Privacy

How is privacy similar to and different from security? What do we need to know about this important topic?

Privacy vs. Security

Similar but different.

Security

Protection from harm

Privacy

Protection from being observed or identified

You can have one without the other, but they often go together.

Exercise: Give examples of security and privacy assisting each other.
Exercise: Give examples of security and privacy being independent from each other.
Exercise: Give examples of security and privacy being in opposition to each other.

A little table of differences:

  Security: the goal is protection from harm.
  Privacy: the goal is protection from being observed or identified.

  Security: emphasizes confidentiality of data.
  Privacy: emphasizes confidentiality of persons.

  Security: focused more on what people can and cannot access within an application or system.
  Privacy: focused more on ensuring that certain information within a disseminated dataset is anonymized, de-identified, or withheld.

  Security: rules are defined and set by the system (via roles and permissions).
  Privacy: preferences are set and controlled by the users themselves.

One of the areas in which security and privacy intersect is the user enumeration attack. A site on which users do not want others to know they have an account still has to answer login, registration and password-reset requests, and if its responses differ between "that address is registered" and "it is not" (a different error message, status code, or even response time), anyone can submit an address and learn whether that person is a member. Troy Hunt has a video explaining user account enumeration with a couple of those...uh...sites used as examples.
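To make the attack and the fix concrete, here is an added example (not code from the page, from Troy Hunt, or from any real site) of a password-reset handler written two ways, plus the probe an attacker would run against it. The membership list, the server key, and the handler and helper names are all constructed for the illustration.

```python
"""Account enumeration through a password-reset endpoint: a leaky handler beside a uniform one."""
import hashlib
import hmac
import secrets

# Constructed membership list for this example; these are not real accounts.
REGISTERED = {"alice@example.com", "bob@example.com"}
SERVER_KEY = b"constructed-server-secret"   # hypothetical key used to mint reset tokens


def _lookup_user(address):
    """Stand-in for the database lookup: returns the account or None."""
    return address.lower() if address.lower() in REGISTERED else None


def _mint_token(address):
    """Stand-in for generating a reset token (keyed hash of the address)."""
    return hmac.new(SERVER_KEY, address.lower().encode(), hashlib.sha256).hexdigest()


def _send_reset_email(address, token):
    """Stand-in for the mailer; a real handler would queue a message here."""
    return None


def reset_password_leaky(address):
    """Vulnerable handler: status code and message differ for registered vs unknown addresses."""
    user = _lookup_user(address)
    if user is None:
        return 404, "No account exists for that email address."
    _send_reset_email(user, _mint_token(user))
    return 200, "A password reset link has been sent to your email address."


def reset_password_uniform(address):
    """Hardened handler: same status, same message, and the same work whether or not the address exists."""
    user = _lookup_user(address)
    token = _mint_token(address)   # always do the expensive step so response time does not leak either
    if user is not None:
        _send_reset_email(user, token)
    return 200, "If that address is registered, a password reset link has been sent."


def enumerate_accounts(handler, candidates):
    """Attacker's probe: any candidate whose response differs from a known-bogus address is registered."""
    baseline = handler("nobody-" + secrets.token_hex(8) + "@example.com")
    return {addr for addr in candidates if handler(addr) != baseline}


if __name__ == "__main__":
    guesses = ["alice@example.com", "carol@example.com", "bob@example.com"]
    print("leaky endpoint reveals:  ", enumerate_accounts(reset_password_leaky, guesses))
    print("uniform endpoint reveals:", enumerate_accounts(reset_password_uniform, guesses))
```

The same treatment applies to login ("invalid username or password" rather than "no such user") and to registration, where the usual pattern is to accept the form and deliver any "this address already has an account" notice by email instead of on the page. The residual timing channel is why the hardened handler mints a token on every request rather than only for real accounts.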

Let’s ask ChatGPT for some differences, in the form of a rap battle:

privacy-security-rap.png

Information Privacy

Just like security, privacy can apply to both persons and organizations.

What kinds of things might a person have an expectation of privacy for?

People should expect Personally Identifiable Information (PII), meaning data that can be used, alone or in combination with other data, to identify a specific person (a name, an email address, or a government ID number, but also something like a birth date together with a ZIP code), to be treated as (very) private.

General Resources

Start at the Wikipedia article on Privacy and the article on Information Privacy.

Topics in Information Privacy

Information Safeguards

How do we prevent leaks of PII or other information with an expectation of privacy? A web search for “how to safeguard PII” will lead you to a large number of articles and reports.

Exercise: Collect a number of best practices for protecting PII.
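One safeguard that comes up in nearly every such list is to keep PII out of logs and exported datasets. The following is an added example (not from the page or any cited source) showing two of the standard techniques on constructed log lines: redacting identifiers that no downstream consumer needs, and pseudonymizing identifiers that analysts still need for correlating events, using a keyed HMAC rather than a bare hash. The log lines, key, and function names are all made up for the illustration.

```python
"""Keeping PII out of application logs: redaction and keyed pseudonymization of identifiers."""
import hashlib
import hmac
import re

# Constructed log lines for the example (no real people; 123-45-6789 is a well-known dummy SSN).
LOG_LINES = [
    "2024-03-01T10:00:00Z login ok user=alice@example.com ip=203.0.113.7",
    "2024-03-01T10:00:05Z ticket opened by bob@example.org ssn=123-45-6789",
    "2024-03-01T10:00:09Z password changed user=Alice@Example.com",
]

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Hypothetical pseudonymization key; in production it lives in a secrets manager, never beside the logs.
PSEUDONYM_KEY = b"constructed-32-byte-key-for-demo"


def pseudonymize_naive(value):
    """Weak: an unkeyed hash. Anyone with a list of candidate emails can recompute and match it."""
    return hashlib.sha256(value.lower().encode()).hexdigest()[:16]


def pseudonymize_keyed(value, key):
    """Stronger: HMAC under a secret key. Without the key, candidates cannot be hashed and compared."""
    return hmac.new(key, value.lower().encode(), hashlib.sha256).hexdigest()[:16]


def redact_line(line, key):
    """Drop identifiers nobody downstream needs (SSN); pseudonymize ones needed for correlation (email)."""
    line = SSN_RE.sub("[SSN]", line)
    return EMAIL_RE.sub(lambda m: "pseud:" + pseudonymize_keyed(m.group(0), key), line)


def dictionary_attack(token, candidates, pseudonymize):
    """Attacker holding a guessed list of identifiers tries to reverse a token by recomputing it."""
    for candidate in candidates:
        if pseudonymize(candidate) == token:
            return candidate
    return None


if __name__ == "__main__":
    for line in LOG_LINES:
        print(redact_line(line, PSEUDONYM_KEY))
    guesses = ["carol@example.net", "alice@example.com", "bob@example.org"]
    naive = pseudonymize_naive("alice@example.com")
    keyed = pseudonymize_keyed("alice@example.com", PSEUDONYM_KEY)
    print("naive token reversed to:", dictionary_attack(naive, guesses, pseudonymize_naive))
    print("keyed token reversed to:", dictionary_attack(keyed, guesses, pseudonymize_naive))
```

Two design points worth noticing: the email is lowercased before hashing, so the same person gets the same pseudonym across lines and analysts can still follow a user's session; and the pseudonym is keyed, because email addresses and phone numbers have so little entropy that an unkeyed SHA-256 of them is reversed in seconds by hashing a list of guesses. Rotating or destroying the key is then what makes the dataset truly de-identified.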

Right to be Forgotten

Read about the right to be forgotten (RTBF) at Wikipedia.

Differential Privacy

This is a huge subfield! It is concerned with how one can disseminate or share statistics about people or groups of people without consumers of the result being able to ascribe attributes to any individual in the dataset. The formal guarantee is that the released result is almost equally likely (within a factor of e^ε, for a chosen privacy parameter ε) whether or not any one person's record is included, so the output reveals very little about any single individual.

Read about it at Wikipedia.

And please go through this excellent presentation on differential privacy by Jordan Freitas.
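To see the guarantee in working code, here is an added example (not from the page or from the presentation) of the Laplace mechanism applied to a counting query over a constructed dataset. It releases a noisy count, and then checks numerically that no released value is more than e^ε times more likely under the full dataset than under the dataset with one person removed, while datasets that differ in several people do not enjoy that bound. The dataset, ε, and all function names are assumptions made for the illustration.

```python
"""Differential privacy for a counting query: the Laplace mechanism and its epsilon guarantee."""
import math
import random

# Constructed dataset: each record is one person; the sensitive attribute is whether they smoke.
PEOPLE = [
    {"name": "p1", "age": 34, "smoker": True},
    {"name": "p2", "age": 51, "smoker": False},
    {"name": "p3", "age": 27, "smoker": True},
    {"name": "p4", "age": 45, "smoker": False},
    {"name": "p5", "age": 62, "smoker": True},
]


def count_smokers(records):
    """The exact query. Adding or removing one person changes it by at most 1, so sensitivity = 1."""
    return sum(1 for r in records if r["smoker"])


COUNT_SENSITIVITY = 1


def laplace_noise(scale, rng):
    """Laplace(0, scale) sample, built as the difference of two exponentials with mean `scale`."""
    return rng.expovariate(1.0 / scale) - rng.expovariate(1.0 / scale)


def laplace_mechanism(true_value, sensitivity, epsilon, rng):
    """epsilon-DP release of a numeric query: add Laplace noise with scale sensitivity/epsilon."""
    return true_value + laplace_noise(sensitivity / epsilon, rng)


def laplace_pdf(x, scale):
    """Density of Laplace(0, scale) at x."""
    return math.exp(-abs(x) / scale) / (2 * scale)


def max_likelihood_ratio(value_a, value_b, sensitivity, epsilon, outputs):
    """Largest factor by which any output in `outputs` is more likely under dataset A than B.

    For neighbouring datasets (|value_a - value_b| <= sensitivity) this never exceeds e^epsilon.
    """
    scale = sensitivity / epsilon
    return max(laplace_pdf(y - value_a, scale) / laplace_pdf(y - value_b, scale) for y in outputs)


def mean_release(true_value, sensitivity, epsilon, trials, seed):
    """Average of many independent releases: the noise is unbiased, so utility survives in aggregate."""
    rng = random.Random(seed)
    return sum(laplace_mechanism(true_value, sensitivity, epsilon, rng) for _ in range(trials)) / trials


if __name__ == "__main__":
    epsilon = 0.5
    rng = random.Random(1)
    full, without_p5 = count_smokers(PEOPLE), count_smokers(PEOPLE[:-1])
    print("exact counts (with p5, without p5):", full, without_p5)
    print("three noisy releases of the full count:",
          [round(laplace_mechanism(full, COUNT_SENSITIVITY, epsilon, rng), 2) for _ in range(3)])
    grid = [i / 10 for i in range(-100, 150)]
    print("max likelihood ratio, neighbours:", max_likelihood_ratio(full, without_p5, 1, epsilon, grid),
          "<= e^eps =", math.exp(epsilon))
    print("max likelihood ratio, 3 people removed:", max_likelihood_ratio(full, 0, 1, epsilon, grid))
```

The ratio check is the whole point: whether or not p5's record is in the data, every possible released value is within a factor e^ε of equally likely, so an observer cannot tell from the output whether p5 was counted. Releasing the same count twice spends the budget twice (basic composition gives 2ε), which is why real deployments track a cumulative privacy budget rather than a per-query ε.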

Privacy Policies

A privacy policy is a document that lays out in detail which data an organization will collect from its visitors or customers, and how it will store it and keep it safe—or not.

If you are looking to create your own privacy policy, there are plenty of folks that will give you a template and many in the business of helping you craft it properly.

A Fun Read

The New York Times reviewed 150 of these and found them to be “an Incomprehensible Disaster.”

Case Studies

PGP

Pretty Good Privacy (PGP) is a classic program (written by Phil Zimmermann in 1991) for securing email and lots of other data.

PGP follows the OpenPGP standard (RFC 4880), which other tools such as GnuPG also implement, so keys and messages interoperate between them.

There’s a Wikipedia article on OpenPGP.

GDPR

Read about the European Union’s General Data Protection Regulation at Wikipedia.

Read Troy Hunt’s post about it.

Summary

We’ve covered:

  • Differences between privacy and security
  • Information with an expectation of privacy
  • PII
  • Topics in information privacy
  • Two case studies