Thursday, December 27, 2012

what is privacy?

Oftentimes when I find myself in a conversation about Privacy, there's a lack of clarity around what exactly we're discussing.  It's widely accepted that people who are experts on privacy all speak the same language and have the same goals.

I'm not so sure this is true.

This came up in a discussion with Jishnu yesterday, and we needed a common starting place.  So I'd like to take a little time to lay out what I'm thinking when I talk about Privacy, especially since I'm mainly focused on empowering individuals with control over data sharing and not so much on keeping secrets.
Privacy is the ability for an individual to have transparency, choice, and control over information about themselves.
At the risk of sounding too clichéd, I'm gonna use a pyramid to explain my thinking.  There are three parts to establishing privacy:

First, an organization's (or individual's) collection, sharing and use of data must be transparent.  This is crucial because choice and control cannot be realized without honesty and fairness.

Second, individuals must be provided choice.  This means data subjects (those people whose data is being collected, used or shared) must be able to understand what's going to happen with their data and have the ability to provide dissent or consent.

Third, when it's clear what's happening and individuals have an understanding about what they want, they must be given control over collection, sharing or use of the data in question.

This means control depends on choice, which in turn depends on transparency.  You cannot make decisions unless you're given the facts.  You cannot make your desires reality unless you've decided what you want.

For the engineers out there (like me), these dependencies can be modeled like this:
[Transparency] = Awareness of Data Practices
[Choice] = [Transparency] + Individual's Wants
[Control] = [Choice] + Organizational Cooperation
Control is the goal, but it requires Transparency and Choice to work -- as well as some additional inputs.  Privacy is the whole thing: all three pieces acting together with support from both data controllers and data subjects to empower individuals with a say in how their data is used.

The privacy perception gap (the distance between what people believe happens to their data and what actually happens) is a symptom of ineffective transparency and choice; it is the result of people's inability to really understand what's going on, so they have no chance to establish positions about what is okay.  When transparency and choice are built into a system, the gap shrinks and people have most of what they need to regain control over their privacy.

What is privacy to you?


Arvind Narayanan said...

"It's widely accepted that people who are experts on privacy all speak the same language and have the same goals."

Wait, what? If anything, the opposite of this is widely accepted. It's a cliche to observe that everyone means something different when they use the word privacy.

Sid Stamm said...

@Arvind: Yeah, that didn't come out right. Maybe I should have said something like "It's generally expected by non-experts that those who are experts on privacy agree on what it means."

We privacy geeks surely don't agree on what privacy means, but I think those outside the field expect us to.

Ian Tommins (thelem) said...

I don't understand your distinction between choice and control. Surely if you offer me choices about what you're allowed to do with my data, then that is putting me in control? Unless you ignore my choices, but then you're talking about honesty, which the whole pyramid relies on.

Tim said...

Going on from the point Ian made, I don't think privacy should always be built on or depend on trust and honesty or transparency.

For me privacy is about what I share with whom. And "having privacy", for me means not having to share something with a certain entity.

So I guess my view of privacy is more easily modeled by a directed graph, where each edge also has an "amount or type of information" property.

Sid Stamm said...

@thelem: the way I think about it, choice is being armed with enough information and motivation to decide what you want, whereas control is making your choice reality. I can choose not to share my birthday with the whole world, but unless there are appropriate "share-with-whom" settings on sites like Facebook I don't actually have control. Sometimes I hear both of these collapsed into one concept, but I want to tease them out. Do Not Track (as-is in Firefox) mostly provides choice. Control is only realized when sites decide to act on the signal.

@Tim: good point, yeah, I guess this post is really organization-centric and focused on how to design privacy into products. I'm curious: how can you feel like you have control when you're not aware what organizations/entities do with your data (lack of transparency)? My impression is that transparency (whether voluntary or forced by reverse-engineering, for example) is required to construct your graph.
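To make the choice/control distinction in the reply above concrete, here is an added example (not code from the original post, and not Firefox or Mozilla code). It models two hypothetical site handlers: both receive the same request carrying the user's Do Not Track signal (the real `DNT: 1` request header), but only one branches on it. The `Request`/`Response` classes, the handler names and the visitor id are constructed for the example; the `Tk` response header is the W3C Tracking Preference Expression status header.

```python
"""
Added example: choice vs. control, using the Do Not Track header.

The browser expresses the user's *choice* by sending ``DNT: 1``.
*Control* exists only when the site's code actually acts on it.
Request/Response are toy stand-ins for a real framework's objects.
"""
from dataclasses import dataclass, field
from http.cookies import SimpleCookie


@dataclass
class Request:
    # Constructed request: only the pieces this example needs.
    headers: dict
    path: str = "/"


@dataclass
class Response:
    status: int = 200
    headers: dict = field(default_factory=dict)
    body: str = ""


def user_opted_out(request: Request) -> bool:
    """True when the client sent DNT: 1 (header names are case-insensitive)."""
    for name, value in request.headers.items():
        if name.lower() == "dnt":
            return value.strip() == "1"
    return False


def set_tracking_cookie(resp: Response, visitor_id: str) -> None:
    """Attach a long-lived identifier cookie: the 'tracking' in this example."""
    cookie = SimpleCookie()
    cookie["uid"] = visitor_id
    cookie["uid"]["path"] = "/"
    cookie["uid"]["max-age"] = str(365 * 24 * 3600)
    resp.headers["Set-Cookie"] = cookie.output(header="").strip()


def handler_ignores_dnt(request: Request, visitor_id: str = "v-0001") -> Response:
    """Choice without control: the user's signal never influences behaviour."""
    resp = Response(body="hello")
    set_tracking_cookie(resp, visitor_id)
    return resp


def handler_honors_dnt(request: Request, visitor_id: str = "v-0001") -> Response:
    """Control: the user's choice is projected onto the system's behaviour."""
    resp = Response(body="hello")
    if user_opted_out(request):
        # Tk: N tells the client the site saw the signal and is not tracking.
        resp.headers["Tk"] = "N"
        return resp
    resp.headers["Tk"] = "T"  # T = tracking
    set_tracking_cookie(resp, visitor_id)
    return resp


if __name__ == "__main__":
    opted_out = Request(headers={"DNT": "1"})  # constructed request
    print("ignores:", handler_ignores_dnt(opted_out).headers)
    print("honors: ", handler_honors_dnt(opted_out).headers)
```

Run stand-alone it prints the two response header sets side by side: the first still carries `Set-Cookie`, the second carries only `Tk: N`. The user made the same choice in both cases; only the second site gave them control.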

JC said...

Thanks for attempting to tackle this issue and start a conversation on privacy.

Anonymous said...

"Control over the use of my data in a social context" I think danah boyd used this definition.

This is pretty close to your definition, but seemed easier to me. I am not sure about the value of having a choice in the pyramid: I think control implies choice.

Anonymous said...

Wow, I'm glad you think this is simple enough to sum up in a blog post. Or perhaps that worries the crap out of me.

Sid Stamm said...

@Anonymous 3:44PM: Yes, control implies choice and choice implies transparency (you can't choose unless you know from what you're choosing, and you cannot have control unless you know how you want something controlled).

@Anonymous 11:09AM: I don't think this is everything -- just the way I begin to think about privacy. The real meat is in how concepts like this map to online interactions. That's not simple enough for a blog post. ;)

Unknown said...

Could you please elaborate on "Control"? We are compelled to ignore 5 pages of privacy agreement. Having the option to press "I agree / Decline" button doesn't sound like control; does it?

Sid Stamm said...

@Nurul: the presence of two buttons is not enough for control. Control requires the user to make a choice first (you can't have control unless you know what you want). Control comes in when you can project your privacy choices on the behavior of the system. Agree/Disagree is not real control at all since it's basically giving you the option to accept the terms or go buzz off.