June 13, 2013

Privacy VS. Security in a PRISM: The Important Difference


The events of the last several days certainly raise awareness around the integrity of data and the companies we entrust with it. Many of the articles and posts have pored over the impacts: the good, the bad, the necessity, the importance, the invasive, the threat, the martyr and so on. Given this flood of commentary, I would like to spend some time writing about a concept that is finally emerging – privacy. And further – how privacy is substantially different from security.

To begin, let’s review the definitions of these two words (according to Google):

Security – The state of being free from danger or threat

Privacy – The state or condition of being free from being observed or disturbed by other people

Of all the conversations and dialogue about PRISM, none has concentrated on the security measures in place at companies like Google, Facebook, Amazon, Apple, Verizon and others. Why, you might ask? Because this was not a breach of security. No one hacked into their systems. No one stole passwords. Rather – according to reports – these companies willingly complied. [Note: It would be appropriate to draw attention to the NSA's own security breach in light of Edward Snowden's ability to access and remove these documents.]

If the world were oriented around privacy, a third-party provider of web-based services (such as Google, Facebook, Dropbox or SpiderOak) would have no ability to access the plaintext data at all. In practice that means the data is encrypted on the user's own device, and the keys needed to read it never reach the provider. In other words, privacy removes the ability to access the data in a meaningful way, so that it can neither be supplied to government agencies nor stolen by hackers.

We are not suggesting, nor have we ever suggested, that there isn't a need for security; in fact, security is absolutely critical. And for many implementations of various services, privacy is not applicable. However – in the world of conversation and the creation of personally owned content, from photos to chat to calls to spreadsheets to documents – privacy is absolutely a critical component, and one that can be achieved.

My hope is that we – as a society – will now start asking the question: Why? Why do companies have access to my photos and documents and chat conversations? Is it a necessary part of the service they are offering? A convenience for me? If yes, what are these companies doing to keep my data private? And are there alternatives if I do want real privacy? From the NSA? From the company? From anyone?

This dialogue is critical, and I am very glad to see the word 'privacy' start to weave its way into conversations. Further, the public is being educated on the important difference between privacy and security and – hopefully – we can all start making choices accordingly.

For more information on this topic, please visit ZeroKnowledgePrivacy.org and/or watch the explainers below on Privacy vs. Security and the important role of the Privacy Policy.

  1. You keep opposing security and privacy, while they are in fact not that opposed. It’s only a point of view, really. If my data are accessible to any rogue Google or Dropbox employee, this is not just a privacy issue, this is also a security issue. If you host important data here or there and they are willingly given away to a third party (be it governmental or not) by the company hosting them, this is not just a privacy issue, this is also a security issue.
    Security isn’t just protecting a system against hackers; it is, among other things, protecting a system against unauthorized use. But the people entitled to give the authorization for use aren’t the entity hosting the data, it’s the entity owning them. In the end, security and privacy are very, although not entirely, overlapping concepts.

    • @ Anonymous: I much appreciate your comments and thoughts above. Regarding your note, privacy and security do overlap for sure. For example – if I had strong privacy but weak security and someone were to steal one of my servers, my privacy would still be intact but of course I would no longer have whatever data was stored on that machine. And the inverse is equally true. From our perspective, it is more a matter of philosophy and approach, and it is through these eyes that these concepts diverge greatly. Applying security vs. building privacy require very different thought processes. Are they linked – absolutely. Are they in opposition to each other – no. But it is important to think of them as different conceptually in order to apply them correctly in each case.

    • Anonymous, I think you hit the mark distinguishing between authorized and unauthorized use, and the distribution of that authority. In his posting Ethan provokes the question where the authority lies with respect to popular web services like Google Mail. Most people don’t give it a second thought — but only, I believe, because they make the incorrect assumption that their e-mail “by default” is in a sort of username/password-protected envelope, like a letter they’d send by USPS.
      I like the thought that zero-knowledge privacy solves the question “who has the authority to view, process, archive my data”, beyond the security policies and security mechanisms which are in place.

  2. Hi. What troubles me about the post is that SpiderOak does not acknowledge or deny that it’s participating in the Prism program. I believe you are trying to say that you focus on privacy, which means that the data stored on SpiderOak is not open for prying and encrypted to make it difficult for someone else to use the data, e.g., able to read a document. I am also worried about any discussion on your security.

    • @ Arnold Welz: Thank you for your reply. To respond to your question and to be clear, we have not been asked to participate in the PRISM program at this time. However, had we been asked we would choose not to participate based on the privacy principles SpiderOak was founded around. Either way – due to approach – the data would be meaningless to a government agency as it remains in its fully encrypted state without the keys necessary to unlock it.

      Please let me know if that answers your question and/or if you have further thoughts moving forward.

      • “Either way – due to approach – the data would be meaningless to a government agency as it remains in its fully encrypted state without the keys necessary to unlock it.”
        => Well, the worrying thing is maybe they could force you to put some nasty things into the client… (I believe this was already discussed somewhere on this blog, actually)

        • I agree with the poster above and think that the good folk at SpiderOak should put into place a contingency plan so that if the Feds/NSA ever try to force you to inject nasty stuff into the client to work around the encryption, or try something else, you can bail out of the U.S. and set up shop in a more ‘free’ country.

          Sad to say that about the Land Of The Free, but there it is.

          If they do come for you, they will come hard and fast with legal threats and/or force and there won’t be time to work out a Plan B on the fly – it is best to set the ground work now.

    • There’s zero point in asking any company if they participate in PRISM. Remember when this all came out? All the companies denied it. Heh. No company is going to admit to it, needs to be outed by docs or the public will never know.