As always, Christopher Allen has an awesomely thorough post. This one is on privacy. I've mentioned before in my discussions on eurekster, that the balance between privacy and improved personalization on the web needs to be continuously questioned and addressed.
Chris takes a step back from "the how do we design our applications to protect people's privacy perspective" and categorizes the different types of privacy that need to be protected. He argues that there are four different types of privacy violation. He calls them, "defensive privacy, human-rights privacy, personal privacy, and contextual privacy."
He defines them in the following ways:
Defensive privacy is the first form: it's about protecting information about myself that makes me vulnerable or makes me feel at risk. This type of information can include things like my social security number, my credit report, or non-financial things such as my medical records or my home address. For some of my female friends this includes things like their photographs and email addresses. All of this information can be misused by other individuals or organizations in one way or another to mess up my life -- and in fact defensive privacy is usually centered around protecting this critical information from those singular individuals or organizations, be they con men, stalkers, or the Mafia. Most of the current privacy issues on the Internet seem to fall into this category. This form of privacy has also not fared well in the US courts -- for instance, in 1974 the Supreme Court decided that your bank records belong to the bank, to do with as they see fit.Closely intersecting defensive privacy is the category of human-rights privacy. When you are speaking with a European about privacy, this often is the type of privacy they are speaking of. This comes from their history: the Netherlands in the 1930s had a very comprehensive administrative census and registration of their own population, and this information was captured by the Nazis within the first three days of occupation. Thus Dutch Jews had the highest death rate (73 percent) of Jews residing in any occupied western European country -- far higher than the death rate among the Jewish population of Belgium (40 percent) and France (25 percent). Even the death rate in Germany was less then the Netherlands because the Jews there had avoided registration. (source: The Dark Side of Numbers). Human-rights privacy differs from defensive privacy in that it is about how governments can abuse information, rather then individuals abusing information. I used to feel safe about human-rights privacy in the US, that there was no way that what happened in Europe could happen here, but now I have lost such confidence because of Bush and Ashcroft.
The third kind of privacy, personal privacy, is more unique to the United States. It is what Supreme Court Justice Brandeis in 1890 called "the right to be left alone". This form of privacy is often what the more Libertarian-oriented founders of the Internet mean when they talk about privacy. Personal privacy covers things like the "do not call registry", the various rights to do as we please in our own houses -- such as view pornography or play S&M games with our partners -- and the general right to not be interrupted or interfered with unnecessarily at home. This form of privacy has more basis in US law; the concept is based on an interpretation of the First, Fourth, and Fifth amendments of the US Constitution, but is not explicitly defined there. However, this form of privacy is guaranteed by the State of California Constitution which assures residents that they may pursue and obtain safety, happiness, and privacy.
Finally, contextual privacy is what Danah Boyd calls the ickiness factor in her blog, and also in her post at Many-To-Many:
Ickiness is the guttural reaction that makes you cringe, scrunch your nose or gasp "ick" simply because there’s something slightly off, something disconcerting, something not socially right about an interaction.
This category is very difficult to define, and is easily confused with other forms of privacy, but I believe it has more to do with an inappropriate level of intimacy. An example of this is when I discovered that my professional colleagues on Orkut could see that I was in a committed relationship, and in turn I could see that some of them were in open marriages. I don't think there is very much harm that can come from this information being revealed, however, it was "icky" because it was an inappropriate level of intimacy for a professional context.All four of these forms of privacy can intersect -- for instance, Orkut allows you to reveal your sexual orientation, which could be used secretly by an employer to discriminate against you (defensive privacy), or by a future Ashcroftian government to violate your civil rights (human-rights privacy), might lead you to being bothered at home because of people who either agree with or disagree with your orientation (personal privacy), and often is inappropriate for casual professional acquaintances to be told about (contextual privacy).
I really really appreciate the thoroughness of his explanation of different reasons people have for keeping certain information private, as well as the historical and cultural perspective that is added in the definitions. However, I am unsure what help this categorization of different types of privacy have for designing software or social networking systems.
The underlying theme of all of the examples (or types) of privacy that Christopher Allen describes is that privacy is uniquely personal and private: Different people have different notions of privacy. Different people prefer to keep different things private. And different people like to keep private the fact that they'd like to keep certain things private from certain people.
Lets take a simple example. On the television show, Will & Grace, Will was dating a sport's television reporter. Will visited his partner in the locker room after a shoot. His partner was obviously very happy to see him and when the camera man was packing up, he was willing to flirt with Will. However, when the reporter's boss entered the room, and asked who Will was, the reporter responded that he was his brother. So, for the reporter, keeping private the fact that he was homosexual to certain people, but not to others was important. Also, in the case of the camera man, he wasn't making it explicit that he was gay, but certainly wasn't keeping it secret. On the othe hand, Will was more than willing to tell the reporter's boss that they were partners.
So, in Christopher's Orkut example of revealing sexual orientation, he explains that all of the different types of privacy can converge. Based on my Will & Grace example above, I would not try to define different types of privacy. Instead, I would say that different people would like to keep different things private. Included in that list of things, keeping private what you would like to keep private is also imperative.
I would argue that privacy is interpreted by everyone in a different way.
So, how do you design a system to enable everyone to maintain the level of privacy that they would like to maintain? Orkut and livejournal both take a stab at allowing you to define what pieces of information you make available to what groups. On Orkut, on specific pieces of content, you can choose who can see it from a predetermined list. The different groups are myself, friends, friends of friends and everyone.
I am not sure exactly how livejournal works. Anyone know?
At WhizSpark, we have taken a slightly different approach. We allow the user to make certain information public or private to them. This is available on each piece of content that they fill out in their profile. They can make it public for the world to see or they can keep it invisible from everyone. The reason that we collect certain information that they'd like to keep private, is so that we can enable transactions with our system. (ie email, address, etc) Further, we aren't collecting the detailed information that orkut or friendster collects.
As you can see, we've designed the system with privacy in mind since we aren't collecting as much information as the other social networking systems and since we allow everyone to hide the information from everyone else, thus avoiding encroaching on all of the types of privacy that Christopher mentioned. We also considered the following scheme:
The next step in designing a social networking system with privacy in mind, is to ultimately enable people to control who can see what on an individual relationship level. For example (using my Will & Grace example again), Will would let every person who knows him, as well as everyone he doesn't, to know his sexual orientation. He doesn't keep that private in his professional or private life. The reporter would allow Will (of course) to know his sexual orientation. He may allow the cameraman. And he wouldn't allow his boss. In order to keep it private from his boss that the cameraman is keeping his sexual orientation private, we would not show sexual orientation in his boss's view of his profile. Since Will, his boss and his co-worker cameraman would probably all be his "friends" on orkut's system, that system would not work for him. The only way to satisfy the tv reporter's privacy concerns would be to allow him to set it on an individual relationship level.
We considered building this in the next version of WhizSpark, soon to be released. However, it didn't make the final cut for new features. It's still on the table for the future. What do people think?
Recent Comments