Privacy As Contextual Integrity: Abstract: The Practices of Public Surveillance, Which Include The Monitoring of
Privacy As Contextual Integrity: Abstract: The Practices of Public Surveillance, Which Include The Monitoring of
Privacy As Contextual Integrity: Abstract: The Practices of Public Surveillance, Which Include The Monitoring of
Helen Nissenbaum*
I. INTRODUCTION
*
Associate Professor, Department of Culture & Communication, New York University, East
Building 7th Floor, 239 Greene Street, New York, New York 10003. E-mail address:
[email protected].
Many people and institutions have inspired and helped me in this endeavor, beginning with the
Institute for Advanced Study, School of Social Sciences, where I wrote and presented early drafts.
119
NISSENBAUMFINAL 2/17/2004 1:10 PM
Drafts were further sharpened through opportunities to present at colloquia and workshops held at
the New Jersey Bar Association, Princeton University’s Program in Law and Public Affairs,
University of British Columbia, University of California, San Diego, University of Maryland,
University of Washington, and the Social Science Research Council. Colleagues who have shared
essential insights and expertise include Grayson Barber, Rodney Benson, Aaron Goldberg, Jeroen
van den Hoven, Natalie Jeremijenko, Bob Salmaggi, Bilge Yesil, and Michael Walzer. I received
outstanding research and editorial assistance from Danny Bloch, Rachel Byrne, and Brian Cogan.
Grants from the Ford Foundation (Knowledge, Creativity, and Freedom Program) and National
Science Foundation (SBR-9729447 and ITR-0331542) have supported my research as well as the
writing of this Article.
1. See Helen Nissenbaum, Protecting Privacy in an Information Age: The Problem of Privacy in
Public, 17 LAW & PHIL. 559 (1998).
2. See Robert Gellman, Public Records—Access, Privacy, and Public Policy: A Discussion
Paper, 12 GOV’T INFO. Q. 391 (1995) (noting that restrictions do apply on access to government
records). The point here is whether any changes are necessary in the transition from paper-based
access to online access to these records.
120
NISSENBAUMFINAL 2/17/2004 1:10 PM
3. It is important to note that we are not adopting a deterministic model either of technological
development or of technology’s impact on society. When we say that a technological development
or an application of technology has had particular results, we assume an undeniably complex
backdrop of social, political, economic, and institutional factors that give meaning, momentum, and
direction to observed outcomes.
121
NISSENBAUMFINAL 2/17/2004 1:10 PM
4. See Samuel D. Warren & Louis D. Brandeis, The Right to Privacy, 4 HARV. L. REV. 193
(1890).
5. See LAURA J. GURAK, PERSUASION AND PRIVACY IN CYBERSPACE: THE ONLINE PROTESTS
OVER LOTUS MARKETPLACE AND THE CLIPPER CHIP (1997). Another case that has touched off a
flurry of concern and protest is profiling of online advertising companies, such as Doubleclick, that
monitor the online web-surfing behaviors of millions of users, frequently merging online records
with other information about these users. See the website of the Electronic Privacy Information
Center for a full account of this case at http://www.epic.org (last visited Jan. 17, 2004).
6. See Nissenbaum, supra note 1.
7. See, e.g., JULIAN ASHBOURN, THE BIOMETRIC WHITE PAPER (1999), available at
http://www.jsoft.freeuk.com/whitepaper.htm; Colin J. Bennett, Cookies, Web Bugs, Webcams, and
Cue Cats: Patterns of Surveillance on the World Wide Web, 3 ETHICS & INFO. TECH. 197 (2001);
Roger A. Clarke, Human Identification in Information Systems: Management Challenges and Public
Policy Issues, INFO. TECH. & PEOPLE, Dec. 1994, at 6, available at
http://www.anu.edu.au/people/Roger.Clarke/DV/HumanID.html; Linda Greenhouse, Justices Say
Warrant Is Required in High-Tech Searches, N.Y. TIMES, June 12, 2001, at A1; Alice McQuillan &
James Rutenberg, E-ZPass Slows Those Trafficking in Wrong, DAILY NEWS, Nov. 3, 1997, at 3, 49.
