We’ve sacrificed a lot of privacy in the last few years in the name of security. Are we actually safer as a result?
The whole security vs. privacy dichotomy is a false one. There are many security measures—door locks, burglar alarms, tall chain-link fences—that have nothing to do with privacy.
It’s only identity-based security that affects privacy, and there are limits to that approach.
I’ve repeatedly said that exactly two things have made airplane travel safer since 9/11: reinforcing cockpit doors and convincing passengers that they need to fight back.
Those two things have no effect on privacy. Security measures that affect privacy, like ID checks, haven’t made us any safer.
The real dichotomy is liberty vs. control. And real security comes from liberty plus privacy.
Protecting computer security is usually seen as a technological challenge, but you refer to it as an economic problem. Why so?
Because if you don’t get the economic incentives right, no amount of technology will help.
Security is a trade-off, and people will weigh the cost of security against the benefits. It’s easiest to see this in a business environment—for example, is an anti-fraud measure more or less expensive than the fraud it will prevent—but it’s true everywhere: personally through nationally.
These trade-offs aren’t made in some abstract “greatest good” sort of way; they’re made by people based on their own personal situation. And if the costs and benefits aren’t aligned, people won’t make good trade-offs.
An example might make this clearer. A lot of identity theft comes from corporations not securing their databases filled with personal information.
Of course, they could spend more money to increase security, but the economic incentives aren’t aligned: the risk of identity theft is borne by those people in the databases, not by the company.
So it doesn’t matter what kind of technologies you invent; it won’t be worth it for the company to implement them. The way you fix this is by fixing the economics: making these data breaches costly to the company.
I found your writings about the psychology of security to be particularly interesting: about how we may feel we’re secure when we’re not, and vice versa. How does this gap affect our real world efforts to guard our security?
We end up with a lot of security measures that make us feel more secure, regardless of whether they actually make us more secure.
This effect is most pronounced when it’s hard to evaluate the actual effectiveness of a security measure.
Crime prevention measures are relatively easy to evaluate, because you can watch the crime rate go up or down.
On the other hand, anti-terrorism measures can be very hard to evaluate, because there simply aren’t enough events to get a sufficient data sample.
Fears, folk beliefs, and preconceived notions also make it hard to notice when the feeling of security doesn’t match the reality. So we end up with a lot of security theater.
The big question: Our personal PC security. When people ask you—as they often do—what they can do to protect their PCs, you’ve been known to answer “nothing—you’re screwed.” But you readily admit the reality is more complicated. What are the most essential things people need to do?
Backup. Backup, backup, backup. For most people, the biggest security risk is losing their data.
A regular backup will go a long way to making their computer more secure. And be sure to test those backups; they’re no good if the restore doesn’t work.
After that, invest in an anti-virus program and keep your patches up to date. Everything else is in the margins.