Security and Privacy Are Not As Different As People Think
There’s a common belief in InfoSec circles that Security and Privacy are related, but that they’re different enough to constantly mention the distinction.
I don’t think the difference should matter much to defenders at all, and in fact if you look closely enough the distinction nearly vanishes. They are simply different aspects of the unified goal of protecting information.
Security and Privacy are both about preventing unwanted outcomes related to data.
To see what I mean, let’s look at some definitions.
So, drawing on the dozens of definitions of InfoSec it has indexed, Google summarizes it as protecting data from unauthorized use. I’d agree that’s a decent summary.
Then if we look at the overall Privacy definition we get something similar.
So, it’s the ability for someone to control how their data is shared—and presumably whether and how it’s collected in the first place as well. I also agree with that.
There’s also another red herring here around Privacy vs. Data Privacy. The original concept of Privacy is about hiding and not being made public, where Data Privacy is about participating in a digital society in a way that you feel comfortable with.
In my analysis, the only real difference here is context.
As a society and as consumers we care about controlling who has our information, and we try to make sure those trusted vendors do the right thing with it. That’s privacy in a consumer or public context.
But as a security professional—or as a security organization within a company—you are already being exposed to people’s data. The focus at that point is on doing your absolute best to make sure nobody collects or uses it in a way that’s not desirable.
And in that context there is little difference at all between Privacy and Security. In both cases you’re trying to avoid bad things happening to the data you’re protecting.
Let’s look at some scenarios to see what I mean.
And now some scenarios that security people might face.
Security professional risks
Think about how these scenarios are the same and how they’re different. In my mind, they’re all basically the same—i.e., both the consumer and the professional are trying to prevent unauthorized people from gaining access to data they care about protecting.
That’s Privacy, and it’s also Security.
As it turns out, the etymology of the word Security is quite informative. It comes from Latin, and “Se” means without, and “Cura” means worry, or concern. So providing Security for your people means they’re free to play and work and enjoy life without constantly looking over their shoulder.
The word Security breaks down as “se” and “cura”, which is Latin for “without worry”.
Without Worry is the most succinct description of the goal of security I’ve ever heard, and it applies equally to both Privacy and InfoSec. It also allows us to reduce the discussion to first principles.
There are people and organizations.
They have data they care about.
They want to control how that data is collected, used, and protected.
As security professionals it’s our job to carry that out.
We’ve just described “Data Security”. We’ve just described “InfoSec”. And we’ve also just described protecting people’s Privacy.
All these concepts reduce to avoiding negative outcomes with regard to data we’re trying to protect, so let’s stop drawing thick and sharp lines between them when there’s no reason to do so.
Thanks to my friend Peter Albert for turning me onto the Latin etymology of Security. It’s been enjoyable to track other security terms and see their original meanings, and has also prompted me to keep learning more Latin in general.
If someone knows of a reason for a clear demarcation here that I’m missing, please let me know. I’m open to being wrong about this.