Privacy is one of the most urgent issues associated with information technology and digital media. This book claims that what people really care about when they complain and protest that privacy has been violated is not the act of sharing information itself - most people understand that this is crucial to social life - but the inappropriate, improper sharing of information.
Arguing that privacy concerns should not be limited solely to concern about control over personal information, Helen Nissenbaum counters that information ought to be distributed and protected according to norms governing distinct social contexts - whether it be workplace, health care, schools, or among family and friends. She warns that basic distinctions between public and private, informing many current privacy policies, in fact obscure more than they clarify. In truth, contemporary information systems should alarm us only when they function without regard for social norms and values, and thereby weaken the fabric of social life.
Publisher: Stanford University Press
Edition description: New Edition
Product dimensions: 6.00(w) x 8.90(h) x 0.70(d)
About the Author
Helen Nissenbaum is Professor of Media, Culture and Communication, and Computer Science and Senior Fellow of the Information Law Institute at New York University. She is the coeditor of Academy and the Internet (2004) and Computers, Ethics, and Social Values (1995), and the author of Emotion and Focus (1985).
Read an Excerpt
PRIVACY IN CONTEXT: Technology, Policy, and the Integrity of Social Life
By Helen Nissenbaum
Stanford University Press
Copyright © 2010 Board of Trustees of the Leland Stanford Junior University
All rights reserved.
Chapter One: Keeping Track and Watching over Us
The world is filled with devices, systems, and devices embedded in systems that have been designed to notice, watch over, and follow people; to track their actions, take in their attributes, and sometimes simply be aware of their presence. The frequency with which we are monitored and tracked by any given system can vary enormously, from one time only to episodically or continuously, as long as we are in the scope of its sensorium. Although increasingly enabled by technology, monitoring and tracking is not a new addition to the range of human social activities. Nor is it necessarily mediated, as there are countless mundane ways in which people are tracked and monitored: teachers take attendance, parents watch toddlers in a park, and coaches keep track of athletes' performance. Further, although privacy concerns accompany many contemporary monitoring and tracking practices, this does not necessarily need to be a factor, as when physicians monitor the heart rates of their patients or Olympic judges scrutinize and evaluate athletes' routines.
Yet with advances in digital media we have witnessed a dramatic rise in technically mediated monitoring, often emerging as a first-round solution to a wide range of social needs and problems. Not only is there an increase in sheer frequency of technology-mediated monitoring and tracking but a resulting shift in its nature - automated, undiscriminating, and accommodating new subjects, monitors, and motives. Following at the heels of these changes, there is growing discomfort, suspicion, and perplexity. In this chapter a variety of devices and systems, currently in play or under consideration, that have surfaced in the general consternation over information technology and its threats to privacy are surveyed.
A word on terminology: the term surveillance is frequently used to cover much of what I discuss in this chapter. The reason I opt for monitoring and tracking instead is that surveillance is usually associated with a set of political assumptions; namely, that monitoring is performed "from above" as subjects of surveillance are monitored by those in authority or more powerful than them for purposes of behavior modification or social control as sought or determined by those conducting the surveillance. Although surveillance studies are an important neighboring field, my initial goal here is to describe a range of technology-based systems and practices ("socio-technical" systems) without simultaneously theorizing about the uses to which they are put.
Direct and Indirect Monitoring and Tracking
In some cases, monitoring is an explicit and intended feature of a system. In one familiar example, video surveillance (commonly called closed-circuit television, or CCTV in the United Kingdom), video-recording cameras are placed in strategic locations such as the workplace, airports, train and subway stations, public streets, squares and parks, shopping malls and stores, parking garages, and schools (Duong 2005). The CCTV cameras capture visual images, which may be viewed in real time on closed-circuit monitors, recorded and stored for later viewing, or communicated off-site via electronic networks. Cheaper equipment and advances in performance, combined with social and political drivers such as fear of crime and terror, have resulted in the proliferation of video surveillance to the extent that people going about their daily business in urban settings can expect to have their images monitored and recorded an average of 300 times a day by thirty separate CCTV systems (Rosen 2004). In the United Kingdom, an enthusiastic proponent of these systems, estimates suggest that close to one-fifth of the world's CCTV cameras are housed there, with more than 4.3 million installed as of 2004 (Frith 2004). Ongoing improvements in this technology offer higher-resolution images (2048 x 1536, or 3 megapixels) (Bodell 2007), more comprehensive coverage through greater range of camera motion and wider-angled lenses, digital encoding and compression techniques to enhance storage, ease of communication, and data processing.
