Our mission at Cape Privacy is to protect privacy-by-default. As a company headquartered in New York and Halifax, Cape Privacy is based in two countries whose residents place a high importance on privacy.
The Pew Research Center in the United States found, “Some 81% of the public say that the potential risks they face because of data collection by companies outweigh the benefits, and 66% say the same about government data collection. At the same time, a majority of Americans report being concerned about the way their data is being used by companies (79%) or the government (64%).”
According to the Office of the Privacy Commissioner of Canada, “Approximately nine in 10 Canadians (89%) are at least somewhat concerned about people using information available about them online to attempt to steal their identity, including almost half (48%) who said they are extremely concerned about identity theft. The proportion of Canadians concerned about identity theft has not changed since 2018. The vast majority of Canadians also are at least somewhat concerned about social media platforms gathering personal information that they (88%) or someone else (89%) posted online to create a detailed profile of their interests and personal traits. In addition, 88% of Canadians are at least somewhat concerned about how companies and organizations might use information available about them online to make decisions about them, such as for a job, an insurance claim or health coverage.”
However, at an individual level, people have different understandings of privacy. This blog breaks down some definitions of privacy and how privacy relates to data security.
Privacy as a Human Right
According to Privacy International, a UK-based charity that advocates for the right to privacy, “Privacy is a fundamental right, essential to autonomy and the protection of human dignity, serving as the foundation upon which many other human rights are built.” Privacy International expands on this by explaining that, “Privacy enables us to create barriers and manage boundaries to protect ourselves from unwarranted interference in our lives, which allows us to negotiate who we are and how we want to interact with the world around us. Privacy helps us establish boundaries to limit who has access to our bodies, places and things, as well as our communications and our information.”
Furthermore, the United Nations Universal Declaration of Human Rights of 1948 states in Article 12: “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.”
At this high level, privacy is a bedrock for democracy. Privacy allows people to selectively express themselves. Tied to this are notions of bodily autonomy and integrity, and the ability to act freely without worrying about surveillance.
Aside from these heady principles, the IAPP also defines information privacy with regard to how much data is collected in our present day: “Information privacy is the right to have some control over how your personal information is collected and used.
As the technology gets more sophisticated (indeed, invasive), so do the uses of data. And that leaves organizations facing an incredibly complex risk matrix for ensuring that personal information is protected.”
Data breaches and the lack of control over what happens to our data have become an endless drumbeat in our lives. In the literal few days I was drafting this post, the following data breaches were in the headlines:
According to IBM, the average data breach will cost $9.44M in the United States with a global average of $4.35M.
A tangible example of what can happen to an individual when data is not managed properly: a Roomba recorded a woman on the toilet, and the screenshots ended up on Facebook.
Image above from MIT Magazine
This is an example that, “represents something bigger than any one individual company’s actions. They speak to the widespread, and growing, practice of sharing potentially sensitive data to train algorithms, as well as the surprising, globe-spanning journey that a single image can take—in this case, from homes in North America, Europe, and Asia to the servers of Massachusetts-based iRobot, from there to San Francisco–based Scale AI, and finally to Scale’s contracted data workers around the world (including, in this instance, Venezuelan gig workers who posted the images to private groups on Facebook, Discord, and elsewhere).”
In this case, iRobot didn’t explicitly have a data breach, but the data was shared without proper controls. The level of information scale had an inherent risk. This risk is shared across many products.
At this point, the IAPP articulates it best: “Organizations that don’t ‘do privacy’ right are at risk—of government enforcement, class action lawsuits, financial ruin, damaged reputation and loss of customer loyalty. Privacy is now a necessity of doing business.”
So what does it mean to keep data private? At the lowest level, there is a mathematical definition of privacy, known as differential privacy, under which individual-level information stays protected even when the data is modified. Concretely, it means that the information in a dataset should not be open to manipulation that reveals information about an individual person. A classic example is one of Netflix’s original famous contests.
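An added illustration of the differential-privacy idea above, not code from the original post or from Cape Privacy: over a constructed five-person dataset, two exact counts that differ by one person reveal that person's value, while a count released through the Laplace mechanism keeps the likelihood ratio between the two datasets within e^epsilon. The Laplace mechanism is a standard technique the post does not name and is chosen here as an assumption; all names and records are made up.

```python
import math
import random

# Constructed sample data: (person, has_sensitive_attribute). Not from the post.
RECORDS = [("alice", 1), ("bob", 0), ("carol", 1), ("dave", 0), ("erin", 1)]

def true_count(records):
    """Exact counting query: how many people have the sensitive attribute."""
    return sum(flag for _, flag in records)

def differencing_leak(records, target):
    """Two exact counts over neighbouring datasets expose the target's value."""
    without = [r for r in records if r[0] != target]
    return true_count(records) - true_count(without)

def laplace_noise(scale, rng):
    """Sample Laplace(0, scale) as the difference of two exponentials."""
    return rng.expovariate(1 / scale) - rng.expovariate(1 / scale)

def private_count(records, epsilon, rng):
    """Laplace mechanism: a count has sensitivity 1, so the scale is 1/epsilon."""
    return true_count(records) + laplace_noise(1.0 / epsilon, rng)

def laplace_pdf(x, mean, scale):
    """Density of Laplace(mean, scale) at x."""
    return math.exp(-abs(x - mean) / scale) / (2 * scale)

def worst_case_ratio(records, target, epsilon, outputs):
    """Largest likelihood ratio, over the given outputs, between the dataset
    with the target and the dataset without. Bounded by exp(epsilon)."""
    without = [r for r in records if r[0] != target]
    a, b, s = true_count(records), true_count(without), 1.0 / epsilon
    ratios = [laplace_pdf(o, a, s) / laplace_pdf(o, b, s) for o in outputs]
    return max(max(r, 1 / r) for r in ratios)

if __name__ == "__main__":
    rng = random.Random(7)  # fixed seed so the demo is repeatable
    print("exact differencing reveals:", differencing_leak(RECORDS, "alice"))
    print("noisy count (epsilon=0.5):", round(private_count(RECORDS, 0.5, rng), 2))
    grid = [x / 4 for x in range(-40, 60)]
    print("worst-case ratio:", worst_case_ratio(RECORDS, "alice", 0.5, grid))
    print("bound exp(epsilon):", math.exp(0.5))
```

A smaller epsilon tightens the bound on what any single output can reveal about one person, at the cost of a noisier count.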
Privacy is also, primarily, about personal control. While the above examples are concerned with revealing individual information in a way that can be compromising or have financial consequences, there’s also a matter of fairness. Privacy has become a feature for consumer trust: “The previous practice of consumer data being captured by one company and then sold to another without consent led to mistrust. In fact, privacy has become a competitive differentiator now.”
Data Privacy laws tend to concern themselves with individuals having control over how their personal data is used. Laws such as GDPR, CCPA, etc. have this notion as their underlying principle. While Data Privacy is about control over data, Data Security is about protecting data.
Data Security is a subcategory of cybersecurity. Cybersecurity concerns itself with protecting systems from external threats. Data Security is about protecting information from unauthorized access, tampering, threats, and corruption. This relates closely to Infosec. Data Security is one pillar that helps protect Data Privacy.
Given all of the above, why aren’t people more up in arms about privacy and companies more mindful of protecting data? One explanation is the privacy paradox.
“First coined in 2001, the privacy paradox is a dichotomy in how a person intends to protect their online privacy versus how they actually behave online — and how they don’t protect their information online. This is usually because of an unwillingness to break convenient habits or behaviors.” In other words, while people claim to care about privacy, their behaviors don’t quite match.
There’s a counterpoint to this: people don’t fully understand how their data is being used or how to evaluate the tradeoff between convenience and privacy. In the example above, it’s possible the individual may have behaved differently if she knew the Roomba could potentially leak pictures of her in the bathroom.
Additionally, both companies and individuals often find themselves overwhelmed. For companies, it can be about figuring out how to implement a myriad of cybersecurity solutions to protect against both external and internal threats.
For individuals, so much of the typical user experience with apps, software, and individual websites is filled with T&Cs and optimized Consent Forms that are difficult to understand and arguably not fully voluntary. Even when users do opt out, digital traces can be used in ways that violate privacy.
At Cape, we believe that encrypting everywhere and only using data in secure environments can solve part of the security puzzle and keep data private as a result.
We became a Confidential Computing company in 2022, after previously focusing solely on cryptography-based privacy-preserving machine learning, because we believe that encrypting data and only processing it in secure containers is the most viable technology path to empower privacy at scale due to performance, availability, and investment. Cape Privacy focuses on increasing data security by enabling easy encryption of data at the source and providing a secure processing environment in which to use the data. Confidential Computing uses hardware-based security modules that severely limit access. With increasing migration to the cloud, this is an important additional barrier against breaches in data security, and thus helps protect privacy.