- There are two concepts at play in this discussion -- Information Security and Information Privacy:
- Information Security: The state of being able to view information. Can you understand a piece of information or not?
- Information Privacy: The administrative rules over the rights to view understandable information. Who has the right to view information that is understandable?
- Even if Information Security is totally successful, there is a need for Information Privacy because at some point Information must be in the clear to someone who does not "own" the information. For example, if you are applying for health insurance, you want the health insurance organization deciding whether or not to provide you insurance to have the ability to read sensitive information that is sent securely to them but which belongs to you and you alone. Information Privacy laws dictate how the health insurance organization must protect, how they can use and how and when they must dispose of your information.
- There are two types of information when it comes to talking about Information Security: Government Information (e.g. military secrets) and Citizen Information (e.g. credit card transactions, civil legal agreements, etc).
- My comments are about Citizen Information Security and Citizen Information Privacy. None of my comments are about Government Information Security. I'm not sure if Government Information Privacy is a separate concept from Citizen Information Privacy: It's all Information Privacy achieved by rules built on top of different types of Information Security.
- Information Privacy (Government or Citizen) must be built on top of an unbreakable Information Security mechanism.
- The basic technology for achieving good information security exists for both the Government and Citizen sectors.
- There is far more Citizen Information than Government Information and far more actors (people, organizations) in the Citizen sector than the Government sector. What is lacking for the Citizen sector are the refinements in performance and ease of use that result over time when experience is gained with any technology development.
- The experience of the last 40 years of Government involvement in the development, implementation and deployment of Citizen Security technology is that the Government has tried to pull the wool over people's eyes by insisting that weak, breakable encryption systems with Government accessible backdoors become standard.
- Add to that the failure in the last 40 years of the Government to effectively prosecute with any long-term effect crimes in the big-business sector of breaches of Citizen information security and privacy. The Government's willingness and ability to protect Citizens' Information is highly suspect.
- So, rather than rely on weak laws created by the Government for Citizen Information privacy, technologists prefer to develop provably secure Citizen Information security mechanisms that can be used without any Government Involvement.
- Where the Government can still help is in the Citizen Privacy regulations, as Governments in the EU have done.