Privacy, in contrast with secrecy, is a relational concept, achieved when personal information is shared appropriately between actors. Viewed in this way, privacy is necessarily contextual and complex because norms about appropriate flows and use of personal information are socially negotiated and often contested (Reference NissenbaumNissenbaum, 2009). Privacy is thus a problem of collective action. Moreover, personal information is often among the knowledge resources pooled and managed by knowledge commons. Even when that is not the case, personal information can be important in shaping knowledge commons participation and governance. The Governing Knowledge Commons (GKC) framework is thus well suited for studying and analyzing how communities or populations evaluate and shape governance of privacy in particular contexts. (Reference Sanfilippo, Frischmann and StrandburgSanfilippo, Frischmann & Strandburg, 2018)
Chapter 1 of this volume introduces the theoretical basis for applying the GKC framework to study privacy, explores how that framework complements and supplements Nissenbaum’s contextual integrity theory, and describes a privacy-focused meta-analysis of previous GKC case studies. Previous case studies within the GKC tradition did not explicitly address questions of privacy. Nonetheless, the meta-analysis presented in Chapter 1 demonstrates that personal information shaped governance – and was itself pooled and governed – in previously published GKC cases. By studying how the strength and enforcement of particular types of “rules-in-use” for personal information varied among those cases, the privacy-focused meta-analysis uncovers three patterns of commons governance: member-driven, public-driven, and imposed.
Drawing on insights from the theory and meta-analysis reviewed in Chapter 1, the chapters gathered in this volume were solicited from an interdisciplinary group of scholars studying personal information governance in a variety of contexts. Chapters 2 through 5 in this volume present case studies of knowledge commons in which personal information is pooled and governed as a critical knowledge resource. Chapters 6 and 7 present case studies in which privacy’s role is primarily instrumental to the creation and management of other sorts of knowledge resources; commons governance of personal information enables trust and cooperation. Chapters 8 through 10 explore some of the failures and complexities of privacy commons governance, particularly with respect to the representation of information subjects, and suggest potential paths toward greater inclusion and legitimacy.
In Chapter 2, “How Private Individuals Maintain Privacy and Govern Their Own Health Data Cooperative: MIDATA in Switzerland,” Felix Gille and Effy Vayena explore the Swiss MIDATA cooperative. MIDATA’s members exert cooperative control over the uses of their personal health data through a combination of individual decisions and collective review of project proposals for biomedical research. Within this privacy commons, the board, which reviews research proposals, provides governance and builds trust, while participants across the Swiss population supply the critical resources, namely personal health data.
Chapter 3, “Pooling Mental Health Data with Chatbots,” by Michael Mattioli, presents a critical analysis of applications of conversational agents to treat clinical anxiety. In addition to treating anxiety and depression in real time, these chatbot apps are designed to improve quality of care with time, not only by learning about individual users, but also by creating and using a larger pool of user conversations. Patients who use these chatbots are thus both the source of personal information used as a resource for generating new knowledge and part of the community most directly impacted by its use. Unlike MIDATA, the chatbot governance model does not involve information subject participation, but relies instead on the ethical commitments of its physician creators and patient-informed consent.
In Chapter 4, “Privacy in Practice: A Socio-Technical Integration Research (STIR) Study of Rules-in-Use within Institutional Research,” Chase McCoy and Kyle M. L. Jones study the governance and practice of university data mining and learning analytics using a sociotechnical integration research (STIR) design. Their study probes the value of student data to institutional research, the institutional participants involved with its collection and use, and the ways in which the creation and use of student data knowledge resources are governed. In this case, student information subjects do not participate directly in governance, nor is governance premised on their consent. Instead, privacy governance is based on legal regulation, university policies, and, importantly, collective norms reflecting the ethical commitments of the researchers.
Chapter 5, “Public Facebook Groups for Political Activism,” by Madelyn Sanfilippo and Katherine Strandburg, studies governance of personal information in online social movements that use Facebook as a primary locus for activity. Their empirical study of the Day Without Immigrants movement, the March for Science, and the Women’s March explores the variety of personal information – ranging from personal narratives to contact information – contributed by participants and the complex and polycentric ways in which personal information resources are governed by movement leaders and organizers, informal responses from other participants, and the design of Facebook’s platform. This chapter also serves as a bridge to the group of studies focused on the ways that privacy governs participation and co-creation of knowledge resources because these movements also must deal with collateral flows of personal information associated with the creation and governance of other types of knowledge resources.
