Current Status

Doctoral Candidate, Science and Technology Studies (STS) at Virginia Tech

Dissertation: In Progress

Question: How should the standard, currently accepted concept of information and communications security be challenged and reconciled with the post-Digital Age conception of security?

In my dissertation I will argue that the standard, currently accepted concept of security, understood in the realm of information and communications technology (ICT) as a manageable and bounded measure of risk, has been irreversibly changed by two developments: first, the pervasive creation, adoption, and blithe embedding of connectivity and communications technology in an ever-increasing number of objects; second, the public norming of security risk and ignorance, manifested through individual practice (i.e., the steps entities take to protect themselves) and minimized accountability (i.e., the apathetic response to violations of security, privacy, and ethics). We can no longer talk about security in terms of an entity’s exposure to risks, specific consequences resulting from poor choices, or a lack of sufficient defenses to various attacks.

Security ought to be thought of as a measure of awareness, reflected by an individual’s or group’s ability to make decisions and take actions that are authentic (i.e., that demonstrate their sense of and/or desire for free choice).[1] If you think of security awareness on a linear continuum, we have, on the one end, those people severely ignorant of the state of security and, on the opposite end, those people closest to knowing the truth of the present state of security. Individuals in these groups will make choices that are close to being truly authentic. By authentic, I mean choices that are free (or close to free) from judgment from local sociocultural norms of behavior that impose restrictions on actions, desires, and lifestyles that lie within the reasonable bounds of the moral landscape.[2] Those closest to possessing an understanding of the true state of security take extensive measures and precautions to limit the generation, exposure, collection, and correlation of their personal data to their identity, both online and offline (i.e., in person).[3] As a result, they are able to exercise authentic choices, because they have limited and disaggregated their data generation and dissemination. At the opposing end of the spectrum are those individuals with so little knowledge of security that they exercise authenticity because they are unaware of their own exposure. In the simplest of terms, this is akin to individuals’ changes in behavior at home, when they believe no one else is around to observe them. The remaining portions of the population exercise varying degrees of authenticity, based on their incomplete understanding of the state of security. For example, a person may avoid the use of online banking for fear of their accounts being exposed, while simultaneously using multiple social media platforms, such as Facebook and Twitter, because they do not associate personal risk with the use of these services.

Operating under this outmoded sense of security affects more than our ability to act authentically; it also permits violations of trust and ethics by institutions, groups, and individuals we entrust with our data.

[1] For the purposes of this work I will be utilizing a hybrid definition of philosophical authenticity, borrowing from the soft/weak concept of authenticity from the existentialists, as well as from the moral and political philosophies. To wit, to act authentically means to make choices or take actions that accurately reflect one’s true desires, intentions, and individual morality, distinct from broader senses of morality, such as a society’s public morality. For example, a politician who promotes a policy or line of rhetoric that matches their party’s agenda, but does not reflect their true beliefs, would be making an inauthentic choice, whereas that same politician privately (possibly anonymously) contributing funds to a cause they believe in would be acting authentically.
[2] I am borrowing Sam Harris’s concept of the ‘moral landscape,’ from his work of the same title (2010). Within this framing, we ought to accept actions and choices that, morally, promote the wellbeing of conscious creatures and life. In other words, my reasonable authentic actions do not accept murder as a reasonable action, although to some it may be an authentic desire.
[3] For the purposes of this work, ‘personal data’ includes, but is not limited to, the following: Personally Identifiable Information (a class of data unique to an individual, such as U.S. Social Security Numbers, a date of birth, etc.), decision and action data (e.g., what terms a person searches for online, the websites they visit, etc.), and passive data (e.g., data collected by smartphones tracking location changes, biometrics, etc.).