of people to be free from such things as unwarranted drug testing or electronic surveillance.

WHAT IS INFORMATION PRIVACY?

Information privacy is the ability of an individual or group to stop information about themselves from becoming known to people other than those they choose to give the information to. Privacy is sometimes related to anonymity although it is often most highly valued by people who are publicly known. Privacy can also be an aspect of security - one in which there are trade-offs between the interests of one group and another can become particularly clear.

The UN Declaration of Human Rights defined Privacy as this: No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honor and reputation. Everyone had the right to the protection of the law against such interference or attacks.

While technology made it easier than ever to protect our privacy, the methods for others to tracking our activities have also increased. Nowadays, companies and the government can monitor all our conversations, online transactions, and all the locations we've been at. Gathering enough data gives entities the possibility of learning about our past, how we think, and even to predict our future actions. Doing so can not only affect our perception about society and the market but can also result in our personal information being exploited, and not necessary for the good. The biggest challenge when it comes to privacy? You're not always aware that your privacy might be compromised.

Not only the internet is full of websites, apps, and software that are trying to hide the fact that they are collecting private information. But how many times have you clicked to agree to a privacy policy you haven't read? Most of the times, we are not even aware of what permissions we give companies regarding our private data, a mistake that could lead to terrible results.

WHAT IS SECURITY?

Security is freedom from, or resilience against, potential harm (or other unwanted coercive change) caused by others. Beneficiaries (technically referents) of security may be of persons and social groups, objects and institutions, ecosystems or any other entity or phenomenon vulnerable to unwanted change. Security mostly refers to protection from hostile forces, but it has a wide range of other senses: for example, as the absence of harm (e.g. freedom from want); as the presence of an essential good (e.g. food security); as resilience against potential damage or harm (e.g. secure foundations); as secrecy (e.g. a secure telephone line); as containment (e.g. a secure room or cell); and as a state of mind (e.g. emotional security).

The term is also used to refer to acts and systems whose purpose may be to provide security (e.g. security forces; security guard; cyber security systems; security cameras; remote guarding). National security is the security of a nation state, including its citizens, economy, and institutions, which is regarded as a duty of government. Originally conceived as protection against military attack, national security is now widely understood to include non-military dimensions, including the security from terrorism, crime, economic security, energy security, environmental security, food security, cyber security etc. Similarly, national security risks include, in addition to the actions of other nation states, action by violent non-state actors, narcotic cartels, and multinational corporations, and the effects of natural disasters. Governments rely on a range of measures, including political, economic, and military power, as well as diplomacy to safeguard the security of the nation state. They may also act to build the conditions of security regionally and internationally by reducing transnational causes of insecurity, such as climate change, economic inequality, political exclusion, and nuclear proliferation.

Computer security, cybersecurity, or information technology security (IT security) is the protection of computer systems from the theft of or damage to their hardware, software, or electronic data, as well as from the disruption or misdirection of the services they provide. The field is becoming more important due to increased reliance on computer systems, the Internet and wireless network standards such as Bluetooth and Wi-Fi, and due to the growth of "smart" devices, including smartphones, televisions, and the various devices that constitute the "Internet of things". Owing to its complexity, both in terms of politics and technology, cybersecurity is also one of the major challenges in the contemporary world.

PRIVACY, LAW ENFORCEMENT, AND NATIONAL SECURITY

By its very nature, law enforcement is an information-rich activity. The information activities of law enforcement can be broken into three categories:

  • Gathering and analyzing information to determine that a law has been violated.
  • Gathering and analyzing information to determine the identity of the person or persons responsible for a violation of law.
  • Gathering and analyzing information to enable a legal showing in court that the person or persons identified in fact were guilty of the violation

All of these gathering, and analysis activities have been altered in basic ways by functional advancements in the technologies that have become available for collecting, storing, and manipulating data.

