Privacy & Context
Last time
- What is security?
- Why do we need a human-centered approach to security?
Today
- What is privacy?
- What are some different ways of conceptualizing privacy?
- What are their strengths and weaknesses?
- What is the Contextual Integrity model for privacy?
Acknowledgments
This presentation borrows from Michelle Mazurek, Helen Nissenbaum, Noah Apthorpe, and others.
Let’s talk about privacy
Do you care about privacy?
How concerned are you about how your personal data is being used by companies?
…by the government?
- Very
- Somewhat
- Not too
- Not at all
Do people care about privacy?
How concerned are you about how your personal data is being used by companies?
…by the government?
- Very
- Somewhat
- Not too
- Not at all
People care
…or do they?
“Privacy paradox”
People’s privacy behaviors don’t always align with their expressed attitudes
Privacy examples
+
- antivirus informs you that your information was stolen
- notifications when someone tries to log in as you
- 2FA
- Safari tells you about trackers
–
- credit card info leaked
- CV and contact info leaked
- apply for one job, other companies find out
- Steam credentials leaked, account wiped
Why should we care about privacy?
Privacy is a human right
Privacy is protected by law
Why do we need to know what privacy is?
- Is privacy being violated?
- Is this good for privacy?
Defining privacy
How would you define privacy?
- keep your sensitive info private
- securing and protecting sensitive information
- only share it with your consent
- unauthorized people can’t access information
- right to manage your personal information
- resources (rules and people) whose job it is to protect your privacy
Privacy is hard to define
“Privacy is a value so complex, so entangled in competing and contradictory dimensions, so engorged with various and distinct meanings, that I sometimes despair whether it can be usefully addressed at all.”
— Robert C. Post. Three Concepts of Privacy, 89 Geo. L.J. 2087 (2001)
Privacy defined by the dictionary
pri·va·cy |ˈprīvəsē |
noun
- the state or condition of being free from being observed or disturbed by other people: she returned to the privacy of her own home.
- the state of being free from public attention: a law to restrict newspapers’ freedom to invade people’s privacy.
— New Oxford American Dictionary
Privacy defined by LLM
- Control over information: Privacy is about having a say in how your personal information (like your thoughts, actions, and data) is collected, used, and shared.
- Freedom from intrusion: It’s about having boundaries around your physical and digital spaces, allowing you to choose who accesses them and when.
- Expression & autonomy: Privacy enables you to be yourself without fear of judgment or harm, fostering freedom of thought, association, and self-expression.
Privacy is control over information
“Privacy is the claim of individuals, groups or institutions to determine for themselves when, how, and to what extent information about them is communicated to others. … Each individual is continually engaged in a personal adjustment process in which he balances the desire for privacy with the desire for disclosure and communication.”
— Alan Westin, Privacy and Freedom, 1967
Privacy is about personal boundaries
“The right to be let alone”
— Samuel D. Warren and Louis D. Brandeis, The Right to Privacy, 4 Harv. L. Rev. 193 (1890)
“Our concern over our accessibility to others: the extent to which we are known to others, the extent to which others have physical access to us, and the extent to which we are the subject of others’ attention.”
— Ruth Gavison, Privacy and the Limits of the Law, Yale Law Journal 89 (1980)
Privacy goals
- Solitude, uninterrupted
- Unseen, unheard, unread
- Not talked about
- Not judged/misjudged
- Not profiled, targeted, treated differently
- Free to practice, make mistakes
- Being unknown
- Being forgotten
- Intimacy
- Control
- Boundaries
Good privacy practices
- limit collection
- keep it correct
- have a purpose for collecting it
- limit its uses
- have safeguards
- make it accessible
- let people update it
- stay accountable
OECD Privacy Principles
- Collection Limitation
- Data Quality
- Purpose Specification
- Use Limitation
- Security Safeguards
- Openness
- Individual Participation
- Accountability
Fair Information Practice Principles
Privacy defined by the GDPR
Privacy defined through rights
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights re: automated decision making and profiling
Limitations of the definitions we saw
What are the strengths and weaknesses of the definitions we saw?
+
- dictionary defn
  - provides clear end goal
- FIPPs
  - good coverage
- GDPR / rights
  - concrete
–
- dictionary defn
  - not tech-specific
- FIPPs
  - specific to organizations
  - compliance may not be what people want
- GDPR
  - doesn’t actually define privacy
Summary of limitations
- (Too?) open-ended
- FIPPs are necessary but not sufficient
- Ditto with rights
- Tenuously applicable to individuals
What are our goals for the definition?
- Is privacy being violated?
- Is this good for privacy?
Looking for a model
- Explanatory
- Predictive
Questions about privacy definitions
Contextual Integrity
Background
- invented and elaborated by Helen Nissenbaum
Principle 1: privacy is about how information flows
Not secrecy, data minimization, etc.
Example information flow
Principle 2: norms determine whether flow is appropriate
Privacy = contextual integrity = information flow follows norms
Examples of norms
- In a job interview, an interviewer is forbidden from asking a candidate’s religious affiliation
- A priest may not share congregants’ confessions with anyone
- A citizen of the U.S. is obliged to reveal gross income to the IRS under conditions of confidentiality except as required by law
- One may not share a friend’s confidences with others, except, perhaps, with one’s spouse
- Parents should monitor their children’s academic performance
Your examples of norms
- opening your laptop
- sharing your salary
- who you voted for
Principle 3: norms are composed of 5 parameters
- data type
- data subject
- sender
- recipient
- transmission principle
Updated flow
Data types
Demographic, biographical, transactional, what you read, movies you’ve seen, metadata, purchases, salary, address, medical diagnosis, facial image, SSN, how much you paid for your house, grades, sexual orientation
Examples of actors
Physician, merchant, bank, friend, merchant, police, telecom, shopper, investor, reader, advertiser, voter, insurance company, parent, spouse, teacher, friend, student, FBI, CIA, neighbor
Actors are roles, not identities
Transmission principle
Consent, buy, in confidence, with notice, with a warrant, with authorization, reciprocal, as required by law, Chatham House Rule
Principle 4: new norms are evaluated through context
What happens when there’s a novel flow?
Establishing legitimacy of contextual norms
- Interests and preferences of affected parties (individual)
- Ethical and political principles (societal)
- Contextual functions, purposes, and values (societal)
Contextual functions, purposes, & values
- Healthcare: cure disease, alleviate pain and suffering, equity
- Politics: democracy, autonomy, accountability, justice
- Home and social: trust, autonomy, stability
- Education: knowledge, intellect, creativity, fair distribution
- Commercial marketplace: sell, buy, compete, profit, trust
Questions about CI
Applying CI
CI summary
- Privacy as appropriate flow
- Appropriate flow as conformance with legitimate contextual-informational privacy norms
- Five parameters of privacy norms: subject, sender, recipient, information type, transmission principle
- Ethical legitimacy of privacy norms based on I) interests, II) ethical/political values, III) contextual functions, purposes and values
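The five-parameter norms of Principle 3 and the summary above can be made concrete by encoding a flow as a 5-tuple and a norm as a pattern over those parameters bound to a context. The Python below is an added example, not code from the slides or from Nissenbaum’s or Apthorpe’s work: the wildcard `*`, the context labels, the `Flow`/`Norm` classes and the decision to let the most specific matching norm win are this example’s assumptions, and the norms themselves paraphrase the slide’s examples. A flow that no norm of its context covers is reported as novel, which is where Principle 4 (evaluation through the context’s functions, purposes and values) takes over.

```python
"""Constructed example: encoding Contextual Integrity norms and checking flows.

An information flow is a 5-tuple (data type, subject, sender, recipient,
transmission principle). A norm is a pattern over those parameters, bound to
a context, that says whether matching flows are appropriate. Principle 4 is
modelled by reporting flows that no norm covers as "novel".
"""
from dataclasses import dataclass, fields
from typing import Iterable, List, Optional, Tuple

ANY = "*"  # wildcard: the norm does not constrain this parameter (assumption)


@dataclass(frozen=True)
class Flow:
    """One information flow, described by the five CI parameters."""
    data_type: str
    subject: str
    sender: str
    recipient: str
    transmission_principle: str


@dataclass(frozen=True)
class Norm:
    """A contextual informational norm: a pattern over the five parameters,
    the context it belongs to, and whether matching flows are appropriate."""
    context: str
    pattern: Flow          # each field is a role/value or ANY
    appropriate: bool
    note: str              # plain-language statement of the norm

    def matches(self, flow: Flow) -> bool:
        return all(
            getattr(self.pattern, f.name) in (ANY, getattr(flow, f.name))
            for f in fields(Flow)
        )

    def specificity(self) -> int:
        # Number of constrained parameters; an exception carved out of a
        # general norm is more specific and therefore wins.
        return sum(getattr(self.pattern, f.name) != ANY for f in fields(Flow))


# Norms paraphrased from the slide's examples; the context labels and the
# choice of which parameters to constrain are this example's assumptions.
NORMS: List[Norm] = [
    Norm("religious", Flow("confession", "congregant", "priest", ANY, ANY),
         False, "a priest may not share congregants' confessions with anyone"),
    Norm("friendship", Flow("confidence", "friend", "friend", ANY, ANY),
         False, "one may not share a friend's confidences with others"),
    Norm("friendship", Flow("confidence", "friend", "friend", "spouse", ANY),
         True, "...except, perhaps, with one's spouse"),
    Norm("taxation", Flow("gross income", "citizen", "citizen", "IRS", "in confidence"),
         True, "a citizen is obliged to reveal gross income to the IRS in confidence"),
    Norm("taxation", Flow("gross income", "citizen", "IRS", ANY, ANY),
         False, "the IRS keeps gross income confidential"),
    Norm("taxation", Flow("gross income", "citizen", "IRS", ANY, "as required by law"),
         True, "...except as required by law"),
    Norm("hiring", Flow("religious affiliation", "candidate", "candidate", "interviewer", ANY),
         False, "an interviewer may not ask a candidate's religious affiliation"),
]


def evaluate(flow: Flow, context: str,
             norms: Iterable[Norm] = NORMS) -> Tuple[str, Optional[Norm]]:
    """Principle 2: a flow has contextual integrity iff it conforms to the
    norms of its context. Returns ("appropriate" | "inappropriate", norm) for
    a covered flow, or ("novel", None) when no norm of the context matches;
    a novel flow must then be judged against the context's functions,
    purposes and values (Principle 4) rather than against an existing rule."""
    matching = [n for n in norms if n.context == context and n.matches(flow)]
    if not matching:
        return "novel", None
    best = max(matching, key=Norm.specificity)
    return ("appropriate" if best.appropriate else "inappropriate"), best


def demo() -> List[str]:
    """Run a few constructed flows through the norms; returns the verdicts."""
    cases = [
        ("religious", Flow("confession", "congregant", "priest", "neighbor", "in confidence")),
        ("friendship", Flow("confidence", "friend", "friend", "spouse", "in confidence")),
        ("friendship", Flow("confidence", "friend", "friend", "coworker", "in confidence")),
        ("taxation", Flow("gross income", "citizen", "citizen", "IRS", "in confidence")),
        ("taxation", Flow("gross income", "citizen", "IRS", "advertiser", "buy")),
        ("taxation", Flow("gross income", "citizen", "IRS", "court", "as required by law")),
        # A flow no existing norm covers: a smart speaker reporting audio home.
        ("home", Flow("audio", "resident", "smart speaker", "manufacturer", "with notice")),
    ]
    verdicts = []
    for context, flow in cases:
        verdict, norm = evaluate(flow, context)
        why = norm.note if norm else "no norm covers this flow; evaluate via context values"
        print(f"[{context}] {flow.sender} -> {flow.recipient} ({flow.data_type}): {verdict} -- {why}")
        verdicts.append(verdict)
    return verdicts


if __name__ == "__main__":
    demo()
```

Two points of the model show up in the code. Changing a single parameter flips the verdict (the same confidence is appropriate to a spouse and inappropriate to a coworker), which is why "private vs not private" labels on the data alone are not enough. And the smart-speaker flow is not judged at all by existing norms; it comes back as novel, which is the situation Principle 4 addresses.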
Lessons from CI for practice
- Don’t treat data as “private” vs “not private”
- Practices are important, but expectations determine acceptability
- These will differ across contexts!
- Examine all contextual parameters
- Remember contextual goals & values
Lessons from CI for research
- Can use to explain privacy violations
- Can use to predict privacy needs