Published in ACM SIGCAS Computers and Society, Volume 40, No. 4, December 2010.
© 2010 The MITRE Corporation. All rights reserved.

Conceptualizing Privacy

Benjamin Gerber
The MITRE Corporation

I often lead discussions and give presentations where I need to get the audience in the mindset to start thinking about privacy in a way to which they could personally relate, understand others’ privacy expectations, and discover for themselves that privacy is about more than just technical security controls for personally identifiable information (PII). Below are an approach and an exercise I took my audience through in a few presentations last year; they both have been well received and I think others might find them useful.

Explore the Origins of Privacy Expectations in a Group Discussion

An approach that I often take to engage an audience in discussing individuals’ privacy is to examine how cultural (including technological) and historical experiences frame individuals’ demands or desires for privacy; understanding the experiences of different populations (including different demographics within a unified culture) leads to an understanding of the different ways that individuals exercise or prefer to exercise privacy in relation to other individuals, businesses, and government. This approach ties in neatly with regulatory regimes and social rules—as these same experiences form the bases for the existence of privacy laws and social behaviors.

For example, at the regional and national levels: Europeans’ privacy expectations and legislation reflects experiences leading up to and during WWII; additionally, the Eastern European experience under Soviet control included extensive privacy invasions by governments seeking out “dissidents.” The United Kingdom’s extensive use of closed circuit television (CCTV) cameras is largely influenced by the 1993 Bulger murder. In Mexico, where kidnapping is prevalent, many individuals’ privacy concerns are tied directly to their and their families’ physical safety.

Privacy practices are a reflection of experiences
Privacy laws around the world are a reflection of the cultural experiences that frame constituents’ demands for privacy protections by their governments.

Understanding the origins of how we think about privacy today (and perhaps tomorrow) helps engage the mindset that allows people to identify privacy risks and implications when their organizations introduce new solutions, be they the leveraging of new technologies or innovative business and governance models, or considering the release of or new uses for existing data sets.

Think Outside the PII Box as a Group Exercise

A lot of organizations’ privacy-related activities are compliance driven, and most compliance requirements focus on controls and restrictions on personally identifiable information (PII) or personal information (PI). Which is to say a compliance approach largely focuses on controlling the collection, use, and maintenance of a specific sets of data elements, particularly in the United States, where the privacy laws that are on the books are either sectoral (e.g., financial, healthcare) or focus around addressing the problem of identity theft.

However, PII is the Maginot Line of privacy. We need to be looking beyond policies and controls that address PII and think about the wider context of information and how it relates to individuals. A great way to demonstrate this is by showing that the use of categorical or demographic characteristics alone can uniquely identify individuals.1

But how can we get people to think about how seemingly progressive or innocent changes or additions can clash with cultures, social rules or have unexpected negative impact for individuals? The below exercise is intended to help people think outside of the limiting “PII box” and widen their thinking about privacy implications.

Exercise - Google Privacy Issue in Japan

After discussing an Associated Press article2 from May 2009 entitled “Japanese maps on Google Earth unveil secrets,” (preferably provided as reading material in advance) and highlighting a few excerpts; lead the audience through a discussion of the implications (guided by the points in the second text box) and how this influences their thinking about privacy.

Benjamin Gerber () is a Principal Privacy Strategist with The MITRE Corporation.

  1. Peter Eckersley posted an excellent, easy to follow, explanation of this in January on the Electronic Frontier Foundation’s blog: “A Primer on Information Theory and Privacy” https://www.eff.org/deeplinks/2010/01/primer-information-theory-and-privacy ↩

  2. Alabaster, Jay. (2009). Old Japanese maps on Google Earth unveil secrets. Retrieved from http://hosted.ap.org/dynamic/stories/A/AS_JAPAN_GOOGLE_DARK_SECRETS?SITE=MTMIS&SECTION=HOME&TEMPLATE=national-2008.php&CTIME=2009-05-02-11-39-41

    Now available at http://www.usnews.com/science/articles/2009/05/02/old-japanese-maps-on-google-earth-unveil-secrets.html and http://nl.newsbank.com/nl-search/we/Archives?p_action=doc&p_docid=128400F5D21B0668&p_docnum=1 ↩

Published in ACM SIGCAS Computers and Society, Volume 40, No. 4, December 2010.
© 2010 The MITRE Corporation. All rights reserved. Approved for Public Release: 10-4814 Distribution Unlimited.