1. New technologies radically change what is private & public in our daily lives

Technology is radically changing what is private and public in our daily lives. Our personal, professional, and financial interactions increasingly take place online, where almost everything is archived and thus is potentially permanently searchable and publishable.   Cameras are ubiquitous in public plazas - our strolls are recorded by storeowners, government agencies and, of course, our friends who post and tag pictures of us.  We share our location both deliberately via updates to locative social media and inescapably via our location-aware telephones.

Historically, human interaction was local and ephemeral; it was heard only by those nearby and the words, once spoken, disappeared in the passing of time. Today, however, our interactions, and other’s observations of them, can reach across space and persist in time[1]. Surveillance cameras open seemingly private rooms to distant and unseen observers; archives retain casual conversations and out-grown profiles, forever enabling their out-of-context and possibly inopportune re-display.

These technologies make distinguishing between what is private and public difficult.  We are often unaware of the recording of our words and actions, and do not intuitively grasp that casual interactions, once fleeting and ephemeral, are now permanently etched digital artifacts (Nissenbaum 1998; Nissenbaum 2004).

Privacy is about maintaining control of information about ourselves.   This can include what we are thinking, what we said to another person, what we did last night, our undressed body, our favorite book, etc.  Privacy is contextual – I may discuss my family problems with one friend, but not another, and I certainly would not want them to be publicly broadcast.  I may be comfortable naked with my spouse, but not my co-workers.  Privacy varies from situation to situation and culture to culture.  I can freely share my taste in books if it is innocuous, if it is congruent with the mores of my community, or if I live in an open and tolerant society.   But if my taste reveals my deep religious commitments in a vehemently secular context or, vice versa, proclaims my atheism in a religious world, I may prefer to keep my reading habits more private – not necessarily secret, but limited to the people who I feel are accepting of my beliefs. 

Privacy is important because access to private information about us by the wrong person or agency can be harmful. The direst concern is with an intrusive and repressive government – the Big Brother of 1984 and the spies and agencies of recent and on-going totalitarian regimes.  Even for those of us lucky enough to live in a more open society, history shows that governments are in constant flux, and there is no guarantee that today’s democracy will be free forever.  The data that is now collected for innocuous reasons may be used tomorrow by a less benign authority. 

There are also concerns about employers and insurers who can hire, fire, and deny services based on information that have been able to glean about us.  More insidiously, there are people and institution that may not directly harm us, but whose motivations do not align with our own.  Marketers, for example, are among the most voracious amassers of information about what people do and say online.  Are they working for us, helping us find the goods and services we need?  Or are they working against us, manipulating our tastes and values to make us believe we have a ceaseless need for new purchases? 

In these examples, we are concerned about protecting our privacy from outside agencies, from governments and corporations that seek to constrain and influence our beliefs and behaviors.  But there is another, social, aspect of privacy.   We need privacy in order to maintain a variety of relationships with diverse people (Rachels 1975).  I may tell an off-color joke or use profanity in front of my friends, among whom it is an accepted way of speaking.  But I would not use this language in front of my great-aunt, who would be shocked, or my children, to whom I try set an example of model behavior, or my colleagues, who I want to think of me as composed and dignified.  Thus, I would be quite discomfited to find that a recording of my friends and I joking around in this manner was circulating among my relatives, kids or co-workers.  

Until recently, it was unlikely that such a recording would exist.  Today, camera-equipped phones, designed for easy and instant publishing of their content, are present in most social situations, making every acquaintance a potential paparazzo.  Dinner party attendees post live updates from the table about the conversation and the food.   Both online and off, it is becoming harder to discern who is privy to one’s words and easier to promulgate conversations and other activities to people outside the intended audience.  Technology is eroding our ability to keep separate the different facets of our lives. 

Yet while privacy is important, more privacy is not always better.  We can protect our privacy by saying nothing and leaving no traces.  Taken to an extreme, a very private world is anonymous, lonely and anarchic.  

We need to have public realms, where we encounter new people and new ideas and where self-imposed constraint on actions, rather than the absence of watching eyes, maintains privacy. Vibrant public spaces are of great value to a community.  Public spaces are for celebrations and protests, for commerce and socializing; by being out in public, we see how others appear and act.  There is an energy that comes from being seen by others and making the effort to act in our public role.  

In some ways, technology is making our world more private.  It was not so long ago that one could easily see the entertainment choices of one’s fellow subway riders: their books and magazines were clearly visible.  Today people read or listen to digital media, and tiny screens hide their choice; a small but significant loss in the social vividness of the city, for taste in books and music is one way people define their social identity.   Many work places have become eerily silent, as employees who once gathered to chat at water-coolers now stay in their offices (or even at home), communicating mostly online.  The sociability that was once available simply by being in a public space is diminishing. 

In other ways, technology is creating new public spaces.  The internet provides numerous platforms for public speech: we can voice our opinions, display our photographs, and publish our songs to a global audience with unprecedented ease.  What we do in these new, mediated public spaces is much the same as what we do in traditional public spaces[2] – we seek out entertainment, support political causes, meet new people.  But mediated public spaces are significantly different: words and images persist indefinitely, audiences are often invisible, and people’s identities range from wholly anonymous to extensively documented.  These new forms of public information can help re-invigorate public space – and they can also be a nightmare of violated privacy and repressed behavior.  

Privacy and publicity are complementary and need to be in balance.  A world in which everything is private, in which you see little of your fellow inhabitants, is a world without society.  It is a world where people act in isolation, one where social mores have no place to develop.  A world in which everything is public is one where social control is overwhelming, where every act and expression is open to scrutiny.  We need public space, where we can encounter the new and unexpected, where we can see and be seen by others.  We need private space, free from the constraining norms of the greater world, in which to act as an individual and with a smaller group.  

Indeed, public and private form a continuum.  Many of our actions are public to some group – our family, our co-workers, our fellow cross-dressers or cat-fanciers – but private to our other social groups and the rest of the world.  The street is obviously public, but even one’s family, in “the privacy of one’s home” is also a public, with its own set of rules for how one behaves: danah boyd notes that teenagers think of the family as public space and their friends as the private world, whereas adults perceive the opposite (boyd 2006).  How much control you have over the norms of a situation affects whether you perceive it to be public and controlled by others, or private and controlled by you.