Other modalities besides the visual serve as the basis for monitoring. Sound recording and wiretapping, with its long and controversial history, continue to make front-page news and to inspire court cases and legislation (Lichtblau and Risen 2005; "Spying on Americans" 2007; Lichtblau 2008). Less salient, although as much a part of the landscape, are computerized tracking systems that integrate motion, touch, light, and heat detection; chemical sensors primarily advanced for monitoring environmental conditions - which add another sensory dimension to the field (Estrin 2007); and systems based on the transmission of radio frequency signals that facilitate point-to-point communication between receivers and embedded transmitters. (The case of radio frequency identification [RFID] is discussed at length below.) In some cases, the trend is toward systems of networked sensors that are so small as to be imperceptible by humans, some even on the nanoscale (Wolfe 2003).
Although many existing and envisaged uses of sensor networks may hold no relevance for privacy, it takes no great leap of imagination to extrapolate from these to ones that do raise questions. One application, already a step beyond the laboratory, involves integrated monitoring systems incorporating a variety of sensing devices installed in homes. The positive potential of these systems in monitoring the elderly living on their own carries with it a worrying potential of intrusive surveillance in all homes. (Technologies advertised for in-home use for the elderly include ADT Security's QuietCare, SeniorSafe@Home, and iCare Health Monitoring [Larson 2007]; Intel, among other companies, is substantially investing in research in this area [Intel 2007].) Although constructed with benevolent, if paternalistic ends, the potential application to fine-grained multi-modal surveillance with more sinister, less legitimate ends is clear.
Information itself constitutes a modality for monitoring. Aptly captured by Roger Clarke's term dataveillance (1988), innumerable interactions and transactions can be monitored and tracked through the exchange, extraction, or capture of information. Border crossings; meticulously kept phone records; swipe-card entry points (e.g., subway turnstiles, proximity or "prox" cards ubiquitous at most U.S. college campuses and places of work); airport check-in counters; and purchases made with credit, debit, and frequent shopper cards capture a dynamic record of people's activities. Because doors, turnstiles, and store checkout registers are already points of restriction, seeping dataveillance has not radically altered how people experience these junctures. The difference is that in the move from lock-and-key and case to magnetic strip, these spaces have become points of information capture and passage; commercial transactions and travel are newly enriched with information.
In many instances, however, monitoring and tracking, particularly the mode we call dataveillance, is not the direct aim but an inadvertent consequence of some other goal for which a given system was originally designed. To give a few mundane examples, the convenience of paying with credit cards can provide evidence of a person's whereabouts; telephone bills primarily intended to extract payment provide information about a person's conversations; prox cards intended to provide security for student dorms enable tracking of their comings and goings; and fine-grain monitoring of usage patterns that provide utility companies with valuable information about load can also indicate the presence, absence, and general activities of building occupants. Manufacturers of consumer devices advertise "smart," networked appliances - refrigerators, toasters, and coffee machines - that can communicate with their owners, and presumably with third parties as well.
Mobile telephony is another instance of a system from which a secondary surveillance capacity has emerged. In order to function, cellular phones must connect with nearby communications towers. It followed from this technical imperative that phone companies would be able to comply readily with the 1996 mandate of the U.S. Federal Communications Commission requiring that a caller's location be determinable to within a radius of 50 to 300 meters for purposes of the "enhanced 9-1-1 emergency call system." This capacity, in turn, enables tracking of telephones (as long as they are on) and their owners to a fairly accurate degree, which raises a complicated set of issues regarding who ought to be allowed access to this information. The urgency of these matters is sure to escalate as new generations of cellular phones come equipped with Global Positioning Systems (GPS), allowing for far more accurate pinpointing of location by GPS service providers, not in an obvious way regulated under the policy rubric governing traditional telecommunications providers.
Although this scenario suggests a classic surveillance relationship in which individual phone subscribers are monitored by powerful, centralized, institutional actors - private and government - mobile telephony has provided a platform for "democratizing" tracking capabilities and, in some instances, even turning the tables. For example, worried parents can subscribe to a service Verizon calls "Chaperone" to keep track of their children's whereabouts. Further, as an inadvertent consequence of equipping the devices themselves with video and still cameras ("cameraphones"), individuals are equipped to monitor and track one another as well as authorities, offering a glimmer of hope at a more level playing field while fueling the worry that watchful eyes are now inescapable.
Public roadways constitute a telling case of the gradual transformation - still under way - of a venue from one in which monitoring and tracking were largely absent to one in which these processes seem increasingly transparent. This state of affairs follows from the incursion of a diverse range of technical devices and systems either designed explicitly for monitoring and tracking or that allow for monitoring and tracking as an indirect consequence of their primary functionalities.
Public roadways have not been entirely free of social control through monitoring, as driving has required operators' licenses and vehicle ownership has demanded registration with state authorities as well as insurance coverage. Over time, however, incremental changes made and under way imply even closer scrutiny of driving and drivers not only at critical junctures, such as when obtaining and renewing a driver's license, but continuously as one drives. Roadway and bridge tolls, for example, previously paid in cash, are increasingly extracted via automated credit or debit payments. Toll plazas, equipped with RFID systems, log the passage of registered vehicles and deduct payment from an account, typically replenished via credit card payment, which in turn constitutes a point of tracking. Surprised drivers share anecdotes about speeding citations arriving in the mail, based on driving times clocked between plazas A and B, uncertain over the rules, if any, governing information accrued at these toll points.
