Unpacking Privacy for a Networked World
Leysia Palen Paul Dourish
Department of Computer Science School of Information & Computer Science
University of Colorado, Boulder University of California, Irvine
Boulder, CO 80309 Irvine, CA 92697
abqmaw@r.postjobfree.com abqmaw@r.postjobfree.com
we have few tools for understanding exactly what those
ABSTRACT
issues are. Privacy regulation is complicated, and has a
Although privacy is broadly recognized as a dominant
range of functions, from maintaining comfortable personal
concern f or t he d evelopment o f n ovel i nteractive
spaces to protecting personal data f rom surreptitious
technologies, our ability to reason analytically about
capture. Both social and design studies of technology
privacy in real settings is limited. A lack of conceptual
often u nknowingly c onflate t hese f unctions, and
interpretive frameworks makes it difficult t o unpack
consequently fail to provide satisfying analytical treatment.
interrelated privacy issues in settings where information
technology is also present. Building on theory developed We hope to provide researchers and practitioners with a
by social psychologist Irwin Altman, we outline a model better understanding of privacy by unpacking the concept
of privacy as a dynamic, dialectic process. We discuss three so that more specific statements can be made vis- -vis
tensions that govern interpersonal privacy management in technology. W e d o t his b y b uilding u pon p rivacy
everyday life, and use these to explore select technology regulation theory developed by social psychologist Irwin
case studies drawn from the research literature. These Altman [6, 7]. Altman is primarily concerned with how
suggest new ways for thinking about privacy in socio- people manage face-to-face interactions; we extend it to
technical environments as a practical matter. consider the lessons for information technology analysis
and design. We then apply these concepts in case analyses.
Keywords
Privacy, s urveillance, m onitoring, a ccess regulation, While traditional approaches understand privacy as a state
boundary management, disclosure, social psychology of social withdrawal, Altman instead sees it as a dialectic
and d ynamic boundary regulation p rocess [ 6]. A s a
INTRODUCTION
dialectic process, privacy regulation is conditioned by our
In an increasingly networked world, privacy protection i s own expectations and experiences, and by those of others
an e ver-present c oncern. N ew t echnologies a nd with whom we interact. As a dynamic process, privacy i s
infrastructures, f rom p ervasive I nternet t o m obile understood t o b e u nder c ontinuous n egotiation and
computing, are being rapidly introduced and woven into management, with the boundary that distinguishes privacy
the fabric of daily life; devices and information appliances, and publicity refined according to circumstance. Privacy
from electronic picture frames to digital video recorders, management is a process of give and take between and
carry with them new possibilities for information access, among technical and social entities from individuals to
and s o f or p rivacy m anagement. Human-Computer groups to institutions in ever-present and natural tension
Interaction (HCI) researchers have long acknowledged the with the simultaneous need for publicity. Our central
implications their designs have for personal privacy. concern is with how this process i s conducted i n the
Indeed, the synergy between the technologists and social presence of information technology.
scientists who belong to that community, and the related
computer-supported cooperative work (CSCW) community Common C oncerns
in p articular, h as l ed t o m utual a ppreciation o f t he Technology and personal information is haunted by the
interdependent r elationship b etween t echnology and specter of Big Brother, with its implications of invasive
and subversive action.1 W hen p rivacy i s discussed
situations of use. This, in turn, has heightened awareness
of the privacy concerns that novel technologies introduce. abstractly, concerns about surveillance and personal identity
theft are among the most prominent. Certainly, these are
However, despite broad concern, there have been few
important and pressing concerns. However, in studies of
analytic or systematic attempts to help us better understand
the relationship between privacy a nd technology. We
recognize when our systems introduce privacy issues, but 1
The idea of Big Brother, drawn from Orwell s dystopian vision in
1984, is often used to refer to the idea of pervasive monitoring and
recording of activity, often by some central authority. Two things a re
Permission to make digital or hard copies of all or part of this work f or important to note, however. First, in 1 984, the actual threat is o f
personal or classroom use is granted without fee provided that copies potential monitoring; there was of course no way of knowing whether
are not made or distributed for profit or commercial advantage and that you were being watched at any moment [22:6]. This is also true o f
copies bear this notice and the full citation on the first page. To copy Bentham s Panopticon, a metaphor Foucault and others have used.