Tolerance affects our need for privacy. The drawbacks of a highly public world – intense social control, endless scrutiny – are ameliorated in a society that accepts and protects diversity of opinions and behaviors.   We need to balance the public and private, the collective good and personal liberty.  When the public sphere is liberal and gives people much freedom, there is less urgency for privacy. 

2.Designs to demarcate public and private

The design of new technologies shapes the effect they have on private life and public space.  Design makes a camera invisible or prominent; it is a design choice to display its video to the people it observes or to show it only to a distant watcher. It is a design choice for a social network site to allow its users to present different facets of themselves to different people, or to insist that they present the same view to all.   Yet knowing which design to choose is complicated.  Privacy is not an unmitigated good, but involves tradeoffs with public life, sociability, safety, and convenience.  And it is not always clear what designs best protect privacy – if I speak freely now, because I am in private, but my words persist into an unprivate future, might my privacy have been better protected by always being in public and acting accordingly?  

An important role design[3] plays is to demarcate the public and the private.  In a plaza, we assume that other people in the space can see us; we may be aware, too, of those looking out the windows of overlooking buildings.  But new technologies make it harder for us to see those who see us.  We are often unaware of the cameras that make us observable from miles away and for years to come.  Online, we may be aware that we are posting a remark in a public forum, but not intuitively grasp the scale of the audience, nor the ways that this remark may become part of our growing virtual persona.   We can enhance privacy by clarifying the scope and boundaries of our ambiguous public realms.

The illusion of privacy induces people to act, erroneously, as if they were in a private space. Online, many spaces feel as if they are very private, that one’s actions are seen by no one and one’s words are perused by only a few.  In fact these actions are been made in a space that is not only public, in that many eye can see it, but is also hyper-public in that it can be seen for an extended time, in many contexts. 

A hidden camera breaks open a space without the knowledge of those observed, while a visible camera makes them aware of the possibility of being recorded and a prominent live video feed makes it more intuitively clear that the space may be spatially and temporally extended. We act differently in private than in public and need to be able to perceive those distinctions in order to act appropriately.  Our perception, however, is inevitably asymmetric:  A public display of the images and data gathered in a space provides proof that it is public, but lack of such a display cannot reassure us that the space is private.

Individuals’ standards of personal privacy vary; some desire attention while others seek isolation.  A well-designed space, whether virtual or physical, should help them understand how far their words and actions can travel.  It is then up to the person to choose how to act and what to reveal.  

2.1.designing visible audiences

In our face-to-face communication, we take for granted the ability to see who is listening.  Online, the audience is often invisible: we are aware of the people who participate actively, but forget about the silent readers, who may greatly outnumber the vocal ones (Nonnecke and Preece 2003).  

This lack of audience awareness helps create the feeling of intimacy that can characterize even very large online discussions; people feel – and thus act – as if - they are addressing only a few known companions, not the multitudes who are actually reading.  This can be good: the intimate tone of informal speech and personal revelation makes for more interesting reading than the stiffly self-conscious voice of someone addressing a vast audience.  Yet this unawareness can create a voyeuristic dynamic in which people reveal far more than they would were they aware of the scale of the discussions. 

Redesigning discussion sites can make the reading audience visible.  A message in such a forum would show how many people had read it – or even who the readers were.  Making the audience visible would affect both writers and readers.  A writer who becomes more aware of how large her audience is or how many strangers are in it might write more formally and disclose less personal information.  A design that simply counted each view would have less affect on  readers[4], but publicly listing their names would make readers more circumspect about what they were seen perusing.  Making the audience visible transforms the social dynamics of the conversation.

For readers, the obvious privacy concern is with controversial material.   But making readers visible would also affect behavior around seemingly innocuous social material.   Let us look at how this would affect, for example, status updates. As an invisible reader, I can peruse the updates of many friends and acquaintances, stopping to comment on only a very few, if any.    The friends whose proud achievements, vacation photos, or latest jokes receive no comment from me do not know if I have said nothing because I do not care, cannot think of something to say, or simply have not seen them.  As a named and visible reader, I need to be more selective about what to read for since it will be apparent that I am aware of something, I will often feel obligated to respond.  I might choose not to read what promises to be an accounting of an important event, because I do not have the time to respond properly and do not want it to be known that I have read and am aware of the event, but have said nothing.   Visible readers have greater social responsibilities. 

Our existing social norms influence our understanding of privacy.  If we frame online writing as conversation, we expect visibility of all participants.  In a face-to-face conversation or a telephone call, the norm is to be aware of the audience; an unseen listener is an eavesdropper.  Allowing the speaker (or writer) to see who is listening is courteous rather than invasive.

On the other hand, if we frame it as publication, we expect privacy for the readers.  Reading privately is a revered right.  Thus, if we think of social media as being like publishing, then making the audience visible is itself an invasion of privacy, reminiscent of asking libraries to reveal their patrons’ borrowing records or the concern over electronic books keeping tabs on their readers (Ozer and Lynch).  Naming the readers of, say, an online political tract has unpleasant overtones of state surveillance. 

To support privacy, designs need to clarify the conceptual model underlying participants’ expectations of what they can see and what they can hide.  The publishing model, with its invisible audience is suitable in some situations, and the conversation model, with its mutually visible participants, is suitable in others.  A social medium can follow either model; designing it to support privacy means providing cues to ensure that participants’ expectations match the medium’s affordances.

2.2.designing visible surveillance

In some situations, the best way to protect privacy is to remind people they are in public – and the watchers may not be their intended audience.   Mistaken expectations about privacy are frequent at work (Nord, McCubbins, and Nord 2006), especially as communication technologies blur the distinction between office and home.  We chat online with friends while at work, and keep up with professional duties from home. Employees often feel that their email and other communication is private.  Yet it is not, especially if they are using company equipment and accounts

If a company says that management may scrutinize all email, it is important that the employees habitually think of their email at work as public communication.  Yet although they may receive notices that their correspondence may be read and their online activities monitored, employees frequently do not understand that there is not a zone of privacy for personal correspondence or they forget they may be observed.  

Imagine a workplace common area with a big dynamic display that shows the flow of email in the company.  Such a display is interesting as a social map of the company (see ch x), but it also functions as a very visceral reminder that these emails are not private.   If I am secretly dating someone in the next department, it can make me think twice about sending him a note via company email.  Do I want a connection between us to show up in a public display?  If not, I need to find another way to reach him.  If I want to schedule a very confidential meeting with HR to complain about my boss, it reminds me that he may read my email.  Perhaps I should call, instead.   

