Security and privacy are dual obligations, not dichotomous rivals to be traded one for the other in a zero sum game. Designing technical information systems or applications for data sharing, data analysis or data security requires design and development strategies that can accommodate a diverse range of policy, legal and market considerations relating to the presumed tension between security (both national and systems) and privacy. Technical design choices constrain potential policy developments and implementations, and may or may not facilitate market adoptions. Therefore, technologists need to understand policy, legal and market concerns and requirements, and policy makers need to understand technical potentials and constraints.
Real-world procedural mechanisms to protect privacy, in particular those premised on inefficiencies in information acquisition, management and use (for example, doctrines of "practical obscurity" and anonymity through data transience) are challenged by automated information processing, particularly emergent data aggregation and data analysis technologies, as well as new identification, authentication and collection technologies.
Thus, technologists need to understand the policy, legal and market issues in terms of technical design requirements that can provide for rule-based interventions and accountability in automated processes -- thereby enabling familiar political or legal oversight and control mechanisms, procedures and doctrines (or their analogues) to function under novel, technology-enabled conditions. Relevant strategies are rule-based processing, selective revelation, and authentication and audit procedures. Relevant technologies include distributed access tools, intelligent agents, rule-based processing, privacy protocols, proof-carrying code, data labeling, data wrappers, encryption, analytic filtering, self-reporting data, network and systems security, and immutable logging, among others.
This presentation is intended to provide policy insight and practical guidance to technologists engaged in the development of advanced information and communication systems and applications.
K. A. Taipale, "Technology, Security and Privacy: The Fear of Frankenstein, the Myth of Privacy and the Lessons of King Ludd," 7 Yale J. L. & Tech. 123; 9 Intl. J. Comm. L. & Pol'y 8 (Dec. 2004)
K. A. Taipale, "Data Mining and Domestic Security: Connecting the Dots to Make Sense of Data," 5 Colum. Sci. & Tech. L. Rev. 2 (Dec. 2003) [executive summary PDF]
K. A. Taipale, "Designing Technical Systems to Support Policy: Enterprise Architecture, Policy Appliances, and Civil Liberties," Chapter 9.4 in "Emergent Information Technologies and Enabling Policies for Counter Terrorism" (Robert Popp and John Yen, eds., IEEE Press, forthcoming 2005). [introduction available online] See also the Policy Appliance Reference Model.
NSF Science and Technology Center for Discrete & Theoretical Computer Science (DIMACS) Rutgers University