8. See PRISCILLA M. REGAN, LEGISLATING PRIVACY: TECHNOLOGY, SOCIAL VALUES, AND
PUBLIC POLICY (1995) (providing a rich reading of many interest based privacy disputes during the
122
NISSENBAUMFINAL 2/17/2004 1:10 PM
period roughly from 1890 through 1991); see also SUSANNAH FOX, THE PEW INTERNET & AM. LIFE
PROJECT, TRUST AND PRIVACY ONLINE: WHY AMERICANS WANT TO REWRITE THE RULES (2000)
(survey of popular privacy preferences), available at
http://www.pewinternet.org/reports/pdfs/PIP_Trust_Privacy_Report.pdf; JOSEPH TUROW,
ANNENBURG PUB. POLICY CTR. OF THE UNIV. OF PA., AMERICANS & ONLINE PRIVACY: THE
SYSTEM IS BROKEN (2003) (survey of popular privacy preferences), available at
http://www.asc.upenn.edu/usr/jturow/internet-privacy-report/36-page-turow-version-9.pdf.
9. This is in contrast with the case of Lotus Marketplace: Households, where privacy advocates
arguably “won” but not in a precedent setting way in the current landscape of data collection,
aggregation, and analysis.
10. This is sometimes called “constitutional privacy.” For discussion of the full picture and
opposing views, see ANITA L. ALLEN, UNEASY ACCESS: PRIVACY FOR WOMEN IN A FREE SOCIETY
(1988); JUDITH WAGNER DECEW, IN PURSUIT OF PRIVACY: LAW, ETHICS, AND THE RISE OF
TECHNOLOGY (1997); Ruth Gavison, Privacy and the Limits of Law, 89 YALE L.J. 421 (1980).
123
NISSENBAUMFINAL 2/17/2004 1:10 PM
124
NISSENBAUMFINAL 2/17/2004 1:10 PM
This principle comes into play when questions arise about intrusions
by agents of government (or government agencies or representatives)
who are accused of acting overzealously in collecting and using personal
information. This principle can be understood as a special case of the
powerful, more general principle of protecting individuals against
unacceptable government domination. Privacy is thus protected by
reference to general, well-defined, and generally accepted political
principles addressing the balance of power, which, among other things,
set limits on government intrusiveness into the lives and liberty of
individuals. Data gathering and surveillance are among many forms of
government action in relation to individuals needing to be stemmed.
In the United States, the Constitution and Bill of Rights20 provide
what is probably the most significant source of principles defining limits
125
NISSENBAUMFINAL 2/17/2004 1:10 PM
21. I refer very generally to core political works that have shaped contemporary, liberal
democracies. See, e.g., THOMAS HOBBES, LEVIATHAN (C.B. Macpherson ed., Penguin Books 1981)
(1951); JOHN LOCKE, THE SECOND TREATISE OF GOVERNMENT (Thomas P. Peardon ed., Macmillan
Publ’g Co. 1986) (1690); JOHN STUART MILL, ON LIBERTY (Gertrude Himmelfarb ed., Penguin
Books 1982) (1859); JEAN-JACQUES ROUSSEAU, THE SOCIAL CONTRACT (Maurice Cranston trans.,
Penguin Books 1968) (1762).
22. For discussions of the trend toward increasing reliance upon computerized record-keeping
systems by government and other agencies, see, for example, COLIN J. BENNETT, REGULATING
PRIVACY: DATA PROTECTION AND PUBLIC POLICY IN EUROPE AND THE UNITED STATES (1992);
DAVID BURNHAM, THE RISE OF THE COMPUTER STATE (1983); DAVID H. FLAHERTY, PRIVACY AND
GOVERNMENT DATA BANKS: AN INTERNATIONAL PERSPECTIVE (1979); KENNETH C. LAUDON,
DOSSIER SOCIETY: VALUE CHOICES IN THE DESIGN OF NATIONAL INFORMATION SYSTEMS (1986);
GARY T. MARX, UNDERCOVER: POLICE SURVEILLANCE IN AMERICA (1988); REGAN, supra note 8;
JAMES B. RULE, PRIVATE LIVES AND PUBLIC SURVEILLANCE (1973); Richard P. Kusserow, Fighting
Fraud, Waste, and Abuse, 12 BUREAUCRAT 23 (1983); James B. Rule et al., Documentary
Identification and Mass Surveillance in the United States, 31 SOC. PROBS. 222 (1983).