The display does not reveal the contents of the email – you can still send company confidential email to co-workers without any of the material being revealed to casual visitors, but you are reminded and would  come to intuitively feel that your actions, when using the company’s communication technologies, are open in various ways within the company.  It makes the virtual space semi-public, like the glass-walled offices that are popular in many businesses.  We can close the door so no one hears what we are talking about, but anyone can see who is meeting with whom.

Such a display would have a chilling effect on users, but that can be a good thing, as in this case.  Given that the employees’ correspondence is already monitored, they benefit from greater awareness -- and the company benefits by having employees focus on work-related issues.  (One might argue against tightly monitoring employees, but then the solution is for the monitoring to stop or be limited, not for it to exist while its subjects are only vaguely aware of it.)

Design needs to balance the benefit of providing people with the knowledge that they are or might be watched with the cost to them of the pervasive anxiety this knowledge can engender.

In 1785, the English philosopher Jeremy Bentham proposed the “panopticon”, a prison designed so that prisoners could be under surveillance at any time, but would be unable to tell at any given moment if they were actually being observed or not (Bentham 1791).  Though they might be unobserved, they would need to act at all times as if they were under an omniscient and omnipresent eye. 

The concept of the panopticon resonates in a world where surveillance is increasingly ubiquitous.  The social theorist Michel Foucault, wrote in Discipline and Punish, his history of prisons and punishment, says “[t]he panoptic schema, without disappearing as such or losing any of its properties, was destined to spread throughout the social body; its vocation was to become a generalized function .” (Foucault 1979).

Though the phrase “ignorance is bliss” sounds unsettlingly like the Party’s slogans in 1984[5], it is actually from an 18^th century poem, saying that given the inevitability of suffering and death, it is better to enjoy youth life without being consumed with thoughts of the misery to come  (Gray 1753).   How much should we be aware of the possibility of surveillance?   When is it better to know, and to limit what we say and do – and when is that self-censorship itself a problem?   The answer depends on who is watching.

3.Who is watching us?

Our feeling about being observed depends on the observer.  Why are they watching us?  Is it for our own good, or does it harm us?  Is it an asymmetric observation, where they watch us while we are unaware of them?  Or is it an experience of mutual assessment?

The focus in this book is on private and public social interaction, where controlling and revealing personal information is part of negotiating trust and establishing bonds among individuals.  Yet we need to be aware of other observers of our actions – governments, employers, insurers, marketers, etc. - whose purpose may be detrimental to us.  They add a cost to our interactions that may be steep enough to make us rethink how we act – or what degree of privacy we require in our social spaces. 

Most readers of this book live under nearly constant government surveillance in public spaces.  Security cameras, with increasing ability to recognize faces, monitor stores, parks, and streets.  Private phone conversations may be recorded, and shopping, web-browsing and travel records may also be analyzed.  This surveillance is meant to combat terrorism and crime; many citizens support it, especially at times and in places where fear of attack is high.   It is benign to the extent that the government’s laws and actions are just.   Yet even a just government can have corrupt or over-zealous departments and individuals.  And governments change, while databases last forever. 

Governments are not the only watchers.  Corporations watch, too. They want to know if you are credit-worthy, insurable, or employable.  Many people in Europe and the United States see this as a more immediate concern than government repression, for while they think of themselves as generally law-abiding, they have done things that could make them ineligible for a desired service or position.  Feeling that all your actions, everywhere, must conform to a company’s ideal puts tight constraints on behavior. 

Some of this observation is for our own benefit. Medical use of data about us is generally helpful, letting us and/or our doctors make better decisions for our health.  However, insurers’ use of that same data is often harmful to us, for they seek information that allows them not to reimburse us for medical expenses. 

Surveillance can be indirectly beneficial.  The government may intrude on our privacy for our own good, to protect against terrorists and criminals.  It needs information about everyone in order to find those who are truly dangerous.  We may benefit from the government having access to other people’s information, but do not derive any benefit from – and arguably are harmed by - their access of our own information.  Here we need to weigh the benefit against the privacy costs.  (What has been disturbing in the years since 9/11 is the claim that fighting terrorism is infinitely important, trumping all costs). Can the government maintain security with lower privacy costs, e.g. by diligently destroying information as soon as it is reasonably deemed irrelevant?  And what are the social costs? If the government uses the data it finds this way for suppressing dissent, the cost is extremely high.

Whether marketers’ use of our private information is beneficial or not is up for debate.  They claim that, by being able to better target advertising to your wants and needs, they can provide information that is more relevant to you -- which sounds beneficial.  However, the “benefit” of being persuaded to spend more, of being made ever more skillfully and subtly dissatisfied with what we have, is arguably more of a cost to us, though certainly it benefits the advertiser and its client. 

The benefit to us of employers, school admission offices, etc. having access to private information is also complex.  Admission and employment are generally zero-sum games – someone will be hired, and one person’s loss is another’s gain.   The key issue is whether the information the employer is using is relevant to the decision.  If it is-- if it helps her make a better decision and is in line with what the community thinks is pertinent information for assessing that sort of job or opportunity --  then it is beneficial: though it may cost one person the job, another, presumably better suited person does get it.  The problem is when the information used is not materially relevant to the decision.  This is a matter for the community to decide (though what constitutes the relevant community and how they made this decision is not always clear).  As a country, we are a community that has outlawed racial and other forms of discrimination in hiring: an interviewer is privy to the applicant’s race and gender, but is barred from using it in their assessments.  We need to make similar determinations about the use of all kinds of private data: health information, online comments and photographs, etc.

A very different category of observers is other people in a social setting.  “Although Big Brother actions may threaten life and liberty,it is interpersonal privacy matters that figure primarily in decisions about technology use on an everyday basis.” (Palen and Dourish 2003)  This is the privacy of social mores, of social expectations, of keeping face and experiencing embarrassment.  This social privacy is changing as our interactions move online, where they are stored, archived, collated, visualized and permanently retrievable. We are entering a world where the impression we make comes not just from our present demeanor, but also from a vast shadow of past words, photos and others’ comments.  While much  has been written about technology and changing expectations of external privacy, the impact of new media on social privacy and public space is less well understood.  Why do people want to know private information about each other – and why do people want to provide it?  Is this beneficial or not?  Who benefits?  Who loses?   

