An Historic Perspective on Privacy

2.3.1Changes in Expectations of Privacy

There are two noteworthy aspects on how privacy expectations have changed. The first is that social practice and expectations co-evolve with technical development, making it difficult to establish causal effects between the two. The second aspect is that privacy expectations evolve along multi-dimensional lines, and the same technology can have opposite effects on different types of privacy.

Social practice and technology co-evolve. For example, the introduction of digital cameras, or location technology in cell phones, happened alongside the gradual introduction of legislation [2, 3, 5] and the emergence of a social etiquette regulating their use. Legislation often follows technical development, although in some cases specific legislation preempts technical development. For example, digital signature legislation in some European countries was enacted well before the technology was fully developed, which may have in fact slowed down adoption by negatively affecting its usability [7].

It is often difficult to tease cause and effect apart: whether social practices and expectations drive the development of technology or vice-versa. Some observers have noted that the relationship between social constructs and technology is better described as co-evolution. Latour talks of “socio-technological hybrids,” undividable structures encompassing technology as well as culture—norms, social practices and perceptions [193]. Latour claims that these hybrids should be studied as a whole. This viewpoint is reflected in HCI research, including the proponents of participatory design [92, 256] and researchers of social computing [85]. Iachello et al. even go as far as claiming that in the domain of privacy, adoption patterns should be “designed” as part of the application and can be influenced to maximize the chances of successful acceptance [158].

The reader should note that in some cases, technologies that affect privacy are developed without much public debate. For example, Geographic Information Systems (GIS) classify geographic units based on census, credit, and consumer information. Curry and Philips note that GIS had a strong impact on the concepts of community and individual, but were introduced almost silently, over the course of several decades, by a combination of government action, developments in IT, and private enterprises, without spurring much public debate [78].

Understanding these changes is not a straightforward task, because technical development often has contradictory effects on social practice. The same artifact may produce apparently opposite consequences in terms of privacy, strengthening some aspect of privacy and reducing others. For example, cell phones both increase social connectedness, by enabling distant friends and acquaintances to talk more often and in a less scheduled way than previously possible, but also raise barriers between physically co-present individuals, creating “bubbles” of private space in very public and crowded spaces such as a train compartment [29].

From this standpoint, privacy-sensitive IT design becomes an exercise of systematically reconciling potentially conflicting effects of new devices and services. For example, interruption management systems based on sensing networks (such as those prototyped by Nagel et al. [218]) aim at increasing personal and environmental privacy by reducing unwanted phone calls, but can affect information privacy due to the collection of additional information through activity sensors. We highlight this issue of how expectations of privacy change over time as an ongoing research challenge in Section 4.5.

2.3.2Changes in Privacy Methodologies

The FIPS reflect the top-down and systems approach typical of IT at the time. Systems were relatively few, carefully planned, developed for a specific purpose, centrally managed, and their use was not discretionary. The terminology used to describe privacy reflects this perspective as well. Data subjects were protected through data protection mechanisms, which were centrally administered and verified by a data controller or data owner (the organization managing the data). Trust originated in the government and in the accountability of data owners. HCI in the 1970s also reflected carefully planned, structured process modeling of non-discretionary applications [134]. Computer-related work tasks were modeled and evaluated to improve performance, usability, and effectiveness using techniques such as GOMS [129].

This picture began to change with advances in personal computing. Discretionary use became the predominant mode for many applications, even in office settings, and HCI started to concentrate more on ease-of-use, learning curves, and pleasurable interaction. Users enjoyed increasing discretion of what applications and services to employ. At the same time, the collection of personal data expanded with advances in storage and processing power, making trust a fundamental component in the provisioning of IT services. This increased choice and shift of approaches is reflected in data protection legislation in the 1980s, where the original concepts of use limitation gives way to the more far-reaching concept of Informational Self-Determination [6].

Finally, the 1990s saw the emergence of the Internet, which enabled new kinds of applications and forms of communication. Regulators and industry started developing more flexible and comprehensive legislation to support the greatly increased amounts of personal information that was being shared and used. Privacy research followed these changes, acknowledging the use of IT for communication purposes and the increasing fluidity of personal information collected and used by individuals, businesses, and governments. The development of privacy-enhancing technologies like machine-readable privacy policies [72], of concepts such as Multilateral Security [247], and of technology supporting anonymous transactions (e.g., mail encryption tools, mix networks, anonymizing web services) are manifestations of the complexity of the IT landscape.

At the same time, HCI research and practices began to focus on the use of IT to enable interpersonal communications and support social and work groups, first in small environments such as offices, later in society at large. Example domains studied by HCI researchers at this time include remote collaboration, telecommunications, and organizations. Following these developments, interpersonal relations became an important domain of the privacy discourse, and research started to focus on interpersonal privacy within office environments [118, 215] and in everyday interactions and communications (e.g., instant messaging, email).

Today, the combination of wireless networking, sensors, and computing devices of all form factors has spurred the development of new kinds of mobile and ubiquitous computing applications. Many of these new applications operate in non-traditional settings, such as the home or groups of friends, which lead to new challenges for HCI and privacy [191, 267]. For example, the implicit nature of interaction with these systems requires developers to re-think both Norman’s seven steps of interaction [227] and established tenets of privacy such as informed consent [11]. Furthermore, the type, quantity and quality of information collected from ubicomp environments significantly heighten risks of misuse.

This brief historical review should have convinced the reader that privacy is a very dynamic construct, and that design for privacy is a function of social and technological contexts, which vary over time. Against this backdrop, we next survey the research landscape of privacy in HCI.