Shostack + Friends Blog Archive


Solove’s Understanding Privacy

Dan Solove sent me a review copy of his new book, “Understanding Privacy.” If you work in privacy or data protection either from a technology or policy perspective, you need to read this book and understand Solove’s approach. That’s not to say it’s perfect or complete, but I think it’s an important intellectual step forward, and perhaps a practical one as well.

I’m going to walk through the chapters, and then bring up some of my responses and the reasons I’m being guarded.

Chapter 1 is “Privacy: A Concept in Disarray.” It lays out how broad and complex a topic privacy is, and some of the struggles that people have in defining and approaching it as a legal or social science concept. Chapter 2, “Theories of Privacy and Their Shortcomings” lays out, as the title implies, prior theories of privacy. Having thus set the stage, chapter 3 “Reconstructing Privacy” is where the book transitions from a review of what’s come before to new analysis. Solove uses Wittgenstein’s concept of ‘family resemblances’ as a way of approaching the ways people use the word. Privacy (as I’ve commented) has many meanings. You can’t simplify it into, say, identity theft. Solove uses family resemblances to say that they’re all related, even if they have very different personalities. Chapter 4, “The Value of Privacy” points out that one of the reasons we’re losing privacy is that it’s often portrayed as an individual right, based on hiding something. In policy fights, society tends to trump individualism. (Which is one reason the Bill of Rights in the US protects the individual.) Rather than calling for better protection of the individual, this chapter explores the many social values which privacy supports, bringing it closer to equal footing, and providing a policy basis for the defense and enhancement of privacy because it makes us all better off.

Chapter 5, “A Taxonomy of Privacy” is the core of the book. The taxonomy is rich. Solove devotes seventy pages to expounding on the harms done in not respecting privacy, and discussing a balance between societal interests of privacy and the reason for the invasion. In brief, the taxonomy is currently:

  1. Information Collection: Surveillance, Interrogation
  2. Information Processing: Aggregation, Identification, Insecurity, Secondary Use, Exclusion
  3. Information Dissemination: Breach of confidentiality, Disclosure, Exposure, Increased Accessibility, Blackmail, Appropriation, Distortion
  4. Invasion: Intrusion, Decisional Interference.

I’ve tried to apply this taxonomy to issues. For example, when I wrote “Call Centers Will Get More Annoying,” I used the taxonomy, although not the words. There’s surveillance, secondary use, increased accessibility and (what feels like a form of) intrusion. What the taxonomy doesn’t do is capture or predict my outrage. I think that that’s an important weakness, but it may well be asking too much. Solove’s goals of a societal balance don’t admit my outrage as a key factor. They can’t. Outrage is too individual.

I’m also concerned that perhaps this isn’t a taxonomy. If you read the old posts in my taxonomies category, you’ll see that I spent a bunch of time digging fairly deeply into what taxonomies are, how they come about, how they’re used and abused. I don’t think that Solove’s taxonomy really fits into the core of a taxonomy: a deterministic way to classify things which we find, which various practitioners can reliably use. As in my example of the call centers, the flaws are legion, and some of my classification may be wrong.

At Microsoft, we use STRIDE as a “taxonomy” of security issues (STRIDE is Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege). I think, as a taxonomy, STRIDE is lousy. If you know about an issue, it’s hard to classify using STRIDE. The categories overlap. On the other hand, it’s very useful as an evocation of issues that you might worry about, and the same may be said of Solove’s taxonomy. I also don’t have a superior replacement on hand, and so I use it and teach it. Taxonomy-ness is not next to godliness.

My other issue with Solove’s taxonomy is that it doesn’t recognize the issuance of identifiers, in and of itself, as a privacy issue. I believe that, even before the abuses start, there are foreseeable issues that arise from issuing identification numbers to people, like the Social Security Number. The act of enumeration was clearly seen as an invasion by Englishmen who named the Doomsday book. The ability of the US government to even take a census is tied directly to the specified purpose of allocating legislative seats. I see it as self-evident, and haven’t been able to find the arguments to convince Solove. (Solove and I have discussed this in email now and then; I haven’t convinced him [that identifiers are, per se, a privacy harm].)

Chapter 6, “Privacy: A New Understanding” closes the book with a summation and a brief discussion of the future.

