understanding the importance and impact of anonymity and authentication in a networked society

Why Definitions Matter: an Example Drawn from Davis on Privacy

Posted by: Jason Millar // 02:09 PM // October 17, 2006 // ID TRAIL MIX


Concepts inform our interpretations of the world. As such their definitions are important for our common understanding. On a multidisciplinary project like the Identity Trail, confusion over definitions can undermine our ability to discuss certain issues that rest on complex concepts like privacy. Along these lines I would like to comment on one philosophical project undertaken by Steven Davis during his trip down the Identity Trail, namely his attempt to find a definition of privacy, as outlined in his forthcoming publication (initially entitled) “Privacy, Rights, and Moral Value”. For those who have not (and will not) read the paper I will offer a preamble on the general problem at hand.

The preamble: Haven’t we heard this before!?

Much of my time on the Identity Trail has been spent being exposed to a number of multidisciplinary perspectives on privacy. Some of those perspectives are legal ones, offering up descriptions of how current laws are challenged by the various privacy implicating technologies being used and created every day. Others are sociological, describing how technologies are approached and used with specific focus being placed on the effects or implications of privacy on a technologically mediated interaction. Still others are technologically focused, proposing interesting privacy-enhanced/enhancing technologies often as (partial) solutions to many of the current problems highlighted in the legal and sociological streams of the project. Of course, this description fails to capture the breadth of privacy research being performed on the Identity Trail [1] but it is sufficient to point to a common thread underpinning the work, namely the general concept of privacy.

For anyone interested in understanding privacy, our agreement on the nature of the general term has implications on how we might go about discussing the theories or issues that rely on it (like those mentioned above), just as we might have to understand what is meant by the word ‘equality’ in order that we might have a meaningful discussion about laws or public policies that implicate it. Of course, even the importance of understanding the nature of privacy generates much debate in and among the various fields concerned. Exasperated privacy advocates argue that we could better spend our time focusing on new policies in order to deal with the existing backlog of relatively uncontested privacy concerns, while on the other end of the spectrum academic theorists—philosophers and the like—seem uneasy (as they tend to do) about the grounds upon which the issues are being fought. However, it is clear that arguments centered on privacy, in whatever discipline they reside, rely to some degree on an understanding of the general concept of privacy for their force. Whether the parties are content to implicitly borrow concepts of privacy already established in the literature, or act to modify them (explicitly or implicitly) in some way in response to new research, some particular version of the concept of privacy is nonetheless present in the arguments. Often times discussions and disagreements over the particulars of laws, policies or technologies are largely motivated by disagreements over the particulars of the concepts underscoring them. This should not ring controversial. If we are to agree on the implications of privacy in ethics, law, technology or elsewhere, we can make progress by engaging the concept explicitly on some level, given its omnipresence in the discourse. With that in mind, it is a valuable undertaking to pose the question, “What is the nature of privacy?”, even if privacy issues are of interest yet philosophy is not [2].

Davis’ Definition of Privacy and Some Implications

In response to Davis’ definition I will focus on a tension that it draws out between one’s own preferences and others’ preferences. I believe the tension points to interesting consequences in our understanding of how generalized privacy laws operate relative to the operation of our individual notions of privacy.

Davis defines privacy as the following:

In society T, S, where S can be an individual, institution, or a group, possesses privacy with respect to some proposition, p, and individual U if and only if

(a) p is personal information about S.
(b) U does not currently know or believe that p.

In society T, p is personal information about S if and only if most people in T would not want it to be known or believed that q where q is information about them which is similar to p, or S is a very sensitive person who does not want it to be known or believed that p. In both cases, an allowance must be made for information that most people or S make available to a limited number of others.
...

Consider the following scenario. On Saturday, Jane is not sensitive about others knowing her sexual orientation. Other people are able to ascertain her sexual orientation though she never offers it up, and other people, in fact, do ascertain her sexual orientation. In addition, most people in Jane’s society are also not sensitive about others knowing their sexual orientation on Saturday. For some reason, on Sunday most people in Jane’s society develop a severe sensitivity to the idea of others coming to know their sexual orientation. Jane does not develop a similar sensitivity on Sunday, and other people continue to ascertain Jane’s sexual orientation through no action on her part.