PRIVACY CONCERNS AND LAW ENFORCEMENT

Any modern society requires an effective and rational law enforcement system. Gathering, storing, and analyzing extensive information are vital to the law enforcement process, even though some information will also be gathered about persons who are manifestly beyond suspicion. Privacy concerns arise most clearly when law enforcement agencies gather information about those who have broken no law and are not suspects, or when such information is used for purposes other than the discovery or prosecution of criminals, or when the very process of gathering the information or the knowledge that such information is being gathered changes the behavior of those who are clearly innocent and above reproach.

In an interview with journalist Steve Kroft on 60 minutes, Julie Brill, Federal Trade Commissioner, remarked: “No one even knows how many companies there are trafficking in our data. But it’s certainly in the thousands, and would include research firms, all sorts of Internet companies, advertisers, retailers and trade associations. The largest data broker is Acxiom, a marketing giant that brags it has, on average, 1,500 pieces of information on more than 200 million Americans.”

What’s worrisome is that some of these data mines could distribute your information without you even knowing. Take for instance, the recent news of the UK’s largest online pharmacy being fined $200,000 for selling patients’ personal data to scammers. Pharmacy2U was found to have unlawfully sold the names and addresses of more than 21,000 patients without getting their consent or even informing them beforehand. Even more troubling, one of the companies who bought this data included a fraudulent Australian Lottery company that deliberately targeted elderly males with chronic health conditions.

To compound the worries of intentional data sharing, there is the unintentional sharing that results from cyber breaches and attacks. Some major corporate data and security breaches occurred this past year, among them:

  • Healthcare Provider BlueCross BlueShield experienced two hits. The Excellus BlueCross BlueShield and Premera BlueCross BlueShield breaches resulted in the potential leaks of name, date of birth, social security number, bank account information, telephone and address for over 21.7 million healthcare subscribers.
  • Credit Service Provider Experian was targeted by hackers, compromising the the private data of its 15 million T-Mobile customers. The compromised data included social security numbers, dates of birth and ID numbers.
  • CVS Pharmacy had to pull its popular online photo print ordering site due to a suspected hack. Credit card data, email & postal addresses, phone numbers and passwords were taken. It’s not clear how many millions were affected
  • Toy manufacturer VTech suffered a scary breach, especially considering that the hack attack affected the privacy of innocent youngsters. Leaks of child profiles (including name, gender and birthday), sales logs, email, profile photos and activity logs affected lose to 5 million parents and more than 6 million children.

AnyAnd of course, there was the infamous Ashley Madison attacks, which, for better or worse, resulted in the outing of 37 million cheating users. Companies are taking a lot of data, but understandably consumers are worried if this private and valuable data is being adequately protected. Yet new Internet bills that have been introduced, which ideally would provide advanced protection, have certainly not assuaged any fears. modern society requires an effective and rational law enforcement system. Gathering, storing, and analyzing extensive information are vital to the law enforcement process, even though some information will also be gathered about persons who are manifestly beyond suspicion. Privacy concerns arise most clearly when law enforcement agencies gather information about those who have broken no law and are not suspects, or when such information is used for purposes other than the discovery or prosecution of criminals, or when the very process of gathering the information or the knowledge that such information is being gathered changes the behavior of those who are clearly innocent and above reproach.

The passing of the CISA bill has been extremely controversial, as we discussed in our blog post 10 Things to Know About the CISA Bill. The bill, which, as stated, aims to “improve cybersecurity” with “enhanced sharing of information about cybersecurity threats,” essentially encourages the sharing of Internet traffic information amongst private entities and federal government agencies with the hopes of preventing large-scale cyber-attacks. It has, however, been criticized by many cybersecurity and online privacy advocates. They point out that it incentivizes businesses sharing their data with the government and other businesses, rather than encouraging the actual heavy lifting required to ensure real protection against cyber-attacks.

