Stop confusing privacy for secrecy

In one of the most highly anticipated sessions ever at the annual South-by-Southwest (SXSW) culture festival, NSA whistleblower Ed Snowden appeared earlier this week via live video link from Russia.

Snowden joined two privacy and security champions from the American Civil Liberties Union – Chris Soghoian and Ben Wizner – to canvass the vexed tensions between intelligence and law enforcement, personal freedom, government accountability and digital business models.

These guys traversed difficult ground, with respect and much nuance. They agreed the issues are tough, and that the solutions are non-obvious and slow-coming.

Yet the headlines and tweets have been dominated by “Snowden’s Tips” for personal online security, as if he had been conducting a self-help workshop. He was reported to recommend we encrypt our hard drives, encrypt our communications, and use Tor (the special free-and-open-source encrypted browser). But even if such fine suggestions were within reach of the typical citizens, they are not true privacy measures.

Ed Snowden is a remarkably measured and thoughtful commentator on national security.  Despite being hounded around the word, he is not given to sound bites. His principal concerns appear to be around public accountability, oversight and transparency. When drawn on questions of technology, he doesn’t dispense casual advice; instead he calls for multifaceted responses to our security dilemmas: more cryptological research, better testing, more robust cryptographic building blocks and more careful product design.

So how did the media, both mainstream and online alike, distil Snowden’s sweeping analysis into three sterile and quasi-survivalist snippets?

Partly it’s media sensationalism. But there is also a deeper over-simplification of privacy going on which inhibits our progress.

Too often, people confuse privacy for secrecy. Privacy gets framed as a need to hide from prying eyes, and from that starting position, many advocates descend into a combative, everyone-for-themselves mindset.

However privacy has very little to do with secrecy.  We shouldn't have to go underground to enjoy that fundamental human right to be let alone. The social reality is that most of us wish to lead rich relatively public lives. We actually want others to know us – to know what we do, what we like, and what we think – but all within limits. Digital privacy (or more clinically, data protection) is not about hiding; rather it is a state where those who know are restrained in what they do with the knowledge they have about us.

Privacy is the protection you need when your affairs are not confidential!

Encryption is a limited measure for enhancing privacy.  As the SXSW panelists agreed, today’s encryption tools really are the preserve of deep technical specialists. Ben Wizner quipped that if the question is how can average users protect themselves online, and the answer is Tor, then “we have failed”.

And the problems with cryptography are not just usability and customer experience.  A fundamental challenge with the best encryption is that everyone needs to be running the tools. You cannot send out encrypted email willy-nilly – you need to first make sure all your correspondents have installed the right software and they’ve got trusted copies of your encryption keys, or they won’t be able to unscramble your messages.

Chris Soghoian also nailed the practical matter that current digital business models are largely incompatible with encryption. To a significant degree, we’ve become rusted on to free services from the Googles and Facebooks of the world. These corporations fund their fabulous offerings by mining our data streams and monetising what they can figure out about our interests, habits and connections.  That is, the web is actually fueled by surveillance – by Big Business as opposed to government.

End-to-end encryption prevents data mining and would ruin the revenue model of the companies we love. If we were to get serious with encryption, we may have to cough up the true price for our digital lifestyles.

The SXSW privacy and security panelists know all this. Snowden in particular spent much of his time carefully reiterating many of the basics of data privacy. For instance he echoed the Collection Limitation Principle when he said of large companies that they “can’t collect any data; [they] should only collect data and hold it for as long as necessary for the operation of the business”. And the Openness Principle: “data should not be collected without people’s knowledge and consent”.

It’s still early days for the digital economy. We’re experiencing an online re-run of the Wild West, with humble users understandably feeling forced to take measures into their own hands. But privacy is more about politics and regulation than technology.

I hope that people listen more closely to Ed Snowden on policy, and that his lasting legacy is more about legal reform and transparency than Do-It-Yourself encryption.