Communications of the ACM


Information Privacy: Changing Norms and Expectations

Microsoft Research Director Daniel Reed

Our notions of privacy and security are deeply tied to our social and historical notions of person and place. The aphorism, “A man’s home is his castle,” captures that notion and its roots in English common law. This Castle Doctrine followed settlers to the colonies and was later codified in the Fourth Amendment to the U.S. Constitution:

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

Your family heirlooms may be secure in your personal castle, but what of the information about you that lives on the Internet? The legacy of physical place and norms around it are far less relevant.

Equally importantly, we often convolve privacy and security without considering their differences. One needs security to protect private information, but one can have security without privacy, as many world events have shown. Security is a topic for another day; let’s talk about the evolving notions of electronic information privacy.

Riding the Light

That picture of you at a family reunion, squinting into the sun, can rarely be delimited by a physical location. It might be on disk two, machine nine, rack twenty-three in a North Carolina data center, but it probably will not be for long.

Instead, information flows freely, in radio waves among our wireless devices and on photon beams along the fiber optic cables that connect the burgeoning network of worldwide cloud data centers, each themselves larger than the entire Internet was just a few years ago. It’s cached, distributed, forwarded, copied, mirrored and indexed.

All of which suggests that we need to rethink our notions of information privacy, moving beyond concepts rooted primarily in person and place, and considering logical privacy. These issues are complex and emotionally charged, for they challenge many of our social, cultural, legal and economic assumptions. I would not presume to offer a definitive answer here. Instead, let me offer three ideas to stimulate our debate about the future of information and electronic persona management in this brave new world.

A Simple Family Photo

Let’s return to that family reunion photograph, captured on a smartphone and posted to a social network site. What might I, as a person in the picture, wish to specify, and who else might be involved?

First, I might well like to specify a bounded lifetime for the photograph, after which it would be inaccessible to anyone. Of course, the bound might be infinity, allowing it to remain in the electronic ether forever. That is the current default, as more than one person has learned to their chagrin. I have occasionally noted, tongue in cheek, that one can trace the history of my hair loss on the Internet due to just this default. (For the record, let it be noted that I am at peace with my baldness.)

Second, I might choose to define the transitivity of access. I could share the photograph with my extended family but not allow any of them to share it with their friends. Or, I might limit access to some overlapping circle of personal or professional friends, preventing viral propagation. This is challenging because our overlapping spheres of social, professional and familial influence rarely have hard boundaries, as anyone who has configured their social network privacy settings knows all too well.

The usability of specification interfaces for privacy and security deserves far more attention than it has received. All too often, the only options presented are a broad and vague end user license agreement (EULA) that one must accept to use a service or a byzantine set of confusing service configuration options whose effects are less than obvious. Privacy specifications must be made far simpler and more intuitive.

Third, I might wish to define a claims-based access policy. This is not a binary access specification, but rather a statement that this person or this entity can access this photograph for this and only this purpose. Thus, I might grant my cousin the right to look at this photograph but not to sell it, alter it or combine it with other media.
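
The three ideas above (a bounded lifetime, limited transitivity of access, and purpose-bound claims) can be combined into one policy check. The sketch below is an added illustration, not code from the original post; the class and field names, the purposes "view" and "sell", and the sample date are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass(frozen=True)
class Grant:
    purposes: frozenset   # what the grantee may do, e.g. {"view"}
    depth: int            # hops from the owner (0 = shared by the owner directly)

@dataclass
class PhotoPolicy:
    owner: str
    expires_at: Optional[datetime]   # None = unbounded lifetime
    max_reshare_depth: int           # 0 = grantees may not pass the photo on
    grants: dict = field(default_factory=dict)

    def share(self, giver, grantee, purposes):
        """Record a grant; return False if the policy forbids the hand-off."""
        purposes = frozenset(purposes)
        if giver == self.owner:
            self.grants[grantee] = Grant(purposes, 0)
            return True
        held = self.grants.get(giver)
        if held is None or held.depth >= self.max_reshare_depth:
            return False   # transitivity limit reached
        if not purposes <= held.purposes:
            return False   # cannot pass on more rights than you hold
        self.grants[grantee] = Grant(purposes, held.depth + 1)
        return True

    def allows(self, who, purpose, now):
        """Decide one request: who wants the photo, for what purpose, and when."""
        if self.expires_at is not None and now >= self.expires_at:
            return False   # lifetime elapsed: inaccessible to anyone, owner included
        if who == self.owner:
            return True
        grant = self.grants.get(who)
        return grant is not None and purpose in grant.purposes

T0 = datetime(2024, 7, 4, tzinfo=timezone.utc)   # constructed sample date

def demo():
    policy = PhotoPolicy("me", T0 + timedelta(days=365), max_reshare_depth=0)
    policy.share("me", "cousin", {"view"})
    return {
        "cousin_view": policy.allows("cousin", "view", T0),
        "cousin_sell": policy.allows("cousin", "sell", T0),
        "cousin_reshares": policy.share("cousin", "friend", {"view"}),
        "friend_view": policy.allows("friend", "view", T0),
        "view_after_expiry": policy.allows("cousin", "view", T0 + timedelta(days=366)),
    }
```

Such a check only binds systems that consult it; once a copy leaves them, the policy no longer travels with the photograph.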

Ownership, privacy, reputation and decision making are intertwined in subtle ways. What if I posed for a reunion photograph but one of my crazy cousins was dancing on the table behind me? Who controls that family reunion photograph: me, the drunken dancer in the background, the photographer with the smartphone, or all of us? The shifting nature of social relationships further exacerbates these challenges.

Let Us Reason Together

Let me end with another aphorism, “Possession is nine tenths of the law.” In a digital world where images, video and text can proliferate globally in seconds, we need to rethink what “possession” means.

I don’t have all the answers, but I do have lots of questions.



Good point, but we must categorically reject Larry Ellison's claim that "Privacy is dead. Get over it." Of course that was when he was offering his database free for the national people files, no doubt consulting fees extra.

The 5th amendment to the US Constitution articulates our natural right to "be secure" in our castle, papers and effects, and too often we have passively accepted the idea that government can require private companies to keep dossiers on their customers "just in case".
