security is not privacy

Go back to the directory of Risks messages
Date: Tue, 22 Nov 94 18:49:40 PST
From: RISKS Forum <risks@csl.sri.com>
Subject: RISKS DIGEST 16.57

RISKS-LIST: RISKS-FORUM Digest  Tuesday 22 November 1994  Volume 16 : Issue 57

----------------------------------------------------------------------

Date: Tue, 15 Nov 1994 12:04:08 -0800
From: Phil Agre <pagre@ucsd.edu>
Subject: security is not privacy

*The New York Times* has an article about an attempt by tobacco company
lawyers to subpoena reporters' travel and telephone records in an indirect
attempt to identify their sources for stories asserting that the companies
deliberately added nicotine to their cigarettes.

  William Glaberson, A libel suit raises questions about the ability of
  journalists to protect sources in the electronic age, *The New York Times*,
  14 November 1994, page C10. 

Many readers of RISKS probably remember other attempted strategic uses of
the discovery process by tobacco companies, including at least one attempt
to subpoena raw survey data from smoking researchers and an attempt to
obtain an electronic mailing list of anti-smoking activists.  (Actually, the
article doesn't explicitly say that the companies want the subpoenas issued
as part of the discovery phase of the trial, just that they want them and
the major press organizations are trying to stop them.)

In any event, this case is an excellent example of why data security, while
obviously important, does not guarantee privacy.  I am sure that those
travel and telephone records are as secure as they need to be, but that may
not provide enough protection against the legal strategies of tobacco
companies.  Maybe this point is obvious to Risks readers, but it is
certainly not obvious to many others, including many of the politicians who
make laws about such things.  So remember to let these folks know:

  Security is not privacy.

The only guarantee of privacy is anonymity.  Fortunately, technologies such
as digital cash to implement anonymity are on their way.  Insist that they
be used in any new system that gets developed near you.  And spread the
word, because once privacy-invasive systems get standardized and installed
they're hard to regulate and even harder to change.

Phil Agre, UCSD

------------------------------

End of RISKS-FORUM Digest 16.57 
************************
Go back to the top of the file