Second, the threat lies in the culture of pervasive mutual monitoring,
otherwise, or republish, to post on servers or to redistribute to lists,
rather than centralized surveillance; Winston Smith s friend Parsons is
requires prior specific permission and/or a fee.
proud to be turned in not by his telescreen but by his children.
CHI 2003, April 5 10, 2003, Ft. Lauderdale, Florida, USA.
Copyright 2003 ACM 1-58113-630-7/03/0004 $5.00.
information technology in mundane and pervasive activity particular attention to the institutional norms that govern
like video conferencing, shared calendar management and forms of participation and control.
instant messaging communications, concerns most salient Agre [2, 3, 4, 5] has written extensively on privacy
to users include minimizing embarrassment, protecting turf concerns and new technologies. I n particular, h e has
(territoriality) a nd s taying i n c ontrol o f o ne s time. critically examined technical discourse surrounding privacy
Although Big Brother actions may threaten life and liberty, and information technology, in an effort to uncover the
it is interpersonal privacy matters that figure primarily in assumptions and analytic approaches at work (e.g. [2, 3]).
decisions about technology use on an everyday basis. He has advocated an institutional approach t hat casts
Our most familiar ways of managing privacy depend privacy as an issue not simply of individual needs and
fundamentally on features of the spatial world and of the specific technologies, but one that arises from recurrent
built environment, whether that be the inaudibility of patterns of social roles and relationships [5].
conversation at a distance, or our inability to see through Technology may be able to help as well as hinder. Writing
closed doors. We can a lso rely o n others t o honor in t he c ontext o f t he W 3C s P latform f or Privacy
behavioral norms around physical touch, eye contact, Preferences [26], Ackerman and Cranor [1] propose privacy
maintenance of interpersonal space, and so on [6]. critics agents that will provide users with feedback on the
With information technology, our ability to rely on these potential privacy implications of their action. Similarly,
same physical, psychological and social mechanisms for Dourish and Redmiles [13] propose an architecture for
regulating privacy is changed and often reduced. In virtual enhancing user understandings of the security implications
settings created by information technologies, audiences are of their actions on networked computer systems.
no longer circumscribed by physical space; they can be Notwithstanding these investigations, the general state of
large, unknown and distant. Additionally, the recordability understanding privacy concerns is limited in our fields of
and subsequent persistence of information, especially that research and design. We feel that our goal to better
which was once ephemeral, means that audiences can exist understand and describe the role of information technology
not o nly i n t he p resent, b ut i n t he future a s well. in privacy management is best met b y returning to
Furthermore, i nformation t echnology c an create privacy theory that predates digital technologies.
intersections of multiple physical and virtual spaces, each
Debates over privacy are not new, and did not arrive with
with potentially differing behavioral requirements. Finally,
information technology. The history of privacy is long and
in such settings, our existence is understood through
intricate, involving a wide range of concerns including
representations of the information we contribute explicitly
social and legislative practice, cultural adaptation, and even
and implicitly, within and without our direct control.
urban and domestic architecture. A fuller treatment of
These concepts of d isclosure, i dentity and the shifting
privacy and technology merits a deeper examination of this
expressions and implications of these in time are central to
background. H owever, w e r ely h ere o n Altman s
our analysis, and we will return to them later in the paper.
contemporary model of privacy and privacy regulation,
Information technology has shifted and complicated privacy
which emerged from this long history.
regulation p ractices b y c reating n umerous possible
consequences from our computer-mediated interactions. ALTMAN S P RIVACY T HEORY
Altman s f undamental o bservation i s t hat privacy
Related R esearch
regulation is neither static nor rule-based. We know that
Our treatment builds upon the work of those who have
setting explicit parameters and then requiring people to live
walked this path before. A number of HCI researchers have
by them simply does not work, and yet this is often what
turned their attention t o privacy concerns i n modern
information technology requires, from filesystems to email
information environments. In the domain of ubiquitous
filters to databases to cell phones. Instead, a fine and
computing, Bellotti a nd Sellen [8] reflected o n user
shifting line between privacy and publicity exists, and i s
experiences i n a p ervasive d igital environment that
dependent on social context, intention, and the fine-grained
combined computer, audio and video networking with
coordination between action and the disclosure of that
individual t racking a nd c ontrol t echnologies. They
action [6, 7].
