Serious Discussion Privacy vs Security — Where Do You Personally Draw the Line?

Are you comfortable sacrificing more privacy for better security?

  • Yes, security comes first: 11 votes (45.8%)
  • No, I'd sacrifice protection for more privacy: 0 votes (0.0%)
  • I'd like a balance between the two: 13 votes (54.2%)
  • Total voters: 24

RoboMan

One common misconception about security usually is that "more is always better"… Not only is it not true, but in reality, stronger protection usually comes at a cost, and that cost is often privacy.

Modern security solutions rely heavily on cloud intelligence, telemetry, behavioral monitoring, and even AI-driven analysis. This means that, in many cases, your system is constantly sharing data: files, metadata, browsing activity, and sometimes even unknown samples uploaded for analysis.

So here’s the question:

Where do you personally draw the line between privacy and security?

Some points to consider:
  • Are you comfortable with your antivirus uploading suspicious files to the cloud automatically?
  • Do you trust cloud-based protection systems more than offline, signature-based approaches?
  • Would you sacrifice some privacy if it meant significantly better protection against zero-day threats?
  • Do you disable certain features (like web protection or telemetry) to maintain more control over your data?
  • How much do you trust big security vendors with your information?
There’s no universal right answer here, it really comes down to personal philosophy, threat model, and how much control you want over your own system.

Some users prefer maximum lockdown with minimal data sharing. Others are fine with extensive cloud integration if it means better real-time protection.

So… where do you stand?
 
For sure I'm standing on security, with basic privacy. I don't mind antivirus sending samples to cloud or anything that's security based. Sure I have no social media (cut them off years ago) and I only take pictures of my dogs, I use Windows + GrapheneOS... but use Edge browser and Google search, so I'm not 100% into privacy, I'm probably not even halfway there, but I guess my habits go into basic level of privacy...

Sure I'm always dreaming about going full Linux/GrapheneOS, but currently my nephew likes to play on my gaming desktop and Fortnite doesn't work on Linux .... soo... :sneaky:
 
Security is real, privacy is a dream. I always choose security over privacy, but lately, they are inseparable. The more companies pride, the more vulnerable people get.

Passkey is supposedly more secure, but it makes you more identifiable, just like IPv6, more secure, maybe, more private, definitely not. I know what I have chosen. To be left alone.
 
In theory, I’m interested in balancing security, privacy, and fingerprinting equally.
When a single choice for greater security results in a proportional decrease in privacy, I do my research and run tests.
But in the end, I usually avoid that choice because I can find an alternative way to achieve greater security, if I need it, that does NOT involve a decrease in privacy.

So I can’t vote for the third option because, in reality, this balance never exists.

I would feel more comfortable voting for the first option if it were supplemented by the following statement:

Yes, security comes first, but I would always make decisions "cum grano salis".
 
Privacy is almost impossible, for example I don't use FB /IG or similar but others in my family do so I'm on there around? If you use the net or venture outside / drive in the UK etc there is little or no privacy, as mentioned above security is easier & possible & has been in my case so voted for security :p
 
@RoboMan - your post appears to refer specifically to AV & OS security but I tend to think about it more broadly. I definitely value security but what other services do I use, e.g. email, etc. that are related to it, or support it?

A lot of "privacy" practices or strategies are more about privacy theater that make users more identifiable, not less. Blending in with the herd is a better privacy strategy.

My practice is to use or enable easily and widely available security features like MS Defender or Google Safe Browsing Advanced Protection to blend in with the crowd while also limiting some privacy exposure by using Brave Search, switching my phone to GrapheneOS, etc.

There is no escaping Big Tech in our dystopian era but there are ways to travel securely while keeping a low profile.
 
For the US residents the biggest privacy issue and the lowest hanging fruit that 100% everyone will reach for from script kiddie to state sponsor is your PII and past residencies that's free for all whoever asks for it via websites like LexisNexis or Spokeo.

Use a service that scrubs those sites and then monitors for any re-emergence of your info back at those sites so they can keep the sites scrubbed.

The rest is in your hand regarding what you are willing to share.

For example the only thing you find on me are my professional publications and symposia notes that I have no control over. The rest I do not exist.
 
I believe the line isn't fixed, but dynamic: security that sacrifices too much privacy eventually weakens itself, and privacy that ignores security is just a mirage. For me, the balance lies in accepting only the data exchange that provides tangible protection (like cloud-based sample analysis) while rejecting anything that only serves to pad out marketing profiles or unnecessary telemetry.

I agree with @oldschool that 'blending into the crowd' is a smart strategy, as long as we remain conscious of what exactly we are giving away in the process. In the end, it’s not about hiding from the world, but about deciding which doors we leave open and why. ⚖️🛡️
 
You can't have privacy without security, but you can have security without privacy. I hope that makes sense. It's a difficult subject to answer. It's not about becoming the invisible anonymous man bouncing off 20 SOCKS5 proxies in offshore countries and chaining 50 TOR+VPNs, it's about not making it easy for people to track you and identify you without some effort. While with security you can be safe and protected, but you have to give up some control over your computer and life.
 
They are device (PC/mobile) or hardware (USB key) bound, each with unique serial numbers and other identifiable data, unlike an offline password with an offline 2FA app.
I think the AAGUID indicates the model of the authenticator rather than the specific instance (i.e., no serial numbers):
If the user uses a common authenticator—e.g., a platform authenticator, a password manager, or a YubiKey—they’ll fall into a large pool of people presenting the same AAGUID. I think there is some specific exception in the enterprise environment, but I don't think a device-specifying ID is a problem for general usage. AAGUID would obviously be another tag to your account (if the relying party requests and keeps it).

So, yes, the authenticators you use might put you in specific boxes (in the thousands, at least?), probably not in the box of one, but may make the user more identifiable across accounts.
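
An added example, not part of any post in this thread: what a relying party actually sees in a WebAuthn registration's authenticatorData. It parses the fixed layout (32-byte RP ID hash, flags, counter, then a 16-byte AAGUID and a length-prefixed credential ID) and counts how many stored registrations share each AAGUID. The AAGUID values, RP ID and user names are constructed placeholders.

```python
import hashlib
import struct
import uuid
from collections import Counter

FLAG_AT = 0x40  # "attested credential data included" bit in the flags byte

def parse_registration(auth_data: bytes) -> dict:
    """Split WebAuthn authenticatorData into the fields a relying party sees."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData shorter than the fixed 37-byte header")
    flags = auth_data[32]
    sign_count = struct.unpack(">I", auth_data[33:37])[0]
    if not flags & FLAG_AT:
        raise ValueError("no attested credential data (not a registration response)")
    if len(auth_data) < 55:
        raise ValueError("truncated attested credential data")
    aaguid = uuid.UUID(bytes=auth_data[37:53])           # identifies the authenticator model
    (cred_len,) = struct.unpack(">H", auth_data[53:55])
    cred_id = auth_data[55:55 + cred_len]                # unique per credential
    if len(cred_id) != cred_len:
        raise ValueError("credential ID length exceeds the buffer")
    return {"rp_id_hash": auth_data[:32], "sign_count": sign_count,
            "aaguid": aaguid, "credential_id": cred_id}

def pool_sizes(registrations):
    """How many stored registrations share each AAGUID (the size of each 'box')."""
    return Counter(r["aaguid"] for r in registrations)

# --- constructed sample data, not real authenticator output ---
MODEL_A = uuid.UUID("11111111-2222-3333-4444-555555555555")  # placeholder AAGUID
MODEL_B = uuid.UUID("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee")  # placeholder AAGUID

def build_sample(rp_id: str, aaguid: uuid.UUID, user: str) -> bytes:
    cred_id = hashlib.sha256(user.encode()).digest()    # stand-in credential ID
    # flags 0x45 = user present | user verified | attested credential data
    header = hashlib.sha256(rp_id.encode()).digest() + bytes([0x45]) + struct.pack(">I", 0)
    # trailing b"\xa0" stands in for the COSE public key, which is not parsed here
    return header + aaguid.bytes + struct.pack(">H", len(cred_id)) + cred_id + b"\xa0"

SAMPLES = [parse_registration(build_sample("example.test", m, u))
           for m, u in [(MODEL_A, "alice"), (MODEL_A, "bob"), (MODEL_B, "carol")]]

if __name__ == "__main__":
    for aaguid, n in pool_sizes(SAMPLES).items():
        print(aaguid, "shared by", n, "registrations")
```

Two users with the same authenticator model present the same AAGUID but different credential IDs, so the AAGUID narrows a user to a pool only if the relying party requests and stores it.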
 
Guys, you're confusing privacy with fingerprinting.
It's not hard to improve your privacy.
Many of the filter lists you subscribe to in your ad blockers are privacy filter lists.
Just go to the website below and look for the “privacy” tag.
To realize this:


 
I have "privacy" filter lists turned off in Brave shield and I use hagezi tif list, not the multi lists
 
That's not the right approach.
Many infections, even in the recent past, used fingerprinting and privacy-invasive techniques to determine whether a potential target system could be efficiently compromised.
If not, the infection wouldn't even begin on overly secure operating systems.

P.S.

Our ultimate goal is to minimize the collection of information on our system.
It may seem strange, but this isn't done solely for commercial reasons. ;)
 