protectionpersonaldataright[Note: this is an early draft of the second section of a paper I’m working on titled ‘Who Gives a Tweet about Privacy’ and builds from an earlier posted section titled ‘Privacy, Dignity, Copyright and Twitter‘ Other sections will follow as I draft them.]

Towards a Statutory Notion of Privacy

Whereas Warren and Brandeis explicitly built a tort claim to privacy (and can be read as implicitly laying the groundwork for a right to privacy), theorists such as Alan Westin attempt to justify a claim to privacy that would operate as the bedrock for a right to privacy. Spiros Simitis recognizes this claim, but argues that privacy should be read as both an individual and a social issue. The question that arises is whether or not these writers’ respective understandings of privacy capture the normative expectations of speaking in a public space, such as Twitter; do their understandings of intrusion/data capture recognize the complexities of speaking in public spaces and provide a reasonable expectation of privacy that reflects people’s interests to keep private some, but not all, of the discussions they have in public?

Westin asserts that privacy is “the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to others” (Westin 1970: 7). Each relationship is judged on its own merits, with individuals potentially providing different information to their various communicative partners. Within the range of social relationships that individuals are caught within there are ongoing adjustments to ‘balance’ one’s sociality and reclusiveness. Westin argues that claims to balancing sociality and reclusiveness are manifest throughout the natural world, from relationships between wild animals, to primitive societies, to contemporary modern societies. While there are differences in the particular instantiations of privacy norms in each human society, such norms are broadly captured across all societies as:

  1. Individual and group norms.
  2. Norms that differentiate between privacy and the total absence of other presences.
  3. Normative understandings of what constitute appropriate curiosity for understanding reality and appropriate degrees of surveillance for maintaining social order.
  4. Norms that demonstrate increasingly sophisticated expectations of anonymity that correspond with the shift from thick to thin social bonds.

The common mode of realizing when a privacy claim is being contested is when we experience an unwarranted or undesired intrusion on our sensory fields (Westin 1970: 30). Such intrusions occur when we unsuccessfully try to make one of the claims listed below, and instead find ourselves subject to forced disclosure(s) of personal factoids, to intrusive surveillance, or to having our communications republished without our consent. The claims to privacy that we make are:

  1. Solitude – where we try to separate ourselves from our social group.
  2. Intimacy – where we act in small groups to experience mental release.
  3. Anonymity – where we enter large groups without providing our identity to engage in self-reflection in a space free of surveillance and identification.
  4. Psychic reserve – where we limit communications with others to provide a claim to privacy even in an intense relationship.

Individuals and organizations alike make these four claims, and each is subject to the aforementioned modes of intrusion. Within a public domain, we might expect to enjoy intimacy by secluding a group from the larger public (e.g. a table in a bar), anonymity by crossing into a digital space using a pseudonym to learn and reflect on choices, and psychic reserve by not disclosing our full life-history in a public space, such as a grocery store. In terms of a public communicative space, what would it mean to enjoy privacy when using Twitter?

Presumably, members of such public environments would not be attempting to seclude themselves from others. They could be engaging in an intimate conversation similar to a discussion in a bar and, given the high noise-to-signal ratio, they might have an expectation of talking without likely being unduly disturbed or surveyed. Despite this hope for intimacy, however, Twitter emphases sharing/reposting other people’s comments, which makes it dubious that an unwarranted republication/retweeting would constitute a substantive infringement on an intimacy-based claim to privacy. At the same time, we might wonder if it is possible for an individual to realize another party is paying more attention to a conversation occurring in public than is socially acceptable without them retweeting a comment.

Without full recourse to the sensory fields we have depended on to notice contestations of our claims to privacy we may not register moments of identification and surveillance, though per Westin’s categories identification and surveillance would infringe on claims to anonymity. While Westin is trying to carve out a claim or right to privacy (he asserts a claim at the beginning of the text, but this claim seems to shift towards a right to privacy in the third chapter) grounded in historical and anthropological evidence, we are left wondering how exactly we would register a challenge to a privacy claim where our centuries-honed senses are of minimal assistance in determining whether someone has invaded our fields. Ultimately, while Westin does note what conditions we would base a reasonable expectation of privacy on, we are left without a clear idea of how to recognize when our expectations are not being met in a digital communicative domain such as Twitter. His work seems well suited for developing a statutory claim to privacy, but less suited for digitized public environments where identifying privacy breeches is largely possible only when another person engages with the norms of the same environment (i.e. reposting another person’s comment(s)).

Turning to Simitis, a former German data protection commissioner, we can learn how a regulator may want to instantiate Westin’s claim to privacy in law. By approaching privacy as the right to control one’s personal data, Simitis transforms the issue from an abstract theoretical argument that is true across time to one that is better “aware of the political and social background” motivating privacy debates (Simitis 1987:709). Privacy is not only something of value to the individual, but is critical to healthy democracies as well. To contextualize the contemporary privacy discussion, he notes three differences born of technology that differentiate contemporary privacy discussions from those of Warren and Brandeis.

