Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Slashdot Log In

Log In

Create Account  |  Retrieve Password

Why Privacy & Security Are Not a Zero-Sum Game

Posted by kdawson on Mon Jan 21, 2008 08:17 PM
from the insert-ben-franklin-quote-here dept.
Security Privacy
I Don't Believe in Imaginary Property writes "Ars Technica has up a nice article on why security consultant Ed Giorgio's statement that 'privacy and security are a zero-sum game' is wrong. The author reasons that, due to Metcalfe's law, the more valuable a government network is to the good guys, the more valuable it is to the bad guys. Given the trend in government to gather all of its eggs into one database, unless more attention is paid to privacy, we'll end up with neither security nor privacy. In other words, privacy and security are a positive-sum game with precarious trade-offs — you can trade a lot of privacy away for absolutely no gain in security, but you don't have to."
+ -
story

Related Stories

Submission: Why Privacy & Security are Not Zero-Sum Games by Anonymous Coward
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

Why Privacy & Security Are Not a Zero-Sum Game 50 Comments More /

 Full
 Abbreviated
 Hidden
More
Loading... please wait.

  • Yes, well ... (Score:5, Insightful)

    by ScrewMaster (602015) on Monday January 21 2008, @08:22PM (#22132920)
    he's right ... but the thing is, the Federal Government isn't doing this to provide us with more security, they're doing it to provide themselves with more power, power over us. Consequently, they don't much care about our privacy, and there's no reasoning with them on that score.

    • Re:Yes, well ... (Score:5, Insightful)

      by Kazoo the Clown (644526) on Monday January 21 2008, @08:41PM (#22133030)

      he's right ... but the thing is, the Federal Government isn't doing this to provide us with more security, they're doing it to provide themselves with more power, power over us. Consequently, they don't much care about our privacy, and there's no reasoning with them on that score.

      You're right about that-- but they also don't much care about our security, for the same reasons. As long as some "bread and circuses" rewards them political brownie points, they can pass legislation "designed to increase security" that actually decreases it, and they can still come out ahead while the rest of us lose...

      If you want either security or privacy, the absolute last place to look for it is the Federal Government-- they're much of the problem, not the solution.

        • Re: (Score:3, Insightful)

          by Miseph (979059)
          Don't be silly, power and profit are the exact same motive. People/corporations/governments seek more power as a means of acquiring more profit and more profit as a means of acquiring more power.

          The system is broken and nobody in the mainstream (not even that racist lunatic Dr. Paul) has any interest in actually fixing it. One side wants to speed the whole thing and squeeze as much as they can out of it before the whole thing explodes and the other wants to try and throw on a fresh coat paint and hope it ke

          • Re: (Score:2, Insightful)

            by KDR_11k (778916)
            Don't be silly, power and profit are the exact same motive.

            I'd rephrase that to "power and profit are closely connected". Paul doesn't have any intent on changing that, AFAIK the libertarian idea is to make money = power by introducing the "vote with your wallet" idea to any sort of question which of course distributes voting power equal to income and strengthens the connection. No idea why people support it when it's pretty damn sure they're not the ones getting the big power from it. I assume it's some so

          • Re: (Score:3, Interesting)

            by alexgieg (948359)

            . . . power and profit are the exact same motive. People/corporations/governments seek more power as a means of acquiring more profit and more profit as a means of acquiring more power.

            This isn't quite accurate. The desire to be rich and "powerful" in the economic sense isn't the same as the desire to be powerful in the proper, political-military sense.

            To be more precise, you need tough, ruthless, "comfort is for sissies" guys to tame and mostly pacify a society as a necessary, although not sufficient, cond

    • Well, yes, but... (Score:5, Insightful)

      by caitsith01 (606117) on Monday January 21 2008, @08:53PM (#22133092) Homepage Journal
      ...they justify it and gain popular support/acquiescence using supposedly rational arguments, so it is a worthwhile expenditure of effort to criticise and dismantle those arguments.

      So if some security expert idiot is wandering around convincing people that security "versus" privacy is a "zero sum game", then one effective counter-tactic is to explain how that is incorrect.

