8 Aggregated Case Studies

DOI: 10.1201/9781003380962-8

Case Study: Privacy

Background

Privacy can (apparently) be easily defined as the protection of personally identifiable information (PII) – that’s the general idea behind EU legislation (GDPR, [1]) and in standards such as ISO 27001 [2]. Strictly speaking I can’t see a formal definition of privacy in either, although it can be inferred from the definition of “privacy breach” (e.g. [3, p7]). The implication is that privacy is a pretty straightforward concept, and that it’s a simple matter to enact legislation to protect it.

This apparently clear-cut view breaks down when security practitioners try to distinguish privacy from security. Privacy is supposedly something different to security, ...
