The following is an email I sent to my father who recently read this piece at The Atlantic (The Philosopher Whose Fingerprints Are All Over the FTC’s New Approach to Privacy), which is all about Professor Helen Nissenbaum’s idea that the privacy of information is all a matter of context and breaches of privacy are not so much about “invasions” of your life as they are about inappropriately taking information from one social context and sharing it with another. If any of you feel weird about me re-publishing on the web, verbatim, a conversation I had with my father, then you instinctively understand this idea of privacy.
Which brings us to the conversation. My father asked “How realistic is this context stuff?”, to which I replied:
I actually audited one of Nissenbaum’s graduate seminars on privacy and technology two years ago when my boss was thinking of writing a book on the subject. Philosophically, I have great respect for the idea; it is powerful and elegant, and seems to neatly summarize what people really care about with these issues. For instance, it explains why Google’s change in data handling this month raised so many hackles: when you start using a particular google service, there are clear expectations about how your data is used and generally you can see it happen, as your searches turn up targeted ads or your email text does the same in gmail, but Google’s decision to pool that /exact same information/ system wide feels like a betrayal of the terms under which you gave the information to them originally.
Part of what has stymied the discussion for a decade is that it makes little sense to talk about this kind of profound shift in how data is processed and used as an “invasion” of privacy. People have, after all, already volunteered the data to Google, or to Facebook, whose many changes designed to push more of your social data into the public represent a string of this kind of context changing. Once you stop talking about “Invasions” your description of the problem becomes both easier for people to understand, and more accurate. You gave Google your email as a postman, it is inappropriate for them to now decide to filter what news you receive based on those messages, just as it would be inappropriate for your postman to cut articles out of your newspaper.
In that sense, I think the context framework will be very helpful to the discussion of privacy related issues and to those people having to decide what actions of regulated organizations are appropriate or inappropriate. Whether the regulations based on this will work, I am not expert enough to venture a guess. This framing of suffers the same weakness as the Supreme Court’s “reasonable expectation” view of privacy in that it relies on ill-defined social norms. This unfortunately comes with the territory since “privacy” is such a norm itself. In the world of technology, where the limits of what is possible and the ways in which those possible ends are achieved shift every year, defining social norms and relating them to individual actions by people in the industry seems a difficult task to say the least. Given how thoroughly the banking and telecoms industries have captures their relevant regulators, I don’t expect any piece of regulation to transform the data-mining industry right now.
That is why I continue to help push technological tools like FreedomBox that are designed to keep as much information as possible decentralized and why I continue to use discrete services, for which I pay, for web hosting, mail, and search. On the plus side, having more people talking about the context sensitive nature of personal information makes advocacy and education much easier, which I am quite pleased about.