Wednesday, April 1, 2009

Expectation of Privacy

In USA, to take legal actions, the concept of "expectation of privacy" matters. The fourth amendment (1967 I think) lays out criteria for this in order for a plaintiff to demand legal privacy protection:

1. She needs to show that she exhibited an actual "expectation" of privacy. (For example, if she leaves the data in plaintext in some public storage, she obviously has little expectation of privacy. On the other hand, if the data is encrypted, there is some level of expectation of privacy.)
2. The expectation should be one that the society is prepared to recognize as "reasonable". (This reasonableness is a subjective measure. For example, we, as a society, expect our emails to be private. However, this notion of privacy could be used by bad people for their malicious intents. For example, for terrorists to organize an attack. When there is an imminent threat, we need to give priority to societal security over personal privacy. In the interest of national security, one can argue that it is not reasonable to expect our emails are private.)

For example, Facebook (also other social networks) business model involve selling (anonymized) personal information and using it to target advertisements.

An excerpt from the Facebook privacy policy:
"Facebook may use information in your profile without identifying you as an individual to third parties. We do this for purposes such as aggregating how many people in a network like a band or movie and personalizing advertisements and promotions so that we can provide you Facebook. We believe this benefits you. You can know more about the world around you and, where there are advertisements, they're more likely to be interesting to you. For example, if you put a favorite movie in your profile, we might serve you an advertisement highlighting a screening of a similar one in your town. But we don't tell the movie company who you are."

With such statements in their privacy policies, it is questionable if a user can defend the above "expectation of privacy" as we agree to all these policies (with or without knowingly) when we sign up for the service. I am not saying social networks are bad, in fact, I do have a Facebook account and it's a great tool to connect with old colleagues and friends, and stay in touch with them. But, do we need to change our expectation of privacy to that of our service providers (Facebook in this case)? In other words, how can we show (legally) that we demonstrate sufficient expectation of privacy in case it is breached?

Here, you'll find some interesting thoughts by Bruce Schneier on this topic and he argues that "expecation of privacy" is a flawed test.

No comments: