BreachExpress

Cybersecurity, explained for the rest of us.

VPN & Privacy

Privacy vs Security: Not the Same Thing

Margot 'Magic' Thorne@magicthorneMay 9, 202611 min read
Split illustration showing a locked door (security) and closed curtains (privacy)

Privacy and security are not the same thing. You hear them paired constantly, treated as synonyms, bundled into the same marketing promises. But they protect different things, fail in different ways, and require different solutions. Confusing them weakens both.

Here's the distinction that matters: security is about protection from unauthorized access. Privacy is about control over who gets authorized access in the first place. A system can have perfect security and zero privacy. A system can promise privacy but deliver weak security that makes the promise meaningless.

This article compares privacy and security on the dimensions that actually matter. Not philosophical definitions. Not marketing claims. The mechanisms, the threats each one addresses, where they overlap, where they diverge, and what you lose when you treat them as interchangeable.

What Security Actually Protects

Security is the set of controls that prevent unauthorized access to data, systems, or accounts. The core question security answers is: can an attacker who shouldn't have access get in anyway?

The mechanisms are technical. Encryption protects data in transit and at rest. Authentication verifies identity before granting access. Access controls limit what authenticated users can do. Firewalls, intrusion detection, vulnerability patching, all of it serves the same goal: keep out the people who aren't supposed to be there.

When security fails, the failure is usually concrete. An attacker cracks a password, exploits a software vulnerability, intercepts unencrypted traffic, or tricks someone into handing over credentials. The breach is measurable. You can count the accounts compromised, the records stolen, the systems accessed.

Security doesn't care who the authorized parties are. It doesn't ask whether the organization holding your data should have it, or what they do with it once they have it. Security's job is to make sure that if you've granted access to Party A, Party B can't get in. Whether Party A deserves that access is outside security's scope.

This is why a company can tout strong security while engaging in extensive data collection. The FTC's privacy and security enforcement actions frequently involve companies with robust technical security but problematic data practices. Security kept the data safe from attackers. It didn't stop the company from using that data in ways users didn't expect or want.

What Privacy Actually Protects

Privacy is control over who has access to your information and what they can do with it. The core question privacy answers is: even among the parties I've granted access to, are there limits on what they can see, infer, share, or retain?

The mechanisms are a mix of technical controls and policy commitments. End-to-end encryption can enforce privacy by ensuring the service provider can't read your messages, even though you're using their infrastructure. Data minimization limits collection to what's necessary. Anonymization strips identifying details. Deletion policies set retention limits. But privacy also depends on legal frameworks, user agreements, and organizational restraint, which makes it harder to verify and easier to erode.

When privacy fails, the failure is often invisible. You don't get a breach notification when a company shares your data with third parties under terms you didn't read. You don't get an alert when an algorithm infers your health status from your search history. You don't get a warning when your location data gets sold to a data broker. The harm is diffuse, long-term, and hard to measure.

Privacy asks whether the people who can access your data should have it, and what constraints apply once they do. Security assumes that question has already been answered. Privacy is the answer.

Where They Overlap

Privacy and security aren't opposites. They overlap in meaningful ways, and some controls serve both goals.

Encryption is the clearest example. When you use HTTPS to connect to a website, encryption protects the data in transit from interception. That's a security control. It stops attackers from reading your traffic. But encryption also has privacy implications. If the website you're visiting uses end-to-end encryption and doesn't log your activity, the encryption also limits what the site operator can see. Security and privacy, both served by the same technical mechanism.

Strong authentication supports both. Two-factor authentication makes it harder for an attacker to access your account, which is a security win. It also reduces the risk that someone impersonating you can access data you intended to keep private, which is a privacy win. The control protects against unauthorized access and helps ensure that only you control what gets shared.

Access controls can serve both. If a company limits which employees can view customer data, that's a security measure that also supports privacy. Fewer people with access means fewer opportunities for misuse, whether that misuse is malicious or careless.

But the overlap doesn't make them the same. Encryption protects data in transit, but if the recipient logs everything you send, you have security without privacy. Two-factor authentication keeps attackers out, but if the service you're logging into tracks your every action, you have security without privacy. Access controls limit internal access, but if the company's business model is selling your data to third parties, you have security without privacy.

The overlap is real. The distinction still matters.

Where They Diverge

The divergence shows up most clearly in business models. A company can implement strong security to protect your data from attackers while simultaneously building its revenue model around accessing, analyzing, and monetizing that same data. The security is genuine. The privacy is not.

