Two things I’ve had the pleasure to explore in classrooms filled with graduate-level cybersecurity zealots are information security and privacy. In more practical settings, like a workplace or home, there’s little reason to parse the two. Information security and privacy go hand-in-hand.
If you want to achieve effective privacy, however, there needs to be a little more understanding about these complementary and complex terms. They’re relatable, even interchangeable, without having too great of a negative effect. To dig another layer down, though, might lead to more privacy. Or, is it more security?
This can be more than just fodder for a classroom discussion, especially when you care enough to take time to see them from a more nuanced perspective. Information security is the set of practices and processes you might put into place toward ensuring that your personal, financial, healthcare, and other sensitive information stays private. To further complicate things, or from my view to clarify them, let us not confuse privacy with secrecy. The closest relationships between two or more people can maintain a healthy level of privacy without being secretive.
Back to our two tricky topics: information security and privacy. If you can start to see how the former leads to the latter—that privacy can only be enjoyed after implementing security plans—you are already on the way to becoming a better security actor, who might then enjoy more privacy over the information you want to remain private. Let’s go very basic, back to a child’s understanding of these separated and related facets of life. Think of a diary.
I already compelled you to think about diaries in terms of childhood keepers of the private journals. The internet has more “intelligence” about diaries than I ever could’ve conceived, and I only digress for a sentence or two because of my elation at having found potentially valid data on diarists, which is a word. There’s one U.K. study that follows my lead in that it showed 21% of children keep a diary at some point in their youth. One in five impressed me, someone who never diaried, which is not a word. Another study found that half of all of us at one point in life kept a diary, though only 16% of us actively maintain one. That, again, surprised me. Based on the math and even just these two scholarly studies, nearly one billion people are prone to keep diaries.
No matter these studies, using a diary to illustrate my two distinct concepts was where I meant to go. For someone to maintain privacy of their most intimate thoughts that were converted to text after writing them down, information security processes must first be in place. You might think of one such process, locking the diary. Keylocks are common features of blank journals intended for diary musings. Another security protocol would be to hide the diary in the first place. With the diary being undiscoverable since hiding it, there is a good chance that the information therein will continue to enjoy privacy. If it is found it’s possibly impenetrable, so privacy prevails again. To repeat, first you must implement information security activities, and only then is there a chance for privacy. Two similar concepts, separated for better understanding. And, hopefully, providing privacy.
With an academic, and now maybe more practical, understanding of the two cybersecurity facets, I’d like to home in on privacy. Actually, it’s more accurate to explain that I’d like to share some information about privacy. More exactly written than that, I want to share some privacy dealings from the desks of the International Association of Privacy Professionals.
The IAPP is a nonprofit set up in 2000, a time when information security and privacy had evolved greatly within computing and internet technologies. Hacking had evolved in kind, and the IAPP realized it had a real purpose and function. In the idealist’s view, it organized for all our benefits. It is an active, international group of experts, and what they produce is useful for anyone online. I am not a member, for the sake of admission and disclosure.
I bring the IAPP to your attention because, as it is an ideal, you might benefit from knowing about it and what they work on. To shine just a little light, I’d like to highlight its current dealings culled only from one day’s activities, namely last Friday.
First, the IAPP director conveyed his appreciation for the group’s first American in-person conference the week prior. To me this was surprising, but it reflects the global community making up the organization. The Federal Trade Commission, Department of Commerce, European Union, and California government officials all presented. Later last Friday the IAPP published a piece about Google’s new privacy protocols that allowed children 18 and under to simply request their images be removed from the massive search engine. Security action, leading to greater privacy; here, of one’s own image.
The nonprofit reported on the U.K.’s Competition and Markets Authority, the governmental department that regulates competition. Across the pond, they’re dealing with the complexities of healthy competition and privacy with the case at issue surrounding Google’s compliance with privacy standards, generally perceived as higher in the EU and U.K. than in the States. Throughout that one Friday, many more diverse privacy topics were examined: China’s data transfer practices; Microsoft’s expanding cybersecurity hiring; Apple’s App Privacy Tool; cybersecurity insurance; hotel and hospital hacks that week; and so on.
To even take in the entire day’s IAPP privacy news would be daunting for any one consumer. Before even considering whether to embark on that journey, it first behooves you to understand how information security and privacy relate, and yet are distinct. You cannot take all this on, most likely, but for your own sake and that of your family’s privacy, now is already late to begin learning.
Ed is a professor of cybersecurity, an attorney, and a trained ethicist. Reach him at edzugeresq@gmail.com.
