Filed under: Civil Liberties, Economics, Politics, Risk, Security, Security Theater
For those of you who haven’t already found it, Bruce Schneier’s blog is a must-read for anyone who has an interest in privacy and security. He presents rigorously analysed, rational views in an extremely easy to read manner. As an example, one of his most useful concepts is “security theater” defined by wikipedia as “security countermeasures that provide the feeling of security while doing little or nothing actually to improve security”. It’s a description that perfectly encapsulates a lot of policy since the WTC attacks.
His latest article – Does secrecy help protect personal information? – is a good illustration:
Personal information protection is an economic problem, not a security problem. And the problem can be easily explained: The organizations we trust to protect our personal information do not suffer when information gets exposed. On the other hand, individuals who suffer when personal information is exposed don’t have the capability to protect that information.
Credit card companies make more money extending easy credit and making it trivial for customers to use their cards than they lose from fraud. They won’t improve their security as long as you (and not they) are the one who suffers from identity theft. It’s the same for banks and brokerages: As long as you’re the one who suffers when your account is hacked, they don’t have any incentive to fix the problem.