On Davis’ account Jane suffers a loss of privacy sometime on Sunday. This seems counterintuitive. Jane’s privacy is linked to sensitivities that others develop—the fact that they stop wanting their sexual orientation to be known is presumably due to some sensitivity to the information—without her having to develop the sensitivity on her own. I will call this type of sensitivity a privacy preference, since the definition links preferences about which information is personal, and which is not, directly to the notion of privacy. In this case the privacy preferences of others seem to place some sort of demand on Jane, though it is not clear what the nature of this demand is. Perhaps it suggests that she should consider her sexual orientation to be a sensitive topic. Whatever the case may be, Jane’s continued indifference to the fact that others are able to ascertain her sexual orientation must be squared with the demand resulting from the claim that Jane has suffered a loss of privacy on Sunday due to the privacy preferences of others.

This tension seems even more problematic when we note that one’s own control over personal information features heavily in the definition yet is undermined by it. Not wanting others to know p is at the core of the sensitive S’s notion of personal information, just as it is at the core of the majority’s notion of personal information. The disjunctive in the definition of personal information causes problems in that Jane apparently suffers doubly on Sunday: she has suffered a loss of privacy due to the shifting privacy preferences of others while at the same time suffering a loss of control over the very nature of information about her. Though the shifting nature of the information may not strike one as something over which one needs to maintain control, many privacy theorists have placed a premium not just on the control of the flow of information, but also on control of the nature of it in order to maintain the contextual integrity that is seen as necessary for privacy [3]. I would suggest further that a loss of control over the scope of personal information is what leads to the strange new demand that is apparently placed on Jane.

I think we can understand where the demand plays out by addressing an underlying tension between the law’s need for a normative conception of privacy and individuals’ need to navigate privacy on their own terms. As a legal (largely instrumental) definition of privacy, I think Davis’ account gains considerable traction [4]. If a majority of individuals feel that certain information is personal in that they are sensitive to others coming to know it indiscriminately, and if there is a demonstrable harm associated with others coming to know it, then the law can justify prohibiting people from trying to come to know personal information.

However, Davis’ definition of privacy loses traction on the level of the individual. If Jane does not consider a privacy loss to have occurred, the normative claim placed on her by society (and the law) will not change this. The result is that we must question whether privacy, as defined by Davis, addresses the same kind of transgression that our concern for personal control over information, i.e. the moral kind, seeks to protect us against. Privacy laws, in the sense that they can be used in cases where individuals suffer harm, certainly address moral privacy concerns. But a focus on the legal/instrumental conception of privacy and control over personal information ignores the sensitivity that motivates our individual, moral, privacy concerns in the first place. If Jane does not feel that her privacy has been violated on Sunday, then the moral notion of privacy may differ necessarily from the legal one, if only so the law may function efficiently.

It has been suggested on the Identity Trail that many people don’t seem to care about their privacy [5]. A great deal of the resulting research has focused on trying to understand why this seems to be the case. Perhaps one factor in the equation is that we mistake the legal notion of the concept for the moral one when evaluating the sensibility of people’s actions in certain contexts. Understood this way the assertion that Jane has suffered a loss of privacy may be isolated to legal concerns. Convincing Jane otherwise may do nothing to secure her privacy.

Notes:
[1] It undoubtedly also fails in its attempt to describe the nature of the work being done in the various streams by the various researchers. To that end I would invite everyone reading this entry to browse the research that has accumulated on the Identity Trail in order to appreciate the full scope of it.
[2] Several collaborators on the Identity Trail have done this explicitly, including Marsha Hanen, Steven Davis and Dave Matheson, to name a few. Others have offered research into privacy implicating activities or technologies, always (I think) with an implicit view to informing or reaffirming our understanding of the concept.
[3] Nagel, T. (1998). Concealment and exposure. Philosophy and Public Affairs, 27(1), 3-30.; Nissenbaum, H. (1998). Protecting privacy in an information age: The problem of privacy in public. Law and Philosophy: An International Journal for Jurisprudence and Legal Philosophy, 17(5-6), 559-596.; Rachels, J. (1975). Why privacy is important. Philosophy and Public Affairs, 4, 323-333.; Scanlon, T. (1975). Thomson on privacy. Philosophy and Public Affairs, 4, 315-322.
[4] I invite the legal theorists to correct me in my discussion of the nature and function of laws if they feel compelled to do so.
[5] For example, Jaquelyn Burkell in this ID Trail Mix piece.

