On a regular basis I find myself perplexed by someone asserting that they have a ‘right’ to something. This is particularly the case when someone tells me that they have a right to privacy. What on earth do they mean?
I am not the first to ask this question and many different (and often conflicting) answers have been offered. A right to maintenance of confidentiality over personal data, the right to be left alone, etc. These are all potentially useful definitions of this particular right, but what appears to be missing – IMHO – is an acknowledgement that rights are constructed by society. Rights do not have an existence outside of a social context. Different human cultures define rights in different ways, drawing on religion, culture and environmental drivers to construct baseline statements or principles regarding the privileges of individuals and/or groups.
I find the right to privacy (however it is defined) particularly odd. Humans are social animals. We congregate in groups and erect complex cultures and social structures. Social interaction is based on the exposure and sharing of personal data. All of that personal data that many of us consider private (such as your birth date, favorite color, etc.) is known by many people, only some of whom we know and can control through some sort of culture-based behavioral expectation. A lot of people tell me that the growth of IT has spurred the public outcry around privacy because IT makes personal information accessible to people and organizations that we do not personally know and with whom we do not share a cultural basis for management of behavior. The security analyst in me translates this to “we used to have security through obscurity (difficulty of getting access to personal data), but now the obscurity has been removed.”
This makes sense to me. As the use case changes, so must the controls we apply. If we are to enable innovation without taking on undue privacy risks, we need to develop new security approaches to replace the obscurity that we once enjoyed. But let’s not kid ourselves. The right to privacy under discussion is also changing as people are alternately repulsed by and attracted to the power of new IT service delivery options.
Rights are fluid and dynamic. Their meanings change across time and cultures and (here’s the part that drives IT security investment) the policies and laws written to define and enforce these rights will experience continual change. The end result is that your privacy and data protection program can never rest.