The detail of security law is found within operational security itself, due to the twinning of the subjects, as explained in Part 1 and Part 2 of this blog. So to progress our understanding, we have to begin with the question “what is security?”.
The idea of security encompasses many concepts, but we may immediately default to the idea that it is about the protection of someone or something from a threat. Therefore, when we think about the concept of “social security” we recognise a need for the State to provide a basic level of support to all citizens for their social, personal and economic wellbeing. This might be delivered through the payment of State benefits, so that the most vulnerable people in society are protected from the threats of poverty, hunger and homelessness. That’s the theory at least. If we think about the idea of Nationality Security we contemplate the protection of our country and territories from aggressors, which involves our military forces, and the ability of the State to protect its democracy and critical components thereof, including the economy. If we think about the idea of Public Security, this includes protecting citizens from harms, which can span Nationality Security issues, such as protection from terrorism, through to protection from the threats posed by ordinary criminals.
This blog is concerned with security in the sense of computers and communications systems, the cyberspace and the processing of data. Of course, due to the central role of these things in society, the security of them can be integral elements of the other forms of security discussed above.
Before moving further into the discussion of operational security as it relates to computers and the like, it’s worth noting that some commentators divide the idea into concepts of negative and positive security. Negative security is concerned with the steps and measures taken to protect someone or something from a threat, such as the use of computer access controls like usernames, passwords and biometrics. The idea of positive security reflects the idea of empowerment and freedoms, such as the freedom to use the Internet. The bridge between the two ideas seems to be that if we take measures to protect our computers from online threats, we can then exercise our freedom to enjoy the Internet. In a legal sense there are many implications that flow from an understanding of the differences between negative and positive security.
For example, if our goal is to protect online accounts through the use of different, complex passwords for each account, which can be very difficult to manage in practice without tools such as computer-based password manager apps, how do we manage the inherent risks that flow from the computer itself being a shared asset in a household which can give all of the users access to passwords in the password manager? In other words, we need to be aware of the risk that steps and measures taken for operational security might have unintended consequences for diversity and inclusion purposes.
A failure to appreciate that the design of security system can involve cognitive, emotional, physical or economic vulnerabilities at the user side could be disastrous. Thus, in the household with the shared computer, what would be the implications of the use of a password manager app if the household was abusive? Could the app be used to further abusive, controlling or coercive behaviour? In that case, could it be said that the security control has the potential to limit the freedoms of victims of abusive relationships? While these raise complex issues, they are not fanciful or matters purely of academic concern. For example, in 2023 the Government ran a test of a national emergency alert system, which forms part of the country’s approach to National and Public Security. The test involved the sounding of an alarm over the cellphone system, with an accompanying text message. Many concerns were expressed about the risk of the alarm revealing “hidden phones” in abusive households, which are hidden by victims of abuse so that they can call for help in an emergency.
So when we ask the question “what is security?” we find that it involves two cojoined ideas, which is security to protect against threats and security to enable freedoms. An operational security system that applies negative security controls in such as a way to inhibit freedom is not a security system at all, but, arguably a tool of oppression. At this point we then realise that security is clearly a human rights issue, as the preamble on the Home page of this website tries to explain.