Value Conflicts in Cybersecurity

Value Conflicts in Cybersecurity

Value Conflicts Overview

  • Value conflicts in cybersecurity are examined, emphasizing that their presence depends on the specific context.

  • Christen et al. (2017) provide a graphical representation of potential value conflicts.

Components of Value Conflicts

  • Values: Represented by grey rectangles (e.g., information harm prevention, physical harm prevention, privacy, personal freedom, fairness, equality, social justice).

  • Clusters: Security (harm prevention), privacy, and fairness.

  • Accountability: Seen as a procedural value, ensuring responsibility for actions.

  • Relationships: Full arrows indicate support, dotted arrows indicate potential tensions.

  • Cybersecurity instruments harm prevention, impacting personal security.

  • Monitoring and surveillance, personal efforts, and economic costs can negatively impact values.

Privacy Versus Security

  • The relationship between privacy and security is complex.

  • Situations:

    1. Security at the cost of privacy: Full cable monitoring.

    2. Security helping privacy: Targeted monitoring preventing data leaks.

    3. Privacy requiring cybersecurity: Cybersecurity maintains limits on access to personal information.

    4. Privacy at the cost of security: Anonymity exploited by malicious agents.

    5. Privacy contributing to security: Confidential user information prevents spear-phishing.

  • Cybersecurity is required to guarantee privacy.

  • Philosophical Views:

    • Himma (2016): Security trumps privacy because security is indispensable for a worthwhile life.

    • Moore (2016): Privacy and accountability trump security, debunking arguments for sacrificing privacy for security.

  • Fallacious arguments for sacrificing privacy:

    1. "Just trust us": Assume officials won't override individual rights without cause.

    2. "Nothing to hide": The idea that if you have nothing to hide, you shouldn't worry about surveillance.

    3. "Security trumps": Always prioritize security over privacy.

    4. "Consent argument": People voluntarily offer private information.

  • Trumping arguments are too general and require specific contextual judgment.

  • Conflicts arise when:

    1. All data is gathered/monitored (security at the cost of privacy).

    2. No data is gathered/monitored (privacy at the cost of security).

  • The conflict involves conflicting requirements about what data should be collected, stored, and shared, and for what purpose.

  • Questions to consider:

    • How much data and what data need to be gathered?

    • What data should be accessible to whom?

    • For how long should these data be stored?

  • Individuals may consent to monitoring for cybersecurity ends if privacy is understood in control terms.

  • Contextual integrity: The information monitored varies for different spheres like business, healthcare, and personal life.

  • Fine-grained technical and institutional infrastructure is needed to fine-tune data monitoring and sharing with informed consent.

Privacy Versus Fairness

  • Privacy and fairness are often seen as supportive.

  • Privacy limits data collection, preventing unfair treatment and discrimination.

  • Privacy for officeholders is required for independent functioning in a democracy to prevent blackmail.

  • Democracy supports privacy as a civil liberty.

  • Conflicts arise when fairness requires sharing information with the government, such as income for fair taxation.

  • Transparency of governmental decisions may conflict with privacy.

Privacy Versus Accountability

  • Privacy and accountability initially seem to conflict.

  • Accountability requires accounting for actions and decisions, needing transparency.

  • Tension: Individuals may not want to share information needed for accountability.

  • Privacy can be used to evade accountability.

  • Control conceptualizations of privacy can be problematic in terms of accountability.

  • A control notion of privacy should be grounded in moral autonomy and responsibility.

  • Conflicts can be addressed by focusing on what information should be shared with whom.

  • Accountability doesn't require disclosing all information, and privacy doesn't require keeping all personal information confidential.

  • Political accountability requires disclosure of who made what decision and why but not other personal information.

  • Privacy can serve political accountability by avoiding holding officeholders accountable for private matters.

  • The main point is determining what information should be shared or kept confidential in light of privacy, accountability, democracy, fairness, and security concerns.

Security Versus Accountability

  • (Cyber)security measures require accountability due to potential harm from a lack of appropriate measures.

  • Revealing cybersecurity measures may conflict with cybersecurity due to malicious agents adapting their strategies.

  • Cybersecurity is like an arms race where public accountability may undermine its effectiveness.

  • Conflicts arise when cybersecurity weaknesses are exploited for national security as revealing strategies decreases security..

  • Institutional mechanisms can alleviate tension without full public disclosure, such as parliamentary or cybersecurity committees.

  • These institutions work under confidentiality requirements.

  • Trade-offs between accountability and security should consider privacy, fairness, and values served by computer systems under attack.

Security Versus Fairness (and Democracy)

  • Security can conflict with fairness and democracy, especially with state surveillance programs.

  • Such activities may put civil liberties and privacy at risk.

  • Requires democratic legitimacy and accountability but is often secretive.

  • National security should not be seen as an intrinsic value but derive its moral importance from personal security.

  • Measures to increase national security may endanger personal security if they diminish civil liberties without democratic legitimacy.

  • Address conflicts of security versus fairness by examining the effect on personal security.

  • National security and cybersecurity measures may increase personal security for some while diminishing it for others, raising fairness questions.

  • Fairness requires some minimal level of basic rights, including personal security, civil liberties, and privacy protection for all.

  • In value tensions, always keep in mind the effect on personal security rather than focusing on national security and cybersecurity.

Conclusions: Beyond Security Versus Privacy

  • Ethical and value issues in cybersecurity go beyond security versus privacy.

  • Consider a broader range of values, including fairness and accountability.

  • Address value issues in specific domains like business, health, or national security.

  • Use a contextual approach when identifying and addressing value conflicts.

  • Values are varieties of goodness that require an appropriate response and correspond to moral considerations.

  • A value analysis of cybersecurity requires contextual judgments.

  • Values are usually not conflicting in the abstract.

  • Address value conflicts by understanding what specific values require in a situation.

  • A crucial issue is what data/information should be monitored, collected, stored, and shared for what purposes, and who can access it.

  • Zoom in on what values require in a specific situation and reconcile requirements through technical and institutional solutions.