identified common problems that arise when the site of
someone s activity and the site of its effect are separated, as Privacy a s P rocess
can often happen i n these environments. Grudin has Altman conceptualizes privacy as the selective control of
suggested that threats t o privacy as a result of these access to the self regulated as dialectic and dynamic
technologies might be more fundamentally explained as the processes t hat i nclude m ultimechanistic optimizing
steady erosion of clearly situated action, and that our behaviors [7: 67].
control over how disclosed information is interpreted in
Altman describes privacy s dialectic and dynamic nature by
different contexts and times is diminished or absent [18].
departing from the traditional notion of privacy as a
Dourish [12] also investigated questions of privacy that
withdrawal process where people are to be avoided. Instead,
arose in a range of media space environments [9] and
Altman conceptualizes privacy as a boundary regulation
pointed in particular to the organizational situatedness of
process where people optimize their accessibility along a
appropriate solutions. Clement [11] broadly explored the
spectrum of openness and closedness depending on
privacy concerns raised by these technologies, paying
context. Privacy is not monotonic, that is, more privacy i s
n ot n ecessarily b etter. I ndeed, b oth crowding a nd We begin by describing three boundaries that we believe are
isolation are the result of privacy regulation gone wrong. central to the characterization of privacy management. One
Privacy states are relative to what is desired and what i s is the Disclosure boundary, where privacy and publicity are
achieved; one can be in the presence of others but feel in tension. At this boundary, determinations are made
isolated or crowded depending on the degree of sociability about what information might be disclosed under what
sought. The goal of privacy regulation is to modify and circumstances, albeit with varying degrees of direct control.
optimize behaviors for the situation to achieve the desired The display and maintenance of Identity of parties on both
state along the spectrum of openness and closedness. To sides o f t he i nformation e xchange o ccurs a t another
that e nd, p eople e mploy a n etwork o f behavioral boundary. Features o f identity, including institutional
mechanisms, which include affiliation, a re m anaged i n t ension w ith audience.
Temporality describes the boundaries associated with time,
verbal a nd p araverbal b ehaviors s uch a s p ersonal
that is, where past, present and future interpretations of and
space and territoriality, and culturally defined styles o f
responding. Thus privacy regulation includes much more actions upon disclosed information are in tension.
than just the physical environment in the management of
Furthermore, the objectives that determine where each of
social i nteraction. F urthermore, t hese b ehavioral
these boundaries lies are in tension with each other.
mechanisms operate as a system. As such, they i nclude
properties of interdependence and of compensatory a nd Actions around information disclosure are tempered by
substitutable action. That is, a person may use d ifferent possibilities about what might happen in the future, or how
mixes of behaviors to achieve a desired level of privacy,
the information might be judged as an artifact of the past.
depending upon circumstances. Or different people a nd
Actions around disclosure are balanced with how one wants
cultures m ay h ave u nique b lends o f m echanisms t o
regulate privacy. [7: 67-68] to present oneself, or by knowledge of who might consume
and re-use disclosed information, and so forth.
Caveats a nd E laborations
Altman s theory is foundational, but has limitations for our The D isclosure B oundary: P rivacy a nd P ublicity
purposes. He is concerned with the management of personal As Altman theorizes, privacy regulation in practice is not
access in public spaces and other forms of interpersonal simply a m atter o f a voiding information disclosure.
interaction; his attention is devoted primarily to situations Participation in the social world also requires selective
where a ccess i s m ediated b y t he everyday spatial disclosure of personal information. Not only do we take
environment. Information technology and the everyday pains to retain certain information as private, we also
environment mediate action in different ways [16]. choose to explicitly disclose or publicize information about
ourselves, our opinions and our activities, as means of
Additionally, while Altman analyzes cultural differences,
declaring allegiance or even of differentiating ourselves
we attempt only to address conditions of circumstance,
from others (another kind of privacy regulation). Bumper
which we define to be a function o f local physical
stickers, designer clothing, and letters to the editor
environment, audience, social status, task or objective,
deliberately disclose information about who we are. We sit
motivation a nd i ntention, a nd f inally, information
in sidewalk cafes to see and be seen. We seek to maintain
technologies in use. Technologies and the forms of their
not just a personal life, but also a public face. Managing
use set conditions, constraints, and expectations for the
privacy means paying attention to both of these desires.