INFORMATION TECHNOLOGY, PRIVACY, AND NATIONAL SECURITY

Nowhere is the disparity of power and resources greater than that between the individual citizen and the federal government. At the same time, it is primarily the federal government that needs to gather information not only for law enforcement purposes but also to ensure the national security of the country. Such data-gathering activity differs in several respects from similar activities performed for law enforcement, notably in the procedures that must be followed, the oversight that constrains the intelligence agencies, and the ability of those about whom data is gathered to view and amend or correct that data.

National Security: The Other Side of the Coin

The recent course of events, like the Paris Terror attacks and San Bernardino shootings, reveal that the global online reach of terrorist groups can’t be ignored either. The use of the web and social media channels is increasingly popular among extremists who have been successful in using these channels to recruit, radicalize and raise funds. As many of us already know, Terrorist groups avidly uses all forms of social media including YouTube, Twitter, Instagram and Tumblr. One day the group reached an all-time high of almost 40,000 tweets in one day as they marched into the northern Iraqi city of Mosul.

Since the highly coordinated Paris attacks, which took the lives of 129 innocent people, there’s been a great deal of talk regarding the measures international governments should and will take. The attacks highlight the mounting difficulties Western intelligence agencies are having tracking and thwarting terror attacks as terrorists increase their online presence and move towards sophisticated methods of encrypted communications. As Yahoo News reported, Nick Rasmussen, the current director of the NCTC, National Counter Terrorism Center, told a congressional committee that terrorists are displaying a growing ability to communicate “outside our reach” and the difficulty in tracking their plots is “increasing over time.”

Terrorists’ aggressive and sophisticated approach towards online communication, coupled with the new obstacles in tracking their activity, poses a unique challenge for government intelligence agencies. In reaction, government authorities have sought to establish new, more powerful legislations. The UK Investigatory Powers Bill, for instance, aims to revamp rules governing the way authorities can access people’s communications in order to help the government combat crime, terrorism and other threats to national security.

However, like CISA, this bill has raised strong privacy concerns. For instance, it includes new power requiring communications firms, such as broadband or mobile phone to hold a year’s worth of consumers’ communications data. In the past, under the existing law, government agencies could ask firms to start collecting this data but couldn’t access historic information because companies didn’t keep it. The UK Investigatory Powers Bill has also come under hot water due to its approach towards encryption. The bill includes a clause that would compel companies in the UK to hand over their encryption key so that scrambled messages could be decoded and read. Most recently, Apple has taken a stand to voice their concerns about this, pointing out that doing so could also inadvertently create a weakness that others could then exploit, making users’ data less secure. As the BBC reports, the company stated: “A key left under the doormat would not just be there for the good guys. The bad guys would find it too.”

National Security and Technology Development

While law enforcement agencies were among the early adopters of information technology, the agencies involved in intelligence gathering and analysis have often been the generators of technological innovation. Since the efforts during World War II to break the codes of other countries and to ensure that U.S. codes could not be broken, the intelligence community has directly developed, collaborated in the development, or funded the development of much of the current information infrastructure.

Many of the technologies that are used to gather, sift, and collate data were developed initially by the intelligence agencies either for the purposes of cryptography or to allow them to sift through the vast amounts of information that they gather to find patterns for interpretation. At the same time, the cryptographic techniques that can be used both to ensure the privacy of stored information and to secure channels of communication trace their roots back to the same intelligence services, in their role as securers of the nation’s secrets. Moreover, many of the concepts of computer security, used to ensure that only those with the appropriate rights can access sensitive information, have been leveraged from developments that trace back to the intelligence or defense communities.

There is considerable uncertainty outside the intelligence community about the true nature and extent of national capabilities in these areas. Many of those concerned about protecting privacy rights assume that the technology being used for intelligence purposes has capabilities far above technology available to the public. Rightly or wrongly, it is often assumed that the intelligence community can defeat any privacy-enhancing technology that is available to the general public and has a capability of gathering and collating information that is far beyond any that is commercially available. Given the secret nature of the national security endeavor, this assumption is understandably neither confirmed nor denied by either those intelligence-gathering groups themselves or the governmental bodies that are supposed to oversee those groups.