Consider a webmail provider that encrypts your messages in transit and at rest, uses strong authentication, and has never had a breach. That's solid security. But if the provider scans your email to serve targeted ads, sells anonymized metadata to data brokers, or shares your activity with third-party partners under vague terms of service, the privacy picture is different. The data is secure from unauthorized access. It's not private from the company you've authorized.

The FTC's business guidance on privacy and security draws this distinction explicitly. Security measures are necessary but not sufficient for privacy. A company that collects more data than it needs, retains it longer than necessary, or shares it more broadly than users expect has a privacy problem, even if its security is airtight.

Privacy can also fail independently of security. A company might have weak security and strong privacy commitments, or strong security and weak privacy practices. The two dimensions don't move in lockstep.

Data minimization is a privacy principle with no direct security analog. Collecting only the data you need reduces privacy risk by limiting exposure. It also reduces security risk, because there's less data to protect, but the motivation is different. Security asks, "How do we protect this data?" Privacy asks, "Do we need this data at all?"

Anonymization is another privacy tool that doesn't map neatly onto security. Stripping identifying information from a dataset limits what can be inferred about individuals, which is a privacy goal. It doesn't make the data more secure from unauthorized access. It makes authorized access less invasive.

Transparency and user control are privacy mechanisms that have no security equivalent. Telling users what data you collect, why you collect it, and giving them the ability to delete it or opt out doesn't make the data more secure. It gives users more control over their privacy, which is a separate concern.

The Marketing Problem

Companies conflate privacy and security in their marketing because it's easier to deliver security than privacy, and because privacy sells better than it delivers.

You'll see phrases like "secure and private" used to describe services that encrypt your data but log everything you do. You'll see "military-grade encryption" touted as a privacy feature when encryption alone doesn't limit what the service provider can see. You'll see "zero-knowledge architecture" claims from companies that still collect metadata, track usage patterns, and share data with partners.

The conflation isn't always malicious. Sometimes it's sloppy thinking. Sometimes it's genuine confusion about where the line falls. But the effect is the same: users believe they have privacy protections they don't actually have, because the security measures are real and the privacy promises are vague.

The Electronic Frontier Foundation's privacy resources emphasize this gap repeatedly. A company can be entirely truthful about its security practices while being misleading about its privacy practices, simply by letting users assume that "secure" means "private."

The way to cut through the marketing is to ask specific questions. Does the company have access to my data in plaintext, or is it encrypted in a way that prevents the company from reading it? What data does the company collect beyond what I explicitly provide? Who does the company share my data with, and under what terms? How long does the company retain my data, and can I delete it?

Security questions are different. Can attackers intercept my data in transit? Can attackers access my data at rest? What happens if my password is compromised? What happens if the company's servers are breached?

Both sets of questions matter. They're not the same questions.

The Threat Model Difference

Privacy and security address different threat models. Understanding the difference clarifies when each one matters and what each one protects against.

Security protects against external attackers. The threat is someone who shouldn't have access trying to get in. The attacker might be a lone hacker, an organized criminal group, a nation-state actor, or an opportunistic script kiddie. The goal is to keep them out, detect them if they get in, and limit the damage if they succeed.

Privacy protects against the organizations you've granted access to. The threat is not unauthorized access. The threat is authorized access used in ways you didn't anticipate, didn't consent to, or wouldn't accept if you understood the full scope. The organization might be a tech company, an employer, a government agency, a data broker, or any entity that collects, stores, or processes your information.

These are not hypothetical distinctions. A 2023 FTC privacy and data security report detailed enforcement actions against companies for both security failures and privacy violations. The security cases involved breaches, inadequate safeguards, and failure to patch known vulnerabilities. The privacy cases involved deceptive data practices, unauthorized sharing, and failure to honor user deletion requests. Different harms, different mechanisms, different legal frameworks.

Your threat model determines which protections you need. If you're worried about an attacker stealing your data, you need strong security. If you're worried about a company selling your data, you need strong privacy. If you're worried about both, you need both, and one doesn't substitute for the other.

Technical Controls Compared

Some technical controls serve security. Some serve privacy. Some serve both, but in different ways. Here's how the major categories compare.

Encryption protects confidentiality, which is a security goal. It also limits who can read your data, which is a privacy goal. But the privacy benefit depends on who holds the decryption keys. If you hold the keys, encryption enforces privacy. If the service provider holds the keys, encryption provides security but not privacy from the provider.

