How to Balance Security and Privacy?

Considering the balance between security and privacy, my experience as a security specialist has taught me that privacy is now integral to building effective security tools.


Can your employer's IT department view your internet browsing? Can they spy on you with their mobile device management software? I get this question commonly. The answer depends on the software, but I often say, "Assume they can".

Balancing security and privacy is tricky. I work daily with the privacy compliance team, to the point we call each other cousins. So how can we get at odds? To detect malicious activity, we need full visibility into network activity. On the other hand, privacy is about giving people the right to consent for what purposes they will allow companies to track them online. Whose interest takes priority?

The frustrating answer is "it depends". Depending on the problem in front of me, I have adopted contradictory stances. Ambiguity is terrible for efficient communication but remains necessary.

Let me share some anecdotes where I encountered this tension. Hopefully, you'll be better prepared if you run into them in your work.


Privacy is not about "hiding"

One of the smartest security analysts I've met was a privacy freak. Before they were cool, he'd use a Librem privacy phone and many privacy tools such as TailsOS and Telegram.

He wasn't involved in hacktivism or citizen research. So why go to these lengths? To an extent, it was a game for him: how to defeat all these trackers?

On the other side of the spectrum, you have people shrugging when they learn about Meta's extensive data collection and misuse: "I've got nothing to hide". I bet you've heard that one.

I believe both extremes look at the problem in a "binary" fashion.

I see privacy as a choice rather than a "right to hide". Individuals must be informed of tracking and they must consent. That's not an entitlement to anonymity, nor an open bar for the trackers. I'll explore two cases to show you what I mean.

Mobile device management

I am still debating the merits of MDM software capabilities. As a security specialist, I need to enforce configurations such as password protection, block certain malicious apps and files from executing, and perform a remote wipe if the device is stolen. This is "Mobile Security 101".

On the flip side, users are entitled to a degree of personal use of their machines. I would be deeply uncomfortable if a manager asked security for MDM logs to justify a firing. I'm not even delving into the legality behind these questions!

Can MDM protection be achieved without unintended consequences? This is where data about actual attacks can ultimately inform the decision:

  • are cyberattackers delivering mobile-based malware or social engineering?
  • could the MDM stop them?
  • what does the organization stand to lose if nothing is done?

In the end, I have yet to fully flesh out a cost-benefit assessment to make up my mind about the current MDM solutions. Despite MDM being a fundamental defensive measure, the privacy tradeoffs forced me to call into question the expected value I wanted to derive from it.

Audit logs

As a security specialist, I need systems to generate logs of events that allow forensics investigators to reconstruct the events behind a cyber attack. Their conclusions must hold up in court and follow the chain of custody.

As far as I'm concerned, cybercriminals do not have the right to be forgotten.

Nevertheless, it can appear silly to collect everything about users' activity on your public website for security purposes while your engineering team is building privacy-enhancing technologies to effectively avoid IP address collection in website analytics! As an engineer pointed out: "How long until the ads team figures out they've got all the data unmasked in the security logs?"

My conclusion remains to keep the breadth of the audit logs and compensate for their privacy invasiveness with access controls, data lifecycle and monitoring. But I found the exercise of questioning logs fascinating: as a security person, I took for granted that audit logs were necessary. I had never wondered about them being used for other purposes!
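The three compensating controls named above (access controls, data lifecycle, monitoring) can be made concrete in code. The following is an added illustration, not the author's code or any product's: an in-memory audit vault that keeps raw events (including the client IP the forensics team needs) but only releases them to a named incident-response role with a stated purpose, logs every read attempt so refused reads from other teams are visible, expires events after a retention window, and exposes a pseudonymised view for everyone else in which the IP is replaced by a keyed HMAC. The retention period, the role names, the secret key and the sample events are all constructed for the example.

```python
"""Added example: a full-breadth audit log with compensating privacy controls.
Constructed for illustration; not the author's or any product's code."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import hashlib
import hmac
from typing import Callable, Dict, List, Optional

RETENTION = timedelta(days=90)      # constructed: how long raw events are kept
RAW_READ_ROLES = {"security-ir"}    # constructed: roles allowed to read raw events


@dataclass(frozen=True)
class Event:
    ts: datetime
    client_ip: str   # raw IP: needed for forensics, sensitive for privacy
    user: str
    action: str


@dataclass(frozen=True)
class AccessRecord:
    ts: datetime
    principal: str
    role: str
    purpose: str
    view: str        # "raw" or "masked"
    granted: bool


class AuditVault:
    """Keeps every event, but gates and records who reads what."""

    def __init__(self, pseudonym_key: bytes, now: Optional[Callable[[], datetime]] = None):
        self._events: List[Event] = []
        self._access_log: List[AccessRecord] = []
        self._key = pseudonym_key
        # Clock is injectable so retention can be tested deterministically.
        self._now = now or (lambda: datetime.now(timezone.utc))

    def record(self, event: Event) -> None:
        self._events.append(event)

    # --- data lifecycle ---------------------------------------------------
    def purge_expired(self) -> int:
        """Drop events older than RETENTION; returns how many were removed."""
        cutoff = self._now() - RETENTION
        kept = [e for e in self._events if e.ts >= cutoff]
        removed = len(self._events) - len(kept)
        self._events = kept
        return removed

    # --- access control + monitoring --------------------------------------
    def read_raw(self, principal: str, role: str, purpose: str) -> List[Event]:
        """Raw events: only listed roles, only with a stated purpose; every attempt is logged."""
        granted = role in RAW_READ_ROLES and bool(purpose.strip())
        self._access_log.append(AccessRecord(self._now(), principal, role, purpose, "raw", granted))
        if not granted:
            raise PermissionError(f"{principal} ({role}) may not read raw audit events")
        return list(self._events)

    def read_masked(self, principal: str, role: str, purpose: str) -> List[Dict[str, str]]:
        """Pseudonymised view for other teams: keyed hash instead of IP, no user column."""
        self._access_log.append(AccessRecord(self._now(), principal, role, purpose, "masked", True))
        return [{"ts": e.ts.isoformat(), "client": self.pseudonym(e.client_ip), "action": e.action}
                for e in self._events]

    def pseudonym(self, ip: str) -> str:
        """HMAC-SHA256 of the IP under a secret key: stable for joins, not reversible without the key."""
        return hmac.new(self._key, ip.encode(), hashlib.sha256).hexdigest()[:16]

    def denied_raw_reads(self) -> List[AccessRecord]:
        """Monitoring hook: raw-read attempts that were refused."""
        return [a for a in self._access_log if a.view == "raw" and not a.granted]


def demo() -> dict:
    """Constructed scenario: three events, one past retention, one refused read from an ads role."""
    fixed_now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    vault = AuditVault(b"constructed-secret-key", now=lambda: fixed_now)
    vault.record(Event(fixed_now - timedelta(days=1), "203.0.113.7", "alice", "login"))
    vault.record(Event(fixed_now - timedelta(days=2), "203.0.113.7", "alice", "download"))
    vault.record(Event(fixed_now - timedelta(days=120), "198.51.100.9", "bob", "login"))
    purged = vault.purge_expired()
    raw = vault.read_raw("ir-analyst", "security-ir", "constructed incident review")
    try:
        vault.read_raw("ads-analyst", "ads", "campaign attribution")
        ads_blocked = False
    except PermissionError:
        ads_blocked = True
    masked = vault.read_masked("ads-analyst", "ads", "campaign attribution")
    return {"purged": purged, "raw_count": len(raw), "ads_blocked": ads_blocked,
            "masked": masked, "denied": len(vault.denied_raw_reads())}


if __name__ == "__main__":
    print(demo())
```

The point of the design is that breadth of collection and breadth of access are separate decisions: the forensics team keeps the raw IP under a purpose-bound, logged read path, the analytics or ads teams see a keyed pseudonym that still lets them count distinct clients, and the access log itself becomes something security can monitor for exactly the "ads team found the unmasked data" scenario the engineer worried about.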


Privacy is a supplemental cost of security measures

When teaching, I must deliver content about the ethics of cybersecurity. The crux of my interventions revolves around the idea that security analysts gain privileged access to sensitive information.

What I learned from being interested in privacy is that this "sensitive" information is not merely generated by "business applications" (customer records, trade secrets, intellectual property, etc.), but that our security tooling itself could be misused to invade privacy.

Another takeaway is the necessity to inform users. Sure, one cannot consent to being part of an audit log; that would defeat the purpose. However, users can know which measures we are implementing to guarantee minimum access.

Perhaps I could measure the rise of overall security transparency by the number of times people worriedly ask me whether their employer is reading their SMS.

What do you think about the tradeoffs between security tooling and privacy? Tell us in the comments!



🥳
Thank you for reading!


Cheers,
Pierre-Paul