IGF 2018 WS #164
Privacy and Security: aligned or conflicting goals?

Organizer 1: Maarten van Horenbeeck, FIRST
Organizer 2: Alexandrine Pirlot de Corbion, Privacy International
Organizer 3: Lucy Purdon, Privacy International
Organizer 4: Cristine Hoepers, CERT.br

Speaker 1: Éireann Leverett, Technical Community, Western European and Others Group (WEOG)
Speaker 2: Kaja Ciglic, Private Sector, Eastern European Group
Speaker 3: Nighat Dad, Civil Society, Asia-Pacific Group

Moderator

Cristine Hoepers

Online Moderator

Maarten Van Horenbeeck

Rapporteur

Maarten Van Horenbeeck

Format

Panel - 90 Min

Interventions

3-5 Speakers will be given three minutes to kick start the conversation and present their views. This will be a catalyst for conversation including the rest of the participants. Co-moderators will also have questions prepared in advance to keep the dialogue going.

Diversity

50% male/female. Stakeholder groups and geographic spread of speakers/participants: tech community, industry, global civil society from Africa, Latin America, Asia, Middle East and Europe.

This panel, proposed by FIRST, an international association of CSIRTs, and Privacy International, aims to promote a healthy debate on whether security and privacy are typically seen as supporting each other, or can in some cases end up in conflict. The goal of the session is for each stakeholder community to understand the needs of the others, and to document and study both areas of alignment and areas of difference.

During the session, we will cover:
- Views of the tech community (FIRST representative) - incident response, challenges and observations from the ‘front line’. How have incident responders dealt with these challenges, and what methodologies have they used to ensure sensitivity to privacy concerns? How has the WHOIS case study shown that there is still some room for improvement?
- Views of industry - What duty exists to protect customers, and what challenges are common when dealing with privacy in a security context? For instance, the need to cooperate with law enforcement.
- Views of government - Does security need to impact human rights? Or are there balances and places where the two can contribute to each other? What are the areas of tension?
- Views of civil society - Governments often propose intrusive regulation in the name of security, which is damaging for human rights including privacy. Civil society are at the forefront of pushing back. How do these concerns differ from a global perspective?

The second half of the session will focus on discussion with all participants on how these different perspectives can be reconciled.

This is a roundtable discussion, which encourages participation from all participants, as opposed to a panel format. Two co-moderators will lead the session and will have prepared questions for the room in advance.

In order to kick-start the discussion, the moderators will select each of the speakers to make opening remarks on the tensions between privacy and security. These speakers will represent different stakeholder groups and geographic spread, e.g. tech community, government, civil society and industry. Questions collected from each community ahead of the meeting will be shared with panelists, so they can focus on them and address them in their opening statements.

Following the opening statements, the moderators will lead discussion with the audience and remote participants, narrowing in on areas where there is either strong alignment, or strong divergence, between the goals of security and privacy models. Where possible, best practices and solutions to these challenges will be highlighted and noted by the rapporteur for later distribution.

How can tensions between privacy and security be reconciled across different stakeholder groups for the good of all? This discussion builds on those discussions by highlighting some barriers to progress in different stakeholder groups' perception of privacy and security.

The typical view is that “there can be no privacy without security”. This is true in a large number of cases. Information that is not protected and accessed in a reliable way cannot be considered private. However, there are also areas where both disciplines run into challenges trying to address each other’s needs. As just one current example, the European GDPR legislation has resulted in a significantly higher bar for the collection of personal information. This has collided with at least one internet protocol, WHOIS, which the security community has relied upon to improve security.

Other examples include the need for log collection and analysis, and for storing information collected during security incidents. Work has been done to align these goals, both in standards bodies and simply in technical precedent, which will be highlighted during the session.

The learnings from this panel will be widely shared within the IGF and FIRST communities, as well as in civil society, and will create an opportunity for both communities to learn from each other’s needs and challenges.

Online Participation

- Privacy International will create social media cards and a hashtag promoting the session prior to the IGF, and will gather questions via social media in advance. PI will also reach out to our civil society network to ask for questions in advance, so as to represent the global organisations involved in advocacy, policy and tech, who are unable to travel to the IGF.
- FIRST will consult with the incident response community to get questions ahead of time that can be leveraged through the panel.