Privacy and Security, Though Distinct Concepts, Are Interdependent

Security and Privacy are often used interchangeably but they are distinct. It’s important, though, that we understand the difference so that we know how to protect ourselves and what to do if things go awry.

Security protects our information from those whom we don’t want to have it. Privacy keeps those who legitimately have our information from misusing it or collecting what we don’t want them to have.

Alternatively, Security keeps us safe; Privacy helps us maintain sovereignty and control.

Security does not itself provide Privacy and the reverse is also true. They need to work in tandem to safeguard our digital well-being. In this piece, I dive deeper into the differences between Security and Privacy and more importantly, what you can do to protect yourself in an ever more digital world.

Security is hard…

Security is often technical, usually hard in the details, and needs to be implemented in layers. Bad security implementation can be worse than no security insofar as it provides a false sense of being safe.

Some of the security technologies in the public-eye now are encryption and Multi-Factor-Authentication (MFA). Encryption makes data unreadable unless you have the key – but can be broken if it’s poorly implemented or if keys are not themselves stored securely. MFA helps us make accessing systems more secure by adding extra layers of security on top of a password. Usually, this other factor is either something only we have (like a USB fob or an authenticator app on your phone) or something only we are (like an iris scan or a thumbprint).

As an individual, you can help secure your digital self by:

• Making sure you use strong encryption when communicating with others such as on messaging apps, websites, video & voice calls, and over email.
• Turn on MFA everywhere it’s offered (for instance, Amazon offers this if you shop there) and choose authenticator apps over text messages where possible.
• Use a different password for every app and website, making use of a Password Manager to generate secure passwords that can’t be guessed and keep track of them, so you don’t need to individually remember each one
• Only install apps on your smartphone and computer that you trust and allow each app access to as little data as possible. Whether you are on Apple’s iOS or MacOS, have an Android phone or a Windows computer, knowing where the security settings are can go a long way to helping you keep apps and unwanted intruders in check

There’s not enough room here to go into building a secure infrastructure as a business, however, one thing you may not be doing is regular reviews and updates to the organization's cybersecurity approach and implementation with a cross-functional team.

Make time at several points in the year to test your organization's readiness for a cyber incident or breach – this means testing both technical and human elements (see below). Look for independent advice, and support, to plan and execute a thorough test for both resisting a breach and how you respond in the unfortunate event one occurs.

…and its not just about technology

However, as much as security is often seen through technology and tools, the weakest links in our security are often people and our own behaviors – it’s as much a mindset as a toolbox. Many ‘hacks’ that we hear about are often not down to a bad actor breaking the technical security with programming wizardry, but to them manipulating people into revealing their passwords or doing something they shouldn’t – this has been the actual cause of several high-profile breaches in the last few months like the Uber and Twilio/Cloudflare breaches.

A few steps to take are:

• Never give out any password or PIN to anyone over the phone or text that you did not contact first. Most banks now have processes in place, so you do not have to reveal whole PINs or passwords for them
• Don’t download any email attachments you were not expecting
• Don’t let anyone install any software on your machine that you don’t understand or haven’t asked for
• Always verify the identity of anyone asking you to take any actions – for instance, if someone in either a personal or work context asks you to send documents or money or do something in a system

Privacy is about respect and sovereignty

Privacy would be difficult to have without security but is primarily about human rules, ethics, and procedures as to how we handle, respect, and value data (albeit enabled by technology). Maintaining your privacy means you retain control over the use of your data and sovereignty over the decisions made using it.

Even the best security doesn’t necessarily provide you any Privacy on its own. Whoever has your data and is keeping it safe still needs to have strong rules and processes regarding:

• how they use it / what they use it for
• transparency – i.e., tell you everything they are doing with it
• not collecting more data on you than they should have for what they are doing for you.

For an organization or business to respect individuals’ privacy requires them to have a culture that inspires their people to have the right mindset. The most respectful organizations encourage their people to consider the impact of their work on end users, including only collecting what’s necessary.

Conversely, we have organizations with poor Privacy behaviors who consider it their right to have any piece of data about you, conceal what their collecting, and use it in ways that only benefit and enrich them. In the worse cases, there are consequences like the Cambridge Analytica or Ring Doorbell footage scandals.

Privacy is so important that governments are becoming involved with regulations like GDPR in Europe and the CCPA in California, serving as best practice models for privacy laws being progressively introduced around the world. However, laws alone don’t protect you – they offer a backstop for the prosecution of egregious offenders but there are still organizations out there that push the envelope to see what they can get away with or simply disregard regulations until they get caught. We all need to take steps to safeguard our privacy.

As an individual, you can:

Do a Digital De-Clutter

• Uninstall apps you no longer use – just having them installed means they may be able to collect data from you
• Unsubscribe from newsletters and email alerts you no longer need
• Delete any unnecessary old records or files from your drives or cloud storage

Clean up your online presence

• Review privacy and security settings on accounts you use (personal & business)
• Check what information you have entered on different sites – keep as little information on there as possible. If they seem to insist on entering personal details that they obviously don’t need like birthdays and phone numbers, don’t use your real ones.
• Clean up your social media presence by deleting old or unnecessary photos and by deleting accounts no longer in use

Be aware of how your information is used

• Make sure you understand the Privacy Policy of any services you use. Particularly, look at ‘free’ services and websites that may be using your data to make money
• If you’re not sure what information an organization holds on you, put in a request for them to provide you with what they have
• Consider using services that are privacy first or where privacy is their prime objective e.g., DuckDuckGo
• Be careful when being asked to provide ‘consent’. Make sure you understand how you can revoke your consent and whether that consent will enable your data to be shared with others
• As individuals, we can work to improve the ownership and sovereignty of our data by lobbying authorities to be tighter on when and how consent is used as a basis for processing. We can also let our regulators know we want them to be much stricter on deciding that when consent is used it is only on a demonstrably informed basis and our data is not forever in the hands of those whom we did not intend it to be.

As a business consider your Privacy stance and whether you are a Privacy-first organization. Conduct a proper review of what data your business collects and stores. Assess whether you need that information for a real and specific business purpose such as the information being central to the service you are providing. If you don't need the data you have collected, safely dispose of the information, and stop collecting it.

If you are a commercial organization using consent as a basis for processing, you can help the community improve its data sovereignty by moving away from consent as your basis and looking to offer a service as an equal exchange. If your organization cannot move away from consent, consider helping by improving the transparency of what you are doing with peoples’ data, ensuring everyone has received a proper privacy notice.

Being privacy-first and directly connected to individuals whose data is in your care can seriously improve your data quality and lead to better and more effective use of data.

Imagine that a privacy-first organization is one that

• only has data it understands well
• has more reliable data because of how it is sourced
• has better quality data because the individuals they serve have access to their data and can be part of keeping it up to date

Two concepts, working together for a better environment

We’ve seen how Privacy and Security are different in what they provide and how they are provided to us and that we need them both. We’ve looked at how we can take steps, as organizations and individuals, to be more secure and safeguard our privacy. Lastly, we saw how being privacy-first can provide real benefits to data-dependent organizations by building a connection with people. In contrast, a world without the protections offered by good security practices and a privacy-first mindset can lead to lasting harm done to individuals.

We can all work together to keep our data secure and give people control over their data, but only if we know all the moving parts that make it up and we approach them in the right way.

Also published here.

About the Author

John Michaelides, is a Data Privacy, Security, and Ethics Senior Principal with Slalom UK, a progressive consulting firm pioneering Modern Culture of Data and AI for All.