126
NISSENBAUMFINAL 2/17/2004 1:10 PM
127
NISSENBAUMFINAL 2/17/2004 1:10 PM
This principle does not focus on who the agent of intrusion is but on
the nature of information collected or disseminated—protecting privacy
when information in question meets societal standards of intimacy,
sensitivity, or confidentiality. Capturing the notion that people are
entitled to their secrets, this principle finds robust support in scholarship
developed from a variety of disciplinary perspectives, is well entrenched
in practical arenas of policy and law, and is frequently raised in privacy
deliberations in public or popular arenas. Several prominent
philosophical and other theoretical works on privacy hold the degree of
sensitivity of information to be the key factor in determining whether a
privacy violation has occurred or not. These works seek to refine the
category of so-called “sensitive information” and explain why the
sensitivity of information is critical in defending privacy against
countervailing claims.32
29. SEC’Y’S ADVISORY COMM. ON AUTOMATED PERS. DATA SYS., U.S. DEP’T OF HEALTH, EDUC.
& WELFARE, RECORDS, COMPUTERS, AND THE RIGHTS OF CITIZENS (1973) [hereinafter RIGHTS OF
CITIZENS], available at http://aspe.os.dhhs.gov/datacncl/1973privacy/tocprefacemembers.htm.
There is no doubt that security worries following the September 11 attacks have lessened the
dominance of public resistance to overly intrusive government agencies in lives of individuals, as
seen in general willingness to accept legislation like the PATRIOT Act. Uniting and Strengthening
America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA
PATRIOT) Act of 2001, Pub. L. No. 107-56, 115 Stat. 272.
30. RIGHTS OF CITIZENS, supra note 29.
31. Id.
32. See, e.g., RAYMOND WACKS, PERSONAL INFORMATION: PRIVACY AND THE LAW (1989)
(devoted almost entirely to establishing the foundational definition of “sensitive information”);
128
NISSENBAUMFINAL 2/17/2004 1:10 PM
Behind this principle is the simple and ages-old idea of the sanctity of
certain spaces or, more abstractly, places.39 For example, “a man’s home
is his castle”—a person is sovereign in her own domain. Except when
there are strong countervailing claims to the contrary, this principle
apparently endorses a presumption in favor of people shielding
themselves from the gaze of others when they are inside their own
Charles Fried, Privacy, 77 YALE L.J. 475 (1968) (arguing for protection of a socially determined
kernel of sensitive information); Tom Gerety, Redefining Privacy, 12 HARV. C.R.-C.L. L. REV. 233
(1977) (limiting privacy rights to information that is sensitive); William Parent, Privacy, Morality,
and the Law, 12 PHIL. & PUB. AFF. 269 (1983).
33. 20 U.S.C. § 1232(g) (2000).
34. 12 U.S.C. §§ 3401–3422.
35. 18 U.S.C. § 2710.
36. 42 U.S.C. §§ 1320d–1320d-8.
37. William L. Prosser, Privacy, 48 CAL. L. REV. 383, 389 (1960).
38. Warren & Brandeis, supra note 4, at 216.
39. Michael R. Curry, Discursive Displacement and the Seminal Ambiguity of Space and Place,
in THE HANDBOOK OF NEW MEDIA 502 (Leah A. Lievrouw & Sonia Livingstone eds., 2002).
129
NISSENBAUMFINAL 2/17/2004 1:10 PM
40. See generally RICHARD C. TURKINGTON & ANITA L. ALLEN, PRIVACY LAW: CASES AND
MATERIALS (2d ed. 2002) (providing a discussion that specifically focuses on information and
information technology); W.R. LAFAVE, SEARCH AND SEIZURE: A TREATISE ON THE FOURTH
AMENDMENT (3d ed. 1996) (providing a general discussion of Fourth Amendment cases); DANIEL J.
