Oops - We didn't mean to do that! - How unintended consequences can hijack good privacy and security policies

Abstract

All privacy laws, security policies, and even individual actions are subject to an often-forgotten factor - the "Law of Unintended Consequences" (LUC.) Yet LUC is not a "law" in the sense of appearing in the Criminal Code, nor is it a Law of Nature like gravity. It is actually a manifestation of our inadequate efforts at foresight, and there are things we can do to counteract it. This paper identifies classes of factors which have lead to unintended consequences in the privacy and computer security domains, though the list is by no means exhaustive. It is primarily intended to inspire further thinking and research. We clearly need to make a stronger effort to "foresee the unforeseeable" or at least "expect the unexpected" to maintain public confidence in technological systems. The disciplines of strategic foresight and automated policy analysis may prove useful in attaining this goal. © 2011 IFIP International Federation for Information Processing.