6.6.3 Privacy

Privacy is a right to the appropriate flow of information.

A third area where researchers may struggle is privacy. As Lowrance (2012) put it quite succinctly: “privacy should be respected because people should be respected.” Privacy, however, is a notoriously messy concept (Nissenbaum 2010, Ch. 4), and as such, it is difficult to use when trying to make specific decisions about research.

A common way to think about privacy is with a public/private dichotomy. By this way of thinking, if information is publicly accessible, then it can be used by researchers without concerns about violating people’s privacy. But this approach can run into problems. For example, in November 2007 Costas Panagopoulos sent everyone in three towns a letter about an upcoming election. In two towns—Monticello, Iowa and Holland, Michigan—Panagopoulos promised/threatened to publish in the newspaper a list of people who had voted. In the other town—Ely, Iowa—Panagopoulos promised/threatened to publish in the newspaper a list of people who had not voted. These treatments were designed to induce pride and shame (Panagopoulos 2010) because these emotions had been found to impact turnout in earlier studies (Gerber, Green, and Larimer 2008). Information about who votes and who doesn’t is public in the United States; anyone can access it. So, one could argue that because this voting information is already public, there is no problem with the researcher publishing it in the newspaper. On the other hand, something about that argument feels wrong to many people.

As this example illustrates, the public/private dichotomy is too blunt (boyd and Crawford 2012; Markham and Buchanan 2012). A better way to think about privacy, one especially designed to handle issues raised by the digital age, is the idea of contextual integrity (Nissenbaum 2010). Rather than considering information public or private, contextual integrity focuses on the flows of information. For example, many people would be unbothered if their doctor shared their health records with another doctor but would be unhappy if their doctor sold this same information to a marketing company. Thus, according to Nissenbaum (2010), “a right to privacy is neither a right to secrecy or a right to control but a right to appropriate flow of personal information.”

The key concept underlying contextual integrity is context-relative informational norms (Nissenbaum 2010). These are norms that govern the flows of information in specific settings, and they are determined by three parameters:

  • actors (subject, sender, recipient)
  • attributes (types of information)
  • transmission principles (constraints under which information flows)

Thus, when you as a researcher are deciding whether to use data without permission, it is helpful to ask, “Does this use violate context-relative informational norms?” Returning to the case of Panagopoulos (2010), having an outside researcher publish lists of voters or non-voters in the newspaper seems likely to violate informational norms. In fact, Panagopoulos did not follow through on his promise/threat because local election officials traced the letters to him and persuaded him that it was not a good idea (Issenberg 2012, 307).

In other settings, however, thinking about context-relative informational norms requires a bit more consideration. For example, let’s return to the possibility of using mobile phone call logs to track mobility during the Ebola outbreak in West Africa in 2014, a case that I discussed in the introduction to this chapter (Wesolowski et al. 2014). In this setting, we can imagine two different situations:

  • Situation 1: sending complete call log data [attributes]; to governments of incomplete legitimacy [actors]; for any possible future use [transmission principles]
  • Situation 2: sending partially anonymized records [attributes]; to respected university researchers [actors]; for use in response to the Ebola outbreak and subject to the oversight of university ethical boards [transmission principles]

Even though in both of these situations call data are flowing out of the company, the informational norms concerning these two situations are not the same because of differences between the actors, attributes, and transmission principles involved. Focusing on only one of these parameters can lead to overly simplistic decision-making. In fact, Nissenbaum (2015) emphasizes that none of these three parameters can be reduced to the others, nor can any one of them individually define informational norms. This three-dimensional nature of informational norms explains why past efforts—that have focused on either attributes or transmission principles—have been ineffective at capturing common-sense notions of privacy.

One challenge with using the idea of context-relative informational norms to guide decisions is that researchers might not know them ahead of time and they are very hard to measure (Acquisti, Brandimarte, and Loewenstein 2015). Further, even if some research would violate context-relative informational norms, that does not automatically mean that the research should not happen. In fact, Chapter 8 of Nissenbaum (2010) is entirely about “Breaking Rules for Good.” Despite these complications, context-relative informational norms are still a very useful way to reason about questions related to privacy.

Finally, privacy is an area where I’ve seen many misunderstandings between researchers who prioritize Respect for Persons and those who prioritize Beneficence. Imagine the case of a public health researcher who secretly watches people taking showers because understanding hygiene is key to preventing the spread of a novel infectious disease. Researchers focusing on Beneficence would focus on the benefits to society from this research and might even argue that there is no harm to participants if the researcher does her spying without detection. On the other hand, researchers who prioritize Respect for Persons would focus on the fact that the researcher is not treating people with respect and is in fact doing them harm by violating their privacy. Unfortunately, it is not easy to resolve the conflicting views of this situation (although the best solution in this case might just be to ask for consent).

In conclusion, when reasoning about privacy, it is helpful to move beyond the overly simplistic public/private dichotomy and to reason instead about context-relative informational norms, which are made up of three elements: actors (subject, sender, recipient), attributes (types of information), and transmission principles (constraints under which information flows) (Nissenbaum 2010). Some researchers evaluate privacy in terms of harm that could result from the violation of privacy, whereas other researchers view the violation of privacy as a harm in and of itself. Because notions of privacy in many digital systems are changing over time, vary from person to person, and vary from situation to situation (Acquisti, Brandimarte, and Loewenstein 2015), privacy is likely to be a source of difficult ethical decisions for researchers for some time.