Information Security - Security for whom and why?
An ethical analysis of conditions for morally defensible IS
As a complement to the many efforts to increase Information Security (IS) by means of furthering sound technology-based systems, this article examines the foundations for processing of personal data and information security from an ethical perspective. Importantly, Information Security concerns both the security of system resources (system security) and the security of data/information (data or information security). Hence, both data collection aiming at safety enhancement and protection of collected data will be subjected to ethical analysis. This is most important since the two aspects, system security and information security, tend to give rise to different types of ethical problems and since the various interests and aims involved may conflict. In particular, national security interests may collide with the triptych of principles (availability, integrity and confidentiality) that aim to protect personal data. Ambitions to secure information infrastructures from external threats and (increased) governmental attempts to control public and private information structures may clash (Brey, in: Petcovic and Jonker (Eds.), 2007). Paradoxically, the quest for increased safety requires more of what motivates information security, namely the collection and processing of personal data.
Although the increased gathering and processing of data have triggered debates on privacy infringements and an often uneven distribution of such invasions (cf. Gandy, 1993, Lyon, 2003), several aspects of data collection and security are in need of further clarification.
This article contends that, in order to identify morally defensible ways of obtaining and securing personal data, the following aspects (at least) must be recognized and further investigated: (1) the purpose of data collection, (2) the type of data collected and the form of data collection, and (3) the data subjects’ possibilities of consenting to disclosure of personal data.
First, before addressing the frequently raised question of how much privacy we are willing to give up for a more secure life, we should articulate what “enhanced security” means, and when and under what conditions we have obtained security. That is, an operationalization of security is necessary. Furthermore, security is often framed as a collective good versus the individual interest in privacy, and we are typically asked to accept the concrete and foreseeable infringement of specific individuals’ privacy for the possibility of increased security. This view, however, should be contrasted with arguments to the effect that privacy is crucial not only for personal autonomy but for individuals to express and utilize their democratic rights and liberties (Lever, 2007), and that individuals have a shared interest in privacy and privacy is socially valuable (Regan, 1995:213).
Second, what types of information are privacy sensitive and why? A brief survey of prevailing privacy protection legislation reveals that the type that enjoys protection is most often of an obviously sensitive kind, e.g. information about sexual orientation, political and/or religious views, leaving aside information that may become privacy sensitive in certain contexts (Palm, 2007). Arguably, whether information is perceived as privacy sensitive or not depends to a large extent on the particular situation (Nissenbaum, 1998, 2003). Hence, it is important to identify features of situations that tend to make personal data privacy sensitive. Particular conditions, contexts and the purpose behind data collection may influence individuals’ perception of data collection. Sex and ethnicity are other factors that are likely to influence whether and to what degree individuals consider certain information or ways of processing data privacy sensitive (Zureik, 2003). This discussion will be informed by empirical sociological research on attitudes to collection and processing of data (The Surveillance Project’s “Global Processing of Data project”: http://www.queensu.ca/sociology/Surveillance/?q=research/gpd).
Third, the conditions under which individuals can be said to, in a substantial way, approve of or consent to having their personal data processed (collected, processed, stored, transferred) deserve further investigation. Certainly, versions of the medical principle of informed consent have been imported into the field of Information Technology (IT). Data processing law requires that individuals consent to the collection and processing of their data. However, more is needed in order to identify conditions under which individuals’ consent to disclosure of personal data can be considered morally justifiable. Jon Elster’s discussion on rational preference adaptation (Elster, 1985) will be used to show the moral import of the context in which individuals state their consent and to establish conditions under which the quality of individuals’ consent can be considered acceptable.
This discussion is intended as a probe for the identification of fair conditions of data collection and information security.
Brey, P., “Ethical Aspects of Information Security and Privacy” in: Security and Trust in Modern Data Management (eds. M. Petcovic, W. Jonker), Berlin Heidelberg New York: Springer, 2007.
Elster, J., Sour Grapes: Studies in the Subversion of Rationality. Cambridge, Cambridge University Press, 1985.
Gandy, O., The Panoptic Sort: A Political Economy of Personal Information, Westview Press, Boulder, Colorado, 1993.
Lever, A., “Feminism, democracy and the right to privacy”. Minerva: an Internet journal of philosophy, 2005.
Lyon, D., Surveillance as Social Sorting: Privacy, Risk and Automated Discrimination, London and New York: Routledge, 2003.
Nissenbaum, H., “Protecting Privacy in an Information Age: The problem of privacy in public”, Law and Philosophy, 17, 1998, 559-596.
Nissenbaum, H., “Privacy as Contextual Integrity”. Washington Law Review, Vol. 79, No. 1, 2004.
Palm, E., The Ethics of Workspace Surveillance, Doctoral Thesis in Philosophy, The Royal Institute of Technology, Stockholm, 2007.
Regan, P. M., Legislating Privacy, University of North Carolina Press, 1995.
Zureik, E., “Theorizing Surveillance: The Case of the Workplace”, in: Surveillance as Social Sorting: Privacy, Risk and Digital Discrimination, edited by David Lyon, New York: Routledge, 2003.