SOLOVE & MARC ROTENBERG, INFORMATION PRIVACY LAW (2003) (providing a discussion that
specifically focuses on information and information technology).
41. Warren & Brandeis, supra note 4, at 90.
42. 486 U.S. 35 (1988).
130
NISSENBAUMFINAL 2/17/2004 1:10 PM
43. Id. at 37; see also LAFAVE, supra note 40, at 603.
44. Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and
Obstruct Terrorism (USA PATRIOT) Act of 2001, Pub. L. No. 107-56, 115 Stat. 272.
45. The FBI developed the Carnivore software, which is now typically called DCS 1000.
131
NISSENBAUMFINAL 2/17/2004 1:10 PM
46. See, e.g., SPECIAL DIRECTIVE SUBCOMM., N.J. PRIVACY STUDY COMM’N, REPORT OF THE
SPECIAL DIRECTIVE SUBCOMMITTEE TO THE NEW JERSEY PRIVACY STUDY COMMISSION (2003)
[hereinafter REPORT OF THE SPECIAL DIRECTIVE SUBCOMMITTEE] (discussing whether home
addresses and telephone numbers of citizens should be made publicly available), available at
http://www.nj.gov/privacy/eo26.pdf.
47. 20 U.S.C. § 1232(g) (2000).
48. 277 U.S. 438 (1928), overruled by Katz v. United States, 389 U.S. 347 (1967).
49. Id. at 466.
50. 389 U.S. 347 (1967).
51. Id. at 359.
52. 533 U.S. 27 (2001).
132
NISSENBAUMFINAL 2/17/2004 1:10 PM
133
NISSENBAUMFINAL 2/17/2004 1:10 PM
59. The term “public Web” is used to mark a distinction between those realms of the Web that are
publicly accessible and those that are accessible only to authorized users and frequently protected by
some form of security.
60. See, e.g., Oscar Gandy, Public Opinion Surveys and the Formation of Privacy Policy, 59 J.
SOC. ISSUES 283 (2003); Electronic Privacy Information Center, Public Opinion on Privacy, at
http://www.epic.org/privacy/survey (last modified June 25, 2003) (summarizing public opinion
surveys).
61. See, e.g., Gary Marx, A Tack in the Shoe: Neutralizing and Resisting the New Surveillance, 59
J. SOC. ISSUES 369 (2003).
134
NISSENBAUMFINAL 2/17/2004 1:10 PM
preferences, and second, consumers, through their actions, can affect the
terms and nature of commercial offerings in a free, competitive
marketplace.62 These alternatives deserve a great deal more attention
than I am able to offer here.
Although this view preserves the three-principle framework, at least
one problem with it is that it places resistance to public surveillance on a
weak footing against countervailing claims, particularly those backed by
recognized rights and values. In a free society, a person has a right to
choose chocolate over vanilla ice cream, or to press for extensive
protections of privacy preferences, except where such preferences
happen to conflict with another person’s claim to something of greater
moral or political standing. Those who conduct public surveillance, or
support its pursuit, have lobbied exactly on those grounds, citing such
well-entrenched freedoms as speech, action, and pursuit of wealth.63 The
weak footing that this allows for the aversion to public surveillance can
be demonstrated in relation to a commonly used legal standard, namely,
reasonable expectation of privacy.
Justice John Harlan, concurring with the majority opinion in Katz, is
credited with formulating two conditions that later courts have used to
test whether a person has “a reasonable expectation of privacy” in any
given activity or practice, namely: (1) that the person exhibited an actual
expectation of privacy, and (2) that the expectation is one that society is
prepared to recognize as reasonable.64 Although the reasonable
expectation benchmark raises deep and complex questions that cannot be
addressed here, there is at least one point of direct interest, notably that
the benchmark is a potential source of crushing rebuttal to preference-
based complaints against public surveillance. It is simply this: when
people move about and do things in public arenas, they have implicitly
yielded any expectation of privacy. Much as they might prefer that
others neither see, nor take note, expecting others not to see, notice, or
62. Privacy skeptics have argued that because people seem to do neither, they obviously do not
care much about privacy. See Calvin C. Gotlieb, Privacy: A Concept Whose Time Has Come and
Gone, in COMPUTERS, SURVEILLANCE, AND PRIVACY 156 (David Lyon & Elia Zureik eds., 1996);
Solveig Singleton, Privacy as Censorship: A Skeptical View of Proposals To Regulate Privacy in
the Private Sector, in CATO POL’Y ANALYSIS NO. 295, (Cato Inst. 1998), available at
http://www.cato.org/pubs/pas/pa-295.pdf.