information disclosures that they enable or limit. We view
information technology not simply as an instrument by Furthermore, m aintaining a d egree o f p rivacy, or
which privacy concerns are reflected, achieved, or disrupted; closedness [6], will often require disclosure of personal
rather, it is part of the circumstance within which those information or whereabouts. The choice t o walk down
concerns are formulated and interpreted. public streets rather than darkened back alleys is a means of
protecting personal safety by living publicly, of finding
PRIVACY I N A N ETWORKED W ORLD
safety in numbers. We all have thoughts or facts we would
Privacy m anagement i s n ot a bout s etting r ules and
like to keep secret, but most of us also need to ensure that
enforcing them; rather, it is the continual management of
others know something about ourselves, for personal or
boundaries between different spheres of action and degrees
professional r easons. F or s ome, t his management of
of disclosure w ithin those spheres. Boundaries move
personal and public realms is analogous to the job of a
dynamically as the context changes. These boundaries
public relations agent who needs t o make their client
reflect tensions between conflicting goals; boundaries occur
available and known in the world, while at the same time
at points of balance and resolution.
protecting them from the consequences of existing in this
The significance of information technology in this view very public sphere. Celebrities operate in this space, but so
lies in its ability to disrupt or destabilize the regulation of do many lesser-known people: academics, for example,
boundaries. Information technology plays multiple roles. It often feel compelled to maintain web pages, not only to
can form part of the context in which the process of advertise their expertise and experience, but also to keep
boundary m aintenance i s c onducted; t ransform t he requests for papers and other inquiries at bay. Therefore,
boundaries; be a means of managing boundaries; mediate one of the roles of disclosure can ironically be to l imit,
representations of action across boundaries; and so forth. rather than increase, accessibility. Views of privacy that
However, to better understand the role of technology, equate disclosure with accessibility fail to appreciate this
additional precision about these boundaries is needed. necessary balance between privacy and publicity.
Active participation in the networked w orld requires The tension between self and other is also problematized by
disclosure of information simply to be a part of it. To the phenomenon of recipient design the way that one s
purchase goods, we make ourselves visible in public space; actions and utterances are designed with respect to specific
in exchange for the convenience of shopping on-line, we others. That is, not only is self constructed with respect
choose t o d isclose personal i dentity information for to a set of social arrangements, but other is not entirely
transactional purposes. In so doing, we assume some risk undifferentiated at different t imes, different others
of identity theft, although we might mitigate risk by (professional colleagues, students, fellow bus riders, or
shopping only at well-known web sites. whatever) can be distinguished from each other and will be
treated differently. So, for example, when technology
However, problems emerge when participation i n the
advocates argue that security cameras mounted in civic
networked world is not deliberate, or when the bounds of
spaces offer no threat to individual privacy because one s
identity definition are not within one s total control. A
actions are already public, they fail to take into account
Google search, for example, can reveal a good deal of
that public is a broadly faceted concept, and that denying
information about a person, including the artifacts and
the ability to discern who might be able to see one s action
traces of past action, which may have been concordant with
can, in itself, constitute a violation of personal privacy.
self-perception at a particular time such as postings to
Usenet but not in later years. Information can also come Our reflexive interpretability of action one s own ability
from other, third-party sources, including public record data to understand a nd anticipate h ow one s actions (and
that was never as easily accessible as the web makes i t information, d emeanor, e tc.) a ppear t o others is
today, such as the price paid for homes. Even friends might sometimes c ompromised i n i nformation technology
benevolently post photographs from a recent party that one supported environment and has repercussions for privacy
would not post on one s own (for any number of reasons, management. Assessing the efficacy of strategies for
including revealing behavioral as well as location-in-time withholding or disclosing information is inescapably based
information). When one s name is unique and therefore on this reflexive interpretation. To withhold information,
easily searchable, these concerns about public presentation one needs to know from whom it is to be withheld and
of the self are magnified. One might even take deliberate how that can be done, which requires an understanding of
action to formulate a public persona under these conditions how our actions will be available or interpretable to others.
by way of a personal web page, if only to mitigate or put The fundamental problem of technology i n interaction,
in balance the perceptions one might gather from other then, is m ediation . In the everyday world, we experience
sources. As these examples show, the tension around relatively u nfettered a ccess t o e ach o ther, w hile i n
privacy a nd p ublicity i s i nfluenced b y i dentity and technological settings our mutual access is mediated by
temporal concerns, which we now address in turn. some technology that interposes itself, be that telephone,
email or other computer system. Rather t han interact
The I dentity B oundary: S elf a nd O ther
directly with another person, we interact with and make
The second tension central to privacy management is that
assessments from a representation that acts i n proxy.
