Keep Data Secret, Keep Data Safe.

Privacy and Security are two different words, so it is reasonable to ask if there is a difference between “Data privacy” and “Data Security.” The terms seem to be used interchangeably a lot, but I think there is a difference that affects how we think about the issues and that guides how we approach solutions to protecting information.

The standard industry analysis is that Data Security is “confidentiality, integrity, and availability,” while Data Privacy is about the “appropriate use” of the data (I think this is better understood as asking “are only the right people seeing the data?”).

If you’ve seen the movie (and you should have), you remember this moment:

When Gandalf leaves Frodo with the One Ring, he admonishes him: “Keep it Secret. Keep it Safe.” Is this one instruction, or two? Are safety and security of a thing the same thing, or two different dimensions of protection?

  1. Secrecy as Privacy.

One of the most interesting discussions I had in law school began with a professor asking “What good is Privacy?” Some academics and jurists, like Judge Posner, have challenged privacy as inefficient; it is the right of criminals to hide their activities and avoid detection or evade conviction by concealing evidence. Advocates of this position assert that non-criminals do not need privacy, while privacy greatly advances the efforts of criminals.

However, privacy is also how we keep information away from criminals. In the digital world, information is everything, so keeping information away from criminals prevents harm. While non-criminals might not fear other non-criminals accessing financial information, certainly they would not want criminals to have the tools to access their bank accounts.

Privacy is an element of security, but it is not the same thing as security. One of the best ways to keep a secret is for people to not know you have a secret; people don’t rob vaults they don’t know exist. However, you wouldn’t leave your valuables unguarded and rely solely on the hope that no one ever finds out about them. Security is always a prudent consideration. (Though there might be interesting strategic choices in minimizing security to maximize secrecy…)

  2. Safety as Security.

I thought it was a little odd that the US government considers “integrity” one of three prongs of data security. “Confidentiality” makes sense (see the point on secrecy), and “availability” is an often overlooked part of security. Your money would be very safe if you shot your life savings into space, but that’s the kind of security plan we might call “not thought through to step two.” But why would the reliability and accuracy of the data be part of the security of the data? We don’t evaluate the security of a bank vault on the basis of whether the currency it protects is undermined by inflation or monetary policy decisions.

I think this prong shows one of the dissimilarities between physical security and cybersecurity. We are rarely concerned about the sabotage of physical things we protect, just as we are not often concerned about physical objects being copied (as data can be copied). Data is subject to minor alterations that can corrupt it to render it unreadable or unsafe to use. In some cases, the fact of the data being shared might render the data less valuable (particularly for military intelligence).

  3. So, Gandalf has a pretty good privacy policy. By keeping a Ring secret, it is easier to keep safe; by recognizing the difference between safety and secrecy, he is able to give Frodo a more robust policy to guard the fate of Middle Earth.

Of course, if Gollum yelps out “SHIRE! BAGGINS!” the data will be compromised and new measures and methods will become necessary… But “The Fellowship of Data Protection” is a blog post for another day.