      You are not reasoning with "them" as in, "the Federal Government". You are reasoning with "them" as in, "your fellow citizens, whose approval or at least inaction is needed to allow these things to happen."

    • Re:Yes, well ... (Score:5, Insightful)

      by slarrg (931336) on Monday January 21 2008, @09:09PM (#22133180)
      To prove your point, let's propose to make congress the most secure place on earth by taking all of their privacy away. If removing privacy makes them secure they should do it, however, if removing their privacy makes them less powerful....

    • Re:Yes, well ... (Score:5, Insightful)

      by Anonymous Coward on Monday January 21 2008, @09:09PM (#22133182)
      All Americans suck because they'd gladly trade their privacy (without even knowing it) for the mere perception of security (without even verifying that the trade went through).

      Sufficiently general?
    • (I feel obliged to ask the same question whenever this point is brought up)

      the Federal Government isn't doing this to provide us with more security, they're doing it to provide themselves with more power, power over us.

      Why? What's the point in trying to expand powers subversively, when election terms are of limited length, it doesn't produce a bigger retirement fund, and it's more difficult, costly, and risky than just electioneering, and giving the people what they want? Could it be that the Federal Govern

        • Hello again! Once again, you thread-jack me, and call me a liar (I assume, since you, again, didn't say it outright). But fair enough, any post on /. is fair game.

          There are other sources of income for corrupt ex-Senators.

          I tentatively guess that you mean they can get lobbying jobs through senate connections? Right, well that's not good, but not particularly relevant either. The OP was talking about security measures and how the politicians want more and more control over us. The article you linked to provid

            • I'm also familiar with the term 'Netiquette, though, and if I fouled, I apologize. I don't mean to "thread-jack" you.

              Don't worry about it. I do it all the time ;) I was a bit more concerned about the "liar" tag though.

              To be honest, the whole argument was weak, but that wasn't the point. I just get sick and tired of people assuming the government is out to get them. (Actually, I get sick and tired of a lot of things on /.) What I'm saying is that you first need to ask those questions before pointing fingers,

      • Re:Happiness (Score:5, Funny)

        by Anonymous Coward on Monday January 21 2008, @08:32PM (#22132978)
        I concur. It is based on the Law of Conservation of Happiness. If you punch somebody in the nose, you transfer their lost happiness to yourself. It is a universal law of nature. Our government, education, and financial systems know that and use it the extreme. While you may think that being anally probed by airport security sucks, the airport workers love it as do the Members of Congress who use it to get reelected.

        • Hmm, I read that as:

          "While you may think that being anally probed by airport security sucks, the airport workers love it as do the Members of Congress who use it to get erected."

          Same thing, I guess.

        • If you punch somebody in the nose, you transfer their lost happiness to yourself.

          Yeah, but if you hug someone, you give some to someone else, but you still get to keep the same amount yourself (or possibly lose or gain, depending on how much you like/dislike the other person). Plus, I don't think that the amount of happiness transferred is equal to the amount of pain inflicted, and some people *like* pain, so get extra happiness from being punched. There's probably some coefficient of transfer that applie

  • Right, in theory... (Score:5, Insightful)

    by Opportunist (166417) on Monday January 21 2008, @08:38PM (#22133010)
    But... that's not the point now.

    The current system of more and more data collecting isn't for more security. That's just how it's sold. It is, bluntly, control. Over your data and you. It is easier to pinpoint and neutralize "troublemakers" before they start gaining a lot of support.

    So I guess this very interesting point will go unheard. The ones that implement the system don't care (actually, they want it to be that way), the masses don't know (or think that zero-sum game is some sort of game show) and the little rest doesn't matter (and should they start to get too vocal, we'll invent a law against them).

    • Re: (Score:3, Interesting)

      by rtb61 (674572)
      Security and privacy have always been a struggle of the common man over autocrats. That is the history of democracy, the struggle of slaves, serfs and servants to gain control over their own lives, whilst the autocrats attempted to force servitude out of them. In order to maintain that servitude those slaves, serfs and servants had to be carefully watched and monitored , as the are inherently lazy, they are of low morals, they would steal bread off their masters table, they would dare to work together to fe

    • Re:Right, in theory... (Score:4, Insightful)

      by unlametheweak (1102159) on Monday January 21 2008, @10:51PM (#22133784)
      Yes it is control, but people fail to realize the psychological aspects of privacy, that is from the perspective of the spy.

