William T. Bonner
In this paper I argue that, with respect to privacy, actions taken with new ICTs have taken us backwards. Each time questions of privacy emerge around uses made of new ICTs attention tends to be reactive, focusing on the specific context in which the question arose and with that focus a very limited conception of privacy is considered. Cycles of reactions to uses made of new ICTs compounds this further, relegating privacy as a broad concept to the sidelines as actors jockey for position on the actual substance of rules created for the narrow conception of privacy defined in each specific context. With rules created the focus shifts to interpreting the rules with two consequences. First, experts around those rules emerge, those that speak for the rules, and as their voices increase the question of privacy broadly and ethics specifically are displaced. Second and related, the rules originally set out as minimal expectations for behavior become the maximum target for experts interpreting the rules. In this paper I focus on fair information principles (FIP) as one instance where rules displace ethics and that rules, once created, are minimally interpreted to further narrow the concept of privacy.
These observations have emerged from ongoing research, starting with a puzzle around how privacy was so easily defeated in a specific instance involving the sale of citizen information by the government of Alberta, Canada. The argument in favour of the continued sale of this personal information was examined in depth employing Actor-Network Theory (ANT) and found to lack substance but it carried the day anyway (Bonner, Chiasson, Gopal, 2009). This finding led to parallel another ANT investigation into the substance of privacy’s representative in this enactment of balance, fair information principles (FIP). FIP were created as a reaction to concerns about the modern computer that arose in the 1970s and 1980s and they focus on the thing that computers process, data (Bonner, Chiasson 2007). With FIP in place the focus in this balancing act shifted to interpreting the rules. Since FIP did not prohibit the sale of this personal information it was interpreted to be permissible. In effect, the minimum requirements of the rules become the maximum action taken. Questions of ethics and propriety had no place in this world view.
Subsequent research on the sale of student information by the Calgary Board of Education (CBE) in Alberta, to a company in California in exchange for hosted email services, revealed another instance where rules become the focus and expert interpretation of those rules resulted in the minimum becoming the maximum. The Office of the Information and Privacy Commissioner (OIPC) of Alberta ruled that the exchange of student information for services and potential revenue was unacceptable and must cease (Office of the Information and Privacy Commissioner of Alberta, 2002). On the question of whether the CBE should disclose personal student information to outside organizations at all the OIPC ruled that if the CBE decided that the use of the information was necessary to carry out its educational mission, then the CBE was free to disclose this information and no parental permission was necessary. In interpreting this ruling the CBE has decided that since parental permission is not required it is not necessary for the CBE to advise parents that personal student information is being released to outsiders at all.
That is now CBE policy (Bonner 2007). Nothing prohibits the CBE from letting students and parents know what information is being released to outsiders, but the official rule is that it is not necessary and the minimum necessary has become the maximum done. It could have been otherwise but it is not.
It is this notion that it could have been otherwise and is not that bears examination as my own ongoing research is making it clear that it is not the innovation that limits the concept of privacy employed but rather a focus on the context in which it is employed. This is reflected in the field of MIS as we tend to focus on the artefact of our field, the computer and that which it processes – data. An assumption arising from that focus on context is that FIP can be employed as privacy’s representative (Smith, Milberg and Burke 1996, Liu, Marchewka, Lu and Yu 2005). At times FIP are granted the status of an ethical standard (Culnan, 1993, Culnan and Armstrong 1999). This something FIP cannot be. FIP are a narrow set of principles focused on data that have to be interpreted and enacted in specific settings. In the two examples provided (government sale of citizen information and the CBE sale of student information) it was FIP in practice that produced those results; an interpretation of rules that were created based on FIP.
I see this pattern of a focus on context within MIS research repeating with what I see as an emerging branch of “privacy” research that focuses exclusively on online activities as though privacy online is separable from privacy offline (Awad and Krishnan 2006; Liu, Marchewka, Lu and Yu 2005; Malhotra, Kim and Agarwal (2004). My concern here is reflected in a comment by Hinduja (2004), “What is appropriate in business ethics offline should be seamlessly transferred to the online milieu, and persons should not need to reassess their perceptions of the practice of corporations simply because of the change of context” (Hinduja 2004). What makes this statement stand out is that it starts from the premise that privacy and ethics transcend context; it is the concept and not the context that is important.
We in the field of MIS/CIS are implicated in this focus on context, as noted. This focus defines the concept of privacy ahistorically and so narrowly that questions of ethics have no place to appear. If we want to keep the question of ethics visible we have to critique the narrow constitution of rules that have emerged, the narrow conception of privacy embedded in them and show how it could have been and still could be otherwise.
Awad, N.F., & Krishnan, M.S. (2006). The personalization privacy paradox: An empirical evaluation of information transparency and the willingness to be profiled online for personalization, MIS Quarterly, 30(1), 13-18.
Bonner, W.T. (2007) Locating a Space for Ethics to Appear in Decision-making: Privacy as an Exemplar, Journal of Business Ethics, 70(3), 221-234.
Bonner, W.T., Chiasson, M. (2005). If fair information principles are the answer, what was the question? An actor-network theory investigation of the modern constitution of privacy, Information and Organization, 15(4), 267-293.
Bonner, B., Chiasson, M., Gopal, A, (2009). Restoring balance: How history tilts the scales against privacy. An Actor-Network Theory investigation, Information and Organization, (19, 2), 84-102
Culnan, M. J. (1993). ‘How did they get my name?’ An exploratory investigation of consumer attitudes toward secondary information use, MIS Quarterly, 17(3), 341-363.
Culnan, M. J., & Armstrong, P. K. (1999). Information privacy concerns, procedural fairness, and impersonal trust: An empirical investigation, Organization Science, 10(1), 104-115.
Hinduja, S. (2004). Theory and policy in online privacy, Knowledge, Technology and Policy, 17(1), 38-58
Liu, C., Marchewka, J.T., Lu, J., & Yu, Chun-Sheng, (2005). Beyond concern – a privacy-trust-behavioral intention model of electronic commerce, Information & Management, 42(2), 289-304.
Malhorta, N.K., Kim. S.S., & Agarwal, J. (2004). Internet users’ information privacy concerns (IUIPC): The construct, the scale, and a causal model, Information Systems Research, 15(4), 336-355.
Office of the Information and Privacy Commissioner of Alberta: 2002, ‘Order 2001–038’, Edmonton Alberta, September 23, 2002.
Smith, H. J., Milberg, S. J., & Burke, S. J. (1996). Information privacy: Measuring individual concerns about organizational practices, MIS Quarterly, 20(2), 167-196.