Privacy and security are different things.
Security is the low-level lockdown: The password on the database, the encryption on the file-server, the lock on the door. Security means exposing data only to authenticated users, those who have the password, the thumbprint, the key, etc.
Privacy is protecting information based on business purpose: The need-to-know. Security is a prerequisite for privacy, but privacy is much harder to enforce: Once an employee or other user has a password to the application or a key to the door, how can we ensure that they see only what they need to?
That's what the Redaction system does. The privacy policies, based on regulations, don't just say what documents the reader can see, or what sorts of text-strings need to be deleted. The policies protect semantic types, such as personal names or telephone numbers, cross-referencing them against the role of the person who will see the document.
The Obama passport case makes a good example. There was no security problem. State Department subcontractors had legitimate permission to access passport records. But they had no business reason to do so in this case, which is why there was a privacy problem.
Redaction means more than creating blacked-out copies of documents. Live, automated redaction, when used as part of a document viewer, becomes a form of fine-grained access control for documents: Users should be able to browse to documents in an Electronic Content Management system and view them with the sensitive information redacted.
If they do have a real reason to see the information, they can ask to see it. Then, if permissions allow, the blank rectangle is filled in. The request is logged, and since the user is authenticated, the auditor knows and the user knows that the auditor knows that they asked to see this information.
This approach has the side-benefit of balancing the risks of automated over-redaction and under-redaction. We can err on the side of over-redaction, knowing that users can ask to see the information if they have a valid business purpose.
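The viewer-side mechanism described above, sketched as an added example; this is not the Redaction system's own code. It assumes a document whose protected semantic types (here PERSON_NAME and PHONE) have already been located, a role policy saying which types each role has a business need to see, and a session that renders the document redacted by default, grants or refuses reveal requests against the policy, and logs every request either way. The sample document, the regex detectors, the role names and the placeholder format are all constructed for this example.

```python
"""Live redaction as need-to-know access control with audited reveal requests.

Illustrative only: detection uses simple regexes so the example runs offline;
a production system would use an entity-recognition component instead.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample document; every name and number below is made up.
SAMPLE_DOCUMENT = (
    "Passport application for Jane Doe, phone 555-0199, "
    "reviewed by clerk Alan Smith; callback 555-0142."
)

# Semantic types the policy protects, with a toy detector for each.
DETECTORS: Dict[str, "re.Pattern[str]"] = {
    "PERSON_NAME": re.compile(r"\b[A-Z][a-z]+ [A-Z][a-z]+\b"),
    "PHONE": re.compile(r"\b\d{3}-\d{4}\b"),
}

# Policy: semantic types each role may have revealed on request.
# Role names and their permissions are assumptions for this example.
ROLE_POLICY: Dict[str, Set[str]] = {
    "records_clerk": set(),                          # document structure only
    "fraud_investigator": {"PERSON_NAME", "PHONE"},  # may reveal on request
    "auditor": set(),                                # reviews the log, not the data
}


@dataclass(frozen=True)
class Span:
    sem_type: str
    start: int
    end: int
    text: str


@dataclass(frozen=True)
class AuditEntry:
    user: str
    role: str
    span_index: int
    sem_type: str
    granted: bool


def detect_spans(doc: str) -> List[Span]:
    """Locate every protected span, ordered by position in the document."""
    spans = [
        Span(sem_type, m.start(), m.end(), m.group())
        for sem_type, pattern in DETECTORS.items()
        for m in pattern.finditer(doc)
    ]
    return sorted(spans, key=lambda s: s.start)


def render(doc: str, spans: List[Span], revealed: Set[int]) -> str:
    """Copy the document, replacing each protected span with a placeholder
    (the 'blank rectangle') unless that span's index has been revealed."""
    out, pos = [], 0
    for i, s in enumerate(spans):
        if s.start < pos:
            continue  # overlaps an earlier span already emitted; skip it
        out.append(doc[pos:s.start])
        out.append(s.text if i in revealed else f"[{s.sem_type}#{i}]")
        pos = s.end
    out.append(doc[pos:])
    return "".join(out)


class RedactionSession:
    """One authenticated user's view of one document."""

    def __init__(self, doc: str, user: str, role: str) -> None:
        self.doc = doc
        self.user = user
        self.role = role
        self.spans = detect_spans(doc)
        self.revealed: Set[int] = set()
        self.audit_log: List[AuditEntry] = []

    def view(self) -> str:
        # Default is over-redaction: everything protected starts hidden.
        return render(self.doc, self.spans, self.revealed)

    def request_reveal(self, span_index: int) -> bool:
        """Fill in one rectangle if the role's policy allows its semantic type.
        The request is logged whether or not it is granted, so the auditor can
        see who asked to see what."""
        span = self.spans[span_index]
        granted = span.sem_type in ROLE_POLICY.get(self.role, set())
        self.audit_log.append(
            AuditEntry(self.user, self.role, span_index, span.sem_type, granted)
        )
        if granted:
            self.revealed.add(span_index)
        return granted


if __name__ == "__main__":
    session = RedactionSession(SAMPLE_DOCUMENT, "u.investigator", "fraud_investigator")
    print(session.view())            # all four spans replaced by placeholders
    session.request_reveal(0)        # ask to see the applicant's name
    print(session.view())            # only span 0 filled in
    print(session.audit_log)
```

Because the default view hides every detected span, a false positive from the detector costs the reader one logged request rather than exposing anything, while a missed span is the only way data leaks silently; that asymmetry is what lets the system lean toward over-redaction as the text describes.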
In this way, redaction becomes a layer of privacy protection on top of a generic document viewer. No longer are we just blacking out text; we're controlling access to precise units of data, live, on a need-to-know basis.
Privacy and Security