Terrorism has become more ferocious following the September 11, 2001 attacks in the United States. Since then, it has spread across Europe, to parts of Asia, specifically in Mindanao. Along with rising criminality, advocates claim the havoc brought by both is enough justification for the adoption of a national ID system. They said the system can help government determine quickly the status of individuals and weed out those with false identification and false intentions. On everyday life undertakings, a national ID card could obviate the worries and problems of presenting the “valid IDs” required in order to consummate transactions with government and private sector. Yet, those against the idea find the program’s feasibility a problem. They insist that it would be difficult to ensure that all of the country’s population would register. The case of vagabonds is one example. The cost of a tamper-proof ID is also expensive. Note that it would need trained people to distribute them too. Most important of all, it has a high potential for abuse, i.e. invasion of privacy. Unscrupulous individuals could use the national ID system to fleece other people while government officials could use it as an effective weapon against their critics, even those with legitimate grievances.

Pros of Government Surveillance

1. It is one of three primary methods of collecting information to keep people safe.

Marc Thiessen from The Washington Post argues that there are only three ways that the government can collect the data that is needed to keep everyone in the country safe. Officials can obtain the information by questioning subjects, infiltrating enemy groups, or using intelligence resources to monitor communications. Even though this effort can track the phone calls, text messages, and emails of millions of people who pose no threat to the country, the argument is that the government surveillance is necessary to detect any association to international terrorism.

2. Surveillance does not create a threat of physical harm on its own.

When the government is performing surveillance over video, communication lines, and Internet resources, then no one is being physically harmed by these activities. You can install trackers on a vehicle that might invade some of your privacy, but it will not be an actual attack on your person. Because the goal of this work is to discover criminal activities, many people believe that the ends justify the means when it comes to keeping everyone safe.

3. The act of surveillance acts as a deterrent to would-be criminals.

Because there is an extensive web of government surveillance in place across the country, there is a natural deterrent in place that stops criminal activity before it can start. People tend to react to safety interventions instead of responding to them, which means their effort at harming someone is stopped before it can start. When those with nefarious intent discover that they have no way to hide from law enforcement, then there are fewer incidents that will eventually come to fruition. That won’t stop the individuals who take their communication underground, but it can pick up many of the conversations and messages that people exchange when trying to coordinate an attack.

4. It provides a real-time look that provides an accurate account of events.

When we look at the case of Trayvon Martin, who was an unarmed African American teen that was shot because of his appearance, the most important evidence was the words of the shooter about how the argument between the two began. During the trial, the statements of the eyewitnesses differed, creating uncertainty about the sequence of events. With surveillance in place, it would have been much easier to determine what happened and what level of justice was necessary in that circumstance.

5. Surveillance equipment can be installed almost anywhere.

The modern equipment for government surveillance can go almost anywhere. You can find cameras installed on telephone poles, stop lights, and in the ceilings and exterior of homes and businesses around the world. There are automated license plate readers that can be installed almost anywhere to track driving patterns in the city. Drones can provide real-time surveillance as well. Then you have the secret programs of the government that can record and analyze data automatically on a mass scale.

6. Government surveillance can occur on a global scale.

Under FISA 702, the U.S. government can collect a massive quantity of detailed, sensitive, and intimate personal information about individuals from all over the world. This advantage includes anyone who has a foreign intelligence interest for the government. That means we can even eavesdrop of foreign ambassadors, gather information about commodities, and then use all of this information to gain more leverage during negotiations.

Cons of Government Surveillance

1. It is impossible to catch everything that happens in society.

When the government is conducting surveillance on a mass scale, then it is impossible for the monitors to pay close attention to everything that happens in society. Even when there are automated systems in place that can alert the authorities to suspicious behavior, conversation keywords, or specific subjects who could be problematic, the number of false positives in the system are always going to be greater than the real problems you’re trying to catch. The world is full of a variety of conversations that makes monitoring all of them an imprecise effort at best. From the words with double meanings to metaphors that alarm systems unintentionally, there is a lot of data to sort through. That reduces the chances to catch something of concern.