63. Many articles deal with privacy in relation to competing claims. But see, e.g., Cohen, supra
note 58, at 1373; Richard Posner, The Right to Privacy, 12 GA. L. REV. 393 (1978); Eugene Volokh,
Personalization and Privacy, COMM. ACM, Aug. 2000, at 84.
64. See Katz v. United States, 389 U.S. 347, 360–61 (1967) (Harlan, J., concurring); see also
REGAN, supra note 8, at 122; SOLOVE & ROTENBERG, supra note 40, at 21.
135
NISSENBAUMFINAL 2/17/2004 1:10 PM
65. Peter Slevin, Police Video Cameras Taped Football Fans, WASH. POST, Feb. 1, 2001, at A10.
66. It might still admit of variability in that the categories of sensitive and non-sensitive, for
example, could vary across, say, cultures, historical periods, and places.
136
NISSENBAUMFINAL 2/17/2004 1:10 PM
67. See generally PIERRE BOURDIEU & LOIC J.D. WACQUANT, AN INVITATION TO REFLEXIVE
SOCIOLOGY 95–115 (1992) (providing general discussion of Pierre Bourdieu’s fields); id. at 97 (“In
highly differentiated societies, the social cosmos is made up of a number of such relatively
autonomous social microcosms . . . . For instance, the artistic field, or the religious field, or the
economic field all follow specific logics . . . .”); MICHAEL PHILLIPS, BETWEEN UNIVERSALISM AND
SKEPTICISM: ETHICS AS SOCIAL ARTIFACT (1994); MICHAEL WALZER, SPHERES OF JUSTICE: A
DEFENSE OF PLURALISM AND EQUALITY (1983); Roger Friedland & Robert R. Alford, Bringing
Society Back In: Symbolic Practices, and Institutional Contradictions, in THE NEW
INSTITUTIONALISM IN ORGANIZATIONAL ANALYSIS 232, 247–59 (Walter W. Powell & Paul J.
DiMaggio eds., 1991) (also discussing institutions); id. at 251 (“[Institutions] generate not only that
137
NISSENBAUMFINAL 2/17/2004 1:10 PM
A. Appropriateness
which is valued, but the rules by which it is calibrated and distributed.”); id. at 253 (“society is
composed of multiple institutional logics”); Jeroen van den Hoven, Privacy and the Varieties of
Informational Wrongdoing, in READINGS IN CYBER ETHICS 430 (Richard A. Spinello & Herman T.
Tavani eds., 2001).
68. It still holds that a violation can be justified in the event that another, more serious or urgent
value is at stake.
138
NISSENBAUMFINAL 2/17/2004 1:10 PM
69. The formal regulation of confidentiality within professional fields is an exception, but this
Article argues that similar norms hold in all contexts, even if not stipulated in explicit laws or
regulations.
70. James Rachels, Why Privacy Is Important, in PHILOSOPHICAL DIMENSIONS OF PRIVACY: AN
ANTHOLOGY 290, 294 (Ferdinand David Schoeman ed., 1984).