      Having the ability to know everything about both their friends and their foes gives them a feeling of control, however transient and imaginary that may be. It is the act of trying to control their own psychological insecurity.

      It's like a patriarch snooping through their child's belongings, or reading their diary, it gives them a sense of power. In the end it doesn't matter why they do it; they have a compulsion to do it. It is not surprising that leaders in government and industry would do this because the same psychological motivations that drove them to positions of power are the same motivations that drive them to gain control in other areas. Much like Ford or Disney wanted to have total control of their employees; the same types of people in power today have the same psychological needs. Only laws and enforcement of laws that aim at mitigating these behaviors can help stifle the worst abuses. The real problem is trying to convince these people to give up some of this power once they have it. It's not an easy task. Nobody wants to give up (power).
      • Plato was wrong about a lot of things, but he did rightly observe that the desire to hold power is evidence of one's unfitness to hold power.

        Confounding and frustrating those who want to exercise power over us is not just enjoyable, it's a survival imperative.

        Putting out the eye of the cyclops is our only choice besides being eaten.

      • A troublemaker is anyone who questions the status quo with an impact on society itself. The key message lies in the second part.

        Everyone here (and on other boards) is lamenting the current situation. As am I. We're not troublemakers, because we simply don't do anything. But we would most likely support someone who does.

        If you read the sentence carefully again, you'll notice that the "they" refers to the troublemakers, not some nibulous THEM.

  • Darwin's law of terrorism... (Score:5, Insightful)

    by gillbates (106458) on Monday January 21 2008, @08:48PM (#22133068) Homepage Journal

    Terrorists who get caught don't continue to plan attacks...

    The fundamental problem with the privacy-vs-security argument is that it is a false dichotomy:

    1. When someone says, "I have no problem with the government listening in on my conversations or reading my emails," I ask, "Are you a terrorist?". Inevitably, they reply in the negative. Which leads me to ask, "How then, does the government reading your emails make anyone more secure?" Often, this results in an awkward silence, and then they begin to get it.
    2. Sometimes, they'll quip, "Well, how do they know who the terrorists are if they don't read all of the emails..." To which I reply, "If a terrorist is so dumb so as to discuss their plans over the phone or email, how much damage could they do?" I'll remind them of Richard Reid, who was so dumb he didn't know plastic explosives couldn't be detonated with matches.

    The fundamental problem with eavesdropping is that it assumes that the bad guys are willing to divulge key operational details over an insecure channel. Even the dumbest of criminals knows to shut up when the cops are around. So who do the feds expect to catch? That's right - ordinary Americans like you and me. When we become a "problem" to those in power, they'll have hours of phone calls and pages of emails, in which they will find something - no matter how innocent - which, when taken out of context, sounds nefarious. The famous quote, "Give me six sentences by even the most upright man and I will find a reason to hang him..." (or similar) comes to mind.

    Rather, I think it is helpful to expose the lies used to increase the amount of political power wielded by the executive branch.

    • Re: (Score:3, Insightful)

      by Vellmont (569020)

      Sometimes, they'll quip, "Well, how do they know who the terrorists are if they don't read all of the emails..." To which I reply, "If a terrorist is so dumb so as to discuss their plans over the phone or email, how much damage could they do?" I'll remind them of Richard Reid, who was so dumb he didn't know plastic explosives couldn't be detonated with matches.
      This is just a poor argument. Criminals do this all the time. They might not be dumb, they just don't think anyone is listening. Why do you think

      • That's not to say I approve of the "wide net" approach the Bush Administration has advocated. Far from it. My enormous problem with the approach is that it's warrantless.

        If you're a "suspected terrorist" they got all the means in the world to surveilance you, what they don't have an abundance of is suspects. You can't have warrants without suspicion, instead they use warrantless wiretaps to *find* suspects. Which is fine if you don't give a shit about the fourth amendment or the principles behind it and let the government do whatever it wants. I'm sure there's a lot of illegal things going on in houses, it doesn't mean they can search my house for no reason.