End-to-end encryption is the privacy-preserving variant. The service provider can't decrypt your messages because they don't have the keys. This limits their ability to read, analyze, or share your data. It's a stronger privacy guarantee than transport encryption, which only protects data in transit.

Authentication controls who can access a system. That's a security function. But authentication also determines who can access your data, which has privacy implications. If authentication is weak, unauthorized parties can access data you intended to keep private. If authentication is strong but the authorized party is a company with broad data-sharing practices, authentication protects security but not privacy.

Access controls limit what authenticated users can do. Role-based access control, least-privilege principles, and separation of duties all reduce the risk that insiders misuse data. These are security controls that also support privacy by limiting exposure. But they don't prevent the organization from using data within its authorized scope, even if that scope is broader than users expect.

Anonymization and pseudonymization are privacy controls. Anonymization strips identifying information. Pseudonymization replaces identifiers with pseudonyms. Both reduce the risk that data can be linked back to individuals. Neither makes the data more secure from unauthorized access. They make authorized access less invasive.

Data minimization is a privacy principle. Collect only what you need, retain it only as long as necessary, and delete it when you're done. This reduces privacy risk by limiting exposure. It also reduces security risk, because there's less data to protect, but the primary motivation is privacy.

Audit logs and transparency reports serve accountability, which supports both privacy and security. Logs help detect unauthorized access, which is a security function. Transparency reports show users what data is collected and how it's used, which is a privacy function. But logs and reports are only useful if someone reviews them and acts on what they find.

Legal and Policy Frameworks

Privacy and security are governed by different legal frameworks, which reflects their different goals.

Security regulations focus on safeguards. You must implement reasonable security measures to protect data from unauthorized access. You must notify affected parties if a breach occurs. You must patch known vulnerabilities within a reasonable timeframe. The FTC's data security enforcement holds companies accountable for failing to implement basic protections.

Privacy regulations focus on data practices. You must obtain consent before collecting personal information. You must disclose what data you collect and how you use it. You must honor user requests to access, correct, or delete their data. You must limit data sharing to what users have consented to. The European Data Protection Board's guidelines detail these obligations under GDPR, which is the most comprehensive privacy framework currently in force.

The two frameworks overlap in some areas. Both require organizations to protect data. Both impose penalties for violations. Both give users some rights over their information. But the emphasis is different. Security law asks, "Did you protect the data adequately?" Privacy law asks, "Should you have collected this data in the first place, and what did you do with it once you had it?"

Some jurisdictions treat privacy and security as separate concerns with separate regulations. Others bundle them together. The California Consumer Privacy Act, for instance, includes both privacy rights and security requirements. But even when they're bundled, the provisions are distinct. The privacy sections give users rights to know, delete, and opt out. The security sections require reasonable safeguards and breach notification.

The legal distinction matters because compliance with security regulations doesn't guarantee compliance with privacy regulations, and vice versa. A company can meet every security requirement and still violate privacy law by collecting data without consent, sharing data beyond what users agreed to, or retaining data longer than necessary.

Practical Implications for Users

Understanding the privacy-security distinction changes how you evaluate services, configure settings, and respond to threats.

When you're choosing a service, ask both privacy questions and security questions. Does the service encrypt your data in transit and at rest? That's security. Does the service have access to your data in plaintext, or is it end-to-end encrypted? That's privacy. Has the service ever had a breach? That's security history. What does the service do with your data once it has it? That's privacy practice.

When you're configuring settings, separate the two concerns. Enable two-factor authentication, use a strong password, and review connected devices. Those are security settings. Review what data the service collects, disable optional tracking, and limit third-party sharing. Those are privacy settings. Both matter. They're not the same settings.

When you're responding to a breach, the privacy and security implications differ. If an attacker stole your data, you need to secure your account and monitor for misuse. That's a security response. If a company you trusted shared your data without consent, you need to review your privacy settings, consider whether to continue using the service, and potentially file a complaint. That's a privacy response.

The tools you use for privacy and security overlap but aren't identical. A password manager improves security by generating strong, unique passwords. A VPN can improve privacy by hiding your traffic from your internet provider, but it doesn't improve security unless you're on an untrusted network. An ad blocker improves privacy by reducing tracking. It doesn't improve security unless it also blocks malicious ads.

Some threats require both privacy and security defenses. Phishing attacks exploit weak security, but they also exploit trust in organizations that have access to your data. If an attacker can impersonate your bank because they know details about your account, that's a security failure enabled by a privacy failure. The bank had access to your data, which is authorized. The attacker shouldn't have been able to use that data to fool you, which is a security problem. But if the bank had collected less data in the first place, the attacker would have had less to work with, which is a privacy principle.

