Privacy: An Operational Definition

Mon 22 February 2016

I value privacy. I inconvenience myself daily to preserve mine, keeping my cell radio off, using encryption, and distrusting other people's servers. But, when I recently sat down to think about a project that had privacy implications, I realized I was missing an operational definition of the word. While I could tick off examples of violations, the generalization was missing. So here is my attempt to rectify that.

At its root, privacy is the ability to keep “secrets”. Secrets aren't necessarily nefarious ones, for our purposes here; they are usually prosaic, like those we protect by closing the bathroom or bedroom door. Here are some other kinds of potential secrets:

  • Your location
  • Your activities
  • Your communications
  • Your associations with others
  • Your health
  • Your plans for the future
  • Your stored data or keys to unlock it
  • Your opinions or beliefs
  • Generalizations about any of these (e.g. metadata)

Some people hold certain of these more dear than others. Most will disclose them in some situations and withhold them in others. The above list isn't comprehensive, but it shows the breadth of the possibility space.

We can then define privacy in terms of those “secrets”:

Privacy is being secure against...

  • The forced appropriation or sharing of “secrets”
  • Storage of secrets longer than is necessary to achieve an agreed-upon transaction

“Forced” goes beyond mere physical force or legal compulsion. It also includes any coercive effect achieved by an imbalance of clout, time, or expertise. For example, force includes making ordinary activities contingent on (or unnecessarily annoying apart from) the disclosure or storage of secrets: things like driving (under the watchful eyes of license plate scanners), talking on the phone (leaving logs that persist long after the bill is paid), using a computer program (which phones home with your habits), using a mapping app (which leaks your location), buying or selling, reading a document, or borrowing a book. When you visit a web page containing a Facebook Like button, not realizing that the mere presence of the button tells Facebook what page you're on, force has been employed by means of an imbalance of expertise. Force is also commonly effected through confusion, as through unclear laws, confusing privacy UIs, or promiscuous defaults.
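To make the Like-button point concrete, here is a small model of what a third-party embed discloses to its host when a page loads it. This is an added example, not code from the original post: it assumes the classic embed form `https://www.facebook.com/plugins/like.php?href=<page URL>` (the `likeButtonSrc` helper and the sample page URL are constructed for illustration), and it models the browser's Referer rules for the common `Referrer-Policy` values. The point it shows is that even a page that sets `Referrer-Policy: no-referrer` still tells the third party exactly which page you are on, because the embed code itself puts the page URL in the request.

```javascript
// Constructed sample page containing a sensitive path and query string.
const PAGE_URL = "https://blog.example.org/posts/my-medical-history?utm=1#notes";

// Hypothetical Like-button embed URL of the classic form used by social widgets:
// the embedding page's own URL is passed explicitly as the `href` parameter.
function likeButtonSrc(pageUrl) {
  return `https://www.facebook.com/plugins/like.php?href=${encodeURIComponent(pageUrl)}&layout=button`;
}

// Referer value a browser sends for a request from `pageUrl` to `targetUrl`
// under the given Referrer-Policy. Fragments (#...) are never sent.
function refererFor(pageUrl, targetUrl, policy) {
  const page = new URL(pageUrl);
  const target = new URL(targetUrl);
  const originOnly = page.origin + "/";
  const full = page.origin + page.pathname + page.search;
  const sameOrigin = page.origin === target.origin;
  const downgrade = page.protocol === "https:" && target.protocol === "http:";
  switch (policy) {
    case "no-referrer":
      return null;
    case "same-origin":
      return sameOrigin ? full : null;
    case "origin":
      return originOnly;
    case "strict-origin-when-cross-origin": // current browser default
      if (sameOrigin) return full;
      return downgrade ? null : originOnly;
    case "no-referrer-when-downgrade":
      return downgrade ? null : full;
    case "unsafe-url":
      return full;
    default:
      throw new Error(`unknown Referrer-Policy: ${policy}`);
  }
}

// Everything the third party learns about the visited page from one embedded
// request: the Referer header plus any page identifier the embed URL carries.
function disclosure(pageUrl, embedSrc, policy) {
  const target = new URL(embedSrc);
  return {
    thirdParty: target.origin,
    referer: refererFor(pageUrl, embedSrc, policy),
    hrefParam: target.searchParams.get("href"), // leaks regardless of Referer policy
  };
}

// Stand-alone usage: compare the default policy with the strictest one.
for (const policy of ["strict-origin-when-cross-origin", "no-referrer"]) {
  console.log(policy, disclosure(PAGE_URL, likeButtonSrc(PAGE_URL), policy));
}
```

Under the default policy the widget host sees only your origin in the Referer header, but the `href` parameter hands it the full page URL anyway; `no-referrer` removes the header and changes nothing about the parameter. A plain tracking pixel with no such parameter, by contrast, is actually blinded by a strict policy. That is the "imbalance of expertise" in code: the visitor has no reasonable way to know which of these two cases a given button is.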

Concretely, then, why do I want privacy? What do we lose if we give it up?

  • Violations of privacy facilitate criminal prosecution of ordinary behavior. Civil-liberties lawyer Harvey Silverglate estimates you commit 3 felonies a day. Having everyone be “a criminal on paper” is a great tool for oppressive regimes.
  • Stored secrets routinely leak to unintended recipients. Recent years have brought a smorgasbord of high-profile breaches, like Target (payment card data), Premera (medical claim info), the IRS (tax records), and mSpy (chat logs). Storage and sharing are really equivalent, as time goes to infinity; computers are blabbermouths.
  • Leaks create chilling effects on behavior and discussion, public and private. This inhibits democracy, since it multiplies the risks of researching or debating unpopular ideas. Sometimes risky ideas are good ones: Alexander Hamilton and James Madison had to adopt pseudonyms to discuss their politics in print.
  • Privacy promotes peace in a diverse population, since without it you cannot selectively withhold your religious, political, or romantic preferences from those who might take offense.
  • Privacy is necessary to the development of the self, allowing one to experiment with different ideas and behaviors while constraining social costs to a manageable scope.

Clearly, privacy is not just a fuzzy feeling but rather a real thing with concrete consequences. Is my cautious value system the right one? Will it become less necessary as laws and social etiquette evolve to either defend the privacy of individuals—or, perhaps, just cut them some slack? Or is this going to be a drawn-out technical war with safe languages, onion routing, and endpoint security playing major parts? Those are questions for another post, but a rigorous discussion of any of them will be well-supported by the foundation of a good definition.