July 14, 2011

Privacy as a concept – Controlling information

Privacy, my fellow digital citizens, is a hydra of a beast. Many heads and many faces for sure, all of which enjoy a bevy of threats.

Digital Footprints

The notion that we leave digital footprints all over is not new. As well, the idea that privacy and digital citizenry are inherently at odds has been well discussed. For now, let’s grant the validity of these statements as I would like us to consider a few other points regarding privacy. For, even with so much awareness and training available all over our beloved internet, I sometimes wonder how many of us really understand privacy. How many of us tend to believe that privacy is really just security in a different flower-print sundress?

Thus, the point of this blog series will be to cultivate a better understanding of privacy as a concept (part one), understand threats to privacy (part two), and finally to understand how to assure privacy (part three). With all of that said, let’s get started…

Privacy Is Not Security

To begin, privacy is not security. The two endeavors certainly have overlap but they are not synonymous terms. Security is all about protecting assets from harm. On the other hand, privacy is about controlling information. An important note here is that the information can be your information or it can be others’ information. Additionally, the term control in this context does not mean prevent. Prevention is a security construct and belongs in that realm. Instead, with privacy, we seek to control a number of aspects or properties associated with information. Examples will be forthcoming but first there is an additional point to discuss.

It’s All Relative

Privacy is relative; security is not. Current security thinking is concerned with threats and vulnerabilities. And despite the argument that the resultant risk could be relative, if all of us have the same vulnerability and there is a viable threat we are all open to compromise. It is simply the probability that will be relative between us. However, the information that you consider sensitive is entirely relative to you. The information that Company A considers sensitive is entirely relative to Company A and will be quite different from Company B.

Example time: Let’s consider the privacy difference between my hat size and my credit card number. Would you agree that one of the two pieces of information is innately more private than the other? Yes?

Keeping in mind the relative nature of privacy, what if I value the confidence of my hat size higher than my credit card? Apart from levying a criticism as to the mental stability of such a decision, how could you question my choice to value the confidence of one piece of information higher than the other? You cannot and that is the point we’re making; privacy is relative.

Your list, my list

Although many of us would make highly similar lists of sensitive information (e.g., full name, birth date, SSN, address, etc.) I would put forth that many of us would also have dissimilar items on our sensitive information lists. Again, this is a fundamental difference from security. Security is security is security to all of us and is security in the same way. My firewall works the same way as your firewall despite our ACLs varying (perhaps you allow SSH in and I don’t, for example). However, even when we both consider hat size to be sensitive we very well may go about controlling that information differently.

That’s a good working concept of privacy for now. In the next part of this series we’ll discuss threats to privacy and advance our understanding of privacy in more detail. Until then, fellow digital citizens, let’s start to critically think about what information we consider sensitive and by what means we control disclosure of that information.