For decades privacy and security have been seen by technologists, journalists, investors, and researchers as fundamentally separate concepts and goals. This has been true despite the fact that to achieve both security and privacy we often use the same technological building blocks. That split between “privacy” and “security” might have been true and sensible once, but the world has changed, and the old rules and thinking no longer apply.
Privacy and Security Storytime
We’ve all heard stories – narratives, tales, counterfactuals, cybersecurity playbooks – that explore our data and metadata, our access and control of systems, and the bad things that might happen. The conventional narratives fit into a strict binary: a privacy narrative involving an ordinary user as the protagonist and a security narrative involving an enterprise or large organization as the protagonist.
The Privacy Story
The privacy narrative goes like this:
An ordinary user wants to simply go about their life but is buffeted by the forces of large companies and governments who care little for them. Large companies want user data to mine, aggregate, and sell. Governments want user data to surveil and coerce. A user is helpless: they cannot control their own fate, and have no control over their own data and metadata.
The Security Story
The security narrative goes like this:
An enterprise or government hires a team of professionals to ensure that the organization’s most important secrets – its data and, ideally, metadata – are protected from unauthorized parties and that control over internal systems remains in the hands of the right people within the organization. The enterprise has control over its users, its systems, and its partners.
There’s a lot of truth to these narratives, but the context has shifted underneath our feet. Like all narratives, they eventually overstayed their welcome. In the last few years the world has changed and the technology we all use has changed enough that these narratives, despite still containing shades of truth, are in need of some serious updating.
The main change that’s taken place is that there’s almost no difference between consumer technology and “enterprise” technology any longer. It used to be the case that companies and governments would have special hardware and software, often issued to their workers. Many if not most organizations have shifted to “bring your own device.” While some organizations do still provide devices, they are built on the same hardware platforms as consumer devices. On the software side, organizations largely use the same cloud-based services that ordinary users use in their personal lives, the only minor difference being that they pay for those services rather than getting them for free like individual users do.
A New Privacy and Security Narrative
The only practical difference between privacy and security today is the protagonist of the story. Because of those old narratives, we use the term privacy when we talk about individuals and the term security when we talk about organizations. (Of course this simplified view lacks nuance as privacy is in fact a social, collective good. A world with no privacy has a chilling effect on discourse and behavior, alas.) We say “nobody will pay for privacy, nobody cares” but “everyone has to pay for security, it’s essential.” But we’re talking about the same risks, technologies, and even objectives.
Individual privacy is synonymous with group security. It’s the same hardware, same software, and same network protocols. The same cloud providers provide services for both, and are at risk of the same kinds of breaches and misbehavior in both cases.
This protagonist-based distinction between the words privacy and security holds even when we aren’t talking about computing. When we talk about privacy in medical care, we are talking about protecting an individual’s medical care. When we talk about security in a home, we are talking about protecting a family’s shared dwelling.
Privacy and Security in a Cloudy World
We aren’t going to stop using the words privacy and security anytime soon. Privacy will probably still mean “protecting an individual” and security will probably still mean “protecting an organization or group.” But we should be aware that when we’re using these words they don’t have the same underlying distinction they once did. Privacy and security are now largely achieved using the same practices, technologies, and analysis.
We’ll be better off and safer overall if we focus less on a false distinction between the two and more on how we can solve security/privacy problems together, for everyone. An important step in that direction is focusing on trust: who do we trust, with what, and in what context. This framing sidesteps the false dichotomy of privacy vs. security and lets us focus on who has what data for what purpose. It also lets us focus on how to decouple access to our data and metadata so that we can still accomplish the things we want without having to sacrifice either security or privacy.