Privacy versus Security


I was presenting at a security conference just before Christmas, and someone asked the inevitable question: "If we just encrypt everything, then we'll all be safe - won't we?".

Like most real problems in the real world, the answer is complex.

Yes - encrypting information between trusted parties is always a good idea.

But - we all entrust our information to outside parties. Banks hold our details, Google holds our details, and so the list goes on. The fact is we share details with organizations because we:

  1. Want them to use the information to provide a service - that's why we give it to them
  2. Trust them to protect our personal information - we trust them

Here's the catch - cyber attackers look just like normal customers. If we encrypt everything, then the cyber attackers' actions will also be hidden under the veil of encryption - the organizations we entrust with our information will be unable to see those attacks, and unable to protect our information.

These organizations do have people, very, very good people, whose job it is to protect our information. Taking away their ability to see everything happening in their systems, their networks, their databases makes them blind.

Security teams inside organizations need to be able to see everything - why would you not want them to?

So - to those folk who apply the romantic ideal of "encrypt everything" I would simply ask - why would you want to impede the work of those folk bound to protect us, those people we trust?

If you don't trust an organization to protect your data - don't share it.

If you do trust them, let them do their job in protecting that data - let them see it.

Stu


More articles by Stuart Wilson