4.The most private of times, the most public of times

20^th century America was in many ways the most private of societies.  Huge numbers of people migrated to the relative anonymity of cities, surrounded by strangers.    It was the century in which going to the bank went from a social exchange with a clerk with whom you exchanged pleasantries and greetings to the much more efficient but impersonal  interaction with a bank machine.  Big companies transferred their employees every few years, resettling them in new face-less suburban tracts with wide and empty streets.  Television moved entertainment from public theaters to private homes.  Not only did we not know our neighbors’ secrets, we did not even know their names.   Privacy slid into isolation.

At the same time, it was becoming the most public of societies.  At the beginning of the 20^th century, women ventured out only if properly covered up from wrist to ankle; by mid-century, they were on the beaches in bikinis.  Television let ordinary people expose their personal quirks in front of millions, coyly at first with programs such as “The Newlywed Game”, and accelerating to today’s relentless broadcasts of plastic surgeries, family court battles, childbirth close-ups, and hoarders’ piles of dirty laundry.

Entering the 21^st century, it is also, on the whole, a tolerant society.  This, plus the abundance, if not excess, of privacy, creates a world where in which many place a low value on privacy.   We post updates about our dates, our health, our political beliefs.  At the extreme, we allow cameras to follow us day and night,  discuss our family’s unhappiness on TV, and describe the minutiae of our daily life in tell-all blogs and memoirs.  The openness of our society appears to be self-perpetuating: the more we see and hear of other’s thoughts and actions, the less shocked we are by differences and the more tolerant our society becomes – and the less value we place on privacy. 

America is the “wild west” of privacy in a two opposite ways. First, there is the myth of the frontier, of the endless ability to move west and start over; privacy through reinvention. .  Second, though, is that privacy is not well protected.  In America it is open hunting season on data, as compared to in Europe, where numerous laws govern the collection and use of citizen’s information.  Europe does not have the mythology of endless reinvention: many people still live in the towns and villages of their ancestors.  It also has more immediate and vivid memories of the horrors a totalitarian regime can inflict and how it can  use records to terrorize people.

As we attempt to understand the current rapid, technologically precipitated changes in our experience of public and private, we need to keep in mind that our sense of “normal”, of the proper balance between the two, was formed in a particular place and time, and is neither culturally nor historically universal.

20 years ago, it was difficult to find out much about a person who was neither famous nor known within one’s social group.  Today, whenever you come across a new person – a name mentioned in a news article, a person seated across from you at a business lunch, a potential babysitter, etc. – the first thing you are likely to do is to Google them.  For some people, there is still very little information.  But many others have extensive dossiers: a search on their name comes up with papers they’ve written, articles about them, photos at parties, blog postings reaching back several years, court records of their divorce and custody battles, their arguments in forums, and their reviews of shoes and hotels and anti-fungal creams

Our social expectations are changing.  If no information comes up in a search on someone you meet in a professional context, it now seems strange.   Have they really left no mark online – not a posting? Have they not inspired anyone to say anything about them?  Our expectation today is to be able to find data about others[6].   

This also changes what we expect others to know about us.  If I am meeting someone for the first time,  say a researcher from a distant university, how much should I know about him?   If I know nothing, it , it can seem a bit insulting, as if I did not think they were important enough to look up.  Yet if I do such a search, and now I know that their dog recently died or they spent several years living in Mumbai, how do I bring up this  personal knowledge I have about someone who had been a stranger only minutes before?   We need a new etiquette to help us appear interested and attentive, and not creepily stalking. 

Like celebrities who both crave fame yet complain about the cameras that follow them, we are ambivalent about whether we want more publicity or privacy. 

People’s reactions to these social changes are mixed.  A newspaper article about sharing in social media (Stone 2010), described people who enthusiastically  post such things as what they ate, the clothes they bought,  and where they are:

 Mr. Brooks, a 38-year-old consultant for online dating Web sites, seems to be a perfect customer. He publishes his travel schedule on Dopplr. His DNA profile is available on 23andMe. And on Blippy, he makes public everything he spends with his Chase Mastercard, along with his spending at Netflix, iTunes and Amazon.com.

“It’s very important to me to push out my character and hopefully my good reputation as far as possible, and that means being open,” he said, dismissing any privacy concerns by adding, “I simply have nothing to hide.”

It prompted an outpouring of almost unanimously negative comments, e.g.

Lack of common sense. That's all I can attribute it to. Seriously, what real or tangible purpose does posting everything you do or purchase serve. You can call me old fashioned, but privacy is something I (and countless other millions) would like to continue to enjoy.

and

I am a very private person and find appalling this need people have to expose everything about themselves on the web. I do not understand it. But I generally find the entire culture, from the worship of vapid celebrities to 50% high school drop out rates, appalling. None of it bodes well.

and

Years from now, when we look back, this sort of thing will be to the 2010s what polyester pants were to the 1970s.

Is this sharing part of a growing trend toward decreasing privacy or is it a temporary fad, perhaps more akin, in its risks and long-lasting repercussions,  to taking acid in the 60’s than to wearing polyester pants, but nonetheless a passing fashion?

By the time you read this, most of the websites mentioned will be gone.  In a couple of years, the form of providing information will have transformed, so that today’s “status updates”, “tweets” and “check-in” will indeed sound dismally out of date.  However, the concept of sharing extensive and seemingly mundane information online may well continue, for its social value goes beyond satisfying narcissistic tendencies.

4.1.Facets of identity

We all work to create an impression on other people – to make them think a certain way about us.  This impression, or “face”,  changes given different audiences and varying contexts (Goffman 1966)[7].  Sometimes we want to seem authoritative and knowledgeable; at other times, with other people, we may want to seem loving or empathic or in need of care. 

We are not always able to present the face we ideally wish to show.  I may want to show my boss that I am really brilliant and responsible, but if my job is very menial, I may have little opportunity to do so.  Or, information may surface that is contrary to what I want the others to know – that disrupts and distorts the face I wish to present.  Thus, the embarrassment that occurs when you are out with new and old friends, and one who has known you for a long time tells revealing stories out of your past that contradict your current image.  

