Is "Privacy and Security" a Zero-Sum Game?

By: chrisc on 15 January 2008
Posted in Surveillance

According to Ed Giorgio, who is working with National Intelligence Director Mike McConnell on a proposed cyber-security plan, "privacy and security are a zero-sum game." (Quoted from The Spymaster, a story about McConnell in the Jan. 21, 2008 New Yorker; story not [yet] available online, but is discussed here.

Calling privacy and security a zero-sum game is not only inaccurate, it is dangerous.

First, a "zero-sum game" is one in which any gain by one side is offset by an equal loss on the other side. This is not necessarily true for tradeoffs between privacy and security; while improving one often comes at the cost of the other, the costs and benefits do not necessarily cancel out. It may be possible to greatly increase security with a small cost to privacy; it may also be possible to slightly increase security with a substantial cost to privacy.

This is not merely a pedantic criticism of a generally accurate description. Thinking of security and privacy as a zero-sum game leads one to conclude that there is no need to actually reflect on the privacy costs of any security-enhancing measure, because those costs are by definition exactly commensurate with the security benefits. Short-circuiting the process of balancing different goods and harms is particularly inappropriate when we are discussing such fundamental values as privacy and security. Existing laws, such as those concerning law enforcement wiretaps, have been designed with just this balance in mind.

Moreover, while increasing either privacy or security often come at the cost of reduction of the other, that is not always the case. Assuming by default that privacy and security are always opposed can cause parties to ignore ways in which either privacy or security can be improved without harming the other. Designing bridges and other critical infrastructure to be less susceptible to terrorist attacks, for example, has substantial security benefits and no clear privacy harms - but this sort of low-hanging fruit can be missed if security actors don't actively seek ways to improve security without harming privacy.

Finally, the assumption that privacy and security is a zero-sum game leads too quickly to another conclusion: there is really no need for oversight. If there is a legitimate actor who is tasked with ensuring national security, the very definition of that task authorizes the actor to intrude upon otherwise private matters. The NSA is mandated with detecting and preventing terrorism, which requires broad access to data, and the FISA court is an unnecessary roadblock en route to the ultimate conclusion. Since privacy and security are a zero-sum game, and security is the agency's mandate, privacy must "take a back seat in the name of security."

The primary role of oversight, whether Congressional, judicial, popular, or in any other form, is to ensure that an authorized actor is in fact weighing the costs and benefits of each action and choosing appropriately. To describe conflicts between privacy and security as a zero-sum game is to obscure the value of such oversight and of careful weighings, and thus is inappropriate whatever one's views of the appropriate tradeoff between privacy and security in any given situation.

Addendum: Ars Technica has a different take on the same issue here, emphasizing that government collection of data can harm both privacy and security interests, and that the best way to secure information is to protect privacy.