all right um thank you everybody for coming i think we'll go ahead and get started even though some folks might be popping in um at the last minute so my name is julie kientz i'm professor and chair of the department of human centered design and engineering at the university of washington and i'm honored to welcome you to our 2021 distinguished speaker event and thank our guest professor helen nissenbaum for joining us i want to first start out by acknowledging the coast salish peoples of this land on which we are working today the land which touches the shared waters of all tribes and bands within the suquamish, tulalip and muckleshoot nations we respectfully acknowledge their stewardship of this land throughout the generations during this year of upheaval it continues to be my top priority as department chair to sustain our close-knit community in hcde and across our field guest lecturers are an important opportunity for a community to come together in shared learning the hcde distinguished speaker series was created in order to provide a community event where students staff faculty alumni and friends could gather together to hear talks by people that have been innovating on bold — innovating boldly and thinking deeply about topics that have profound impact on human centered design and engineering the distinguished speaker series would not be possible without the generous support of members from our community i want to first thank former hcde chair judy ramey and friend of the department stephanie rosenbaum for sponsoring the lecture series in hcde since 2009 we are honored to continue their legacy i'd also like to recognize our friend jing de jong chen whose endowment aims to broaden understanding of human centered design issues in cyber security and privacy thanks to her investment we were able to have dr nissenbaum with us today finally i want to thank our hcde staff especially zoe bartholomew leah pistorius and stacia green and the research committee in hcde spearheaded by associate professor charlotte lee for their efforts in organizing this event today i'm now going to hand things over to professor and associate chair beth kolko to introduce our distinguished speaker dr helen nissenbaum thanks julie so i would like to thank all of you for attending today and uh thank you to dr helen nissenbaum for being with us today i am especially excited to welcome dr nissenbaum she and i met many years ago at a symposium that was a pivotal moment in my intellectual life for many reasons uh mostly because of my conversations with helen if i may call you helen so i'm gonna set the scene for those of you in the audience it was uh 1995. it might actually have been 1996. neither helen nor i can remember and i couldn't find any online record of the event i tried but it was a symposium about the internet it was in jackson hole wyoming and helen i and john perry barlow were keynote speakers for the event so one of the things that i remember most from the event was giving my talk and then sitting in a cafe at the venue it was closed but somehow helen and i had managed to secure ourselves some coffee and she's sitting across the table from me and she says your work is fascinating but what is your field and from there we launched into a conversation about the need for interdisciplinarity in order to make sense of increasingly ubiquitous online systems uh helen doesn't know this but that conversation emboldened me in my own work and helped encourage me to move from the humanities to engineering just a few years later in 1995 or six in the late 90s let's say the internet was just emerging from being a text-based medium and this was against a backdrop where anonymity online was considered largely a positive development the online world had plenty of trolls back then but we didn't have bots helen was at the forefront even then one of the only scholars asserting that questions of trust and privacy and their interplay would be key factors in how emerging technologies would come to shape interactions and institutions i want to take a moment and recognize her prescience 25 years ago in identifying what would be fundamental challenges to growing technological infrastructures so she is here today to speak on her work regarding contextual integrity research which builds on her continued outstanding intellectual contributions and that continues to provide bold and insightful guidance on how we can all think more critically and practice more carefully the work around technology design so it's my pleasure to introduce helen to you all today she is a professor at cornell tech in the in the information science department as well at cornell university she is also director of the digital life initiative which was launched in 2017 at cornell tech to explore societal perspectives surrounding the development and application of digital technology focusing on ethics policy politics and quality of life helen's research takes an ethical perspective on policy law science and engineering related to information technology computing digital media and data science her research has delved into issues of privacy trust accountability security and values in technology design her books include obfuscation a user's guide for privacy and protest with vin brunton and privacy and context technology policy and the integrity of social life the title of our talk today is contextual integrity breaking the grip of public private distinction for meaningful privacy if any of you have questions during the talk or the q & a portion please submit your questions by clicking the q & a button that should be at the bottom of your zoom window and with that please join me in welcoming helen all right so thank you so much beth i have to say it was like what they call a blast from the past when i i got your email to invite me to give this lecture and it was just so wonderful you know just to go back to that crazy time and try and trace a trajectory now i don't know that i certainly didn't feel prescient in any way i just knew that these were such fascinating questions and i didn't think that a philosopher could solve them without so many other people in different disciplines so here we are and let me do the share screen thing oh so it popped on nicely just like that all right um i am grateful and excited to be here is an amazing group of people for me to be presenting my work to because i feel like you're in the trenches with me and hopefully some of what i say will be will will connect with what you do and some thoughts that you have and i also want to say that i'm i was so excited to