Such disruptive information is a form of privacy violation.  It is the revelation of information that was meant for one context into another one (Rosen 2000).  These violations need not be malicious or even intentional.  An embarrassing loss of face can occur if you are out in the park in old clothes, playing silly games with your dog, when a colleague from work, to whom you have always maintained a formal and serious demeanor, spots you.  Indeed, simply being in the presence of people you know from disparate social contexts makes such privacy violations likely.  It is awkward to encounter them together – simply choosing which voice to use means that to some members of the mixed audience you will seem to be acting out of face. 

Privacy violations are thus not only a matter of revealing what we think of as “private” information – our weight or salary or romantic interests – but also anything about us that we did not want to have presented in a particular context, even if it is quite innocuous in another.  Even information of which we are quite proud of in one context can be embarrassing in another.  In a professional context it may be perfectly normal, even necessary, to display one’s knowledge and achievements.  Yet in the company of old friends one might want to appear more modest – the professional mode would be misunderstood as unappealing, self-promoting and out of face.

In the pre-Internet, face to face world it was relatively easy to keep one’s social contexts separate (though not always successfully – the discomfort of keeping face in the presence of people from different and incompatible social contexts is the basis of farcical writing dating back to [early example]).  Online, however, these contexts often collapse.   On a social network site, readers of your updates and the writers of comments about them may include your colleagues, your anarchy-espousing college roommate and your prim great-aunt.   (Donath and boyd 2004)

Of course, not all contextual mixings bring embarrassment.  They also provide depth to the impression we have of each other.  It is nice to know that your friend is a well-respected expert in her professional life, or that your highly efficient colleague is sweet and silly with his toddler.   Politicians running for office strive to keep a balance between the humanizing effect of allowing us to see them with their families, and maintaining the aura of authority and competence that a be-suited official image conveys. 

Technology – in particular search engines such as Google -  makes it more difficult to maintain the separation we have in the physical world between different roles and  personality facets.  Sometimes this is deliberate.  Mark Zuckerberg , the founder of the giant social networking site Facebook has stated that one of his goals is breaking down these social walls between people, and Facebook’s design strongly encourages people to present personal updates, including photos of family vacations, announcements of work travel, statements of political opinion and religious belief, in a single undifferentiated context.   “You have one identity” Zuckerberg has said  “Having two identities for yourself is an example of a lack of integrity”(Kirkpatrick 2010 p. 199).  

The demand for a single, un-nuanced self-presentation oversimplifies the complexity of human personality and human social existence.  We play different roles in different situations – I may be silly and playful with young children, yet also have absolute authority with them, neither of which is my role with a senior colleague. The varying facets of ourselves we show to people results from having different relationships and things in common with each.   

Furthermore, this stance is at best naïve about the importance of privacy to people outside of the mainstream, whose beliefs and practices leave them vulnerable to harassment or persecution.   It is easy to espouse the extreme transparency of an un-private life when your religion, your taste, and your lifestyle align with the values of those in power.   For others, privacy is essential to be able to discuss their ideas, practice their religion, show affection for their lover, etc.

It is not only the marginalized who seek privacy to avoid conflict.  Our ability to have a diverse society – to build communities of people who are different, who disagree about things – depends on our ability to mask our differences when necessary.  Indeed, “politeness” is primarily concerned with preventing overly honest interactions – we learn to be gracious when we are actually irritated, to say thank you when we are disappointed, to act calm when we are seething[8].  Both in the course of trying to present ourselves in as good a light as possible and in striving to be nice to others, we may act in ways that are at odds with how we actually feel.  

What is the social effect of being unable to present different facets of ourselves in different circumstances?   One possibility is that people will be more circumspect. They will keep information offline, and say mostly innocuous, even banal things.  Many users of Facebook have said they follow this strategy in order to not offend or act out of character to the diverse set of people who are privy to their updates. [cite?].  

Another, perhaps utopian, possibility is that people, upon seeing more about each other, will become more tolerant.  In 1985 the communication theorist Joshua Meyrowitz argued that media (at that time, primarily mass media) were breaking down the barriers between social groups by exposing facets of their lives and ideas that had previously been hidden from each other (Meyrowitz 1985). 

Understanding the role of technology in pushing society towards tolerance or divisiveness is complex.   Online forums bring very diverse groups of people together – but often these gatherings often result in highly polarized antagonisms.    Simply throwing people with fundamentally different beliefs together does not alone promote tolerance – usually the opposite.  However, the slower revelation that people with whom you already have some bond are in fact less similar to you than you thought may have better results.  

Being among strangers is the condition of being in public. Being among the same group of people after they have come to know each other is more of a private gathering, where one can reveal more about oneself.  If the initial group of strangers is homogeneous, it is easier to form the group – and there is less to be learned from others’ differences. If the initial group is quite diverse – as it often is online – the challenge is to create a situation where enough trust can be generated to establish trust; though much harder, there is potentially much more for the group to gain from the experience of coming to know each other. 

Private information is a social currency that we trade to establish trust. Close friends exchange confidences.  They do so to get advice and empathy; it also has the effect of bringing them closer: they have the bond of having trusted each other with information they do not share with others.   Telling something to me and no one else signals that you trust me.  If you tell me along with one hundred other people, there is no longer a special significance. Sharing information widely dissolves the trust through shared confidences aspect.  But sharing personal information engenders trust in ways other than the bonds of secrecy.  Through these confidences, people learn more about each other.  This knowledge is also a source of trust.

4.2.Identity technologies

Relentless honesty would lead to equally relentless strife. Yet society also cannot function with rampant dishonesty.  We need to find the right balance between honesty and kindness, and to achieve politeness without hypocrisy.   Technological designs play a role in this, making it harder or easier to present different facets to different people. 

Online, the extremes of anonymity and verified identity are relatively easy to create.  What is difficult to create online is the gray space of everyday life – the incomplete but functional privacy that comes from the spatial and temporal separation of home and work, friends and family. 

We can attempt to re-create our faceted identities, using multiple identifiers for different roles.  People do this, using one email address for games or dating, another one for work, a third for shopping or political activity, etc. 

There is a whiff of the illicit about this, for in our ordinary life we seldom, unless engaging in a forbidden activity, resort to using a false name.  Face to face, the separation in place and time between our social, familial and professional worlds is usually sufficient to give us the privacy we need to maintain the distinct facets we present to each.  Online, however, search engines conglomerate all data and activities carried out under a particular identifier, requiring the more radical separation of different identities. 

