Inside NYU Steinhardt: Helen Nissenbaum on the White House Bill to Protect Consumer Online Privacy

On February 23, 2012, the White House unveiled a blueprint for a “Privacy Bill of Rights” to protect consumers online.  Helen Nissenbaum, a professor in NYU Steinhardt’s Department of Media, Culture, and Communication, and author of Privacy in Context: Technology, Policy, and the Integrity of Social Life, discusses the new privacy bill.

What is the Consumer Privacy Bill of Rights?

The Consumer Privacy Bill of Rights, unveiled yesterday, is a set of seven privacy principles developed by the Obama Administration articulating clear expectations regarding the way companies handle the collection and use of personal information. The Privacy Bill of Rights incorporates a core of traditional principles, but it includes new elements, particularly addressing growing concerns over unregulated and problematic activities posed by online and mobile communications media. Recent problems include iPhone and Android apps that upload a phone’s entire contact list to app companies’ servers, surreptitious collection of consumer information during transactions both online and off, and frequent alterations in company privacy policies.

The Administration’s Consumer Privacy Bill of Rights will inform multi-stakeholder deliberation with the aim of producing detailed sets of sector-based “best practices.” What happens next will be controversial. A model favored by companies whose business involves capturing and using personal information is voluntary adoption of these best practices enforceable by the consumer protection arm of the federal government (the Federal Trade Commission). Many privacy advocates and advocacy NGOs oppose voluntary adoption and favor the passage of law in which the Bill of Rights is embedded.

Can you explain the role that you played in shaping this new privacy plan?

Last year, with NYU postdoctoral research fellows Kenneth Farrall and Finn Brunton, I submitted a public comment in response to the Administration’s request for comments on an earlier position paper.

In our comments, we referenced the theory of privacy as contextual integrity, which I had advanced in my book, Privacy in Context: Technology, Policy, and the Integrity of Social Life (Stanford University Press, 2010). According to this theory, at the heart of privacy is the expectation that personal information will flow appropriately, which, in turn, is determined by the social context, type of information, who is receiving it, and the constraints under which it is shared. Many of the companies that the Privacy Bill of Rights addresses are using information technologies and digital media in ways that have radically disrupted expected information flows. These have become so complex that the companies themselves are hardly able to understand them, let alone all of us directly affected by these practices.

The Consumer Privacy Bill of Rights cites my book as well as our public comment from last year and includes Respect for Context as Principle Three.

I have argued that transparency alone will not safeguard consumer privacy and urge policy makers to support substantive constraints on flow of personal information both online and off.

Why should consumers be concerned about online privacy rights?

I want to be clear that my work isn’t limited to thinking about privacy online, but rather to what I refer to as privacy in a networked world. The online component of this network vastly magnifies the capacities to collect, utilize, and distribute information and hence magnifies the privacy problem.

Many of the services we use, and the advertisements we see online, make heavy use of personal information. Social networks such as Facebook, all of Google’s services, and Amazon, as well as many others, draw on personal information, whether provided voluntarily or captured surreptitiously. These companies argue that since many of these services are free, that is, do not charge dollars and cents, users should not begrudge them the use of information as an alternative currency — who we are, what we like, what we do, where we go, what we say, etc.

The trouble is that this exchange of information for service is usually implicit and open-ended.

In brick-and-mortar shopping malls there is no database recording the time we arrive, what we purchased, what we looked at, what stores we entered, how long we spent in the bathroom, and so forth. When we order something online, we may understand why a shipping address is needed. But what we do not realize is that the company is using the data for other purposes: for targeted advertising, charging us more for certain products because they have determined we would be willing to pay the price, and selling this information to companies whose business it is to build massive dossiers.

Imagine being told by a company that, though they are willing to tell us they are charging us for goods and services, they are unwilling to say how much! If information is the currency of a digital world, then this is equivalent to a bargain we are being asked to accept.

There are many reasons to care about privacy: individuals can be harmed by inappropriate collection and distribution of information; our freedom and autonomy may be abridged; we may suffer unfair discrimination; and many social institutions, as fundamental as democracy, may be threatened if norms of privacy are not respected.