There can be no question that Security and Privacy are strongly related. It would be easier if they were the same thing. But they’re not, of course; there are differences. This blog has never shied away from stating the obvious. This post tries to enumerate the significant differences between privacy and security:
I. They come from different traditions
Security comes from a “fortifications” model. Consider this passage from Gregory of Tours’ history of the Merovingians:
Then the king ordered an army to get under way by which Munderic could be overwhelmed by force and punished. Munderic found out about it, and unable to defend himself, sought the protection of the fortress of Vitry, taking his property with him; he busied himself with its defenses with the help of those he had won over to his side. The army that had set out then invested the fortress and laid siege to it for seven days.
Munderic and his followers fought back.
“Let us be strong,” he said, “and together fight to the death without giving in to our enemies.”
When the army had cast its missiles from its positions outside the fortress to no avail, they reported the situation to the king.
The fortress, an intrusion prevention system if ever there was one, actually kept out the attackers. Gregory, writing in the middle of the 6th century A.D., was not familiar with the phrase “social engineering” but he would have recognized the concept. A representative of King Theuderic offered to put Munderic in touch with the medieval equivalent of a former Nigerian finance minister who needed his help transferring 100 million Euro (i.e., he promised him if he came out, he would not kill him). When Munderic came out, he was killed. Then, as now, technical controls are only part of keeping the enterprise and its valuables safe.
Privacy comes from a “keeping secrets” model. The Oath of Hippocrates is said to date back to about 1,000 years before Munderic sought the protection of the fortress at Vitry. It binds the healer to keep a promise:
Whatever I see or hear in the lives of my patients, whether in connection with my professional practice or not, which ought not to be spoken of outside, I will keep secret, as considering all such things to be private.
The keeper of secrets kept the secret in their head, not in a treasure chest or behind a walled fortress.
II. What is protected
Privacy does not concern itself with the individual trying to protect themselves; it is the obligation of others to protect someone’s secret.
Whether it is self-regulation, ethical codes or actual laws, privacy is based on regulations. Security may be compelled by a regulatory framework but it is motivated by the idea that we are protecting our own information or at least the information in our care.
III. Under attack
Security traditionally believes that it is “us” against “them” and “they” want to attack us. Privacy can deal with protecting celebrities from paparazzi, preventing “neighbor snooping” of medical records and trying to make sure that access is “least privileged”. Security deals with other types of attacks as well. A DDoS attack by itself is not a threat to someone’s privacy. Malware that just wipes out (or locks up) a user’s hard drive was not written to discover secrets. It was written by a bad “guy” intent on doing bad things.
IV. Under control
Privacy requires controls that security does not. And vice versa. But not for the same reason. Security needs to protect against attacks aimed at disrupting the availability of data. Privacy requires processes in place to regulate the relationship between data subjects, collectors, distributors and users. Try talking to a network security engineer about changes to the organization’s notice of privacy practices and you are likely to get the same blank stare you get if you talk to a privacy compliance analyst about allowing UDP on port 2160.
“So how did you two meet?”
The obvious answer to how privacy and security became so wrapped up with one another is that security concerns itself with the general access principle of “confidentiality” and privacy was once only about that. Privacy regulations and principles actually try to subsume security by listing security safeguards as one component of an overall privacy program.
When you separate out the “org chart” of it all (i.e., ignore who reports to whom and where they sit), you find that security and privacy professionals have one fundamental thing in common: the data. The reason the two get closer all the time is that what privacy traditionally called a “secret” and what security traditionally called “the treasure” are increasingly one and the same. Not just in terms of what is being protected, but where it is stored.
There will always be differences and there should be. If for no other reason, because we should never lose sight of the fact that protecting something is not identical to keeping a promise to keep a secret.