Blogger: Ian Glazer
Over the last 6 or so months, Bob Blakley and I have been doing a lot of listening and thinking about privacy. To successfully re-launch our privacy coverage, we needed to lay a wide foundation that would serve to support future research. We needed to provide a meaningful starting point for our customers. Since our customers’ jobs are not typically focused on privacy, we needed to start with a form of first principles and build outward.
I’ve learned that it is generally frowned upon to use the second person in our reports – too informal I am told. Use the blog if you want to address the audience directly. Normally, I don’t have a problem avoiding the second person, but this report proved to be a challenge. We had to work hard not to write without using “you.” And why was that? Privacy discussions are and must be inclusive. They involve each of us on a far more personal level than a discussion of, say, account lifecycle management. Cognizant of privacy implications or not, the decisions you make on a daily basis have effects the privacy of your customers and partners.
Because privacy is personal, because it requires concerted behavior throughout the enterprise, discussions about privacy must include everyone. You. Me. Everyone. To guide concerted behavior, in our recently released privacy report, we put forth a Golden Rule as a means of developing and evaluating privacy principles leadings to practices and behaviors:
This report is by no means the end of our exploration of privacy – it is just the beginning. We will continuing the conversation this July, at Catalyst North America, in the “Privacy Risks Get Real” track. We are working hard to ensure that these discussions reflect the inclusive nature of privacy. We’ll be exploring privacy concerns across multiple domains: from healthcare to higher education. Finally, to sweeten the deal, we have worked with the International Association of Privacy Professionals to get some of the tracks at Catalyst approved for Continuing Privacy Education credits. We are looking forward to continuing the privacy conversations with all of you this July!
Speaking of Catalyst, we have special surprise for IdPS blog readers… Since it is Easter egg hunting season, we’ve placed a couple of them on the Catalyst web site. The prize inside is a super discount code to attend Catalyst. To find the eggs, go to the conference web site and do this:
- Hover (but don't click) over the "San Diego" icon for 20 seconds
-or-
- Click and hold on the Catalyst logo and then drag your mouse off and release
Register right away – this discount is limited to 50 users and could disappear at any time!
Your golden rule sucks. It's wishy washy and leaves no-one with any bright line concerning privacy save "Respect thy neighbour".
Naturally, an individual's private domain is that space about an individual (and their family/possessions) that they are able to exclude others from. Bubbles of this private domain are also contained within secured possessions to which they still have title, e.g. vehicles, suitcases. However, privacy is a right of individuals for their lifetimes, not of inanimate entities or immortal corporations.
Protecting privacy means protecting the boundaries of an individual's private domain against incursion/invasion and violation (removal or external communication of contents), and consequently prosecuting invasion and also remedying violations.
I suspect you're getting waylaid by the idea that privacy grants individuals with the supernatural power to constrain the dissemination of sensitive details about themselves by others to whom they have confided, i.e. the ability to constrain the speech of others. That is not privacy, but discretion and confidence, and is a matter of trust and respect - not law.
Posted by: Crosbie Fitch | April 07, 2009 at 10:25 AM
To start at the end of your post, Crosbie, we are certainly NOT waylaid by the idea that privacy grants individuals the power to constrain dissemination of information about themselves; in fact in our paper (as in previous writings & talks on the subject) we point out very clearly that individuals do NOT have this "supernatural power". Privacy cannot be achieved through one person's control over another; it is a gift we give to one another in order to create a harmonious society.
Your formulation ("Protecting privacy means protecting the boundaries of an individual's private domain against incursion/invasion") is frankly repellent from my point of view; the idea that we can have privacy only when holed up in a lonely little fortress cleaning our guns is a postapocalyptic dystopia I have no desire to participate in.
I want to go out in society, associate with friends and colleagues, live in the world, and still have privacy. This is how truly social environments function, and it is how humanity has muddled along since the beginning. One of the things we're trying to argue against in this paper is the notion that we can abdicate our social responsibilities to the computers and their "privacy enhancing technologies". Ain't gonna happen.
You're right that we set down no bright-line rules for privacy. In fact, our paper argues that bright-line rules are impossible, because privacy is deeply contextual.
As far as our rule being "wishy washy", or "sucking", I suppose that too is contextual and in the eye of the beholder. I will observe that our rule is intentionally pretty similar to that of Hippocrates, which, though it may be wishy-washy and not bright-liney, is the oldest and most successful regime we have.
Posted by: Bob Blakley | April 11, 2009 at 04:22 PM
The 'private domain' or 'bright line delimited privacy' as I defined it is clearly a non-static set of spaces about the individual and what they inhabit or possess. So, one does not necessarily lose privacy when one leaves home, one retains the visual privacy of one's clothes, and the physical privacy of one's personal space.
However, there is a difference between the mutual respect in which people informally grant their fellows additional 'privacy', and the clear boundary of privacy that requires legal protection (as opposed to mere social opprobrium).
Privacy as you've defined it seems to derive more from observations of social etiquette than natural law. That doesn't make it invalid if it's suitably qualified, but it seems a nebulous foundation upon which to build law or inform technologies.
I quite agree with you that we can't abdicate our social responsibilities to computers. I'm also glad to see that (unlike some) you recognise that computers cannot either provide us with the supernatural power to constrain the dissemination of our sensitive information by those in whom we confide.
The 'privacy as etiquette' may well be deeply contextual and consequently a definition that resonates with people's feelings as to what privacy is, but it doesn't help in determining invasion or violation from a natural law perspective, i.e. in being able to clearly recognise where an individual's control over their personal information ends, what constitutes their intellectual property and its theft.
Posted by: Crosbie Fitch | April 15, 2009 at 06:10 AM