Security and privacy
Security and privacy are intertwined but distinct pursuits.
What are they, how do they differ, and what is their relationship?
I've done security for a while and privacy only briefly; here is my view so far.
Definitions
Here is how I would define each thing.
Analogy: Let's pretend your house, and everything in it (tools, money, records, couch), is your data.
Security: Avoid objectively bad things. Companies getting hacked. Users being exploited.
Analogy: Security is what protects your stuff from bad guys and other harms. The locks on the door, the fence, the security cameras. It's the building code that ensures your house doesn't collapse in a windstorm.
Privacy: Respecting users' choices about their data. Making and upholding commitments around data.
Analogy: All the stuff in your house can be used for certain purposes and not for others. All the stuff should be treated with care. Don't use a knife to hammer a nail. Don't scribble on your birth certificate. Carefully store your birth certificate. The rules about who gets to come inside, or see inside, your house. The police can come but need a warrant; the mailman can put mail in your mailbox. You can give your friend a key to your house.
Obligation: A law, regulatory decree, investigation, standard, or recommendation that has privacy implications. A thing a company must do, or at least consider doing. It must be evaluated and eventually converted into work that satisfies the obligation.
Analogy: You are not allowed to have a tiger as a pet in your house.
Commitment: A statement about your data that a company ensures is true. For example: "We will delete all your data within 30 days of your request to do so." Commitments can be self-imposed, or imposed by privacy laws like GDPR.
Analogy: Your house has a self-imposed “no shoes inside” rule.
Differences
- Adversary. In security your adversary is an actual person out in the world. In privacy, we are the adversary! Security adversaries can be governments, teenagers, or just people who send you fake invoices until you pay them 122 million. Basically, a real human has to do something to cause a security incident.
In contrast, a privacy incident might look like a technical architecture that allowed sensitive health data to be used to target ads, in violation of a privacy law. To say it another way, privacy incidents seem more self-inflicted.
- Origin. Privacy work originates from laws and regulations. Security work originates from reducing risk to a company and its users. This has a lot of knock-on effects.
- Finish line. Privacy is more clear-cut. A law is an attempt to define what good and bad look like, so it is easier to say you crossed the finish line. Being done with the DMA or GDPR is pretty black and white. Of course, words like "comprehensive" and "reasonable" exist to create legal gray areas.
- Penalties. If you screw up privacy, you can predict the penalties. See the published lists of GDPR fines.
- Interpretation. Privacy has a whole pre-execution step in the lifecycle where you must dedupe and interpret the laws to figure out what position you want to hold on each part of the law. Security doesn’t have this step, or much of it.
- Proof. Privacy requires a lot more "prove it" type work. You can't just do the work; you have to prove you did it, with accompanying documentation, testing, and paperwork. This gets into the audit world's first-line / second-line concept.
- Politics. The global political landscape affects both privacy and security, but privacy more. The current political climate, who is up for reelection, and what the current news cycle is all seem to be heavily weighted inputs into the penalty a regulator might impose for a privacy mishap. Those things mix with the actual privacy strengths or weaknesses of a company to create the privacy perception of that company. That perception matters a lot.
- Surface area. A company's security is easier to test as a random outsider (ex: a bug bounty hunter) than that company's privacy. This is because a higher percentage of the "security surface area" is externally accessible (for example the website, the mobile app, sending phishing emails, etc.) than of the company's "privacy surface area". Imagine trying to confirm or deny that a given user's data deletion request was honored when it flows through 20 internal systems; that is difficult to test as an outsider.
- Getting work done. Some contrasting attributes of security work vs privacy work are:
- Shape of work. More security work can be done in one region of a big company, in contrast to privacy, which is a lot of little changes across 20 products and so must be more widely distributed. The Digital Markets Act involves refactoring the software plumbing across most of the company.
- It's easier to convince people to do privacy work than security work, because "we shouldn't break the law" is a compelling argument. In security you often make the weaker argument of "we should do this work because it reduces our chances of getting hacked by 3%". This has been nice.
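The "Proof" and "Surface area" points above come down to one question: can you show, with evidence from every system that holds a user's data, that a commitment like "we delete within 30 days" was actually kept? Below is an added example of that kind of control, written for this post and not taken from any company's code. It assumes a hypothetical inventory of internal systems and constructed deletion requests and per-system deletion records; the rule it applies is the one stated in the Commitment definition, and it treats a system with no deletion evidence as not done, because from an auditor's point of view undocumented work is indistinguishable from work that never happened.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical inventory of internal systems that hold user data
# (constructed for this example; a real inventory is far larger).
SYSTEMS = ("accounts-db", "analytics-warehouse", "support-tickets", "backup-archive")

# The commitment under test: delete within 30 days of the request.
SLA_DAYS = 30


@dataclass(frozen=True)
class DeletionRequest:
    request_id: str
    user_id: str
    requested_at: datetime


@dataclass(frozen=True)
class DeletionRecord:
    """Evidence emitted by one system when it purged one user's data."""
    system: str
    user_id: str
    deleted_at: datetime


@dataclass
class AuditResult:
    request_id: str
    status: str              # "honored", "late", "overdue" or "pending"
    deadline: datetime
    missing_systems: tuple   # systems with no deletion evidence at all
    late_systems: tuple      # systems whose evidence is after the deadline


def audit_deletions(requests, records, now, systems=SYSTEMS, sla_days=SLA_DAYS):
    """Check every request against the per-system evidence and classify it."""
    # Index evidence by (system, user) -> earliest recorded deletion time.
    evidence = {}
    for rec in records:
        key = (rec.system, rec.user_id)
        if key not in evidence or rec.deleted_at < evidence[key]:
            evidence[key] = rec.deleted_at

    results = []
    for req in requests:
        deadline = req.requested_at + timedelta(days=sla_days)
        missing, late = [], []
        for system in systems:
            deleted_at = evidence.get((system, req.user_id))
            if deleted_at is None:
                missing.append(system)          # no proof -> not done
            elif deleted_at > deadline:
                late.append(system)             # done, but outside the SLA
        if missing:
            # Still inside the window it is merely pending; past it, overdue.
            status = "overdue" if now > deadline else "pending"
        elif late:
            status = "late"
        else:
            status = "honored"
        results.append(AuditResult(req.request_id, status, deadline,
                                   tuple(missing), tuple(late)))
    return results


def summarize(results):
    """Count results per status, the figure an auditor will ask for first."""
    return dict(Counter(r.status for r in results))


def _utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed sample input: four requests and the evidence each system emitted.
NOW = _utc(2024, 3, 15)
SAMPLE_REQUESTS = [
    DeletionRequest("req-1", "u1", _utc(2024, 1, 1)),   # all systems on time
    DeletionRequest("req-2", "u2", _utc(2024, 1, 5)),   # backup purged late
    DeletionRequest("req-3", "u3", _utc(2024, 1, 10)),  # one system never reported
    DeletionRequest("req-4", "u4", _utc(2024, 3, 10)),  # still inside the window
]
SAMPLE_RECORDS = (
    [DeletionRecord(s, "u1", _utc(2024, 1, 10)) for s in SYSTEMS]
    + [DeletionRecord(s, "u2", _utc(2024, 1, 20)) for s in SYSTEMS if s != "backup-archive"]
    + [DeletionRecord("backup-archive", "u2", _utc(2024, 2, 20))]
    + [DeletionRecord(s, "u3", _utc(2024, 1, 15)) for s in SYSTEMS if s != "analytics-warehouse"]
    + [DeletionRecord("accounts-db", "u4", _utc(2024, 3, 11))]
)


def run_sample_audit():
    """Return {request_id: status} for the constructed sample."""
    return {r.request_id: r.status for r in audit_deletions(SAMPLE_REQUESTS, SAMPLE_RECORDS, NOW)}


if __name__ == "__main__":
    for r in audit_deletions(SAMPLE_REQUESTS, SAMPLE_RECORDS, NOW):
        print(r.request_id, r.status, "missing:", r.missing_systems, "late:", r.late_systems)
    print(summarize(audit_deletions(SAMPLE_REQUESTS, SAMPLE_RECORDS, NOW)))
```

The interesting design choice is that the control is driven by the system inventory, not by the records that happen to exist: a system that silently never purges shows up as "missing" rather than disappearing from the report, which is exactly the failure an outside tester could never see and an internal audit must.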
Relationship
Privacy and security are intertwined.
Privacy depends upon security.
If you can't secure data, you can't guarantee privacy. If a bad guy has RCE in production, it nullifies every privacy commitment you make.
Security does not depend on privacy, but it is heavily influenced by it: privacy shapes what work a security team performs. This mostly happens because privacy declares some types of data more or less important.
Conclusion
All of this is an oversimplification. It's from my experience working at a big company, under lots of scrutiny. I'm not sure how much it applies to other organizations. I'm writing this up to hear other perspectives.
Privacy has been a lot of fun so far: parsing a law, breaking it down into controls, then building those controls out of code, process, and systems has been satisfying.