issuhub.com

Science - USA (2022-01-21)

(Antfer) #1 
science.org SCIENCE

INSIGHTS | POLICY FORUM


ventions that embed privacy safeguards into
the core of our information systems.
Consider an analogy. Thanks to con-
tinuous technological improvements, the
speed and acceleration of car production
kept growing over time. Once cars reached
velocities that rendered drivers’ reaction
times unreliable tools for avoiding colli-
sions, the solution was not to teach driv-
ers to develop faster reaction abilities,
but rather to develop policy interventions
(e.g., mandatory safety standards on cars
for accident avoidance and damage reduc-
tion) and technological fixes (e.g., anti-lock
braking systems, airbags) that countered
the challenges arising from other techno-
logical progress. Better safety in cars was
the result of deliberate policy intervention
(driving investment in technical and infra-
structural changes), not merely of driver
education or market forces. In the case of
privacy, policy intervention can both instill
baseline safeguards (such as those embed-
ded in the Organization for Economic Co-
operation and Development’s Guidelines on
the Protection of Privacy and Transborder
Flows of Personal Data) and foster the de-
ployment of technologies that make those
safeguards possible without hurting mod-
ern society’s reliance on data.
Recent decades have, in fact, not only
produced a burst of innovation around data
as a critical asset for economic and societal
development; they have also generated in-
novations in statistics, cryptography, and
computer science that may address the chal-
lenges of creeping surveillance. Protocols
from differential privacy to homomorphic
encryption to federated learning point at
the possibility of protecting individuals’
privacy while allowing beneficial analytics
to advance. Tools from artificial intelligence
and machine learning deployed in privacy
assistants suggest a future in which com-
puterized agents may represent users’ data
interests when they interact with services,
help them evaluate privacy risks, and iden-
tify mismatches between users’ preferences
and systems settings. These developments
portend a world where privacy by design is
possible without undermining the value of
data. Indeed, economic research suggests
that data protection is not inherently wel-
fare-decreasing ( 13 ), and the use of differen-
tially private algorithms to achieve the dual
goal of producing accurate statistics while
protecting privacy is being investigated.
Yet, we believe that those technologies
are unlikely to fulfill their promise unless
they are embedded at the core of our infor-
mation infrastructures. To achieve that, we
first need to resolve, through policy, an in-
ception problem: Without a policy interven-
tion to support their deployment, the incen-


tives for the vast array of industry players

who control individuals’ data may be insuf-

ficient to reach a critical mass of adoption,

and only isolated individual market agents

would act ( 13 ). Returning to the car-safety

analogy, the externalities of privacy call for

regulatory intervention, similarly to how

externalities arising from unsafe driving led

to policy responses.

Privacy legal scholarship has also evolved

with the times, expanding the notion of pri-

vacy protection from mere control over data

flows to encompass issues of autonomy and

protection from bias, and proposing new

approaches, such as construing data holders

as data “fiduciaries” who hold legal obliga-

tions to act in the best interests of their cus-

tomers. Those efforts are promising. In our

view, any regulatory effort genuinely intent

on addressing the challenges of privacy will

have to be deliberate in avoiding the pitfall

of spawning new iterations of ineffectual

notice and consent mechanisms—which are

easily gamed ( 15 ) and at best provide neces-

sary but insufficient conditions for privacy

management. The problems with recent

legislations like GDPR make the limitations

of this approach abundantly clear, with con-

sumers fatigued by the constant clicking of

buttons to waive privacy rights.

Instead, we argue for regulation that ac-

counts for the richer understanding of pri-

vacy that scholarship has produced (one

that goes beyond mere control over data

or user consent) and that concentrates on

fostering mass-scale deployment of privacy

technology. Such efforts may include man-

dating products and services c ompliance

with user-centered privacy technologies

(including intelligent agents representing

user interests, and not just preferences);

incentivizing the usage of privacy-preserv-

ing, analytics-retaining algorithms among

data holders; and fostering corporate prac-

tices that minimize user burden and the

likelihood of coercion and manipulation.

Several alternative paths could achieve

those objectives—from standards setting

to coordinated R&D efforts; from leverag-

ing incentives to relying on penalties and

fines for noncompliance. Regulatory initia-

tives should, therefore, be preceded and ac-

companied by a concerted policy effort to

promote the development of these tools—by

which we refer to efforts aimed both at im-

proving technical solutions and analyzing

their downstream impacts at the individual,

organizational, and societal levels.

