3/4/2008 6:05:00 PM

Privacy and Security - where should we be more concerned?

by Andrew Y. Lindell

For the sake of this post, we'll define privacy as the goal of protecting sensitive or confidential information related to our personal lives (whatever that may be). Furthermore, we'll define security as the goal of protecting valuable data (this includes trade secrets, credit card information, etc.). Of course, these definitions are far from being comprehensive or even accurate, but they'll suffice for this post.

So, what's more important - or more specifically - what should we be more concerned about: our security or our privacy? Many security advocates state correctly that security is a basic need and so is far more important. This argument is usually used in the context of homeland security, terror, etc., but the same argument stands for financial security. It is clearly much worse that someone steals all my money than it is to have my private life posted on the Internet. However, the line is not always so clear. What about leakage of my medical history? This is a privacy issue, but one that can have a great effect on my ability to earn a living! Nevertheless, there is another distinction that is less often considered, and this is the issue of recovery after the fact.

It is typically possible to recover from a security breach, albeit with a lot of time, hassle and some money. Victims of identity theft can attest to the problems they incur when trying to get back control over their identity. In some cases the damage really is huge, and I am in no way belittling the suffering of these people. However, in most cases, the result is a huge headache and a small financial loss. In contrast, once someone's privacy has been breached, there is no way of recovering! It is impossible to recall information that has been posted on the Internet, or to recover dignity after one's entire community learns a person's secrets (note that the person need not do anything criminal, but it is enough for them to be somewhat deviant in some way). Thus, at least in this sense, a breach of privacy should concern us much more than a breach of security.

Just to set the record straight: I am not saying that we should focus less on our security. Rather, I am trying to make the point that we have to take our privacy seriously as well, and to realize that at least in some ways, a loss of privacy can be worse than a (temporary) loss of security. I also want to encourage everyone to educate youngsters about the importance of their privacy and to stress to them that posting personal information in semi-public domains on the Internet can be very bad for their future. It's bad enough when someone forcibly takes away your privacy; it's much, much worse when you voluntarily give it away.


Tags: Privacy

4/11/2007 3:25:00 PM

Privacy Policies and Our Privacy

by Andrew Y. Lindell

The publication of privacy policies is an important step in providing users with some control over their information. Specifically, a privacy policy tells a user what the given organization may or may not do with their information. Ignoring the fact that we don't really know if the privacy policy is actually followed, it is important to realize that the mere existence of a privacy policy says absolutely nothing about the privacy that users are guaranteed. It may be very obvious that one actually has to read a privacy policy in order to know what is and is not being done with our information. However, most users do not read these policies at all. Furthermore, even if they did, they don't always have a choice to use something else. Of course, it is possible to anonymously search the Internet and there are settings that improve a user's privacy. However, these are far beyond the reach of the average user!

Just to get a feeling of privacy issues that arise, I will look at the issue of sharing information with third parties in Google's privacy policy. In general, the policy looks pretty reasonable. However it is very vague. For example, consider the following two sentences taken from Google's privacy policy:
  • "Aggregate non-personal information" is information that is recorded about users and collected into groups so that it no longer reflects or references an individually identifiable user.

  • We may share with third parties certain pieces of aggregated, non-personal information, such as the number of users who searched for a particular term, for example, or how many users clicked on a particular advertisement. Such information does not identify you individually.

As a user, I don't know if aggregate non-personal information is really non-personal. Using aggregate statistics to preserve privacy is far from an exact science (and is also not very well understood). The examples given by Google clearly seem harmless. However, it is often possible to triangulate different data in order to identify anonymized users. So, are we really sure that no one can know who has searched for terms like "helping siblings with psychiatric disorders"? Maybe, but maybe not...
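The triangulation worry above can be made concrete with a differencing attack: two "aggregate" counts whose groups differ by exactly one person reveal that person's data. The following is an added Python example, not from the original post and not Google's code or data; the users, ZIP codes and search terms are constructed, the `min_group` suppression rule is an assumed stand-in for whatever aggregation rule a real provider applies, and the function names are the example's own.

```python
"""Differencing attack on 'aggregate, non-personal' search counts.

Constructed scenario: a search service hands third parties only counts of
users who searched a term, optionally broken down by coarse attributes, and
suppresses any count over a group smaller than `min_group`. An analyst who
knows a little about one person (ZIP code and age bracket, say) can still
recover that person's individual search behaviour.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional

SENSITIVE_TERM = "helping siblings with psychiatric disorders"


@dataclass(frozen=True)
class User:
    uid: str
    zip_code: str
    age_bracket: str
    terms: FrozenSet[str]


# Constructed data set (hypothetical users, not real people).
# Note that "alice" is the only 30-39 year old in ZIP 02139.
USERS = [
    User("alice", "02139", "30-39", frozenset({SENSITIVE_TERM, "weather"})),
    User("bob",   "02139", "20-29", frozenset({"weather", "sports"})),
    User("carol", "02139", "20-29", frozenset({SENSITIVE_TERM, "recipes"})),
    User("dave",  "02139", "40-49", frozenset({"recipes"})),
    User("erin",  "02139", "40-49", frozenset({SENSITIVE_TERM})),
    User("frank", "94105", "30-39", frozenset({SENSITIVE_TERM, "sports"})),
    User("grace", "94105", "30-39", frozenset({"weather"})),
]


def aggregate_count(term: str, zip_code: Optional[str] = None,
                    exclude_age: Optional[str] = None, min_group: int = 3,
                    users=USERS) -> Optional[int]:
    """The only interface the third party gets: a count of users in a group
    who searched `term`. Groups smaller than `min_group` are suppressed, a
    naive rule meant to keep the output 'non-personal' (assumed here)."""
    group = [u for u in users
             if (zip_code is None or u.zip_code == zip_code)
             and (exclude_age is None or u.age_bracket != exclude_age)]
    if len(group) < min_group:
        return None  # suppressed: group too small to release
    return sum(1 for u in group if term in u.terms)


def infer_search(term: str, zip_code: str, age_bracket: str,
                 users=USERS) -> Optional[bool]:
    """Differencing attack. Both queries pass the min_group check, yet their
    groups differ by exactly one person, so the difference of the two counts
    is that person's private bit (did they search `term`?).

    Returns True/False when the attack succeeds, None when the auxiliary
    attributes do not single out exactly one user or a count is suppressed.
    """
    targets = [u for u in users
               if u.zip_code == zip_code and u.age_bracket == age_bracket]
    if len(targets) != 1:
        return None  # attributes don't isolate a single person
    whole = aggregate_count(term, zip_code=zip_code, users=users)
    rest = aggregate_count(term, zip_code=zip_code,
                           exclude_age=age_bracket, users=users)
    if whole is None or rest is None:
        return None  # a count was suppressed; attack blocked this time
    return whole - rest == 1


if __name__ == "__main__":
    # Each individual count looks harmless; together they expose one person.
    print("all users who searched the term:", aggregate_count(SENSITIVE_TERM))
    print("ZIP 02139:", aggregate_count(SENSITIVE_TERM, zip_code="02139"))
    print("ZIP 02139, not 30-39:",
          aggregate_count(SENSITIVE_TERM, zip_code="02139", exclude_age="30-39"))
    print("did the 30-39 year old in 02139 search it?",
          infer_search(SENSITIVE_TERM, "02139", "30-39"))
```

The minimum-group rule on its own does nothing against this: every query the attacker issues covers four or five people and is released, yet subtracting them isolates one. Defences that actually address it (query auditing for overlapping groups, adding calibrated noise to every released count, i.e. differential privacy) have to reason about the combination of releases, not each release in isolation.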


Tags: Privacy

1/24/2007 3:18:00 PM

Privacy versus Security - the Clash of Giants

by Andrew Y. Lindell

Homeland security is all about protecting innocent citizens from terrorism and other threats to their safety. In order to achieve this, governments and intelligence organizations need to gather information about potentially threatening individuals. It is well known that the key to winning wars, and especially guerrilla-type wars and the war on terrorism, is information (or intelligence). This is also true of computer security: in order to detect intrusions, it is necessary to track users' activities. Furthermore, due to the need for authentication, a server immediately knows who is carrying out what activity.

In summary, security goes together with information. However, the above completely ignores another modern threat to citizens: the threat of not having any privacy. The bottom line is that information is typically a threat to privacy (at least when it is used naively). The problem of balancing security with privacy is arguably one of the biggest challenges in Western society today. The issue becomes most acute in countries with serious terror issues (like the US today).

So, what can be done? In my opinion, before anything can be done citizens have to show that they really care about privacy. A recent article, "Computer Privacy in Distress", raises serious privacy concerns related to information stored on a computer that is owned by one's place of work. The problem is that people prove time and time again that comfort is more important than privacy. Take Gmail and the privacy concerns raised (see Privacy Rights Clearinghouse as an example): despite the severe privacy problems involved in the system (although I admit that this is arguable), Gmail is an undisputed success. Google has a good product and it seems that this is more important to most people than their privacy. Unfortunately, people may change their minds only after someone gets hurt (and even then, it probably won't change anything).

There do exist solutions that can better balance the needs of privacy and security. However, it is unlikely that they will be implemented if people don't demand them (and demanding them means boycotting products that don't balance these needs and being willing to pay more for products that do). Once this happens then companies (and governments) may start paying attention. I urge you - start caring!


Tags: Privacy