Comments

I appreciate Jason’s thoughtful comments about my paper and his points about the importance that conceptual work on the notion of privacy should play in research connected to the notion. I think that the lack of clarity about what privacy is has adversely affected court judgments, especially in the United States, that appeal to the notion. I am thinking of Griswold v Connecticut and Roe v Wade, for example, and the cases which cite these as precedents, which appeal to an implicit right to privacy in the US Constitution and construe this as a right to control personal information. I think that this confuses privacy with the right to privacy and is confused about what privacy is, since I do not think that it is control over information. The point can be generalized to any research about privacy or any complex notion; it is important to have a clear idea what the concept is before undertaking legal or technological research that employs the concept.

Jason offers a counter example which he claims cuts against my analysis of privacy. I think that this is not the case. My analysis comes in two parts: my account of privacy and my account of personal information. If Jason’s counter example is a counter example to anything, it is to my account of personal information. Let me repeat Jason’s counter example.

Consider the following scenario. On Saturday, Jane is not sensitive about others knowing her sexual orientation. Other people are able to ascertain her sexual orientation though she never offers it up, and other people, in fact, do ascertain her sexual orientation. In addition, most people in Jane’s society are also not sensitive about others knowing their sexual orientation on Saturday. For some reason, on Sunday most people in Jane’s society develop a severe sensitivity to the idea of others coming to know their sexual orientation. Jane does not develop a similar sensitivity on Sunday, and other people continue to ascertain Jane’s sexual orientation through no action on her part.
On Davis’ account Jane suffers a loss of privacy sometime on Sunday. This seems counterintuitive. (p. 4)

What is supposed to change in Jason’s scenario is that on Saturday, call this t, the information that Jane is sexually oriented towards X’s (JSO), which some of those in her society know or believe, is not personal information, since neither Jane nor most people in her society are sensitive about people’s sexual orientation. In Jason’s scenario, most people in Jane’s society change their sensitivity about sexual orientation suddenly so that on the next day, Sunday, they are sensitive about sexual orientation. Hence, JSO, although not personal information on Saturday, becomes personal information on Sunday. Let us consider S, one of the people who on Saturday knows JSO. His knowing JSO does not constitute either a lack of privacy or a loss of privacy on Jane’s part, since on Saturday, JSO is not personal information. But in Jason’s scenario, since on Sunday most people in Jane’s society become sensitive about sexual orientation, JSO becomes personal information. That on Sunday JSO is now personal information leads Jason to claim that Jane has suffered a loss of privacy with respect to JSO. But with respect to whom?