be here that i might have stuffed just a little bit too much into my talk so don't think i'm crazy if you leave this talk with just some of the things i've said staying in your brain i'll be happy and of course i would be delighted to share more and and carry on the conversation and so here goes i'm also happy that um you were interested in hearing me talk about privacy because i have to say that you know there's always like a shiny object in our field and now there's so much attention to ai and ethics which is it warrants that attention but what what i what i fear is that we don't the by turning away from issues of privacy we failed to understand or we failed to realize how important getting things right or even getting things better with respect to privacy is so intricately connected to some of these important questions of ai and ethics so i'm happy to go there if need be let me see oh sorry okay so here's here's the talk overview i want to talk a little bit about why contextual integrity really like why privacy what what gripped me about privacy what is contextual integrity and how does it differ from other ways of thinking about privacy some applications and some potential challenges there are many people and i'm not even sure that i've listed everybody but there are many people along the way who've helped develop contextual integrity with me both the theoretical aspects of it and also showing that contextual integrity the framework of it could be applied in design and in formal languages and also could be adapted to empirical social science research and so forth so led me along different pathways now back now to the talk the talk outline why why privacy why contextual integrity and um this is a slide that i use often when i'm talking about privacy because i wanted a lot i like to mention that i didn't though i have a phd in philosophy i didn't approach the issue of privacy to say oh privacy it's such a rich concept and um i'm i'm an ethicist or a political philosopher and now i need to understand privacy from a philosophical and of course a legal perspective it was more looking at this range of technologies some you know that we already were aware of at the time that beth and i were were meeting so many years ago and now as i use this slide i'm constantly oh sorry i see a typo forgive me i'm constantly updating obviously without thinking too much about it i should have applied my my spell checker but anyway um obviously updating all the time but the important thing for me to reckon with is is when people observe what's done with these technologies and of course whenever i say technology please just know that what i mean is socio-technical systems because it's never you know the bare technology as if it could be functioning on mars so what is it when people see some of the applications of these technologies and they complain they cry out that privacy has been violated and i wanted to show you that this is a very curious thing that i came across um etc discovery and invention have made it possible for the government by means far more effective than stretching upon the rack to obtain disclosure in court of what is whispered in the closet the progress of science in furnishing the government with means of espionage is not likely to stop with wiretapping ways may sometimes be developed by which government without removing papers from secret drawers can reproduce them in court and by which it will be enabled to expose a jury the most intimate occurrences of the home advances in the psychic i mean that might give things away and related sciences may bring means of exploring unexpressed beliefs thoughts and emotions so this was um written in 1928 by brandeis and many of you in the famous olmsted v united states where this was a dissenting opinion which then was overturned 50 years later but just to show that this the idea of technology threatening privacy in these ways isn't something brand new to us so we hear people claim privacy is violated and it was fascinating to me to say well why are people angry what are they afraid of why do we think that these actions are morally wrong and i and that led me to to this quest for what i like to call a meaningful account of privacy and um i mean by that the philosopher's task to begin with of defining a concept that's clear and rigorous but also more the social scientists concept to find one that's true to us that it's makes sense that it responds that most of the time when people say oh my privacy is being violated this account actually captures that and we also want a value that's ethically legitimate so that we can claim that when someone's privacy has been let's say threatened or reduced or placed at risk there's something wrong with that and we need to do something about it and it's worth defending with technology and policy so that's what we are after and in in particular the the events that really shaped my interest and this is really responding i wanted to have a theme around which to discuss contextual integrity because really the goal of this talk today is to present contextual integrity as an answer to these challenges that a response to to the quest for a meaningful conception of privacy but largest marketplace households as you can see and i hope you've been reading was i have to say by today's standards was was child's play but what was important about it was when lotus and equifax are eventually under a lot of pressure decided to withdraw the product they said we weren't doing anything wrong because we were simply using data that came from public sources and therefore we weren't violating privacy and much later when people started worrying about google maps street view the defensive initially when google didn't want to do anything about anything now it's like blurring faces and and so forth their argument again was we have every right to drive around on the roads and capture information capture images from public spaces no privacy issues are raised because these are public places this seemed wrong and many people weren't buying of course we were already in that phase that it was you know tough luck law doesn't help you any and um these arguments held sway so what is contextual integrity and how does it address these issues what these cases do and many of the cases that i bring to bear in order to showcase contextual integrity and how it differs i think of it as a prism i run these cases and then we see how the different theories respond to these cases so for example we might think about facial recognition systems in public used in public places do they violate