Cybersecurity is an interesting and important topic, one closely connected to those of online privacy and digital surveillance. Many of us know that it is difficult to keep things private on the Internet. The Internet was invented to share things with others quickly, and it excels at that job. Businesses that process transactions with customers and store the information online are responsible for keeping that information private. No one wants social security numbers, credit card information, medical history, or personal e-mails shared with the world. We expect and trust banks, online stores, and our doctor’s offices to keep our information secure and safe.
Keeping private information safe and secure is, however, a challenging task. We have all heard of security breaches at J.P. Morgan, Target, Sony, Anthem Blue Cross and Blue Shield, the Office of Personnel Management of the U.S. federal government, University of Maryland at College Park, and Indiana University. Sometimes, a data breach takes place when an institution fails to patch a hole in its network systems. Sometimes, people fall for a phishing scam, or a virus in a user’s computer infects the target system. Other times, online companies compile customer data into personal profiles. The profiles are then sold to data brokers and pass on into the hands of malicious hackers and criminals.
Cybersecurity vs. Usability
To prevent such a data breach, institutional IT staff are trained to protect their systems against vulnerabilities and intrusion attempts. Employees and end users are educated to be careful about dealing with institutional or customers’ data. There are systematic measures that organizations can implement such as two-factor authentication, stringent password requirements, and locking accounts after a certain number of failed login attempts.
While these measures strengthen an institution’s defense against cyberattacks, they may negatively affect the usability of the system, lowering users’ productivity. As a simple example, security measures like CAPTCHAs can cause an accessibility issue. As another example, the USPS website does not provide a way for a user who forgot the password to reset the password at all. I do not know if this is for a security reason, but let’s assume for a second that it is the case. Clearly, a system that does not allow a password reset would be more secure than one that does, since it makes it impossible for anyone to pretend to be someone else without knowing the password. But needless to say, this security measure creates a huge usability issue for average users, who often forget their own passwords and are locked out of the system permanently as a result.
Imagine that a university IT office is concerned about the data security of cloud services and requires all faculty, students, and staff to only use cloud services that are SOC 2 Type II certified. SOC stands for “Service Organization Controls.” They are a series of standards that measure how well a given service organization keeps its information secure. For a business to be SOC 2 certified, it must demonstrate that it has sufficient policies and strategies that will satisfactorily protect its clients’ data in five areas known as “Trust Services Principles,” which include the security of the service provider’s system, the processing integrity of this system, the availability of this system, the privacy of personal information that the service provider collects, retains, uses, discloses and disposes of for user entities, and the confidentiality of the information that the service provider’s system processes or maintains for user entities. And the SOC 2 Type II certification means that the business has maintained relevant security policies and procedures over a period of at least six months and therefore will keep the clients’ sensitive data secure. The Dropbox for Business product is SOC 2 certified, but it costs money. Dropbox is not as secure, but many faculty, students, and staff in academia use this cloud service frequently. If a university IT department bans people from using Dropbox and does not offer an alternative that is as easy to use as Dropbox, people will undoubtedly suffer.
Or suppose that your organization requires you to reset, every week, the password to your computer and to all the various systems you have to log in to. Your PC, the network that it is connected to, and those other systems may be more secure. But it will be a nightmare having to manage and reset all those passwords every week. Most likely, people will start using less complicated passwords, or may even start using one password across all the different services, and may stick to the same password every time the system requires them to reset it if the system does not prevent it.
Security is important, but users also want to be able to do their job without being bogged down by unwieldy cybersecurity measures. The more user-friendly and the simpler the cybersecurity guidelines are to follow, the more users will observe them, thereby resulting in a secure system. Users who encounter cumbersome and complicated security measures may ignore or try to bypass them, increasing security risks.
Usability and productivity may be a small issue, however, compared to the risk of mass surveillance resulting from aggressive security measures. In 2013, the Guardian reported that the communication records of millions of people were being collected by the National Security Agency (NSA) in bulk, regardless of suspicion of wrongdoing. A secret court order prohibited Verizon from disclosing the NSA’s information request. After a cyberattack against the University of California at Los Angeles, the University of California system installed a device that is capable of capturing, analyzing, and storing all network traffic to and from the campus for over 30 days. This security monitoring was implemented secretly without consulting or notifying the faculty and those who would be subject to the monitoring. The San Francisco Chronicle reported that the IT staff who installed the system were given strict instructions not to reveal it was taking place. Selected committee members on the campus were told to keep this information to themselves.
