Privacy vs. Security vs. Anonymity
posted by Sasha Romanosky
When I first began my PhD, I was keen to properly sort and define any new terms and reconcile them with my own education and experience. Three terms that always seemed to be intermingled were: Privacy, Security and Anonymity. Certainly they are related, but I wanted to be a little more specific and understand exactly when and how they overlapped.
First, let’s establish some basic definitions. For the purpose of this blog post, the following definitions will suffice (I’ll address alternative definitions later):
• Privacy: having control over one’s personal information or actions
• Security: freedom from risk or danger
• Anonymity: being unidentifiable in one’s actions
Next, create a Venn diagram with three overlapping circles (each circle representing one term). Then, within each area, try to provide examples that reflecte those properties. That is, imagine some situation where you would have security without privacy, or security without anonymity. When can you have all three? When can you be anonymous but lack privacy?
This may not be as easy as it seems. Certainly it helps once the definitions are set, but if nothing else, I think it’s a useful way to separate and identify the essence of these words (at least, as each of us sees them) and the contexts in which they may or may not exist. Before you continue, take a minute, examine the diagram above, and try to think of examples to fit each area.
Here are some of my examples:
Privacy only: Two students whispering to each other in class.
Security only: Pope-mobile (he’s completely protected, but everyone knows him and can see him); Bullet-proof vests.
Anonymity only: Riding the bus during rush-hour (you have little security or privacy but no one knows who you are); Paying with cash.
Privacy and Security
- At home with the shades drawn (neighbors know you live there, though you are protected)
- Paying bills online through your bank (you communicate over an encrypted channel)
Privacy and Anonymity
- Camping in the woods with a tent (there may be no one around to identify you, but the tent’s walls offer little protection from a bear)
- Using Tor from a kiosk and not revealing any personal information
Readers will notice two things. First, I mix physical and digital (online) examples. Indeed, security, privacy and anonymity obviously apply to both physical and online domains. Next, I deliberately left a few areas blank. I welcome examples to fill the voids, or additional/better examples than I have given.
I’ve been involved with a privacy class here at CMU for a number of years and I find that getting students to think through this process is very helpful – especially those who are new to privacy and data security. Rather than having them recite the different kinds of privacy intrusions or definitions back to me, this exercise helps them internalize each term.
Here’s the next challenge: likely your definitions of privacy, security and anonymity are different than mine. If you substitute in your own definitions, would the diagram or examples change?
Let me know if they do.
January 4, 2011 at 2:47 pm
Posted in: Privacy, Teaching
Print This Post
Responses (8)
Ken Rhodes - January 4, 2011 at 3:21 pm
Security + anonymity: Attending a St. Louis Cardinals baseball game. Assuming you’re not from St. Louis, you are very secure and totally unknown to everyone around you.
Security + anonymity + privacy: A Pittsburgh Pirates game.
Seriously, though, the first example is quite illuminating, I think. We can achieve security + anonymity by going in a very large crowd of strangers.
Sasha Romanosky - January 4, 2011 at 5:21 pm
Heh, thanks Ken.
Sure, that’s a great example: anonymity from the crowd. That’s the basis for a number of privacy enhancing technologies. (And even some computer games like Assassin’s Creed.)
Dean Procter - January 4, 2011 at 9:23 pm
The puzzle is solved and the diagram isn’t applicable.
I am not centralised.
I don’t know who you are.
I know you are someone.
I can prove who you are without knowing.
We share a secret no-one else knows.
We have never spoken.
You trust me.
I know someone who knows who you are.
They trust me.
They’ll never tell me.
You have privacy and are safe, anonymous, authenticated.
Adam - January 4, 2011 at 9:42 pm
I like the post. I think you should add Obi-Wan’s comment: “Your sister remained safely anonymous.”
chr1s shea7s - January 4, 2011 at 10:47 pm
I do not believe that your definition of anonymity and example of such match. Stealing a laptop, changing your MAC address, using an open wireless network in a residential area that is nowhere near where you live and work, using TOR, and sending an email using a one-time-use email service to send a message to someone -could- be anonymous, if the patterns of speech in your email can’t be matched to previous writing. Oh, and ditching the stolen laptop. Riding a bus is very much an action, and either the passengers on the bus or the camera on the bus will see your physical profile and could later match that information back to you if they so needed.