    • "If a terrorist is so dumb so as to discuss their plans over the phone or email, how much damage could they do?"

      Plenty.

      An idiot with a bomb he made/aquired and a reason to use it can do quite a bit of damage.

      I have no problem with the authorities listening in on people (including me), provided:
      . They have good reason to do so.
      . Another government organisation oversees such action.
      . Records are destroyed after the investigation is complete.

      The government reading my emails and tapping my phonelines _can_ make

      • Re:Darwin's law of terrorism... (Score:5, Informative)

        by gillbates (106458) on Monday January 21 2008, @11:08PM (#22133928) Homepage Journal

        The government is _not_ out to get you if you aren't breaking any laws.

        Actually, this is not true - the search and seizure laws passed as part of the War on Drugs allowed law enforcement to seize money and property from suspects without ever charging them with a crime. Having myself been deprived of property by the police in just such a situation, I would be inclined to disagree with you. You seem to believe that the power wielded by the FBI has no implications for corrupt individuals. I would argue that such power is specifically sought by corrupt individuals, and the web is full of supporting evidence. Research McCarthyism sometime. Or the civil rights struggle of the sixties.

        Or even the story of Randy Weaver, whose wife and infant were shot and killed by an FBI sniper. (And this because the Justice Department moved up his trial date without informing him. When he missed it, they issued a warrant for his arrest. And in spite of the fact that the sniper killed an innocent bystander, the sniper was given an award by the FBI. Think about that for a moment: our government issued an award to someone who killed an innocent woman and her infant child. And was later forced to pay a settlement - of taxpayer money, mind you - to her husband and children.)

        And let's not forget that Egyptian student that from which the FBI wrested a confession under duress. A confession that was later shown to be false. And no, the FBI did not compensate him for his lost time.

        But that's not the biggest problem, though. Certain laws are just plain immoral, and one cannot follow them without doing something wrong. For example, for many years in the US, racial discrimination was enshrined in law. In my state, Catholic pharmacists cannot legally practice their religion - they are forced to dispense birth control, even abortifacients, or face legal penalties. In the US, you are required to pay taxes on loan interest, even if you didn't collect any interest at all (because doing so would violate Mosaic law).

        So, if you are an advocate for any type of social change, you can be considered a disturber of the peace, and prosecuted for just about anything. The idea is not that they believe you are actually guilty, but rather, by using the government's seemingly unlimited resources against an individual, they can deny the individual the ability to effectively function as an activist. The problem with email scanning, as I see it, is that just about anyone's words can be taken out of context to mean something nefarious. Which means that - even though you, if innocent, and able to afford a lawyer - will eventually be exonerated, the process will drain you financially and take away years from your life. Sure, its better than prison, but the act of being charged in the first place is a de facto fine.

        • In the US, you are required to pay taxes on loan interest, even if you didn't collect any interest at all (because doing so would violate Mosaic law).

          This statement strikes me as being odd. If you don't collect interest, then paying taxes on interest you don't pay would be meaningless (because, tax_rate * zero_percent_interest = zero tax). Could you elaborate please.

          You also talk about Mosaic law (the law of Moses I would presume). I find it dubious that current US tax law is based on the Old Testament. At any rate, the religious freedoms you speak of are not relevant to privacy in anything but the most contrived manner. This is not a discussion about morality (religious or otherwise). I don't think anybody really wants to go there.

        • In my state, Catholic pharmacists cannot legally practice their religion - they are forced to dispense birth control, even abortifacients, or face legal penalties.

          Maybe Catholics just shouldn't practice pharmacy, if doing so in an acceptably complete and non-discriminatory way is against their religion. Just like Christians used to refrain from practicing banking (as collecting interest used to be considered a sin).

        • In my state, Catholic pharmacists cannot legally practice their religion - they are forced to dispense birth control, even abortifacients, or face legal penalties.

          Pharmacists only exist because of government interference in the free market: the only place you can buy birth control pills is a pharmacy. If it wasn't for the government making such rules, you could probably buy them from vending machines or just get them at the MegaMart.

