The Strategy of Using Security to Protect Privacy Peter P. Swire Ohio State University Consultant, Morrison & Foerster, LLP Data Protection Commissioner.

Presentation transcript:

The Strategy of Using Security to Protect Privacy Peter P. Swire Ohio State University Consultant, Morrison & Foerster, LLP Data Protection Commissioner Conference Montreux, September 14, 2005

A Shift In This Talk
- I provided different materials to the conference last month
- Today is my 4th privacy or security conference in Europe in past two weeks
- Today's talk focuses on the most important theme from this experience

Theme for Today
- Political challenge to data protection after 9/11
  - Security often trumps privacy
  - Burkert, Cavoukian & need for strategy and allies
- Theme: need effective, critical examination of proposed security measures
  - Show when they are bad for security
  - Often an effective way also to protect privacy
  - Examples here for government access to commercial data

Overview
- My background
- Data retention and its security flaws
- Security critiques of other government access to data
- Conclusions

My Background
- Now law professor, Ohio State University
- 1998, None of Your Business book on EU-US data protection & e-commerce
- 1999-early 2001, Chief Counselor for Privacy for the Clinton Administration
- Much work since on many privacy & security issues

Data Retention Strategy
- Overall, in addition to privacy, stress
  - Cost
  - Security
- Data preservation is likely the best policy outcome
  - Save records where have individualized suspicion
  - Is strict enough for the US
  - Complies with Cybercrime Convention, etc.

Critiques of Data Retention
- Data protection argument
  - Data retention is bad, not proportionate
  - Will lead to many secondary uses
- Familiar cost argument
  - High costs to ISPs, etc.
- Familiar data security argument:
  - Huge databases become targets for future attacks
  - Security measures for the databases are hard

Other Threats to Security
- Security threats to the intelligence & police agencies
- Risks for all government agencies
  - Their web & activity will be retained as well!
  - Unknown outsiders, in ISP and government agencies elsewhere, can see this data
  - Invite their CIOs to testify
- Undercover cops & other confidential activity
  - Data retention of contacts between undercover operatives & their agencies
  - Invite these cops to testify

A Double Bind
- If police & intel actions are retained:
  - Risk that terrorists, organized crime will target ISPs
  - New burden of background checks at ISPs
    - Including universities, small ISPs
  - Costs and risks at ISPs go up
- If police & intel are not retained:
  - Would need complex & expensive system to shield these activities from the system
  - The hole for police would be a hole for others to exploit
- Either way, have costs & security risks
- Put burden of persuasion on the other side to explain

Solution on Data Retention
- Better to use the U.S. approach of data preservation than a data retention regime
- These individualized searches will not expose the police and intel agencies to surveillance by terrorists & organized crime
- Better for privacy, cost, & security
- That has been a winning coalition in U.S.

Security & Other Issues
- Other current data protection debates
  - Biometrics
  - RFIDs & other pervasive computing issues
  - Identity theft
- Technical security critiques will reduce the risk of bad systems in these areas

Conclusion
- Information Security is clearly part of Data Protection
- Effective critiques on security are part of the core mission of DPAs
- Pragmatic politics
  - Gain allies to critique badly-designed systems
  - Staff within DPAs
  - Participation in cybersecurity conferences & activities

Conclusion
- The critique of security as part of DPA efforts
  - No need to abandon traditional efforts
- The results will be better legal and technical decisions
  - More secure & efficient systems
  - Better protection of human rights
- A pragmatic strategy to achieve high moral goals

Contact Information
- Professor Peter P. Swire
- Phone: (240)
- Web: