July 4, 2019

The short answer to the question posed in the title of this piece is…no. But of course, I can’t leave it there.

To answer this question, I need to go into some of the detail of what privacy is and how it differs from security. But, before continuing I will say this:

security and privacy are intrinsically linked.

They are two sides of a coin that is called control and respect. With this in mind, let’s talk about privacy awareness.

What has Privacy Got to Do with Anything?

The world of digital privacy was once one of conferences and meetings of Information Privacy Commissioners. But because of certain events, privacy hit the big time to become a water cooler topic. This upping of the privacy ante is often attributed to the Edward Snowden leaks back in 2013. Snowden worked at Booz Allen Hamilton when he stole top-secret files from the National Security Agency (NSA). These files showed the agency was purposely collecting personal data via a program called Prism. The data was collected and used without the knowledge, never mind consent, of U.S. citizens. It caused a lot of anger and upset. As the whistle-blower, Snowden had to leave the country to avoid prosecution.

Since this awakening of our privacy consciousness, every company and its dog has come under the intense gaze of privacy professionals and ultimately the public. Tech giants, like Facebook and Google, have proven themselves to be less than respectful of our personal data. Amazon has been accused of “spying on kids” and a lawsuit against Amazon Alexa has started. The Facebook/Cambridge Analytica debacle has become one of the highest profile privacy cases in history.

Privacy, in the digital context of the word, is a human right to determine what happens to a thing (like data) that represents an individual.

And this human right is getting some weight behind it. Yes, I am talking about legislation. The General Data Protection Regulation (GDPR) has personal data privacy at its heart. The UK’s Data Protection Act (DPA 2018) reflects many of the privacy mandates of the GDPR. Legislation like this, and other laws across the world, is trying to redress the balance against the tech companies that are less than respectful of our right to do with our data what we will and not what they will.

How Security Augments Privacy

Privacy is not about security; it is about self-determination, control, and respect. But certain aspects of security can augment and even enforce privacy. For example:

  • Encryption can preserve data integrity. This applies to data when it is collected and transferred from a web form you have filled in – if the data is sent using the SSL/TLS protocol it will be encrypted. It also applies to data that is sitting in a database. The Breach Level Index notes that of the 14.7 billion data records lost since 2013, only 4% of them were encrypted.
  • Robust authentication. Methods like two-factor authentication and risk-based access control can help to prevent data loss through account exposure.
  • Anonymising technologies. These are solutions that take data, then anonymise it so the data can’t be linked and traced back to a specific individual. This is easier written down than actually achieved.
  • Virtual Private Network (VPN). VPNs are used to mask your data, including IP address, when you use the internet. They can also be used to circumvent things like TV channel blockers that are country specific. In terms of privacy, advocates like them as they prevent governments and associated entities snooping on your online life.
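
Why anonymising is "easier written down than actually achieved" can be shown with a k-anonymity check, given here as an added example that is not part of the original article. The records, field names and the choice of postcode, birth year and sex as quasi-identifiers are constructed assumptions for illustration.

```python
from collections import Counter

# Constructed sample records; every name, postcode and diagnosis is made up.
RECORDS = [
    {"name": "Person A", "postcode": "LS1 4AP", "birth_year": 1984, "sex": "F", "diagnosis": "asthma"},
    {"name": "Person B", "postcode": "LS1 2HQ", "birth_year": 1987, "sex": "F", "diagnosis": "diabetes"},
    {"name": "Person C", "postcode": "LS1 3BB", "birth_year": 1981, "sex": "F", "diagnosis": "migraine"},
    {"name": "Person D", "postcode": "M1 1AE", "birth_year": 1972, "sex": "M", "diagnosis": "asthma"},
    {"name": "Person E", "postcode": "M1 4BT", "birth_year": 1975, "sex": "M", "diagnosis": "eczema"},
    {"name": "Person F", "postcode": "YO1 7HH", "birth_year": 1950, "sex": "F", "diagnosis": "diabetes"},
]
# Fields that are not names but can still single a person out when combined.
QUASI = ("postcode", "birth_year", "sex")

def drop_names(records):
    """Naive 'anonymisation': remove only the direct identifier."""
    return [{k: v for k, v in r.items() if k != "name"} for r in records]

def generalise(records):
    """Coarsen quasi-identifiers: outward postcode only, birth decade."""
    return [dict(r, postcode=r["postcode"].split()[0],
                 birth_year=r["birth_year"] // 10 * 10) for r in records]

def _groups(records):
    return Counter(tuple(r[q] for q in QUASI) for r in records)

def k_anonymity(records):
    """Size of the smallest group sharing identical quasi-identifier values."""
    return min(_groups(records).values()) if records else 0

def suppress_small_groups(records, k):
    """Withhold rows whose group is smaller than k before release."""
    groups = _groups(records)
    return [r for r in records if groups[tuple(r[q] for q in QUASI)] >= k]

if __name__ == "__main__":
    nameless = drop_names(RECORDS)
    coarse = generalise(nameless)
    released = suppress_small_groups(coarse, 2)
    print("names removed only:   k =", k_anonymity(nameless))
    print("after generalisation: k =", k_anonymity(coarse))
    print("after suppression:    k =", k_anonymity(released), "rows =", len(released))
```

Removing names leaves every row unique, and even after generalisation one outlier must be withheld to reach k = 2. k-anonymity is only one measure: a group whose members all share the same sensitive value still reveals it.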

What is Privacy by Design?

Privacy by Design or PbD is a set of seven principles developed by Ann Cavoukian, the ex-Privacy and Information Commissioner for Ontario, Canada. The principles are:

  1. Proactive not Reactive; Preventative not Remedial
  2. Privacy as the Default
  3. Privacy Embedded into Design
  4. Full Functionality – Positive-Sum, not Zero-Sum
  5. End-to-End Security – Lifecycle Protection
  6. Visibility and Transparency
  7. Respect for User Privacy

PbD is something that is aimed at people who design IT systems or software or organisations that put these systems together for their customers’ use. It is about ‘baking in’ privacy from the start of a project so that it becomes intrinsic. Privacy by Design is a framework to help you to make a decision about what to include in those systems. The GDPR dovetails with the ethos of PbD and extends it to Privacy by Design and Default, in other words, enforcing privacy. This includes:

  • Data subject rights, i.e. eight areas that need to be accommodated by any service. These include the right for individuals to access their data and have it erased.
  • Consent to share. Clear opt-in has to be the default when choosing to share data with a service. It is up to the service to collect this consent and abide by it, and the consent has to be explicit and granular.

There are mixed views on the effectiveness of GDPR with respect to privacy protection. However, it is shaking up the world and privacy is being discussed outside of the academic circles it once remained within.

Does Privacy Awareness Matter?

From an individual perspective, it is entirely up to that person to decide if the right to a private digital life is important. But from a commercial aspect, it seems to be very important.

Consumer expectations for privacy, and in turn, trust, are at an all-time high. Survey after survey finds that digital privacy has commercial value. For example, a recent report from TRUSTe pointed out that 89 percent of British Internet users were “worried” about data privacy. Another key piece of research from Kirsten Martin of George Washington University found that a customer’s trust in a website drops as soon as their privacy is violated.

And a final thought, in yet another survey, this one by Acxiom on this most nuanced of technological discussions, an important thing came out. Trust in a company was seen to be one of the most important factors when a customer decided to share personal data. And, of course, being respectful of privacy in the digital realm, as in the real world, builds trust.

Privacy is not security and security is not privacy, but together they make more trusted relationships between customers and services. In a modern world where digital data makes the wheels of our online world turn, we have to be aware of both.

Raising the awareness of both security and privacy matters has never been so important. Help your employees stay safe in the fight against cyber-crime and ensure privacy is upheld – sign up for a free security and privacy awareness training demo. We help address cyber and privacy risk, both at work and at home.