The book has a strong policy focus. I am very interested in understanding how this new understanding intersects both broad laws and legal principles (such as the Fair Information Practices) and specific law (for example, HIPAA). The FIP, the OECD privacy statements, and Canada’s PIPED act all show up in the discussion of secondary use. I’m also interested in knowing if an organization could practically adopt it as a basis for building products and services with good privacy. I think there’s very interesting follow-on work in both of these areas for someone to pick up.

I also worry that privacy as individual right is important. Even though Solove makes a convincing case that that’s a weaker policy basis than the one he lays out, that doesn’t mean it’s not to be cherished as a social value, and I feel that the view of privacy which Solove presents is weaker to the extent that it fails to embrace this.

In closing, there are three major elements to the book: the first is to take us past the definitional games of “what is privacy.” The second is a serious attempt to address the “what do you have to hide” approach to privacy. The third is the taxonomy. Two of these would have been a pretty good book. Three are impressive, even as I disagree with parts of it. Again, this is an important book and worth reading if you work in or around privacy.

[Edited to own up to having written “divisional interference”, rather than “decisional interference.”]

4 comments on "Solove’s Understanding Privacy"

  • Craig Heath says:

    > The act of enumeration was clearly seen as an invasion by Englishmen who named the Doomsday book.

    It’s the “Domesday” book, and I don’t think the word necessarily had a negative connotation then; it just means “day of reckoning” (as in Judgment Day) and if you’ve been pure and good you have nothing to fear, do you? 😉

  • I’m assuming was based on his excellent Penn law review article “A Taxonomy of Privacy” (2006) (freely here:
    For your loyal readers with a few too many volumes in their stack, is there enough new meat in the book? The Wittgenstein argument is familiar to Solove fans, but the Value of Privacy chapter sounds very interesting, particularly from a policy framing perspective.

  • Tony Higgins says:

    While I agree with your concerns that “issuance” may not be adequately addressed in the taxonomy (I’d likely put it in the first group), there’s another omission that concerns me – correlation. Aggregation (in and of itself) has some impact on privacy, but to my mind a more significant threat occurs as data about oneself is correlated with that other data. Maybe a new element for the “processing” section…

    BTW, the term aggregation itself can be a bit misleading, since aggregation of collective data results in greater anonymity, and aggregation of data about a singular identity results in reduced privacy.

    Thanks for the very helpful review.

  • Adam — Thanks for the very thoughtful review of my book.
    Regarding your argument about identifiers, my point is that there isn’t an inherent problem with giving people an identifying number. If there are foreseeable abuses, then I recognize a problem. The argument I reject is that identifying a person is per se an affront to that person’s dignity. Your arguments about the problems of identifiers are all ones I can agree with, because they stem from the way identifiers are used, not with something inherently wrong with identification itself.
    You also suggest that I’m rejecting an understanding of privacy as an individual right in favor of a social value account, but that’s only partially the case. I contend in the book that individual rights can be understood in social terms: “Privacy protects aspects of individuality that have a high social value; it protects individuals not merely for their sake but for the sake of society.” (p. 92). I contend that individual rights are important but should be valued in terms of how they help society. So I’m not rejecting privacy as an individual right, I’m just trying to recast it in a different way by articulating the instrumental value of individual rights for society.
    Allan — The book is indeed an expansion of the “Taxonomy of Privacy” article. Although I haven’t changed the framework of the taxonomy, and the Wittgenstein argument is also from earlier work, there’s quite a lot in the book that is new. The chapter with the Wittgenstein argument is largely new, and it justifies my approach to understanding privacy and it explores pitfalls with some other approaches. For example, I examine why looking at the nature of the information or to reasonable expectations of privacy are both flawed approaches. I also discuss how we can grapple with the great variability in attitudes and beliefs about privacy across cultures and throughout history. I discuss how we can create a nuanced and contextual account of privacy but also one that is general enough to provide sufficient guidance about addressing privacy problems. Chapter 4, which explores the value of privacy, is new. Chapter 5, which incorporates the “Taxonomy” article is updated to show how many of the problems I identify are recognized in other countries. I have a lot more examples in this chapter than I do in the article. I’ve supplemented it with some new cases as well. Chapter 6 is new, and it explores ways in which we can understand privacy harms and how the taxonomy can be applied. The article never attempted to apply the taxonomy. In the book, I have an extensive discussion of how it would work as applied to several cases and issues. Finally, I demonstrate how my taxonomy responds to arguments that conceptions of privacy are too culturally diverse to find much common ground. In particular, I respond to James Whitman’s piece that explores the divide between US and European conceptions of privacy.
