Law in the Internet Society

View   r3  >  r2  ...
JohnStewartSecondPaper 3 - 11 May 2013 - Main.JohnStewart
Line: 1 to 1
 
META TOPICPARENT name="SecondPaper"
Changed:
<
<

Review of Helen Nissenbaum’s essay “A Contextual Approach to Privacy Online”

>
>

Regulating Privacy

 
Deleted:
<
<
-- By JohnStewart - 18 Jan 2013
 
Changed:
<
<
Link to essay: “A Contextual Approach to Privacy Online”
>
>
-- By JohnStewart
 
Changed:
<
<
As more services move “on-line” so does more personal information. The past 10 years have seen a meteoric rise in the amount of personal information that has moved online and the next 10 is certain to see exponentially more. This information has moved online so quickly that a system of regulations and social norms have not developed yet in the same way privacy protections and expectations exist in other contexts such as healthcare (doctor patient privilege), legal services (client confidentiality) and even the handling of sensitive tax information.
>
>
As more services move “on-line” so does more personal information. The past 10 years have seen a meteoric rise in the amount of personal information exchanged online and the next 10 is certain to see exponentially more. This information has moved online so quickly that a system of regulations and social norms have not developed yet in the same way privacy protections and expectations exist in other contexts such as healthcare (doctor patient privilege), legal services (client confidentiality) and even the handling of sensitive tax information.
 
Changed:
<
<
The lack of a legal framework to govern the handling of personal information online has led to a variety of privacy concerns in the online context. NYU Professor of Media, Culture and Communication, and Computer Science, Helen Nissenbaum has published a series of works discussing her theory of contextual integrity which is an attempt to provide a conceptual framework to create privacy protections, whether it be through governmental regulations or a company’s privacy policy.
>
>
The lack of a legal framework to govern the handling of personal information online has led to a variety of privacy concerns in the online context. NYU Professor Helen Nissenbaum has published a series of works discussing her theory of contextual integrity which is an attempt to provide a conceptual framework to create privacy protections, whether it be through governmental regulations or a company’s privacy policy.
 
Changed:
<
<
Professor Nissenbaum explains that the traditional approaches to privacy online have been transparency and choice. Under this ideal consumers would be fully informed of how their data is being used and what is being collected. Being fully informed of the privacy implications they would then be free to choose whether they would like to utilize the service or engage in the activity, fully aware of the privacy implications of their choice. This approach is guided predominantly by two considerations: the first is that the right to privacy is generally viewed as a right to control information about oneself; and second, the notice-and-consent approach fits neatly within the paradigm of a competitive free market.
>
>
Her views have begun to make an impact and it is important to take a closer look at the direction they may be pushing policy makers and companies.
 
Changed:
<
<
However, Professor Nissenbaum argues this approach has failed. The now prevalent policy of “opt-out” doesn't model the free market ideal of a consumer freely choosing, there is a question of whether people even are able to choose to use a service or not (given that in many cases the costs, social and otherwise, of not utilizing a certain service such as LinkedIn? or Facebook may be high) and most privacy policies are not comprehensible to the average consumer, and even if they were, companies are able to change them so frequently they aren’t effective at fully informing the consumer of their rights.
>
>
Against a backdrop of industry lobbying and studies, attempting to avoid US adoption of EU-style opt-in advertising tracking regulation, the FTC has begun to make some progress by publishing a proposed framework for business and policymakers, and The White House has made public it’s Privacy Bill of Rights.
 
Changed:
<
<
Professor Nissenbaum states that many view these problems as pointing to a need for changes to the current notice and consent approach, however she takes the more forceful position that the approach itself must be abandoned for one that takes into account the particularities of the relevant online activity. She argues that the notice and consent approach is doomed to fail in large part due to the information paradox. One of the fundamental features of the notice and consent approach is that the consumer is fully informed with respect to the way in which their information is going to be used and what information is going to be collected. The information paradox explains that the more understandable a privacy policy is the less it fully explains important information (and thus leaving out details that matter) but the more complete and accurate it is the less likely people are going to understand it. In the online context there are simply too many technical details of how information is collected and the various ways it may be shared with 3rd parties to effectively explain precisely what is going on. In other technical fields where the notice and consent approach has worked, such as healthcare where patients are informed about the risks of particular surgeries, the patients are able to rely on the system (medical schools, experience of the doctors etc.) whereas online the individual is effectively on their own in making the decisions.
>
>
While a good starting point for discussion, I believe Professor Nissenbaum’s theory is fatally flawed because of her assertion that “the net” is not a distinctive space, and rather is merely an extension of our traditional social life. Whether you are banking in person at a brick and mortar bank, or logging in online she views both situations as analogous. Her theory suggests that privacy norms that govern these activities in the offline world should be applied to analogous activities online.
 
Changed:
<
<
As a result of the flaws in the current system she proposes a new approach termed “contextual integrity.” The goal of the approach is to provide a path to a point where consumers are able to rely on the supporting assurances (as they exist in the healthcare context) to make an informed decision with respect to which services to use.
>
>

The New Information of the Net

 
Changed:
<
<
Professor Nissenbaum argues that “the net” should not be conceptualized as a distinctive space – rather it is deeply integrated into our social life. Activities we normally performed “offline”, such as shopping or banking, may now be performed online, however there is nothing new or inherently different about them. The problem with privacy online is that the Net has created new ways in which information is collected and disseminated. The key to creating a privacy framework for the Net is to establish appropriate constraints on the flow of personal information via these new channels.
>
>
This approach may work when consumers engage in behavior online that has a readily analogous counterparts in the real world – shopping on Amazon vs. shopping in a Target store, interacting with a healthcare provider online vs. in the doctor’s office – presumably one doesn’t expect your doctor to share your health records, whereas it wouldn’t be surprising if Target tracked your buying habits to try to stock more popular items. Applying a stricter privacy standard to healthcare providers than online shopping merchants makes sense.
 
