Security is often described as a combination of Confidentiality, Integrity and Availability of information. Privacy is another way of looking at Confidentiality. So yes, it is a component of Security.

Regards

Javed

posted June 30, 2007

I think privacy and security are opposite sides of the same coin. If I give you my personally identifiable information, I expect you to keep it private where as from your perspective, you will keep it secure.

posted June 30, 2007

I think it's important to define what you mean by security and privacy first. For example, in the context of protecting personal or other sensitive information, security PROTECTS privacy by: (a) ensuring the integrity of information; (b) controlling access to information; (c) tracking actions and behavior to be able to detect misuse and identify the perpetrator (accountability). You can't protect privacy without security, but security can also violate privacy in tracking actions.

But fundamentally I don't see privacy and security as directly comparable. Privacy is a cultural value, a principle and a societal underpinning. Security is a means (often a risk assessment) by which we achieve privacy or ensure the integrity of our resources (or of our own safety).

posted July 1, 2007

I agree with Kent, Privacy and Security are not directly comparable, but may be complimentary. In reality, far too often Privacy is not seen as a concern.

I have a friend who is a data protection officer in Germany, and she regularly has problems with IT people who think that secure data is private data, when in fact they are two very different things. The penalties for not understanding this point are quite severe.

To illustrate the differences between Privacy (and the Expectation of Privacy) and security, take for instance the Open Skies deal between the EU and the USA which governs trans-Atlantic flights. The American government data-mines the PNR without any privacy guarantees which is in breach of EU law (see Outlaw article, link attached). The DHS in fact broke it's own rules on how to handle this data (see DHS report, linked below) and has publicly stated that it will be sharing this data with commercial data-mining operators. So now my private details are on any number of commercial databases in the US. Secure, perhaps, but private? Absolutely not.

Another example is the US datamining of SWIFT international financial transactions. See attached outlaw article. Again, now my private financial details are spread on various servers in the US and I have no right to privacy.

Links:

• http://www.out-law.com/default.aspx?page=7626
• http://www.dhs.gov/xlibrary/assets/privacy/privacy-secure-flight-122006.pdf
• http://www.out-law.com/default.aspx?page=7912

posted July 2, 2007

Wole,
While security is traditionally represented using CIA (Confidentiality, Integrity, Availability), there is one more component - Compliance.
Compliance is being in line with policies/ rules/ laws and regulations.

While confidentiality overlaps to some extent with privacy (Information should be visible only to the authorised/ need basis), privacy has an additional connotation or protection of sensitive personal details which should also be considered in the light of the Compliance aspect [e.g. If my policy assures my users that I can be trusted with their personal sensitive information, then compliance with this policy will require me to give high value to privacy of the data I collect]

Further as I said in response to another of your questions, 'Trust' within two parties (B2B / B2C even C2C) is built on the foundation of 'PAIN' [Privacy / Authentication / Integrity / Non-repudiation], which is again considering the privacy of the information shared from any third party.

Hope this helps.
Best Regards
Gautam

Links:

• http://www.isaca.org/cobit

posted July 5, 2007

No. For one thing, privacy entails individual choice and control over who may know what about a person, and the uses to which that knowledge may be put.

To illustrate the breadth of the notion of "privacy:" In US common law, privacy torts (grounds for lawsuits) include: intrusion into a person's solitude, private affairs, or concerns; placing an individual in a "false light;" publication of (true) private facts about a (nonpublic) person; and commercial appropriation of a person's identify, name, voice, or likeness.

Security may be used to implement aspects of privacy -- for example, the responsibility of data owners to protect personally identifiable information from unauthorized access (the security attribute of confidentiality).

posted July 5, 2007

It is probably better viewed that security is an attribute of privacy.

Privacy involves the the freedom of an individual to be able to take actions and participate in activities without having to disclose personally identifiable data, OR, to the extent that it is necessary to disclose some data, that the individual has control over how that data is subsequently used and how long it is maintained.

One element that helps in this endeavor is security, but privacy is not guaranteed by the implementation of secure processes. It is guaranteed by the control that the individual in question has over the acquisition, maintenance and disposal of the data that identifies them and their movements.

posted July 6, 2007

Good afternoon Wole,

Privacy is a specific metric and security is an holistic metric. Privacy can be measured in term of compliance with regards to two specifics set of control which are classification/labelling of information and confidentiality of those information.

It is nearly impossible to demonstrate that privacy related material is adequatly protected if you do not know precisely what are those information, where they are located, how and by whom they are accessed.

Assuming that the objective of security is to insure an adequate level 0confidentialy, availability and integrity of an asset, we can therefore say that privacy can only be measured if we track security, making security an underlying condition of privacy assurance.

Last but not the least, privacy focus on a subset of data and asset that are typically regulated and that needs a specific level of security while security covers all the asset and data up to a different level based on the risks and business requirements for those assets and data.

I hope this will help you make your mind around privacy vs. security.
Martin Dion (CISM/CISSP)
ISO:27001 Lead Auditor and Trainer
CTO @ Above Security

posted January 23, 2009

there is the security acronym: PAIN

P ... privacy
I ... integrity
A ... authentication
N ... non-repudiation

lots of existing security, related to idenity theft ... is not disclosing privacy information.

we had been tangentially involved with the cal. breach notification legislation. we had been called in to help word-smith the electronic signature act and several of the parties were also heavily involved in privacy issues. the had done detailed, in-depth consumer privacy studies ... and the number one consumer privacy issue was "identity theft" ... a lot of which involved crooks using harvested financial information from breaches to perform fraudulent transactions ... which there was little or nothing being done about. They seemed to believe that the publicity from breach notifications would motivate countermeasures.

Later we were invited to co-author the x9 financial x9.99 privacy standard .... which required taking into account things like GLBA, HIPPA, and EU-DPD. For that effort, i did a privacy subset of the merge security taxonomy & glossary ... reference here
http://www.garlic.com/~lynn/index.html#glosnote

Links:

• http://www.garlic.com/~lynn/index.html#glosnote
• http://www.garlic.com/~lynn/x959.html#x959

posted January 25, 2009