Is Privacy the new Security Standard?

Tuesday, July 13, 2010

Mark Gardner


I was watching and listening to Merlin Mann's keynote speech from WebVisions 2010 when he produced a slide which got me thinking and is the catalyst for this post.

I have found Merlin to be an inspiration to me for some time and this talk was no different. You can view the keynote at

This is the slide: -



The thought that went through my head was "what comes first, Privacy or Security?" You cannot have one without the other, but it struck me that for the user, Privacy is the security standard.

For a security professional, Confidentiality, Integrity and Availability are the standard terms worked to. Should Privacy be added to the list?

Confidentiality and Privacy are essentially the same thing, at least according to the Thesaurus. However, in the media, on other blogs, and on podcasts I listen to, the major issues of the past few months have been classified as Privacy issues rather than security issues; I cite the Google Wi-Fi issue and the Facebook user settings as two cases in point.

Our "mission" as security professionals, as I see it, is to keep data secure, thereby assuring user privacy through the actions undertaken on a daily basis, be they compliance or architecture activities.

Given how close the definitions of Confidentiality and Privacy are, is the issue one of terminology, or does it show a disconnection between Security professionals and the user base? Should the Security community be doing something slightly alien and highlighting the positive aspects of our work in protecting their information, to counterbalance the disclosures of data losses?

This is not to say that we highlight our vulnerabilities, it is merely trying to connect more with the customer. The idea is not to disclose information which could lead to compromise, more to highlight the volume of work that goes on to protect their information, much of which goes on unnoticed.

"Is Privacy the new Security Standard?" is the title of this post. In conclusion, I don't believe it is; I think it's the latest term used to discuss security issues in the media. This constant highlighting can be used by Security professionals to highlight the work we undertake and to increase the levels of security awareness within our respective environments.

This was originally posted on my blog at 

drew simonis

In my experience, privacy is a hybrid legal/technical area dealing with, among other things, the confidentiality of personal information. The other things include restrictions on usage for those that we share the information with, our right to correct mistakes, etc. These other things are where privacy diverges from security.

Security diverges from privacy fairly rapidly when you consider the other dimensions of security, such as integrity, availability and non-repudiation. For example, though there are obviously integrity concerns with private personal information, I don't think those differ too much from the integrity concerns for any arbitrary type of necessary information.

I guess what I am saying is that privacy is its own domain, with distinct security requirements being part of that domain. This doesn't make it the same as security, however.

drew simonis

And I meant to add:

"For example, though there are obviously integrity concerns with private personal information, I don't think those differ too much from the integrity concerns for any arbitrary type of necessary information."

... and something doesn't necessarily have to be private to have integrity generally.

Mark Gardner

Hi Drew,

Thanks for your comments. I agree with you. I think Privacy and Security are separate; however, in the media they are treated as the same.

I still maintain that concerns over privacy offer an opportunity for us to increase awareness of our security policies and practices to our own benefit, irrespective of the definitions that may be attached.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
