Security vs Privacy: Understanding the Difference

Key Points

  • If you don’t pay for a service, you become the product, which explains why free platforms often lack direct customer‑support channels.
  • Security focuses on the CIA triad—confidentiality, integrity, and availability—aimed at protecting data from unauthorized access, alteration, or downtime.
  • Privacy adds layers of notice, informed consent, and transparency, ensuring users know how their data is used and can verify that usage.
  • While security defends against attackers seeking “digital crown jewels” such as intellectual property, privacy safeguards the personal information that users willingly share.

**Source:** [https://www.youtube.com/watch?v=x3rg8bttldg](https://www.youtube.com/watch?v=x3rg8bttldg)
**Duration:** 00:09:51

## Sections

- [00:00:00](https://www.youtube.com/watch?v=x3rg8bttldg&t=0s) **You’re the Product: Privacy vs Security** - The speaker argues that using free services makes users the product, then explores how privacy and security differ yet intersect, urging viewers to assess the value and protection offered by such platforms.

## Full Transcript
0:01 If you aren't paying for it, you are the product, not the customer. That's true in almost everything. Think about your social media. Go ahead and try to call customer support. Do you know the number? I'll give you a minute to look it up. Okay, you can't find it. You know why? You didn't pay for it. That means you are, in fact, their product, and products don't get to call customer support. So are you getting a good deal as a product for this free service? That's what you have to decide, and that's a question of privacy. Is that organization giving you enough value for the information you're giving to them and how they're monetizing that? And in particular, do they have the security mechanisms in place in order to ensure that privacy? Security and privacy are really important in all of this. What's the relationship between the two? Sometimes people use the terms interchangeably. Are they the same thing? Are they different? Are they at opposite ends of the spectrum? Let's take a look at that in this video and understand the relationship between security and privacy.

1:12 Okay, let's take a look at this relationship between security and privacy and see what we can learn. So let's look at a number of different factors here. First of all, the principles that are involved in security versus privacy. Well, in security, if you've seen my videos before, I do a lot of talking about this thing called the CIA triad, where it's confidentiality, it's integrity, and it's availability. These are the three things that we're doing in security all the time. We're trying to make sure that only authorized people can read sensitive data. We're trying to make sure that the data has not been modified, that it has integrity. And we're trying to make sure that the system is up and available to the people who are supposed to have access to it. So CIA: confidentiality, integrity, and availability. That's the concern of security.

2:00 Privacy also adds to that some other factors, things like notice. In other words, if I'm going to be using your data, I should let you know about that, and I should make sure that you provide consent. You agree to my use of the data, and it's informed consent, not just one of those things where we've got thousands and thousands of words and you can't read through it or understand the agreement, you just say "yes, please take me through", but real informed consent. That's what would be involved in real privacy: I told you what I'm going to use your data for, you've agreed to it, and then there is transparency in the system. In other words, I want to make sure that the way the data gets used is in fact verifiable. These are the kinds of things that add to your confidence and add to your sense of privacy in a system.

2:55 How about the target? In other words, what would an attacker be after that we're trying to guard against from a security standpoint? Well, it would be digital crown jewels. It would be things like intellectual property that the organization has, like patents or plans or things like that, business plans as I just mentioned. It could be pricing, could be customer databases, this kind of stuff. That's what we're really focused on from a security standpoint, typically with organizations. Now over here on this side, what are the things from a privacy standpoint? Well, we're going to be looking at things like personal health information or personally identifiable information: your name, your address, your date of birth, your social security number, national ID number, credit card numbers, things like that. These could all be part of what we're trying to guard against in terms of privacy.

3:47 Now let's take a look at threat actors. So who are the people we're trying to guard against over here? Well, we've got these bad guys, these attackers, and they want to try to get into the system. So it's basically hackers that we're concerned with. We tend to think of them as outsiders; they could be inside attackers, but in other words these are the attackers that we see over here. On the privacy side, not only do we have the threat of hackers that I just mentioned from a security standpoint, but in fact we could even experience an attack from within the organization that is collecting all of our information. So that company that's collecting all that information, how are they using your information? They could in fact be the bad actor if we're not careful, if these policies and procedures are not really followed well.

4:38 How about regulations? Well, there are industry-wide regulations, and it depends on what market, what industry you're in, as to what regulations will apply to you. But in particular, for instance, the credit card payment system, PCI, the Payment Card Industry Data Security Standard, is a well-known global standard that must be followed if organizations are going to process credit cards. Some other things: a US-specific example, Sarbanes-Oxley, is something that involves companies that are publicly traded, and their information has to be secure and verified. There are a lot of other examples. Now how about regulations on this other side, on privacy? Well, in Europe in particular there's the generalized data protection regulation, GDPR. And I say in Europe, but in fact it affects companies all around the world. You should talk to your lawyers to find out whether you are subject to this, but I'll just say, just because your organization doesn't operate in Europe doesn't mean you're free from the responsibilities of GDPR, and they are extensive, and the penalties are extensive. For instance, one of the things GDPR introduces is the right to be forgotten. That is, all of my information that I've given this organization, if I later change my mind and say "pretend I never was here, forget you ever knew me", they have to get rid of that, and all the people they've shared it with have to be able to do the same thing. That's not necessarily an easy thing to do. We've also got things like, in the US, HIPAA, the health information portability act, I don't remember the full acronym, but that's what it's about: health information and trying to preserve that. There are other examples, but you see that there are regulations on both sides of this equation.

6:32 Now what's the primary target of the attacker over here on this side when we're dealing with a security case? Well, it's basically the business trying to look out for their own bottom line. They're trying to make sure that their information is not stolen, that puts them out of business, and that their competitors don't have their information and things like that. So they're looking to maintain operations. However, over here on this side, the privacy side of this, the real primary concern is in fact the individual. In other words, I'm concerned about my privacy. The business may not be as concerned about my privacy; they're concerned about security. So it tends to be that businesses need security and individuals need privacy. But hopefully you have understood from looking at this that there is a relationship between the two of these, and in fact security is the baseline that we need, and we build privacy on top of that. So it's not security versus privacy, it's security plus privacy, because I can't have these things if I don't have these things.

7:41 So let's take a look at a couple of different business models when it comes to security and privacy. So one model is basically this: it's "your data equals our business". What does that end up looking like? Well, you've got some person here, and they're going to send their data into a service. Again, this could be social media, this could be an e-commerce site, it could be a lot of different things. They send their data in, but then this organization also interacts with other organizations, and they forward that data to a lot of these other organizations. Why do they do that? Well, because they're getting money back in each one of these cases. So in that case, your data that you're putting in, you're paying nothing for this, but they're monetizing and being able to pay for this on the back end by selling your data to other organizations. So that's the "your data is our business", and not so good for this guy unless he's fully aware of everything that's happening in that case.

8:44 Now another business model is basically this: "your data equals your data". In this case our user sends their data into a service of some sort. That service uses the information but doesn't send it on. So how are they able to support their business? Well, it's because you're also probably having to pay for that. So you're putting something in, but in exchange your data remains your data. The bottom line is enlightened businesses understand that protecting customer privacy is in their best interest. Even if they have this type of model, they still should follow procedures and policies that protect the user's information, because as you see from this, security and privacy are very important both to the business and to users, and enlightened businesses realize they need both.

9:39 If you like this video and want to see more like it, please like and subscribe. If you have any questions or want to share your thoughts about this topic, please leave a comment below.
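The "your data equals our business" forwarding model and the right-to-be-forgotten cascade that the transcript describes, as an added example that is not from the video or its author. The organizations, the user record and the transfer graph are all constructed for this example, and `Org`, `forward`, `forget` and `residual_copies` are names chosen here, not anything from the video. The point the code makes is the one the speaker calls "not necessarily an easy thing to do": an erasure request can only reach the recipients an organization actually recorded, so a single unlogged transfer leaves a copy that no cascade will ever find.

```python
# Added example (not from the video): a toy data-sharing graph in the
# "your data = our business" model, plus an erasure request that has to
# cascade to every organization the data was forwarded to. Every org name,
# record and transfer below is constructed for illustration.
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Org:
    """One organization holding personal data and (maybe) forwarding it on."""
    name: str
    records: Dict[str, dict] = field(default_factory=dict)           # user_id -> personal data
    transfers: Dict[str, List["Org"]] = field(default_factory=dict)  # user_id -> who we sent it to
    logs_transfers: bool = True  # False models an org that forwards data without recording where

    def ingest(self, user_id: str, data: dict) -> None:
        self.records[user_id] = dict(data)

    def forward(self, user_id: str, recipient: "Org") -> None:
        """Monetize: hand the user's record to a downstream organization."""
        recipient.ingest(user_id, self.records[user_id])
        if self.logs_transfers:
            self.transfers.setdefault(user_id, []).append(recipient)

    def forget(self, user_id: str) -> List[str]:
        """Honour a right-to-be-forgotten request: delete our copy, then ask
        every recorded recipient to do the same. Returns the names of the
        organizations that erased a copy. The transfer list is popped before
        recursing, so a sharing loop (A -> B -> A) terminates."""
        erased: List[str] = []
        if self.records.pop(user_id, None) is not None:
            erased.append(self.name)
        for recipient in self.transfers.pop(user_id, []):
            erased.extend(recipient.forget(user_id))
        return erased


def residual_copies(orgs: List[Org], user_id: str) -> List[str]:
    """Audit step: which organizations still hold the user's data after erasure?"""
    return sorted(o.name for o in orgs if user_id in o.records)


def demo():
    social = Org("social-network")  # the free service the user signs up to
    ad_broker = Org("ad-broker")
    analytics = Org("analytics-vendor")
    affiliate = Org("affiliate-no-logging", logs_transfers=False)
    partner = Org("partner-of-affiliate")
    orgs = [social, ad_broker, analytics, affiliate, partner]

    user = "user-42"
    social.ingest(user, {"name": "Jane Example", "dob": "1990-01-01"})  # constructed PII
    social.forward(user, ad_broker)
    social.forward(user, affiliate)
    ad_broker.forward(user, analytics)
    ad_broker.forward(user, social)    # enriched data sent back: a sharing loop
    affiliate.forward(user, partner)   # never recorded, so erasure cannot reach it

    erased = social.forget(user)
    return erased, residual_copies(orgs, user)


if __name__ == "__main__":
    erased, leftover = demo()
    print("erased at:", erased)
    print("still holding a copy:", leftover)
```

Running `demo()` erases the copy at the social network, the ad broker, the analytics vendor and the affiliate, but the partner that received the data through the unlogged transfer still holds it. Contrast this with the "your data equals your data" model: an `Org` that never calls `forward` satisfies `forget` with a single local delete and leaves no residual copies, which is the practical reason the transcript ties privacy to not sending data on.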