Privacy & Context


January 22, 2024

Last time

  • What is security?
  • Why do we need a human-centered approach to security?


  • What is privacy?
    • What are some different ways of conceptualizing privacy?
    • What are their strengths and weaknesses?
  • What is the Contextual Integrity model for privacy?


This presentation borrows from Michelle Mazurek, Helen Nissenbaum, Noah Apthorpe, and others.

Let’s talk about privacy

Do you care about privacy?

How concerned are you about how your personal data is being used by companies?
…by the government?

  • Very
  • Somewhat
  • Not too
  • Not at all

Do people care about privacy?

How concerned are you about how your personal data is being used by companies?
…by the government?

  • Very
  • Somewhat
  • Not too
  • Not at all

People care

…or do they?

“Privacy paradox”

People’s privacy behaviors don’t always align with their expressed attitudes

Privacy examples


  • antivirus informs you that your information was stolen
  • notifications when someone tries to log in as you
  • 2FA
  • Safari tells you about trackers

  • credit card info leaked
  • CV and contact info leaked
  • apply for one job, other companies find out
  • Steam credentials leaked, account wiped

Why should we care privacy?

Privacy is a human right

Privacy is protected by law

Why do we need to know what privacy is?

  • Is privacy being violated?
  • Is this good for privacy?

Defining privacy

How would you define privacy?

  • keep your sensitive info private
    • securing and protecting sensitive information
  • only share it with your consent
    • unauthorized people can’t access information
    • right to manage your personal information
  • resources (rules and people) whose job it is to protect your privacy

Privacy is hard to define

“Privacy is a value so complex, so entangled in competing and contradictory dimensions, so engorged with various and distinct meanings, that I sometimes despair whether it can be usefully addressed at all.”
— Robert C. Post. Three Concepts of Privacy, 89 Geo. L.J. 2087 (2001)

Privacy defined by the dictionary

pri·va·cy |ˈprīvəsē | 

  • the state or condition of being free from being observed or disturbed by other people: she returned to the privacy of her own home.
  • the state of being free from public attention: a law to restrict newspapers’ freedom to invade people’s privacy.

New Oxford American Dictionary

Privacy defined by LLM

  • Control over information: Privacy is about having a say in how your personal information (like your thoughts, actions, and data) is collected, used, and shared.
  • Freedom from intrusion: It’s about having boundaries around your physical and digital spaces, allowing you to choose who accesses them and when.
  • Expression & autonomy: Privacy enables you to be yourself without fear of judgment or harm, fostering freedom of thought, association, and self-expression.

Privacy is control over information

“Privacy is the claim of individuals, groups or institutions to determine for themselves when, how, and to what extent information about them is communicated to others. … Each individual is continually engaged in a personal adjustment process in which he balances the desire for privacy with the desire for disclosure and communication.”
— Alan Westin, Privacy and Freedom, 1967

Privacy is about personal boundaries

“The right to be let alone”
— Samuel D. Warren and Louis D. Brandeis, The Right to Privacy, 4 Harv. L. Rev. 193 (1890)

“Our concern over our accessibility to others: the extent to which we are known to others, the extent to which others have physical access to us, and the extent to which we are the subject of others’ attention.”
— Ruth Gavison, Privacy and the Limits of the Law, Yale Law Journal 89 (1980)

Privacy goals

  • Solitude, uninterrupted
  • Unseen, unheard, unread
  • Not talked about
  • Not judged/misjudged
  • Not profiled, targeted, treated differently
  • Free to practice, make mistakes
  • Being unknown
  • Being forgotten
  • Intimacy
  • Control
  • Boundaries

Good privacy practices

  • limit collection
  • keep it correct
  • have a purpose for collecting it
  • limit its uses
  • have safeguards
  • make it accessible
  • let people update it
  • stay accountable

OECD Privacy Principles

  • Collection Limitation
  • Data Quality
  • Purpose Specification
  • Use Limitation
  • Security Safeguards
  • Openness
  • Individual Participation
  • Accountability

Fair Information Practice Principles

Privacy defined by the GDPR

Privacy defined through rights

  1. The right to be informed
  2. The right of access
  3. The right to rectification
  4. The right to erasure
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object
  8. Rights re: automated decision making and profiling

Limitations of the definitions we saw

What are the strengths and weaknesses of the definitions we saw?