For a counterexample to bite, it must be plausible, but it is not plausible that in a society, from one day to the next most people in the society could change their sensitivity about sexual orientation. To make the counter example more plausible, suppose that the change in sensitivity occurs over a period of months or even years. Let us consider a time, t1, when the sensitivity of most of the people in Jane’s society has changed. As before, Jane does not change her lack of sensitivity about JSO nor does S forget what he knows about Jane’s sexual orientation; he still knows that JSO at t1. Is it the case that once Jane’s society changes its sensitivity about sexual orientation, Jane loses her privacy with respect to S and JSO? Let us look more closely at my account, which I shall repeat here.
In society T, S, where S can be an individual, institution, or a group, possesses privacy with respect to some proposition, p, and individual U if and only if
(a) p is personal information about S.
(b) U does not currently know or believe that p.
In society T, p is personal information about S if and only if most people in T would not want it to be known or believed that q where q is information about them which is similar to p, or S is a very sensitive person who does not want it to be known or believed that p. In both cases, an allowance must be made for information that most people or S make available to a limited number of others.
What my analyses of personal information and privacy yield for Jane with respect to S and JSO is that in Jason’s scenario at t Jane does not possess privacy with respect to JSO and S, since condition (a) of my analysis of privacy is not met at t. JSO is not personal information at t. Notice that at t condition (b) is also not met for S since he knows JSO. Let us now fast forward several years when most people in Jane’s society are sensitive about sexual orientation. Thus, at this time, t1, condition (a) of my analysis is met. But with respect to S condition (b) is not met. Hence, with respect to S and JSO Jane has not moved from possessing privacy to not possessing privacy. Jane with respect to S and JSO still does not possess privacy. Hence, with respect to S and JSO from t to t1 there is not a loss on Jane’s part of her privacy. Now let us consider someone else, T, who at t does not know JSO, but also at t condition (a) is not met, since JSO is not personal information about Jane. Thus, at t with respect to T and JSO Jane does not possess privacy. Let us now consider t1 and Jane’s privacy with respect to T and JSO. JSO is personal information; so condition (a) is met and T does not know JSO; so condition (b) is met. Hence, Jane possesses privacy with respect to T and JSO. Let us now consider a time after t1, t1+n, when T comes to know JSO. My analysis has it that at t1+n Jane does not possess privacy with respect to T and JSO. Thus Jane has suffered a loss of privacy with respect to T and JSO. No change has occurred with respect to Jane; she does not change her sensitivity about others knowing about her sexual orientation or about the sexual orientation of others. What has changed is that Jane’s society has changed its sensitivity AND T comes to know JSO. Jason concentrates only on the change of sensitivity about sexual orientation among the people in Jane’s society and not on some individual’s change in his knowledge or belief about Jane’s sexual orientation.
I do not find it counter intuitive that after Jane’s society changes its sensitivity about sexual orientation, Jane would cease to possess privacy with respect to someone who after the change comes to know what her sexual orientation is. What Jason seems to disregard is that my account of privacy is with respect to an individual and a proposition, a point that I have taken from David Matheson. Hence, Jason has not provided a counter example to my analyses of either privacy or personal information.

Jason draws some puzzling conclusions from his putative counter example to my analyses, but these seem to involve him smuggling in a normative notion into my analyses, something that I was careful to avoid, since I want to distinguish privacy from the right to privacy and from the question about whether privacy is a good thing. But I shall not take up here the further points that Jason makes. I would like to thank him again for his comments.

Posted by: Steven Davis at October 21, 2006 09:19 AM

Thanks to both Jason and Steven for this very interesting exchange. Since it pertains to an aspect of the theory of privacy in which I have a particular interest, I thought I’d add my two cents.

I take one of the larger points that Jason is after in his piece to be, roughly, that it is counterintuitive to suppose that losses of privacy can occur merely by virtue of changes in sensitivity. Something more is required, e.g. a change in the epistemic position of others vis-à-vis information about an individual, a change with respect to whether they know that information. And, even if we grant the soundness of Steven’s response to the particular example that Jason raises, it remains the case that on Steven’s account of privacy (taken in conjunction with the account of personal information on which it builds), losses of privacy can occur merely by virtue of changes in sensitivity.

To illustrate, let’s slightly modify Jason’s original example. Suppose that in October of 1996 Alita, along with virtually all other members of her society, are understandably sensitive about the details of their romantic lives. They don’t want those details widely known by others. Suppose further that during this period, very few people in Alita’s society know the details of her romantic life. Consider a member of Alita’s society, Zelig, who is clueless about these details. On Steven’s account, we can say that in October of 1996, Alita has privacy relative to those details about her romantic life and to Zelig.

Now skip ahead to October of 2006. During the course of the last ten years, a significant shift has occurred in Alita’s society: now, in contrast to October 1996, virtually no one in her society -- including Alita -- cares about whether the details of their romantic lives are widely known. Zelig still lives in Alita’s society, and he remains as ignorant now of the details about Alita’s romantic life as he was in October 1996. But notice: on Steven’s account of privacy, which builds on a sensitivity approach to personal information, it follows that Alita now no longer has privacy relative to those details about her romantic life and to Zelig. (Why? Well, according to Steven’s account, those details now no longer count as personal information about Alita, given the shift in sensitivity about them that occurred over the last decade, and so Alita now can’t have privacy about them -- with respect to anyone at all.) That strikes me -- and I assume Jason as well -- as quite counterintuitive. Zelig hasn’t changed his epistemic position vis-à-vis the details of Alita’s romantic life. How then can we say that, relative to Zelig, Alita has lost her privacy about those details? The mere shift in sensitivity doesn’t seem to be enough.

