It seems as if everyone is talking about privacy – or wait, is it security? First there was the WikiLeaks data leak by Julian Assange; then there was the NSA data leak by Edward Snowden which brought to light the NSA’s spying on American citizens; and most recently, several customer data breaches in the retail industry.
According to Wikipedia, privacy is “the ability of an individual or group to seclude themselves or information about themselves and thereby reveal themselves selectively.”
In simple terms, privacy amounts to the ability of an individual or group to control what data, or in tech terms, personally identifiable information (PII), is given to an organization, specifically data collection agencies or companies.
I usually give the following example about privacy to my students. “Privacy is when somebody comes up to you and asks to borrow five dollars. You have five ones in your pocket but you tell the individual that you only have two dollars. You give two dollars and keep the other three. Or, somebody asks for five dollars, but you say that you have no money. You keep the information that you have five dollars to yourself.”
Of course with websites like Spokeo.com and WhitePages.com – and with the massive amounts of data gathering they do – the person who asks you for five dollars probably already knows you have five dollars, and knows that you’re lying if you say that you don’t have any money.
Here’s another example of how our privacy has been eroded – this story first appeared in both The New York Times and Forbes back in 2012. A girl purchased a variety of products at a general merchandise store over time, but thanks to data mining, the store sent her baby-related sale coupons. The store was able to postulate that she was pregnant before even she knew she was pregnant. The story appeared in mainstream media pubs (The New York Times and Forbes), not information security pubs, so the positive result is that people are becoming more aware of the value of their personal information.
However, many people bring privacy breaches upon themselves. I’ve seen snail mail addresses, phone numbers, and birthdates on Facebook. There is no possible way that people can expect privacy when those types of data are posted out in the open. Public data is mined and can be harvested, packaged, and sold to anyone. The data can then be resold to advertisers who want to entice you to buy their products.
According to Wikipedia, security is “the degree of resistance to, or protection from, harm. It applies to any vulnerable and valuable asset, such as a person, dwelling, community, nation, or organization. Security (also known as cybersecurity) is information security as applied to computers and computer networks and data. The field covers all the processes and mechanisms by which computer-based equipment, information and services are protected from unintended or unauthorized access, change or destruction.”
The three tenets or cornerstones of security are confidentiality, integrity, and accessibility. Based on my experience, security is different from privacy in that security is the protection of information from theft. While others might disagree with me, a breach of any type, network or computer, leads to the theft of some type of information, whether it’s the physical theft or the corruption of information. Unplanned events, both natural and man-made disasters, are part of the security umbrella because they can lead to loss of accessibility to data, which is part of the three tenets of security.
Back to the example I began about the five dollars. Here’s how I explain security: Somebody tries to rob you of the five dollars in your pocket. A police officer arrests the man who stole your five dollars, whether right after he gets away, months later, or years later. And sometimes, security is keeping the money in a plastic bag zipped in your pocket while it’s in a washing machine. When you take your pants out of the washing machine, your five dollar bills are still in good shape. This may be a simplistic explanation, but sometimes, simplicity makes the concept understandable.
Businesses are hit from both sides: people and computers trying to breach your privacy as well as those trying to breach your security. It could be argued that businesses should have no expectation of privacy, but specific industries and compliance requirements will determine how much privacy protection is required (for example, banking, government, healthcare, etc.). Security is another issue. All businesses are required to take appropriate security measures regardless of size or industry.
Memorize this reminder: Privacy is a matter of what you are willing to give while security is what someone – whether group, person, entity, disaster – is trying to take from you.
Article in NY Times: How Companies Learn Your Secrets
Image Credit: Stuart Miles via FreeDigitalPhotos.net
This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. I’ve been compensated to contribute to this program, but the opinions expressed in this post are my own and don’t necessarily represent IBM’s positions, strategies or opinions.