The Difference Between Privacy and Security

Privacy and cyber security go hand in hand in that they are about keeping your data yours, but they are two different sides of the same idea.

Privacy focuses on the actions of the company / entity you give your data to. What can be done with data ranges from literally passing it in full to the highest bidder, through providing analytics of usage, to where Mashoom sits; your data is only your own and we do everything we can to keep it that way. Privacy often gets overlooked as you can say “we are secure” without mentioning that you are passing some or all of your data onwards.

Security on the other hand is protection against people that never should have access to your data; hackers! This is much better respected as we are used to the idea of protecting “assets” against people stealing them. The mainstream media often talks about data theft as if it's state sponsored hacking of government secrets, all very high tech and secret. The reality is the majority of hacks are someone putting together a crawler for a known vulnerability then using a few other tools circulating on the dark web to apply ransomware; they are after a quick buck rather than anything particularly interesting.

Do They Matter?

I think most would agree that security matters. Everyone is used to the concept of stealing in the physical world and with that comes a basic understanding that it's something you don't want to happen.

On the privacy front, if everyone was asking this question we would be in a much healthier place in terms of industry's relationships with tech. The biggest concern at the moment is people simply not knowing about this side of things when sending data to services; they don’t know the choice they are making.

The line I use many times is that if people understand but don’t care if their data is seen by someone else, they can feel free to use non privacy centric platforms. But if you don’t want your data viewed by someone else, and most firms would be in this boat, then the matter of privacy should be known about and respected.

I think there is a lack of understanding shown by many businesses on privacy issues. Strangely I think individual consumers are more clued up than businesses at the moment! I wonder whether because it’s company data and no-one can or does check, people are more relaxed on the privacy front. In the majority of cases, people are judged on getting a job done rather than how the data got moved around, and there probably isn’t the same emotional connection to company data as there is for personal data.

How Could Privacy Directly Affect Me or My Business?

For personal data, the most noticeable use is the personalization of the adverts you see. However there are many other uses, for instance your data could train an artificial intelligence algorithm to recognize people like you from how you move your mouse on the screen; never underestimate your data's value or the ingenuity of how it can be used.

Spending and behavioral data is very valuable and is collected from both individuals and businesses. Personal data can be aggregated into metrics like "how many people in London bought X”, these are probably not so scary to be a part of. However once you start getting into business data, the details of a contract, the price of a construction project etc are hugely valuable to the right eyes. The issue is that behind closed doors it’s possible for your (your company's) data to be shared in this way; in many cases you have agreed to a policy where they are free to do this!

Another worrying issue is that there are examples where although the company collecting the data doesn't "officially" make use of it, there are relaxed (at best!) controls in place to stop an employee getting this data and using it elsewhere. If a company has no commercial incentive to keep your data safe, nor a contract, then they are unlikely to take every precaution required to keep your data safe.

There are more examples, but one ends up sounding a bit like a conspiracy theorist as it’s impossible to quite know what is going on, and the picture is ever changing. On a fundamental level, companies are bought for their data and companies make money from collecting it, so there is a clear value. Unlike being charged a price for a product, you don't know what value you are providing to a company. This is a recipe for more "value" being taken from you than you would normally concent to.

Another much simpler comparison is the practice of signing NDAs (Non Disclosure Agreements) before doing business, which is fairly common in many industries, "just incase”. If you are a company or individual that does this as standard, you should be using privacy centric services by extension of the same logic.

Where States Fit Into The Picture

This topic is inevitably political, but without passing judgment on various foreign policies, it should be mentioned.

Firstly, many governments are building teams and tools to launch sophisticated cyber attacked on a variety of targets, online services to military installations. This doesn't (as many IT providers say) mean "you can never be safe". States are in a bug hunting race (along with regular hackers) against private companies and open source software and there is certainly no clear winner. Look at the difficulties law enforcement have unlocking iPhones as an example. The result is that if you (as a company or individual) follow good security guidance and store you data with reputable providers, you can sleep easy at night on this front.

However, basically all governments can ask tech companies to hand over data, and the government's laws etc dictates how this is done. In the UK, US and others this is done via a court order, in China and other examples the state can ask for data from a company and it must be provided without question. This is why where, and under what jurisdiction your data is held is important. In many ways you can see your data as being protected by, or vulnerable to, the legal framework it's held under.

Mashoom's T&Cs will never be able to grant protection from every government; you can’t write yourself into being above the law! However, Mashoom is a UK registered company with its data stored in Ireland; we are only legally bound to obey UK and (potentially) Irish data requests. In both these cases a valid court order would need to be issued. This follows much the same framework as you could expect for raiding physical properties of suspected criminals, seizing bank assets and so forth, getting data is just another version of the same idea.