As a result of high-profile security breaches, privacy has been greatly diminished over the last few years. ISACA Journal volume 4 author C. Warren Axelrod, Ph.D., CISM, CISSP, discusses the way in which data privacy has changed in his article “The New Age of Near-zero Privacy.”
There seems to be a great deal of confusion as to what privacy actually is; the differences between data privacy and the right to privacy; how privacy is distinct from security, secrecy and safety; and which data should be classified as private or secret and which should not. It is useful to view privacy as a legal right and security technology as a means to achieve it.
First, one must distinguish among physical data privacy, electronic data privacy, physical privacy, secrecy, security and safety.
Privacy vs. Secrecy
In many respects, privacy and secrecy are very similar. The main difference is well expressed by Eric Hughes, as follows: “A private matter is something one doesn’t want the whole world to know, but a secret matter is something one doesn’t want anyone to know.”
Another difference is that private data must be attributable, whereas secrets may be anonymous. Further, secrets do not have to relate to persons; they can be about intellectual property, such as recipes or machine designs.
Privacy and secrecy often share the same means of protection, authentication and authorization, such as encryption. However, sometimes secrets might be accidentally disclosed along with privacy-related data, as was the case with Edward Snowden’s leaks, and might lead to dangerous information being made available to enemies as well as intended recipients. For both privacy and secrecy, those for whom the information is meant have to be carefully vetted.
Privacy vs. Security
The terms “privacy” and “security,” as they relate to personal information, are often used interchangeably. Many experts prefer to think of privacy as a legal right with security providing the means (tools, methods, policies and procedures) to ensure that the personal information is protected against unauthorized access and use.
Security vs. Safety
One set of definitions for security and safety, as they relate to software, is:
Safety-critical software—The software must not harm the world.
Security-critical software—The world must not harm the software.
Essentially, security and safety engender different cultures, with the cybersecurity professional focused on protecting systems and data from unauthorized access and use, and safety engineers concerned about what harm the system might inflict on persons or the environment were it to malfunction or fail.
Secrecy vs. Safety
Increasingly, it is becoming possible for privacy and secrecy to affect a person’s well-being. It is clear that breaches of web sites such as Ashley Madison not only damage relationships, but can lead to suicide, as was reported after users’ personal information was made public.
Given the generally observed apathy of many of those whose information has been compromised (which might result from the enormity of the problem and the lack of confidence that it can be eliminated), there seems to be little hope of a major effort to raise data privacy to a level that will motivate a response large enough to make a difference. If that is indeed the case, then individuals will continue to be inconvenienced by the aftermath of data breaches, companies will still absorb the resulting losses as a cost of doing business, and governments will persist in taking ineffectual potshots at perpetrators of fraud and other crimes. Thus, the acceptance of increasing violations of electronic and physical privacy will grow and little will be done.
The hope is that the immense cost to individuals, organizations and society at large of repeated privacy abuses is recognized and that awareness is raised, not only of the resultant losses, but also of the fact that the challenge can be met if there is enough resolve to take it on.