What does privacy have to do with running a network? Quite a bit. For instance, maintaining privacy is one of the most important reasons to take security seriously — the privacy of confidential company information and the privacy of individual network users.
However, the importance of the individual user’s privacy is not self-evident to many — ‘if you’ve done nothing wrong, you have nothing to hide,’ right? Or, as Richard Epstein says, “The plea for privacy is often a plea for the right to misrepresent one’s self to the rest of the world.”
So before we dive into the finer points of privacy — a journey that will require a multi-part series on the topic — let’s think about why protecting user privacy is essential.
Privacy is a human right
Privacy is a human right. According to the United Nations Universal Declaration of Human Rights, article twelve: “No one shall be subjected to arbitrary interference with his privacy… Everyone has the right to the protection of the law against such interference or attacks.” Why is privacy a human right? Because it directly impacts the mental development and health of every person.
For instance, Westin and Solove argue that everyone needs “some time to lay aside their masks… to always be on would destroy the human organism;” and again “privacy gives each person the time and space to integrate his experiences into a meaningful pattern and to exert his individuality on events.”
Privacy is also tied to identity formation, the ability for each person to form and maintain their identity. Elizabeth Corey says: “Radical self-exposure leaves no place for the privacy necessary to form an authentic identity, as opposed to a performative one. Human beings need a realm in which we are free to act without anyone watching, without wondering what our recollection of the moment will look like on Facebook, and without having to produce some witty remark that will show how worldly-wise we are. Privacy allows us to engage in activities for their own sake. It also allows us to be sincere without embarrassment and to act without wondering how others may evaluate us.”
A second reason privacy is a human right is that the disclosure of personal information can often lead to what privacy professionals call interference or the ability to shape your decisions. In Nudge, Thaler and Sunstein note that how choices are presented can impact people’s decisions. Knowing a lot about a person allows choices to be presented to override their decisions.
We all have the right to represent ourselves the way we want — not to have our representation appropriated by someone else for their use. We all have the right to be free from social engineering. In short, we all have the right to be left alone.
Privacy can foster change
But privacy isn’t just a human right — it’s also a good idea to give people space within an organization. In Switch, Chip and Dan Heath describe the conditions under which medical internists worked for many years — 30 and 40-hour shifts with few breaks for a year or more. These working conditions led to many mistakes, dissuaded new people from entering the medical field, and ultimately cost money.
Some hospital administrators realized they needed to change the interns’ working hours — but it was deeply embedded in medical culture. One researcher studied hospitals that successfully changed their culture to understand how they had done so. A key ingredient in the change was privacy — giving intern groups time and space, especially out of the view of disapproving superiors, to develop new habits, language, and thinking. These smaller groups spread this new culture through the rest of the hospital.
Cultural change of any kind requires privacy.
Privacy breaches cost money
If these philosophical arguments don’t convince you, money is a more practical reason to care about privacy. According to one yearly report on data breaches, the average cost of a single breach is USD 4.24 million. The cost of the breach itself is often only a tiny part of the overall consequences; almost every government in the world now enforces privacy protection law. Organizations are often subject to multiple overlapping laws.
A word of warning here, however. Just like with security, you don’t want to spend a lot of time focusing on the legal aspects of privacy. You want to develop a risk-based rather than compliance-based approach to privacy.
Okay, so privacy is important. What does the average network engineer do about it? Over the next several posts, we’ll look at privacy from the perspective of transiting traffic through the network, then privacy, and the information the network needs to run. After we’ve established some baselines about what needs to be protected and why we’ll look at fundamental data privacy concepts.
Russ White is a Network Architect at LinkedIn.
This post is adapted from a series at Packet Pushers.
The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.