Privacy is Not Security, Security Is Not Privacy3 min read
What’s privacy? If you go ask a regular person on the street if they think privacy is important chances are you will get a yes answer. Dig a little deeper and most will respond that privacy means security. If a company has spent millions to improve the security around their data doesn’t mean your data is any more private. Privacy and security are two exclusive entities in the world, they are not interchangeable but they do go hand-in-hand. Securing systems to prevent unauthorized access isn’t going to prevent the authorized users from using your data in ways that put your privacy at risk.
Privacy is an implied trust, it is also subjective, meaning it’s up to the individual to decide if something is private or not. Privacy is the method of defining who has access to what information and what can be done with the data. Security are the controls to ensure that only those that should have access are getting access. But security does nothing on how an individual uses that information.
A business can have the most secure databases in place and your data can be not-private from being used in manners other than the intended purposes. The flip side you can have a business that has very strict procedures to ensure privacy but their systems could be wide open to hackers or threats. When a big company ends up in the news for a breach that is a security breach, not necessarily a privacy breach…yet. Here’s an example of what I mean. A very large retailer has secure systems, no risks of a security breach, however they use your credit data, purchasing habits and builds a profile about you knowing who you buy, when, if you are sick, have kids, etc… Then they sell that information to other marketing services. The data is secure but your privacy is not protected between you and the retailer. This is a common occurrence and is a good picture of the difference between security and privacy. When these large retailers have publicized breaches the first have a security problem. If the hackers use the data stolen to create credit cards, track you, or use the data in any other way then you have a privacy problem.
In the health care industry, security is front and center through HIPAA and other industry regulations, but the privacy of all your health data is up to the processes, procedures and trust of all the authorized nurses, doctors, and medical staff to look at only what they need, not do searches on others or distribute that information. The security is in place, the privacy is trusted.
The discussion between security and privacy is a very intriguing one. One one hand you have the talk about keep the data locked away from prying eyes but there’s not the same focus on watching what the authorized people are doing with it. There is also a fuzzy area around businesses clearly informing customers on how their data will be used, sold, profiled, etc… Tucked away in small print Terms and Conditions probably but we don’t ready those and if we don’t agree to them we can’t get the service anyway. Interesting setup, abide by our rules or go away.
How do you think the coupons you get in the mail are coincidently what you need to buy and when you need to buy it? Big data profiling. Privacy violation or not, that’s up to you to decide.
End of Line.
Binary Blogger has spent 20 years in the Information Security space currently providing security solutions and evangelism to clients. From early web application programming, system administration, senior management to enterprise consulting I provide practical security analysis and solutions to help companies and individuals figure out HOW to be secure every day.
Follow Me On Twitter