The common explanation of the difference between Privacy and Security is that security is about “protecting” information, and privacy is about users having “control” over their information.
I believe it’s actually a trick question because Privacy is a sub-category of Security. Yes—they’re different, but everything in a sub-category is different from the parent category—that’s the reason it’s broken out. Eagles are different from birds, and chocolate cake is different from cake.
If they weren’t different we wouldn’t have different names for them.
To see how this analogy applies to Security and Privacy, let’s look at the definition of Information Security according to Wikipedia:
“The practice of protecting information by mitigating information risks.”
The key phrase there is “protecting information”, and within Information Security there’s something called the CIA Triad, which covers Confidentiality, Integrity, and Availability. Those are the three pillars of what it means to “protect” information.
The first one—confidentiality—is the key to the whole thing. It means making sure only the right people are able to access and read the information being protected.
And what is Privacy again?
It’s making sure that only the right people can collect, manage, and access someone’s personal information, with a key point being that the subject of that data is the one who should determine the policy.
Another way to write this is to say:
- Information Security is about protecting information according to a given policy.
- Privacy is protecting personal information according to a policy set by the user.
Both are about protecting data. The difference is in a specific sub-component—the policy, i.e., the expectation of how someone’s personal information is supposed to be used, and who gets to set that policy.
For Information Security proper, we protect any kind of data according to any kind of policy. With Privacy, we’re protecting a particular kind of data (personal), using a policy set by a specific person (the person the data pertains to).
That’s a difference, but it’s not as big a difference as some think it is. All Privacy problems are Security problems, but not all Security problems are Privacy problems.
Let’s look at an example.
This is a fictional service.
Let’s say someone signs up for some new health monitoring service, Health.io, with a DNA test and a mobile app that monitors fitness, etc. And let’s say that somewhere in the 40-page user agreement there was a highly-obscured clause about being allowed to collect and sell the data that was collected.
Scenario 1: They get breached, and all customer data gets put on the Dark Web.
Is that a security problem? Yes, because someone gained access to the data in a way that wasn’t allowed by the policy.
Is it a Privacy breach? Also yes, because someone accessed the data in a way that was not allowed by the user, also known as violating that policy.
Scenario 2: The company sells the data to some new overseas drug company because they’re in financial trouble, which they think they’re technically allowed to do because each user accepted the contract before starting.
Is that a Privacy breach? Yes.
Why? Because the user didn’t give adequate permission to the company to share that data, and it can be reasonably inferred that they wouldn’t have wanted them to do so.
Now here’s the big question: is it a security violation?
Of course it is.
Lawyers can argue all day about whether or not it was technically legal, but it was still wrong.
An entity gained access to someone’s personal data, and that person didn’t want the entity to have it, which is a clear violation of the confidentiality of that data—and therefore breaks CIA—and therefore qualifies as a security problem.
Information Security is protecting data—period. And that absolutely includes protecting it from being sold, copied, misused, etc., by a bunch of lawyers who try to pretend the user authorized the activity.
If the user didn’t want a thing to happen to their data, and it happened—that’s a data security problem.
Now keep in mind, this doesn’t mean privacy and security are identical.
The process of gathering acceptable use policies from users, figuring out what data exists that has to be protected according to that policy, and dealing with related government policy—these are all major endeavors. Which is why there is an entire industry focused on the problem.
But definitions matter. Ontologies matter. And clear language matters.
Protection is a very serious word, and when we say we are protecting data, we can’t somehow exclude misuse from that protection.
Privacy is part of security because confidentiality is part of security—it’s that simple.
And if none of that is convincing, consider the etymology of the word “Security”. It comes from the Latin roots of “se” (without), and “cura” (worry).
Security—at its core—is the gift of letting people relax and do their thing without fear. And when we’re talking about people’s personal data and how it’s used—that sub-category of Security is called Privacy.
- January 10th, 2019—Chad Loder has a great point, which results in this discussion, which is that if a DataBroker sells your data to China, it’s going to be hard to convince people that’s a “security” breach. To which I responded that to the user—who presumably still considers themselves the owner of the data—it would absolutely be a security problem. So the discussion just made it crystal clear that the entire issue orbits around the question of who “owns” the data. Because that’s who gets to set the policy.