2. Anyone can connect the dots in hindsight.

When we look back at the various acts of violence that were captured through government surveillance, it is notable that many of the perpetrators tend to appear on watch lists because of the sheer amount of data collected. When Boston bomber Tamerlan Tsarnaev was placed on a terrorist watch list before attacking the city during the marathon, it was much easier to see the behavioral patterns and actions that led to the event after the fact than it was to predict what his actions would be. This issue creates a conundrum for government surveillance. You can always see clearly in retrospect. That means we tend to learn more when we start to connect the dots instead of trying to prevent problems in real time.

3. Surveillance misses lead to even more data being collected on people.

When there is a miss from government surveillance activities, then the reaction tends to be an ever-closer analysis of the information that was collected already. It can also lead the authorities to add even more surveillance to create additional data to sift through in the hopes that the real threats can be isolated from the false ones. This outcome means that there will be more privacy invasions over time as AI and human investigators apply a mass-scrutiny policy to their review efforts. “There will come a time when it isn’t ‘They’re spying on me through my phone’ anymore,” said Philip K. Dick. “Eventually, it will be ‘My phone is spying on me’.”

4. Government surveillance places innocent people under investigation.

Even if the data collected through government surveillance creates a reasonable suspicion of conduct for the targeted person, there may not be a guarantee that the individual is guilty. When we increase the amount of coverage that’s available in society, then we begin to restrict the rights of those who don’t deserve security interventions. We have already seen innocent people being placed on watch lists, having their lives placed underneath the microscope of an investigation, and it occurs with ever-fewer pieces of evidence that back up the scope of what is happening. “There are no private lives,” said Dick. “This is a most important aspect of modern life. One of the biggest transformations we have seen in our society is the diminution of the sphere of the private.”

5. The government can use the information for its own benefit.

The information that the government collects through surveillance can provide more data on behaviors and choices that go beyond the need for safety. This effort could help politicians discover unique data points which might predict voter behavior patterns in an election. It shows a person’s travel patterns, the structure of their social networks, and even the products they prefer to purchase at the grocery store. When the government can use the information from surveillance to influence people to vote or buy in specific ways, then they are changing the very fabric of society. It is an authoritarian way to govern without the presence of a dictator to direct traffic. “Under observation, we act less free,” said Edward Snowden, “which means we effectively are less free.”

6. Government surveillance sweeps gather more bystanders than subjects.

In an analysis of the information gathered through FISA 702, the number of non-targeted communications are 10 times greater than the data that the government actually wants to analyze from a suspect. Even if the goal is to spy on foreigners only, the huge volumes of data cannot help but to bring in information from email exchanges, photographs, social medial sharing, and conversations. The government classifies the unwanted data as being incidental, but that doesn’t necessarily stop the information from being used in inappropriate ways. Once the data is acquired, other law enforcement agencies can search through the information without the need to obtain a warrant in some situations.

7. There is a persistent threat for insider abuse.

There are already documented cases of agents in the government taking advantage of the data that surveillance programs collect information about others. It is easy to access this data to look at what is going on with a spouse, a mistress, or someone who is a personal enemy. The problem is so prevalent that there are nicknames for these searches. The insider abuse of this data also applies in the form of attorney-client privilege. Governments are not bound to recognize this confidential nature of this relationship with the data that they collect. That means people could potentially incriminate themselves through surveillance even though they believe that there are protections in place while they prepare for their defense.