In Chapter 6, “The Republic of Letters and the Origins of Scientific Knowledge Commons,” Michael Madison explores how privacy shaped the historical knowledge sharing practices of “The Republic of Letters,” an early open science regime. The knowledge resources created by this sharing regime were public, both in the sense that they were not secret and in the sense that they were intended to include general, rather than personal, knowledge. Nonetheless, as Madison describes, privacy practices were key to self-organization processes of the Republic of Letters. For example, rules-in-use about personal information sharing both underlay reputational compensation and significantly limited the types of personal information deemed appropriate to share.
In Chapter 7, Brett M. Frischmann, Katherine Haenschen, and Ari Ezra Waldman address “Privacy and Knowledge Production across Contexts.” They compare the rules-in-use governing personal information flows in three distinct contexts: meetings governed by the Chatham House Rule, Gordon Research Conferences, and Broadband Internet Tech Advisory Group (BITAG). Their study shows how these communities use different forms of privacy governance to create trusted environments for information sharing, thereby encouraging participation by diverse contributors to the creation of knowledge resources.
Chapter 8, Scott J. Shackelford’s “Governing the Internet of Everything,” considers the problem of cybersecurity governance in a global Internet system that increasingly involves connected smart devices. He emphasizes the complexity and polycentricity of the cybersecurity governance regime, which involves international, state, commercial, and private actors. Cybersecurity has many aspects, including governance of the ways that various commercial, governmental, and criminal players can exploit users’ personal information. Shackelford warns that the regime complexes addressing cybersecurity may not adequately represent the interests of personal information subjects, particularly those who live in less developed and less powerful states. He argues that the GKC framework and Ostrom’s IAD framework can be used to critically analyze cybersecurity governance in order to develop novel interventions to address these concerns.
In Chapter 9, “Contextual Integrity as a Gauge for Governing Knowledge Commons,” Yan Shvartzshnaider, Madelyn Sanfilippo, and Noah Apthorpe use contextual integrity (CI) as a gauge for evaluating the governance of personal information revealed by users participating in the Internet of Things. Through a survey of public perceptions regarding privacy and IoT devices, they find large gaps between the norms and expectations articulated by some sub-groups of users and the ways that commercial suppliers of smart connected devices govern the aggregation and use of such information. These gaps are evidence that current governance fails to account for the interests of information subjects. Their study also explores how some smart device users cooperate through user forms to create a distinct knowledge resource of information about how personal information flows in the IoT environment and strategies that users can use to limit the collection of their information, at least to some extent.
Chapter 10, Darakhshan J. Mir’s “Designing for the Privacy Commons,” examines how the tools and methodologies of design might be used to assess the appropriateness of entrenched norms or rules-in-use associated with privacy. Mir argues that Participatory Design methodology, with its political and ideological commitments to democratic decision-making, may be a particularly promising way to address the deficits in representation of information subjects’ interests identified in some cases of personal information governance.
While each of these chapters and case studies is fascinating in its own right, the concluding chapter provides a critical meta-perspective. Taken together, this book’s exploration of personal information and its unique connection to information subjects add nuance to our earlier analysis of member-driven, public-driven, and imposed commons governance and bring new themes into focus. Newly salient themes include the role of personal information governance in boundary negotiation and socialization, the potential for conflicts between knowledge contributors and information subjects; the potential adversarial role of commercial infrastructure in imposing commons governance; the role of privacy work-around strategies in responding to those conflicts; the importance of trust; the contestability of commons governance legitimacy; and the co-emergence of contributor communities and knowledge resources. These new studies also confirm and deepen insights into recurring themes identified in previous GKC studies (Reference Frischmann, Madison and StrandburgFrischmann, Madison & Strandburg, 2014; Reference Strandburg, Frischmann and MadisonStrandburg, Frischmann & Madison, 2017).