Privacy, Consent, and Norms

Richard Warner

Summary

Informational privacy is the ability to control what others know about us and what they do with it.

Advances in information processing have greatly decreased that ability, resulting in

“mass surveillance.” We object to the loss of control, because . . . Any very wide range of reasons given by

privacy advocates. Current privacy law fails to address our

concerns.

Summary

“Requiring consent” will not return the desired control.

But to do so we need to ensure free and informed consent to privacy tradeoffs.

We suggest that informational norms are the key to ensuring free and informed consent to privacy tradeoffs.

Informational Norms

Informational norms are social norms that constrain the collection, use, and distribution of personal information.

Informational norms explain why you expect your pharmacist to inquire about drugs you are taking (to prevent harmful drug interactions), but not whether you are happy in your marriage.

Claims and an Example

Ideally, norm-governed exchanges: implement acceptable tradeoffs between informational privacy and competing goals; and ensure free and informed consent to those tradeoffs.

The wine store example. What is norm? Why are norm-governed exchanges

acceptable? Why do businesses conform? Why do norms ensure free and informed

consent?

Norms Defined

A norm is a sanction-supported behavioral regularity in a

group of people, where the regularity exists in part because each group

member thinks each group member ought to act in accord with that regularity.

Ought: Prudential versus justified in light values the person accepts.

Norms

Three examples: You are making a comment during a roundtable

discussion. How long should you talk? You enter a crowed elevator. Where should you

stand? Two strangers meet in a narrow corridor. Who

makes what effort to allow the other to pass?

Nissenbaum On Norms

Informational norms “circumscribe the type or nature of information about various individuals that, within a given context, is allowable, expected, or even demanded to be revealed. In medical contexts, it is appropriate to share details of our physical condition or, more specifically, the patient shares information about his or her physical condition with the physician but not vice versa; among friends we may pour over romantic entanglements (our own and those of others); to the bank or our creditors, we reveal financial information; with our professors, we discuss our own grades; at work, it is appropriate to discuss work-related goals and the details and quality of performance.”

The No-Helmet Norm

Until the 1979, the norm among National Hockey League players was not to wear a helmet.

When the players were asked in a secret ballot, the vast majority said that the league should require them to wear helmets.

Most players preferred that most players, themselves included, wore helmets, but, preferred not to wear a helmet, if most others did not.

The Sanctions

The players conformed to avoid two sanctions: non-helmet-wearing players’ perception that

helmet-wearers lacked toughness, and a small loss in playing effectiveness

against non-helmet-wearing players from the helmet’s restriction of peripheral vision.

In light of the sanctions, each player thought he ought to conform.

The Players’ Values

The values of the vast majority of players decisively favored a regularity in which all players wore helmets.

The norm was not value-justified. A norm as not value-justified if: (1) people

think they ought to conform as long as most others conform, but (2) the values of most lead them to prefer that most would not conform.

Value-Justified Norms

We typically conform to norms without much thought. The elevator example.

You could--after sufficient, adequately informed, and unbiased reflection—justify the norm.

Call such norms value-justified. Not all norms are value-justified.

The key defect in EULAs is that the contain terms not governed by value-justified norms.

Throwing Harder

Two elementary school friends adhere to the norm, “Throw as hard as you can,” when they play catch. One of them moves away and returns later as a teenager.

When the reunited friends again play catch, one of them injures the other by throwing the ball with great force.

When the injured friend complains, the thrower says that she was simply following the norm to throw as hard as possible.

“Throwing Harder”

Technological advances had made businesses able to “throw harder”: they are now far more effective than in the past

in determining whether a specific individual meets the requirements businesses wish to impose.

The business situations differ in one crucial way. The friends would abandon their old norm But in the business cases, the relevant the

norms remain norms.

The Consequence

The norms are no longer value-justified. We are similar to the hockey players prior

to the National Hockey League’s requiring helmets: we think we ought to conform to the

norms as long as most others conform, but our values lead us to prefer the

situation in which most did not conform to the norm.

Direct Marketing

Direct marketing sorts buyers into groups according to their willingness to purchase certain products and services for the purpose of targeting advertising.

Defining direct marketing categories requires processing a great deal of personal information about consumers.

Retailers routinely collect sufficient personal data their customers that that they can also function as information brokers

Dwyer v. American Express American Express analyzed the purchases of

its cardholders to divide them into “six tiers based on spending habits and then

rent this information to . . . merchants . . . [D]efendants analyze where they shop and how much they spend, and also consider behavioral characteristics and spending histories. Defendants . . . create a list of cardholders who would most likely shop in a particular store and rent that list to the merchant.”

Direct Marketing as Mass Surveillance Direct marketing is a prime example of “mass

surveillance”—the use of “systematically harvested personal information . . . to determine what treatment to mete out to each individual.”

The “systematic harvesting” is facilitated by the fact that, as noted earlier, “[i]t has become increasingly rare to deal with any . . . private-sector organization without generating and relying upon a database of personal information.”

The Norm

Retailers acting as information brokers play a critical role in feeding direct marketing the personal information it needs.

Despite the privacy cost, the norm is that retailers may act as information brokers for direct marketing purposes. Regularity Sanctions Think we ought

Not Value-Justified

Consumers conform to the “retailers as information brokers” norm in order to avoid the sanctions of non-conformity,

But—like the hockey players—they value their informational privacy in a way that leads them to strongly prefer a situation in which that norm did not hold, a situation in which they had more control over their personal information.

Why?

Why think that consumers value their informational privacy in a way that leads them to have a strong preference for much greater control over their personal information?

This is the most reasonable (and indeed most widely accepted) interpretation of over twenty years of studies and surveys about consumer attitudes toward privacy. http://www.heinz.cmu.edu/~acquisti/economics

-privacy.htm

An Objection

“A number of more recent surveys, anecdotic evidence, and experiments . . . have . . . shown that individuals are actually less concerned about privacy than what they claim to be: many are willing to provide very personal information, in exchange for small rewards.”

Alessandro Acquisti & Jens Grossklags, Privacy and Rationality in Individual Decision Making.

In exchanging personal information for small rewards, consumers are conforming to the “retailers as information brokers” norm, but, as in the hockey helmet example, conformity is consistent with having values that lead one to strongly prefer an alternative in which most do not conform.

Other Examples

Information aggregators Health insurance Employer hiring and retention The extension of credit News reporting The practice of price discrimination