Other systems that monitor drivers include so-called black boxes. Many people know about black boxes in aircraft, often discussed in the context of air crash investigations, but most of us are unaware of their presence in cars. Originally installed in 1974 to help with the deployment of airbags, these boxes, called event-data recorders or electronic data recorders (EDRs), record general telemetry data such as engine speed, safety belt status, status of brakes during a crash, and acceleration. The precise number of EDRs is not known because while the National Highway Traffic Safety Administration (NHTSA) and the United States Department of Transportation (DOT) ruled in 2006 that automakers must inform consumers that EDRs are installed in vehicles, this ruling applies only to cars manufactured after September 2010 (DOT and NHTSA 2007). While the use of EDR data as evidence in court has been controversial because its accuracy has been questioned, there also has been debate about its admissibility on the grounds that it constitutes an unacceptable invasion of privacy, particularly because drivers are currently not usually informed that EDRs are installed in their automobiles (DOT and NHTSA 2004; Zetter 2005).
The use of GPS navigation systems installed in private vehicles, whose primary function is to direct drivers to their desired destinations, may allow cars and drivers to be tracked, depending on their design. Some systems have allowed police departments to trace stolen vehicles and rental companies to track vehicles and ensure that drivers have complied with company rules (Ramasastry 2005).
On the roads, networked cameras supplement video surveillance systems located in more typical sites, such as public parks and shopping malls. In the United States, cameras are commonly installed at traffic lights to detect and identify red light offenders. In the United Kingdom, automatic number plate recognition (ANPR) systems operating along national roadways, on roadside posts, in police cars, or at gas stations capture and identify number plate images on camera. At least 50 million number plate images per day are centrally processed by the National ANPR Data Center within the Police National Computer in London (Ballard 2006). The ANPR system not only instantly recognizes number plates, enabling interception of targeted vehicles (such as those known to have been involved in a crime), but is capable of tracking the progress of single vehicles along an entire journey by means of date/time stamps and linked GPS data (Evans-Pugh 2006).
Looking into the future, a planning initiative launched under the aegis of the DOT's Vehicle Infrastructure Integration program aims to harness wireless communication technology to promote safety and efficiency in traffic flow rather than aiding law enforcement. One project proposed by this initiative is the construction of a vehicle safety communication (VSC) system, which could also result in comprehensive monitoring of cars on the roadways. Still in planning, the VSC system would equip every motor vehicle with devices capable of transmitting and receiving data to and from roadside units and to other vehicles equipped with similar devices. Vehicles and roadside units would form autonomous, self-organizing, point-to-multipoint, ad hoc, peer-to-peer communications networks able to transmit time- and date-stamped data at a rate of ten messages per second to one another about their respective location, sudden stops or swerves, vehicle speed, and other telemetry data. Drivers (and their cars) could be warned about hazardous road conditions, imminent collisions, upcoming traffic lights, sharp curves, oncoming traffic for left turns, imminent lane changes, or merely congestion.
Although the explicit purpose of the system is to increase safety on the roads, countless design decisions could potentially determine not only its functional efficacy in meeting explicit primary purposes but supporting features as well. One such feature is security. Communication and data requirements designed with the primary goal of road and vehicle safety might make systems vulnerable to security threats, such as inauthentic or bogus messages like spurious "clear the way" signals to ambient traffic from vehicles posing as emergency vehicles. One way to build assurances that data originates from authentic sources into the system is to include some form of identification in the communications protocol. But, depending on how identification is implemented, the inadvertent result could be a comprehensive and inescapable system of monitoring and tracking on the roads. Recognizing this danger, some security experts have offered preliminary approaches to building secure systems that meet functional requirements while maintaining anonymity. Although, at the time of writing, no final decisions have been publicly announced, approaches that emphasize both security and anonymity are not prevailing. In other words, the worry that a well-intentioned roadway safety communication system could turn into a powerful tool for monitoring and tracking seems less salient to interests of law enforcement and private enterprise in a system with effective and transparent identification.
Excerpted from PRIVACY IN CONTEXT by Helen Nissenbaum. Copyright © 2010 by Board of Trustees of the Leland Stanford Junior University. Excerpted by permission.
All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.
Excerpts are provided by Dial-A-Book Inc. solely for the personal use of visitors to this web site.
Table of Contents
Part I Information Technology's Power and Threat
1 Keeping Track and Watching over Us
2 Knowing Us Better than We Know Ourselves: Massive and Deep Databases
3 Capacity to Spread and Find Everything, Everywhere
Part II Critical Survey of Predominant Approaches to Privacy
4 Locating the Value in Privacy
5 Privacy in Private
6 Puzzles, Paradoxes, and Privacy in Public