  1. Privacy considerations express conflicts affecting everyone, not just individuals.
  2. Exceptionally high-quality surveillance has become normal.
  3. Personal information is increasingly used to enforce standards of behavior (Simitis 1987: 709-10).

Simitis focuses on the exchange of personal information as the source of privacy problems and, as a result of behavioral analysis and vast data gathering instruments, whole populations are now typically targeted instead of just specific individuals. In the face of this vast data collection assemblage, privacy violations can be limited by establishing regulatory controls which govern how and why personal information is disseminated (Simitis 1987: 737). Given the capacity of government and business alike to shape citizens’ interests, and his concern that such shaping undermines individuals’ abilities to independently make decisions and take actions (Simitis 1987: 733), we would expect Simitis to agree with Daniel Solove’s argument that a set of data points can be used to develop the equivalent of a digital Seurat painting, with the individual citizen as the painting’s subject. Unlike Solove, however, Simitis is working from the position that sufficient regulation along with an independent data commissioner might actually limit the free-flowing retransmission of personal data and thus limit who can legitimately generate such digital paintings. A strong regulatory body with the following characteristics must be established if individuals’ privacy is to be secured, and this will also preventing infringements on citizens’ constitutional rights and thus shield the nation-state’s constitutional foundations from damages. The regulatory body must:

  1. Recognize the unique nature of personal information.
  2. Ensure that data collectors explicitly note what collected personal data will be used for.
  3. Interpret existing regulations fluidly and can quickly develop new regulations in order to keep up with changes in technology.
  4. Operate independently of the legislature and be able to rapidly respond to data transmission and retention problems.

In terms of speaking in public, when surveillance assemblages capture personal data and transmit it automatically there is a danger the social actors will regulate their actions in accordance with popular norms and thus stymie the growth or maintenance of the democratic state. While a network such as Twitter does recognize that individuals ‘control’ their own data, it is now an accepted norm of the Internet that web spiders from major search engines categorize particular pages based on their apparent content and keywords. Contextualized advertising systems may inspect tweets to identify keywords and deliver advertisements based on those words. In both of these cases, there is a collection/observation of personal data accompanied by a transmission of elements of that data to a foreign server. As a result of categorizing the web content it is possible that a particular group of people may be more likely to find your tweets, or delivered particular advertising. In both cases it is possible, and common, for spiders and advertising systems to misidentify keywords, miscategorize web content, and potentially embarrass individuals based on the categories their content is found in and the advertising delivered alongside their content. In the face of these ‘risks’ should data collectors be required to clearly note what any collected data will be used for and, if so, how is this notification performed? Is agreeing to an End User License Agreement (EULA) sufficient to waive your privacy claims in relation to particular third-party data collection and use? These are the kinds of questions that Simitis’ regulatory body would be pressed to engage with.

Furthermore, do individuals have a reasonable expectation to privacy over the entirety of what they tweet, or only on particularly revealing tweets that clearly contain personal data? If someone tweets “loving Ouch,” this is practically meaningless unless a data collector can associate ‘Ouch’ with the DJ N-Dubz. At the same time, “feeling lost after my abortion” is both revealing, arguably addresses a very personal matter, and could be used to injure the person’s reputation if the information were captured, analyzed, and transmitted in inappropriate ways. Given the vast quantities of information divulged in public discourse on Twitter, what heuristic would effectively identify personal information versus noise? How could a regulatory body hope to monitor the enormous amount of personal data that is placed online every day and how individuals and groups subsequently survey and analyze the data?

Effectively, the challenge with Westin’s claim to privacy and Simitis’ regulatory instantiation of it is that privacy becomes something that we have and is affected by the outside – surveillance ‘takes away’ one’s privacy and it is up to a data regulatory to limit how much privacy an individual loses. Further, these regulators are expected to identify appropriate reparations when invasions have taken place, both to compensate the individual and to associate costs with infringements or violations of core democratic rights. We are left wondering, however, whether capturing personal information without any intent to use it to damage a person’s reputation – data may just be collected as part of a data accumulation project (e.g. the Internet Archive) – constitutes an infringement on an individual’s privacy. Given the sheer quantity of surveillance instruments that watch what individuals do in their virtualized lives in Cyberspace, and these instruments’ key role in structuring digital environments, should we be quick to restructure the very foundation of how the ‘net has evolved to work to facilitate the ownership or control of personal space and data? Given the norms of digital networks such as Twitter, which emphasis sharing and collective knowledge development, is a control metaphor accompanied by a strong regulatory body well suited for developing a ‘reasonable expectation of privacy’ in Cyberspace? I would suggest that they are not, at least not as presented by these texts. As we will see in subsequent sections, contextualized understandings of social relationships and privacy norms facilitate nuanced understandings of what individuals expect o remain private online – the challenge for theorists such as Nissenbaum will be translating these insights into actionable principles and guidelines that data and privacy commissioners can use to perform their tasks.

References

Westin, Alan (1970). Privacy and Freedom. Chs. 1-3.

Spiros Simitis, “Reviewing Privacy in the Information Society,” 1987.  University of Pennsylvania Law Review 135: 707-46.