With data privacy legislation springing up across the globe, governments and their citizens clearly recognize the value and importance of protecting privacy online. At the same time, Facebook has nearly 3 billion global users who share information on the most intimate aspects of their life. What are we to make of these seemingly contradictory attitudes?
The privacy paradox is where people pay lip service to the importance of privacy while demonstrating a failure to protect their privacy with their actions. What conclusions should we draw from this? Should we take behaviour as the marker of valuation for example, providing a name and email to read an article. The problem with this argument is it blends the worth to the individual in a particular context with a general valuation. The gap between privacy behaviour and attitude toward privacy exists because they are about different things. Behaviour is shaped by context while attitudes are abstract and transcend a particular context. For this reason, the effort to align them falters.
So what is the value of privacy?
Often privacy is viewed along a spectrum. At one end is privacy balanced against the interest of national security. Thus, the following arguments about the value of privacy must be implicitly weighed against justifications for surveillance practices that often include threats to safety and well-being.
Respect for Individuals
Not respecting an individual’s reasonable desire for privacy disregards an individual’s judgment about their own self-interest. It must be up to the individual whether they wish to exchange their personal data for some other good.
This respect for an individual’s privacy is about realizing one’s need to be alone to explore the depths of their own inner being expressed through the introspection. This interest will not always win out, but the individual must have the right to choose this for themselves.
Reputation Management and Breaches of Trust
Privacy also provides respect for a person’s ability to manage their reputation which has key ties to personal and career opportunities. What has developed is a body of European law that recognizes and protects reputation. In addition, for people to feel less reserved, they need places of solitude and retreat where they can escape the gaze of others. People establish informational boundaries that vary across relationships and privacy plays a key role in maintaining those boundaries.
Privacy also reduces social friction as people do not want others to know everything about them. The truth of this is called into question when one considers the proliferation of social media platforms. This explosion in social media must also be considered in the context that many provide for anonymity.
Exceeding privacy boundaries is a breach of trust. We see these boundaries manifest as social norms and laws, like relationships with lawyers and doctors. Knowing that boundaries exist between what an individual may disclose creates candor, vital in situations bound up with legal and health consequences. At the same time, you may want to prevent this very health information from being disclosed to insurance organisations who set the price of your premiums.
Personal data is a core component of many decisions affecting people’s lives like getting a loan or a job. Therefore, there are limitations placed on financial data.
The government uses personal data to determine who to investigate. Therefore, there are limitations on government surveillance. People are helpless if they cannot object to uses of personal data that harm them as a core pillar of freedom is autonomy. This control is marginalized if decisions are made about people without their awareness and input.
Freedom of Thought and Speech
Privacy is essential for intellectual freedom. Watchful eyes have a chilling effect on the exploration of risky ideas outside of the mainstream. Think about the historical prosecution of marginalized communities who live outside social norms. Privacy is key to communicating unpopular messages and cultivating new ways of thinking and seeing the world. If one wants to explore ideas outside of what is common, they must have a space for doing so.
In this way privacy plays a foundational role in democracy, providing a space for unpopular political associations all the way up to privacy at the ballot box. In this way political privacy is essential for a free and democratic society. Privacy is not just an individual value; it is also a social value.
Privacy also shields people’s bodies, sexuality, gender, and intimate relationships. Roe v. Wade, the famous Supreme Court case,was decided on ground of privacy and autonomy of one’s body. Privacy respects the boundaries on the intimate lives of others and respects individual choices about whom they entrust with their bodies as well as what they do with their bodies.
Being constantly vigilant about how others perceive your actions is a heavy burden and the freedom from having to justify oneself is a social virtue and vital difference between a free society and a totalitarian one.
Limit on Power
Privacy limits the power of government and companies by giving the individual control over their personal data about who and how it can be accessed and used. This individual sovereignty limits the power of other actors to target them in some way for example by shaping their decision making through targeted information campaigns.
The Problem with Individual Valuation
Privacy cannot be meaningfully captured in monetary terms. Calculating a monetary value for privacy is not generalizable and is often context specific. Privacy is not a product by which the market can set a price, but instead has a value beyond what people will pay for it.
Rather, privacy is best conceived as a constitutive element of civil society necessary for deliberative democracy and the individual capacity for self-determination. For this reason, data privacy has been compared to public goods like air and water quality that cannot be effectively regulated by trusting the wisdom of individual choices.
Of course, privacy is not a transcendent value and can be trumped by other conflicting values. The normal spectrum highlights the tension between privacy and security. However, the market fails to adequately price privacy where people are often presented with a take it or leave it choice: provide personal data and receive access to information, or don’t and do not get access to the service. This choice stems from the Internet’s common business model to provide free content and monetize it by collecting and selling personal data. The new adage has emerged that if the service is free, you are the product.
The behaviour valuation argument fails to fully encompass the relevant factors on privacy. Exchange measures constrain values that must be broadened to account for other positive externalities of privacy. Additionally, behaviour valuation improperly generalizes from highly specific contexts where people do not often know the consequences of the exchange of their personal data for access to trivial goods.
The Impracticality of Assessing Privacy Risks
A major issue with assessing privacy risk is that those risks involve potential misuse of data in the future. While people can be informed about immediate uses, later downstream uses remain peripheral and speculative. A related issue is that data is often given out in bits where each individual disclosure is innocuous, but when data is combined it reveals a story about a person’s tastes, behaviours, and habits.
While the benefits of sharing personal data are immediately identifiable like accessing a news article. The problem is it is impossible for people to understand the full implications of providing pieces of personal information that can be aggregated to create digital dossiers. Privacy risks are often vague, abstract, and uncertain and fare unfavourably when pitted against easily understood benefits.
Futility and Resignation
Do you know those privacy policies that pop up when you visit a website? What about those terms and conditions your cell phone prompts you with? How many of those have you read?
A study by Aleecia McDonald and Lorrie Cranor found that if a person were to read every privacy notice relevant to them, it would take 201 hours per year. Nobody reads privacy policies, and this begs the further question of why we even go through the charade of posting them.
Often privacy regulation focuses on privacy self-management giving individuals rights like knowing what information a company collects on them and the right to access, correct, and delete data. The law appears to give individuals a lot of control over their data. The problem is that many companies gather personal data without those people knowing. This is less of a problem in Europe where there is often a consent requirement to data collection. However, in the realistic scenario that thousands of companies are gathering people’s data, are they then expected to make thousands of requests or in the case of opt-out, to do so a thousand times?
In the face of these challenges, resignation is far from an irrational response and feelings of futility may lead people away from even considering these safeguards the law seeks to provide. Meaningful privacy protection cannot rely on seemingly infinite privacy self-management.
Perhaps privacy legislation places to much of a burden on individuals to protect their own privacy when operating in an environment of deceit and obfuscation.