Changed:
<
<
Contextual integrity suggests that we should “locate contexts, explicate entrenched informational norms, identify disruptive flows, and evaluate these flows against norms based on general ethical and political principles as well as context specific purposes and values.” For example, when you deal with your bank you assume that the rules governing your banking information will not change simply because the interaction takes place online. Contextual integrity would suggest that the same norms that govern your interaction with your bank in person should govern your interaction online. In this way the various activities on the Net through which your personal information is collected should be governed by the norms that guide the activity offline. Where there are no obvious applicable norm/social precedents Professor Nissenbaum suggests we begin by looking at the ends, purposes and values of the service and pull the norms from there.
>
>
The model however begins to break down when one begins to examine all of the ways in which the two contexts are not similar or analogous at all. Professor Nissenbaum acknowledges that “the key to creating a privacy framework for the Net is to establish appropriate constraints on the flow of personal information via these new channels.” However, it isn’t that the net merely provides new channels for information to flow, it’s that it has created entirely new types of personal information that is collectable, analyzed and used, all without the knowledge of the user. By beginning from the premise that “the net” isn’t fundamentally different she is constrained to thinking of information on the net in the context of offline activities, a sort of pre-net mindset.
 
Changed:
<
<
Professor Nissenbaum’s theory provides a promising framework through which government and corporate actors may turn to in crafting privacy regulations. As it currently stands the United States has very little in the way of privacy regulations applicable to the handling of personal information online. The next decade will be an important period during which norms governing online privacy will begin to solidify and dictate the degree of protection we have for many years to come – the theory of contextual integrity is a good starting point.
>
>
While a conceptual framework of privacy might be appealing in the abstract, its inability to offer guidance for the new types of information being collected online is a problem. The second the ink is dry writing regulations dealing with today’s data collection practices new practices will spring up tomorrow. I believe an opt-in tracking regime, mandated by the government, is the only way that the consumer will be protected against ever-changing tracking and uses of personal information online. The advertising companies argue this will cripple the lifeblood of the internet – advertising supported sites. I find this argument arguments unpersuasive. Simply because curbing data collection practices would cause economic harm to certain companies, does not mean that they should be allowed to have developed in the first place.
 
Added:
>
>
Others, as Professor Nissenbaum does, argue that notice and consent approach to privacy has failed in large part because the many ways information is collected online is often too complex to explain to the consumer to give them a meaningful, informed choice to opt-out. However, simply because consumers may not understand how their data is being collecting doesn’t mean, by default, it should be collected. This is exactly why a consumer regulatory agency, like the FTC needs to go beyond publishing an aspirational bill of rights and instead regulate strong, meaningful privacy protections, based along the lines of what the EU has done.
 
Changed:
<
<
This draft isn't yet a review: it's a restatement. You engage with her ideas perfunctorily in the final paragraph, blessing them as "a promising framework." The job of the reviewer, presuming for a moment that the judgment is correct, is to show what the framework promises, and why.
>
>

Searching for a Solution

 
Changed:
<
<
Here one would have wanted the essayist to have something of his or her own to say. Helen's argument works better, for example, for the sorts of information turned up in the course of traditional banking, shopping, etc. But we are now talking about new forms of information subject to new forms of analysis, about which it is already clear that people's ethical intuitions may be challenged by altered realities, and altered material possibilities.
>
>
From a practical standpoint her essay appears to assume that the government and companies are actually interested in working towards a better system of privacy protection. This assumption may be true for companies who’s reputations depends upon consumer confidence that their information is protected, like banks or healthcare providers, pharmacies, universities etc.
 
Changed:
<
<
If that's true, then Helen's argument possesses a quality of nostalgia, assuming that familiar objects and activities (money, shopping, going to a movie, a billboard, a shopfront, a wallet, taking a walk in the park) are still more or less the same as they used to be, and only "the Net" (which we are not to consider something different) has been added. Perhaps what has actually happened is that the advent of a social condition (miscalled, as though it were a thing, "the Net") has changed all these other familiar objects and activities, so that they possess both previously unknown attractions (or conveniences) and previously unknown dangers, riches, conflicts, opportunities? In that case what becomes of Helen's approach, and how might it be reconstructed?
>
>
But, the online companies that present the biggest privacy concerns, again the ones her framework is most likely to overlook, are more likely to resist regulation or changes to the data collection practices. Her theory assumes that the interests of the traditional offline companies and those that exist entirely on the “net” are aligned when they are not.
 
Changed:
<
<
Not that my review of Helen's argument as you've restated it is actually my review of Helen's article, which I'm not writing. Why don't we talk about your ideas instead of hers?

>
>
Any sort of industry self-regulation is only going to co-opt a real regulatory overhaul. What consumers needs is for the government to set a basic floor for privacy protection (a floor much higher than exists today) that companies are free to build upon this as they see fit. While not perfect, this approach is a step in the right direction, and better than the wild-west system we live in today that is a result of the laissez-faire approach taken thus far.
 
Added:
>
>
- John Stewart
  \ No newline at end of file

Revision 3r3 - 11 May 2013 - 20:35:28 - JohnStewart
Revision 2r2 - 31 Mar 2013 - 19:24:19 - EbenMoglen
This site is powered by the TWiki collaboration platform.
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.
Syndicate this site RSSATOM