massyn The AWS Security guy

Privacy is not Security

While privacy and security are two concepts that closely follow each other, they are two different things. What exactly is the difference between these topics?

When we talk about security (or infosec), we generally refer to the practice of protecting information assets, data, systems or processes from unauthorised access. Practices like access control, identity management, encryption and the like are all used to ensure data can be protected.

Privacy is a bit more subtle. When we talk about privacy, we generally refer to how the data would be used.

An example of privacy misuse

Earlier this week, I received an email from a security service provider, for a service I signed up to to evaluate their service. The sales representative’s email said:

I noticed you did not use the service to its full extent, and I would like to help you reach it's full potential.

What struck me about this is - How did you know that? I went back and reviewed the provider’s security policy, and there was nothing mentioned about using my sensitive data for marketing purposes.

Now you may argue that this is silly, and I’m raising a fake alarm for something that is not really of concern. Perhaps… The issue however is that individuals within the company have access to data that is in direct contradiction to what is stated in their privacy policy.

That’s a concern.

Good security

When we store data with a 3rd party, we do expect a certain level of security. We expect the operator to implement good security practices, protect our data, and keep things secure. When the same provider however use their internal controls for their own purposes and bend the rules of what is expected from them, that’s when we enter this dangerous area.


It’s quite easy for a service provider to justify their use of your data, it doesn’t however make it right, or legal for that matter.

Ownership of data

So who owns the data? That’s a tricky one. When you’re the customer, you would typically be the owner of your data, that is, the data you provide to the system. You may load some data in there, and the system would process the data on your behalf. In this instance, the provider has no right to access your data for their own purposes.

What about banking transactions? Every time you use your credit card, an entry will be written into the banking database. Can you claim ownership of this data? No. In this case, the data does not belong to you. Here you are a user of their system, and the bank has the right to use this data how they see fit.


Where does this leave us? Quite simply, as security professionals, it is our job to ensure the data and systems are secure. It is typically the role of your Data Privacy Officer, or Legal department to define how the data is to be used. Data privacy regulations like GDPR provide very strict rules on the usage and governance of data privacy. Every country has different rules, so be sure to contact your local legal department to understand what your specific regulations require.