the difference between privacy and security

Posted on January 26, 2011 by ben

Facebook today rolled out new security features, both of which are awesome: SSL everywhere, and social re-authentication. True, SSL everywhere should probably be a default, even though I continue to believe that the cost is significantly underestimated by many privacy advocates. Regardless, this announcement is great news.

The only nitpick I have, and I point it out because I think it’s significant in Facebook’s case, is that the announcement confuses privacy and security. The first paragraph mentions Data Privacy Day, then the general concept of controlling your data, then transitions to the new security features. But those are quite different.

Security is about stopping the bad guys from stealing your data. Privacy is about controlling the good guys’ handling of your data. (Ron Rivest is said to have phrased this most eloquently, but I can’t find his quotation.)

So, SSL and social re-authentication provide security because they prevent bad guys from seeing your network traffic at the coffee shop or stealing your login. That’s fantastic, but it has little to do with privacy. If Facebook wanted to celebrate Data Privacy Day specifically, they might consider giving users more control over their data on Facebook. Maybe letting users control who gets to tag them in photos (i.e. not my stalker). Or letting users indicate fields by which advertisers cannot target them (i.e. sexual orientation.) Those would be privacy features.

I don’t mean to knock Facebook’s announcement: it’s great. But it’s about security, not privacy.

This entry was posted in privacy, security, web. Bookmark the permalink.
  • http://twitter.com/edulix edulix

    You hit the nail in the head as usual =).

  • http://arvindn.livejournal.com randomwalker

    Hmm, I don’t think there’s nearly as clean a dividing line as that.

    The main reason why the average Facebook user needs HTTPS is to prevent someone at the coffee shop from snooping. And if you asked the average Facebook user which term better fit this use-case, I’d bet it would be privacy nine times out of ten.

    Edit. Oh, you already mentioned the coffee shop thing. I have no idea why you say “it has little to do with privacy.”

    Edit 2. Thinking about it a little bit more, I guess I can see where you’re coming from. You have a clearly-defined access-control model in your head, and wireless snooping violates this model. To the average person, these lines are fuzzy at best. Coffee shop snooping, then, is no different from looking over someone’s shoulder. Your characterization would probably elicit a reaction such as

    “But I’m not a hacker! I was just trying to see if she’d mentioned me to her friends yet.”

  • http://ben.adida.net Ben Adida

    I agree that the line may not be quite as clean as I implied, but I think it’s still useful to try to draw the line, otherwise it’s too easy to truly confuse everything, like SSL vs. privacy control tools.

    I think of privacy as follows: you’re in a coffee shop talking on your cell phone to your spouse about your recent doctor’s visit. Someone who is in the coffee shop, doing their perfectly legitimate coffee drinking, overhears your conversation. A privacy tool here would be a phone booth. I don’t think snooping on the wire is in the same realm of casual, legitimate overhearing.

    Now, in the digital space, there’s no such thing as accidental overhearing. Facebook *enables* overhearing through the tools they build, e.g. seeing when a friend of yours posts on another friend’s wall. It’s all overhearing by design. So that’s where the delineation is more difficult.

    In the end, you’re right that most people don’t think of privacy and security in different ways. I’d like them to, though. That would seriously help the debate.

  • Pingback: Tweets that mention Benlog » the difference between privacy and security -- Topsy.com

  • Pingback: Benlog » the difference between privacy and security | Dr. G on Facebook