6.6.3 Privacy

Privacy is a right to the appropriate flow of information.

A third area where researchers may struggle is privacy. As Lowrance (2012) put it quite succinctly: “privacy should be respected because people should be respected.” Privacy, however, is a notoriously messy concept (Nissenbaum 2010, chap. 4), and, as such, it is a difficult one to use when trying to make specific decisions about research.

A common way to think about privacy is with a public/private dichotomy. By this way of thinking, if information is publicly accessible, then it can be used by researchers without concerns about violating people’s privacy. But this approach can run into problems. For example, in November 2007, Costas Panagopoulos sent letters about an upcoming election to everyone in three towns. In two towns—Monticello, Iowa and Holland, Michigan—Panagopoulos promised/threatened to publish a list of people who had voted in the newspaper. In the other town—Ely, Iowa—Panagopoulos promised/threatened to publish a list of people who had not voted in the newspaper. These treatments were designed to induce pride and shame (Panagopoulos 2010) because these emotions had been found to impact turnout in earlier studies (Gerber, Green, and Larimer 2008). Information about who votes and who doesn’t is public in the United States; anyone can access it. So, one could argue that because this voting information is already public, there is no problem with a researcher publishing it in the newspaper. On the other hand, something about that argument feels wrong to some people.

As this example illustrates, the public/private dichotomy is too blunt (boyd and Crawford 2012; Markham and Buchanan 2012). A better way to think about privacy—one especially designed to handle issues raised by the digital age—is the idea of contextual integrity (Nissenbaum 2010). Rather than considering information as public or private, contextual integrity focuses on the flow of information. According to Nissenbaum (2010), “a right to privacy is neither a right to secrecy or a right to control but a right to appropriate flow of personal information.”

The key concept underlying contextual integrity is context-relative informational norms (Nissenbaum 2010). These are norms that govern the flow of information in specific settings, and they are determined by three parameters:

  • actors (subject, sender, recipient)
  • attributes (types of information)
  • transmission principles (constraints under which information flows)

Thus, when you as a researcher are deciding whether to use data without permission it is helpful to ask, “Does this use violate context-relative informational norms?” Returning to the case of Panagopoulos (2010), in this case, having an outside researcher publish lists of voters or nonvoters in the newspaper seems likely to violate informational norms. This is probably not how people expect information to flow. In fact, Panagopoulos did not follow through on his promise/threat because local election officials traced the letters to him and persuaded him that it was not a good idea (Issenberg 2012, 307).

The idea of context-relative informational norms can also help evaluate the case I discussed at the beginning of the chapter regarding the use of mobile phone call logs to track mobility during the Ebola outbreak in West Africa in 2014 (Wesolowski et al. 2014). In this setting, one could imagine two different situations:

  • Situation 1: sending complete call log data [attributes]; to governments of incomplete legitimacy [actors]; for any possible future use [transmission principles]
  • Situation 2: sending partially anonymized records [attributes]; to respected university researchers [actors]; for use in response to the Ebola outbreak and subject to the oversight of university ethical boards [transmission principles]

Even though in both of these situations call data are flowing out of the company, the informational norms concerning these two situations are not the same because of differences between the actors, attributes, and transmission principles. Focusing on only one of these parameters can lead to overly simplistic decision-making. In fact, Nissenbaum (2015) emphasizes that none of these three parameters can be reduced to the others, nor can any one of them individually define informational norms. This three-dimensional nature of informational norms explains why past efforts—which have focused on either attributes or transmission principles—have been ineffective at capturing common-sense notions of privacy.

One challenge with using the idea of context-relative informational norms to guide decisions is that researchers might not know them ahead of time and they are very hard to measure (Acquisti, Brandimarte, and Loewenstein 2015). Further, even if some research would violate contextual-relative informational norms that does not automatically mean that the research should not happen. In fact, chapter 8 of Nissenbaum (2010) is entirely about “Breaking Rules for Good.” Despite these complications, context-relative informational norms are still a useful way to reason about questions related to privacy.

Finally, privacy is an area where I’ve seen misunderstandings between researchers who prioritize Respect for Persons and those who prioritize Beneficence. Imagine the case of a public health researcher who, in an effort to prevent the spread of a novel infectious disease, secretly watched people taking showers. Researchers focusing on Beneficence would focus on the benefits to society from this research and might argue that there was no harm to participants if the researcher did her spying without detection. On the other hand, researchers who prioritize Respect for Persons would focus on the fact that the researcher was not treating people with respect and might argue that harm was created by violating the privacy of participants, even if the participants were not aware of the spying. In other words, to some, violating people’s privacy is a harm in and of itself.

In conclusion, when reasoning about privacy, it is helpful to move beyond the overly simplistic public/private dichotomy and to reason instead about context-relative informational norms, which are made up of three elements: actors (subject, sender, recipient), attributes (types of information), and transmission principles (constraints under which information flows) (Nissenbaum 2010). Some researchers evaluate privacy in terms of the harm that could result from its violation, whereas other researchers view the violation of privacy as a harm in and of itself. Because notions of privacy in many digital systems are changing over time, vary from person to person, and vary from situation to situation (Acquisti, Brandimarte, and Loewenstein 2015), privacy is likely to be a source of difficult ethical decisions for researchers for some time to come.