which occurs around the Identity boundary; that is, the
However, in technologically-mediated environments, these
boundary between self and other. On first reflection, such a
representations are often impoverished, and indictors of the
boundary might seem counter-intuitive or even nonsensical.
boundary between privacy and publicity are unclear. We
Conventional formulations of privacy problems focus on
implicitly and constantly seek to understand how others
the individual, and the boundaries of the individual would
want to be perceived along many dimensions, including
seem to be stably defined by the spatial extent of the body.
their d egree o f a vailability a nd a ccessibility, b ut
However, when we look at privacy as a social phenomenon,
interactions can go awry when what is conveyed through
this simple formulation becomes inadequate.
the technological mediation is n ot what i s intended.
Affiliation and allegiance are complicating factors. The Privacy violations, then, can occur when regulatory forces
individualistic p erspective a ssumes t hat p eople act are o ut o f b alance b ecause i ntent i s n ot adequately
primarily as individuals, which fails to take into account communicated nor understood.
when people act as representatives or members of broader
Information p ersistence a s a r esult o f technological
social groups, as they often do. Social or professional
mediation further complicates regulation of the self/non-self
affiliations set expectations that must be incorporated into
boundary, a nd t o w hat d egree a p erson f eels t hat
individual behavior, which is why disclaimers about
information can act as proxy to the self. Explicit products
corporate liability in email signatures exist, or even why
of work or activity such as manuscripts posted to a web
employees are discouraged or barred from using corporate
page, o r U senet p ostings t hat w e n ow k now are
email address to post to public forums. Furthermore,
archived can be used to construct and control how we
adopting a particular set of attitudes towards appropriate
want to be perceived. In comparison, we have very little
information disclosure can even serve as a means of
control over representations of ourselves that are artifacts of
marking status or affiliation. ( Client confidentiality is a
simply having been somewhere or done something at a
marker of professional status for physicians and lawyers but
particular time such as visiting a cookie-enabled web
not p lumbers.) I n o ther w ords, t he i nclusiveness or
page, or as being l isted a s a member o f a n email
exclusiveness implied by self and other i s continually
distribution list. How this kind information is interpreted
enacted in and through one s actions in the world.
is largely in the control of recipients. Those interpretations
subsequently vary in time, yielding even less direct control personal privacy; rather it destabilizes the delicate and
by the person for whom the information represents. complex web of regulatory practices.
Temporal B oundaries: P ast, P resent a nd F uture GENRES O F D ISCLOSURE
Altman s v iew o f t he d ialectic n ature o f privacy When considering these three tensions, it is important to
management is perhaps most obviously seen in the tension bear in mind that they are not resolved independently; all
between past and future. The critical observation here i s three are part of the same, ongoing process of privacy
that specific instances of information disclosure are not management and regulation. At any given moment, the
isolated from each other; they occur as the outcome of a balance between self and other, privacy and publicity, and
sequence of historical actions, and as the first of many past and future must have a single coherent and coordinated
expected actions stretching out into the future. The exercise resolution. As a unifying principle, we use the term genres
of control, or the active management of privacy as the of d isclosure to h ighlight t hese socially-constructed
outcome of some decision-making process, needs to be patterns of privacy management. Using this term draws
seen in the context of this temporal sequence. attention to the ways in which privacy management in
everyday life involves combinations of social and technical
Past actions are a backdrop against which current actions
arrangements that reflect, reproduce and engender social
are p layed. O ur response t o s ituations o f potential
expectations, guide t he interpretability o f action, and
information disclosure in the present are likely to draw
evolve as both technologies and social practices change.
upon or react to similar responses in the past, both those of
Evolution occurs as the possibilities and consequences of
our own and those of others. This is not to say, of course,
particular technological arrangements should gradually be
that we blindly act in the same way every time a situation
incorporated into practice. Integrating and resolving the
recurs; if this were true, than privacy regulation would not
various tensions, these regularly reproduced arrangements
be the dynamic process we have attempted to illustrate
of people, technology and practice that yield identifiable
here. Patterns, conventions, and genres of disclosure (see
and socially meaningful styles of interaction, information,
below) are made to be broken; conventions can be invoked
etc., are what we refer to as genres of disclosure.