139
NISSENBAUMFINAL 2/17/2004 1:10 PM
B. Distribution
140
NISSENBAUMFINAL 2/17/2004 1:10 PM
141
NISSENBAUMFINAL 2/17/2004 1:10 PM
generally the default—that is, friends expect what they say to each other
to be held in confidence and not arbitrarily spread to others. While some
departure from the norms is generally allowable, as when friends coax
information from each other, straying too far is usually viewed as a
serious breach. Where a friend ferrets out information from third party
sources, or divulges information shared in friendship to others for
reasons having nothing to do with the friendship, not only might the
friend justifiably feel betrayed, but the actions may call into question the
very nature of the relationship.81
Free choice, discretion, and confidentiality, prominent among norms
of flow in friendship, are not the only principles of information
distribution. Others include need, entitlement, and obligation—a list that
is probably open-ended. In a healthcare context, for example, when a
patient shares with her physician details of her current and past physical
condition, the reigning norm is not discretion of the subject (that is, free
choice of the patient) but is closer to being mandated by the physician
who might reasonably condition treatment on a patient’s readiness to
share information that the physician deems necessary for competent
diagnosis and treatment. Another difference from friendship is that in the
healthcare context, the flow is not normally bidirectional. Confidentiality
of patient health information is the subject of complex norms—in the
United States, for example, a recent law stipulates when, and in what
ways, a physician is bound by a patient’s consent: for example, where it
is directly pertinent to diagnosis and treatment, where it poses a public
health risk, and where it is of commercial interest to drug companies.82
Other cases of information practices following rational norms of flow
include, for example, transactions between customers and mail-order
merchants. In such transactions, customers are required to provide
sufficient and appropriate information to satisfy companies that they can
pay, and provide an address indicating where packages should be sent.
Police are bound by law to abide by various regulations governing
modes of acquiring information and how to deal with its flow thereafter.
However, suspects arrested by police on criminal charges may volunteer
81. We may wonder how it would affect a friendship if one party discovers his friend has engaged
the help of the much advertised snoop programs that promise the ability to track e-mail
correspondence.
82. 45 C.F.R. §§ 164.102–.535 (2003). For a general discussion of the privacy regulations
implemented pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA),
42 U.S.C. §§ 1320d–1320d-8 (2000), see the Health Privacy Project website at
http://www.healthprivacy.org (last visited Jan. 17, 2004).
142
NISSENBAUMFINAL 2/17/2004 1:10 PM
143
NISSENBAUMFINAL 2/17/2004 1:10 PM
83. I am aware of an oversimplification in the way I express this issue, for change is not strictly a
consequence of devices and systems by themselves but, of course, may involve other social,
economic, or legal determinants.
84. Florida v. Riley, 488 U.S. 445, 447, 452 (1989).
85. Id. at 458.
86. See supra notes 52–56 and accompanying text.
87. See Kyllo v. United States, 533 U.S. 27, 34, 40 (2001).
144
NISSENBAUMFINAL 2/17/2004 1:10 PM
145
NISSENBAUMFINAL 2/17/2004 1:10 PM
not ever be blurted out outside—I will remain silent, holding such things
to be unutterable [sacred, not to be divulged].”90
The context of elections for political office is another case of a settled
normative framework that functions in generally positive ways.91 On
election day, citizens converge on polling stations to cast votes. From the
moment they cross the threshold, information flows are highly regulated,
from what elections officers can ask them to what they can ask officers,
what voters are required to document in writing, who sees it, what
happens to the vote cast and who sees that, what exit pollsters can ask
citizens as they leave—for whom they voted but not voters’ names—and
what the exit pollsters are free to disseminate publicly. These two
familiar cases illustrate how systems of norms of appropriateness and
flow may evolve to serve determinable ends and institutions.
A presumption in favor of status quo does not, however, rule out the
possibility of a successful challenge where adequate reasons exist.
Resolving these contested cases calls for reliable means of evaluating the
relative moral standing of entrenched norms and the novel practices that
breach or threaten them. Specifically, I propose that entrenched norms be
compared with novel practices that breach or threaten them, and judged
worth preserving, or not, in terms of how well they promote not only
values and goods internal to a given context, but also fundamental social,
political, and moral values. Conducting the second of these two modes
of evaluation, namely, a comparison in terms of social, political, and
moral values, involves identifying fundamental values that may be
served by (or obscured by) the relevant informational norms imposing
restrictions on the flow and distribution of personal information in the
given case. According to the insights of several privacy scholars, the list
of values likely to be affected includes: (1) prevention of information-
based harm, (2) informational inequality, (3) autonomy, (4) freedom,
(5) preservation of important human relationships, and (6) democracy
and other social values.92 Values that are regularly cited in support of
90. “In a Pure and Holy Way:” Personal and Professional Conduct in the Hippocratic Oath, 51
J. HIST. MED. & ALLIED SCI. 406 (1996) (Heinrich Von Staden trans.) (alteration in original),
available at http://www.indiana.edu/~ancmed/oath.htm.
