A question of trust and identity

What is the right balance between security and privacy?

This is a common starting point in many policy discussions, especially in government. It’s a trick question because it presents the conversation as a balancing act between two values as if they are antithetical. They are not.

In practical terms, privacy is security. It is the first thing a security professional learns as part of the Confidentiality-Integrity-Availability “CIA” acronym. Privacy is the individual’s confidentiality control.

Part of the reason we get into trouble when having these discussions is that most people confuse trust with identity. In our immediate surroundings, identity is the only basis of trust. I trust those I know. But in a larger and interconnected world, I cannot know everyone I need to trust, so I have to use references. I ask my neighbors if they know a good plumber and use their trust as a proxy to extend my trust. Do I care if the plumber is John or Suzy? If they bank with CorpBank or if they are licensed to drive? Not really.

Read more

For more articles on privacy and security issues, visit IT World Canada’s Security Knowledge Centre

In an even broader context I use other proxies for trust. I check an eBay seller’s “feedback” rating, I read product reviews by consumers on Amazon. I read with interest the opinions of blogger “Jerome” on the price of oil because of his track record. Yet truly, I have no idea if Jerome is a he, or if the alias Jerome is “his” real name.

If I need more trust in a transaction I look for “attestation” by a trusted organization. The DMV has attested that I can drive. Fair Isaac has attested that I pay my bills with a confidence level above 750 out of 800. As a society we hope that both the DMV and FICO have a reliable process that leads to predictable results.

But it’s important to differentiate between the narrow aspect of identity they validate (attestation) and the identity itself. If the DMV says I can drive, what difference does it make if my last name is unpronounceable and Greek-sounding? As long as the fact that I am licensed to drive can be securely associated with my person then my name, address and all that other info is irrelevant. Worse, it is a liability because every time I pull out an ID that is “comprehensive” I reveal far more than necessary for a specific transaction.

With advances in cryptography and in an increasingly online world, we don’t have to expose our full identities just to attest to a single fact. No one needs to know my birthday to buy my toaster on eBay. If we differentiate between identity, attestation and trust we can actually achieve both privacy and security. In fact, the more privacy we have, the more secure we can all be.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Related Tech News

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Featured Reads