My own inclination is to say that the counterintuitiveness of this sort of result should cause us to rethink whether personal information, and hence privacy to the extent that it involves personal information, should be understood as involving a sensitivity condition. Along with Jason, I don’t think that it should. (In my earlier Blog-on-Nymity posts, here http://www.anonequity.org/weblog/archives/2005/05/sensitivity_and.php and here, http://www.anonequity.org/weblog/archives/2005/08/the_personal_an.php as well as in my forthcoming paper “Unknowableness and Informational Privacy,” I present an account of personal information that does not require a sensitivity condition of the sort Steven suggests.)

To echo both Jason and Steven, I think this issue (however we come down on it) is important for reasons that go beyond conceptual clarity for its own sake. Here’s one example.

It’s not beyond belief to suppose that corporations or government agencies might engage in propagandistic activities designed to convince many members of society not to value certain kinds of information about themselves, in the sense of not caring whether information of that sort is widely known. If one accepts a sensitivity condition on personal information, one might be led to the conclusion that the very success of such propagandistic activities absolves those who engage in them of inappropriately getting their hands on personal information about members of society. After all, if the activities are successful, sensitivity goes by the wayside, and we can no longer talk of the relevant information as personal information, concerning which the members of society have a right to privacy. But it seems to me the right thing to say about such activities is that, if successful, they may well simply lead to a situation in which many individuals have sadly been convinced for bad reasons not to care about (what remains) their personal information. Merely having been convinced for bad reasons not to be sensitive about the information shouldn’t alone, in my view, be sufficient to render the information non-personal.

Posted by: David Matheson at November 2, 2006 10:57 AM

I argue in my paper that it is possible for S who has privacy with respect to information p about him and T who is a member of S’s society no longer to have privacy with respect to p and T without there being any change in S, p, or T. This can come about if there is a change in the sensitivity with respect to the type of information in p in the society in which S and T are members. I argue if there were such a shift, p would no longer count as personal information about S.

David Matheson presents what he takes to be a counter example to my claim.

"Suppose that in October of 1996 Alita, along with virtually all other members of her society, are understandably sensitive about the details of their romantic lives. They don’t want those details widely known by others. Suppose further that during this period, very few people in Alita’s society know the details of her romantic life. Consider a member of Alita’s society, Zelig, who is clueless about these details. On Steven’s account, we can say that in October of 1996, Alita has privacy relative to those details about her romantic life and to Zelig.
Now skip ahead to October of 2006. During the course of the last ten years, a significant shift has occurred in Alita’s society: now, in contrast to October 1996, virtually no one in her society -- including Alita -- cares about whether the details of their romantic lives are widely known. Zelig still lives in Alita’s society, and he remains as ignorant now of the details about Alita’s romantic life as he was in October 1996. But notice: on Steven’s account of privacy, which builds on a sensitivity approach to personal information, it follows that Alita now no longer has privacy relative to those details about her romantic life and to Zelig. (Why? Well, according to Steven’s account, those details now no longer count as personal information about Alita, given the shift in sensitivity about them that occurred over the last decade, and so Alita now can’t have privacy about them -- with respect to anyone at all.) That strikes me -- and I assume Jason as well -- as quite counterintuitive. Zelig hasn’t changed his epistemic position vis-à-vis the details of Alita’s romantic life. How then can we say that, relative to Zelig, Alita has lost her privacy about those details? The mere shift in sensitivity doesn’t seem to be enough."

Contrary to Dave, I do not think the example he gives, slightly re-described, is counter intuitive. The reason is that Dave’s example is not a loss of privacy, but a case in which privacy no longer applies. The re-description involves how we use ‘loss of a property’ and ‘no longer having a property.’ Someone can no longer have a property without there being any change on his part. Let us take the notion of a bastard and Sam who was born in the thirties to an unwed mother. He was then a bastard, but in our society he no longer is a bastard. The reason is that being a bastard doesn't mean only that someone is born out of wedlock, but it also carries with it a negative implication. To say of someone that they are a bastard (understood literally) is not only to say that the person was born out of wedlock, but also to imply disapproval. When society no longer regards it to be shameful that people are born out of wedlock, the property of being a bastard no longer applies. Notice that it would not be true to say that the person lost the property of being a bastard. For to say this implies the property of being a bastard, although it does not now apply to him, could apply to him.