91. I am speaking of elections in a democratic state, with details drawn more specifically from the
context of the United States.
92. This list is informed by the work of Julie Cohen, Stanley Benn, Ruth Gavison, Jeroen van den
Hoven, James Nehf, Paul Schwartz, Jeffrey Reiman, Jeffrey Rosen, and others. Citations to specific
works are given in footnotes to follow.
146
NISSENBAUMFINAL 2/17/2004 1:10 PM
2. Informational Inequality
There are a number of facets to this value. In the crucial 1973 U.S.
Department of Health, Education, and Welfare’s report on computerized
records, the opening sentences presented fairness, or we might say
justice, as a foundational value for regulating the collection, storage, and
use of personal information in computerized databases.94 The
Department’s politically grounded argument will be familiar in the
American contexts where entities, such as government and financial
institutions, wield significant power over the fates of individual citizens
and clients. Allowing these institutions free reign in collecting and using
information further tips the balance of power in their favor. Responsive
to the strong sentiment in favor of leveling the playing field, the widely
influential Code of Fair Information Practices defined restrictions on
gathering, storing, and using information about people in the name of
fairness.95
93. See Margan v. Niles, 250 F. Supp. 2d 63, 68 (N.D.N.Y. 2003). Passage of the Driver’s
Privacy Protection Act (DPPA), 18 U.S.C. §§ 2721–2725 (2000), followed shortly thereafter in
1994. Margan, 250 F. Supp. 2d at 68–69.
94. RIGHTS OF CITIZENS, supra note 29.
95. Id. at xxiii–xxxv.
147
NISSENBAUMFINAL 2/17/2004 1:10 PM
148
NISSENBAUMFINAL 2/17/2004 1:10 PM
149
NISSENBAUMFINAL 2/17/2004 1:10 PM
150
NISSENBAUMFINAL 2/17/2004 1:10 PM
6. Countervailing Values
There are obviously many reasons for favoring the collection, sharing,
and widespread distribution of personal information, including
maintaining free speech112 and a free press, economic efficiency113 and
profitability, open government, and security.114 When these values clash
with those that support restrictive treatment, we need to pursue trade-offs
and balance.
One of the key ways contextual integrity differs from other theoretical
approaches to privacy is that it recognizes a richer, more comprehensive
set of relevant parameters. In addressing whether placing public records
online is problematic, whether moving records from filing cabinets or
stand-alone databases onto the net marks a significant change, it forces
us to look beyond whether the information in question is public. To
establish whether contextual integrity is breached requires an
examination of governing norms of appropriateness and flow to see
whether and in what ways the proposed new practices measure up.
When the first case, the availability of public records online, is
viewed through the lens of contextual integrity, certain aspects of the
well as empirical analysis); Donna L. Hoffman et al., Building Consumer Trust Online, COMM.
ACM, Apr. 1999, at 80 (same); see also L. JEAN CAMP, TRUST AND RISK IN INTERNET COMMERCE
(2000).
111. See OSCAR H. GANDY, JR., THE PANOPTIC SORT: A POLITICAL ECONOMY OF PERSONAL
INFORMATION (1993); Oscar H. Gandy, Jr., Coming to Terms with the Panoptic Sort, in
COMPUTERS, SURVEILLANCE, AND PRIVACY 132 (David Lyon & Elia Zureik eds. 1996); Oscar H.
Gandy, Jr., Exploring Identity and Identification, 14 NOTRE DAME J.L. ETHICS & PUB. POL’Y 1085
(2000).
112. See, e.g., Cohen, supra note 58; Paul M. Schwartz, Privacy and Democracy in Cyberspace,
52 VAND. L. REV. 1607 (1999); Volokh, supra note 63, at 84; see also SOLOVE & ROTENBERG,
supra note 40, ch. 2, sec. C (providing extensive case law).
113. See Singleton, supra note 62 (describing economic efficiency as potentially in conflict with
privacy).
