This document only concerns the privacy of individuals (as is made fairly clear in sections 1 and 2, although perhaps it is not explicit enough). Does that help?
Alissa

On Feb 26, 2013, at 3:11 PM, Claudia Diaz <[email protected]> wrote:

> On 26 Feb 2013, at 09:45:38, SM wrote:
>
>> Hi Claudia,
>>
>> At 13:15 25-02-2013, Claudia Diaz wrote:
>>
>>> If that entity is a gov/commercial organization, then "security" is the term likely to be used for the properties you want to achieve, while for those same properties "privacy" is the usual term when the entity is a private individual.
>>
>> There is currently a security considerations section in every IETF RFC. The draft recommends having a privacy considerations section too. The question which can arise is in which section the perspective should be covered. In other words it is about how to disambiguate between security and privacy.
>
> It's a tough one: I am not sure you can fully disambiguate the two terms if you are considering general-purpose protocols.
>
> To me, given the way the term "privacy" is used in computer security (not in social sciences or in everyday language), the clearest disambiguation is that privacy is "security for private individuals". I do not think there are differences in the "essence" of what it means to provide security/privacy, but rather in the stakeholder (individual or organization) to whom we want to guarantee the security/privacy properties.
>
> Some examples:
>
> 1) A has confidential data and B gains unauthorized access to the data.
>
> - If the data is internal to an organization (e.g., the strategy of a corporation, or military plans), then we talk about a "security breach".
> - If the data relates to individuals (e.g., health records), then we talk about a "privacy breach".
>
> 2) A wants to communicate with B anonymously with respect to an eavesdropper C.
>
> - If A and B are organizations (e.g., two military units in foreign territory), then we talk about communications "security".
> - If A and B are individuals, then we talk about "privacy".
>
> 3) A wants to publish/access information and B prevents A from doing so.
>
> - If A is an organization, then we talk about "denial of service", and we relate it to "security".
> - If A is an individual (e.g., a blogger, or someone trying to access Facebook), then we call it "censorship" and we relate it to "privacy".
>
> 4) Even if we think about deploying surveillance, the distinctions would still apply, I think.
>
> - Law enforcement being able to locate and take down child pornography is "security".
> - Imagine an application for private individuals that would search the web looking for publicly available pictures of themselves (so they can ask for the pictures to be removed). We would say that this is an application for "privacy".

_______________________________________________
ietf-privacy mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ietf-privacy
