On 26 Feb 2013, at 09:45:38, SM wrote: > Hi Claudia, > At 13:15 25-02-2013, Claudia Diaz wrote: >> If that entity is a gov/commercial organization, then "security" is the term >> likely to be used for the properties you want to achieve, while for those >> same properties "privacy" is the usual term when the entity is a private >> individual. > > There is currently a security considerations section in every IETF RFC. The > draft recommends having a privacy considerations section too. The question > which can arise is in which section the perspective should be covered. In > other words it is about how to disambiguate between security and privacy.
It's a tough one: I am not sure you can fully disambiguate the two terms if you are considering general-purpose protocols. To me, given the way the term "privacy" is used in computer security (not in social sciences or in everyday language), the clearest disambiguation is that privacy is "security for private individuals". I do not think there are differences in the "essence" of what it means to provide security/privacy, but rather in the stakeholder (individual or organization) to whom we want to guarantee the security/privacy properties. Some examples: 1) A has confidential data and B gains unauthorized access to the data - If the data is internal to an organization (e.g., the strategy of a corporation, or military plans), then we talk about a "security breach" - If the data relates to individuals (e.g., health records), then we talk about a "privacy breach" 2) A wants to communicate with B anonymously with respect to an eavesdropper C - If A and B are organizations (e.g., two military units in foreign territory), then we talk about communications "security" - If A and B are individuals, then we talk about "privacy" 3) A wants to publish/access information and B prevents A from doing so. - If A is an organization, then we talk about "denial of service", and we relate it to "security". - If A is an individual (eg, a blogger, or someone trying to access Facebook), then we call it "censorship" and we relate it to "privacy". 4) Even if we think about deploying surveillance, the distinctions would still apply, I think. - Law enforcement being able to locate and take down child pornography is "security" - Imagine an application for private individuals that would search the web looking for publicly available pictures of themselves (so they can ask for the pictures to be removed). We would say that this is an application for "privacy". _______________________________________________ ietf-privacy mailing list [email protected] https://www.ietf.org/mailman/listinfo/ietf-privacy