The history of privacy tells us that the

drive to maintain a private space may be

as universal as the drive to commune (and

that the two drives are in fact intimately re-

lated)—and that humans invariably attempt

to carve out those spaces even when the

odds are stacked against them by surveil-

lance, whether digital or physical ( 13 ). The

reason why concerns over privacy endure,

despite privacy being repeatedly declared

dead, may be in part cultural and in part

related to visceral, evolutionary roots. The

current state of privacy also tells us, how-

ever, that those spaces have become unques-

tionably harder for individuals to manage.

Solutions that predominantly rely on notice

and consent mechanisms are inadequate—

because they fail to take into account the

visceral roots of our sense of privacy and

thus can be easily gamed by platforms and

service providers. Understanding and then

accounting for those ancestral roots of pri-

vacy may be critical to secure its future. j

REFERENCES AND NOTES


  1. I. Altman, J. Soc. Issues 33 , 66 (1977).

  2. In addition to the references listed at the end of this
    article, an annotated bibliography of further schol-
    arly works related to arguments presented in this
    manuscript can be found at https://www.heinz.cmu.
    edu/~acquisti/companion-science-privacy-past-
    future-evolution.html.

  3. B. Moore Jr., Privacy: Studies in Social and Cultural
    History: Studies in Social and Cultural History (Sharpe,
    1984).

  4. P. Aries, G. Duby, A History of Private Life: From Pagan
    Rome to Byzantium (Belknap, 1987), vol. 1.

  5. A. Westin, Privacy and Freedom (Simon & Schuster,
    1967), chapter 1.

  6. A. Acquisti, L. Brandimarte, G. Loewenstein, Science
    347 , 509 (2015).

  7. P. H. Klopfer, D. I. Rubenstein, J. Soc. Issues 33 , 52 (1977).

  8. J. H. Barkow, Darwin, Sex, and Status: Biological
    Approaches to Mind and Culture (Univ. of Toronto Press,
    1989).

  9. R. F. Baumeister, M. R. Leary, Psychol. Bull. 117 , 497
    (1995).

  10. H. R. Varian, in Privacy and Self-Regulation in the
    Information Age (National Telecommunications
    and Information Administration, US Department of
    Commerce, 1996), chapter 1.

  11. A. Acquisti, L. Brandimarte, J. T. Hancock, “Are There
    Evolutionary Roots To Privacy Concerns?” Privacy Law
    Scholars Conference (Berkeley, CA, 2013).

  12. A. Shariff, J. Green, W. Jettinghoff, Curr. Dir. Psychol. Sci.
    30 , 159 (2021).

  13. A. Acquisti, L. Brandimarte, G. Loewenstein, J. Consum.
    Psychol. 30 , 736 (2020).

  14. A. Warofka, “An Independent Assessment of the
    Human Rights Impact of Facebook in Myanmar,”
    Facebook (2018; revised 2020); https://about.fb.com/
    news/2018/11/myanmar-hria/.

  15. C. Utz, M. Degeling, S. Fahl, F. Schaub, T. Holz,
    (Un)informed consent: Studying GDPR consent notices
    in the field. Proceedings of the 2019 ACM SIGSAC
    Conference on Computer and Communications Security,
    London, UK, November 2019.


ACKNOWLEDGMENTS

The authors acknowledge support from the National

Science Foundation through Awards 1228857 (Evolutionary

Approaches to Privacy and Information Security, 2012) and

1514192 (Understanding and Exploiting Visceral Roots of

Privacy and Security Concerns, 2015). A.A. acknowledges

support from the Alfred P. Sloan Foundation through grant

G-2015-14111 and from the Carnegie Corporation of New

York via an Andrew Carnegie Fellowship. The authors are

thankful for comments provided by the reviewers, as well as

J. Bailenson, E. Carbone, D. Chang, J. Flagg, C. Hoofnagle, L.

Jiang, L. John, G. Loewenstein, J. Spiegel, R. Steed, and by

participants at several workshops (including PLSC 2013, SHB

2014, and WEIS 2015) and seminars.

10.1126/science.abj0826

272 21 JANUARY 2022 • VOL 375 ISSUE 6578

Free download pdf
Get our desktop app
Company
Features
Documentation
Resources
© ISSUHUB. 2024. All rights reserved.