8. Individuals can be charged without any knowledge of their participation.

This disadvantage comes to us courtesy of the Upstream program from the NSA. The government scans the information that flows over the internet to see if there is information about foreign intelligence targets. If you mention a political figure to a friend who lives overseas, then that could be enough to trigger a review of your conversation. Discussing their address or contact information could even lead to charges. This issue could apply if you’re having a conversation with someone who commits a crime without your knowledge. In the United States, government surveillance efforts could collect your whole email account even if there is only one email that triggers the automated review systems.

9. There may not be any oversight over the government surveillance programs.

Under section 702 in the United States, there is no judicial participation in the targeting decisions made by the government. The courts will assess the procedures to determine if they fit into the correct procedures that authorize this monitoring. There is no actual oversight on the targeting decisions that get made. That means any of the information that is collected through incidental gathering can flow to law enforcement even though it was never authorized by a judge.

10. There is an expense to consider with government surveillance.

When you consider all of the technology investments, labor, and analyzing hours that go into a government surveillance program, the amount of money that gets spent each year can total several billion dollars. That money comes through taxpayer support in the name of defense, which means the population effectively pays for the data that the government could potentially use against them under the right set of circumstances.


With each new piece of technology, a dangerous cat-and-mouse game emerges – increased connectivity also leads to a greater chance of a breach of confidentiality. That is why the Special Rapporteur calls upon the UN human rights mechanisms to update their conceptualizations of the right to privacy in the context of new technologies. Without this, existing protections will not just become outdated. Rather, inaction to reconceptualize how our privacy is protected will leave the door wide open for States to abuse new technology, violating our rights in the process, all because those with the power to do so refused to act. Any State that is serious about promoting the right to free expression must get serious about promoting the right to privacy. A free and open press is nothing if the journalists writing for the papers are at risk of surveillance; if the individuals who read the online news sources are being tracked and their data recorded. Just as security cannot be used to justify the suppression of minority opinions, so too it must not be used to justify the monitoring, profiling, tracking and general unwarranted interference with our lives, our autonomy, and the development of our personalities.

Privacy is the fundamental barrier that stands in the way of complete State control and domination. Without it, the social contract is broken, and individuals cannot recognize their democratic rights to participate, build, grow and think. A citizenry unable to form or communicate private thoughts without the interference of the State will not only be deprived of their right to privacy, they will be deprived of their human dignity. For the ability to freely think and impart ideas is essential to who we are as human beings.

Investigating with CSI Linux

Taking all of this into consideration and because CSI Linux focuses on “full stack” digital forensic investigations, we made a point to choose the side of privacy or a “need to know”. The goal is to protect collected evidence along with the identity of those doing the investigation. The last thing you want is to risk the case or even the lives of your team, your family, or yourself. Unfortunately, in extreme circumstances, lives can be at risk, depending on who the suspect is and what kind of investigation is being done. Some “bad guys” just don’t want to go to jail. We have added several open source solutions within the investigative platform including tools that offer “military grade” encryption (FIPS 140-2) to protect the digital evidence along with several methods for secure communications with other investigators, informants, or suspects while adding the option for collecting and preserving that evidence.

We have also included methods to communicate securely online. We even teach how to set up a Tor hidden service in our Dark Web Investigation certification course. If you are doing an online investigation (OSINT, SOCMINT, etc.), much of the communications will be public, unencrypted, and/or stored on a server. Most systems bleed data all the time. It takes good OPSEC to minimize that leakage to an acceptable risk level. Once the evidence is collected, it takes more OPSEC or due diligence to minimize the leakage from both internal and external sources. If you are an organization or agency, this is where it is a good idea to invest time and effort into good policies and procedures along with good Standard Operating Procedures (SOPs).

This needs to be said. Do not ignore or even destroy evidence when it does not fit your theory or the allegations. Digital forensics and investigation is a science. It is your job to prove or disprove a theory using reproducible methods. If you do find something that proves your theory wrong, verify it to make sure. This evidence then becomes exculpatory. Since investigating is the process of uncovering the truth, go where the truth leads.

References

Image credit: csilinux.com

csilinuxlogo

Get the latest articles on your email