Whitfield Diffie on Privacy

I am in awe of people with deep technical expertise who seem to reach a higher state of being that transcends their major accomplishments. Whitfield Diffie is one of those few people, like Bruce Schneier, who has reached what I can only describe as a philosophical level in how he talks about security and the digital world we live in.


It’s only in the last couple of years that I discovered Gary McGraw’s Silver Bullet Podcast, and I’ve been working my way through his back catalog. What an incredible compilation of cybersecurity knowledge Gary has assembled over the years. One that has stuck with me is Gary’s interview with Whitfield because of some of my recent work on a project with a significant privacy aspect.

The interview covers the invention of public-key cryptography, as you would expect, but then in an almost throwaway discussion at the end of the interview Gary brings up the “privacy is dead” statement from Scott McNealy back in 1999. McNealy was the CEO of Sun Microsystems, where Whitfield worked for several years. Whitfield says:

The problem is that the word privacy doesn’t express the difference between the things you want and the things you don’t want. People say things like “there’s no privacy in small towns,” and in a large sense that’s true. Small towns have a lot of accountability because the people who know about you are people you know about. They’re not capriciously going to offend you because they’re just as vulnerable to you as you are to them.

This is at the same time insightful and obvious: to say that we want privacy is such an oversimplification that it is almost meaningless. There are many situations where we are willing to give up our privacy in some manner, or even expect our privacy to be disregarded, in order to get something or achieve some goal. In many of our interactions with public institutions, for example, citizens (generally) expect that the government is sharing data between its departments in order to deliver services. We often don’t want and don’t expect this in our dealings with private companies.

Sometimes I wonder: do we, as humans, really want privacy? Is this fundamental to being human or is this a need we have constructed?

Painting of the interior of an Iroquois longhouse

Before we had even small towns we lived in small groups where there wasn’t any privacy. Everyone slept together in a longhouse or yurt or whatever shelter and you were rarely alone. Some have said that the current internet environment, where more and more everyone knows what everyone else is doing, is a return to some kind of natural state. This theory seems to me to be missing something fundamental that I could not describe, but I think Whitfield casually points out a key difference: accountability.

He goes on to say:

On the other hand, ChoicePoint and Equifax and such couldn’t care less about us. We have no visibility into their operations, and they have a lot of visibility into ours, so there’s that asymmetry of transparency in which the individual is transparent to the large organizations, but the large organizations aren’t accountable to the individuals.

Asymmetry of transparency is an interesting way to sum up this dynamic between individuals and these institutions holding large amounts of personal data. When I read things like this it makes me think that, despite the hype, self-sovereign identity (Wikipedia’s entry, good article on Medium) can be a truly important advancement in the way we manage identity. This could be a mechanism to help us combat this asymmetry.