privacy in this i know you know major discussions going on ban the scan in different cities um happening in new york and potentially in other places um you know and here's facial recognition as a as augmented reality in classes and so how do we think about this using contextual integrity and they're going to be a lot more examples as we move along so what this is a whirlwind pass through contextual integrity and i want to present it to you in a modular way so the four key ideas that i've identified and i'm i'm going to introduce them progressively and i have to say that at times when i present these four key ideas people will say oh helen you know i really agree with the first one but no then you then you you've lost me but but it's okay you know i i want to show how they build on each other and um we can see the various inter interdependencies i'm prepared to uh defend all of those key ideas but um this is a discussion for us to have so what's the first key idea the first key idea oh sorry i i forgot i had this slide what uh sorry that like really break br broke the drama but what we have the way i'm going to present it so that we see this prison prism effect is i'll describe what the key idea is and then i'll contrast it here's what it is here is how it's different so the first key idea is that privacy is about appropriate flow of information just that that basic idea which may seem uh nothing to it on the other hand it really contrasts with a million computer science papers where privacy is presented as secrecy and any data that may leak that you often see this notion of leakage because it's not it's like a non-moral concept is considered a violation of privacy so privacy in this case is secrecy and leakage is a violation and the in in privacy by design there's this concept of minimization and it's basically says um any reduction of the amount of amount of information like data minimization is considered to be um giving people more more privacy now that's the first key idea privacy is appropriate flow so when people say oh privacy it's such a complicated concept no wonder we're having such trouble i say calm down it's very simple privacy is appropriate flow of information and then they say what do you mean by appropriate flow and the answer that i give is that it conforms with norms or rules it meets people's expectations and the number four key idea so you'll see in a little moment why i'm doing um i have i can count but this is just you know um how i'm laying it out at the moment is that in fact it's legitimate norms or rules worth defending they're morally justifiable and i say norms or rules because again i'm talking to computer science colleagues they really don't like the word norms unlike the humanists and the social scientists and so we talk about rules instead but now let's just focus on the key idea number two this is where context come into play first so what we really mean to spell it out is that flow conforms with contextual informational norms or rules so appropriate flow meets expectations so we connect up here with some of the legal concepts of a reasonable expectation of privacy now there's a social theory that underlies this second idea and that is that social sphere social social we live in a social life that isn't an undifferentiated social space but rather we have these differentiated social spheres and here i don't invent the idea but rather i'm drawing on ideas that i read about from social philosophy and um theoretical social sciences um and i'm now giving you the basic ideas behind what characterizes context importantly they're characterized by purposes goals and values they're characterized by distinctive ontologies of roles or capacities in which people act certain practices and and just it's nothing magical but when we think about healthcare education family these are all contexts and then we have norms and the norms govern how people behave in these contexts and among the norms are informational norms which are could be implicit could be explicit and these are the norms or the rules that govern the flow of information in a particular context and the claim is that we live we we have a we know if just by living in society we know a lot about when data or information flows conform with the norms now number three this is where the third key idea comes in so maybe you agree with me so far you say you know the law also agrees with me if we want to find out if privacy has been violated we have to show that people's reasonable expectation of privacy have not been met and that's a signal that privacy has been has been violated adding to that contextual integrity proposes that these rules have a certain structure this is really important to the big argument and i've learned from my computer science colleagues this is the ci tuple the five parameters five not five um and they are actors informat subject center recipient information type and transmission principle so um and when we talk about actors remember we're there's always this contextual ontology of actors it's people acting in certain capacities the norms govern flow in terms of there's a meaning when when we're talking when we're mapping these flows and we characterize the flows in meaningful terms we have information type specific things age gender books you've read so forth so on and hopefully you've been reading a long while because i'm not going to read everything in the slide and then there's this parameter called transmission principle and this is uh the other parameters are known in a lot of the role-based approaches to privacy but this transmission principle um we always understood it to be there i think it's quite intuitive but this theory makes it explicit which is it's the terms under which the information flows the constraints under which the information flows so in the very common thought of privacy sorry of you're providing information with consent cons with consent is a transmission principle because that is the constraint under which information flows but it doesn't always require consent so when you're filing your income tax returns it's not that you're consenting to provide the information you're being coerced you've been compelled that's a law it requires that you provide and of course information can be bought and sold it can be a one-way flow it can be reciprocal so the physician gets to hear what your health complaints are but you don't get to hear what the physician's health complaints are and so forth so there's certain um and then one important one is with a warrant so it's really important in the law we see