Privacy & Security Are Different – Round 2
24 Dec 2019
I recently wrote a post explaining that I think Privacy & Security Are Different. Following that post I’ve received some feedback questioning my rationale. This post is a response to some of that feedback.
Privacy is part of security
A lot of the feedback I received was stating that privacy is part of security, and without security you can’t have privacy. I don’t feel that is the case. I like analogies, so let’s look at an analogy to explain how I see privacy vs security:
The bank sends a letter marked private and confidential to me. Only I should open the letter because it is private and addressed to me.
Unfortunately, my postman accidentally delivered the letter to my neighbour. Not reading the addressee, my neighbour opens the letter. My privacy has now been breached because the letter was not secured.
As you can see, data can be private, yet insecure.
A better way for my bank to ensure my privacy was maintained, would have been to send the letter to me digitally via my online banking site. Then email me to say a digital letter was waiting.
I would need to log in to my online banking before being able to read the letter. So my bank has secured my letter and maintained my privacy.
Confidentiality
A couple of people mentioned that privacy is part of security because Confidentiality is part of the CIA Triad that I mentioned in the previous post. Confidentiality and privacy are not the same thing.
The CIA triad
This post on findlaw.com explains the differences between confidentiality and privacy really well. But if you don’t want to read the post, I’ll sum up the differences below:
Confidentiality refers to personal or sensitive information that is shared with a person or group. For example medical records or a document that contains sensitive business information. The expectation is that confidential information is not shared any further without express permission.
Privacy on the other hand, refers to the freedom from intrusion into someone’s personal matters or information. For example, my neighbour not opening that letter from the bank.
So when we talk about confidentiality within the CIA triad, it’s referring to the securing of data so that only those who need to see it, see it.
That is why the letter from my bank was marked private and confidential. They are different things.
Conclusion
Hopefully this post helps clarify my position on the differences between privacy, security and confidentiality. All three are different things, albeit closely linked.
I considered editing the original post, but ultimately I feel that a second post was a better way to go.
As with all the posts I put out on this site, this is just my opinion. If you think I’m wrong, feel free to get in touch and I will be happy to discuss the matter further.