The Cultural Reference That Fits

In You've Got Mail, Kathleen Kelly runs a small independent bookstore. She knows her customers, remembers their preferences, and recommends books based on conversations. That's a privacy model built on trust and limited data. She doesn't track every purchase, doesn't sell customer lists, doesn't build profiles. The relationship is personal, and the data stays minimal.

Then Fox Books opens across the street. Fox Books has security: inventory systems, point-of-sale encryption, corporate firewalls. But Fox Books also has scale, which means data. Every purchase gets logged, analyzed, and fed into recommendation algorithms. Customer data flows to corporate headquarters, gets aggregated with data from other stores, and drives decisions Kathleen's customers never see.

Fox Books isn't insecure. The data is protected from unauthorized access. But the privacy model is different. More data collected, more data retained, more data shared internally, more opportunities for use beyond the immediate transaction. The security keeps attackers out. It doesn't limit what Fox Books does with the data once it has it.

That's the distinction. Kathleen's bookstore has limited data and limited security infrastructure. Fox Books has robust security and extensive data practices. Neither model is inherently wrong, but they protect different things. Security keeps the data safe from outsiders. Privacy limits what insiders do with it.

The same dynamic plays out with every service you use. A small provider might have weaker security but stronger privacy, simply because they collect less data and have fewer resources to analyze it. A large provider might have excellent security but weaker privacy, because their business model depends on data collection and analysis. You're choosing between threat models, not just between good and bad.

Why the Distinction Matters

Conflating privacy and security lets companies claim privacy benefits from security measures that don't actually limit their access to your data. It lets regulators treat privacy violations as security failures, which misses the point. It lets users believe they're protected when they're only protected from some threats, not others.

The distinction matters because the threats are different, the solutions are different, and the trade-offs are different. Security protects you from attackers. Privacy protects you from the organizations you trust. Both are necessary. Neither is sufficient.

When a company says "we take your privacy and security seriously," ask which one they're actually delivering. When a product claims to be "secure and private," ask what each word means in practice. When a breach happens, ask whether it was a security failure, a privacy failure, or both.

Privacy and security are not the same thing. Treating them as synonyms weakens both. Understanding the difference strengthens your ability to evaluate services, configure protections, and decide who to trust with your data.

You need both. You can't assume one gives you the other. And you can't protect what you don't understand.

Venn diagram showing privacy and security overlap but remain distinct concepts
→ Filed under
privacysecurityencryptiondata protectiononline privacycybersecurity basics
ShareXLinkedInFacebook

Frequently asked questions

Security protects data from unauthorized access. Privacy controls who gets authorized access in the first place. You can have strong security with zero privacy, or strong privacy claims with weak security.
Not really. If your data isn't secured, anyone can access it, which destroys privacy. But you can absolutely have security without privacy—a company might lock down your data perfectly while still reading everything you do.
Encryption secures data in transit and at rest, but it doesn't control who can decrypt it. If a company encrypts your messages but holds the decryption keys, you have security but limited privacy.
Because 'secure and private' sounds better than 'secure but we read everything.' Conflating the terms lets companies claim privacy benefits from security measures that don't actually limit their own access to your data.
Both matter, but for different threats. Security protects you from attackers. Privacy protects you from the organizations you're trusting with your data. You need both, and neither substitutes for the other.

You might also like

Traveler working on laptop in airport terminal with public WiFi network list visible on screen
VPN & Privacy

Airport WiFi Safety in 2026: Reality Check on What Actually Matters

Airport WiFi isn't the universal threat security advice suggests. Here's what actually matters when you connect in 2026, what's changed, and what hasn't.

11 min · Margot 'Magic' Thorne · May 14

Laptop open on a coffee shop table with a privacy screen, hands typing, coffee cup beside it
VPN & Privacy

Working from Coffee Shops Securely: A Step-by-Step Guide

Public spaces create specific security risks for remote workers. Here's what to configure, what to skip, and why each step matters when working from coffee shops.

12 min · Margot 'Magic' Thorne · May 13

Abstract visualization of data flowing between browser window and multiple server nodes
VPN & Privacy

How Online Tracking Actually Works: The Mechanism Behind the Surveillance

Websites track you through cookies, fingerprints, and pixels. Here's the technical mechanism, what gets collected, and how tracking follows you across the web.

12 min · Margot 'Magic' Thorne · May 12