As the title of this blog post implies, there seems to be a blurred line in the general rhetoric between “privacy” and “security”. These topics are not the same, and yet I see them lumped together all too often (ahem, CNN & Co). It's tough, however, to weave a coherent single narrative on the subjects, so let me present a few disparate points to help distinguish the two:
- What is the difference? To me, it is akin to the square/rectangle relationship. All squares are rectangles, but not all rectangles are squares. Likewise, all security conversations are privacy related, but not all privacy conversations are about security.
- What’s an example of when security =/= privacy? The case that sparked this blog was the story about freshmen students at Oral Roberts University being mandated to wear Fitbits, which will then send the collected data directly to a school-operated database. Obviously we would hope that the school will keep this data secure. If someone is publicly shamed regarding their laziness, or for a sleep disorder, that is a nightmare situation. But even assuming that the school keeps the data secure (ha), that's a separate conversation from the privacy discussion. Should students be forced to reveal their activity data to the school? Should they be monitored on when they’re asleep, or when they’re walking, or how much they sleep?
My opinion on whether the school should do this or not doesn’t matter (it’s “hell no”, for the record); I just think it’s important to nail down this distinction between privacy and security as the IoT continues to enter into the mainstream. I want all of my private data secured; just because an organization is capable of securing my information, it should not automatically grant them the right to invade my privacy.
- I know I keep harping on Fitbit data collection, but one of my family members wears a Fitbit and his insurance company collects the information. This is optional — for now — and he saves money by doing it. But this becomes an awfully sticky path. Incentivizing customers to give up their privacy is nothing new: Facebook incentivized the world to give up their personal info by offering a free service to connect with people, for example. But it matters more when our health and location are intimately involved. We are headed towards this becoming the norm. We will have no choice but to accept that our self-driving car will report on our whereabouts and destinations at all times. It will come as part of the package. This battle is essentially lost already, but if we are going to keep pretending to debate about it, let’s at least get our terminology right.
- Finding privacy tools for browsing the internet is easy. Tor, Bitcoin, web proxies, and more are all out there to grant you all the privacy anyone could possibly need. And personal security, while more complex, is also there for the taking when it comes to modern personal devices: Kaspersky, Comodo, Malwarebytes, ESET, Microsoft, Symantec, Webroot and many (many) more vendors are dedicated to the consumer security markets. Unfortunately, while some of these tools extend to IoT security, none extend to IoT privacy.
- One final thought: This conversation tends to get especially screwed up when it comes to encryption, because it truly crosses both domains. Encryption is pure security and pure privacy: from a technology perspective, it is unique that way. I sympathize with anyone flipping “security” and “privacy” around interchangeably when discussing that particular issue.