July 9, 2013
The Effectiveness of Privacy Audits
This study concludes that there is a benefit to forcing companies to undergo privacy audits: "The results show that there are empirical regularities consistent with the privacy disclosures in the audited financial statements having some effect. Companies disclosing privacy risks are less likely to incur a breach of privacy related to unintentional disclosure of privacy information; while companies suffering a breach of privacy related to credit cards are more likely to disclose privacy risks afterwards. Disclosure after a breach is negatively related to privacy breaches related to hacking, and disclosure before a breach is positively related to breaches concerning insider trading."
Posted on July 9, 2013 at 12:17 PM
Could you comment on what you see as the difference between security and privacy considerations?
Personally, I treat the two the same, except that privacy involves a unique set of risks.
The paper also uses "privacy breach" and "security breach" interchangeably.
In that light, I don't see anything surprising or unexpected in this paper: audits are a way to enumerate and evaluate risks and mitigations (for features, security, privacy, ...), so they should improve those. Otherwise, what's the point?
Privacy isn't so much a subset of security, as it has its own goals. While the most classical security goals would aim at availability, integrity, and confidentiality, the basic privacy goals go beyond by striving to achieve
- Transparency (in the meaning that the workings of the system are NOT obfuscated towards the user but rather in such a way that the user can understand what happens)
- Intervenability (the user is able to interfere with data processing when it concerns him)
- Unlinkability (only the data absolutely needed should be processed to avoid all-embracing profiling of persons)
These complement (and sometimes contrast) the security goals. Therefore, privacy is not the same, even though admittedly, there are many overlaps. :)