Computing has spread into almost every aspect of our lives, creating a vast amount of data.

How can we achieve the right balance between unlocking the potential of this data andpeople-crowds protecting individuals’ privacy? This question continues to challenge companies, law-makers, technologists and academic experts around the world.

What solution is there to this dilemma of the internet age?

‘Cybersecurity’ stops our digital data from falling into the hands of unauthorised people. Criminals use cyber-attacks to steal customer data from companies, as demonstrated in the recent hacks of Ashley Madison and Carphone Warehouse.

To explore the balance between privacy and data collection and other dilemmas in cybersecurity policy, the Royal Society held a joint Sackler forum with the US National Academy of Sciences, ‘Cybersecurity Dilemmas: technology, policy and incentives’. The report of this meeting covers the different options presented by UK and US experts from industry, academia and government to address these challenging issues.

Conflicting interests

Individuals may want greater privacy protections for their data, but there is a trade-off between the privacy of data and its utility and value. Fine-grained data can reveal information about an individual’s preferences and behaviours and this data can be used by companies, for instance analysing data about browsing habits to target advertising. But this use can also be harmful to the individual. Data from one source can be fused with other data to reveal private information or behaviour. The challenge for society is to find the balance between regulation and protecting these different interests.

Technology development outpaces policy

As cybersecurity improves, a pertinent privacy issue concerns the policy surrounding what data can be collected and what others can and cannot do with an individual’s data. Current UK data protection law only applies if the data is considered to be personal data. However, as technology develops and more and more data about individuals is available, the distinction between what is personal and non-personal data becomes more difficult to determine.

Different approaches

The report outlines the differing US and European approaches to protecting privacy rights and promoting the economic potential of data. In the European Union (EU), privacy is considered a fundamental human right. In 2012, the EU proposed a new General Data Protection Regulation (GPDR) with strengthened data protection rights, to update a 1995 Directive. The legislation has received thousands of amendments, largely due to the competing interests weighing in on this complex issue. As a member state of the EU, the GDPR will apply directly to the UK.

By contrast data protection in the US is determined by a patchwork of federal laws and market-led self-regulatory guidelines. The US Government has proposed a Consumer Privacy Bill of Rights Act, which would provide protections for financial account information, online usernames and passwords, information about a person’s location, and other sensitive data.

Once enacted, the question will be whether EU or US legislation will be able to keep up with developments in technology and establish a better balance between privacy and data collection and use.

Read the report for a deeper dive into the balance between privacy and data collection and other dilemmas related to cybersecurity, including;

  • how international companies have to respond to conflicting legal regimes in different countries;
  • how to create incentives for rational cybersecurity; and
  • how to ensure security when users want flexible and complex computer systems.

Read other blog posts about the Royal Society’s cybersecurity work.