Contextual Integrity, Explained: A More Usable Privacy Definition
Contextual integrity is a privacy model popular among privacy researchers, but it is relevant well beyond that community. This article introduces the theory and its main ideas, explains why it is useful, and shows how it can be applied.
Idea 2: Information Flow Is Appropriate When It Conforms With Contextual Privacy Norms

According to the theory of CI, information flow is appropriate when it happens according to the norms of a particular informational context. In other words, CI asks, "What are the privacy norms in this specific situation?" If information is shared in a way that runs counter to these entrenched expectations, that flow is inappropriate—i.e., it is a privacy violation. In fact, this is precisely how the theory defines privacy:

Privacy, defined as CI, is preserved when information flows generated by an action or practice conform to legitimate contextual informational norms; it is violated when they are breached (Nissenbaum,4 p. 224).

While this may appear almost tautological ("a privacy violation happens when you violate privacy expectations"), this definition draws an important distinction from notions of privacy that are purely procedural, such as the principle of informed consent and other Fair Information Practice Principles (FIPPs). Under a procedural model of privacy, any information flow might be considered appropriate as long as certain practices were followed, such as encrypting the data in transit or getting the user to agree to some terms and conditions.

Informed consent and other FIPPs certainly have their value, but CI says that following them is not sufficient to maintain privacy, just as you're unlikely to achieve security simply by ticking all the boxes on a checklist. Privacy concerns won't magically go away just because the user clicked "I accept." Instead, CI postulates that norms are the key determinant for privacy.

Norms are generally established standards and commonly held expectations about what will happen with shared information. Here are some examples of contextual informational norms:

■ A teacher is expected to share a pupil's grades with the student's guardians (and perhaps other teachers) but not anyone else.
■ A therapist is expected not to reveal a patient's mental state unless they believe the patient is in danger.
■ Citizens are required to report their income to the government, but the government is expected not to make that information public.

As these examples illustrate, norms are like the rules that govern our interactions in society. Some may be informal but enduring (for example, norms about sharing intimate details or betraying a friend's confidence). They can be so strongly held that they have been codified as laws (such as, in the United States, privacy regulations about health data or children). But they might also be loosely defined and best-effort (getting our friends' permission before photographing them or posting those pictures on social media). Finally, some may be vague and rapidly evolving (such as the question of how to respect the privacy of guests in smart homes).

Just like social rules, norms can be shared by an entire society or country (for example, being obligated to submit one's fingerprints if arrested on suspicion of a crime) or can be localized to an individual family or workplace (such as a company where all employees know each other's compensation). To summarize:

Norms may be explicit or implicit, may emanate from a variety of sources, may or may not be enshrined in law, may be commanded or merely emergent, may vary over time and across cultures, may be strict or approximate, may be universally or merely locally known, and so forth (Nissenbaum,4 p. 227).

An implication of this flexibility is that there may not be a single true norm for a given situation. Multiple norms may be present, and perhaps even in conflict with each other, due to the interaction of different contexts, cultures, and values. As a result, not everyone might agree about what the prevailing norm is. In these cases, CI doesn't necessarily offer a resolution (though it provides some guidance, to be discussed in a later section), but it can help model what is happening.

Nonetheless, the flexibility of norms is not total. Since they are like social rules and represent entrenched expectations in society, norms require some consensus: one person's opinion, no matter how reasonable or well-justified, cannot constitute a norm if it is at odds with everyone else's.

Therefore, norms cannot be assumed or derived from first principles but must rather be gleaned from the real world. Thus, the most reliable way to ascertain a norm is to identify people's attitudes, beliefs, and expectations. Because norms differ between contexts, conducting this research (and, more generally, understanding norms) requires a more precise definition of what constitutes a context.
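One technique privacy researchers have used to measure such attitudes is the factorial vignette survey: participants rate many systematically varied descriptions of an information flow, and the ratings reveal which variations people consider acceptable. Below is a minimal sketch of the idea in Python; the template and the parameter values are illustrative assumptions, not an instrument from this article.

    from itertools import product

    # Hypothetical vignette template; each blank is one aspect of an
    # information flow whose acceptability we want to measure.
    TEMPLATE = ("A {sender} shares a student's {info_type} "
                "with {recipient}. How acceptable is this?")

    # Illustrative values; a real study would choose these carefully.
    SENDERS = ["teacher", "school administrator"]
    INFO_TYPES = ["grades", "attendance record"]
    RECIPIENTS = ["the student's guardians", "other teachers",
                  "an advertising company"]

    # Generate every combination: 2 * 2 * 3 = 12 vignettes, each of
    # which participants would rate on, say, a five-point scale.
    for sender, info_type, recipient in product(SENDERS, INFO_TYPES,
                                                RECIPIENTS):
        print(TEMPLATE.format(sender=sender, info_type=info_type,
                              recipient=recipient))

Averaging participants' ratings across these combinations indicates which variations of a flow people treat as norm conforming and which they reject.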
Idea 3: A Contextual Norm Can Be Described by (at Least) Five Parameters

So far, we've seen that privacy can be modeled as information flow and argued that the privacy expectations for these flows are governed by norms, which vary across contexts.
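In Nissenbaum's formulation, those parameters are the data subject, the sender, the recipient, the type of information, and the transmission principle (the constraint under which the information flows). As a minimal sketch of how a flow and a norm check might be represented (the class and values below are illustrative, not a standard CI library):

    from dataclasses import dataclass

    @dataclass(frozen=True)
    class Flow:
        """One information flow, described by CI's five parameters."""
        subject: str                 # whom the information is about
        sender: str                  # who transmits the information
        recipient: str               # who receives it
        info_type: str               # what kind of information flows
        transmission_principle: str  # the constraint on the flow

    # The teacher norm from the earlier examples, encoded as the set
    # of flows the education context treats as appropriate.
    APPROPRIATE = {
        Flow("pupil", "teacher", "guardian", "grades", "in confidence"),
        Flow("pupil", "teacher", "other teacher", "grades", "in confidence"),
    }

    def conforms(flow: Flow) -> bool:
        """Per CI, a flow preserves privacy only if it matches a norm."""
        return flow in APPROPRIATE

    # Changing just the recipient turns the flow into a violation.
    print(conforms(Flow("pupil", "teacher", "guardian", "grades",
                        "in confidence")))    # True
    print(conforms(Flow("pupil", "teacher", "advertiser", "grades",
                        "in confidence")))    # False

Real norms are rarely this crisp, but the sketch captures the key point: altering any single parameter can turn an appropriate flow into a violation.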
Regardless of how exactly you choose to model the context, it's worth remembering that purpose matters and that there can be more to CI than just the five parameters.

Idea 4: New Norms and Flows Are Evaluated Through Their Context

The previous ideas have described CI's perception of privacy and conception of contexts; together, these provide us with the ability to model existing information flows with respect to the privacy norms that govern them. But what happens if there's a new information flow?

Just because an information flow is unfamiliar doesn't mean it's bad; the new flow could still be appropriate. However, when we're dealing with new technology and novel data flows, norms for a specific context might not be established yet.

Consider, for example, a doctor who wants to make use of new technologies that require access to patients' data (perhaps AI-powered dictation software, a diagnostics assistant, or an electronic health record). These are novel flows, so how can the doctor determine whether they are appropriate?

The theory of CI provides a way to evaluate the ethical legitimacy of new flows. It gives a framework for identifying the strengths and weaknesses of the novel flow as compared with the status quo. CI suggests three layers of analysis (sketched in code after the list):

1. the interests of the affected parties
2. the ethical and political values
3. the contextual functions, purposes, and values.
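As one minimal way to organize this analysis (the questions below are illustrative prompts, not part of the theory itself), each layer can be phrased as questions an analyst answers about the proposed flow; the doctor example that follows walks through the same layers in prose.

    # Hypothetical checklist organizing CI's three layers of analysis;
    # the questions themselves are illustrative examples.
    ANALYSIS_LAYERS = {
        "interests of the affected parties": [
            "Who benefits from the new flow, and how?",
            "Who could be harmed, and how severely?",
        ],
        "ethical and political values": [
            "Does the flow affect justice, equity, or free speech?",
            "Does it limit freedom of choice?",
        ],
        "contextual functions, purposes, and values": [
            "What is this context for (e.g., providing health care)?",
            "Does the flow advance or undermine that purpose?",
        ],
    }

    def evaluate(flow_description: str) -> None:
        """Print the questions an analyst would answer for a novel flow."""
        print(f"Evaluating: {flow_description}")
        for layer, questions in ANALYSIS_LAYERS.items():
            print(f"\nLayer: {layer}")
            for question in questions:
                print(f"  - {question}")

    evaluate("doctor adopts AI-powered dictation software")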
In the case of the doctor's data sharing, we would first consider the interests of the parties. It will make the doctor's life easier, but are there ways in which it might be detrimental to the patients? Next, we would look at more general ethical priorities—for example, values like justice and equity, free speech, and freedom of choice. Would any of these be hurt? Finally, we'd think about the fundamental purpose of the context—in this case, providing health care. Would its goals be undermined by the flow or any of its consequences? For example, will patients become less likely to seek care due to concerns about how their data are used?

Each of these factors may offer a reason to reject a new flow as not being morally legitimate from the perspective of CI. If the data sharing leads to higher insurance premiums, it can hurt the patient financially. If it results in disparate health outcomes for different demographics, it may be unjust. On the other hand, the benefits offered by the new flow might show it to be superior to the status quo. If the data sharing aids the contextual purpose of providing health care—for example, by stopping an outbreak of a disease early through notifying public health officials so they can take appropriate measures—this, according to CI, could outweigh the privacy interests of an individual data subject.

Clearly, these determinations are subjective and might be contested; even outside the realm of privacy, debates rage over whether particular policies align with specific values. While CI cannot deliver a definitive decision in each case, the framework provides a structured way of thinking about whether something hurts or enhances privacy.

Applying CI

This article has argued that CI offers an effective model and a more precise definition of privacy. But how can it be used? Next are four lessons demonstrating how CI can be applied to research and practice.

Lesson 1: Think Beyond Binaries

It can be tempting to reduce data to binary categories: sensitive or not sensitive, private or public, information that is—or isn't—personally identifiable, and so on. Yet, just as anonymous data can often be reidentified, so can public data often turn out to be sensitive. All of these binary characterizations fail to acknowledge the context-dependent nature of what people consider private.

Of course, this isn't a suggestion to start treating credit card numbers the same way as comments on a blog post. If anything, it's the opposite. For example, if one were to aggregate a person's every public comment and product review into a dossier and then publish it, that would feel like a privacy violation. Why? Weren't they public already? As CI explains, it's not enough to consider that the information is public; we need to think about how that information was flowing before and how that flow changed.

Another illuminating example is the outcry when, in short succession, pretty much every voice assistant was revealed to have been relying on contractors to listen to some user interactions.10 Many people were upset to discover this new, previously undisclosed, flow, forcing the companies to apologize and backtrack.

In this situation, the companies felt that they were relatively unconstrained in what they could do with the data since users had already shared those recordings with them. In reality, they were taking interactions that many saw as ephemeral and generating new data flows on their basis, creating a (mostly invisible) permanent record. The companies consequently learned that the new flows were surprising and unwelcome to people even though the data technically never left the company and was not shared with third parties.
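Framed in CI's terms, it is easy to pinpoint what changed. Here is a small sketch of the comparison, with illustrative parameter values for the voice assistant case:

    # Illustrative parameter values for the voice assistant example:
    # the flow users expected versus the flow that actually occurred.
    expected_flow = {
        "subject": "user",
        "sender": "user",
        "recipient": "speech recognition software",
        "info_type": "voice recording",
        "transmission_principle": "processed automatically, then discarded",
    }
    actual_flow = {
        **expected_flow,
        "recipient": "human contractors",
        "transmission_principle": "retained and reviewed for quality control",
    }

    # Any parameter that differs marks where expectations were breached.
    for param in expected_flow:
        if expected_flow[param] != actual_flow[param]:
            print(f"{param}: {expected_flow[param]!r} -> {actual_flow[param]!r}")

Even though no third party was involved, the recipient and the transmission principle both changed, which is why users experienced the practice as a violation.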
imparting knowledge to students, and in contexts of the judicial system for the purpose of securing justice. Even casual interactions, like gossip or small talk, serve some social motive.

CI instructs us to consider the consequences for these purposes when analyzing the impact of new flows. This framework can be used, as an example, to analyze the concerns surrounding the surveillance of students. As part of the pandemic-induced switch to remote learning, students were subjected to a variety of new demands on their privacy, from requirements to turn on their webcams and be on video during remote lectures to invasive monitoring of their computers and surroundings as a part of remote proctoring.13 How should we think about the ethical legitimacy of these novel flows?

The rights and interests of students and instructors are a good starting point for this debate. But CI offers an additional question to guide deliberation. Do any of these measures enhance student learning? Or do they actually hurt students' education by drawing their attention away from the subject matter and introducing new stresses? If so, then the new flows are privacy violations and inappropriate.

As researchers and practitioners in computer science, everyone would benefit if more of us knew about and made use of CI.

Similar skepticism should be shown to new flows that endanger the values and purposes of other contexts: health technologies that may make patients reluctant to seek care (for example, data sharing between health-care providers and employers) and voting methods that may reduce citizens' engagement or increase their distrust in civic affairs (such as certain proposals for online voting). Regardless of the setting or the technology, a full appraisal calls for considering the contextual values.

Ultimately, this perspective is so useful because—just as security is not a primary activity but rather an operational requirement—most people don't care about privacy for its own sake. Privacy enables free speech, creativity, self-expression, experimentation, and other beneficial values and outcomes. When we fight for privacy, we fight for these values, too.

Unresolved Questions and Future Directions

Beyond the lessons discussed previously, there may be opportunities to incorporate CI more directly into the privacy decision-making of systems. Exactly how this might be done remains an ongoing research question. In the meantime, the theory has already proven useful in a number of computer science research projects.5 Still, CI isn't the final word in privacy; it has a number of limitations, which are worth knowing about.

As a theoretical model, CI aims to predict how people will feel about privacy under different circumstances; it does not claim that this is how people think about privacy or make privacy decisions. You're unlikely to find many people who go into a situation, identify each of the five CI parameters at play, reflect on the context they are operating in, and then arrive at a privacy judgment. Most of the time, our reactions are rooted in emotions and intuitions.

Furthermore, even if asked to reflect more logically on their decisions, people don't necessarily think about the situation in the same terms as the CI model.14 And like any model, CI necessarily simplifies things. As discussed previously, there may be other factors that matter, beyond the parameters CI identifies.

Another limitation of CI is its conservativeness. Though it provides a way of adjudicating novel flows based on the moral values at play, CI favors established norms. Existing expectations can be entrenched for good reasons, but not always. For example, many workplaces have a norm that employees don't share their salaries with each other, but this may have the effect of limiting workers' bargaining power and hurting underrepresented minorities. CI provides some tools for reasoning about these disputes, but it's not a complete theory of norm evaluation.

One of the biggest challenges for CI is the problem of inferences, in which the collection of one data type can lead to conclusions about another, as a result of which harmless data bits can be composed into highly invasive profiles. A famous example is a woman's pregnancy that was predicted, based on shopping history, prior to her knowing.15 CI's perspective on this is that higher-order data types—ones derived and inferred from other information—should be evaluated on their own terms, not based on the norms of the lower-order source data. Just because it's accepted for a store to keep track of your purchases doesn't make it okay for it to traffic in health data that it was able to infer from your buying habits. If anything, privacy expectations
might "travel down": If some data can be used to infer health information, arguably they should be treated with the same care as health data.
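A sketch of what "traveling down" could mean computationally (the data types and sensitivity scores here are made up for illustration):

    # A sketch of "traveling down": if data type A can be used to infer
    # data type B, the expectations attached to B propagate back to A.
    INFERS = {
        "purchase history": ["pregnancy status"],
        "pregnancy status": [],
    }
    SENSITIVITY = {"purchase history": 1, "pregnancy status": 3}

    def effective_sensitivity(data_type: str) -> int:
        """A type is at least as sensitive as anything inferable from it."""
        return max([SENSITIVITY[data_type]] +
                   [effective_sensitivity(t) for t in INFERS[data_type]])

    print(effective_sensitivity("purchase history"))  # 3, not 1

Under this reading, purchase history would inherit the stricter expectations attached to what it can reveal.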