Imagine if you waved to someone and, without your knowledge, a high-resolution camera took a photograph of your hand, capturing your fingerprints. You might be upset. Or—if you were visiting Disneyland, where they already make an image of your fingerprint to save you from waiting in a long line—you might find the novelty of the technology, and the immediate benefits…gratifying. The ambivalence we sometimes feel about new technologies that reveal identifiable personal information balances threats to privacy against incremental advantages. Indisputably, the trends toward miniaturization and mass-market deployment of cameras, recording devices, low-power sensors, and medical monitors of all kinds—when combined with the ability to digitally collect, store, retrieve, classify, and sort very large amounts of information—offer many benefits, but also threaten civil liberties and expectations of personal privacy. George Orwell’s vision in 1984 of a future in which the government has the power to record everything seems not so farfetched. “But even Orwell did not imagine that the sensors would be things that everybody would have,” says McKay professor of computer science Harry Lewis. “He foresaw the government putting the cameras on the lampposts—which we have. He didn’t foresee the 14-year-old girl snapping pictures on the T. Or the fact that flash drives that are given away as party favors could carry crucial data on everybody in the country.”
It’s a Smaller World
Information technology changes the accessibility and presentation of information. Lewis gives talks on the subject of privacy to alumni groups in private homes, and often begins with an example that puts his hosts on the hot seat. He projects a Google Earth view of the house, then shows the website Zillow’s assessment of how much it is worth, how many bedrooms and bathrooms and square feet it has. Then he goes to fundrace.huffingtonpost.com, an interface to the Federal Elections Commission’s campaign-contributions database. “Such information has always been a matter of public record,” says Lewis, “but it used to be that you had to go somewhere and give the exact name and address and they would give you back the one piece of data. Now you can just mouse over your neighborhood and little windows pop up and show how much money all the neighbors have given.” In the 02138 zip code, you can see “all the Harvard faculty members who gave more than $1,000 to Barack Obama,” for example. “This seems very invasive,” says Lewis, “but in fact it is the opposite of an invasion of privacy: it is something that our elected representatives decided should be public.”
Technology has forced people to rethink the public/private distinction. “Now it turns out that there is private, public, and really, really public,” Lewis says. “We’ve effectively said that anyone in an Internet café in Nairobi should be able to see how much our house is worth.” Lewis has been blogging about such issues on the website www.bitsbook.com, a companion to Blown to Bits: Your Life, Liberty, and Happiness after the Digital Explosion, the 2008 book of which he is a coauthor. “We think because we have a word for privacy that it is something we can put our arms around,” he says. “But it’s not.”
One of the best attempts to define the full range of privacy concerns at their intersection with new technologies, “A Taxonomy of Privacy,” appeared in the University of Pennsylvania Law Review in 2006. Its author, Daniel Solove, now a professor at George Washington University Law School, identified 16 privacy harms modulated by new technologies, including: information collection by surveillance; aggregation of information; insecurity of information; and disclosure, exposure, distortion, and increased accessibility of information.
That privacy would be a concern of the legal profession is not surprising. What is surprising is that computer scientists have been in the vanguard of those seeking ways to protect privacy, partly because they are often the first to recognize privacy problems engendered by new technologies and partly because the solutions themselves are sometimes technological. At Harvard, the Center for Research on Computation and Society (CRCS) has become a focal point for such inquiry. CRCS, which brings computer scientists together with colleagues from other schools and academic disciplines, was founded to develop new ideas and technologies for addressing some of society’s most vexing problems, and prides itself on a forward-looking, integrative approach. Privacy and security have been a particular focus during the past few years.
Database linking offers one such area of concern. If you tell Latanya Sweeney, A.L.B. ’95, nothing about yourself except your birth date and five-digit zip code, she’ll tell you your name. If you are under the age of 30 and tell her where you were born, she can correctly predict eight or nine digits of your nine-digit Social Security number. “The main reason privacy is a growing problem is that disk storage is so cheap,” says the visiting professor of computer science, technology, and policy at CRCS. “People can collect data and never throw anything away. Policies on data sharing are not very good, and the result is that data tend to flow around and get linked to other data.”
Sweeney became interested in privacy issues while earning her doctorate at MIT in the mid-1990s. Massachusetts had recently made “anonymized” medical information available. Such data are invaluable for research, for setting up early infectious-disease detection systems, and for other public-health uses. “There was a belief at the time that if you removed explicit identifiers—name, address, and Social Security number—you could just give the data away,” she recalls. That dogma was shattered when Sweeney produced a dramatic proof to the contrary.
The medical data that had been made available included minimal demographic information: zip code, birth date, and gender, in addition to the diagnosis. So Sweeney went to Cambridge City Hall and for $25 purchased a voter list on two diskettes: 54,000 names. By linking the demographic information in the voter database to the demographic information in the publicly available medical records, Sweeney found that in most cases she could narrow the demographic data down to a single person, and so restore the patient’s name to the record. She tried this data-linking technique for then-governor William F. Weld ’66, J.D. ’70. Only six people in Cambridge shared his birthday. Just three of them were men. And he was the only one who lived in the right zip code. Sweeney had reidentified someone in a putatively anonymous database of private medical information. The system had worked, yet data had leaked. Newspaper coverage of her testimony to the state legislature about what she had discovered ultimately brought a visit from the State Police. “That was my introduction to policy,” she says with a laugh. (She was recently named to the privacy and security seat of the Health Information Technology policy committee in the Obama administration.)
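Sweeney’s attack reduces, in essence, to a join on the quasi-identifiers the two datasets share. The sketch below illustrates the idea with invented records (the names, zip codes, and diagnoses are fabricated for illustration, not drawn from her study):

```python
# Toy illustration of a linkage attack: join an "anonymized" medical
# release to a public voter list on the shared quasi-identifiers
# (zip code, birth date, gender). All records here are invented.

medical_records = [  # explicit identifiers removed, diagnosis kept
    {"zip": "02138", "dob": "1945-07-31", "sex": "M", "diagnosis": "hypertension"},
    {"zip": "02138", "dob": "1962-03-14", "sex": "F", "diagnosis": "asthma"},
]

voter_list = [  # public record: name plus the same demographics
    {"name": "W. Weld", "zip": "02138", "dob": "1945-07-31", "sex": "M"},
    {"name": "J. Doe",  "zip": "02139", "dob": "1962-03-14", "sex": "F"},
]

def reidentify(medical, voters):
    """Return medical records whose quasi-identifiers match exactly one voter."""
    results = []
    for rec in medical:
        matches = [v for v in voters
                   if (v["zip"], v["dob"], v["sex"]) ==
                      (rec["zip"], rec["dob"], rec["sex"])]
        if len(matches) == 1:  # a unique match restores the name to the record
            results.append({**rec, "name": matches[0]["name"]})
    return results

print(reidentify(medical_records, voter_list))
```

Only the first medical record matches exactly one voter on all three fields, so only it is reidentified; the second record’s zip code differs from the candidate voter’s.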
Later, she proved that her results were not unique to Cambridge. Fully 87 percent of the United States population is uniquely identified by date of birth, five-digit zip code, and gender, she says: “So if I know only those three things about you, I can identify you by name 87 percent of the time. Pretty cool.” In fact, Sweeney’s ability to identify anyone is close to 100 percent for most U.S. zip codes—but there are some interesting exceptions. On the west side of Chicago, in the most populated zip code in the United States, there are more than 100,000 residents. Surely that should provide some anonymity. “For younger people, that’s true,” she says, “but if you are older, you really stand out.” Another zip code skews the opposite way: it is on the Stony Brook campus of the State University of New York and includes only dormitories. “Here is a tiny population,” she says, pulling up a graphic on her computer. “Only 5,000 people.” But because they are all college students of about the same age, “they are so homogenous…that I still can’t figure out who is who.”
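The 87-percent figure is, at bottom, a measurement of how many people are the only ones in the population with their particular combination of birth date, zip code, and gender. A minimal sketch of that computation, run here on a tiny synthetic population rather than census data:

```python
# Fraction of a population uniquely identified by the quasi-identifier
# triple (birth date, zip code, gender). Population is synthetic.
from collections import Counter

population = [
    ("1945-07-31", "02138", "M"),
    ("1962-03-14", "02138", "F"),
    ("1962-03-14", "02138", "F"),  # two people share this combination
    ("1988-01-02", "11794", "F"),
]

def unique_fraction(people):
    counts = Counter(people)
    unique = sum(1 for p in people if counts[p] == 1)
    return unique / len(people)

print(unique_fraction(population))  # 0.5: two of the four people are unique
```

The same logic also shows why the Stony Brook dormitory zip code resists the attack: a homogeneous population shares combinations, so the unique fraction collapses.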
A potentially even more serious privacy crisis looms in the way Social Security numbers (SSNs) are assigned, Sweeney says. “We are entering a situation where a huge number of people could tell me just their date of birth and hometown, and I can predict their SSN. Why is this a problem? Because in order to apply for a credit card, the key things I need are your name, your date of birth, your address, and your SSN. Who is the population at risk? Young people on Facebook.”
Facebook asks for your date of birth and hometown, two pieces of information that most young people include on their pages simply because they want their friends to wish them a happy birthday. The problem is that SSNs have never been issued randomly—the first three digits are a state code, the second two are assigned by region within state—and the process is described on a public website of the Social Security Administration. Starting in 1980, when the Internal Revenue Service began requiring that children have SSNs to be claimed as dependents on their parents’ tax returns, the numbers started being assigned at birth. Thus, if you know a person’s date and location of birth, it becomes increasingly simple to predict the SSN.
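The predictability comes from structure, not from any secret data: fixing the area digits by state and narrowing the group digits by birth date collapses the search space. The sketch below illustrates the arithmetic only; the area-number table is invented for illustration (the real allocation is published by the Social Security Administration):

```python
# Toy illustration of why structured SSN assignment shrinks the search
# space. The area-number table below is INVENTED; it stands in for the
# published state-to-area allocation.

AREA_NUMBERS = {"MA": ["010", "011"], "NY": ["050"]}  # hypothetical

def candidate_count(state, active_group_numbers=3):
    # A random 9-digit number would leave 10**9 possibilities.
    # With the area fixed by state and only a few group numbers in use
    # around a given birth date, the candidates collapse to:
    areas = len(AREA_NUMBERS[state])
    serials = 10_000  # the four serial digits remain unconstrained
    return areas * active_group_numbers * serials

print(candidate_count("MA"))  # 60,000 candidates instead of 1,000,000,000
```

Even this toy version makes the point: knowing state and approximate issuance date turns a billion-way guess into tens of thousands of candidates, a space small enough to search.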
One way or another, says Sweeney, someone is going to exploit this privacy crisis, and it “is either going to become a disaster or we’ll circumvent it.” (Canada and New Zealand, she notes, may have similar problems.) “But there are many easy remedies,” she adds. She has proposed random assignment of SSNs from a central repository. She has also devised solutions for setting up public-health surveillance systems that don’t reveal personal information, but still work as early-warning systems for infectious-disease transmission or bioterror attacks.
Sweeney believes that technological approaches to privacy problems are often better than legislative solutions, because “you don’t lose the benefits of the technology.” One of her current projects, for example, aims to make sure that technologies like photographic fingerprint capture are implemented in such a way that personal privacy is maintained and individuals’ rights aren’t exposed to abuse.
Scientists have long been excited by the possibilities of using biometric information such as fingerprints, palmprints, or iris scans for positive identification: people could use them to open their cars or their homes. But just how private are fingerprints? With a grant from the National Institutes of Justice, Sweeney and her students have shown that inexpensive digital cameras are already good enough to capture fingertip friction-ridge information at a range of two to three feet, and image resolution and capture speed are improving all the time, even as the cost of the technology keeps dropping. As a result, because it is contactless and very cheap, photographic fingerprint capture could become “the dominant way that prints are captured in a lot of public spaces,” Sweeney explains. That means fingerprint databases are everywhere, and “you don’t have any control over the use of those prints, if somebody wanted to make a false print, or track you. It is like walking around with your Social Security number on your forehead, to an extent. It is a little different because it isn’t linked to your credit report or your credit card”—but it does not require a tremendous leap of imagination to picture a world where credit cards require fingerprint verification.
Sweeney began working with fingerprints because of concerns that, given the huge numbers of fingerprints in linked databases, there would be false positive matches to the FBI’s crime database. “To the extent that fingerprint matching has been successful, it might be because only criminals are fingerprinted and criminals tend to repeat crimes,” she says. But she was “ridiculed a lot by law enforcement for making those statements,” until the Madrid train bombings in 2004. When a print at the scene was falsely matched by the FBI to a lawyer in California, it became clear that the science of fingerprint matching needed to be studied more deeply. (Palmprints ultimately may have a better chance at providing a unique match.) Furthermore, Sweeney points out, “What if someone advocated replacing Social Security numbers with fingerprints? If something goes horribly wrong with my number, I can get a new one. I can’t really get new fingerprints.”
Photograph by Jim Harrison
Tyler Moore, left, and Allan Friedman
A Legal Privacy Patchwork
As the Facebook/SSN interaction and the ability to capture fingerprints with digital photography illustrate, social changes mediated by technology alter the context in which privacy is protected. But privacy laws have not kept up. The last burst of widespread public concern about privacy came in the 1970s, when minicomputers and mainframes predominated. The government was the main customer, and fear that the government would know everything about its citizens led to the passage of the Privacy Act of 1974. That law set the standard on fair information practices for ensuing legislation in Europe and Canada—but in the United States, the law was limited to circumscribing what information the government could collect; it didn’t apply to commercial enterprises like credit-card companies. No one imagined today’s situation, when you can be tracked by your cell phone, your laptop, or another wireless device. As for ATM transactions and credit-card purchases, Sweeney says “pretty much everything is being recorded on some database somewhere.”
The result is that even the 1974 law has been undermined, says CRCS postdoctoral fellow Allan Friedman, because it “does not address the government buying information from private actors. This is a massive loophole, because private actors are much better at gathering information anyway.”
As new privacy concerns surfaced in American life, legislators responded with a finger-in-the-dike mentality, a “patchwork” response, Friedman continues. “The great example of this is that for almost 10 years, your video-rental records had stronger privacy protection than either your financial or your medical records.” The video-rental records law—passed in 1988 after a newspaper revealed Supreme Court nominee Robert Bork’s rentals—was so narrowly crafted that most people think it doesn’t even apply to Netflix. “Bork didn’t have much to hide,” Friedman says, “but clearly enough people in Congress did.” Medical records were protected under the Health Insurance Portability and Accountability Act in 1996, but financial records weren’t protected until the Gramm-Leach-Bliley Act of 1999. (Student records are protected by the Family Educational Rights and Privacy Act, passed in 1974, while the Children’s Online Privacy Protection Act, passed in 1998, prohibits the online collection of personal information from children under the age of 13.) “Legally,” Friedman concludes, “privacy in this country is a mishmash based on the common-law tradition. We don’t have a blanket regulation to grant us protection,” as Europe does.
The End of Anonymity
Friedman co-taught a new undergraduate course on the subject of privacy last year; it covered topics ranging from public policy and research ethics to wiretapping and database anonymity. “If there is a unified way to think about what digital systems have done to privacy,” he says, it is that they collapse contexts: social, spatial, temporal, and financial. “If I pay my credit-card bill late, I understand the idea that it will affect a future credit-card decision,” he explains. “But I don’t want to live in a society where I have to think, ‘Well, if I use my card in this establishment, that will change my creditworthiness in the future’”—a reference to a recent New York Times Magazine story, “What Does Your Credit-Card Company Know about You?” It reported that a Canadian credit-card issuer had discovered that people who used their card in a particular pool hall in Montreal, for example, had a 47 percent chance of missing four payments during the subsequent 12 months, whereas people who bought birdseed or anti-scuff felt pads for the legs of their furniture almost never missed payments. These disaggregated bits of information turn out to be better predictors of creditworthiness than traditional measures, but their use raises concerns, Friedman points out: “We don’t know how our information is being used to make decisions about us.”
Take the case of someone with a venereal disease who doesn’t want the people in his social network to know. “If I go to the hospital and the nurse who sees me happens to live down the street,” says Friedman, “maybe I don’t want her peeking at my medical records.” That particular threat has always been there in charts, he notes, but problems like this scale up dramatically with online systems. Now the nurse could check the records of everyone on her street during a coffee break. He cites a related example: “Massachusetts has a single State Police records system and there have been tens of thousands of lookups for Tom Brady and other local sports stars.” Unlike celebrities, ordinary people have not had to worry about such invasions of privacy in the past, but now computers can be used to find needles in haystacks—virtually every time. There are nearly seven billion people on the planet: a big number for a human brain, but a small number for a computer to scan. “John Smith is fairly safe,” says Friedman, “unless you know something critical about John Smith, and then all of a sudden, it is easy to find him.”
Digital systems have virtually eliminated a simple privacy that many people take for granted in daily life: the idea that there can be anonymity in a crowd. Computer scientists often refer to a corollary of this idea: security through obscurity. “If you live in a house, you might leave your door unlocked,” Friedman says. “The chances that someone is going to try your front door are fairly small. But I think you have to lock your door if you live in an apartment building. What digital systems do is allow someone to pry and test things very cheaply. And they can test a lot of doors.”
He notes that computers running the first version of Windows XP will be discovered and hacked, on average, in less than four minutes, enabling the criminal to take control of the system without the owner’s consent or knowledge (see online Extra at www.harvardmag.com/extras). Botnets—networks of machines that have been taken over—find vulnerable systems through brute force, by testing every address on the Internet, a sobering measure of the scale of such attacks. (Another measure: the CEO of AT&T recently testified before Congress that Internet crime costs an estimated $1 trillion annually. That is clearly an overestimate, says Friedman, but nobody knows how much Internet crime actually does cost, because there are no disclosure requirements for online losses, even in the banking industry.)
The durability of data represents another kind of contextual collapse. “Knowing whether something is harmful now versus whether it will be harmful in the future is tricky,” Friedman notes. “A canonical example occurred in the 1930s, when intellectuals in some circles might have been expected to attend socialist gatherings. Twenty years later,” during the McCarthy era, “this was a bad piece of information to have floating around.” Friedman wonders what will happen when young bloggers with outspoken opinions today start running for political office. How will their earlier words be used against them? Will they be allowed to change their minds?
Because personal information is everywhere, inevitably it leaks. Friedman cites the research of former CRCS fellow Simson Garfinkel, now an associate of the School of Engineering and Applied Sciences and associate professor at the Naval Postgraduate School, who reported in 2003 that fully one-third of 1,000 used hard drives he had purchased on eBay and at swap meets still contained sensitive financial information. One that had been part of an ATM machine was loaded with thousands of credit-card numbers, as was another that a supermarket had used to transmit credit-card payments to its bank. Neither had been properly “wiped” of its data.
Data insecurity is not just accidental, however. Most Web-based data transmitted over wireless networks is sent “in the clear,” unencrypted. Anyone using the same network can intercept and read it. (Google is the only major Web-based e-mail provider that offers encryption, but as of this writing, users must hunt for the option to turn it on.) Harry Lewis smiled at the naiveté of the question when asked what software the laptop used to write this article would need to intercept e-mails or other information at a Starbucks, for example. “Your computer is all set up to do it, and there are a million free ‘packet sniffers’ you can download to make it easy,” he said. And the risk that somebody might detect this illegal surveillance? “Zero, unless somebody looks at your screen and sees what you are doing,” because the packet sniffers passively record airborne data, giving out no signals of their presence.
Civil libertarians are more concerned that the government can easily access electronic communications because the data are centralized, passing through a relatively few servers owned by companies that can legally be forced to allow surveillance without public disclosure. Noting that the conversation tends to end whenever privacy is pitted against national-security interests, Friedman nevertheless asks, “Do we want to live in a society where the government can—regardless of whether they use the power or not—have access to all of our communications? So that they can, if they feel the need, drill down and find us?”
Paralleling changes in the way digital systems compromise our security are the evolving social changes in attitudes toward privacy. How much do we really value it? As Lewis points out, “We’ll give away data on our purchasing habits for a 10-cent discount on a bag of potato chips.” But mostly, he says, “people don’t really know what they want. They’ll say one thing and then do something else.”
Noting young people’s willingness to post all kinds of personal information on social networking sites such as Facebook—including photographs that might compromise them later—some commentators have wondered if there has been a generational shift in attitudes towards privacy. In “Say Everything,” a February 2007 New York Magazine article, author Emily Nussbaum noted:
Younger people…are the only ones for whom it seems to have sunk in that the idea of a truly private life is already an illusion. Every street in New York has a surveillance camera. Each time you swipe your debit card at Duane Reade or use your MetroCard, that transaction is tracked. Your employer owns your e-mails. The NSA owns your phone calls. Your life is being lived in public whether you choose to acknowledge it or not…. So it may be time to consider the possibility that young people who behave as if privacy doesn’t exist are actually the sane people, not the insane ones.
Some bloggers, noting that our hunter-gatherer ancestors would have lived communally, have even suggested that privacy may be an anomalous notion, a relatively recent historical invention that might again disappear. “My response to that,” says Lewis, “is that, yes, it happened during the same few years in history that are associated with the whole development of individual rights, the empowerment of individuals, and the rights of the individual against government authorities. That is a notion that is tied up, I think, with the notion of a right to privacy. So it is worrisome to me.”
Nor is it the case that young people don’t care about privacy, says danah boyd, a fellow at the Law School’s Berkman Center for Internet and Society who studies how youth engage with social media. “Young people care deeply about privacy, but it is a question of control, not what information gets out there,” she explains. “For a lot of teenagers, the home has never been a private place. They feel they have more control on a service like Facebook or MySpace than they do at home.”
She calls this not a generational difference, but a life-stage difference. Adults, boyd says, understand context in terms of physical space. They may go out to a pub on Friday night with friends, but not with their boss. For young people, online contexts come just as naturally, and many, she has found, actually share their social network passwords with other friends as a token of trust or intimacy (hence the analogy to a safe space like a pub).
Teens do realize that someone other than their friends may access this personal information. “They understand the collapse of social context, but may decide that status among their peers is more important,” she notes. “But do they understand that things like birth dates can be used by entities beyond their visibility? No. Most of them are barely aware that they have a Social Security number. But should they be the ones trying to figure this out, or do we really need to rethink our privacy structures around our identity information and our financial information?
“My guess,” boyd continues, “is that the kinds of systems we have set up—which assume a certain kind of obscurity of basic data—won’t hold going into the future. We need to rethink how we do identity assessment for credit cards and bank accounts and all of that, and then to try to convince people not to give out their birth dates.”
Friedman agrees that financial information needs to be handled differently. Why, he asks, is a credit record always open for a new line of credit by default, enabling fraud to happen at any time? “Is it because the company that maintains the record gets a fee for each credit check?” (Security freezes on a person’s credit report are put in place only ex post facto in cases of identity theft at the request of the victim.) Friedman believes that the best way to fight widespread distribution and dissemination of personal information is with better transparency, because that affords individuals and policymakers a better understanding of the risks involved.
“You don’t necessarily want to massively restrict information-sharing, because a lot of it is voluntary and beneficial,” he explains. Privacy, in the simplest of terms, is about context of information sharing, rather than control of information sharing: “It is about allowing me to determine what kind of environment I am in, allowing me to feel confident in expressing myself in that domain, without having it spill over into another. That encompasses everything from giving my credit-card number to a company—and expecting them to use it securely and for the intended purpose only—to Facebook and people learning not to put drunk pictures of themselves online.” Some of this will have to be done through user empowerment—giving users better tools—and some through regulation. “We do need to revisit the Privacy Act of 1974,” he says. “We do need to have more information about who has information about us and who is buying that information, even if we don’t have control.”
There is always the possibility that we will decide as a society not to support privacy. Harry Lewis believes that would be society’s loss. “I think ultimately what you lose is the development of individual identity,” he says. “The more we are constantly exposed from a very young age to peer and other social pressure for our slightly aberrant behaviors, the more we tend to force ourselves, or have our parents force us, into social conformity. So the loss of privacy is kind of a regressive force. Lots of social progress has been made because a few people tried things under circumstances where they could control who knew about them, and then those communities expanded, and those new things became generally accepted, often not without a fight. With the loss of privacy, there is some threat to that spirit of human progress through social experimentation.”
1. Conceptions of privacy and the value of privacy
Discussions about privacy are intertwined with the use of technology. The publication that began the debate about privacy in the Western world was occasioned by the introduction of the newspaper printing press and photography. Samuel D. Warren and Louis Brandeis wrote their article on privacy in the Harvard Law Review (Warren & Brandeis 1890) partly in protest against the intrusive activities of the journalists of those days. They argued that there is a “right to be let alone” based on a principle of “inviolate personality”. Since the publication of that article, the debate about privacy has been fueled by claims for the right of individuals to determine the extent to which others have access to them (Westin 1967) and claims for the right of society to know about individuals. The privacy debate has co-evolved with the development of information technology. It is therefore difficult to conceive of the notions of privacy and discussions about data protection as separate from the way computers, the Internet, mobile computing and the many applications of these basic technologies have evolved.
1.1 Constitutional vs. informational privacy
Inspired by subsequent developments in U.S. law, a distinction can be made between (1) constitutional (or decisional) privacy and (2) tort (or informational) privacy (DeCew 1997). The first refers to the freedom to make one's own decisions without interference by others in regard to matters seen as intimate and personal, such as the decision to use contraceptives or to have an abortion. The second is concerned with the interest of individuals in exercising control over access to information about themselves and is most often referred to as “informational privacy”. Think here, for instance, about information disclosed on Facebook or other social media. All too easily, such information might be beyond the control of the individual.
Statements about privacy can be either descriptive or normative, depending on whether they are used to describe the way people define situations and conditions of privacy and the way they value them, or are used to indicate that there ought to be constraints on the use of information or information processing. Informational privacy in a normative sense refers typically to a non-absolute moral right of persons to have direct or indirect control over access to (1) information about oneself, (2) situations in which others could acquire information about oneself, and (3) technology that can be used to generate, process or disseminate information about oneself.
1.2 Accounts of the value of privacy
Debates about privacy almost always revolve around new technology, ranging from genetics and the extensive study of bio-markers, brain imaging, drones, wearable sensors and sensor networks, social media, smart phones, closed circuit television, to government cybersecurity programs, direct marketing, RFID tags, Big Data, head-mounted displays and search engines. There are basically two reactions to the flood of new technology and its impact on personal information and privacy: the first, held by many people in the IT industry and in R&D, is that we have zero privacy in the digital age and that there is no way we can protect it, so we should get used to the new world and get over it. The other reaction is that our privacy is more important than ever and that we can and must attempt to protect it.
In the literature on privacy, there are many competing accounts of the nature and value of privacy. On one end of the spectrum, reductionist accounts argue that privacy claims are really about other values and other things that matter from a moral point of view. According to these views, the value of privacy is reducible to these other values or sources of value (Thomson 1975). Proposals that have been defended along these lines mention property rights, security, autonomy, intimacy or friendship, democracy, liberty, dignity, or utility and economic value. Reductionist accounts hold that the importance of privacy should be explained and its meaning clarified in terms of those other values and sources of value (Westin 1967). The opposing view holds that privacy is valuable in itself and that its value and importance are not derived from other considerations (for a discussion, see Rössler 2004). Views that construe privacy and the personal sphere of life as a human right would be an example of this non-reductionist conception.
More recently a type of privacy account has been proposed in relation to new information technology that acknowledges that there is a cluster of related moral claims (cluster accounts) underlying appeals to privacy (DeCew 1997; Solove 2006; van den Hoven 1999; Allen 2011; Nissenbaum 2004), but maintains that there is no single essential core of privacy concerns. A later addition to the body of privacy accounts is the family of epistemic accounts, in which the notion of privacy is analyzed primarily in terms of knowledge or other epistemic states. Having privacy means that others do not know certain private propositions; lacking privacy means that others do know certain private propositions (Blaauw 2013). An important aspect of this conception of having privacy is that it is seen as a relation (Rubel 2011; Matheson 2007; Blaauw 2013) with three argument places: a subject (S), a set of propositions (P) and a set of individuals (I). Here S is the subject who has (a certain degree of) privacy. P is composed of those propositions the subject wants to keep private (call the propositions in this set ‘personal propositions’), and I is composed of those individuals with respect to whom S wants to keep the personal propositions private.
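The three-place relation of the epistemic account can be made concrete in a small sketch. The class and function names below are illustrative inventions, not notation from the cited literature; knowledge is crudely modeled as a mapping from individuals to the sets of propositions they know.

```python
from dataclasses import dataclass

# Toy model of the epistemic account: S has privacy with respect to a set
# of personal propositions P and a set of individuals I iff no individual
# in I knows any proposition in P.

@dataclass
class EpistemicState:
    knows: dict  # maps each individual to the set of propositions they know

def has_privacy(subject, personal_props, individuals, state):
    """True iff no individual in `individuals` knows any proposition
    in `personal_props`."""
    return all(
        state.knows.get(i, set()).isdisjoint(personal_props)
        for i in individuals
    )

state = EpistemicState(knows={
    "alice": {"S smokes"},
    "bob": set(),
})
print(has_privacy("S", {"S smokes", "S votes left"}, {"bob"}, state))    # True
print(has_privacy("S", {"S smokes", "S votes left"}, {"alice"}, state))  # False
```

The sketch also shows why privacy comes in degrees on this account: S may have privacy relative to one audience (bob) while lacking it relative to another (alice).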
Another useful distinction is that between a European and an American approach. A bibliometric study suggests that the two approaches are separate in the literature. The first conceptualizes issues of informational privacy in terms of ‘data protection’, the second in terms of ‘privacy’ (Heersmink et al. 2011). In discussing the relationship of privacy matters with technology, the notion of data protection is most helpful, since it leads to a relatively clear picture of what the object of protection is and by which technical means the data can be protected. At the same time it invites answers to the question of why the data ought to be protected. Informational privacy is thus recast in terms of the protection of personal data (van den Hoven 2008).
1.3 Personal Data
Personal information or data is information or data that is linked or can be linked to individual persons. Examples include date of birth, sexual preference, whereabouts, religion, but also the IP address of your computer or metadata pertaining to these kinds of information. Personal data can be contrasted with data that is considered sensitive, valuable or important for other reasons, such as secret recipes, financial data, or military intelligence. Data that is used to secure other information, such as passwords, is not considered here. Although such security measures may contribute to privacy, their protection is only instrumental to the protection of other information, and the quality of such security measures is therefore out of the scope of our considerations here.
A relevant distinction that has been made in philosophical semantics is that between the referential and the attributive use of descriptive labels of persons (van den Hoven 2008). Personal data is defined in the law as data that can be linked with a natural person. There are two ways in which this link can be made; a referential mode and a non-referential mode. The law is primarily concerned with the ‘referential use’ of descriptions, the type of use that is made on the basis of a (possible) acquaintance relationship of the speaker with the object of his knowledge. “The murderer of Kennedy must be insane”, uttered while pointing to him in court, is an example of a referentially used description. This can be contrasted with descriptions that are used attributively as in “the murderer of Kennedy must be insane, whoever he is”. In this case, the user of the description is not, and may never be, acquainted with the person he is talking about or wants to refer to. If the legal definition of personal data is interpreted referentially, much of the data about persons would be unprotected; that is, the processing of this data would not be constrained on moral grounds related to privacy or the personal sphere of life.
1.4 Moral reasons for protecting personal data
The following types of moral reasons for the protection of personal data and for providing direct or indirect control over access to those data by others can be distinguished (van den Hoven 2008):
- Prevention of harm: Unrestricted access by others to one's passwords, characteristics, and whereabouts can be used to harm the data subject in a variety of ways.
- Informational inequality: Personal data have become commodities. Individuals are usually not in a good position to negotiate contracts about the use of their data and do not have the means to check whether partners live up to the terms of the contract. Data protection laws, regulation and governance aim at establishing fair conditions for drafting contracts about personal data transmission and exchange, and at providing data subjects with checks and balances and guarantees for redress.
- Informational injustice and discrimination: Personal information provided in one sphere or context (for example, health care) may change its meaning when used in another sphere or context (such as commercial transactions) and may lead to discrimination and disadvantages for the individual.
- Encroachment on moral autonomy: Lack of privacy may expose individuals to outside forces that influence their choices.
These formulations all provide good moral reasons for limiting and constraining access to personal data and providing individuals with control over their data.
1.5 Law, regulation, and indirect control over access
Data protection laws are in force in almost all countries. The basic moral principle underlying these laws is the requirement of informed consent for processing by the data subject. Furthermore, processing of personal information requires that its purpose be specified, its use be limited, individuals be notified and allowed to correct inaccuracies, and the holder of the data be accountable to oversight authorities (OECD 1980). Because it is impossible to guarantee compliance of all types of data processing in all these areas and applications with these rules and laws in traditional ways, so-called privacy-enhancing technologies and identity management systems are expected to replace human oversight in many cases. The challenge with respect to privacy in the twenty-first century is to ensure that technology is designed in such a way that it incorporates privacy requirements in the software, architecture, infrastructure, and work processes, making privacy violations unlikely to occur.
2. The impact of information technology on privacy
2.1 Developments in information technology
“Information technology” refers to automated systems for storing, processing, and distributing information. Typically, this involves the use of computers and communication networks. The amount of information that can be stored or processed in an information system depends on the technology used. The capacity of the technology has increased rapidly over the past decades, in accordance with Moore's law. This holds for storage capacity, processing capacity, and communication bandwidth. We are now capable of storing and processing data on the exabyte level. For illustration, storing 100 exabytes of data on 720 MB CD-ROM discs would require a stack of roughly 140 billion discs, about 170,000 kilometres high, nearly half the average distance to the moon.
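The CD-ROM illustration can be checked with a quick back-of-envelope calculation, under the stated assumptions of 720 MB per disc (taking 1 MB as 10^6 bytes) and a standard disc thickness of 1.2 mm:

```python
# Back-of-envelope check of the CD-ROM stack illustration.
# Assumptions: 720 MB per disc (1 MB = 10**6 bytes), 1.2 mm per disc.

EXABYTE = 10**18
disc_bytes = 720 * 10**6
disc_thickness_m = 1.2e-3

discs = (100 * EXABYTE) / disc_bytes        # number of discs needed
stack_km = discs * disc_thickness_m / 1000  # stack height in kilometres

print(f"{discs:.2e} discs, stack about {stack_km:,.0f} km")
# about 1.39e11 discs and a stack of roughly 167,000 km, i.e. nearly
# half the mean Earth-Moon distance of about 384,000 km
```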
These developments have fundamentally changed our practices of information provisioning. Even within the academic research field, current practices of writing, submitting, reviewing and publishing texts such as this one would be unthinkable without information technology support. At the same time, many parties collate information about publications, authors, etc. This enables recommendations on which papers researchers should read, but at the same time builds a detailed profile of each individual researcher.
The rapid changes have increased the need for careful consideration of the desirability of these effects. Some even speak of a digital revolution as a technological leap similar to the industrial revolution, or a digital revolution as a revolution in understanding human nature and the world, similar to the revolutions of Copernicus, Darwin and Freud (Floridi 2008). In both the technical and the epistemic sense, emphasis has been put on connectivity and interaction. Physical space has become less important, information is ubiquitous, and social relations have adapted as well.
As we have described privacy in terms of moral reasons for imposing constraints on access to and/or use of personal information, the increased connectivity imposed by information technology poses many questions. In a descriptive sense, access has increased, which, in a normative sense, requires consideration of the desirability of this development, and evaluation of the potential for regulation by technology, institutions, and/or law.
As connectivity increases access to information, it also increases the possibility for agents to act based on the new sources of information. When these sources contain personal information, risks of harm, inequality, discrimination, and loss of autonomy easily emerge. For example, your enemies may have less difficulty finding out where you are, users may be tempted to give up privacy for perceived benefits in online environments, and employers may use online information to avoid hiring certain groups of people. Furthermore, systems rather than users may decide which information is displayed, thus confronting users only with news that matches their profiles.
Although the technology operates on a device level, information technology consists of a complex system of socio-technical practices, and its context of use forms the basis for discussing its role in changing possibilities for accessing information, and thereby impacting privacy. We will discuss some specific developments and their impact in the following sections.
2.2 Internet
The Internet, originally conceived in the 1960s and developed in the 1980s as a scientific network for exchanging information, was not designed for the purpose of separating information flows (Michener 1999). The World Wide Web of today was not foreseen, and neither was the possibility of misuse of the Internet. Social network sites emerged for use within a community of people who knew each other in real life—at first, mostly in academic settings—rather than being developed for a worldwide community of users (Ellison 2007). It was assumed that sharing with close friends would not cause any harm, and privacy and security only appeared on the agenda when the network grew larger. This means that privacy concerns often had to be dealt with as add-ons rather than by design.
The recent development of cloud computing raises further privacy concerns (Ruiter & Warnier 2011). Previously, while information might be available from the web, user data and programs would still be stored locally, preventing program vendors from having access to the data and usage statistics. In cloud computing, both data and programs are online (in the cloud), and it is not always clear what the user-generated and system-generated data are used for. Moreover, as data is located elsewhere in the world, it is not even always obvious which law is applicable, and which authorities can demand access to the data. Data gathered by online services and apps such as search engines and games are of particular concern here. Which data is used and communicated by applications (browsing history, contact lists, etc.) is not always clear, and even when it is, the only choice available to the user may be not to use the application. In general, IT services have more and different privacy issues than IT products (Pieters 2013).
Some special features of Internet privacy (social media and Big Data) are discussed in the following sections.
2.3 Social media
The interactive web, known as Web 2.0, where users generate much of the content themselves, poses additional challenges. The question is not merely about the moral reasons for limiting access to information, it is also about the moral reasons for limiting the invitations to users to submit all kinds of personal information. Social network sites invite the user to generate more data, to increase the value of the site (“your profile is …% complete”). Users are tempted to exchange their personal data for the benefits of using services, and provide both this data and their attention as payment for the services. In addition, users may not even be aware of what information they are tempted to provide, as in the abovementioned case of the “like”-button on other sites. Merely limiting the access to personal information does not do justice to the issues here, and the more fundamental question lies in steering users' sharing behavior.
One way of limiting the temptation of users to share is requiring default privacy settings to be strict. Even then, strict defaults limit access only for other users (“friends of friends”); they do not limit access for the service provider. Such restrictions also limit the value and usability of the social network sites themselves, and may reduce positive effects of such services. A particular example of privacy-friendly defaults is the opt-in as opposed to the opt-out approach. When the user has to take an explicit action to share data or to subscribe to a service or mailing list, the resulting effects may be more acceptable to the user. However, much still depends on how the choice is framed (Bellman, Johnson, & Lohse 2001).
2.4 Big Data
Users generate large amounts of data when online. This is not only data explicitly entered by the user, but also numerous statistics on user behavior: sites visited, links clicked, search terms entered. Data mining can be employed to extract patterns from such data, which can then be used to make decisions about the user. These may only affect the online experience (advertisements shown), but, depending on which parties have access to the information, they may also impact the user in completely different contexts.
In particular, Big Data may be used in profiling the user (Hildebrandt 2008), creating patterns of typical combinations of user properties, which can then be used to predict interests and behavior. An innocent application is “you may also like …”, but, depending on the available data, more sensitive derivations may be made, such as most probable religion or sexual preference. These derivations could then in turn lead to inequality or discrimination. When a user can be assigned to a particular group, even only probabilistically, this may influence the actions taken by others. For example, profiling could lead to refusal of insurance or a credit card, in which case profit is the main reason for discrimination. Profiling could also be used by organizations or possible future governments that have discrimination of particular groups on their political agenda, in order to find their targets and deny them access to services, or worse.
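The mechanics of an "innocent" profiling application of the "you may also like" kind can be sketched in a few lines. The purchase histories and item names below are invented for illustration; the point is that nothing more than co-occurrence counts over behavioral data is needed to start predicting a user's interests.

```python
from collections import Counter
from itertools import combinations

# Minimal sketch of profiling via data mining: derive "you may also like"
# suggestions from item co-occurrence in (invented) purchase histories.

histories = [
    {"bread", "butter", "jam"},
    {"bread", "butter"},
    {"bread", "jam"},
    {"beer", "crisps"},
]

# Count, for every ordered pair of items, how often they appear together.
co_occurrence = Counter()
for basket in histories:
    for a, b in combinations(sorted(basket), 2):
        co_occurrence[(a, b)] += 1
        co_occurrence[(b, a)] += 1

def you_may_also_like(item, n=2):
    """Return up to n items most often bought together with `item`."""
    scores = Counter({b: c for (a, b), c in co_occurrence.items() if a == item})
    return [other for other, _ in scores.most_common(n)]

print(you_may_also_like("bread"))  # butter and jam, not beer or crisps
```

The same counting machinery, applied to properties such as pages visited or groups joined rather than groceries, is what makes the more sensitive derivations mentioned above possible.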
Big Data does not only emerge from Internet transactions. Similarly, data may be collected when shopping, when being recorded by surveillance cameras in public or private spaces, or when using smartcard-based public transport payment systems. All these data could be used to profile citizens, and base decisions upon such profiles. For example, shopping data could be used to send information about healthy food habits to particular individuals, but again also for decisions on insurance. According to EU data protection law, permission is needed for processing personal data, and it can only be processed for the purpose for which it was obtained. Specific challenges, therefore, are (a) how to obtain permission when the user does not explicitly engage in a transaction (as in the case of surveillance), and (b) how to prevent “function creep”, i.e., data being used for different purposes after collection (as may happen, for example, with DNA databases; Dahl & Sætnan 2009).
One particular concern could emerge from genetic data (Tavani 2004). Like other data, genomic data can be used to make predictions, and in particular to predict risks of diseases. Apart from others having access to detailed user profiles, a fundamental question here is whether the individual should know what is known about her. In general, users could be said to have a right to access any information stored about them, but in this case, there may also be a right not to know, in particular when knowledge of the data (e.g., risks of diseases) would reduce well-being (by causing fear, for instance) without enabling treatment. With respect to previous examples, one may not want to know the patterns in one's own shopping behavior either.
2.5 Mobile devices
As users increasingly carry networked devices such as cellphones, these mobile devices collect and send more and more data. The devices typically contain a range of data-generating sensors, including GPS (location), movement sensors, and cameras, and may transmit the resulting data via the Internet or other networks. One particular example concerns location data. Many mobile devices have a GPS sensor that registers the user's location, but even without a GPS sensor, approximate locations can be derived, for example by monitoring the available wireless networks. As location data links the online world to the user's physical environment, with the potential of physical harm (stalking, burglary during holidays, etc.), such data are often considered particularly sensitive.
Many of these devices also contain cameras which, when applications have access, can be used to take pictures. These can be considered sensors as well, and the data they generate may be particularly private. For sensors like cameras, it is assumed that the user is aware when they are activated, and privacy depends on such knowledge. For webcams, a light typically indicates whether the camera is on, but this light may be manipulated by malicious software. In general, “reconfigurable technology” (Dechesne, Warnier, & van den Hoven 2011) that handles personal data raises the question of user knowledge of the configuration.
2.6 The Internet of Things
Devices connected to the Internet are not limited to user-owned computing devices like smartphones. Many devices contain chips and/or are connected in the so-called Internet of Things. RFID (radio frequency identification) chips can be read from a limited distance, such that you can hold them in front of a reader rather than inserting them. EU and US passports have RFID chips with protected biometric data, but information like the user's nationality may easily leak when attempting to read such devices (see Richter, Mostowski & Poll 2008, in Other Internet Resources). “Smart” RFIDs are also embedded in public transport payment systems. “Dumb” RFIDs, basically only containing a number, appear in many kinds of products as a replacement of the barcode, and for use in logistics. Still, such chips could be used to trace a person once it is known that he carries an item containing a chip.
In the home, there are smart meters for automatically reading and sending electricity consumption, and thermostats and other devices that can be remotely controlled by the owner. Such devices again generate statistics, and these can be used for mining and profiling. In the future, more and more household appliances will be connected, each generating its own information. Ambient intelligence (Brey 2005), and ubiquitous computing, along with the Internet of Things (Friedewald & Raabe 2011), also enable automatic adaptation of the environment to the user, based on explicit preferences and implicit observations, and user autonomy is a central theme in considering the privacy implications of such devices.
2.7 E-Government
Government and public administration have undergone radical transformations as a result of the availability of advanced IT systems as well. Examples of these changes are biometric passports, online e-government services, voting systems, a variety of online citizen participation tools and platforms, and online access to recordings of sessions of parliament and government committee meetings.
Consider the case of voting in elections. Information technology may play a role in different phases in the voting process, which may have different impact on voter privacy. Most countries have a requirement that elections are to be held by secret ballot, to prevent vote buying and coercion. In this case, the voter is supposed to keep her vote private, even if she would want to reveal it. For information technology used for casting votes, this is defined as the requirement of receipt-freeness or coercion-resistance (Delaune, Kremer & Ryan 2006). In polling stations, the authorities see to it that the voter keeps the vote private, but such surveillance is not possible when voting by mail or online, and it cannot even be enforced by technological means, as someone can always watch while the voter votes. In this case, privacy is not only a right but also a duty, and information technology developments play an important role in the possibilities of the voter to fulfill this duty, as well as the possibilities of the authorities to verify this. In a broader sense, e-democracy initiatives may change the way privacy is viewed in the political process.
3. How can information technology itself solve privacy concerns?
Whereas information technology is typically seen as the cause of privacy problems, there are also several ways in which information technology can help to solve these problems. There are rules, guidelines or best practices that can be used for designing privacy-preserving systems. Such possibilities range from ethically-informed design methodologies to using encryption to protect personal information from unauthorized use.
3.1 Design methods
Value Sensitive Design provides a “theoretically grounded approach to the design of technology that accounts for human values in a principled and comprehensive manner throughout the design process” (Friedman et al. 2006). It provides a set of rules and guidelines for designing a system with a certain value in mind. One such value can be ‘privacy’, and value sensitive design can thus be used as a method to design privacy-friendly IT systems. The ‘Privacy by Design’ approach as advocated by Cavoukian (2009) and others can be regarded as one of the value sensitive design approaches that specifically focuses on privacy. The Privacy by Design approach provides high-level guidelines in the form of seven principles for designing privacy-preserving systems. These principles have at their core that “data protection needs to be viewed in proactive rather than reactive terms, making privacy by design preventive and not simply remedial” (Cavoukian 2010). Privacy by design's main point is that data protection should be central in all phases of product life cycles, from initial design to operational use and disposal. The Privacy Impact Assessment approach proposed by Clarke (2009) makes a similar point. It proposes “a systematic process for evaluating the potential effects on privacy of a project, initiative or proposed system or scheme” (Clarke 2009). Note that these approaches should not only be seen as auditing approaches, but rather as a means to make privacy awareness and compliance an integral part of the organizational and engineering culture.
There are also several industry guidelines that can be used to design privacy preserving IT systems. The Payment Card Industry Data Security Standard (see PCI DSS v3.0, 2013, in the Other Internet Resources), for example, gives very clear guidelines for privacy and security sensitive systems design in the domain of the credit card industry and its partners (retailers, banks). Various International Organization for Standardization (ISO) standards (Hone & Eloff 2002) also serve as a source of best practices and guidelines, especially with respect to security, for the design of privacy friendly systems. Furthermore, the principles that are formed by the EU Data Protection Directive, which are themselves based on the Fair Information Practices (Gellman 2014) from the early 1970s—transparency, purpose, proportionality, access, transfer—are technologically neutral and as such can also be considered as high level ‘design principles’. Systems that are designed with these rules and guidelines in mind should thus—in principle—be in compliance with EU privacy laws and respect the privacy of their users.
The rules and principles described above give high-level guidance for designing privacy-preserving systems, but this does not mean that if these methodologies are followed the resulting IT system will (automatically) be privacy friendly. Some design principles are rather vague and abstract. What does it mean to make a transparent design or to design for proportionality? The principles need to be interpreted and placed in a context when designing a specific system. But different people will interpret the principles differently, which will lead to different design choices, some of which will be clearly better than others. There is also a difference between the design and the implementation of a computer system. During the implementation phase software bugs are introduced, some of which can be exploited to break the system and extract private information. How to implement bug-free computer systems remains an open research question (Hoare 2003). In addition, implementation is another phase wherein choices and interpretations are made: system designs can be implemented in infinitely many ways. Moreover, it is very hard to verify—for anything but trivial systems—whether an implementation meets its design/specification (Loeckx, Sieber, & Stansifer 1985). This is even more difficult for non-functional requirements such as ‘being privacy preserving’ or security properties in general.
3.2 Privacy enhancing technologies
A growing number of software tools are available that provide some form of privacy (usually anonymity) for their users; such tools are commonly known as privacy enhancing technologies (Danezis & Gürses 2010, Other Internet Resources). Examples include communication-anonymizing tools such as Tor (Dingledine, Mathewson, & Syverson 2004) and Freenet (Clarke et al. 2001), and identity-management systems for which many commercial software packages exist (see below). Communication anonymizing tools allow users to anonymously browse the web (with Tor) or anonymously share content (Freenet). They employ a number of cryptographic techniques and security protocols in order to ensure their goal of anonymous communication. Both systems exploit the fact that numerous users use the system at the same time, which provides k-anonymity (Sweeney 2002): no individual can be uniquely distinguished from a group of size k, for large values of k. Depending on the system, the value of k can vary from a few hundred to hundreds of thousands. In Tor, messages are encrypted and routed along numerous different computers, thereby obscuring the original sender of the message (and thus providing anonymity). Similarly, in Freenet content is stored in encrypted form on the computers of all users of the system. Since users themselves do not have the necessary decryption keys, they do not know what kind of content is stored, by the system, on their own computer. This provides plausible deniability and privacy. The system can at any time retrieve the encrypted content and send it to different Freenet users.
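The layered ("onion") encryption behind Tor-style routing can be illustrated with a toy sketch. The keystream cipher below (SHA-256 in counter mode) is a stand-in for the real cryptography and must not be used in practice; note also that XOR layers commute, whereas real onion routing uses non-commuting ciphers so that each relay can only peel its own layer in order.

```python
import hashlib
from itertools import count

# Toy illustration of layered ("onion") encryption: the sender adds one
# encryption layer per relay; each relay peels exactly one layer and never
# sees the plaintext unless it is the final hop.

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """XOR `data` with a SHA-256-derived keystream (toy cipher, insecure)."""
    stream = bytearray()
    for block in count():
        if len(stream) >= len(data):
            break
        stream += hashlib.sha256(key + block.to_bytes(8, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def wrap(message: bytes, relay_keys) -> bytes:
    """Sender side: add one layer per relay (innermost layer = last relay)."""
    for key in reversed(relay_keys):
        message = keystream_xor(key, message)
    return message

def unwrap_at_relay(onion: bytes, key: bytes) -> bytes:
    """Relay side: peel a single layer (XOR is its own inverse)."""
    return keystream_xor(key, onion)

keys = [b"relay-1", b"relay-2", b"relay-3"]
onion = wrap(b"hello", keys)
for k in keys:          # the message traverses the three relays in order
    onion = unwrap_at_relay(onion, k)
print(onion)  # b'hello'
```

No single relay sees both the sender and the plaintext, which is the property that obscures the original sender of the message.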
Privacy enhancing technologies also have their downsides. For example, Tor, the tool that allows anonymized communication and browsing over the Internet, is susceptible to an attack whereby, under certain circumstances, the anonymity of the user is no longer guaranteed (Back, Möller, & Stiglic 2001; Evans, Dingledine, & Grothoff 2009). Freenet (and other tools) have similar problems (Douceur 2002). Note that for such attacks to work, an attacker needs to have access to large resources that in practice are only realistic for intelligence agencies of countries. However, there are other risks. Configuring such software tools correctly is difficult for the average user, and when the tools are not correctly configured anonymity of the user is no longer guaranteed. And there is always the risk that the computer on which the privacy-preserving software runs is infected by a Trojan horse (or other digital pest) that monitors all communication and knows the identity of the user.
Another option for providing anonymity is the anonymization of data through special software. Tools exist that remove patient names and reduce age information to intervals: the age 35 is then represented as falling in the range 30–40. The idea behind such anonymization software is that a record can no longer be linked to an individual, while the relevant parts of the data can still be used for scientific or other purposes. The problem here is that it is very hard to anonymize data in such a way that all links with an individual are removed and the resulting anonymized data is still useful for research purposes. Researchers have shown that it is almost always possible to reconstruct links with individuals by using sophisticated statistical methods (Danezis, Diaz, & Troncoso 2007) and by combining multiple databases (Anderson 2008) that contain personal information. Techniques such as k-anonymity might also help to generalize the data enough to make it infeasible to de-anonymize data (LeFevre et al. 2005).
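The generalization step behind k-anonymity can be sketched as follows: exact values of quasi-identifiers (here, age and postal code, on invented records) are coarsened until every combination occurs at least k times, so that no record stands out within its group.

```python
from collections import Counter

# Sketch of generalization for k-anonymity: ages are coarsened to
# 10-year intervals and postal codes truncated, then we check that every
# combination of quasi-identifiers occurs at least k times.

records = [
    {"age": 35, "zip": "02138"},
    {"age": 38, "zip": "02138"},
    {"age": 31, "zip": "02138"},
    {"age": 52, "zip": "02139"},
    {"age": 57, "zip": "02139"},
]

def generalize(record):
    lo = (record["age"] // 10) * 10
    return {"age": f"{lo}-{lo + 9}", "zip": record["zip"][:3] + "**"}

def is_k_anonymous(rows, k):
    groups = Counter(tuple(sorted(r.items())) for r in rows)
    return all(n >= k for n in groups.values())

generalized = [generalize(r) for r in records]
print(generalized[0])                  # {'age': '30-39', 'zip': '021**'}
print(is_k_anonymous(generalized, 2))  # True: every group has >= 2 records
```

As the surrounding text notes, this only protects against linking via the generalized columns; combining the released table with other databases can still re-identify individuals.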
3.3 Cryptography
Cryptography has long been used as a means to protect data, dating back to the Caesar cipher more than two thousand years ago. Modern cryptographic techniques are essential in any IT system that needs to store (and thus protect) personal data. Note however that by itself cryptography does not provide any protection against data breaches; only when applied correctly in a specific context does it become a ‘fence’ around personal data. Cryptography is a large field, so any description here will be incomplete. We'll focus instead on some newer cryptographic techniques, in particular homomorphic encryption, that have the potential to become very important for processing and searching in personal data.
Various techniques exist for searching through encrypted data (Song et al. 2000), which provides a form of privacy protection (the data is encrypted) and selective access to sensitive data. One relatively new technique that can be used for designing privacy-preserving systems is ‘homomorphic encryption’ (Gentry 2009). Homomorphic encryption allows a data processor to process encrypted data, i.e., users could send personal data in encrypted form and get back some useful results—for example, recommendations of movies that online friends like—in encrypted form. The original user can then again decrypt the result and use it without revealing any personal data to the data processor. Homomorphic encryption, for example, could be used to aggregate encrypted data thereby allowing both privacy protection and useful (anonymized) aggregate information. The technique is currently still in its infancy; it does not scale yet to the large amounts of data stored in today's systems. However, if homomorphic encryption could be made to work more efficiently the results have the potential to be revolutionary, at least for privacy-preserving systems.
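The homomorphic property can be demonstrated with a toy version of the Paillier cryptosystem, which is additively homomorphic: multiplying two ciphertexts yields an encryption of the sum of the plaintexts. The parameters below are absurdly small and utterly insecure; this is a sketch of the principle only, not of the schemes discussed in the cited literature.

```python
from math import gcd

# Toy Paillier cryptosystem (tiny, insecure parameters) illustrating
# additive homomorphism: Enc(m1) * Enc(m2) mod n^2 decrypts to m1 + m2.

p, q = 17, 19
n = p * q                                      # public modulus
n2 = n * n
lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)   # lcm(p-1, q-1)
mu = pow(lam, -1, n)                           # lambda^-1 mod n

def encrypt(m: int, r: int) -> int:
    """Encrypt m with randomness r (r must be coprime to n)."""
    assert 0 <= m < n and gcd(r, n) == 1
    return (pow(n + 1, m, n2) * pow(r, n, n2)) % n2

def decrypt(c: int) -> int:
    x = pow(c, lam, n2)
    return ((x - 1) // n * mu) % n

c1 = encrypt(3, r=23)
c2 = encrypt(4, r=29)
# The data processor multiplies ciphertexts without ever seeing 3 or 4:
print(decrypt((c1 * c2) % n2))  # 7
```

This is the sense in which a processor can compute on data it cannot read: it returns an encrypted aggregate, and only the key holder can decrypt the result.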
3.4 Identity management
The use and management of users' online identifiers are crucial in the current Internet and social networks. Online reputations become more and more important, both for users and for companies. In the era of ‘Big Data’, correct information about users has an increasing monetary value.
‘Single sign on’ frameworks, provided by independent third parties (OpenID) but also by large companies such as Facebook, Microsoft and Google (Ko et al. 2010), make it easy for users to connect to numerous online services using a single online identity. These online identities are usually directly linked to the real world (offline) identities of individuals; indeed Facebook, Google and others require this form of log on (den Haak 2012). Requiring a direct link between online and ‘real world’ identities is problematic from a privacy perspective, because it allows profiling of users (Benevenuto et al. 2012). Not all users will realize how much data companies gather in this manner, or how easy it is to build a detailed profile of users. Profiling becomes even easier if the profile information is combined with other techniques such as implicit authentication via cookies and tracking cookies (Mayer & Mitchell 2012).
From a privacy perspective a better solution would be the use of attribute-based authentication (Goyal et al. 2006), which grants access to online services based on attributes of users, for example their friends, nationality or age. Depending on the attributes used, access might still be traced back to specific individuals, but this is no longer crucial. In addition, users can no longer be tracked across services, because they can present different attributes to different services, which makes it difficult to link online identities over multiple transactions, thus providing unlinkability for the user.
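The contrast with identity-based log-on can be sketched in a few lines: each service evaluates a policy over disclosed attributes alone and never learns a stable identity, so the records held by different services share no common identifier. The policies and attribute names below are hypothetical examples.

```python
# Toy illustration of attribute-based access decisions (names are
# hypothetical). Each service checks only the attributes it needs;
# no service receives a name or other stable identifier.

def age_policy(attrs):
    """A video service only needs to know the user is an adult."""
    return attrs.get("age", 0) >= 18

def residency_policy(attrs):
    """A municipal service only needs to know the user's country."""
    return attrs.get("country") == "NL"

def grant_access(policy, disclosed_attrs):
    return policy(disclosed_attrs)

# The user discloses a different, minimal attribute set to each service:
assert grant_access(age_policy, {"age": 34})
assert grant_access(residency_policy, {"country": "NL"})
assert not grant_access(age_policy, {"age": 17})
```

Because the two disclosures contain no shared identifier, the services cannot straightforwardly link their records—the unlinkability property the text describes. (A real system would additionally use cryptographic credentials so the service can verify the attributes without the user overstating them.)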
4. Emerging technologies and our understanding of privacy
In the previous sections, we have outlined how current technologies may impact privacy, as well as how they may help to mitigate undesirable effects. However, future and emerging technologies may have an even more profound impact. Consider, for example, brain-computer interfaces. If computers are connected directly to the brain, not only behavioral characteristics but even one's thoughts are subject to privacy considerations: they run the risk of becoming public, with others basing decisions upon them. In addition, it could become possible to change one's behavior by means of such technology. Such developments therefore require further reflection on the reasons for protecting privacy. In particular, if brain processes could be influenced from the outside, autonomy would be a value to reconsider in order to ensure adequate protection.
Apart from evaluating information technology against current moral norms, one also needs to consider the possibility that technological changes influence the norms themselves (Boenink, Swierstra & Stemerding 2010). Technology thus influences privacy not only by changing the accessibility of information, but also by changing the privacy norms themselves. For example, social networking sites invite users to share more information than they otherwise might, and this “oversharing” becomes accepted practice within certain groups. Similar influences can be expected from future and emerging technologies, and they ought to be taken into account when trying to mitigate effects.
Another fundamental question is whether, given the future (and even current) level of informational connectivity, it is feasible to protect privacy by trying to hide information from parties who may use it in undesirable ways. Gutwirth & De Hert (2008) argue that it may be more feasible to protect privacy by transparency—by requiring actors to justify decisions made about individuals, thus insisting that decisions not be based on illegitimate information. This approach comes with its own problems, as it might be hard to prove that the wrong information was used for a decision. Still, citizens may in turn start collecting data on those who collect data about them, e.g., governments. Such “countersurveillance” or sousveillance may be used to gather information about the use of information, thereby improving accountability. The open source movement may also contribute to transparency of data processing. In this context, transparency can be seen as a pro-ethical condition contributing to privacy (Turilli & Floridi 2009).
It has been argued that the precautionary principle, well known in environmental ethics, might have a role in dealing with emerging information technologies as well (Pieters & van Cleeff 2009; Som, Hilty & Köhler 2009). The principle would see to it that the burden of proof for absence of irreversible effects of information technology on society, e.g., in terms of power relations and equality, would lie with those advocating the new technology. Precaution, in this sense, could then be used to impose restrictions at a regulatory level, in combination with or as an alternative to empowering users, thereby potentially contributing to the prevention of moral or informational overload on the user side. Apart from general debates about the desirable and undesirable features of the precautionary principle, challenges to it lie in its translation to social effects and social sustainability, as well as to its application to consequences induced by intentional actions of agents. Whereas the occurrence of natural threats or accidents is probabilistic in nature, those who are interested in improper use of information behave strategically, requiring a different approach to risk (i.e., security as opposed to safety). In addition, proponents of precaution will need to balance it with other important principles, viz., of informed consent and autonomy.
Finally, it is appropriate to note that not all social effects of information technology concern privacy. Examples include the effects of social network sites on friendship, and the verifiability of results of electronic elections. Therefore, value-sensitive design approaches and impact assessments of information technology should not focus on privacy only, since information technology affects many other values as well.
- Allen, A., 2011, Unpopular Privacy: What Must We Hide? Oxford: Oxford University Press.
- Anderson, R.J., 2008, Security Engineering: A guide to building dependable distributed systems, Indianapolis, IN: Wiley.
- Back, A., U. Möller, & A. Stiglic, 2001, “Traffic analysis attacks and trade-offs in anonymity providing systems”, in Information Hiding, Berlin: Springer, pp. 245–257.
- Bellman, S., E.J. Johnson, & G.L. Lohse, 2001, “On site: to opt-in or opt-out?: it depends on the question”, Communications of the ACM, 44(2): 25–27.
- Benevenuto, F., T. Rodrigues, M. Cha, & V. Almeida, 2012, “Characterizing user navigation and interactions in online social networks”, Information Sciences, 195: 1–24.
- Blaauw, M.J., 2013, “The Epistemic Account of Privacy”, Episteme, 10(2): 167–177.
- Boenink, M., T. Swierstra, & D. Stemerding, 2010, “Anticipating the interaction between technology and morality: a scenario study of experimenting with humans in bionanotechnology”, Studies in Ethics, Law, and Technology, 4(2): 1–38. doi:10.2202/1941-6008.1098
- Brey, P., 2005, “Freedom and privacy in ambient intelligence”, Ethics and Information Technology, 7(3): 157–166.
- Broenink, G., J.H. Hoepman, C.V.T. Hof, R. Van Kranenburg, D. Smits, & T. Wisman, 2010, “The privacy coach: Supporting customer privacy in the internet of things”, arXiv preprint 1001.4459 [available online].
- Cavoukian, A., 2009, Privacy by Design, Ottawa: Information and Privacy Commissioner of Ontario, Canada. [Cavoukian 2009 available online (PDF)].
- –––, 2010, “Privacy by Design: The Definitive workshop”, Identity in the Information Society, 3(2): 121–126.
- Clarke, R., 2009, “Privacy impact assessment: Its origins and development”, Computer Law & Security Review, 25(2): 123–135.
- Clarke, I., O. Sandberg, B. Wiley, & T. Hong, 2001, “Freenet: A distributed anonymous information storage and retrieval system”, in Designing Privacy Enhancing Technologies, Berlin: Springer, pp. 46–66.
- Dahl, J.Y. & A.R. Sætnan, 2009, “It all happened so slowly: On controlling function creep in forensic DNA databases”, International Journal of Law, Crime and Justice, 37(3): 83–103.
- Danezis, G., C. Diaz, & C. Troncoso, 2007, “Two-sided statistical disclosure attack”, in Proceedings of the 7th international conference on Privacy enhancing technologies, Berlin: Springer, pp. 30–44.
- DeCew, Judith Wagner, 1997, Pursuit of Privacy: Law, Ethics, and the Rise of Technology, Ithaca, NY: Cornell University Press.
- Dechesne, F., M. Warnier, & J. van den Hoven, 2013, “Ethical requirements for reconfigurable sensor technology: a challenge for value sensitive design”, Ethics and Information Technology, 15(3): 173–181.
- Delaune, S., S. Kremer, & M. Ryan, 2006, “Coercion-resistance and receipt-freeness in electronic voting”, in the Proceedings of the 19th IEEE Computer Security Foundations Workshop, IEEE Computer Society Press, pages 28–39. [Delaune et al. 2006 available online]
- Dingledine, R., N. Mathewson, & P. Syverson, 2004, “Tor: The second-generation onion router”, in Proceedings of the 13th conference on USENIX Security Symposium (Volume 13), Berkeley, CA: USENIX Association, pp. 303–320 [Dingledine et al. 2004 available online (pdf)]
- Douceur, J., 2002, “The Sybil attack”, in Peer-to-peer Systems, Berlin: Springer, pp. 251–260.
- Ellison, N. B., 2007, “Social network sites: Definition, history, and scholarship”, Journal of Computer-Mediated Communication, 13(1): 210–230.
- Evans, N.S., R. Dingledine, & C. Grothoff, 2009, “A practical congestion attack on Tor using long paths”, in Proceedings of the 18th conference on USENIX security symposium, Berkeley, CA: USENIX Association, pp. 33–50. [Evans et al. 2009 available online]
- Floridi, L., 2008, “Artificial intelligence's new frontier: Artificial companions and the fourth revolution”, Metaphilosophy, 39(4–5): 651–655.
- Friedewald, M. & O. Raabe, 2011, “Ubiquitous computing: An overview of technology impacts”, Telematics and Informatics, 28(2): 55–65.
- Friedman, B., P.H. Kahn, Jr, & A. Borning, 2006, “Value sensitive design and information systems”, in Human-computer interaction in management information systems: Foundations, P. Zhang & D. Galletta (eds.), Armonk: M.E. Sharp, 4.
- Gentry, C., 2009, “Fully homomorphic encryption using ideal lattices”, in Proceedings of the 41st annual ACM symposium on Theory of computing, ACM, pp. 169–178.
- Goyal, V., O. Pandey, A. Sahai, & B. Waters, 2006, “Attribute-based encryption for fine-grained access control of encrypted data”, in Proceedings of the 13th ACM conference on Computer and communications security, ACM, pp. 89–98.
- Gutwirth, S. & P. De Hert, 2008, “Regulating profiling in a democratic constitutional state”, in Hildebrandt and Gutwirth 2008: 271–302.
- den Haak, B., 2012, “Integrating user customization and authentication: the identity crisis”, Security & Privacy, IEEE, 10(5): 82–85.
- Heersmink, R., J. van den Hoven, N.J. van Eck, & J. van den Berg, 2011, “Bibliometric mapping of computer and information ethics”, Ethics and Information Technology, 13(3): 241–249.
- Hildebrandt, M., 2008, “Defining Profiling: A New Type of Knowledge?” in Hildebrandt and Gutwirth 2008: 17–45.
- Hildebrandt, M. & S. Gutwirth (eds.), 2008, Profiling the European Citizen: Cross-disciplinary Perspectives, Dordrecht: Springer Netherlands.
- Hoare, T., 2003, “The verifying compiler: A grand challenge for computing research”, in Proceedings of the 12th international conference on Compiler construction, Berlin: Springer, pp. 262–272.
- Hone, K. & J.H.P. Eloff, 2002, “Information security policy—what do international information security standards say?”, Computers & Security, 21(5): 402–409.
- van den Hoven, J., 1999, “Privacy and the Varieties of Informational Wrongdoing”, Australian Journal of Professional and Applied Ethics, 1(1): 30–44.
- –––, 2008, “Information technology, privacy, and the protection of personal data”, in Information technology and moral philosophy, J. Van Den Hoven and J. Weckert (eds.), Cambridge: Cambridge University Press, pp. 301–322.
- van den Hoven, J., G.J. Lokhorst, & I. Van de Poel, 2012, “Engineering and the problem of moral overload”, Science and engineering ethics, 18(1): 143–155.
- Ko, M.N., G.P. Cheek, M. Shehab, & R. Sandhu, 2010, “Social-networks connect services”, Computer, 43(8): 37–43.
- Krishnamurthy, B. & C.E. Wills, 2009, “On the leakage of personally identifiable information via online social networks”, in Proceedings of the 2nd ACM workshop on Online social networks, ACM, pp. 7–12.
- LeFevre, K., D.J. DeWitt, & R. Ramakrishnan, 2005, “Incognito: Efficient full-domain k-anonymity”, in Proceedings of the 2005 ACM SIGMOD international conference on Management of data, ACM, pp. 49–60.
- Loeckx, J., K. Sieber, & R.D. Stansifer, 1985, The foundations of program verification, Chichester: John Wiley & Sons.
- Matheson, David, 2007, “Unknowableness and Informational Privacy”, Journal of Philosophical Research, 32: 251–67.
- Mayer, J.R. & J.C. Mitchell, 2012, “Third-party web tracking: Policy and technology”, in Proceedings of the 2012 IEEE Symposium on Security and Privacy, IEEE, pp. 413–427.
- Michener, J., 1999, “System insecurity in the Internet age”, Software, IEEE, 16(4): 62–69.
- Nissenbaum, Helen, 2004, “Privacy as Contextual Integrity”, Washington Law Review, 79: 101–139.
- OECD, 1980, Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, OECD. [OECD 1980 available online]
- Palmer, D.E., 2005, “Pop-ups, cookies, and spam: toward a deeper analysis of the ethical significance of internet marketing practices”, Journal of Business Ethics, 58(1–3): 271–280.
- Pieters, W., 2011, “Explanation and trust: what to tell the user in security and AI?”, Ethics and Information Technology, 13(1): 53–64.
- –––, 2013, “On thinging things and serving services: technological mediation and inseparable goods”, Ethics and Information Technology, 15(3): 195–208.
- Pieters, W. & A. van Cleeff, 2009, “The precautionary principle in a world of digital dependencies”, Computer, 42(6): 50–56.
- Rössler, Beate (ed.), 2004, Privacies: Philosophical Evaluations, Stanford, CA: Stanford University Press.
- Rubel, Alan, 2011, “The Particularized Judgment Account of Privacy”, Res Publica, 17(3): 275–90.
- Ruiter, J. & M. Warnier, 2011, “Privacy Regulations for Cloud Computing: Compliance and Implementation in Theory and Practice”, in Computers, Privacy and Data Protection: an Element of Choice, S. Gutwirth, Y. Poullet, P. De Hert, and R. Leenes (eds.), Dordrecht: Springer Netherlands, pp. 361–376.
- Solove, D., 2006, “A Taxonomy of Privacy”, University of Pennsylvania Law Review, 154: 477–564.
- Som, C., L.M. Hilty, & A.R. Köhler, 2009, “The precautionary principle as a framework for a sustainable information society”, Journal of Business Ethics, 85(3): 493–505.
- Song, D.X., D. Wagner, & A. Perrig, 2000, “Practical techniques for searches on encrypted data”, in Proceedings of the 2000 IEEE Symposium on Security and Privacy, IEEE, pp. 44–55.
- Sweeney, L., 2002, “K-anonymity: A model for protecting privacy”, International Journal of Uncertainty, Fuzziness and Knowledge-Based Systems, 10(5): 557–570.
- Tavani, H.T., 2004, “Genomic research and data-mining technology: Implications for personal privacy and informed consent”, Ethics and Information Technology, 6(1): 15–28.
- Thomson, Judith Jarvis, 1975, “The Right to Privacy”, Philosophy and Public Affairs, 4: 295–314.
- Turilli, M. & L. Floridi, 2009, “The ethics of information transparency”, Ethics and Information Technology, 11(2): 105–112.
- Warren, Samuel D. & Louis D. Brandeis, 1890, “The Right to Privacy”, Harvard Law Review, 4(5): 193–220. [Warren and Brandeis 1890 available online]
- Westin, Alan F., 1967, Privacy and Freedom, New York: Atheneum.
Other Internet Resources
- Danezis, G. & S. Gürses, 2010, “A critical review of 10 years of Privacy Technology”.
- Gellman, R., 2014, “Fair information practices: a basic history”, Version 2.12, August 3, 2014, online manuscript.
- PCI DSS (= Payment Card Industry Data Security Standard), v3.0 (2013), Requirements and Security Assessment Procedures, PCI Security Standards Council, LLC.
- Richter, H., W. Mostowski, & E. Poll, 2008, “Fingerprinting passports”, presented at NLUUG Spring Conference on Security.
- Electronic Privacy Information Center.
- European Commission, Protection of personal data
- US Department of State, Privacy Act.