this over and over again with the fourth amendment did the police have to get a warrant in a certain instance of search and if they didn't get the information with a warrant then we say well it was unlawfully gained so that happened so this concept of transmission principle really covers a lot that's very familiar to us but it then it identifies it now have this question mark near use because over the years i've had lots of debates with people as to whether i forgot i should have had six parameters and the sixth parameter should have been used and maybe maybe those people are right however there are ways in which the use parameter and and i don't know if i'm gonna have time to go go into it the reasons for hope for believing that the use parameter which may not have been important at the time have become increasingly important as we have as we've entered this these times that we're living in but but i'm just going to leave this up in there so here's you know you know how it is you learn the mathematical concepts and then you learn here are the concrete instances but here are some um rules that fit the structure where we you know travelers are obliged are obliged upon request to show the contents of their luggage to the csa agent to show how this this well-formed sentence would mention different parameters and i want to show you how some of our sectoral laws so this comes from hipaa when they write the rule they actually do use these parameters which which which was i wouldn't say proof but it was very heartening because it suggests that these parameters capture something intuitive in how people want to think about and evaluate data flows and this one is i always use this one i like it a lot because it goes against the common wisdom that you always need the data subject's permission to share information and in this case what we're saying is that actually it's only with authorization um with the from the psychiatrist that this information can flow and um this work by the way comes from a paper uh with from from these guys they developed formal language and very excited you know maybe we can use this formal language to implement or enforce in a computer system okay so here we are um i promised that i would show you the connection um between the key ideas and other approaches or other ways of thinking about privacy and here i i wanted to just raise this little flag and say this particular way of thinking about privacy which is conforms with contextual informational norms and the norms having the structure is different from two dominant ways of thinking about privacy one we are one is that privacy protects only the private so we we're we're very much dominated by this dichotomy of private and public and privacy only applies to the private and another dominant definition which comes from alan weston privacy is control over personal information how many articles countless countless countless even progressive thinkers on privacy end the article i'm thinking about you know the new york times had a recent series on privacy what we need is to give people control over information about ourselves please one thing to take away this kills privacy this this is the death of privacy and we really need to have a revolution and we're going to have a revolution everybody and it is to reject this definition of privacy as controller with personal information so this idea we back now to the google map street view privacy only applies to the private in the case of the public all bets are off so that so and contextual integrity says no we don't divide the world into two things we don't say public information private information we have a much more richer understanding of this informational and spatial ontology that comes from social domains we cannot build privacy on top of this private public dichotomy it doesn't match up and then when we want to think about why privacy is control over personal information has led us has gra has resulted in us being beached when it comes to privacy and i should say that it stems from what was initially a great idea code of fair information practices but ultimately builds on this idea that the right to privacy is the right to control fast forward to the present and i'm not going to spend too much time i'm whipping through these you know this is what this is where we get to when when we have the operationalization of privacy is control we have these privacy policies and you know have a whole nother talk about privacy's control and privacy policies but i just want to bring to attention something we all know very well and the conclusion of this quick little foray so now we have a first approximation of a definition of contextual integrity contextual integrity is preserved when information flows conform with entrenched informational norms and it is there's an assumption of of what these norms are now like any norms they're contested they can't sometimes controversial uh they're not 100 held and so on but but here's the first approximation and the point how this connects with technology remember the whole list of technologies that i presented at the beginning is that these technologies raise flags and make people crazy because what they're doing is they're disrupting the information flows and when i say disrupting the information flows if you're a privacy as control person the only disruption that is worth mentioning is whether this flow happens without someone consenting but when you're when you hold contextual integrity as your framework for privacy then what you mean is that you can capture the disruption by some alteration in the data in the values for the parameters that come about when you introduce certain kinds of technologies so when we go back to our facial recognition technology the public if it's in public you know you have oh you have these fourth amendment plainview doctrine that says you know if it's in plain view then no holds barred i'm just obviously there's a lot more detail when you are privacy as control then if you choose to share the information and choose is like you you arrive at you know a website whatever it is and you are implicitly agreeing then the third then it's like well you've agreed to share this information under these in these terms and that party can do whatever it likes as long as it doesn't violate the terms of the privacy policy but what privacy is contextual integrity says and i'll be you know fairly specific about it is that first of all when you're walking around in public so we're looking at the hardest case facial recognition in a public space there's certain even