          For pharmacists to benefit from government interference which cre

      • This is pretty naive. You say it would be OK, if there was oversight - but what makes you think there would be oversight?

        My dad's snail mail was being read while he was active in politics. We complained to the postmaster, who did nothing, because he was of the opposite political party. (Heck, it was probably his idea). The planning meeting for California had to be moved to a different location, because the United States Post Office was violating the privacy of snail mail for political gain.

        The impetus for

    • i>I'll remind them of Richard Reid, who was so dumb he didn't know plastic explosives couldn't be detonated with matches.

      You do that. But you should have your facts right:

      there was nothing unsophisticated about Mr. Reid's intended weapon: a wedge of plastic explosive dyed black and concealed in the sole of his high-top suede sport shoe. An official of the Federal Bureau of Investigation has confirmed that a highly unstable component known as triacetone triperoxide, or TATP, served as the trigger. T

    • "That's right - ordinary Americans like you and me."

      Who says they are not listening to "secure" channels (there are no such thing as "secure" channel) as well? If they decided to go with you and not listen to simple insecure channels they will have to assure you about that, right? Then "insecure" channel will become a "secure", because nobody is legally listening to it.

      If you are guarding a massive metal door with 3 locks on it, you also have to guard a whole in the metal fence as well.

      I am tired of listeni

  • Oh, it's much worse than that (Score:5, Interesting)

    by Rogerborg (306625) on Monday January 21 2008, @08:50PM (#22133076) Homepage

    It doesn't even take malicious access. In the UK, some low level government peon recently snail-mailed the financial details of 25 million people on discs that went missing [bbc.co.uk]. Since that broke, a slew of other government agencies, from health through to defence have dumped "me too" admissions into the shitstorm.

    The government's response? They'll put "new procedures" in place to ensure that it can't blah blah again blah fight them on the beaches blah.

    They're still pressing ahead with the National Database, misnamed as a National ID card (the equivelant of the USian Real ID). It's Total Information Awareness [epic.org] with a fluffier spin on it, but exactly the same goals: to know everything, about everyone, all the time, and Goddamn the consequences when (not if) the black hats get their greasy fingers on it.

  • That comment was elegant propaganda. (Score:4, Insightful)

    by fuzzyfuzzyfungus (1223518) on Monday January 21 2008, @09:01PM (#22133140) Journal
    As an actual assessment of security policy "Privacy and Security are a zero-sum game" is pretty much worthless. There are obvious empirical counterarguments viz. prisons, military bases and ships, and OpenBSD. The statement manages to be both too optimistic and too pessimistic all at once. It ignores the fact that many policies end up achieving a net gain of less than zero(letting the TSA bother passengers and not even glance at cargo, for instance), even if we value security and privacy equally. It also ignores the fact that there a fair number of possible policies that achieve a positive net gain.

    As a propaganda slogan, though, it is a masterstroke. It manages to imply, while sounding like good, solid, hardheaded, professional advice, that reductions in privacy automatically provide security, that defenders of privacy are enemies of security, and that proposals for plans that protect privacy and security are a bunch of unrealistic pie-in-the-sky crap.

    It also manages to completely ignore a facet of security that the American public has been absolutely terrible at(and politicians and the media have been all too willing to help them continue to be so): Risk assessment. We suck at it. We also have a strong bias in favor of flashy interventions and against boring ones. We often end up with interventions strongly modified by various political interests and of sharply reduced effectiveness. "Privacy and Security are a zero-sum game" makes it sound like we actually have it pulled together, that the professionals are on the case; when we hardly know what game we are actually playing.

    • There are obvious empirical counterarguments viz. prisons, military bases and ships

      Prisons can be so secure that they hamper the ability of a prisoner to be rehabilitated...or worse, make the prisoner more unstable and at-risk for criminal behavior. Look at what's neatly called administrative segregation [wikipedia.org]. It used to be known as solitary confinement, but now all types of people are put in ad-seg...people who are targets of gangs (who have done nothing wrong) for example. Some countries consider solita

  • "Security" is a greater threat than terrorism (Score:4, Insightful)

    by radtea (464814) on Monday January 21 2008, @09:39PM (#22133346)
    Number of people who have been killed in the United States in the past five years by terrorism: zero.

