Computer Security: Privacy Vs Security

In CERN's academic environment - a place where academia runs industrial installations, where there must be the academic freedom necessary for the advancement of research and freedom of thought, and where there is a constant coming and going of colleagues and, with them, their thousands of personal "bring-your-own" devices - cutting-edge research relies on an open yet to-be-protected digital ecosystem. CERN's Computer Security Office, mandated to protect the operations and reputation of the Organization against any kind of cyberthreat, is well aware of its challenge to find the best balance between academic freedom, personal devices and the defence of our global scientific infrastructure. The right balance means protecting CERN's operations and reputation while guaranteeing the privacy of our staff and users in their workplace. And this requires constant choices, as computer security is, by nature, intrusive.

To protect an account, a device, a system or even an organisation, deep insight is needed into their internal functioning in order to distinguish the good from the bad, the malicious from the benign, the targeted attack from unconscious errors, the (weird) use cases from deep abuse. Indeed, this is how network-based or host-based intrusion protection systems, spam filtering and antivirus and antimalware software work. And this obviously and directly collides with the wish for privacy, for non-intrusiveness, to be left alone. While at home it is entirely up to you how much privacy you want, in an organisation like CERN, the stakes are different and the Organization has an obligation to protect itself. It must therefore always be the goal of any computer security team, at CERN or anywhere else, to find the appropriate balance between the privacy of our individuals and the security of us all.

Therefore, since "privacy" rightly holds a firm place at CERN(1), the Computer Security Office runs its prevention, protection and monitoring tools in alignment with best industrial security standards but also with a deep-rooted consideration for "data protection" and your "privacy". CERN's Computing Rules (i.e. Operational Circular No. 5 and its Subsidiary Rules), which govern the work of the Office, provide the corresponding guardrails in how far "security" impacts "privacy". Actually, while security can exist without privacy, privacy cannot exist without security, which does not imply that security is always paramount. By way of example, "privacy" is the key reason why the Computer Security Office promotes the use of encrypted communication channels while accepting that this inhibits any deep-packet inspection of the network traffic at CERN's outer perimeter firewall. "Privacy" trumps "security".

In other cases, however, the balance is more delicate. Take the CERN-provided antimalware protection as an example. The CERN IT department provides sophisticated software with remote forensics capabilities for a subset of centrally managed Windows computers (the so-called "hardened" PCs), but deploys a lighter version to all other Windows and macOS devices owned by CERN (i.e. purchased on a CERN budget code)(2). For the latter, the antimalware software just reports virus findings to the central Windows team for follow-up, virus analysis and incident response, but does not grant the team (or the Computer Security Office) any remote investigation possibilities. Personal devices, furthermore, can get the CERN antimalware software for free without any strings attached. CERN "security" balanced with "privacy".

Like the antimalware software, CERN's automatic network inspection of unencrypted traffic at the firewall level, the automatic analysis and filtering of any malicious domain resolution (at the DNS level), the automatic spam and malware filtering linked to the CERN email system, and the automatic collection and analysis of all user interactions with CERN computing services like LXPLUS, all touch upon sensitive if not personal data, including data of a purely private nature(3). And due to this, but also due to the sheer size of CERN's digital infrastructure, all such data is fully automatically processed with as little expert intervention as possible. Expert intervention always implies a professional need for incident triage and incident response, as is well documented in the Computer Security Office's Privacy Notice (aka "RoPO"), Privacy Statement and the RoPOs of the individual IT services. Admittedly, this still requires a certain level of trust in the IT Department's service managers and the members of the Computer Security Office (and strict accountability!). All of them have a special clause in their MERIT form stating that their "functions, allowing access to personal data or other confidential and/or sensitive information, imply strict conformance to the rules laid down in OC11 and OC5, in particular those governing confidentiality". Any abuse of their function is considered a severe violation of the CERN Computing Rules (OC5) and would subsequently be subject to liabilities and sanctions. There is a zero-tolerance policy. There is no yellow card for misconduct. One red card, and they're out.

So, in the end, "privacy vs security" boils down to trust. The balance between privacy and security at CERN is built on transparent processes, automation wherever possible, strict oversight of necessary human involvement, and trust in the professionalism and respectfulness of CERN's Computer Security Office, the members of the IT department and any other expert within the Organization handling personal data. At CERN, "privacy" and "data protection" play a big role, but outside CERN...? How much more or less do we trust our colleagues compared to those folks running ChatGPT, Gmail, Instagram or TikTok cloud services? Or those providing external software suites or even the whole operating system to us? Isn't it there that we pay for their "free" service with our data?
(1) It is important to recall that "privacy" and "data protection" are not identical concepts: privacy relates to an individual's expectation of being left alone, while data protection governs how personal data is collected, used, accessed and safeguarded under defined rules such as the European General Data Protection Regulation (GDPR) and the CERN equivalent: OC11.

(2) CERN-managed and CERN-owned devices are also initially configured with local disk encryption and remote wiping capabilities as laptops tend to get stolen or lost. Without disk encryption, locally stored data can be accessed despite any password protection as the disk/memory itself is unprotected. For the same reason, remote wiping (like Apple's "Find My") prevents a thief from abusing the device in any way. In both cases, CERN IT provides such a functionality in a privacy-preserving manner.

(3) CERN's OC5 tolerates the use of CERN's computing facilities for personal use (see its annex) as long as this use is in compliance with the Computing Rules.