Contextual Integrity and the Privacy-Transparency Tradeoff

So far in the course, we've focused on the harms caused by abuse and excessive collection of personal data. The harm that can be done is significant. Does that mean that, to be as privacy-conscious as possible, we should build products that never collect any personal data?

Of course not! Think of the software products you use in your daily life and imagine what they'd look like if they weren't allowed to collect any user identifiers:

  • How would you log in without providing your email, a username, or some other identifier?
  • How would you be able to edit a document you'd previously saved online without an account or some other ownership information linking it to you as the owner?

With the document example, perhaps you could still retrieve the document without providing an identifier, but only if the document were made publicly available to everyone. For most documents this wouldn't be appropriate, and the privacy 'harm' of some identifier being stored for you (if you perceive any harm at all) is much preferable to the greater privacy harm of making the document readable by everyone online. Even if you are happy to share the document publicly, never being able to edit it again after the first draft is inconvenient, so you might be comfortable trading some privacy for convenience: providing an identifier so that you can log in as the owner of the document and continue editing.



Contextual Integrity

"A central tenet of contextual integrity is that there are no arenas of life not governed by norms of information flow, no information or spheres of life for which "anything goes." Almost everything - things that we do, events that occur, transactions that take place - happens in a context not only of place but of politics, convention, and cultural expectation. These contexts can be as sweepingly defined as, say, spheres of life such as education, politics, and the marketplace or as finely drawn as the conventional routines of visiting the dentist, attending a family wedding, or interviewing for a job." - Helen Nissenbaum, Privacy as Contextual Integrity (2004).

The information you are willing to share in any given situation depends on the context and the tradeoffs involved. Privacy isn't violated just because an information flow exists from ourselves to someone else - it's violated when that flow of information doesn't match our expectations. Consider some of the scenarios Helen Nissenbaum lists above:

  • In the context of a job interview, you expect to share extensive details about your work experience and discuss your salary expectations, whereas you would be alarmed if your interviewer asked you for intimate details about your health. There is an information flow from you to your interviewer and their company. The tradeoff for sharing your data is that you might be offered a job.
  • In contrast, while lying in your dentist's chair, you expect to discuss your health - as a tradeoff to get the best care for your teeth - but might be uncomfortable (and suspect that your dentist is assessing your ability to pay!) if you were suddenly asked about your salary. Sharing your salary seems like an inappropriate information flow in this context.

This idea, that the kinds of information sharing considered normal (the privacy norms) vary by context, is the basis of Helen Nissenbaum's theory of contextual integrity. A context is defined by the following parameters:

  • Data type being shared - e.g. email, location, health insurance number, salary, political affiliation
  • Data subject - who is this data about?
  • Sender - who is sharing? It might not be the data subject.
  • Recipient - with whom is the data being shared?
  • Transmission principle - on what basis is this information being shared? For example: consent, parental consent if the subject is a child, government warrant or other legal obligation.
  • Purpose - what will the data be used for?

Contextual integrity provides us with a tool to assess whether an information flow is ethical. It is not the only perspective available to answer this question, but it is a very useful addition to your toolkit.
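To make the six parameters concrete, here is an added example (not from the course page or from Nissenbaum's work) that encodes a context's norms as the expected values of each parameter and reports which parameters a proposed flow departs from. The context names, data types and roles are constructed for the interview and dentist scenarios above; note that the last case reuses data the dentist legitimately holds for a different purpose, which the check still flags.

```python
from dataclasses import dataclass, asdict

@dataclass(frozen=True)
class Flow:  # one information flow, described by the six contextual-integrity parameters
    data_type: str
    subject: str
    sender: str
    recipient: str
    transmission_principle: str
    purpose: str

# A norm lists, per parameter, the values a flow is expected to take in that context.
# Contexts and values are constructed here from the page's interview and dentist scenarios.
CONTEXT_NORMS = {
    "job_interview": [{
        "data_type": {"work_experience", "salary_expectations"}, "subject": {"candidate"},
        "sender": {"candidate"}, "recipient": {"interviewer"},
        "transmission_principle": {"consent"}, "purpose": {"hiring_decision"},
    }],
    "dentist_visit": [{
        "data_type": {"dental_history", "medication"}, "subject": {"patient"},
        "sender": {"patient", "parent"}, "recipient": {"dentist"},
        "transmission_principle": {"consent", "parental_consent"}, "purpose": {"treatment"},
    }],
}

def assess(context: str, flow: Flow) -> list[str]:
    """Parameters on which `flow` departs from the closest norm of `context`; [] means it matches."""
    params = asdict(flow)
    norms = CONTEXT_NORMS.get(context)
    if not norms:
        return list(params)  # no norms known for this context: nothing about the flow is expected
    best = None
    for norm in norms:
        mismatched = [p for p, v in params.items() if v not in norm[p]]
        if best is None or len(mismatched) < len(best):
            best = mismatched
    return best

if __name__ == "__main__":
    cases = {
        "experience at interview": ("job_interview", Flow("work_experience", "candidate", "candidate", "interviewer", "consent", "hiring_decision")),
        "health at interview": ("job_interview", Flow("medication", "candidate", "candidate", "interviewer", "consent", "hiring_decision")),
        "salary at dentist": ("dentist_visit", Flow("salary_expectations", "patient", "patient", "dentist", "consent", "treatment")),
        # same data type the dentist legitimately receives, but a different purpose: still a violation
        "medication reused for billing": ("dentist_visit", Flow("medication", "patient", "patient", "dentist", "consent", "credit_check")),
    }
    for name, (ctx, flow) in cases.items():
        bad = assess(ctx, flow)
        print(f"{name}: {'appropriate' if not bad else 'violates ' + ', '.join(bad)}")
```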

The Privacy-Transparency Tradeoff

📚 Reading Assignment: Society Runs on Information Flows - Johannes Stutz, OpenMined (2021)

Because data can be used harmfully, we constantly have to make trade-offs about whether to share information, carefully weighing the benefits against the risks.

A privacy dilemma is a trade-off on whether or not to reveal information, where revealing that information causes some social good but could also lead to harm. Example: medical records can be used for scientific research, but we don't want information about individuals being leaked.

A transparency dilemma arises when someone is forced to make a decision without access to the information they need to make it. Sometimes the necessary information flows don't exist at all, such as when deciding whether you can trust a stranger to fix your car's engine. Sometimes they exist, but their content is not verified, as with online product reviews.

❓ Consider:

  • Have you recently faced a privacy or transparency dilemma?
  • How does the article's assertion that 'everything can be private data' change your understanding of personal data?
  • Can you think of a fact about yourself that would be very revealing, although another person might not consider it sensitive?


Further Reading