Understanding the security in isolation is easy. Understanding Privacy is confusing. Can both exist independently? Are they interdependent? Usually, Privacy and Security are used interchangeably and it is difficult for a common person to understand the differences and distinctions between the two. Because it is a very thin-line difference. Well, let us understand what is the difference between Privacy & Security. Why does it matter today to understand that difference?
I will start with a personal example from my life, which might help us set the context.
It’s an almost five-year-old story. I was out of the country on a long-term business assignment and I was living with my partner in London. Though we were in a live-in relationship for almost a year, we had our own private lives. I was the person of “going slow” nature, but he was impatient I think. Just like Google, he wanted to know everything about me as early as he could. I wanted to take some time to fully trust him before I could be more vulnerable in front of him.
He had the opinion that whenever you want to watch any movie, you realize that it’s neither available on Netflix nor Amazon. So, he used to keep some of his favorite movies downloaded on a USB drive, and we used to watch those movies sometimes.
One day, he was out with his friends, I was getting bored at home. So I thought that let me just watch a movie from his favorites archive. I plugged his USB drive into my laptop and then what I got to know was shocking.
I saw a folder in my name on his USB drive. It got me curious enough to open it and I did. I found lots of my pics which he has taken without my knowledge. I also found a copy of all my personal data. He must have transferred it all from my laptop.
I was furious. Why the hell on earth he would do that for?
So, what would you think? Was it the issue of data privacy, data security, or a mixture of both? It is confusing, right?
Well, it was actually the issue of both Privacy and Security. First, it was a privacy issue because I didn’t do enough to protect my private and personal data. Second, it was the issue of security as well, because this was the data breach and my data was stolen, however, you can say that it was the easiest beach of data anyone can have.
The moral of the story is that you never know who you can trust and you shouldn’t and finally why all of us need to follow the concept of ZERO TRUST.
What is ZERO TRUST
Zero Trust is an information security framework that states that organizations or individuals should not trust any entity inside or outside of their perimeter at any time. It provides the visibility and IT controls needed to secure, manage, and monitor every device, user, app, and network being used to access data. It also involves the detection and remediation of threats.
Well, let us try & understand and find out
- The difference between Privacy & Security, and
- How these two are related to data breaches, and
- Why it is important for normal people like you and me to understand
Understanding the difference between privacy and security is not easy. Even the IT and security personnel sometimes can’t identify the difference. Most of the time, Privacy and Security policies overlap with each other. Usually, it is very hard to make everyone understand that it’s a collective effort by everyone to protect privacy and security.
Policymakers are being reactive rather than proactive, organizations are struggling to implement best practices, and the normal public either doesn’t understand or doesn’t care, because consequences are almost invisible.
What Is Data Security
The simplest definition of data security is to protect data from theft and unauthorized access. From an individual’s perspective, the most common example of data security can be:
- Protecting your online accounts from the hackers, e.g. email account, social media accounts, or your cloud drives (Google Drive, OneDirve, or iCloud Drive)
- Protecting your bank accounts, insurance and retirement accounts, or any other financial information from the hackers.
On average, it takes at least 201 days for any organization to detect a data breach.
What is Data Privacy
Privacy is often confusing for an average person because different people look at privacy differently.
In order to simplify this understanding, let us break down the information (or data) into two categories:
Personally Identifiable Information (PII)
Any information (or collection of information), which can identify you as an individual is considered personal information. This can be your name, address, location, your social media accounts, your credit card number, bank account, social security number, etc.
It’s a common practice to share PII with various government or non-government organizations. We are bound to provide this information, otherwise, we can not open a bank account, we can not get our government ids issued (e.g. passport), we cannot open an online account e.g Facebook, Google, or Apple account.
In the case of the above, we don’t have a choice.
Not So Personally Identifiable Information (non-PII)
Everything else you share everywhere is also a piece of personal information, however, that can’t identify you as an individual, e.g. your views on recent political affairs.
For example, I don’t like Google or Apple products are my personal views, but I decided to make it public when I shared this online. Even if I share this online with my friends only in a personal message, it is public information now.
This includes everything you willingly share online on Facebook, Twitter, and everywhere else.
Non-PII also includes the information collected about you without your knowledge. We call it tracking. Unfortunately, sometimes this collection also includes PII i.e. location coordinates, IP address of your device, email id, etc.
Any privacy advocate gets too concerned about the biggest threat to an individual’s privacy when PII and non-PII information is combined together (called profiling).
This whole information collection of PII and non-PII is so intermingled that it becomes confusing to understand what to share and what not to share.
You should be aware of at least the following basics before you use any product or service:
- What data will be collected and why?
- How your data will be stored and maintained? — Companies are liable for penalties if they can’t protect your Personally Identifiable Information (PII) in a data breach.
- How your data will be used?
- How long your data will be retained.
- How your data will be shared with 3rd parties? — And then, it’s an infinite chain, because the same set of rules apply to 3rd parties as well.
All the above explanations are part of the Privacy Policy document, which don’t read and understand.
Difference between Privacy & Security
In order to understand the difference, let us take a very simple example, which everyone is very well familiar with.
You go to the bank to open a new checking account. You have no choice but to share the PII with your bank, without which the checking account can’t be opened.
Now, let us see what can happen next with the help of the following three scenarios:
- Both Privacy and Security of your personal information is maintained by the bank. The bank uses your information ONLY to open your account and provide you with products and services. They also protect your information from hackers and data breaches. — All Good So Far.