if you accept that there's certain information that can be captured traditionally or what the expectation is your name is not known your identity is not and now with facial recognition we have a novel flow we have a disruptive flow suddenly the information type changes because now your name flows and second of all because of the technology it's not just like you know i see someone across the street but rather the image can be captured and it can flow to all sorts of places and so it's not the case oh public is public anything goes this really constitutes a change and privacy is contextual integrity gives you a finer grain way of revealing what the changes are when um when i talk say with students about surveillance technology like drones and and cameras what i said to them is please don't get all worked up about these technologies because you want to understand that these technologies can be designed in different ways and you as a technology designer can decide are you going to store the data is the data real time who gets access to the data how fine grain is it does it feed into a facial you know so many different questions that are relevant to whether to what the privacy dimensions are of these systems it really belittles it it doesn't give enough attention to the importance of what's relevant in these systems by just waving your hand and attacking the systems whole cloth but it really requires a design approach here's another experience that we had in the past few years just to give you a little bit of a heads up the voter role information and voter registration information it's a state by state decision and many states for many most states in fact voter role which is whether you voted in an election is public and yet when this commission on voter fraud requested the information from states the states said no even though this information was public so the argument of public is public no holds barred is belied and i think people a hazard a guess that most people were very relieved at this resistance so all the parameters matter and it doesn't serve us to overlook some of the parameters now i wanted to let's see how am i doing on time we started all right gosh i'm going to try and whip through this um because what i th this was the promise i made to you guys i i wanted to show how th this is now my collaboration with people who do empirical work empirical survey study in particular kirsten martin and what we want to do show is that when you pay attention to all the parameters you can disambiguate a lot of bad survey stuff that has been going on for decades so we did we looked at the private public distinction and we looked first at sensitive data and then we looked at what's so-called public data so the first article was showing confounding variables with sensitive data and i just have a couple of slides for each of these studies what we first did is we looked at the information types found to be most sensitive by the pew foundation now according to the public private dichotomy it we would say that you should really protect the most private and depending on your theory of privacy maybe secrecy we hold these to be secret when you add and it feels so obvious you know when when i show you these results when you include the additional parameters into your story you see that even the most sensitive data health information when it goes to a doctor no problem obviously when it goes to um the the most unpopular one was always the data broker then we're very upset about it so it's got not you can't take the information and divide it into two categories and then know how to treat it then we showed the opposite we wanted to show that even information in public databases people felt that there were privacy interests and i should mention that early days i had written an article my first article on privacy was like oh revealing that there's privacy in public again each time we use this factorial vignette survey approach and we ask the question is it okay we spent so much time asked figuring out how to ask the question we we were trying to get at the norm we didn't want to get the preference so i'm sure that anyone who's been doing this kind of survey stuff knows like how you ask the question and there's such fine-grained distinctions we ask is it okay and what i wanted to point out is how um let me see what i can do here okay so in the first case we're saying a company receiving job information by information type um how okay is it to receive criminal data from a data broker from a from government website and from the subject him or herself and you can see the discrepancies uh the one we kind of enjoyed a lot was we imagine you know you're going to someone's party and you decide oh that's a big house i wonder how much they paid so you know you look up online you go to you know one what what are those data broke what are the what are they called when you look up and you see what's something or redfin those companies yeah yeah yeah so not not nice not appropriate but if you ask the person what you paid that's it's okay it's not a hundred but it's it's much much better and so forth so really these factors affect you know where going from negative to positive when you start adjusting the different parameters and then finally we looked about we we looked this was a much more complex complicated paper it's just just come out privacy interest in public locations and i mean location tracking is is in it's huge i'm sure you guys are aware of this you know this is the plane for you doctrine we we did multiple rounds of this survey and um i'm just letting you look at it for you know 10 seconds and um what what we show i mean this is just a little fraction i just mainly wanted to point out that when what's important by the way is that it's not only who gets it by what means which we used as a proxy for a transmission principle but we also especially kirsten was interested in what happens when the location data allows you to draw certain inferences and i was particularly interested in the place versus the gps latitude longitude the kind of semantics of the location so you can see here's the fbi collecting look at this kind of location uh but when you look at the data aggregator everyone hates that so these location aggregators that are out there that are what are they called you know data location data brokers and the tons of them that you know it's been discussed a lot uh people really think it's unacceptable but sometimes it's okay for the fbi but anyway you can draw conclusions and the fascinating thing was when we were doing our pilots