August 1, 2011 12:55PM

Privacy Is Security

Here’s a point that ought to seem obvious: “Security”—whether physical or electronic—is always a function of the thing you’re trying to secure. If I were to tell you that my Washington apartment has barred windows, an outer front gate, a deadbolt on the inner door, and an alarm system to boot, you’d probably say my home sounds highly secure. If I told you that the precise same measures were the complete security system for a bank, you’d laugh. The reason is obvious: Unless I finally push the NSA over the line, my apartment only needs to withstand attacks from local thugs. A bank’s security must be able to withstand assaults from seasoned teams of professional criminals who — with millions as a potential jackpot — may be willing to spend weeks in planning, take extraordinary personal risks, and “invest” thousands of dollars in burglary equipment or bribes to insiders. My Apple gadgets and comic book art — though precious to me — are unlikely to inspire such extraordinary expenditures of time, effort, and money. Put another way: My apartment is “secure” when my security system makes the risk‐​adjusted cost of a break‐​in attempt higher than the value of my stuff to a prospective burglar.

Many people don’t find this as obvious, however, in the context of data security—a point I allude to glancingly in a New York Post op‐​ed this morning that takes aim at a data retention mandate wending its way through Congress. If I started storing big piles of gold bullion and precious gems in my home, my previously highly secure apartment would suddenly become laughably insecure, without my changing my security measures at all. If a company significantly increases the amount of sensitive or valuable information stored in its systems — because, for example, a government mandate requires them to keep more extensive logs — then the returns to a single successful intrusion (as measured by the amount of data that can be exfiltrated before the breach is detected and sealed) increase as well. The costs of data retention need to be measured not just in terms of terabytes, or man hours spend reconfiguring routers. The cost of detecting and repelling a higher volume of more sophisticated attacks has to be counted as well.

One very simple security measure a company can practice, then, is to simply avoid retaining enough data to attract the interest of the most skilled professionals (or, alternatively, those willing to hire out botnets to aid their attacks). Because the adequacy of a security system is always a function of the payoff of breach to the attacker, then, privacy is an important component of security, as well as a value worth respecting for its own sake.