Privacy basics from Purdue’s internationally known cybersecurity expert

A robot helps a user consider whether to allow permissions from an app on their cellphone.

With a screen smaller than a laptop and weighing in at more than 100 pounds, the groundbreaking IBM Personal System computer was considered revolutionary in 1987. In the same year, someone who would go on to revolutionize the field of cybersecurity joined Purdue’s faculty. 

For 32 years, Gene “Spaf” Spafford has brought his expertise to Purdue’s Computer Science Department. As a world-renowned cybersecurity expert, Spafford has been awarded various honors, including induction into the National Cyber Security Hall of Fame. With research focused in the areas of computer and network security, cybercrime and ethics, as well as the social impact of computing, Spafford’s knowledge about digital privacy spans decades of technological development. We asked him some questions about the direction of cybersecurity and data privacy and what we as users can do about it.

What is privacy? Depends on who you ask.

So, how does the expert on privacy define privacy? He doesn’t. Spafford believes there is “no absolute definition” of privacy, but rather, it is “defined by a community at a point in time.” As a collective, our society decides what is acceptable to share and what should be kept private, both in the physical and digital realms. Examples of this include laws like HIPAA, regulatory bodies like the FCC and legal contracts such as Terms and Conditions.

“Privacy is about control and choice,” Spafford says. “When we share information, we may not realize how widely it’s shared or for how long it’s available. The answers are everywhere and forever.” 

Be an informed provider

We have all been told to be an “informed consumer.” Read the reviews, know the company and compare it to others. When we consume digital technology, like Facebook or other apps, we are no longer just a consumer; we are now a provider. 

“In the United States, we have in law that whoever collects the information owns it.” Spafford points out that tech providers, such as Facebook, provide a service to you, collect your data, and then proceed to use that data as their own private property. 

Don’t like the idea of selling off your private information? “Individuals can express their preferences by whom they do business with,” Spafford says. However, losing one or two consumers may not pop up on Facebook’s radar. If we want to redefine privacy, we need to do so together. “To protect privacy collectively, we need to be aware and start seeking legislative change.”

Become "share-conscious"

Private information is often the cost of convenience online. We connect our Facebook profile to a third-party website to avoid creating another account with another password we probably won’t remember. We allow third parties access to our profiles so we can play a game or see the newest trend. We often share our information without being cautious of who is seeing it and what they are using it for, and Spafford warns against this practice. 

Companies cannot just collect your information without informing you first. That lengthy “Terms and Conditions” document lays out exactly how they collect your information and what they will use it for in the future. Spafford encourages everyone to review the privacy and share settings for all social media accounts, phone applications and other online platforms. 

“Be cautious of sharing,” he says. “If you are deciding to share, consider who can see it.” 

Next steps

Spafford runs into a common problem when warning students about their cybersecurity habits: They think they aren’t at risk. However, Spafford warns that “Purdue students go on to become leading engineers and scientists. Some go into public office, becoming targets later in life.” 

Your privacy settings do matter, if not now then likely in the future. The first step to creating positive cybersecurity habits is defining privacy for yourself. You can do this by reflecting on your current digital footprint and determining what you are okay with being out there and what you wish wasn’t available. After you’ve reflected, take a look at your settings and change permissions accordingly. 

Online privacy keeps evolving, and it’s important that we keep learning. Consider attending the "I've Been Hacked!" cybersecurity escape room on Oct. 17, 18, 22, or 23 (registration required) or the Privacy Matters Panel on Oct. 29. Stay up-to-date with everything cybersecurity, follow ITaP on Twitter (@PurdueIT), Instagram (@Purdue_IT) or Facebook (@PurdueIT). 

This article is part of a series for National Cybersecurity Awareness Month. For more information visit

Writer: Emily Jones, assistant technology writer, Information Technology at Purdue,

Last updated: October 10, 2019