we find people don't really distinguish the precision so gps latitude longitude and if you which is what you can see street city they're very close but what did matter is location versus place when you give semantics to it that really causes different responses okay so i've done all this and i'm probably some of you are saying you know tyranny of the convention the whole point of technology is to disrupt data flows and sometimes it's for the good so isn't this a terrible theory that it always says that disruption is bad so now we come to the fourth key idea which is that it's not only that appropriate flow requires legitimacy the norm needs to be legitimate we want to allow for technologies that come in and make things better and we also have to allow for the possibility that technologies can disrupt flow look bad at the beginning and then over time make an argument that in fact these technologies are not violating privacy and so the theory has a way of evaluating these novel flows it's a layered approach and i'm going to be very i'm not i'm not even going to spend time except to read the slide we evaluate the differential impact on the affected parties or stakeholders which is for individual custom benefits we evaluate them in terms of ethics and political principles so this fabulous literature on you know how inadequate privacy can chill speech and freedom and autonomy and so on and then the one that's the new contribution of this theory is contextual functions purposes and values and i wanted to show you that around this time andrew mellon proposed that irs records that tax records go from being public to being private and why did he say he didn't say because it hurts people that embarrasses them et cetera et cetera his argument is it will mean that people will answer their tax returns honestly and the treasury will get a lot of money so his argument was a societal contextual argument here's some ideas about purposes and values uh that the different and and this is just me you know spinning it i feel like each of everything i've said you know take education there's a there's an argument to be had about what the ends and purposes and and and values are for educational context and so now i want to come back to the definition no longer a first approximation and the definition is contextual integrity is preserved when information flows conform with legitimate informational norms and there's work to be done to transition between entrenched and the point is that sometimes we don't have entrenched norms and we need a way to evaluate flows so you know with cambridge analytic it was like oh people didn't give permission and i'm thinking who cares what we care about is that it undermine democracy that's what we need to care about um and i am going to uh maybe i'll ask i don't know julie how am i doing how many minutes can i have more uh depends on how many questions you want to be able to answer we do have about six questions that people have asked so far but um sure five minutes sounds great okay okay great because that's i think i think yes so um i'm not going to go into this article this was an early article there was a debate going on in various states about posting court records online there too the argument was court records they're public records what difference does it make if it's a file in a draw in a courthouse or a click away on a website now any of us sitting here know how enormous that difference is but once again it was like public is public what does the medium matter and this article carefully shows how when you change to a different medium you affect the values of the parameters and then again we ask the question when you change the flows what values are you promoting what harms are you bringing on board by making a very thoughtless change in the medium without going through this analysis and finally we'll come back you know to our this case we've been looking at and again we show there's a disruption that's really important and then we discuss we when we evaluate the disruption first we have to show it using a more fine-grained measurement which is the five you know the ci tuple we then have to discuss and of course many of the argument arguments are just to give throw one off the cuff you know people won't go um and protest because maybe they're afraid undermines democratic values and this one this is the last one thanks to badger friedman i don't know if she's here today but she a few days ago sent me this example of the ancient like hundreds of years old letters that were folded in a way that if you would unfold them it would break them and so there was the application of x-ray technology to be able to unfold without damaging the artifact and actually read the words of the letter and you might say to yourself oh well we can now read letters in envelopes because we have this x-ray technology what the heck now letters even in envelopes are public because we can read them with technology and once again this is not the way to argue you need to go through the steps and see what the disruptions are and how that affects long-held values so this this is the conclusion um still holds an iron grip ci reveals misalignment i continue to believe that these dominant ideas are detrimental to individual interests and denigrate societal and contextual values my approach would be to regulate with substantive rules informed by legitimate norms sometimes involving control but not always but using these ends purposes and values as the arbiters there's a lot of work to be done a lot of work and i welcome anyone to join in the effort we really need to change things up and that's it thank you now for the q a yes please um david rebus is going to be our q a maestro helena i'm gonna read out the questions for you but you can follow along too if you like in the q a box are you in the mood for helen for some uh very high philosophical questions or would you like to start with more grounded questions give me an assortment all right okay let's uh let's begin with the mark castle corn's question um he asks hi helen my question is about government databases that can be used to provide public benefit so for example to manage a major emergency and its impact on regional systems that government is loathe to create because they may contain private information and become targets of a foia and public disclosure request can contextual integrity help us find the appropriate balance yeah so this is this is a great question the it's a good question that some computer scientists or you know some policy makers want to answer by saying let's