114. See Orrin Kerr, Internet Surveillance Law After the USA PATRIOT Act: The Big Brother
That Isn’t, 97 NW. U. L. REV. 607 (2003). In general, literature and cases surrounding the Fourth
Amendment involve a quest to balance privacy against security.
151
NISSENBAUMFINAL 2/17/2004 1:10 PM
152
NISSENBAUMFINAL 2/17/2004 1:10 PM
For the three cases, I have been able to provide only sketches of
arguments to support particular prescriptions to restrict (or not restrict)
information gathering, aggregation, and dissemination on the basis of
contextual integrity. In general, the norms of appropriateness and flow
demand consideration of a number of parameters, including the nature of
the information in question and its relationship to the context, the roles
involved in the context, the relationships among the roles, the rules of
flow, and how any changes made within a context might affect the
underlying values. For the most part, building a conclusive argument in
117. To complete the argument would require showing that these breaches are justifiable neither
in terms of values internal to the context nor in terms of more fundamental social, political, and
moral values.
153
NISSENBAUMFINAL 2/17/2004 1:10 PM
154
NISSENBAUMFINAL 2/17/2004 1:10 PM
relationships among the various parties, and even larger institutional and
social circumstances. It matters that the context is, say, a grocery store as
opposed to, say, a job interview or a gun shop. When we evaluate
sharing information with third party users of data, it is important to know
something about those parties, such as their social roles, their capacity to
affect the lives of data subjects, and their intentions with regard to
subjects. It is important to ask whether the information practice under
consideration harms subjects; interferes with their self-determination; or
amplifies undesirable inequalities in status, power, and wealth.
We might agree that there is something disrespectful, even sinister, in
the relentless gathering, aggregation, mining, and profiling conducted by
companies like Seisint and Axciom. In other cases, contexts, or activities
that are similar in form might strike most people as desirable, or at least
acceptable. Consider teachers in the setting of primary and secondary
education in the United States—they collect and aggregate information
about students in order to assign grades. Over time, these grades are
further aggregated to yield grade point averages and are combined with
other information to form a student dossier, which, in some form, may
be submitted to colleges or employers to which students have applied for
admission or employment. A school might be judged remiss if it failed to
notice that the performance of particular students had changed
significantly in one way or another, if it failed to “mine” its data for
other categories of change that reflected on students’ and the school’s
performance.
IV. CONCLUSION
155
NISSENBAUMFINAL 2/17/2004 1:10 PM
156
NISSENBAUMFINAL 2/17/2004 1:10 PM
Policy and law are not the only means of preserving contextual
integrity. Outside the legal arena, norms of decency, etiquette,
sociability, convention, and morality frequently address appropriateness
and distribution of information. Certain contexts, such as friendship and
courtship, for example, as rich and important as they are, are likely to
remain the purview of these non-legal systems. In certain contexts, such
as that of a lawyer-client (or other professional) transaction, a middle
ground has so far seemed workable—norms explicitly articulated,
backed by sanctions of the relevant professional associations.123 When to
codify contextual integrity into law, policy, and regulation is a familiar
question about the scope of the law. Here, there is space to propose only
that when violations of norms are widespread and systematic as in public
surveillance, when strong incentives of self-interest are behind these
violations, when the parties involved are of radically unequal power and
wealth, then the violations take on political significance and call for
political response.
weekends in the socially conscious town of Southampton, said that the people who divulge
information and pass along tips are most likely concerned with improving their social
status. . . . With a wink or a nod among friends and acquaintances, information heard along the
boulevard is used to lubricate a promising personal or business relationship, impress a dinner table
and repay a favor.”).
123. But see Jonathan D. Glater, Lawyers Pressed to Give Up Ground on Client Secrets, N.Y.
TIMES, Aug. 11, 2003, at A1, A12 (reporting that new government rules following corporate
scandals, tax evasion, and concerns over terrorism are forcing professional groups, such as the
American Bar Association, to cede ground on client confidentiality). Within this approach, such a
change is framed as a change in norms of distribution on the lawyer-client context.
157
NISSENBAUMFINAL 2/17/2004 1:10 PM
158