In 1991, at the start of the Crypto Wars, the idea of digital privacy was radical. Today it’s required to do business. Without an expectation our data is secure, online banking cannot work and doctors cannot store medical records electronically.
But I’m concerned we sometimes forget that it’s privacy we want; security is just one way we achieve that. Your phone may connect securely to a social network, but if that network is plundering your intimate contacts and revealing them to the world, your privacy has still been lost.
So when I see what happened to Sony recently — the data stored on their servers leaked to the world — my mind goes to that difference between privacy and security. I’m sure Sony had firewalls and VPNs, intrusion detection and antivirus, policies and procedures — all the usual artifacts of corporate information security. Those things securely delivered a mountain of information to Sony’s servers, where it was lost all at once.
When it was lost, the privacy of Sony’s partners and employees went with it. That’s what corporate privacy is — the privacy of the people in and around the corporation.
If we focus on their privacy rather than the corporation’s security, maybe we can make better choices. Many kinds of information don’t need to be stored for long, or at all. If only the participants keep a copy of their correspondence, the company can’t lose it. Imagine how much worse the damage of a security breach would be if companies routinely kept years of recordings of all employees’ phone calls.
Protecting the privacy of individuals is why I started PGP, and why Mike and I started Silent Circle. But at Silent Circle we’ve come to realize that protecting individuals at work may be the strongest form of corporate security possible. That’s what we’re working on, and we hope that you’ll join us.