Privacy vs. Security

In honor of Cyber Security month, I figured I’d talk a bit about the difference between privacy and security. Privacy and security are terms that tend to be used interchangeably by some. While they are related, they aren’t the same. For example, your home’s bathroom door may have a lock you can open with a screwdriver or by simply slipping a credit card between the door and frame. That security is quite lacking, but assuming social norms of not bypassing that weak security are followed, it does offer privacy. Similarly, you could have your house made of 20 inch thick bullet-proof glass and you’d have a bunch of security, but not much privacy.

With that difference established, things get a bit fuzzier when you start talking about the scale of the internet. On the internet, you can’t expect everyone to respect social norms, and you can’t expect everyone to look the other way when you expose something private. So at the scale of the internet, privacy and security start to move closer together. Arguably, you can’t have privacy online without security. Simply put, you need good security in order to have good privacy.

While you need security in order to have privacy, good (or even great) security doesn’t equal good privacy. Google may be a perfect example of this. While I believe their security is pretty good, you aren’t gonna have much privacy using their services. So you can care about security without caring about privacy, and if that’s the case you’re probably using Google. Unfortunately, that also means you can’t care about privacy without caring about security.

So while the end goals may be different, my recommendations on where to start for people who have a new interest in gaining online privacy tend to be security related. Use a password manager, use unique passwords for everything, and set up 2FA. Those aren’t only going to help build a foundation for your privacy journey, but they’re going to improve your security quite a bit. A password manager is going to allow you to start realizing how many accounts you have and how many you don’t really need. You can delete old accounts you don’t need, and you can close out accounts you don’t want linked to your real identity anymore. You can set up unique emails for accounts as easily as you set up unique passwords, and you can store answers to security questions you feel aren’t good enough to answer truthfully. It’ll give you a good foundation to start.

After those initial steps are taken, I’d probably say the next step is to consider your threat model and decide what you’re trying to protect and from whom. Those considerations will influence what actions you should take next. That may be deleting your social media, or getting a secure email account, or setting up a VPN, but some things are going to bring more benefit to your threat model than others, and with most things you want to maximize the impact of your efforts. Some of the things are so far down the list that they become pointless to do before others. What good is getting an untraceable phone paid with cash under a fake name with a carrier you pay using private transactions, if you’re going to log in to Facebook with your real identity (again, depending on your threat model)?

So my point is, on your privacy journey, don’t ignore security, and think about your threat model. Keep your software up to date, and do your best to secure your accounts. On the scale of the internet, you can’t have privacy without security.