Documente Academic
Documente Profesional
Documente Cultură
and Privacy-EnhancingTechnologies
Herman T. 7hvani James H. Moor
PhilosophyDepartment PhilosophyDepartment
RivierCollege DartmonthCollege
htavani@tivier.edu james.mooi@dartmoudl.edu
The presentstudy is organizedinto two main parts. In Part I, we respondto a to determinefor themselveswhen, how and to what extentinformationabout
recentcriticismthat the restrictedaccesstheoryofprivacydoesnot adequately them is communicated to others." [Westin, 1967p. 7] Arthur Millersays, "...
explainthe role that control of personal information playsin protectingone's the basicattribute of an effectiveright of privacyis the individual'sability to
priva~ In defending a versionof the restrictedaccesstheory,we put forth a control the circulationof information relatingto him..." [Miller, 1971 p. 25]
tripartite model that differentiatesthe concq~tofprivacyfrom both thejustifi- CharlesFriedstates,"Privacyis not simplyair absenceof informationabout us
cation and the management of privacy. This-distinction is important, we in the minds ofothas, rather it is the controlwehaveover information about
argue, becauseit enablesus to avoid conflafingthe concept of privacywhich ourselves."[Fried, 1984 p. 209] More recend~ Dag Elgesemsuggests,"In my
we define in terms of protection from intrusion and information gathering view,to havepersonalprivacyis to havethe abilityto consentto the dissemina-
[Moor 1990; 1997], from the concept of control, which (a) is used to justifi/ tion ofpersonal information." [Elgesem,1996 p. 51]
the flamingofpolitiesthat provideprivacyprrotectionand (b) isessentialto the We believethis traditionofidentififingthe conceptofprivacywith control
managementofptivac~Separatingprivacyfrom controlis necessa~we further is misleading.Control of personal information is extremelyimportant as, of
argue, to preservethe identityofboth notions.Aftershowingwhy the notion course,ispfivaW.But,theseconceptsare more usefidwhen treatedasseparable,
of individual control, as expressedin three differentways-- choice,consent, mutuallysupportingconceptsthan as one. A good theoryofpfivacyhas at least
and correction--plays an important role in the management ofpriva~ we three components: an account of the concept ofpriva~ an account of the
conclude Part I with an account of why individual controls alone are not justificationfor privac~ and an account of the management of privacyThis
sufficient to guarantee the protection nfpersonal privacy and why certain tripartite structure of the theory of privacy is important to keep in mind
externalcontrols,such as thoseprovided by privacypolities,are alsoneeded. because each part of the theory performs a different function. To give an
To illustratesome of the key points made in the firstpart of this essaywe accountofone of the parts isnot to givean accountofthe others. The concept
considerexamplesofptivacy-enhancingtechnologies(or PETs) in Part II. We ofprivacyitselfisbestdefinedin termsof restrictedaccess,not control. [Moor,
argue that even if PETs provideindividualswith a means of controllingtheir 1990; Moor, 1997] Privacyis fundamentallyabout protectionfrom intrusion
personalinformation,thesetoolsdo not necessarilyensureprivacyprotection. and informationgatheringby others. Individualcontrolof personalinforma-
BecamePETs do not provideonline userswith a zone of privacyprotection tion, on the other hand, is part of the justificationofprivacyandplaysa role
that incorporatesexternalcontrols,i.e.,controlsbeyond thoseat the individual in the mauagementofptiwa~ Pfivacyandcontroldo fit togethernaturally;just
level,we condude that the use of PETs can actuallyblur the need for privacy not in the way people often state.
protection, rather than provideit. These philosophicaldistinctionshavepracticalimport. We can havecon-
trol but no pfiva~ and privacybut no control. We should aim to have both
PARTI: THETHEORYOF PRIVACY controland privacy:When we blur the distinctions,we are vulnerableto losing
one ofthem. For example,aswe shallarguelater,providingprivacy-enhancing
In this section,we defend a versionof the restrictedaccesstheory of privacy technologies(PETs)that seemto promote individualccont_olmayactt~dlyblur
[Moor, 1990; 1997] againstrecentattacksthat such a theorydoes not explain the need for strongerprivacyprotection, not provideit.
the important role that one's abilityto control personal information playsin A fimdamentalproblemabout definingthe conceptofprivacyin termsof
protectingpersonalprivacy[Elgesem,1996; 1999].We beginwith a critiqueof individualcontrolof informationis that it greadyreduceswhat can be private.
privacyas understoodmainlyin terms of controloverpersonalinformation. We control so litde. As a practical matter we cannot possibly control vast
amounts ofinformationabout us that circulatesthrough myriadsofcomputer
T h e Role o f C o n t r o l in the Theoryo f Privacy networksand databases.The current globalizafionof theseinformation pro-
In our privateliveswe wish to control information about oursdves. We wish cessesexacerbatesthe problem. If privacydepends by definition on our indi-
to controlinformationthat might be embarrassingor harm us.And, wewishto vidual control, we simply don't have significant privacyand never will in a
control information that might increaseour opportunities and allow us to computerizedworld.
advance our projects. The notion of privacy and the notion of control fit On the contrary, it seems more reasonable to maintain that sensitive
together. But how do they fit together?There is a tradition, especiallywith personalinformation ought to be privateeven if its owner is not in a position
regardto the privacyofinformation,to defineprivacyin termsofcontrol.Alan to control it. A patient should not loseher right to have her medical records
Westinmaintains, "Privacyisthe claimofindividu,~/s,groups, or institutions protectedwhen she is under anesthesia.A residentof the U.S. who is required