Cybersecurity vs. Privacy
The invasion of privacy and the lack of transparency in these network monitoring programs have caused great controversy. Such wide and indiscriminate monitoring programs must have a very good justification and offer clear answers to vital questions regarding what exactly will be collected, who will have access to the information, when and how the information will be used, what controls will be put in place to prevent information from being used for unrelated purposes, and how the information will be disposed of.
We have recently seen another case in which security concerns conflicted with privacy. In February 2016, the FBI asked Apple to create a backdoor application that would bypass the current security measure that is in place in iOS. This was because the FBI wanted to unlock an iPhone 5C recovered from one of the shooters in the San Bernardino shooting incident. Apple iOS secures users’ devices by permanently erasing all data when a wrong password is entered more than ten times. The FBI’s request was met with strong opposition from Apple and others. Such a backdoor application can easily be used for illegal purposes by criminals or used for unjustified privacy infringement by the government or other capable parties. Apple refused to comply with the request, and the court hearing was to take place on March 22. But the FBI withdrew the request, saying that it found a way to hack into the phone in question without Apple’s help. Now, Apple has to find out what the vulnerability in its iOS is if it wants its encryption mechanism to be foolproof. In the meantime, iOS users know that their data on devices are no longer as secure as they believed.
Around the same time as this FBI-Apple encryption case, the Senate’s draft bill titled “Compliance with Court Orders Act of 2016” proposed that people should be required to comply with any authorized court order for data—and if that data is “unintelligible,” that is, encrypted, it must be decrypted for the court. This bill is problematic because it makes any end-to-end encryption, which we use every day from our iPhones to messaging services like WhatsApp and Signal, practically illegal.
Because security is essential to privacy, it is ironic that certain cybersecurity measures can be used to greatly invade privacy rather than protect it. Because we do not always fully understand how the technology actually works or how it can be exploited for both good and bad purposes, we need to be careful about giving blanket permission to any party to access, collect, and use our private data without clear understanding, oversight, and consent. As we share more and more information online, cyberattacks will only increase, and organizations and the government will struggle even more to balance privacy concerns with security issues.
Why Libraries Should Advocate Online Privacy
The fact that people may no longer have privacy on the Web concerns many librarians. Historically, librarians have been strong advocates of intellectual freedom, and libraries have been striving to keep patrons’ data safe and protected from unwanted eyes. The Library Freedom Project reflects this type of concern from librarians. It educates librarians and their local communities about surveillance threats, privacy rights and law, and privacy-protecting technology tools to help safeguard digital freedom. It also helped the Kilton Public Library in Lebanon, New Hampshire, to become the first library to operate a Tor exit relay, which provides anonymous browsing on the Internet for library patrons.
New technologies have brought us unprecedented convenience, but they also carry with them the potential for an unparalleled level of invasion of privacy. While the majority of librarians have a very strong stance in favor of intellectual freedom and against censorship, many librarians are unsure about online privacy, particularly when it is pitted against cybersecurity. Some argue that those who have nothing to hide do not need their privacy. However, privacy is not identical to hiding a wrongdoing, nor do people keep certain things secret because they are necessarily illegal or unethical. Being watched 24/7 will drive any person crazy whether s/he is guilty of any wrongdoing or not. Privacy is an essential part of being human, not some instrument that we can do without in the face of a greater concern. Privacy allows us safe space to form our thoughts and review our actions on our own without being subject to others’ judgment.
The Electronic Frontier Foundation states that privacy means respect for individuals’ autonomy, anonymous speech, and the right to free association. If we want to remain as autonomous human beings free to speak our minds and think on our own without worrying about being observed and/or censored, we need to defend our privacy both online and offline and in all forms of technologies and technology devices, which are increasingly part of our everyday lives.