These separations are delicate, for a single link between two personas, two identifiers, makes it easy to connect them.  For example, a family that wants to keep secret how much they paid for their house can use a pseudonymous trust to buy it, in which case even though their town assessor publishes all house prices online, their name is not listed. However, as soon as something – an online c.v., a publicly posted party invitation, a news article – connects their name and address, all this data is united.   

In the physical world, the difference between private and public is often a distinction in space – you are in your room (private) or out in the street (public).  Online, privacy is often about identification – you are anonymous (private) or named (public).  Many physical spaces are semi-public: the gym, a classroom, restaurant, a party at someone’s house.  And many online identifications also straddle public and private: pseudonymous identifiers that maintain history and reputation, but are distinct from their creator’s real world identity.

First, let us clarify the distinction between anonymity, pseudonymity and veronymity.  Anonymity is when your words and actions cannot be traced back to you[9]. They exist entirely separately from any person:  with true anonymity, they are not linked with your future or past actions.   Pseudonymity is when your words and actions cannot be traced back to you, but are connected to a fictional name.  They are linked with other actions you (or others - it is possible to have a collectively created pseudonymous identity) perform using that identity.  A pseudonymous identity can have an extensive presence and a carefully maintained reputation.  Veronymity is when you act using your own identity.  We carry out most of our daily activities veronymously - our actions can be linked to our embodied self.

To connect with others we need to be somewhat vulnerable, somewhat open.  We must reveal a bit of ourselves.  It is part of the constant tradeoff of privacy vs. accessibility in the social sphere.   

Anonymity provides the greatest privacy, and the least accountability.  An anonymous statement contains information, but is devoid of the context of knowing who said it.  Without that context, it can be very difficult to judge the truthfulness and value of the statement.   Let us take, for example, an anonymous note that arrives at a politician's desk saying that the owner of a nearby factory has falsified safety records and is in fact violating key guidelines.  With no knowledge of who wrote this it is hard to know how much credence to give the note.  Was it an employee, concerned about safety but afraid to be identified because of the many possible repercussions?  Or someone from a rival business, hoping to cause damage? The note might contain information that would help the reader assess its veracity: detailed examples and dates of the false records would suggest that it was indeed an important warning to follow up.   "Whistleblower" cases are among the top reasons for maintaining, in a world of increasing identification, channels for anonymous communication.   The downside of anonymity is that without accountability, bad behavior is rife. 

Online, the negative aspects of privacy through anonymity are vivid and common.  Anyone who reads the unmoderated comments on any online article is familiar with the commercial spam and misanthropic rants that fill them, and horror stories of anonymous harassment repeatedly appear on the evening news.   It is easy to be (somewhat) anonymous online and any forum that allows anonymous participation quickly degenerates into hostile flame-wars and fills with spam. 

Many sites now require participants to identify themselves to avoid this.  Others moderate participation - they may allow verified participants to post easily, but hold anonymous comments until a moderator has vetted the remarks.  Pseudonymity, which encourages people to care for their accumulating reputation, provides both accountability and privacy.

The notion of “local” is central to privacy.  A private matter can be public within a small group; the privacy violation occurs when it spreads beyond the bounds of the intended group.  As our actions and interactions move online, the notion of local becomes one of identification.  Pseudonyms are local identities.

I can create a pseudonym that I will use, say, for doing product reviews online.  We would like these reviews not to be anonymous: part of their value is that one can see a whole history of someone’s taste, so you know if it aligns with yours.  A pseudonym keeps these reviews from being part of my public persona.  Why should I care?  I may be reviewing personal products – whether medicine for itchy feet or the book I just read or even just the restaurants I eat at or the hotdogs I buy.  Is this private information?  Some of it is.  Which is private is a personal decision.  One person might like to have all the fantasy novels that they read be part of what people know about them – for others, it is a private taste and not part of the public persona that they wish to fashion.  One person might want others to know about the elegant restaurant they visit (indeed, this display might be for them the main point of the visit) , while another might feel uncomfortable about publicly displaying such extravagance.  I may want to discuss controversial political matters without my opinions being part of my real-life public identity.  I may simply want to keep private how I spend my days:  I might have no problem with others knowing that I read the Times or buy Palmolive, but I do not want it to be part of my identity that I spend hours embroiled in virtual discussions.

We take for granted that many of the patterns of our behavior are private, because they are obscure.  But as more information is correlated and connected – even if it is all information that individually we are aware of as public data – the patterns that it reveals when analyzed and visualized can be far more revealing than any individual item.  

If search engines and others create vast and detailed pictures of us, they do so by aggregating everything associated with a particular identifier; if there are multiple identifiers that are known to refer back to the same person, all the various data that exists under each of those connected identifiers are also united.   To create a private space, one must act either anonymously or under a pseudonym.   Anonymity is generally not conducive to civility.  Thus, an important – but delicate – aspect of online privacy is the creation of multiple pseudonyms with rigorously maintained separations. 

5.Permanent records

Judge Benjamin Cardozo wrote in 1931:“What gives the sting to writing is its permanence in form. The spoken word dissolves, but the written one abides and perpetuates the scandal.” Ostrowe v. Lee, 175 N.E. 505, 506 (N.Y. Ct. App. 1931).

The online world is a hyper-public space that extends in time.   The biggest transformation in privacy and public space the internet has created is the retention of data into the indefinite future.  Our spoken words are ephemeral, disappearing as soon as we utter them.  Our traditional written words on paper are relatively controllable, individual objects: photos and diaries can be destroyed.   But the words and images that reside online are tenacious.  They are easily copied and live on in back-ups and other archives long after you think you have erased them.  While some things do indeed disappear, it is reasonable to assume that anything published online is there forever. 

We think of the past as private, with time creating a curtain that shields our present self from our earlier days.  Our mobile society has a mythology of personal reinvention and redemption.  We believe in moving on, in creating a new life for ourselves.  More prosaically, you may have spoken openly when you were young and single and jobs were plentiful, but now you want a more serious job or insurance.  Or, you are now going through a difficult custody battle and wish to be able to present yourself as being as mainstream and vanilla as possible.  

An ineradicable data shadow makes the past a part of the present.   Of especial concern is the fact that words and images taken from the past are, unless they were intended for a future public, taken out of context.  It is the display of information in an unintended context that defines a violation of privacy (Rosen 2000).

