Security Is Not Privacy, Part 1: The Mobile Target

In technical fields like information technology, definitions are fundamental. They are the building blocks for constructing useful applications and systems. Yet, despite this, it’s easy to assume a term’s definition and wield it confidently before discovering its true meaning. The two closely related cases that stand out to me are “security” and “privacy.”

I say this with full awareness that, in my many writings on information security, I never adequately distinguished these two concepts. It was only after observing enough conflation of these terms that I resolved to examine my own casual treatment of them.So, with the aim of solidifying my own understanding, let’s properly differentiate “information security” and “information privacy.”

Security vs. Privacy: Definitions That Matter

In the context of information technology, what exactly are security and privacy?

• Security is the property of denying unauthorized parties from accessing or altering your data.
• Privacy is the property of preventing the observation of your activities by any third parties to whom you do not expressly consent to observe those activities.

As you can see, these principles are related, which is one reason why they’re commonly interchanged. This distinction becomes comprehensible with examples.

Let’s start with an instance where security applies, but privacy does not.

Spotify uses digital rights management (DRM) software to keep its media secure but not private. DRM is a whole topic of its own, but it essentially uses cryptography to enforce copyright. In Spotify’s case, it’s what constitutes streaming rather than just downloading: the song’s file is present on your device (at least temporarily) just as if you’d downloaded it, but Spotify’s DRM cryptography prevents you from opening the file without the Spotify application. The data on Spotify (audio files) are secure because only users of the application can stream audio, and streamed content can’t be retained, opened, or transmitted to non-users. However, Spotify’s data is not private because nearly anyone with an email address can be a user. Thus, in practice, the company cannot control who exactly can access its data.

A more complex example of security without privacy is social media.

When you sign up for a social media platform, you accept an end-user license agreement (EULA) authorizing the platform to share your data with its partners and affiliates. Your data stored with “authorized parties” on servers controlled by the platform and its affiliates would be considered secure, provided all these entities successfully defend your data against theft by unauthorized parties.