    Number of people who have been killed by the over-zealous organs of the state in the name of "security": greater than zero.

    Ergo, increased "security" is killing people and stripping them of their privacy. So as a matter of empirical fact the things people are calling "security" are negative, and the loss of privacy is negative, so it is a lose-lose situation for ordinary law-abiding Americans. They would be SAFER with less "security", as well as having more privacy. And more of something else, too.
  • There is simply no correlation between the two. There is no function or relationship that can map one onto the other, in either direction. There aren't enough parameters. It might be possible to define a function f() with the parameters of security, privacy, base cost, cost per incident, ease of implementation, time of implementation, ease of use, and latency, such that the function (which will not be linear) produces a constant. I don't guarantee it, though. Individuals are too variable, between each other and even between moments for the same individual, and an 8 dimensional non-linear topology is too simple to capture that. Even the sci-fi notion of psychohistory didn't work on individuals, but security and privacy is all about interactions between individuals.
    • That there's no correlation is just not true at all. There are plenty of things people can do with enough information about you, including but not limited to scams, manipulation, and impersonation. I hope it's obvious to you that each of those causes you to lose security, and that every individual's loss of security is, in general, a loss of security for society as a whole. All individuals, obviously, cannot be disconnected from society or there would be no society to speak of. The gains may not be as c
      • A loss of privacy could indeed lead to a loss of security, but a scam can equally well have the effect of you spending time to correct things (ie: it spends your time) and costing others - such as banks - money. Your security ends up unaffected, but only as a result of a transfer of the damage to time and money. Because the numbers can (almost) always be shifted around, I would argue that there can't be a direct correlation between any two variables, because that can never capture how your actions after and
        • > Your security ends up unaffected, but only as a result of a transfer of the damage to time and money.

          But then SOMEBODY ends up affected. There's no "board" here to transfer all the losses to, so somebody has to bear them. If anything, you point out how the costs are borne by society as a whole.
          • Yes, ultimately (no matter how the costs are nominally distributed) the whole of society is affected, either directly or indirectly, every time there is an attack via the vector of either privacy and/or security. "No man is an island" cuts both ways. As noted in this thread, any society, no matter how structured, is inherently highly inter-dependent or it is not a society. This makes each person's privacy and security (and, ultimately, mental and physical health, education and ability, as these directly imp

  • "Giorgio warned me, 'We have a saying in this business: 'Privacy and security are a zero-sum game.'"

    This was not meant to be a hard and fast equation, folks. Just like, "you can lead a horse to water but you can't make it drink" isn't meant to be 100% true all the time. I can force that damn thing to drink if I want it to, I guarantee you. It won't be pretty. I'm not that mean though.

    Not everyone in your government is out to get you. This guy is working with the national intelligence director, you be

  • most of the threats to your privacy don't even come from government, they come from businesses. and the businesses are just going to lobby Congress to limit their liability in case they do lose your data. because accountability is expensive. you don't think AT&T is ever going to have to account for anything, do you? of course not, they've got people. hell, even credit reporting agencies have no accountability. Congress decided that it would be your responsibility to make sure the data is accurate.
  • Hey, if privacy and security were really in a zero-sum relationship, then designing systems which diminish one would cause the other to increase.

    But we know this doesn't happen. It's easy to conceive of systems in which a decrease in privacy leads to a corresponding decrease in security. For example, take an existing bank system and decrease the privacy of administrative passwords. Does this change make the bank system more or less secure? Conversely, take an anonymous ballot system and decrease its s

  • I Don't Believe in Imaginary Property writes

    "Ars Technica has up a nice article on why security consultant Ed Giorgio's statement that 'privacy and security are a zero-sum game' is wrong.

    What the heck is "privacy" if not a belief in one's ownership of their private information — an imaginary property, which the article's prolific submitter holds in such disdain?..

    • As any politician will not tell you "the less the people know the more secure they are".

      There you go. Fixed that for you.

    • Re: (Score:3, Insightful)

      by QCompson (675963)

      Quakers are against all war and violence. There hasn't been any answers as to what "threat" they presented.
      They seem suspiciously peaceful.

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.