There are other properties like this, slut, for example, that no longer applies because people's attitude about women's sexuality has changed. My contention is that the notion of privacy is like these other properties; it is a notion that has connected to it a society’s sensitivity with respect to certain information. When the sensitivity is no longer there, the notion ceases to apply to this kind of information. The result is that the information is no longer private, but this does not mean that someone with respect to this information has lost his privacy.

Posted by: Steven Davis at November 7, 2006 09:52 AM

In all three examples above, there is an assumption that, just because there is an interest in privacy on Sunday, there is no interest in privacy on Saturday.

In Jason's words:
"Consider the following scenario. On Saturday, Jane is not sensitive about others knowing her sexual orientation. Other people are able to ascertain her sexual orientation though she never offers it up, and other people, in fact, do ascertain her sexual orientation. In addition, most people in Jane’s society are also not sensitive about others knowing their sexual orientation on Saturday. For some reason, on Sunday most people in Jane’s society develop a severe sensitivity to the idea of others coming to know their sexual orientation. Jane does not develop a similar sensitivity on Sunday, and other people continue to ascertain Jane’s sexual orientation through no action on her part."

I admit: I have not read through all the previous posts on the Identity Trail, and may therefore be committing a fallacy of ignorance, but it is not yet clear to me how there is in fact no interest in privacy on Saturday. The fact that it is not exercised is what the above exegesis seems to address, but not whether it is present in the first case (T) or not.

There is a functional reason for asking this, not just a temporal one.

Consider David's question above about government manipulation--the campaign to convince citizens that they have no, or lesser, interests in privacy and therefore the government can do what it pleases without the trouble of interference from pesky privacy advocates and the like.

While it may be true that government could undertake such a program (think: border passes, universal identifiers, e-Pass, etc.) I think it is entirely too generous. Government may be able to exert some influence on citizens' interest in privacy, but government doesn't hold all the cards, nor is government (or big business for that matter) so well organized as to eliminate all other competing interests that people have.

These other interests are what help to provide the context of our lives, the frames through which we experience our existence. In the example above, society T is homogeneous. What happens to the analysis when we consider that t, t1 and t1+n all assume that if privacy is lost it cannot be regained? Or, put another way, if one does not exercise one's interest in privacy at one point in time (Saturday night), one cannot exercise one's interest in privacy at any other point in time either (t1, t1+n, etc.). But wait--!

Maybe T has the qualities of both being a context where S does not exercise her privacy interests p (i.e. by not restricting the disclosure of her personal information to others in her Saturday night T where it is usually irrelevant), but also where S does want to exercise her privacy interests p from the disclosure to others such as might be the case if a co-worker U suddenly and unexpectedly appears in S's Saturday social context T. (Consider that U does not normally know p on Monday to Friday, but through another colleague becomes part of S's T on Saturday night.) Come Monday morning, S may very well want to express the privacy interests about p when she sees U at the office, but which she chose not to express on Saturday night T. Therefore, T remains the same, but must account for a multiplicity such that privacy interests are both expressed in p (this then becomes STU in the case of U showing up unexpectedly) and unexpressed in p (in the case of ST but no U).

In a government context, then, this may be expressed in the scenario where I want (consent) to disclose personal health information to my doctor, and OHIP (i.e. the Ministry of Health and Long Term Care here in Ontario) for the purposes of public health care, but I do not want (consent) to disclose that same personal health information at the same time (i.e. disclosure to two parties simultaneously) to another ministry, say, the Ministry of the Attorney General.

It is for this reason that questions of privacy and the interests we exert over personal information should consider not only whether if lost it can be reclaimed, but also how it can be disclosed to different degrees (or parties) in multiple, simultaneous contexts--perhaps even during the same transaction.

Posted by: boostailey at November 22, 2006 10:24 PM



This is a SSHRC funded project:
Social Sciences and Humanities Research Council of Canada