Cyber Security

Luke Hally

Privacy

November 4, 2021

Looking in more detail at privacy this week. I encountered privacy in my first course, Foundations of Cyber Security. It had a profound impact on me: changing the way I manage passwords; locking down my social media accounts; changing the way I pay for goods and OPSEC in my day-to-day life. Now we are going to delve deeper. But before we continue, let’s look at privacy and confidentiality. They are terms that are often used interchangeably, but they are different. We need to keep this in mind when looking at privacy.

| Privacy | Data Privacy | Confidentiality |
| --- | --- | --- |
| My private thoughts and actions should be free from public attention. | Data about me should be private. | Those who need access to my data, have access to it. Others do not. |

What is privacy?

When I say privacy, we have a gut feeling for what it is, but can you put it into words? It is difficult to define. The Oxford English Dictionary defines privacy as:

“The state or condition of being alone, undisturbed, or free from public attention, as a matter of choice or right; seclusion; freedom from interference or intrusion.”

OED Online. December 2020. Oxford University Press.

How would I define it? Not as succinctly as OUP. This is challenging, I feel there’s a lot of ignorance in my knowledge of privacy – but this is the learning process, recognising what we do or don’t know and building on it.

Privacy for me has a few components:

  • Keeping my business to myself: people don’t have a right to know anything about me unless I choose to share it.
  • Control: control of my information, being able to decide who knows what about me.
  • Visibility: knowing who knows what about me
  • Forgettability: probably related to deleting my data from known holders of it.
  • Explicitness: if I am going to forgo privacy, I should have to explicitly allow it.

Looking at this list, I can see that my thoughts on privacy focus largely on data privacy.

Types of Privacy

We can break privacy down into three types; data privacy affects all three and can impinge on them all. When looking at these types of privacy, we need to look at them in the context of the law and society. Obviously if I want to run around the library naked while screaming like a banshee – I’m not free to exercise my behavioural privacy as it breaks the law and the agreement with the library on appropriate behaviour.

| Decisional Privacy | Behavioural Privacy | Physical Privacy |
| --- | --- | --- |
| We are free to make decisions without intrusion, overt influence or observation from others. | We are free to act as we wish without intrusion, overt influence or observation by others. | This relates to our physical bodies or people. |

Data Users and Uses

In the context of security, we’ll be looking at data security, and that means we’ll be looking at it from the point of view of a large organisation that creates, collects or ingests data in a way that can impinge on privacy. Let’s consider the benefits and disadvantages to individuals of data use by different organisations.

| Organisation | Benefit | Disadvantage |
| --- | --- | --- |
| Government | Improved services/infrastructure; more efficient; improved targeting of services/infrastructure; improved alignment with electorate; lower taxes (lol) | More power, overreach, authoritarianism; overtly influence the population to their agenda; bigger target for attack, data loss/leaks; loss of or perceived loss of privacy |
| Law Enforcement | Catch more criminals faster; larger deterrent to criminals | Bigger target for attack; data loss/leak; powers prone to scope creep; loss of or perceived loss of privacy |
| Commercial Enterprise | Products/services people want; greater alignment with society’s values; more efficient; greater innovation | Bigger target for attack; data loss/leak; part of the data economy, commoditisation of data; overtly influence market demand for their products/services; overtly influence society’s values; loss of or perceived loss of privacy |
| Advertising | More relevant and timely advertising. We all bemoan it, but it can be useful – I may not have found my degree without it. | Complete loss of data privacy. |

Privacy vs Utility

Data and privacy are linked, and privacy and utility can co-exist, but there is a tension between the two. Privacy limits the precision of data, which can limit utility by reducing granularity and availability. Data use is often prone to scope creep, as we saw with the WA Police loopholing check-in data, and can impinge on privacy. Some other examples are:

Social Media Data:

  • Tagged photos could be used to determine location, time at location, device, or for training AI.
  • Locations/check-ins: used for tracking by police, burglars or creeps.
  • Social activity can be used in inference attacks.

Shopping Data:

  • Purchases or combinations of purchases can be used to provide personalised insights and trends.
  • Geolocation data: time spent in areas, stores or sections of stores.
  • Online shopping: a lot of metadata and tracking data is collected.

GPS Data:

  • Everything location based: where, when, how fast, real-time location.
  • TomTom tried to sell GPS data to law enforcement to help target areas for speeding.

Data Brokers:

They collect data on individuals and sell it or insights gained from its analysis. The source of the data is often a trade secret – combined with a lack of transparency and regulation. This means that people are often unaware of what the data contains or that it even exists. Several data brokers have been hacked, multiple times. So not only is there a privacy issue with their activities but also an overt security risk. They can collect various data, including:

  • Legal and court data, bankruptcy, company registration
  • Online platforms, websites, app, domain registration
  • Subscription services
  • Purchase data

Genomic Data:

  • Could potentially be sold to pharmaceutical companies.
  • Lots of talk amongst insurance and health providers.
  • Largely untapped.
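The tension between privacy and utility described at the start of this section, as an added example that is not part of the original post: constructed check-in coordinates are rounded to coarser grids, and for each precision the script reports the smallest number of distinct users sharing a grid cell (higher is more private) beside the average positional error (higher is less useful). The sample records, the function names and the choice of rounding as the coarsening method are assumptions made for illustration.

```python
import math
from collections import defaultdict

# Constructed sample check-ins (user, latitude, longitude); not real data.
CHECKINS = [
    ("a", -31.9523, 115.8613),
    ("b", -31.9527, 115.8609),
    ("c", -31.9541, 115.8588),
    ("d", -31.9512, 115.8642),
    ("e", -31.9712, 115.8931),
    ("f", -31.9688, 115.8942),
]

def cell(lat, lon, decimals):
    """Coarsen a coordinate by rounding it to a grid of the given precision."""
    return (round(lat, decimals), round(lon, decimals))

def smallest_crowd(records, decimals):
    """Privacy side: fewest distinct users sharing any one coarsened cell."""
    users = defaultdict(set)
    for user, lat, lon in records:
        users[cell(lat, lon, decimals)].add(user)
    return min(len(u) for u in users.values())

def mean_error_m(records, decimals):
    """Utility side: mean distance in metres between true and coarsened points."""
    total = 0.0
    for _, lat, lon in records:
        c_lat, c_lon = cell(lat, lon, decimals)
        # ~111,320 m per degree of latitude; longitude shrinks with cos(latitude).
        north = (lat - c_lat) * 111_320
        east = (lon - c_lon) * 111_320 * math.cos(math.radians(lat))
        total += math.hypot(north, east)
    return total / len(records)

def tradeoff(records, decimals):
    """Return (smallest crowd, mean error in metres) for one precision level."""
    return smallest_crowd(records, decimals), mean_error_m(records, decimals)

if __name__ == "__main__":
    for d in (3, 2, 1):
        k, err = tradeoff(CHECKINS, d)
        print(f"{d} decimals: smallest crowd = {k}, mean error = {err:.0f} m")
```

At three decimal places every user sits alone in a cell, so a single check-in identifies them; coarsening hides each user in a larger crowd but moves every point further from where the person actually was.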

Conclusion

There we have it, an overview of privacy. Privacy is a large field that covers a lot of area and it’s one that as a society we are only starting to appreciate. It’s an area that will become more and more entwined with security as the world continues to digitise. It can be easy to dismiss, especially when we have given so much information about ourselves away, but with so many parties interested in obtaining and using it, it’s never too late to start protecting it. 
