Back to basics on Data Protection Day

Security, privacy, and information security – Protecting personal information in 2022

Information security, (cyber) security, and privacy are concepts so interconnected that it’s easy to get them mixed up. A slip of the tongue (or keyboard) is common even in our offices, and we work in the space. So, let’s try and clear things up. Tag along for the details.

The analogy problem

Analogies are great for making technical concepts easier to understand. Taking habits out of the digital world and finding real-life parallels can also highlight just how absurd the things we do online are. We’ve all heard the classic “posting on social media is like shouting your ideas at strangers in the middle of the street” parallel. But the truth is there have always been people randomly shouting ideas in the middle of the street. It’s even a tradition in some places… looking at you Speakers’ Corner.

The problem with analogies is that they generally highlight one side of complex phenomena. For example, the above can’t address social media being both a platform for fighting authoritarian regimes, and for spreading misinformation and destabilizing countries. Not to mention the problems around pervasive ad targeting.

Now that we’ve established that not all analogies hit the mark, let’s dive into one that we’ve come up with at Tresorit. (Yes, we see the irony…) We hope the analogy will help you understand the fundamental differences between a few key concepts: privacy, security, and information security. However, remember, analogies highlight certain aspects of these complex ideas, so be sure to search for further resources for more information.

My computer is my house

Just as we live in physical houses, our computers, tablets, and smartphones are the homes of our digital selves. As a result, considering the concepts in the frame of a physical house is a great way to separate them. Let’s get started.

Privacy is a right. In essence, it’s your right to have a home and to go home. When at home, you have a right to not be observed, bothered, or monitored. You have the right to decide who can come into your house and when and when to leave your home and be visible to wider society. How you live in your house also depends on personal preferences and cultural traditions. You have the right to choose how much of your home society can see: erect a fence, plant tall trees, or pull the drapes over windows. Some may need more privacy, and others may be okay with less. Ideally, privacy is an individual, conscious choice that depends on several factors. Society can only barge in through a court of law in selected and targeted cases. (This is what differentiates law enforcement requests for data – i.e., digital search warrants – from undifferentiated mass surveillance carried out by governments.)

It is also your right to separate yourself from others you live with when needed. Thus, some areas of your house are more private than others. For example, you may close the bathroom door and a shower curtain when you shower.

Security is the various tools and means you can use to protect these rights and make sure those you don’t want to can’t access your home. There are different forms and levels of security. For example, pulling the drapes on an open window will block others from seeing inside but not from climbing in through the window. Closing the door is different than having bars on your front door.

Again, some areas will need more security than others, the bathroom door, and shower curtain, or a safe built into the wall. Each security measure guards against different things, and, most importantly, no security measure will protect you from everything. Just as in the real world, you are the first line of defense: if you let someone into your home, defending yourself from any threat they may pose becomes much more difficult.

Information security policies define and outline how you use the concept of defending yourself in several layers, with various purpose-built tools. For example, you may store some valuables in a hidden safe built into the back wall of a cupboard in your home office. Because the room itself contains sensitive information, you lock the door. Then you close and lock your house’s windows and doors and turn on the alarm system before leaving.

The policy also outlines what kinds of valuables you store in different places. For example, your microwave oven is easy to replace if stolen and does not pose any long-term threat. So, you can leave it on the kitchen counter behind a locked front door. Your bank statements are better left in your locked office because they contain personal information. Finally, your grandmother’s diamond engagement ring and things of similar value should always be kept in the safe.

Where does data protection fit in?

Data protection connects to all the above. In the digital world, your personal data is your most valuable asset. Data protection outlines both the tools available to protect your data and how you can use them. It also details how others can interact with your security measures. For example, the government shouldn’t be allowed to simply turn your alarm off, break into your house and read your mail when it wants to. Unfortunately, this is essentially what the UK government hopes to continue doing by trying to block end-to-end encryption.

Similarly, who wants an always-on telescreen from Orwell’s 1984 in their home? A company shouldn’t be able to install a camera in the corner of a room or place an always-on microphone in your living room.

Oh wait… that’s exactly what we’re letting them do. By default, these microphones only record anything said after their trigger word (Siri, Alexa, Hello Google, etc.). Nevertheless, anyone who has used any smart assistant will know these tools often misinterpret everyday conversations as triggers. Not to mention that malicious actors could hack devices to exploit their always-on microphones. Remember, as this article from the ACLU states: “Overall, digital assistants and other IoT devices create a triple threat to privacy: from government, corporations, and hackers.”

The Privacy and Security Connection

Why is sharing personal data online so problematic? Continuing our analogy, sharing your personal data online is similar to taking your passport over to a stranger’s house and putting it in a safe they have the keys to. The problem is you may not have a clear picture of the security practices they have in place. For all you know, they could store the key on a hook next to the safe without locking their front door.

A data breach happens when a company is the victim of an attack, and malicious third parties access the safe with your passport. They can now use your data for their own nefarious goals or sell it to the highest bidder. Worst of all, when it comes to digital data, you may never know a breach has even happened unless it’s disclosed because digital files are so easy to copy.

Another kind of privacy violation is when companies use the data entrusted to them for unethical means or in a way for which they were not authorized. In our analogy, this could be putting financial documents in the safe mentioned above, only for the house owner to read them, and then start bombarding you with loan offers (how Google ads work). They could even sell your files to a bank to help them make better financial decisions (remember Cambridge Analytica?).

Some opponents of encryption claim that individuals must sacrifice privacy to allow states to ensure security. This has led to a debate about encryption backdoors and mass surveillance. But that’s a question we’ve addressed before, turn the clocks back a year to learn more.

This is why all individuals must understand the risks of sharing and storing their personal information online. But, even more importantly, businesses must learn what they can do to protect the data they are entrusted with.

To help companies and individuals alike, we’ve decided to launch a new series of blogs on Data Protection Day (or Privacy Day for our friends in the US) to discuss the major threats of 2022 to our data. Check back over the coming five weeks to learn about how:

• social engineering (phishing, smishing) is always becoming more sophisticated;
• ransomware is going nowhere in 2022, but cyber security tunnel vision is also a threat;
• supply chain attacks, vulnerabilities in third-party software, and sideloading could affect businesses globally;
• and how DDOS attacks are simple to carry out and extremely damaging;
• man in the middle attacks are now circumventing TLS encryption in certain settings.

We’ll explore the tech behind each threat, what companies and individuals alike can do to counter them, and where end-to-end encryption can help. Watch this space.