Which Is It: Privacy vs. Security, or Privacy and Security?

Posted on by Christopher Burgess

The age-old question: is it "privacy vs. security" or "privacy and security"? This year, we’ve seen data breach after data breach affecting companies of all sizes and across all industries. We’ve also seen victims grapple with privacy headaches in the aftermath. It would seem, then, that security and privacy are intertwined. But when considering the users and how they interact with company data, the two don’t seem to be hand-in-hand.

Keep It Secret From Yourself

The frontend of every company's website is designed to identify and provide data on qualified leads, and to move those leads into the sales funnel. Marketing teams use content to encourage users to provide their private information in exchange for something the company is offering.

In exchange, users expect the company will protect the collected private information . George Orwell wrote in 1984, "If you want to keep a secret, you must also hide it from yourself." So based on that, is your customer-facing infrastructure designed to keep the customer's information secret? Is it secret even from yourself? Orwell was on to something. He was advocating "TNO"—Trust No One.

Trust No One

The doctrine of TNO covers the same ground as the  "privacy vs. security, or privacy and security" discussions. A US court recently ordered Microsoft to provide the contents of a customer's e-mail account, even though the data was stored on a mail server located in another country. National laws sometimes muddle expectations. If the data in the customer's e-mail account is world-readable, there should be no assumption of privacy by both the customer and the service provider.

The service provider can’t just maintain secure infrastructure. Content encryption, with the customer holding the keys used to encode the content, helps maintain privacy. The user needs to realize the headers, footers, and metadata of the files will always be legally available for review. However, the revelation of the content should be in the hands of the data's owner.

There is a cost. Implementing a capability that guarantees privacy and security will cause "free" services to quickly shut down. Advertising revenue drives the search engines and free e-mail services of the world. Those free services would cease to exist if advertisers could no longer scan e-mail content to display appropriate ads.

Less Privacy for the Greater Good?

There are those who will advocate that maintaining overall security—but sacrificing a bit of privacy—might be in the interest of the greater good. In Houston, Texas, for example, Google's algorithm recently discovered that an individual was sharing illegal images, and the company turned that information over to law enforcement. The company did the same thing to an individual in New Mexico, who also was trafficking illegal images, a month earlier. Had it not been for automated scanning to drive ads, these criminals may still be engaging in illegal behavior.

With My Consent

We can actually have it both ways. Consensual sharing, utilized by the likes of tech giants such as Facebook, Google, Microsoft, and a plethora of others bury the details in the site. Transparency with how a customer's data is being protected and shared is crucial to suppliers and manufacturers. As for the user, when you review those terms of service or privacy statements, take a moment and search for share. This will reveal how your information is shared with others, and then you can make an educated decision as to whether or not you have privacy vs. security, or privacy and security.

Christopher Burgess

, Prevendra Inc.



Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment.  Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA® Conference, RSA Security LLC or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.

Share With Your Community