Privacy vs Security

Security advocates tend to posit that privacy is impossible to achieve if we want true security. Privacy advocates do not advocate the position that security is impossible to achieve if we want true privacy. Why is this?

Privacy advocates want a world where when you arrive in a physical or digital space,

  1. by default, you will not be recognizable from your previous interactions with other spaces, and
  2. if you choose, you will not be recognizable from your previous interactions with that space.

At first glance, there is a tension between several security measures and privacy. For instance, if sex offenders are allowed to enter physical or digital spaces without being re-identified as such, how can we prevent them from being around our children?

An example of a security measure which is privacy-invasive, but mitigates this type of risk in public spaces, is facial recognition. Already widely deployed in some societies, this technology uses your face itself as a unique identifier. As you go from place to place, all of your interactions in these places can, in principle, be traced back to you. The problem of tracking sex offenders as they enter public spaces has thus been solved, but at the cost of the privacy advocate's goal.

How would a privacy advocate like myself approach this problem? Well, the reality here is that we don't need longitudinal identification to solve it. We merely need a single bit. When you enter a space which has children in it, you can swipe an anonymous identity card which proves that you are not a federally registered sex offender. In particular, you can prove that you hold an identity document issued by the government, and that the name on the document is not in the public list of sex offenders, all without showing the verifier who you are or anything else about your identity.
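The "single bit" credential sketched above, as an added example that is not the author's design: it stands in a Chaum-style RSA blind signature for the anonymous proof, so the issuer, who checks the document against the public list, never sees the token the holder later presents, and the verifier learns only whether the signature checks out. The `seen` set in the verifier also rejects a token that is presented twice, which is one answer to the shared-document fraud concern raised later. The key parameters, registry entries and function names are constructed for illustration.

```python
import hashlib
import secrets
from math import gcd

# Toy textbook RSA parameters (an assumption for illustration: real deployments
# use large keys, padded hashing and an audited blind-signature scheme).
P, Q = 1000003, 1000033            # small primes, constructed for the example
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # issuer's private exponent

# Constructed sample public list; the name is a placeholder.
REGISTRY = {"Mallory Placeholder"}

def digest(token):
    """Hash a token into Z_N; this is the value the issuer signs."""
    return int.from_bytes(hashlib.sha256(token).digest(), "big") % N

def blind(token):
    """Holder side: hide digest(token) behind a random blinding factor r."""
    r = secrets.randbelow(N - 2) + 2
    while gcd(r, N) != 1:
        r = secrets.randbelow(N - 2) + 2
    return (digest(token) * pow(r, E, N)) % N, r

def issue(doc_name, blinded):
    """Issuer side: check the identity document against the public list and
    sign the blinded value; the issuer never learns the token it is signing."""
    if doc_name in REGISTRY:
        return None
    return pow(blinded, D, N)

def unblind(blind_sig, r):
    """Holder side: strip r to obtain a plain RSA signature on digest(token)."""
    return (blind_sig * pow(r, -1, N)) % N

def verify(token, sig, seen):
    """Verifier (door) side: learns exactly one bit, and rejects a token that
    has already been presented (a shared or replayed credential)."""
    if pow(sig, E, N) != digest(token) or token in seen:
        return False
    seen.add(token)
    return True

def obtain_credential(doc_name):
    """Full issuance flow for a holder whose document bears doc_name."""
    token = secrets.token_bytes(16)
    blinded, r = blind(token)
    blind_sig = issue(doc_name, blinded)
    if blind_sig is None:
        return None
    return token, unblind(blind_sig, r)
```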

The security advocate would now suggest: you've imposed a cost on everyone to protect their security, whereas the pervasive tracking solution is free. At least, it is free in the sense that the "good" individuals don't have to do anything to be marked as safe. They would also suggest that there is a significant risk of fraud by holders of these identity documents. In particular, they might claim that people would share trusted identity documents to forge proofs that they are not a sex offender. Because these documents are not being presented directly, they might claim that it is even more likely that they will be forged.

The privacy advocate can come back with a very strong argument. No, it is not free. The cost imposed upon everyone by a pervasive lack of privacy is precisely a cost in security. If I cannot guarantee that my movements, preferences, etc. are not being tracked, then my basic operational security is at major risk. Security advocates might say, "we are the good guys", but I think it's clear that there are no such neat dichotomies in life. In particular, the majority of cases of sexual assault happen around the victim's home, by people they know. If we can't tell who "the good guys" are when we're inviting friends and family, how can we tell that the vast numbers of public and private employees with access to this data are "the good guys"? Significant numbers of police have been shown to be perpetrators of domestic violence, and aren't they supposed to be the good guys? Do we really think that anyone should have access to data tracking their own families' movements?

Now, the security advocate might suggest that we can carefully control who has access to this data. They'll say that the risks of not tracking people are too high. The most advanced incarnation of this idea is to track people inside a special, highly private computer, where we can run programmatic decision-making on whether they've violated some policy or another. However, who writes the programs that decide? How can we be sure that the data within the computers cannot be leaked? In principle, the privacy advocate believes that the existence of this data anywhere it can plausibly be accessed by a human is an unacceptable security risk.

To address the risks of fraud by users holding these documents, the privacy advocate can point to the current situation, in which identity documents are shown, photographed, and scanned by everyone for the purposes of tracking. The current risks of identity fraud are thus severe as well, as your information can be transcribed directly from those records onto a new document. We should be careful and implement systems to mitigate the risks of identity fraud, but we should not act as if they are unique to the privacy-preserving systems being proposed.

As an advocate for both privacy and security, I am hopeful that the tensions we experience will eventually be seen to have been false. We will see that privacy is required for security, and that the security we'll feel in a private world will vastly outstrip the security we thought we felt earlier.