My attempt to define and explain privacy and security in the way I understand them. Comments about what I perceive to be definitional problems are at the bottom end; most of those I make with less confidence, or they are opinionated.
Privacy is one’s autonomy about who/what to allow into their own life (or keep out). More narrowly, related to information, privacy is the ability of someone to determine what/how/who/why information about themselves is revealed (or withheld). Privacy is essential to human dignity and to a free and democratic society. This is recognized by several laws worldwide that declare privacy a human right. Privacy may be achieved simply by being given respect (for example, not having the bathroom door opened on you while bathing), or by security measures (encryption, locks, etc.).
Security is the protection of someone or something from adversarial actors. Highly context-dependent, security is employed to protect life, health, freedom, property, activities, society, information, etc. against adversaries who may try to undermine those.
Aside: safety
I often use “safety” instead of “security” to refer to protection from non-adversarial risks (accidents, mistakes, failures, etc.), but “safety” and “security” (or their similar words) are sometimes interchangeable.
While privacy and security are not the same, they are practically inseparable. Privacy often relies on effective security measures that protect identities, content, metadata, etc. Conversely, privacy loss often amounts to security risks, for example by enabling phishing, blackmail, violence, etc. If someone knows what property you have or where it is, they may be able to steal it from you.
The exception I see to this inseparability is when privacy is not a goal of security and privacy loss does not amount to security risk. A security service can provide security to someone but at a cost to that person’s privacy from the security service, in which case that someone would need to place significant trust in the security service.
In this forum, I see a need for terminology like information security, opsec, device security, etc. as and when appropriate. In specific contexts, for example a hardware project, “security” without adjectives could potentially be used without loss of meaning.
The word “security” is problematic because its meaning is highly context-dependent. Security for who? From which adversaries? What kind of security? Here’s an example:
A prisoner in a cell is secure, but has no privacy.
In this case, it’s clear that “secure” doesn’t mean the prisoner’s privacy is protected, but it could mean the prisoner is protected from violence by other prisoners or guards, or it could mean the prisoner cannot escape or cannot hurt other prisoners or guards.
Different perspectives in the context of digital technology and the internet may be security for a software project, security for users, security for services, security for service operators, etc. This can complicate discussions about security because these may have different goals, sometimes conflicting goals.
It’s apparent that many people involved in digital technology, information security, etc. define privacy and security such that they are orthogonal, in contrast to security including protection of privacy. I don’t know what definitions are frequently used, what origins these have, how many people use them, or how these are best termed.
An example of this is A Holistic Security Analysis of Monero Transactions, a presentation of an analysis of Monero’s monetary security. Contrary to what the title suggests, the presenter is explicit that the analysis is limited to concluding that an adversary cannot steal or create coins (jump to 3:04 and 24:26), without considering security risks related to transaction privacy: linkability, deanonymization, leakage of amount, consequences of sharing a Monero address, etc. Maybe it is an assurance of monetary security, but the presentation was not the holistic security analysis I would have expected, considering what I understand to be Monero’s goal of financial privacy. I don’t use Monero, so I invite Monero users to correct my claims or elaborate.
Cybersecurity risks like vulnerabilities to privilege escalation, MITM attack, denial of service, etc. are treated with high priority. This is good and certainly better than security as an afterthought. On the other hand, privacy risks (security risks that affect privacy) that fall out of the cybersecurity scope are treated as lesser, irrelevant, even desirable. More skeptically, I wonder if attempts to separate privacy from security have an agenda. Surveillance capitalism and governments may want cybersecurity but not want people to have privacy.
Similarly, there is a problem that privacy is sometimes defined narrowly. Many data protection laws/policies define “privacy” narrowly to mean protection of personal information, and additionally, may define personal information narrowly to mean specific information: name, gender, address, religion, etc. Unavoidable maybe, but this risks making people think privacy is a narrow concept.
Finally, there is the “privacy vs security” rhetoric. As I have explained above, “security” is a problematic word, and “privacy” is likewise defined differently by different people. With few exceptions, I presume, this rhetoric either conflates these differences or deliberately exploits them to deceive people.