by breaching as well as by following them. The relevance
of future context is part of this same, continuous process; Our use of the term genre is deliberately suggestive of the
we orient not only to immediate circumstances but also to work of researchers such as Yates and Orlikowski [27] and
potential future situations. Current actions may be a means Erickson [15]. The important feature of their work is that
to affect future situations (as in our point above about they adopt a socially-constructed notion of genre, defined
academic web pages, where current disclosure is used to not simply by the structural properties of particular forms
limit future accessibility.) of communication, but by the social patterns of expectation
and response that genres embody. Genres are encounters
So, while past and future interpretations of information
between representational forms and social practice. Privacy
disclosure are out of our control, the way in which current
and technology is not least a matter of representation (of
privacy management is oriented towards events in the past
people and their actions), and the relevance of genre i s
or future is a matter of active control and management. Our
precisely i n h ow i t s ets e xpectations a round these
response to situations of disclosure, or our interpretation of
representations, integrating them i nto recurrent social
information we encounter, i s framed a nd interpreted
practices. For example, Erickson [14] cites the example of a
according to these other events and expectations. We
graduate student s reflections on a personal web page as a
negotiate boundary locations as we act in the world.
tool of self-expression and as a professional badge of entry
Technology s ability to easily distribute information and into the job market; the issues of interpretation and the
make ephemeral information persistent affects the temporal identification o f t he information a s f itting i nto a
nature of disclosure. In our view, such ability is seen not as commonly-understood pattern of communication was a
a fundamental blow to regulatory control, but rather as part central issue. Similarly, investigations of personal web
of t he o ngoing m anagement o f t ensions i n which pages have pointed to the importance of particular styles
information permanence may play as much of a role as and interpretations of the information [10]. Personal web
impermanence. T he r elevance o f p ermanence and pages are clearly bound up with issues of disclosure; the
impermanence likes in the ways they constrain, undermine, idea of genres of disclosure extends this to other forms of
or modify regulatory behavior. Because future uses of interaction and potential information disclosure, from our
information cannot always be controlled, the nature or expectations over the monitoring of our movements in
format of information might instead be governed. For public s paces t o concerns o ver personal information
example, distributing manuscripts as PDF rather than requested on web-based forms.
Microsoft Word format reduces the ease with which one s
An important feature of the notion of genre of disclosure i s
ideas can be modified; excerpts might be still extracted and
that, since genres are loosely defined, it can account for
changed, but the integrity of the whole remains.
violations, or situations in which o ne feels t hat the
The Disclosure, Identity and Temporality boundaries, and promise of a genre was broken; t hat, for instance,
the tensions that occur with their negotiation, are the personal information was misappropriated and used in ways
primary features of our framework. They demonstrate that that h ad n ot b een anticipated. T he v ery i dea of
privacy regulation is a dynamic, dialectic, negotiated affair. misappropriation implies that information is disclosed with
Technology itself does not directly support or interfere with an expectation of appropriate use; the relationship between
forms of disclosure and expectations of use is precisely one s time. The benefits to temporal coordination have
what the idea of genre is intended to capture. been demonstrated time and time again, and so we find that
people a re m ore w illing t han i n t he p ast t o share
CASE S TUDIES
information that was once considered private [24].
The central motivation for this paper is to understand the
However, publicly available calendar data makes explicit
complexity and multi-faceted nature of privacy in settings
the patterning and sequencing of information, and the
where information technology i s present, w hich has
interpretations that can be made from such patterns might
necessitated the extensive conceptual exploration above.
inadvertently compromise privacy. The implications of this
However, in an effort to make this perspective more
are particularly apparent in this case of conference room
tangible, we explore various cases drawn from our own
bookings: A technology company was rife with rumors
observations as well as those of our colleagues; some of
about an impending layoff, but details were confidential.
these cases have been discussed in research publications,
An employee using an online calendar system to book the
while others are informal experiences reflected upon here for
local conference room for a meeting the following week
the first time. Analyses are necessarily abbreviated; our
found that it was already scheduled, and, in searching for
goal i s o nly t o i llustrate h ow t he t ensions a nd
alternatives, gradually discovered that every room had been
considerations we have presented here might be used to
booked, all day, by Human Resources. Although room
express more nuanced understanding of privacy concerns.