create the databases and then make them accessible through differential privacy so that we can extract you know the usual you know utility privacy utility trade-off which is an issue for me and i my pushback on this and it's not universal because i'm not saying that that approach isn't acceptable in some cases you know i think that um for many cases and i know there's a whole discussion of the census making the data available in in a differentially private way what i want to say is that if you consider the different parameters they're ways of providing the information different from the threat model that differential privacy solves so i'm i prefer to to offer a variety of approaches to say you can create the databases certain people will have privileged and you know what that is or to use this data and and or you're held accountable for certain uses of the data you you know you we create a system where we try and constrain the flow of that data according to the different parameters and i think right now we we've either we've talked about either you know releasing at all or um having it be and and having it be anonymized which we know cannot do or differential privacy which also has problems and i want to offer a different alternative to it where we might even make the data available in ways that could reveal identity but we do it in a way that's constrained i'm going to stick with another somewhat on the ground question um caitlin cork asks as cyber physical technologies become the norm in the built environment especially for uh internet of thing devices how do we ensure that the norms are morally justifiable do you see privacy concerns with aggregate data collected by iot device systems um the i'm not really sure why the iot i i can understand why iot devices escape the standard notice and choice regime i'm not sure first of all um when we say aggregated that they're different ways of aggregating so it could be that in order if you have some kind of fitness device and i'm sure and i imagine that caitlyn might include fitness trackers as an instance of an iot device then you would you might actually want that fitness tracker to keep track it could be useful for you to keep track of of aggregate like how much did you walk this week or was it better than last week and so forth and my colleague deborah estrin courses in small data versus big data when you're talking about aggregating across contexts so we're going to combine this data with shopping data and so forth then we have glaring violations of contextual integrity and we need to run these flows again through the machinery of the of the norms i don't know if caitlyn you can come back if if i didn't answer your question i'll look out for that all right let's shoot up to um the maybe the highest level question in the deck um but i think it's a fair question for a philosopher uh scott mainwearing asks my question is about the conception of information the contextual integrity theory appears to rest upon the metaphor of flow suggests metaphorically that information is a fluid object something that objectively exists in the world as opposed to say to ideas from critical theories that information is not quote unquote real but for example in some versions a social construction that is always in danger of being destabilized would you agree that contextual integrity depends on this kind of stabilized unproblematic idea of information if so does this create strengths and weaknesses of your approach um when it's interesting so the the term flow was was the term i chose out of a lot of different terms that i was considering at the time um because i wanted to be to not make assumptions about anything that was happening on the two ends and and here i am i'm stuck with it and the other thing i'm stuck with is the word context which has caused me no end of heartburn but i think your question i don't know that i understand your question as deeply you know in the depths to the correct depth but i will say this that when you take information of a certain type and of course the semantics of the information is is not god-given it's constructed within the context and and i am committed to that that the ontology that that different contexts are defined by different informational ontologies passes from one party to another party and the meaning of that data that information when it arrives to the other party could change dramatically and i want to just give it a very practical you know give a very practical reason because when it goes from this party to that party that party might have a bunch of other information that gives a whole lot of different meaning to that information when it arrives and this is why we have to be careful to um not just talk about party and party b but rather actor in a certain capacity and act in another capacity so i might have a headache tell the physician and the physician interprets that data that data gets a meaning depending on its arrival i don't know if that's what you meant scott and probably what you meant was deeper than that but i do accept that that the meaning changes in ways and that by including the recipient as a parameter you're allowing us to place constraints on what i'm calling flow which is just passage of data from one party to another oh great question i'd love to talk about it for hours but i won't um let's uh i'm just going to allow mark hasselhorn to do a follow-up um just to remind you his his question was about uh government databases first question he says follow-up is um so we can restrict individual access for public good he's asking i guess is that what you're saying um not quite as bluntly because um when because we can restrict in different ways yes so the answer is yes restrict but we can restrict in different ways and it used to be the case just just to give you an example that if you wanted information out of a court record you would go to the courthouse and you would be able to look at the material in the folder and that restricted access materially in a certain way the data brokers got around that because they hired people whose job it was and i saw this you would go to the courthouse you would you know claim all these and then they would just sit there and they would transcribe the information so there are various ways that you can impose restrictions you can impose use restrictions etc i think we don't fall into the computer science trap that says if you can do it that's all that matters and we we have to say well you can do it but we're gonna make it not okay just as companies impose restrictions on you know how you