Applications of Contextual Integrity – Report from the 2nd Symposium

By TAP Guest Blogger

Posted on October 24, 2019

Contextual integrity (CI) was first proposed by Helen Nissenbaum in 2004 as a new framework for reasoning about privacy. Rather than defining privacy as control over information, CI takes into account the context of how the information is acquired and used. “CI’s bedrock claim is that protecting privacy means protecting appropriate informational flows.” (quote from the Privaci: Privacy through Contextual Integrity website.)

For example, a smartphone user may be comfortable with their location information being sent to a website in order to receive recommendations for nearby restaurants; however, the user may not be comfortable with the same location information being transferred to the same website for a different purpose, such as to display ads or coupons.

In August, Cornell Tech’s Digital Life Initiative and University of California, Berkeley’s International Computer Science Institute hosted the 2nd Annual Symposium on Applications of Contextual Integrity. The forum focused on how CI can inform policy and system design, and how the theory can be refined, operationalized, and applied to emerging technologies.

A report of the program’s discussions has been created and is available: The 2nd Symposium on Applications of Contextual Integrity Report. Below is the executive summary from the report.

This symposium summary was written by Jessie G. Taft.

2019 CI Symposium - Summary

Berkeley’s International Computer Science Institute and Cornell Tech’s Digital Life Initiative hosted the Second Symposium on Applications of Contextual Integrity on August 19-20, 2019 in Berkeley, CA. The event brought together researchers from computer and information science, communication, political science, and public health to discuss research using the theory of privacy as contextual integrity (CI).

CI defines privacy not as control over information but as information flow that is appropriate given contextual information norms. Norms are defined by the information’s subject, sender, recipient, type, and transmission principles. The theory provides a rigorous framework for determining people’s perception of appropriateness and ethical implications of modern technologies. As such, its application is an important part of the process of evaluating the privacy risks posed by new and emerging technologies.

The researchers and practitioners who gathered at the Symposium have each incorporated CI into their work, whether as a foundational principle or as an analytical tool. Over the course of the two-day event, with five panels of talks and multiple collaborative activities, attendees explored how CI can inform policy and system design, and how the theory can be refined, operationalized, and applied to emerging technologies and heretofore unexplored social contexts.

Panel 1 | CI: Theoretically Speaking

These presentations combined the CI theory with other theories from across information science, sociology, and organizational behavior. For example, work by Stanford University researcher Jennifer King explores how combining Social Exchange Theory and CI can help explain how privacy and disclosure norms develop under conditions of extreme power imbalance. Other presenters focused on Hirschman’s exit and voice framework and Bourdieu’s Field theory. All three talks explored the ways in which these theories inform and overlap with CI, and ways in which the theories can work together to create real-world outcomes.

Panel 2 | Through the Lens of CI

Each presentation in this panel investigated real-world privacy concerns by applying the CI framework. Presentations explored privacy in applications such as internet-connected toys, children’s mental models, and enterprise systems. One talk, by NYU’s Yan Shvartzshnaider, investigated disaster contexts, a time when norms for sharing information such as location and personal data change drastically. The researchers conducted a CI analysis of FEMA data handling practices and disaster app privacy policies, concluding that more third parties have access to disaster-related data than governance models account for. While seemingly disparate, each presentation used CI to augment existing research, resulting in better understanding of information flow in communication, computer science, and organizational behavior.

Panel 3 | CI and Norms Discovery

A complete CI analysis needs a full understanding of the norms at play in each context. This session presented research on discovering norms, expectations, and preferences in varying contexts: among older adults, for domestic employees working in smart homes, and in community-based research. One multidisciplinary team of researchers investigated the divide between implicit and explicit norms of consent on Facebook. By interviewing Facebook users with long-lived accounts and viewing the site as a data archive, they discovered which types of information flow are considered inappropriate, and how social pressure and information management interact. The results of each of these studies point the way toward more precise CI analyses. Other outcomes include advances in research methods and data management, and suggestions for the design of privacy-preserving technologies.

Panel 4 | CI and System Design

Presentations in this session demonstrated how CI can inform the design of technical systems. Researchers presented their work on using CI to explore privacy in the design of technical systems. For example, work from Dr. Catherine Dwyer at Pace University combined privacy frameworks and system design concepts to argue that technical systems use basic categorical information about data as a substitute for a careful understanding of context. Thus, CI analyses are needed to explore these categorical assumptions and to create technical solutions that are more sensitive to contextual norms. Other presentations addressed these issues in the context of integrated electronic health records, surgical robots, and recommendation systems. Together, these projects suggest ways that the abstract concepts involved in CI can be made concrete for use in technical systems, and how technical systems that require considerations of privacy can benefit from the results of CI analyses.

Panel 5 | CI and Reasonable Expectations

CI assumes that users of a technology have certain expectations, values, and norms about how information flows in each context. The presentations in this session explored privacy expectations in marginalized communities, proposed computational modeling of context with values as predicates, and developed a privacy paradigm that encompasses reasonable expectations and can be incorporated into existing engineering lifecycles. Another work uses CI to better understand how China’s social credit system re-defines privacy. The researchers describe how the system’s practice of public shaming as punishment for infractions regardless of their severity changes expectations of the relationships between actors in this context. Each paper concluded with calls for further engagement with the specific contexts of the research, from global society to small communities.

Open Mics and Breakouts

At several points during the symposium, attendees were given the opportunity to raise their own questions relating to applications of CI, or to apply CI to a new context in a focused breakout session. The “CI Open Mic” on Monday provided a forum for feedback on new research ideas and open questions in the CI research community. The CI and Regulation breakout session on Tuesday gave attendees the task of understanding how to regulate new technologies via understanding of information flows.

Common Themes

Defining Context. Throughout the symposium, attendees raised the question of defining context. Privacy scholars use the word in different ways across disciplines and fields, and even within discussions of CI, no specific definition of context has been completely agreed upon. Many talks also surfaced the idea of agency in defining context, noting that context may be different from the perspectives of different actors within an information flow.

Technical Operationalization. A number of presentations explored how CI can be operationalized in research methods, technical systems, and interfaces. While better definitions of context, norms, values, and transmission principles may assist in this effort, no clear “best practices” for incorporating CI into new technologies have emerged. Future work will need to bring these research findings together to create guidelines for those wishing to apply CI to real-world projects.

Next steps. Previous symposia raised the need for a CI 2.0 - one that would incorporate updated definitions and clarify understanding of norms, values, information flows, and contexts. While the 2019 symposium made efforts to unify these diverse interpretations, as many new questions were raised as were answered. Future symposia will build on this year’s enthusiasm for collaboration to further refine the CI framework and promote understanding of CI across domains.


This symposium summary was written by Jessie G. Taft. Jessie is the Research Initiative Coordinator at the Digital Life Initiative (DLI) at Cornell Tech.

Note: The “2nd Annual Symposium on Applications of Contextual Integrity” was supported by a gift from the Microsoft Corporation. Additionally, the Technology | Academics | Policy (TAP) website is sponsored by the Microsoft Corporation. Microsoft respects academic freedom, and is working to enable the dialogue on the most critical technology policy issues being debated. While Microsoft provides administrative and financial support for the TAP website’s platform and content, there is no payment made to scholars for appearing or blogging on the site.