bookings are not expected to be a channel by which large-
The F amily I ntercom scale corporate plans might be discovered, the employee
In an influential project, Georgia Tech researchers are was able to easily infer that layoffs were imminent.
building a residential research laboratory the Aware
This illustrates an interesting tension between publicity and
Home, a t hree-story h ouse, i ntended for
privacy. One cannot book a room without disclosing that i t
occupation which is a testbed for the use embedded
has been booked (although other systems might disguise
computing technologies in domestic settings. One of the
identities); publicity is relevant here, since advertising the
program s projects is the Family Intercom [22], which
rooms unavailability is the point of the exercise. However,
allows family members to communicate seamlessly with
the ability to see aggregate temporal patterns of information
one another when distributed throughout their home using
( all rooms booked by HR ), rather than individual data
a built-in sensing and tracking infrastructure.
points, constitutes the disclosure problem. It is not simply
This project can be interpreted as a reproduction, for that HR was forced into disclosing information they would
domestic environments, o f u biquitous communication have preferred to keep secret. Rather, it was that they
technologies that have been explored in research workplace desired publicity at the level of individual data points, but
settings (e.g. Active Badges, below, and media spaces [9]). privacy at the level of the whole, with no system-supported
This c omparison i llustrates a m ismatch between the means for making this distinction.
institutional arrangements of home and work life. Such
Active B adges
concepts as accessibility, awareness, and availability
In a classic case, Harper [19, 20] discusses experiences in
for interaction, which have been goals supported by
the deployment of personal tracking systems based on
research workplace studies, do not map conveniently onto
Active Badges in two research laboratories. Of note is the
equivalents in the home environment. A six-year old is not
variety o f r esponses, d iffering b oth b etween the
in a position to control her availability for interaction to
laboratories, and between different groups in each.
her parents; she may display attentiveness or disinterest,
but the concept of voluntary availability does not apply in For example, the scientific staff in each lab placed different
this different institutional setting. Similarly, a sixteen-year- values on the technology, in part due to different styles of
old may not appreciate his sibling s passive awareness of work. In one lab, staff often worked in a central lab, and so
his actions. B y t he same token, t he n otion o f the the ability to route phone calls to them was highly valued;
substitutability of media that a conversation over an in the lab where people worked at their desks, the active
intercom is a replacement for a face-to-face conversation badge technology seemed less useful, and even intrusive.
does not apply in settings where what is being conducted i s This speaks in part to the tension between publicity and
not simple communication b ut a n exercise i n power privacy, and people s ability to control the balance.
relations; when a parent calls to a child, what is often
On the other hand, Harper suggests a different orientation
demanded is presence, not communication.
between different staff groups. The administrative staff
In other words, the genres of disclosure and accessibility in (who often need to track down research staff s whereabouts)
these two settings are quite different. T he interesting were more positively disposed to the technology than were
questions, then, are which institutional arrangements are the scientific staff. Harper proposes that this may be in part
implicit in the design of the technology, and to what extent due to the professional self-image of the scientific staff,
it is possible to blur these genres in practice. who were more likely to adopt a position of individual
responsibility for their own actions, and perhaps then resent
Shared C alendars
the introduction of a technology that potentially limits
Enterprise calendar applications that allow users to share
individual freedom a nd imposes greater organizational
calendar data in the hopes of improving coordination, most
accountability. The administrative staff, perhaps, were less
typically in corporate settings, illuminate a range of privacy
likely to feel this organizational accountability as a threat;
issues, from maintaining company security to protecting
it was already a feature of their working lives. In our terms, on their IM participation. In our privacy regulation terms,
this reflects different ways to resolve the tension between this tension occurs at the disclosure boundary, but also at
self and other; the scientific staff, understanding self in the identity boundary, where teens pay attention to who
personal terms, saw the system as providing a new form of they are expected (and want) to be in each of the spaces.
information disclosure, while the administrative staff saw Finally, we can say that the genres of disclosure for the two
less of an impact since their notion of professional self spaces are distinctly constructed and maintained.
was already more strongly associated with the organization.
