Jennifer Valentino-DeVries of the Wall Street Journal recently interviewed Ryan Calo about his concept of “privacy harm.” I had posted a link to Ryan’s article earlier this month, but if you haven’t read it yet or would like to think more about his ideas — and I would hope that you do — you can read the interview here.
If we take Ryan’s view (as I understand it), some events might constitute privacy violations but not privacy harms. I had discussed some of this with him prior to the release of his first draft as I think that we should consider something a privacy harm if it weakens our ability to protect our privacy going forward. The fact that we may not know about a privacy violation or even know that we have been harmed does not mean that we have not been harmed.
Ryan offers a two-category classification of privacy harms (footnotes omitted):
I maintain that privacy harms fall into two categories. The first category is “subjective” in the sense of being internal to the person harmed. Subjective privacy harms are those that flow from the unwanted perception of observation. Subjective privacy harms can be acute or ongoing, can accrue to one individual or to many. They can range in severity from mild discomfort at the presence of a security camera to “mental pain and distress far greater than could be inflicted by mere bodily injury.” Generally to be considered harmful the observation must be unwanted. We hesitate to see subjective harm where, as often, the observation is welcome. But actual observation need not occur to cause harm; perception of observation can be enough.
The second category is “objective” in the sense of being external to the person harmed. This set of harms involves the forced or unanticipated use of information about a person against that person. Objective privacy harms can occur when personal information is used to justify an adverse action against a person, as when the government leverages data mining of sensitive personal information to block a citizen from air travel, or a neighbor forms a negative judgment from gossip. They can also occur when such information is used to commit a crime, such as identity theft or murder. To constitute harm, the use must be unanticipated or, if known to the victim, coerced. Again, however, no human being actually needs to see the personal information itself for it to be used against the victim.
Ryan’s conceptualization has some definite strong points, in my opinion, not the least of which is the notion that an individual can suffer a privacy harm even if no other human looks at the personal information in a database that is used to make decisions about people (such as whether they pose a threat to air safety). His conceptualization also acknowledges that all of us may feel a sense of subjective harm by knowing that our government may have us under surveillance without a warrant even if we have no proof that we have individually been the target of such surveillance. One of my main concerns about his approach is that his definition of privacy harm does not seem to encompass the effect of privacy or data breaches when the individual is not aware of the breach and the data have not (yet) been misused.
To illustrate my concerns about his approach, and as an analogy, suppose someone crashes their car into my house while everyone is away and suppose that the incident cracks the foundation of my home but I am not aware of it at the time and the house is still standing. To the extent that the structural integrity of my home has been weakened — even if I am not aware of it at the time — and that it might not withstand a subsequent rain storm without water coming in, I would argue that my home was harmed. Similarly, if a physician injects me using a dirty needle, I may not know that I have been harmed until I become ill and we discover the cause, but I would argue that I suffered a harm at the time of the injection — not just when I realized I was ill or the cause of it.
Yet if we move these types of scenarios into the privacy arena, under Ryan’s conceptualization of “privacy harm,” he might not agree that harm had occurred at the time of the original act. And if he does agree that anything that weakens or damages the integrity of the structural or physical system constitutes harm in those situations, why doesn’t he apply the same principles to privacy?
If I am interpreting Ryan’s position correctly, he might argue that if someone improperly sells my information to a third party, that might be a privacy violation, but I have not necessarily suffered a privacy harm if I do not know that the information has been sold and if the information is not then used against me. I would argue that harm occurred at the moment that others improperly came into possession of private information, and that the only issues left are the nature and extent of harm that occurred as a result of the act.
What do you think? And Ryan, if I’ve misunderstood your arguments or you see a flaw in my reasoning, please feel free to jump in and explain.