Recomendaciones • Continuar fortaleciendo las estrategias

Privacy is an ever-evolving concept with myriad, and often conflicting, defin- itions and applications. Warren and Brandeis’ late 19th century definition of privacy as “the right to be left alone” [137] informed substantial public de- bate about privacy throughout the next century, in a culture where technology risked exposing the lives of the individual to the masses. Rejecting the breadth of this definition, Gavison defines privacy as concern for limited access to the self: the extent to which we are known, physically accessible, or the subject of others’ attention [35], and rejects the notion that privacy is a form of control over information, as articulated by Westin [138].

The difficulty in arriving at a definition of privacy which is sufficiently ex- pressive but not overly broad remains an open problem. In this thesis, we ad- opt the principle of privacy as a form of maintaining limited access to the self, however this is insufficent to measure the privacy impacts of a process, and to recommend best practices to mitigate these impacts. Solove proposed a tax- onomy of privacy which models the relationship between the data subject and data holders, and the role of information collection, processing, dissemination, and potential invasion [117]. Solove’s framework is intended to help broaden the understanding of privacy violations and their impacts, but is not comprehens- ive enough to identify and mitigate issues in individual processes. We therefore assess the applicability of a conceptual framework for identifying and resolving privacy breaches. Our focus in studying SNSs is to consider the ethical and pri- vacy implications of the study of such systems, as well as the issues associated with the design of the systems themselves. Therefore, we adopt contextual in- tegrity, a theoretical framework proposed by Nissenbaum [100] for considering information privacy. Avoiding the narrow definitions of her contemporaries, Nissenbaum does not define privacy so much as propose a model for identify- ing the source and impact of privacy violations. She argues that information is not inherently public or private, but governed by context-specific norms, which determine to whom it is appropriate for information to be transmitted to, and

for what purpose. Individuals, organisations, and sections of society each have their expectations about what constitutes the appropriate flow of information, and any actor can perceive a privacy violation if these expectations are not met. For example, in order to receive a diagnosis for a medical condition, a patient accepts that they must communicate sensitive information about their health to a doctor. The information might generally be considered “private”, but both actors have an understanding of the norms governing this sharing of inform- ation, and thus there is no privacy violation. If, however, that doctor was to subsequently gossip about this condition to someone else, the expectations of the patient have been violated, and so has their privacy.

Self-reported scales are often used to capture people’s qualitiative concern about information-sharing practices. Westin’s privacy indexes have been used in a number of studies [72] to show emerging concerns in domains such as consumer and medical privacy, since the early 1990s. Concern about the rise of direct marketing and, later, online information collection, led to the de- velopment of domain-specific models such as the Internet Users’ Information Privacy Concerns (IUIPC) scale [82]. These scales are attractive because they provide a means of operationalising an inherently difficult concept such as pri- vacy. In this thesis, however, we choose to adopt contextual integrity as our model for studying privacy issues rather than some of these extensively stud- ied and validated scales, as they are focused on the individual’s perception of privacy violation, which can be difficult to assess where information collection and processing is unseen or too complex for laypeople to articulate. In addition, these scales are not sufficient for identifying the source of a privacy breach, or the wider societal impacts of these practices. As such, contextual integrity’s at- traction is that it provides a vocabulary for examining and mitigating the issues with emerging systems.

Decision heuristic

To aid the analysis of information-sharing practices with contextual integrity, Nissenbaum provides a nine-step “decision heuristic” to analyse the signific- ant points of departure created by a new process, thus determining if the new practice represents a potential violation of privacy. The first six steps involve modelling the existing and new contexts, allowing a prima facie judgement to be rendered as to whether the new process significantly violates the entrenched norms of the context. The final steps of the heuristic involve a wider examin- ation of the moral and political implications of the process to make a recom- mendation as to whether the new practice should be adopted. These steps are as follows:

1. Describe the new practice in terms of its information flows.

2. Identify the prevailing context in which the practice takes place, which should be suitably broad such that the impacts of any nested contexts can be considered.

3. Identify the subjects, senders, and recipients of information.

4. Identify the transmission principles: the conditions under which inform- ation ought (or ought not) to be shared between parties. These might be social or regulatory constraints, such as the expectation of reciprocity when friends share news, or the obligation for someone with a duty of care to report when their ward is in danger.

5. Identify any applicable entrenched informational norms in the context, and identify any points of departure the new practice introduces.

6. Making a prima facie assessment: there may be a violation if there are discrepancies in these parameters, or if there are incomplete normative structures in the context to support the new practice.

it affect people’s freedom or autonomy, impact on power structures, justice, or the execution of democracy?

8. How does the new practice affect the goals or values of the prevailing con- text? If there were any implications identified in the previous step, how do they effect the goals of this context?

9. Finally, make a determination as to whether the new process violates con- textual integrity based on a consideration of these wider factors.

As a diagnostic tool, the decision heuristic further supports our decision to study privacy with contextual integrity, as it provides a consistent mechanism for assessing the impacts of an emerging process, which consumer-focused privacy scales do not extend to.