Similar but different.
Security: protection from harm
Privacy: protection from being observed or identified
You can have one without the other, but they often go together.
A little table of differences:
Security | Privacy |
---|---|
Goal is protection from harm | Goal is protection from being observed or identified |
Emphasizes confidentiality of data | Emphasizes confidentiality of persons |
Focused more on what people can and cannot access within an application or system | Focused more on ensuring that certain information within a disseminated dataset is anonymized, de-identified, or withheld |
Security Rules defined and set by the system (via roles and permissions) | Privacy Preferences set and controlled by the users themselves |
One of the areas in which security and privacy intersect is the User Enumeration attack on a site on which users do not want others to know they have an account. Troy Hunt has a video explaining user account enumeration with a couple of those...uh...sites used as examples.
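The following added example (not from the original page or from Troy Hunt's video) contrasts login and password-reset handlers that reveal whether an address is registered with versions that answer identically either way. The handler names, the in-memory account store and the sample addresses are constructed for illustration.

```python
import hashlib, hmac, os

def _hash(password, salt):
    # Iteration count kept low so the demo runs quickly; use a tuned value in production.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

# Constructed sample account store: email -> (salt, password hash).
_SALT = os.urandom(16)
USERS = {"alice@example.com": (_SALT, _hash("correct horse", _SALT))}
# Dummy credentials so an unknown address costs the same hashing work as a real one.
_DUMMY_SALT = os.urandom(16)
_DUMMY = (_DUMMY_SALT, _hash("not a real password", _DUMMY_SALT))

def login_leaky(email, password):
    """Distinct status and message reveal whether the account exists."""
    if email not in USERS:
        return 404, "No account with that email"
    salt, stored = USERS[email]
    if not hmac.compare_digest(_hash(password, salt), stored):
        return 401, "Wrong password"
    return 200, "Welcome"

def login_uniform(email, password):
    """Same status, message and hashing work whether or not the account exists."""
    salt, stored = USERS.get(email, _DUMMY)
    ok = hmac.compare_digest(_hash(password, salt), stored) and email in USERS
    return (200, "Welcome") if ok else (401, "Invalid email or password")

def reset_leaky(email):
    """Password reset that confirms or denies registration to anyone who asks."""
    if email not in USERS:
        return 404, "Unknown email address"
    return 200, "Reset link sent"

def reset_uniform(email, outbox):
    """Always answers the same; only a registered address actually gets mail."""
    if email in USERS:
        outbox.append(email)  # stand-in for sending the reset email
    return 200, "If that address has an account, a reset link has been sent"

def leaks_membership(handler, known, unknown, *extra):
    """True when a registered and an unregistered address get different responses."""
    return handler(known, *extra) != handler(unknown, *extra)
```

`leaks_membership` can be reused as a regression check against any handler that takes an email address, including registration and "resend confirmation" endpoints.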
Let’s ask ChatGPT for some differences, in the form of a rap battle:
Just like security, privacy can apply to both persons and organizations.
What kinds of things might a person have an expectation of privacy for?
People should expect PII (Personally Identifiable Information), namely data that someone can use to infer the identity of a person, to be (very) private.
Start at the Wikipedia article on Privacy and the article on Information Privacy.
How do we prevent leaks of PII or other information with an expectation of privacy? A web search for “how to safeguard PII” will lead you to a large number of articles and reports.
Read about the right to be forgotten (RTBF) at Wikipedia.
This is a huge subfield! It is concerned with how one can disseminate or share information about people or groups of people without consumers being able to ascribe attributes to individuals in the dataset.
Read about it at Wikipedia.
And please go through this excellent presentation on differential privacy by Jordan Freitas.
A privacy policy is a document that lays out in detail which data an organization will collect from its visitors or customers, and how it will store it and keep it safe—or not.
If you are looking to create your own privacy policy, there are plenty of folks that will give you a template and many in the business of helping you craft it properly.
A Fun Read
The New York Times reviewed 150 of these and found them to be “an Incomprehensible Disaster.”
Pretty Good Privacy (PGP) is a classic program (written in 1991) for securing email and lots of other data.
PGP follows the OpenPGP standard.
There’s a Wikipedia article on OpenPGP.
Read about the European Union’s General Data Protection Regulation at Wikipedia.
Read Troy Hunt’s post about it.
We’ve covered: