Contextual Integrity

Contextual integrity is a theory of privacy developed by Helen Nissenbaum and presented in her book ''Privacy in Context: Technology, Policy, and the Integrity of Social Life''. It comprises four essential descriptive claims:

* Privacy is provided by appropriate flows of information.
* Appropriate information flows are those that conform with contextual informational norms.
* Contextual informational norms refer to five independent parameters: data subject, sender, recipient, information type, and transmission principle.
* Conceptions of privacy are based on ethical concerns that evolve over time.


Overview

Contextual integrity can be seen as a reaction to theories that define privacy as control over information about oneself, as secrecy, or as regulation of personal information that is private or sensitive. This places contextual integrity at odds with privacy regulation based on the Fair Information Practice Principles. It also does not line up with the 1990s cypherpunk view that newly discovered cryptographic techniques would assure privacy in the digital age, because on this theory preserving privacy is not a matter of stopping all data collection, blocking all flows of information, minimizing data flow, or stopping information leakage; the question is always whether a particular flow is appropriate to its context.

The fourth essential claim gives privacy its ethical standing and allows for the evolution and alteration of informational norms, often in response to novel sociotechnical systems. It holds that practices and norms can be evaluated in terms of:

* their effects on the interests and preferences of affected parties;
* how well they sustain ethical and political (societal) principles and values;
* how well they promote contextual functions, purposes, and values.

The most distinctive of these considerations is the third. As such, contextual integrity highlights the importance of privacy not only for individuals but for society and its respective social domains.


Parameters

The "contexts" of contextual integrity are social domains: intuitively, health, finance, the marketplace, family, civil and political life, and so on. The five critical parameters singled out to describe a data transfer are:

# The data subject
# The sender of the data
# The recipient of the data
# The information type
# The transmission principle

Some illustrations of contextual informational norms in Western societies include:

* In a job interview, an interviewer is forbidden from asking a candidate's religious affiliation.
* A priest may not share congregants' confessions with anyone.
* A U.S. citizen is obliged to reveal gross income to the IRS, under conditions of confidentiality except as required by law.
* One may not share a friend's confidences with others, except, perhaps, with one's spouse.
* Parents should monitor their children's academic performance.

Examples of data subjects include a patient, shopper, investor, or reader. Examples of senders include a bank, the police, an advertising network, or a friend. Examples of recipients include a bank, the police, or a friend. Examples of information types include the contents of an email message and the data subject's demographic, biographical, medical, and financial information. Examples of transmission principles include consent, coercion, theft, buying, selling, confidentiality, stewardship, acting under the authority of a court with a warrant, and national security.

A key thesis is that assessing the privacy impact of an information flow requires the values of all five parameters to be specified. Nissenbaum has found that access control rules which do not specify all five parameters are incomplete and can lead to problematic ambiguities.

Nissenbaum also notes that some kinds of language can lead an analysis astray. When the passive voice is used to describe the movement of data, it lets the speaker gloss over the fact that an active agent performed the transfer. The sentence "Alice had her identity stolen" hides that someone or something did the actual stealing of Alice's identity. Saying "Carol was able to find Bob's bankruptcy records because they had been placed online" ignores that some person or organization collected the records from a court and placed them online. In the five-parameter terms, both sentences leave the sender unspecified.


Example

Consider the norm: "US residents are required by law to file tax returns with the US Internal Revenue Service containing information such as name, address, SSN, gross earnings, etc., under conditions of strict confidentiality." In the five parameters:

* Data subject: a US resident
* Sender: the same US resident
* Recipient: the US Internal Revenue Service
* Information type: tax information
* Transmission principle: the recipient will hold the information in strict confidentiality

Given this norm, we can evaluate a hypothetical scenario and see whether it violates contextual integrity: "The US Internal Revenue Service agrees to supply Alice's tax returns to the city newspaper as requested by a journalist at the paper." This hypothetical clearly violates contextual integrity, because providing the tax information to the local newspaper breaks the transmission principle under which the information was obtained. Note that the violation is not that tax information flows at all (it flowed appropriately from Alice to the IRS); it is that the sender, recipient and transmission principle of the second flow do not match any norm of the context.
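To make the five-parameter analysis concrete, here is an added Python example that is not from Nissenbaum's book or from any of the referenced projects. It encodes the tax-filing context above as a small ordered table of allowing and prohibiting norms and evaluates candidate flows against it. The ANY and SELF wildcards, the first-match ordering, the party names and the "unspecified" verdict are all modelling assumptions made for this illustration, not part of the theory's own vocabulary.

```python
from dataclasses import dataclass

# Added example: a minimal model of contextual informational norms.
# All identifiers, party names and the first-match rule are assumptions
# made for illustration; they are not part of the theory's own formalism.

ANY = "*"           # norm parameter that matches any value
SELF = "<subject>"  # norm parameter that must equal the flow's data subject


@dataclass(frozen=True)
class Flow:
    """One information transfer, described by the five parameters."""
    subject: str      # whom the information is about
    sender: str       # the agent actually performing the transfer
    recipient: str
    info_type: str
    principle: str    # the terms under which the transfer happens

    def __post_init__(self):
        # Reject passive-voice style descriptions: a flow with no named
        # sender (or any other blank parameter) cannot be evaluated.
        for name, value in vars(self).items():
            if not value:
                raise ValueError(f"flow parameter {name!r} must be specified")


@dataclass(frozen=True)
class Norm:
    """A contextual norm: a pattern over the five parameters plus a verdict."""
    subject: str
    sender: str
    recipient: str
    info_type: str
    principle: str
    allow: bool  # True: flows matching this pattern are appropriate

    def matches(self, flow: Flow) -> bool:
        pattern = (self.subject, self.sender, self.recipient,
                   self.info_type, self.principle)
        actual = (flow.subject, flow.sender, flow.recipient,
                  flow.info_type, flow.principle)
        for want, got in zip(pattern, actual):
            if want == SELF:
                want = flow.subject
            if want != ANY and want != got:
                return False
        return True


def evaluate(flow: Flow, norms: list[Norm]) -> str:
    """Return 'appropriate', 'violation' or 'unspecified' for a flow.

    Norms are consulted in order and the first matching norm decides
    (assumption: exceptions are listed before the general rule they
    qualify).  A flow that no norm covers is reported as 'unspecified'
    rather than silently allowed, so incomplete rule sets stay visible.
    """
    for norm in norms:
        if norm.matches(flow):
            return "appropriate" if norm.allow else "violation"
    return "unspecified"


# The tax-filing context from the worked example, as an ordered norm list.
TAX_CONTEXT = [
    # A resident files their own return with the IRS under confidentiality.
    Norm(ANY, SELF, "irs", "tax return", "confidentiality", allow=True),
    # The IRS may pass returns on only where the law requires it.
    Norm(ANY, "irs", ANY, "tax return", "required by law", allow=True),
    # Any other onward flow of a return from the IRS breaks the
    # transmission principle under which it was received.
    Norm(ANY, "irs", ANY, "tax return", ANY, allow=False),
]


def tax_flow_verdict(subject, sender, recipient, info_type, principle) -> str:
    return evaluate(Flow(subject, sender, recipient, info_type, principle),
                    TAX_CONTEXT)


if __name__ == "__main__":
    print(tax_flow_verdict("alice", "alice", "irs", "tax return", "confidentiality"))
    print(tax_flow_verdict("alice", "irs", "city newspaper", "tax return", "journalist request"))
    print(tax_flow_verdict("alice", "irs", "federal court", "tax return", "required by law"))
    print(tax_flow_verdict("alice", "bob", "irs", "tax return", "confidentiality"))
```

The fourth call is the instructive one: Bob sending Alice's return to the IRS matches no norm, because the sender and the data subject are separate parameters and the filing norm requires them to coincide. Reporting that case as "unspecified" rather than "appropriate" is the code's version of Nissenbaum's point that a rule which leaves a parameter open is incomplete.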


Applications

As a conceptual framework, contextual integrity has been used to analyze and understand the privacy implications of sociotechnical systems on a wide array of platforms (e.g. the Web, smartphones, IoT systems), and it has led to many tools, frameworks, and system designs that help study and address these privacy issues.


Social media: privacy in the public

In her book ''Privacy in Context: Technology, Policy, and the Integrity of Social Life'', Nissenbaum discussed the privacy issues raised by public data, using examples such as the privacy concerns over Google Street View and the problems caused by converting previously paper-based public records into digital form and putting them online. In recent years, similar issues arising in the context of social media have revived the discussion. Shi et al. examined how people manage their interpersonal information boundaries with the help of the contextual integrity framework; they found that information access norms were related to who was expected to view the information. Researchers have also applied contextual integrity to more controversial social events, such as the Facebook–Cambridge Analytica data scandal.

The concept of contextual integrity has also influenced the ethical norms for research that uses social media data. Fiesler et al. studied Twitter users' awareness and perception of research that analyzed Twitter data, reported results in a paper, or even quoted the actual tweets. Users' concerns turned out to depend largely on contextual factors, i.e. who is conducting the research, what the study is for, and so on, which is in line with contextual integrity theory.


Mobile privacy: using contextual integrity to judge the appropriateness of the information flow

The privacy concerns induced by the collection, dissemination and use of personal data via smartphones have received a large amount of attention from different stakeholders. A large body of computer science research aims to efficiently and accurately analyze how sensitive personal data (e.g. geolocation, user accounts) flows across an app and when it leaves the phone. Contextual integrity has been widely referred to when trying to interpret the privacy implications of these objective data-flow traces. For example, Wijesekera et al. argued that smartphone permission prompts would be more effective if they were shown only "when an application's access to sensitive data is likely to defy expectations", and they examined how applications were accessing personal data and the gap between current practice and users' expectations. Lin et al. demonstrated multiple problematic uses of personal data that violated users' expectations. Among them, using personal data for mobile advertising was the most problematic: most users were unaware of the implicit data collection and found it unpleasantly surprising when researchers informed them of this behavior.

The idea of contextual integrity has also made its way into system design. Both iOS and Android use a permission system to help developers manage their access to sensitive resources (e.g. geolocation, the contact list, user data) and to give users control over which app can access what data. In their official developer guidelines, both iOS and Android recommend that developers limit the use of permission-protected data to situations where it is necessary, and that they provide a short description of why a permission is requested. Since Android 6.0, users are prompted at runtime, in the context of the app, which the Android documentation refers to as "increased situational context". In the theory's terms, a runtime prompt surfaces the sender, recipient and information type of the flow at the moment the user is best placed to judge whether it is appropriate.


Other applications

In 2006 Barth, Datta, Mitchell and Nissenbaum presented a formal language that can be used to reason about the privacy rules found in privacy law. In their framework, norms are expressed as positive norms (flows that are permitted) and negative norms (flows that are prohibited), and whether a given flow is allowed can depend on the history of earlier flows. They analyzed the privacy provisions of the Gramm-Leach-Bliley Act and showed how to translate some of its principles into the formal language.
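The point that a flow's legitimacy can depend on what has already happened is easiest to see in code. The following added Python example is not Barth et al.'s formal language (theirs is a temporal logic) and does not reproduce the statute's wording; it models one simplified, paraphrased GLBA-style rule as an assumption: a bank may send a consumer's nonpublic personal information (NPI) to a nonaffiliated party only if it has previously sent the consumer a privacy notice and the consumer has not opted out. The party names, the AFFILIATES set, the principle strings and the trace are all constructed for the example.

```python
from typing import NamedTuple

# Added example: history-dependent norm checking over a trace of flows.
# Parties, affiliate list and the rule itself are constructed assumptions
# loosely modelled on a GLBA-style notice/opt-out requirement, not the statute.


class Flow(NamedTuple):
    subject: str
    sender: str
    recipient: str
    info_type: str
    principle: str


AFFILIATES = {"bank-insurance-arm"}  # assumed affiliates of "bank"


def notice_given(history: list[Flow], subject: str, institution: str) -> bool:
    """True if the institution has already sent the consumer a privacy notice."""
    return any(f.sender == institution and f.recipient == subject
               and f.info_type == "privacy notice" for f in history)


def opted_out(history: list[Flow], subject: str, institution: str) -> bool:
    """True if the consumer has told the institution not to share."""
    return any(f.sender == subject and f.recipient == institution
               and f.info_type == "opt-out" for f in history)


def governed(flow: Flow) -> bool:
    """Does the notice/opt-out norm apply to this flow at all?"""
    return (flow.info_type == "npi"
            and flow.sender == "bank"
            and flow.recipient != flow.subject
            and flow.recipient not in AFFILIATES)


def violations(trace: list[Flow]) -> list[int]:
    """Indexes of flows in the trace that breach the norm.

    The norm is a positive norm with a past-time condition: each governed
    flow is allowed only if, in the trace *before* it, a notice was given
    and no opt-out has been recorded.  Flows the norm does not govern are
    neither permitted nor prohibited by it.
    """
    bad = []
    for i, flow in enumerate(trace):
        if not governed(flow):
            continue
        history = trace[:i]
        if (not notice_given(history, flow.subject, flow.sender)
                or opted_out(history, flow.subject, flow.sender)):
            bad.append(i)
    return bad


# Constructed trace (not real data): the consumer opens an account, the bank
# shares before and after giving notice, the consumer opts out, the bank
# shares again, then shares with an affiliate.
SAMPLE_TRACE = [
    Flow("alice", "alice", "bank", "npi", "account opening"),                # 0
    Flow("alice", "bank", "marketer", "npi", "nonaffiliated sharing"),       # 1 no notice yet
    Flow("alice", "bank", "alice", "privacy notice", "legal obligation"),    # 2
    Flow("alice", "bank", "marketer", "npi", "nonaffiliated sharing"),       # 3 permitted
    Flow("alice", "alice", "bank", "opt-out", "consumer choice"),            # 4
    Flow("alice", "bank", "marketer", "npi", "nonaffiliated sharing"),       # 5 after opt-out
    Flow("alice", "bank", "bank-insurance-arm", "npi", "affiliate sharing"), # 6 not governed
]


def sample_violations() -> list[int]:
    return violations(SAMPLE_TRACE)


if __name__ == "__main__":
    print(sample_violations())
```

The same flow (bank sends Alice's NPI to the marketer) appears three times in the trace and is judged differently each time, purely on the basis of the flows that precede it. That is what a five-parameter pattern match on its own cannot express and what the temporal component of the 2006 framework adds.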


References

* H. Nissenbaum, ''Privacy in Context: Technology, Policy and the Integrity of Social Life'' (Palo Alto: Stanford University Press, 2010). Spanish translation: ''Privacidad Amenazada: Tecnología, Política y la Integridad de la Vida Social'' (Mexico City: Océano, 2011).
* K. Martin and H. Nissenbaum (2017), "Measuring Privacy: An Empirical Examination of Common Privacy Measures in Context", ''Columbia Science and Technology Law Review'' (forthcoming).
* H. Nissenbaum (2015), "Respecting Context to Protect Privacy: Why Meaning Matters", ''Science and Engineering Ethics'', published online July 12.
* A. Conley, A. Datta, H. Nissenbaum, D. Sharma (Summer 2012), "Sustaining both Privacy and Open Justice in the Transition from Local to Online Access to Court Records: A Multidisciplinary Inquiry", ''Maryland Law Review'', 71:3, 772–847.
* H. Nissenbaum (Fall 2011), "A Contextual Approach to Privacy Online", ''Daedalus'', 140:4, 32–48.
* A. Barth, A. Datta, J. Mitchell, and H. Nissenbaum (May 2006), "Privacy and Contextual Integrity: Framework and Applications", in ''Proceedings of the IEEE Symposium on Security and Privacy''. (Showcased in "The Logic of Privacy", ''The Economist'', January 4, 2007.)