- Your privacy is compromised, but security is maintained. Your data is still safe and secured, has not been involved in any data breaches. But, the bank sells your information to an advertising company e.g. Facebook. You never wanted this or were never made aware of this explicitly. Please note that you have agreed to this by signing a privacy policy document at the time of opening the account. We do that all the time and think that nothing is wrong with it.) — This is where we need to be smarter. This is what Privacy Advocates always cry for.
- Both the privacy and security of your personal information being compromised. The bank gets hit by a data breach. Your information is stolen and could be sold on the dark web. Your personal information is compromised due to the data breach and your information is in the wrong hands. You never wanted this and also you never signed up for this. — This is beyond your control, but you still need to be smarter and ensure that you can trust any company’s products or services.
Data Security is possible without data privacy, but data privacy is not possible without data security.
Data Breaches Are Inevitable
Let us look at the significant data breaches in just the last 2.5 years. Some of the names may surprise you. The only intention of listing down these names is to let you know that no matter which company it is, even a tiny loophole can make even big names vulnerable.
- First American Financial Corp. — May 2019 — The largest real estate title insurance company in the U.S., exposed transaction records of 885 million individuals including documents related to mortgage deals going back to 2003 including bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transactions receipts, and drivers license images.
- Marriott — Mar 2020 and Jan 2019 — Biggest in the history, affecting 5.2 million guests in Mar 2020 and 383 million in Jan 2019, including contact information, personal details like gender and birthday, and linked account data like airline loyalty programs. Marriott was hacked in as well affecting 383 million customers.
- Microsoft — Jan 2020 — A massive breach affecting 250 million customer service and support records.
- Equifax — Sep 2017 — Hackers stole the personal information of 147.7 million Americans, which is nearly half the US population at that time.
- Canva — May 2019 — Affecting 139 million users, includes customer usernames, real names, email addresses, passwords, city, and country information. Besides, of the total 139 million users, 78 million users had a Gmail address associated with their Canva account.
- Capital One — July 2019 — Affecting approximately 100 million
- Facebook — Sep 2018 — Affecting 50 million people.
- LifeLabs — Oct 2019 — Affecting 15 million Canadians — 40% of the country’s population. Hackers compromised lab test results and national health card numbers, which revealed names, birthdates, addresses, login IDs, and passwords.
- EasyJet — May 2020 — Affecting 9 million customers, whose email addresses, names, and travel records were exposed. Besides, roughly 2,200 customers had their credit card details exposed, including the three-digit CVV code.
If you want to go through the exhaustive list of data breaches, you can go through the list on Wikipedia.
Data Privacy Laws and Regulations
The government started realizing the pain of the common public. So, they created the regulations and made companies responsible. If companies are failed to protect your data, they are liable for huge financial penalties.
The biggest problem is that there is no “One World One Policy” concept here. Every country or sometimes states have their own governance policies. This makes it difficult or almost impossible for companies to implement so many rules/guidelines.
The most common policies defined so far are highlighted below for your easy reference.
- US Privacy Act (1974) — Maintains restrictions on how government organizations can collect and use your data. When Snowden raises concerns over online privacy, that’s what he usually refers to.
- HIPAA (1996) — Health Insurance Portability and Accountability Act protects the health information on an individual.
- COPPA (2000) — Children’s Online Privacy Protection Act protects the data of children up to the age of 12 years.
- GDPR (2018) — General Data Privacy Regulation protects the personal data of European Citizens.
- CCPA (2020) — California Consumer Privacy Act restricts how companies can collect and use the data.
Who Is Responsible
Data security must be understood as a common objective. It is a shared responsibility of the organization as well as the common public.
The consequences of any data breach are felt collectively and likewise. Even within an organization data security policy and practices should not be the responsibility of just a bunch of individuals.
For hackers to gain unauthorized access to your or your organization’s data takes only a single click of phishing email by any one individual. Considering the most common cause of a data breach is human error, anyone can be the weak link.
Tips for protecting your privacy and security
It’s good to choose products or services from companies and organizations that value your privacy and take measures to protect your personal information. But your privacy is a joint responsibility. You can do too to help protect your privacy and boost your security.
Here are a few examples:
- Limit what you share on social media and online in general.
- Protect your data and devices. This might include using security software, a secure router, a VPN on public Wi-Fi, and identity theft protection services.
- Understand and become more aware of how the personal information you are sharing will be used. Understand that once you share anything online is public information now and not in your control at all.
- Use privacy-focused search engines like DuckDuckGo.
- Use a password manager to avoid reuse of passwords and generate unique passwords for each account.
- Use ads and tracker blocking software to prevent companies from following your digital footprints across the web.
- Please, please, please read the Terms of Use and Privacy Policy Documents before using any product or service.
You might also be interested in reading best practices to follow to protect your online privacy.
Closing the Gap between Policy and Reality
Just creating the regulations will not help. Blindly accepting the privacy policy and terms of use is not enough.
The best and the only approach is to understand the responsibility to ensure the policy is understood and followed.
First, understanding the policies ourselves, and second, making an effort in spreading awareness within our community is the most important part.
Policymakers and regulators need to do a better job of communicating the impact and consequences of policy implementations. Everyone needs to understand what these policies can and can’t protect an individual from.
Imposing the financial penalties is definitely a great help that forces organizations to rethink their data collection and management policies, but much more needs to be done to close the gap between policy and reality. To achieve this, data security and privacy practices should be followed by everyone and not just by the organizations.