Contextual Integrity as a Normative Guide for Privacy

Helen NissenbaumNew York University

*School of Information, UC Berkeley

April 2, 2008

*Supported by NSF ITR-0331542:

Sensitive Information in a Wired World (PORTIA)

The privacy conundrum+Controversial socio-technical systems --

track and monitor, aggregate and analyze, and publish and disseminate personal informationE.g. CCTV, RFID, DRM, Choicepoint, public records online, Facebook.

+Non-controversial socio-technical systemsE.g. body function monitoring in hospitals

+Need for a moral/political “justificatory framework”E.g. distinguish oppressive from benign surveillance

Some other approaches

Resort to private/public distinctionE.G Canadian physicians and PIPEDA (2001)

Support control by subjectAll out interest brawl Values tradeoffs

Contextual Integrity{bringing the social layer into view}

is a measure of how closely the flow of personal information conforms to context-relative informational norms. Contextual integrity is violated when these norms are breached.

Contexts …Structured social settings (“Institutions”)Characterized by roles, relationships, power structures, canonical activities, strategies, norms (rules), enforcement mechanisms, and internal values (goals, ends, purposes)E.g. health-care, education, politics, religious observance

more about contexts…

Evolve over time in cultures and societies, subject to historical, cultural, geographic contingencies

May be nested, overlap, conflictMay be more or less explicit,

formalized, institutionalized (e.g. class clown vs. judge)

May be more or less “complete”

Among the normscontext-relative Informational NormsIn a context, the flow of information of a certain type (attributes) about a subject (acting in a particular capacity/role) from a sender (possibly the subject, acting in a particular capacity/role) to a recipient (acting in a particular capacity/role) is governed by a particular transmission principle.

key parameters: contexts, attributes, actors, transmission principles

Transmission Principles** e.g.

Consent (subject controls)Notice (subject is/is not aware of transmission) Compulsion (e.g. earnings to IRS)ConfidentialityFiduciarySaleBarterReciprocityEntitlement, desert NeedSecrecy?Etc…

Contextual Integrity in a nutshell …

Context-Relative Informational Norm expressed in linear temporal logic

A. Barth, A. Datta, J. Mitchell, and H. Nissenbaum, (2006) “Privacy and Contextual Integrity: Framework and Applications,” Proceedings of the IEEE Symposium on Security and Privacy.

QuickTime™ and aTIFF (LZW) decompressor

are needed to see this picture.

Contextual Integrity

Contextual Integrity holds when context-relative informational norms are respected; it is violated when they are breached.

~ When people complain privacy is violated, look for violations of CI!

~ Surveillance is NOT always problematic~ Privacy is NOT control over information about oneself~ Privacy is NOT secrecy; it is appropriate flow~ Many of our privacy laws reach for CI ~The U.S. sectoral approach is NOT a bad thing

Q: Is CI conservative? A: Yes, in a sense.

{problems with the “reasonable expectations” test}

Opportunity Costs“perhaps there is something better…”

Tyranny of the Normal “entrenched practice wins the day …”{engineering away privacy}

I. Evaluating the merits of new practices against entrenched norms …

Moral and political considerations Harms to information subjects (e.g. stigma, discrimination, identity theft)Impacts on justice, balance of power, fair distribution of goodsImpacts on freedoms, autonomy, democracy, property

Impacts on security, efficiency

CI as a normative guide

II. Evaluating the merits of new practices against entrenched norms …

Explore impacts on ends-purposes-values of a context

{The MEANING of impacts within contexts} Healthcare (hospital surveillance, psychotherapy) Workplaces

Friendship (Tripp/Lewinsky)* Democratic elections vs. Congressional votingTMN and websearch privacyCASSIE in public librariesMobility on the roads (VSCS)

CI as a normative guide

Review

When novel practices violate entrenched informational norms,

Presumption favors entrenched norms {Why?}

Novel practices may legitimately overrule entrenched norms if shown to fulfill evaluation requirements

Conclusion: lots more work to be done.

Understand contexts and informational normsExpand understanding of transmission principlesExplore the relation between information flows

and ends-purposes-valuesStudy privacy law through the lens of contextual

integrity (e.g. GLBA, Video Privacy Protection Act, Drivers Privacy Protection Act, FERPA, HIPAA Privacy Rules)

* * *