A generation ago, students went off to college as blank social slates, able to start fresh, create a new identity independent of their high school role.  Of course, not entirely new:  personalities, social skills, and interests did not change and the careless, charismatic athlete was quickly distinguished from the awkward and introverted mathematician.  What was escapable was the roles they’d outgrown;  in entering a new social ecology, they could  find a new niche.  Today students arrive with roommates already friended on Facebook, already calling them by the nicknames they had wished to shed. 

For those of us who grew up at a time when every move was a fresh start, this new inescapability seems invasive.  Yet those dislocating moves were a painful severance as well as a liberation, a harsh chopping away from the past as well as a fresh start.  The new inescapability is also a new continuity, ending an era of disposable pasts. 

Our ineradicable data shadows certainly present enormous challenges to privacy.  Yet making the past go away can be undesirable.  The nightmare of 1984 is not only the pervasive surveillance, but also the constant re-writing of history; Winston, the novel’s protagonist, works in the Ministry of Truth, his job to revise past news stories to keep them in line with the Party’s current positions.  

We are living in an experiment, shifting rapidly from a culture in which reinvention was singularly easy, due to great mobility and the relative anonymity of city life, to a culture in which the past is inescapable, a culture in which everything goes into your permanent record. 

Perhaps the cultural response will be a great belief in personal transformation.  Perhaps it will bring greater empathy, if we know more of the struggles someone had in becoming the person they are now.  Or perhaps our past may be dismissed for being too dissonant with the present. Many teens have been mortified when their mother brought out their baby pictures to entertain their date – but these pictures, no matter how embarrassing, seldom affect the date’s impression of the present day self.  The diapered baby is too distant to connect to the current person. 

Some legal scholars have proposed “reputation bankruptcy” as a potential (but problematic) solution to temporal privacy issues. [Rosen: NYTimes article ; Zittrain The Future of the Internet ].  There are legal precedents – convictions can be expunged from one’s records, and one of the important tasks for a trial judge is determining what evidence – what tales from the past – can be heard during a trial. 

Leaving out the considerable -- and given the reproducibility of information, probably insurmountable -- technological problems of instituting “reputation bankruptcy”[10], a theoretical social question remains: what about the past can legitimately be erased?  We have rules about what constitutes normal personal information polishing and what verges on deception.  Your resume, for example, is a history of your past jobs and education.   You may omit things, and even rearrange the document to obscure these omissions (e.g. the years you were out of the job market because of family, cult membership, incarceration, etc.).  But you are not allowed to pad it with non-existent accomplishments; if caught doing so you could face loss of your job and possible legal prosecution.  Social situations are murkier.  Advice columns frequently feature questions from people unsure about what they must tell a new romantic partner about their past - other lovers, financial bankruptcy, marriage, an arrest?

In the physical world, the image we present is not wholly under our control.  Our material resources and basic physical appearance, among others things, also shape it.  Online, too, many things are out of our control. We cannot control the things people say about us or the pictures they post.  As more of our everyday interactions move online, we must either participate in this medium, or live an increasingly sequestered life, off the virtual grid.  

We spend years learning how to behave in public, how to act in different contexts.  How will this play out online – how will we learn to control our data face, our online representation?  

Data shadows are still new.  In the physical world, we take for granted that we spend time and money crafting our appearance.   We need to learn to craft our virtual self, too.  Those who frequently study other people’s online data – who have a visceral sense of the portrait that data can draw – are the ones most likely to monitor and shape their online presence (Madden and Smith 2010).  For most people, the notion of shaping what is online about you exists is still an abstraction. 

Few of us have a clear idea about what information exists about us – and certainly not about how it all fits together, what sort of image about us it creates.  One design solution (explored more fully in chapter X “Data Portraits”) is to have a “data mirror” -- a visualization of the patterns made by your purchases, postings, playing, etc. -- to help you take control of your digital image. You might think your digital reflection is just fine, or you might look at it and think the virtual equivalent of “no more dessert!”  You could then decide that you want to make some of it private, buy some things with cash, or be meticulous about keeping an alternative persona. 

6.Observed everywhere – the physical melds with the virtual

Walking down a street today, I can see many people – strangers – going about their business.  Although we are all out in public together, we retain quite a bit of privacy.  I do not know where they are going or why, nor do I know much about them beyond what they have chosen to reveal about themselves.  Our privacy comes not from being hidden, but from being obscure. 

Today, the footage from the increasingly ubiquitous surveillance cameras in public spaces is effectively of anonymous people going about their unknown business. Only when there is reason for suspicion, e.g. a robbery, is the effort made to figure out who they are.

But once computers can recognize people and attach to their physical selves the vast hoards of official, commercial and social information about them, obscurity evaporates.  As face recognition improves (and in our online socializing, many of us unwittingly help by tagging images of our friends and ourselves), anyone will be able to point a camera at a stranger on the street, identify them and  see a vivid portrait of the data they have generated,  the reputation they have accrued, and the records they have left.

To us, this seems creepy; it is the end of privacy.  Think of how self-conscious you feel when someone is looking closely at you.  Now imagine that they can see a tremendous amount about you. Maybe this is not such a bad thing for you.  Maybe all the “public” records about you are things you are proud of – your job success, the articles you have published, the winning races you have run. However, maybe there are things about you online that make you cringe.  An embarrassing photograph – maybe drunken, or maybe just taken with an unfortunate angle and timing that makes you look as if you were.  A negative article.  The nasty flame war you got into years ago, the one that ended with everyone calling each other Nazis.  What about your search history?  Did you write a review for a book on what it is like to be married to an alcoholic?  Or for bad breath remedies? You might well find the merging of the virtual and physical selves uncomfortable, knowing that anyone else in the park, the café, who might be curious about you, could see all this.

But the future inhabitant of that hyper-public city, looking back at our current world, might find it unsettlingly opaque.  Enigmatic strangers surround us.  Yes, the astute observer can read quite a bit of identity information from passersby: we can recognize businessmen vs. construction workers, wealthy vs. poor.  Yet some wealthy people seek to be inconspicuous, while others who are poor strive to appear successful, and many people are reticently indeterminate, hiding lives of extraordinarily complexity under an unremarkable exterior.  Our unaugmented public display, while not entirely uninformative, provides a layer of privacy through vagueness and the ease of imitation.