  • dictionary defn
    • provides clear end goal
  • FIPPs
    • good coverage
  • GDPR / rights
    • concrete

  • dictionary defn
    • not tech-specific
  • FIPPs
    • specific to organizations
    • compliance may not be what people want
  • GDPR
    • doesn’t actually define privacy

Summary of limitations

  • (Too?) open-ended
  • FIPPs are necessary but not sufficient
    • Ditto with rights
  • Tenuously applicable to individuals

What are our goals for the definition?

  • Is privacy being violated?
  • Is this good for privacy?

Looking for a model

  • Explanatory
  • Predictive

Questions about privacy definitions

Contextual Integrity


  • invented and elaborated by Helen Nissenbaum

Principle 1: privacy is about how information flows

Not secrecy, data minimization, etc.

Example information flow

flowchart LR
    A[Student] --> B[LMS]
    B --> C[Instructor]
    C --> B
    B --> A

Principle 2: norms determine whether flow is appropriate

Privacy = contextual integrity = information flow follows norms

flowchart LR
    A[Student] --> B[LMS]
    B --> C[Instructor]
    B -..-> D[Advertiser]
    C --> B
    B --> A

Examples of norms

  • In a job interview, an interviewer is forbidden from asking a candidate’s religious affiliation
  • A priest may not share congregants’ confessions with anyone
  • A citizen of the U.S. is obliged to reveal gross income to the IRS under conditions of confidentiality except as required by law
  • One may not share a friend’s confidences with others, except, perhaps, with one’s spouse
  • Parents should monitor their children’s academic performance

Your examples of norms

  • opening your laptop
  • sharing your salary
  • who you voted for

Principle 3: norms are composed of 5 parameters

  • data type
  • data subject
  • sender
  • recipient
  • transmission principle

Updated flow

flowchart LR
    A[Student] --> |Assignments| B[LMS]
    B --> |Assignments| C[Instructor]
    B -..-> |??| D[Advertiser]
    C -->  |Grades| B
    B -->  |Grades| A

Data types

Demographic, biographical, transactional, what you read, movies you’ve seen, metadata, purchases, salary, address, medical diagnosis, facial image, SSN, how much you paid for your house, grades, sexual orientation

Examples of actors

Physician, merchant, bank, friend, merchant, police, telecom, shopper, investor, reader, advertiser, voter, insurance company, parent, spouse, teacher, friend, student, FBI, CIA, neighbor

Actors are roles, not identities

Transmission principle

Consent, buy, in confidence, with notice, with a warrant, with authorization, reciprocal, as required by law, Chatham House Rule

Principle 4: new norms are evaluated through context

What happens when there’s a novel flow?

Establishing legitimacy of contextual norms

  • Interests and preferences of affected parties (individual)
  • Ethical and political principles (societal)
  • Contextual functions, purposes, and values (societal)

Contextual functions, purposes, & values

  • Healthcare: cure disease, alleviate pain and suffering, equity
  • Politics: democracy, autonomy, accountability, justice
  • Home and social: trust, autonomy, stability
  • Education: knowledge, intellect, creativity, fair distribution
  • Commercial marketplace: sell, buy, compete, profit, trust

Questions about CI

Applying CI

CI summary

  1. Privacy as appropriate flow
  2. Appropriate flow as conformance with legitimate contextual-informational privacy norms
  3. Five parameters of privacy norms: subject, sender, recipient, information type, transmission principle
  4. Ethical legitimacy of privacy norms based on I) interests, II) ethical/political values, III) contextual functions, purposes and values

Lessons from CI for practice

  • Don’t treat data as “private” vs “not private”
  • Practices are important, but expectations determine acceptability
    • These will differ across contexts!
  • Examine all contextual parameters
  • Remember contextual goals & values

Lessons from CI for research

  • Can use to explain privacy violations
  • Can use to predict privacy needs