Summary
The main point we have tried t o emphasize i n our
Mobile T elephones
The public use of mobile phones has been the topic of conceptual d evelopment i s t he d ynamic and
much discussion in the popular and research literatures. Its multidimensional nature of privacy. Privacy management
rapid, widespread deployment has called attention to the involves satisfying a number of needs, and balancing a
norms and conventions that guide behavior in public number of tensions. Taken individually, the examples
places, a s m any p eople r eport t hat w hat constitutes presented here illustrate how our approach can illuminate
appropriate use of mobile phones is violated there [25]. specific issues in the interaction of privacy and information
When such violations occur, it is not upon the user of the technology. Taken together, they demonstrate the diversity
technology as we usually see in other technology use of privacy issues at work in everyday settings. In contrast
scenarios but rather upon the unassuming person who to the traditional model of privacy as social withdrawal, we
feels that a conversation has been thrust upon them, with can see many different tensions at work. This, again, points
violations made to their acoustical privacy. The boundary to the need for interpretive frameworks, to help unpack and
between privacy and publicity is challenged here: the elucidate these different questions. Any encounter between
telephone user may feel comfortable about the degree of privacy and technology will involve many or all of these
openness they display, whereas the recipient who occupies different t ensions. T o u nderstand t he i mpacts of
the same physical space has little control of the degree of technology, we need to be able to see how these different
closedness they desire (short of asking the phone user to tensions operate, separately and together.
move, or to move him- or herself). The boundary between
C ONCLUSIONS
self and other is destabilized when phone users assume that
Our initial goal was to unpack the idea of privacy and
they are without an audience, or that they somehow do not
propose a conceptual framework that would allow more
affect anyone else, or, worse yet, that their behaviors are of
specific a nd d etailed s tatements a bout p rivacy and
interest to those who surround them. The furor and upset
technology to be made in HCI analyses. Our central
that surrounds mobile telephone use emerges from the
arguments have been that privacy management is a dynamic
overlap b etween t wo d omains o f a ctivity personal
response to circumstance rather than a static enforcement of
conversation and public presence. Phone conversations are
rules; that it is defined by a set of tensions between
not subject to the same self-monitoring and responsiveness
competing needs; and that technology can have many
to setting that characterizes face-to-face interactions. What
impacts, by way of disrupting boundaries, spanning them,
we are witnessing, then, is the gradual emergence of new
establishing new ones, etc. Using case studies, we have
communication forms that represent alternative resolutions
attempted to show how such a perspective might illuminate
of the tensions, organized around the new technological
our understanding of privacy regulation. What are the
forms and their consequence for social opportunities [21].
consequences of this perspective for technologists and
designers? We submit four possibilities here.
Instant M essaging
Instant messaging (IM) raises a range of privacy concerns, First, our view emphasizes that, when considering privacy
including tensions at the temporal boundary, created by the concerns raised by the development of new technologies,
possibility of recording what is assumed to be ephemeral the whole of the social and institutional setting in which
information f or f uture u se. A mong t eenagers, IM technologies are deployed should be considered. What is
conversations tend to be informal and in-the-moment, important is not what the technology does, but rather how
much l ike f ace-to-face i nteraction [ 17]. T heir I M it fits into cultural practice. As we suggested earlier, in
communications are crafted for the present with the Orwell s 1 9 8 4, it is the culture o f pervasive mutual
foreground assumption that friends can be trusted; however, monitoring that constitutes the threat to individuals.
the potential that their statements might instead be recycled
Second, our perspective on privacy requires attention to the
for unauthorized purposes, by copying t o a permanent
historical continuity of practice. Privacy regulation i s
record, keeps in check what is revealed to whom.
oriented both to the past and the future. Adequate analyses
Teenagers use of IM in their homes illustrates other kinds of the affects of technology on privacy practices would
of privacy regulation behaviors [17]. Teens report preferring interpret those practices not as arbitrary decontextualized
IM to the family phone because IM does not advertise to provisions, but as part of a trajectory of action.
parents that they are engaged in conversation with others,
Third, this perspective shows that privacy management i s
perhaps at times when such communications would be
something of a balancing act, a resolution of tensions not
discouraged or even prohibited. In the virtual meeting
just b etween p eople b ut a lso between t heir internal
space that IM creates, teens want to advertise their publicity
conflicting requirements. The significance here is that small
and availability to their friends; in contrast, in the physical
changes may have disproportionately large effects.
space of
Copyright 2003 ACM 1-58113-630-7/03/0004…$5.00.