might use a copyrighted movie or something like that we can do it and then we need to think about that but but but it's important when we it's not like public interest writ large it's to understand what's being served when we do that so when we think about court records we the court record played an important function in the way the courts functioned whether to to achieve fair outcome you know equal outcomes for similar cases and so forth but then they became a mechanism to attach a reputation onto somebody and that's when things went wrong so we have to really define what that public what that interest is or yeah amy kelly very simply written question but i think it's quite deep hi helen i am wondering who gets to decide uh what the privacy norms should be in different contexts yes who should be responsible for ensuring that those norms are protected either by design or other means and three how can we trust um how much trust can we place in developers and especially users of various technologies to uphold privacy norms and goals i love that question um the second one the first one was who gets to the side the second one is who should be responsible for ensuring that their the norms are protected either by design yeah i'm i feel like maybe i placed you in the audience and paid you to ask that question so um because i i don't know who gets to decide because we have norms and by the way i'm aware that a lot of a lot of the norms that govern us and looking at it i'm not a critical theorist but i've been schooled by my critical theory colleagues who say that you know don't give too much credence to entrench norms because these entrenched norms may represent the interests of the powerful in society you know whatever gender race uh socioeconomic and not reflect the interests of everyone and by the way that is sometimes how technology can disrupt things in a good way so how norms become established in a society is when i say i don't know it's not like oh i forgot to figure that out it's to say there are other people who are much better qualified than me who have studied the evolution of norms in society and sometimes the norms are not you know equally good but we're going to assume that if we have a kind of reflective if we have a set of norms that we've reflectively evaluated then who is responsible for enforcing those norms or even passing the norms down from generation to generation and the answer is it's so interesting and complex not all norms get embodied into explicit rules we know that law is one vehicle for is that um responsible vehicle for promulgating and enforcing norms but norms can be family law uh you can be you know your friends can can push you away if you violate norms you could be part of a professional society that that lives that is defined by a set of norms and if you violate etc so the are many societal mechanisms for both expressing norms and for enforcing the norms and then the third question about how much trust to place in users and developers um part of what we try to do when we teach um when we do things like this is to create some sense of consciousness first of all that those people who are designing our systems pay attention so if you're designing a drone with a camera think about data flows and then should we trust you if you're working for a company that's invasive and etc so so there's this a lot of attention on things like professional ethics i think some of this is about trust and about promulgating in various different ways and some of it is about law and enforcement sometimes we have to enforce enforce the constraint in design and you know this beth that to this discussion of values and design sometimes we enforce it in design but design isn't the answer by itself i think this is going to be our last question okay from joe bernstein it is the most upvoted question uh i design enterprise tools for information privacy and protection most of our use cases aren't voluntary but for policy compliance such as gdpr do you think policy has negative effects of encouraging company to collect more information the more tools we have to manage data sharing and attempt to protect from breaches it feels like more companies now feel comfortable collecting data in the first place well that is so fascinating wow i don't think i'm going to be able to give a really good answer to that question because it it gets into the mind of incentives and and motivations but i do i do feel that we that we all held high hopes for the ccpa and for the gdpr and i'm i'm afraid that the achilles heel of both of these laws is that they utilize consent as this little loophole and so no matter what the constraints are they have so with gdpr there's one little bit of hopefulness in it because when you specify the the purpose so the purpose specification the idea of it is that you can only specify a legitimate purpose now if those folks were on their game they would say what do we mean by legitimate purpose and now we run through the whole contextual integrity process but uh i'm not seeing it happening and i'm afraid that because they give such a big role to consent we're going to it's it's it's going to be close to business as usual but i realize i haven't addressed that question because if you if you have a law that isn't very restrictive then the like kids you know they're going to push wow i'm not collecting all that data i think i'm going to collect more data because i'm allowed to and i do see those weird backwards incentives thanks for that quick thanks for those great questions all right thank you i think i'll have julie has some final words yeah thank you so much helen that was really interesting and thank you for taking the time to answer everyone's questions so i want to thank everyone for joining us for distinguished lecture today and i want to join join me in thanking helen one more time um either in the chat or or you know digitally clapping or however you'd like to uh share your things with with helen one more time today um also i wanted to thank again to the research committee for putting together the event as well as all the staff who put things together so wishing everyone a happy friday um and you wish you know health and wellness and perseverance until we can get together hopefully next year's distinguished lecture will be in person again but we'll now that we have such a great audience digitally we can hopefully uh maybe have a hybrid next year so looking forward to seeing you and and take care hi thank you helen that was awesome that was great thank you thank you yes thanks and see you soon
2021-03-13