Lectures and the cybersecurity literature have long noted that security and privacy are not the same thing, although they are related.   The point of these many discussions is that security has to do with procedures and technologies that control access while privacy is about policies that prevent or discourage the misuse of data.  It has always been acknowledged that good security is needed to protect privacy, but there the discussions diverge.  

Understanding the differences between security and privacy and their logical relationship is best developed from the perspective of the threats that need to be mitigated.  More broadly, cybersecurity defenses seek to detect and prevent attacks that can lead to the loss of data, damage to the infrastructure, or threats such as ransomware that prevent access to the data by authorized users.   The loose connection to privacy is that these kinds of controls over access are a requirement to ensure that privacy protections are sustained.  

The thrust and energy expended on cybersecurity over the years has been about controlling access to the network as a whole.   For many systems, the assumption is that the investment should be devoted to ensuring that people accessing the network are who they say they are and that they have the right to gain access.  Hence, many systems were content to set up usernames and passwords and use them to grant access to all the data on the network.  This perspective was not very effective in deterring insider threats and even external threats based on such techniques as phishing. 

Eventually, the emphasis changed to put the focus on the data content rather than the network itself.  After some years of discussion and developing a consensus, the National Institute of Standards and Technology in August, 2020, released the Zero Trust Architecture Framework (ZTA).   The special publication, NIST SP 800-207,  says that “Zero trust (ZT) is the term for an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources….as the network location is no longer seen as the prime component to the security posture of the resource.”[1]

The concept of moving the perimeter where security is defined to the objects stored in a network instead of the network itself ties security and privacy together much more closely.  Policies controlling access to objects or data components can be implemented in new ways by embedding such polices in the objects themselves rather than indirectly through network access rules.   Privacy policies that vary as a function of the object itself can be implemented down to the data element level.  Concepts such as role-based access can be defined for a particular set of individual objects, derived from policies related to privacy rules or statutes. 

Security and privacy meet most forcefully in sharing imagery objects, particularly video imagery.  For example, video imagery collected from body-worn cameras worn by police officers that becomes evidence to be submitted at trial has in each object variations on the kind of security and privacy policy that must be supported.   Courts rightly insist on ensuring that the video evidence has not been tampered with while the prosecutor and the courts must ensure that the privacy of victims, witnesses or bystanders is protected.  The simultaneous protection from improper access or modification and the protection of the privacy of individuals included in the imagery can best be accomplished if the appropriate policies and access constraints are actually embedded in the object or file itself.  It is also possible to embed in individual objects the ability to monitor and report on attempts at improper access.[2]

Making the object perimeter the point of establishing protections by embedding the policies and technology needed is a better way to implement solutions when objects are distributed across networks.  Digital evidence, including videos, is passed from police to prosecutor to defense attorneys to courts, often on disparate networks and systems.   Instead of attempting to impose security and privacy rules across all relevant networks, the simple approach of embedding the policies and rules in the object provides the consistency needed across all applicable networks. At the same time, this approach permits access to those data objects authorized under the law without opening access to the entire network and all data. 

The shift to object-based perimeter protection enables the development of technologies that can control the capture of data so as to generate immutable storage possibilities that will protect against threats such as ransomware and assure stakeholders of the integrity of the original data.  In the case of video imagery, the assurance of original data or imagery integrity becomes a critical basis for the acceptability of proposed evidence. Equally important is the ability to protect certain data that cannot be shared to meet state Constitutional and statutory requirements without compromising the data integrity. Companies are creating the technology to guaranty the integrity of data capture. [3]  

The combination of a zero-trust architecture with rules of access and monitoring violations embedded in objects and the capability to make data capture immune from modification offers criminal justice agencies a way to guarantee the integrity of digital evidence and satisfy the courts as well as the public interest.  

[1] https://csrc.nist.gov/publications/detail/sp/800-207/final

[2] See for example, https://www.sertainty.com

[3] See for example, https://greentec-usa.com

2 thoughts on “When security and privacy meet”

  1. It was a pleasure to work with Paul on reviewing the legal policy implications with this type of data protection. I found it to offer a lot of potential for prosecutors who are required by Constitution, statute, and case law to protect the privacy rights of defendants, victims, witnesses, and innocent bystanders balanced against the importance of being transparent to the public and maintaining the rule of law. Going beyond typical redaction requirements embedding the access and rules around sharing of data in the data itself would provide invaluable assistance to prosecutors to help them meet the burdens for protecting privacy and the chain of custody at the same time and free up the time they would otherwise be required to spend on manually ensuring privacy and security for everyone in the justice system.

Leave a Reply

Your email address will not be published.