I suppose you could wear a ski mask and wear gloves when handling your money that’s given to the bus driver. But you still provide information of your general profile to people that see you.
I think your privacy and security examples are good.
Using an SSH VPN to surf the Web, paid for by a stolen credit card through a VPN hosting provider that does not retain connectivity information, could prove to be secure, private and anonymous. 100% security is never possible when juxtaposed to theoretical scenarios. Even the pope in an armored car is not safe from a semi-trailer truck traveling at 100 mph and colliding with the pope.
Camping in the woods is an action that requires your physical self to work, aka your identity. So I am not sure how camping is partly anonymous. Whatever is anonymous, even in part, requires complete privacy. In other words, anonymity is a super-position of privacy. The other matter is what kinds of information you reveal by not being present. If you go somewhere (like camping) and your friends know that you are not at home when they try to visit you, that information is revealing.
One rather large problem is that privacy and anonymity are one and the same in many instances. You cannot remain anonymous without privacy, unless you are anonymous to some and private to others. In that case, where you abandon relatively-absolute scenarios, you would increase the complexity of this analysis immensely.
Ken Rhodes - January 5, 2011 at 9:11 am
{{Using an SSH VPN to surf the Web, paid for by a stolen credit card through a VPN hosting provider that does not retain connectivity information, could prove to be secure, private and anonymous.}}
I think you exaggerate. I can go into Best Buy and purchase a brand new laptop for a few hundred bucks cash. The transaction is trivial, and does not require any identification.
The computer comes bundled with Windows, which includes Internet Explorer, and also a 30-day trial version of MS Office. So I can walk into a Starbucks, plunk down a couple of bucks for a coffee, and sit there surfing the web in total anonymity, as well as pretty good security and privacy. Not to mention, create documents, spreadsheets, etc., which I can broadcast out to the Web in total anonymity.
clarinette - January 5, 2011 at 12:29 pm
I do like these diagrams. If I could make them 3D, I would add a ‘magnifying glass’ to the first one that would enable the ‘de-anonymisation’ function- I’m thinking of tools such as facial recognition software or geo-location tracking surreptitiously revealing information. Then, stick in the depth of the intersection of the 3 elements to add the ‘control’ function.
Sasha - January 6, 2011 at 4:28 pm
Clearly this exercise will be fraught with exceptions and nuances, so I caution anyone from taking the examples too literally.
That being said, if one wanted to be more specific, what you might consider is this: replace the 2D venn diagram with 3 perpendicular axes (x, y, z) where each axis represents privacy, security or anonymity. The scale on each axes could be labeled ordinally from 0-10 or just low, medium, high. (Doing this along a cardinal scale doesn’t seem practical. The purpose is to illustrate that one example provides either ‘more’ or ‘less’ privacy relative to another example, and not to say that it provides twice or three times as much.). You could then do two things:
For each example or situation described, plot it in this 3D space. The more examples the more points plotted. Soon you might discover a “cloud” of points. What would this shape look like? Does a pattern emerge? If one is plotting examples from their daily activities (i.e. their digital trail) would the ‘cloud’ look materially different between people? If so, how?
Another use could be this: take a few of the points plotted and introduce some change, either caused by the individual (e.g. a privacy enhancing technology) or the environment (e.g. surveillance). For example, some one starts paying with credit at a retail store but then switches to cash. Certainly this would have an effect on privacy and anonymity (security, too?) and so how would those initial points in 3D space change? i.e. which direction would they move? Applying such changes to a collection of related examples would produce a series of directional arrows, similar to a wind map. There could be many kinds of interesting patterns revealed. For example, does the same change (converting from cash to credit) cause the same directional change in every case, for every person, at all times (i.e. are there dominant behaviors?) Would it be possible to measure the magnitude of these changes?
I should state again that the exercise may be dependent on one’s definitions of privacy, security or anonymity. And so, the first task, as I mentioned, is to settle on an appropriate definition to suit your purpose.
If anyone decides to explore this, I’d love to see the results.
sasha
Leave a Reply