Privacy as contextual integrity Helen Nissenbaum New York University September 6, 2007 Ars...

Privacy as contextual integrity

Helen Nissenbaum
New York University

http://www.nyu.edu/projects/nissenbaum

September 6, 2007
Ars Electronica, Linz

Support from: NSF ITR-0331542: Sensitive Information in a Wired World.

Nissenbaum/Ars Electronica '07

the conundrum …


Privacy threats of IT and associated socio-technical practices

• Tracking and monitoring

RFID, EZ Pass, online-tracking, ISP “clickstream” monitoring, CCTV, biometrics, VSCS, auto “black boxes,” DRM, ubicomp, etc.

• Aggregation and analysis

databases, data warehouses, data mining, e.g. LM-Households, ChoicePoint, MATRIX, Census, Credit Bureaus, Rapleaf, etc.

• Publication

online public records, e.g. court records; social networking sites, e.g. blogs, MySpace, Facebook, flickr, etc.


solutions?

Interest-based scuffles: “the privacy preference” vs. competing claims

Privacy a fundamental human right defined as:

Alan Westin: “the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to others.”

Jeffrey Reiman: “the condition under which others are deprived of access to you at their discretion.”

Michael Froomkin: “the ability to control the acquisition or release of information about oneself.”

Ruth Gavison: “limiting the degree of access others have to you via information, attention, or physical proximity.”


Invoke the private/public dichotomy

The private ~ a realm deserving privacy protection

The public ~ a realm not deserving privacy protection …anything goes?

Public and private what? … actors, realms, information

proves too much and too little


Intuitions, gut reactions …

do not reside primarily at the level of interest-based scuffles (privacy is not merely a preference)

nor fully accounted for by fundamental (familiar) moral and political principles.

social contexts as unit of analysis for privacy


Privacy as Contextual Integrity

Contexts …

Structured social settings (“Institutions”)

Characterized by roles, relationships, power structures, canonical activities, strategies, norms (rules), enforcement mechanisms, and internal values (goals, ends, purposes)

E.g. health-care, education, politics, religious observance


more about contexts…

Evolved over time in cultures and societies, subject to historical, cultural, geographic contingencies

May be nested, overlap, conflict

May be more or less explicit, formalized, institutionalized (e.g. class clown vs judge)

May be more or less “complete”


Among the norms: context-relative Informational Norms

In a context, the flow of information of a certain type about a subject (acting in a particular capacity/role) from one actor (could be the subject) to another actor (in a particular capacity/role) is governed by a particular transmission principle.

key parameters: contexts, attributes, actors, transmission principles


Formal representation of an Informational Norm in Temporal Logic

From: A. Barth, A. Datta, J. Mitchell, and H. Nissenbaum, “Privacy and Contextual Integrity: Framework and Applications,” Proceedings of the IEEE Symposium on Security and Privacy, Forthcoming 2006


Transmission Principles

some examples:

• Consent (subject controls)
• Notice (subject is/is not aware of transmission)
• Compulsion (e.g. earnings to IRS)
• Confidentiality
• Sale
• Reciprocity
• Entitlement, desert
• Etc…


Descriptive power of CI

Contextual Integrity is preserved when informational norms of a context are respected; it is violated when any of the norms are breached.

~ When people complain, look for CI violations not preferences!

~ Surveillance is NOT always problematic

~ Privacy is NOT control over information about oneself

~ Privacy is NOT secrecy; it is appropriate flow
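
Added example, not part of the original slides and not the temporal-logic formalization from the cited paper: a minimal Python model of a context-relative informational norm (contexts, attributes, actors, transmission principles) and of the rule that CI is violated when a norm is breached. The allow-list matching, the "ungoverned" outcome, and all names, norms and flows are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Norm:
    """One context-relative informational norm (simplified, assumed model)."""
    context: str         # structured social setting, e.g. "healthcare"
    attribute: str       # type of information
    subject_role: str    # capacity in which the subject acts
    sender_role: str     # actor sending (could be the subject)
    recipient_role: str  # actor receiving
    principle: str       # transmission principle governing the flow

class Flow(Norm):
    """An observed flow, described with the same six parameters."""

# Constructed norms, built from examples named on the slides.
NORMS = [
    Norm("healthcare", "mental-health", "patient", "patient",
         "psychotherapist", "confidentiality"),
    Norm("taxation", "earnings", "employee", "employer", "IRS", "compulsion"),
]

def _key(x):
    return (x.subject_role, x.sender_role, x.recipient_role, x.principle)

def evaluate(flow, norms=NORMS):
    """Return 'respected', 'breached' or 'ungoverned' for one flow."""
    governing = [n for n in norms
                 if (n.context, n.attribute) == (flow.context, flow.attribute)]
    if not governing:
        return "ungoverned"   # no norm in this model speaks to the flow
    return "respected" if any(_key(n) == _key(flow) for n in governing) else "breached"

def integrity_preserved(flows, norms=NORMS):
    """CI holds only when no flow breaches a norm of its context."""
    return all(evaluate(f, norms) != "breached" for f in flows)

# Constructed sample flows.
THERAPY = Flow("healthcare", "mental-health", "patient", "patient",
               "psychotherapist", "confidentiality")
RESALE = Flow("healthcare", "mental-health", "patient", "psychotherapist",
              "data broker", "sale")
TAX = Flow("taxation", "earnings", "employee", "employer", "IRS", "compulsion")

if __name__ == "__main__":
    for f in (THERAPY, RESALE, TAX):
        print(f.sender_role, "->", f.recipient_role, ":", evaluate(f))
```

The TAX flow is respected although the subject neither controls it nor keeps the earnings secret, while RESALE breaches the healthcare norm because the recipient role and the transmission principle differ from those the norm prescribes.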


Is CI conservative?

Is a violation of CI always a problem?

traditional wisdom, but …

Opportunity Costs: “perhaps there is something better…”

Tyranny of the Normal: “change can be liberating…”


How to evaluate challenges to entrenched norms??

Two key steps …

Moral and political considerations

• Harm (e.g. stigma, discrimination, identity theft)
• Justice, balance of power, fair distribution of goods
• Freedom, autonomy, democracy, property
• Countervailing considerations (security, efficiency, etc.)

Relation to values/goals of context

• healthcare (psychotherapy)
• Friendship (Tripp/Lewinsky)
• Anonymity in democratic elections
• TMN and websearch privacy; CASSIE in public libraries
• Mobility on the roads (VSCS)


Technologies

“Cassie”

VSCS

Rapleaf, Choicepoint

Court records online


TMN: Lightweight Firefox plugin for “privacy through obfuscation”… site of resistance

Available at: http://mrl.nyu.edu/~dhowe/TrackMeNot/

Or: https://addons.mozilla.org/enUS/firefox/addon/3173


Does CI have all the answers?
