[Photo: fencers dueling. Credit: Eugene Lim]

As the privacy space continues to grow and consumers' awareness of their privacy online increases, I’ll occasionally come across an article or a mention of how security and privacy conflict with one another. It’s often said that for security to exist, we need to be willing to sacrifice some form of privacy. Isn’t that how mass surveillance programs like the USA PATRIOT Act came to exist? Setting aside politics, this notion of security and privacy being at odds fails to recognize a critical element: without privacy AND security, there is no trust. And trust, as I’ve written before, is highly valuable in the digital age.

Privacy and Security Are Not the Same

To understand how the two can, and should, co-exist, we need to define what we mean by “privacy” and “security.” I like to think of it this way: privacy refers to what the data is and why it’s being used. Typically, “privacy breaches” involve sensitive data such as phone numbers, email addresses and the like, whereas “data breaches” can often mean anonymous data such as user_ids or hashed usernames. It’s important to understand the difference between the two, as they’re so often used synonymously.

Security, on the other hand, is how you protect that data, whether at the point of collection or at rest inside your database. Viewed through that lens, privacy and security complement one another rather than oppose each other. Your customers and website visitors expect not only that you’re using their data in an appropriate manner, but that you’re securely handling and storing it. It’s why major data privacy laws like the California Consumer Privacy Act (CCPA) and the GDPR have provisions requiring “industry-best” security practices for firms that store and use consumer data.

Privacy by Design Framework

Major data privacy legislation like the GDPR mentions the terms “privacy by design and default,” referencing the Privacy by Design Framework first created by Dr. Ann Cavoukian, the former head of the Information and Privacy Commission in Canada. The framework outlines key principles that must be adhered to when looking to implement a privacy-centered user experience (aka Privacy UX). The seven principles are:

  1. Proactive not Reactive; Preventative not Remedial.
  2. Privacy as the Default.
  3. Privacy Embedded into Design.
  4. Full Functionality — Positive-Sum, not Zero-Sum.
  5. End-to-End Security — Lifecycle Protection.
  6. Visibility and Transparency.
  7. Respect for User Privacy.

I’ve purposely highlighted the fifth principle because it’s important to note that security, as a key element of privacy by design, has been a foundational principle from the earliest days of the internet. This framework was first developed in the 1990s! That is well before the era of “big data,” when tech firms interested in boosting their valuation sought to squeeze every ounce of user data possible from their site visitors. Security plays a critical role in ensuring a sound privacy practice.

“The ‘Security’ principle has special relevance here because, at its essence, without strong security, there can be no privacy.”
Ann Cavoukian, Privacy by Design: The 7 Foundational Principles


Privacy and Security Merge

In this post-GDPR era, consumers — empowered by new data privacy laws — are becoming more privacy-minded while browsing online, resulting in an interesting trend: data privacy violations are being treated with the same level of scrutiny and concern as a security breach. Take for instance the recent decision to add tracking prevention to WebKit, the open source engine powering the Safari web browser and many other iOS apps. On the surface it seems like any other privacy-minded update, following a spell of recent privacy-related news from the tech industry. What stands out is that the WebKit team says it will treat any “workarounds” with the same level of urgency as it would a security breach. Just as Apple, Google and others furiously work to patch security vulnerabilities the moment they discover them, WebKit suggests it will do the same if it catches trackers or advertisers finding back-door ways around the tracking protection. This merging of security and privacy is why many organizations are considering fusing the role of the CPO (Chief Privacy Officer) with that of the CISO (Chief Information Security Officer), as they begin to realize how much the two share common goals.

The internet is littered with “privacy” standards that were created to protect users but ultimately failed to do anything useful (remember Do Not Track?). But WebKit’s commitment to privacy, Apple’s continued development of ITP (Intelligent Tracking Prevention), and Mozilla’s updates to Firefox to block cross-site tracking by default together suggest that privacy may start to get the same level of attention that security has rightfully received these last few years. It’s not hard to see why, given that data privacy laws increasingly include security provisions in their requirements.

Reflecting on what the Privacy by Design framework stated nearly 30 years ago, I think we can safely say that privacy and security must co-exist, and that without strong security measures, real privacy is not possible. And without privacy, there is no real customer trust.
