How are privacy and security different?

Online security includes all the measures used to protect data from unauthorized access, which involves hackers or anyone beyond those you have chosen to share with. In systems protected by end-to-end encryption, this protection extends to the company that stores the data and to third parties that might otherwise gain access, such as advertisers, data brokers, or surveillance systems.

Security threats include hackers, malware(new window) (including spyware and ransomware), phishing attacks that trick people into revealing information, identity theft, and account takeovers.

Online security raises questions like:

• Who is authorized to access my data?
• How is access verified and enforced?
• What protections are in place to prevent unauthorized access?
• How is my data protected while stored and while being transmitted?
• What happens to my data if a system is compromised?
• How quickly can threats be detected and mitigated?

Security supports privacy by preventing data from being stolen, leaked, or tampered with. Without security, privacy promises cannot be enforced, as anyone could access your data regardless of policies or consent.

However, security alone does not guarantee privacy. A service can use strong encryption and secure servers while still collecting large amounts of personal data to process or share it in ways you may not be aware of, such as for advertising or analytics.

For example, the Meta and Google ecosystems rely on your data as part of their business models, despite using strong security protections to protect that data from unauthorized access.

When you create an email account, you trust a service with sensitive information, such as messages, attachments, contacts, and often years of private communication. What happens next depends on both privacy and security:

Your emails are protected with end-to-end encryption, meaning only you and your intended recipients can read the message contents. Because the provider cannot access your messages, they cannot be scanned for profiling, selling, or targeted ads. Strong security measures like two-factor authentication (2FA) further protect your account from unauthorized access.

For example, Proton Mail uses end-to-end encryption by default when emailing other Proton users, and provides password protection when communicating with external recipients.

The email provider promises not to scan or sell your data, but poor authentication and outdated encryption leave your account vulnerable. Even though the company intends to respect your privacy, attackers may still gain access to your emails.

For example, Yahoo was breached between 2013 and 2014(new window), where attackers gained access to billions of user accounts due to weak and outdated security practices.

Your inbox is well protected against hacking due to strong encryption, but the email provider scans email contents to personalize ads, train algorithms, or build behavioral profiles. No breach occurs, yet your personal communications are still being analyzed and processed in ways you did not intend.

For example, Gmail historically scanned email content for ad targeting until 2017(new window). Today, with AI features like Gemini integrated into Gmail, questions have re-emerged about how email data is handled when you interact with AI features, and how those interactions relate to Google’s wider data ecosystem.

Staying safe online means taking small, consistent actions that reduce privacy and security risks. Here’s what you can do:

• Review app permissions regularly and remove access that isn’t necessary (such as location or contacts).
• Be mindful of what you share online, especially on social media like Instagram or Snapchat, where information can spread beyond your intended audience.
• Choose services with clear, user-friendly privacy policies that explain how data is collected and used.
• Limit data collection where possible, such as disabling ad personalization or unnecessary tracking features.
• Use strong, unique passwords for each account, ideally with a password manager.
• Enable 2FA to add an extra layer of protection.
• Treat unexpected emails, messages, or links with caution, even if they appear legitimate.
• Use a VPN(new window) to protect your activity on public or untrusted WiFi networks, reduce tracking based on your IP address(new window) and location, and prevent internet providers from monitoring your online activity.
• When sharing files using cloud storage, limit access to specific people, grant the minimum permissions needed, and set expiration dates.
• If you need an AI assistant(new window), choose a private one that doesn't log your data or train on your conversations, especially when handling sensitive information.
• Use end-to-end encrypted services, so only you and the intended recipient can access the data — not hackers, advertisers, or even the service provider.