Perhaps most unsettling to the time-traveler from the future would be our ignorance of how dangerous the strangers around us might be.  Is the man on the park bench by the playground just reading his book or is he a child molester scouting his prey?   Is the passerby who offered to help us with our flat tire a kind Samaritan or a potential thief?  Because of this ignorance, we treat everyone with suspicion.  If our car breaks down, we are told to stay inside with the doors locked, telephone the authorities for help -- and check their low-tech  ID carefully through the window before accepting aid.   (Those sorts of safety issues may give us our first taste of widespread social augmentation.  It is not hard to imagine a government deciding that in the name of security, all convicted felons or sex-offenders must virtually broadcast their status, perhaps with an easily read RFID tag. )

For the traveler from the augmented, hyper-public, fully identified future, accustomed to knowing so much about everyone around, our world would seem unnavigable, its inhabitants socially blind.

Is such a future inevitable?  The technologies that enable it – face recognition, big identity databases - are almost certain to exist.  But what form it will take is not yet clear. 

Space alone – and even the presence of surveillance – does not wholly define one’s level of privacy.  How identifiable you are is also important.  Surveillance cameras learn much less about an identically clad, hooded and masked populace.   If people feel oppressed by the watching eyes, they may respond, like paparazzi hounded celebrities, by venturing out only if thoroughly disguised.   But intense suspicion may fall on anyone who cannot be recognized.  The question of how identifiable one must be in public is already a subject of intense debate:

  “On grounds of security, however, I believe that both coverings [niqab and burqa] should be banned, as one cannot have faceless persons walking the streets, driving cars, or otherwise entering public spaces.” (Daniel Pipes in (An Unveiling: Separate, but Acceptable? 2006))

7. World changing

1999, Sun Microsystems chief executive Scott McNealy: “You have zero privacy anyway. Get over it”

December 2009, Google chief executive Eric Schmidt: “If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place."

Jan 2010, Facebook founder Mark Zuckerberg:  “People have really gotten comfortable not only sharing more information and different kinds, but more openly and with more people. That social norm is just something that's evolved over time.”

There is good reason to think that privacy, as we have known it, is disappearing.  As we shop, socialize and gather information online, we build a detailed and persistent trail of data about our interests and intentions.   We build some of it ourselves, with our check-ins, status updates, political rants and product reviews. Even without ever touching a computer, we amass a personal data shadow.  Marketers and others who stand to gain immensely from knowing us better, whether to guide our purchasing or influence our opinions, work to ensure that our daily tasks– whether virtual or real –are heavily instrumented to record our every action.  Cameras, whether hidden surveillance eyes or the ubiquitous snapshots of the tourist panopticon, transform our physical movements into archivable data.

The move to less privacy is perhaps inevitable and unstoppable.  We may not, at least in the foreseeable future, without some catastrophic upheaval, turn back on the data collection of this new information age.  The coming century will be one in which more and more is known about everyone.  

As we lose our privacy, we gain is a more public world.  What does this mean?

In a world where there is a great deal of privacy, where we know little of each other, people are free to act as they will, and there is little social pressure on them to conform.  Privacy supports diversity – where people have protected private space, they have freedom to be different from the more public mainstream ideal.   Online, privacy through anonymity safeguards dissidents and whistleblowers, but it also – and more frequently – is the shield for hackers and spammers. 

The more we know about each other, the more we can enforce social norms.  The more information that individuals must reveal about themselves in a society, the more influence the society has over what they do.  If the society is very rigid, then there will be very little freedom.  Yet if the society is very tolerant there will still be considerable freedom.

The permissiveness and openness of a society affects the value of privacy

In an intolerant society, much behavior is unacceptable and those who engage in it must do so secretly.  Privacy is very valuable, especially if you in any way deviate from the accepted norm.    A society that is publicly intolerant, but also provides a great deal of privacy might seem to us to be hypocritical, but it provides its members opportunities for greater liberty while also having the benefits of a conforming public culture (e.g. Victorian England, a boarding school with strict rules of behavior but lax dorm supervision, etc.) 

In a repressive regime one must publicly conform and there are few private spaces where difference is tolerated. When imposed by the government, this is totalitarianism. 

But people also choose to voluntarily live in strictly conformist societies with little privacy; e.g. they may join a strict religious group.   For those whose individual norms fit well with the groups, this can be a satisfying communal, cooperative life (Sosis 2003).  How pleasant life is in any community in which everyone knows everything about everybody depends on how narrow the community’s norms are, and for the individual, how well they fit them. 

In a liberal and tolerant society, privacy is less valued because the society does not seek to tightly control the individual – revealing personal data about yourself does not result in negative societal consequences. In a very open (and so far, utopian and theoretical) society that tolerates and even celebrates differences among people, extreme transparency is possible because there is no cost to being different. 

In practice, privacy protects diversity.  It can be very difficult to tolerate those who are significantly different from us.   A particularly thorny questions is the tolerance of intolerance:  when we believe in something strongly we see those who do not share our beliefs as wrong. By permitting people to have private space, a society can give people room to have their own beliefs, to act according to their practices – to, in the privacy of their home or their church, be less tolerant than the larger, public space requires. 

In a society where diversity thrives through privacy, people of different beliefs are segregated from each other. 

In a society that has little privacy, but is flexible and tolerant, people of different beliefs have the benefit of exposure to each other.  As we contemplate a future of diminished privacy, this is the societal ideal we must seek.

But ensuring tolerance is difficult.  It is especially difficult the more diverse the society is.  Nor is it guaranteed over time.  A society that is open-minded today – about your religion, sexuality, political beliefs, behavior, etc – may not be so open minded tomorrow.

Privacy supports the individual; publicity supports the group.  Our last century of unprecedented privacy has also been one of unprecedented consumption, a habit that is clearly and urgently unsustainable.  In theory, a less private world, in which, say, people’s consumption/carbon footprint followed them visibly about, would lead to public pressure to consume less.  But humans are complex.  Conspicuous consumption is still a mark of high status.  And, realistically, we are in much less danger of losing privacy for the enforcing of a collective good than we are of losing it to the marketers who use increasingly precise pictures of us to persuade us to consume ever more voraciously.

Ultimately, to retain the freedom and safety – the benefits of privacy – our designs must address the larger issue of safeguarding tolerance and supporting individuality in a growing public sphere.