Of course, both! Unanimously, and unequivocally!
During a recent discussion with a client, I was asked “How do you ensure our data is secure?” I rambled about infrastructure and software security until I realised that I had lost him. This is not what the client was interested in. I tried to quiz the client further on his concerns. “How do you ensure that my data is not shared elsewhere?” he asked.
Aha, that question!
Now with a clear question (and a relevant answer), I wondered what we really mean when we ask a question. What is the context of a question? My initial answer on security was based on the keyword ‘secure’, whereas the context really was ‘privacy’. Are Security and Privacy different? Of course! Well... Yes and No. Ummm... depends upon the context of the question 🙂
One case that comes to mind, where the context has been totally misunderstood, is the raging debate around universal correlation IDs such as Aadhaar. Most of the concerns about the privacy issues surrounding Aadhaar are actually answered with rhetoric about how secure it is! That’s the same mistake I made in answering the client’s question.
If we look at it conceptually, Security is about Controls and Privacy is about Policy. Rather than delving into the Venn diagram of Security and Policy, let us take that up with an example.
- When we visit an office or workplace, typically we are asked to identify ourselves, prove our intent and log our entry. That is the simplest form of Security: To prevent unauthorised access, and monitor authorised access.
- Now that I am in the office or workplace, what can I do? Can I enter a meeting room even if it is not booked for me? Am I allowed to read only the magazines in the public area, or can I peer into anyone’s workplace ‘litter’? The simplest interpretation of Privacy: what an authorised person should do even if you allow access.
- Okay, if that was clear enough then let's crank up the confusion a notch. Can I pick up the obligatory magazine in the public area or the workspace ‘litter’ and walk out with it? Needless to say, I will be stopped at the door by the burlesque guard (not smiling anymore). Yes, some of the privacy policies need to be enforced with security controls.
Here are some more quirky comparisons of Security and Privacy.
Security: What I am allowed to do
Privacy: What I am supposed to do
Privacy: Moral fibre
Security: You hear it in the news when someone makes money by hacking into systems, steals and then sells data
Privacy: You hear it in the news when someone makes money without hacking, without stealing but selling data
Security: You are told that it could happen
Privacy: You are told that you agreed for it to happen
Security: Experts end up making money
Privacy: Lawyers end up making money
In either case, once it hits you, you start looking for options to minimise and mitigate the risks. And you lose trust. Sometimes even money. I forgot which one was more important.
But hey, how do we really prevent lapses in security or privacy? Since the answer is neither quick nor easy, you would need to wait for the continuum.