Skip to main content

11. Privacy and Public Space

Published onApr 27, 2020
11. Privacy and Public Space

Technology is radically changing what is private and what is public in our daily lives. Our personal, professional, and financial interactions increasingly take place online, where almost everything is archived and thus potentially permanently searchable and publishable. Cameras are ubiquitous in public plazas; our strolls are recorded by storeowners, government agencies, and, of course, our friends, who post and tag pictures of us. We share our location both deliberately via updates to locative social media and inescapably via our location-aware smartphones.

Communication technologies have been disrupting our notion of privacy for over a century. In 1890, Warren and Brandeis wrote “The Right to Privacy,” one of the fundamental legal articles on privacy, and many of the concerns it raises are still troubling today.

Recent inventions and business methods call attention to the next step which must be taken for the protection of the person, and for securing to the individual what Judge Cooley calls the right “to be let alone.” Instantaneous photographs and newspaper enterprise have invaded the sacred precincts of private and domestic life; and numerous mechanical devices threaten to make good the prediction that “what is whispered in the closet shall be proclaimed from the house-tops.” (Warren and Brandeis 1890, 195)

Historically, human interaction was local and ephemeral; only those nearby could witness it, and the words, once spoken, disappeared in the passing of time. Today, however, our interactions, and other’s observations of them, can reach across space and persist in time. Surveillance cameras open seemingly private rooms to distant and unseen observers; archives retain casual conversations and outgrown profiles, forever enabling their out-of-context and possibly inopportune redisplay. These technologies make it difficult to distinguish between what is private and what is public. We are often unaware of the recording of our words and actions, and do not intuitively grasp that casual interactions, once fleeting and ephemeral, are now permanently etched digital artifacts.

Privacy is about maintaining control of information about ourselves. This can include what we are thinking, what we said to another person, what we did last night, our undressed body, our favorite book, and so on. Privacy is also contextual (Nissenbaum 1998, 2004). I may dicuss my family problems with one friend, but not another, and I certainly would not want them to be publicly broadcast. I may be comfortable naked with my spouse, but not my coworkers. Privacy varies from situation to situation and culture to culture. I can freely share my taste in books if it is innocuous, if it is congruent with the mores of my community, or if I live in an open and tolerant society. But if my taste reveals my deep religious commitments in a vehemently secular context or, vice versa, proclaims my atheism in a religious world, I may prefer to keep my reading habits more private—not necessarily secret, but limited to the people who I feel are accepting of my beliefs.

Privacy is important because access to private information about us by the wrong person or agency can be harmful. The direst concern is with an intrusive and repressive government, like Big Brother of 1984 and the spies and agencies of recent and ongoing totalitarian regimes. Even for those of us lucky enough to live in a more open society, history shows that governments are in constant flux, and there is no guarantee that today’s democracy will be free forever. The data now collected for innocuous reasons may be used tomorrow by a less benign authority.

There are also concerns about employers and insurers who can hire, fire, and deny services based on information they have been able to glean about us. More insidiously, there are people and institutions who may not directly harm us, but whose motivations do not align with our own. Marketers, for example, are among the most voracious amassers of information about what people do and say online. Are they working for us, helping us find the goods and services we need? Or are they working against us, manipulating our tastes and values to make us believe we have a ceaseless need for new purchases?

In these examples, we are concerned about protecting our privacy from outside agencies, from governments and corporations that seek to constrain and influence our beliefs and behaviors. But there is another, social aspect of privacy. We need privacy to maintain a variety of relationships with diverse people (Rachels 1975). I may tell an off-color joke or use profanity in front of my friends, among whom it is an accepted way of speaking. But I would not use this language in front of my great aunt, who would be shocked, or my children, to whom I try set an example of model behavior, or my colleagues, whom I want to think of me as composed and dignified. Thus, I would be quite discomfited to find that a recording of my friends and me joking around in this manner was circulating among my relatives, kids, or coworkers. Until recently, it was unlikely that such a recording would exist. Today, camera-equipped phones, designed for easy and instant publishing of their content, are present in most social situations, making every acquaintance a potential paparazzo. Dinner-party attendees post live updates from the table about the conversation and the food. Both online and off, it is becoming harder to discern who is privy to one’s words and easier to promulgate conversations and other activities to people outside the intended audience. Technology is eroding our ability to keep separate the many facets of our lives.

Privacy is important, but more privacy is not always better. We can protect our privacy by saying nothing and leaving no traces. Taken to an extreme, a very private world is anonymous, lonely, and anarchic. We need to have public realms, where we encounter new people and new ideas and where self-imposed constraint on actions, rather than the absence of watching eyes, maintains privacy. Vibrant public spaces are of great value to a community. Public spaces are for celebrations and protests, for commerce and socializing; by being out in public, we see how others appear and act. There is an energy that comes from being seen by others and making the effort to act in our public role.

In some ways, technology is making our world more private. It was not so long ago that we could easily see what our fellow subway riders were reading because their books and magazines were clearly visible. Today, tiny screens hide what people are reading or listening to on digital media. This is a small but significant loss in the social vividness of the city, as taste in books and music is one way people define their social identity. Many workplaces have become eerily silent, as employees who once gathered to chat at water coolers now stay in their offices (or even at home), communicating mostly online. The sociability that was once available simply by being in a public space is diminishing.

In other ways, technology is creating new public spaces. The Internet provides numerous platforms for public speech; we can voice our opinions, display our photographs, and publish our songs to a global audience with unprecedented ease. What we do in these new, mediated public spaces is much the same as what we do in traditional public spaces: we seek out entertainment, support political causes, and meet new people. But mediated public spaces are significantly different; words and images persist indefinitely, audiences are often invisible, and people’s identities range from wholly anonymous to extensively documented. These new forms of public information can help reinvigorate public space, but they can also be a nightmare of violated privacy and repressed behavior. (And the line between physical and mediated spaces grows blurrier. We enter mediated public spaces when we go online from the privacy of our computer screens. We also enter them, perhaps unwittingly, when we walk into a space where cameras and other recorders are transforming ephemeral physical actions into archived data traces.)

The design of new technologies shapes private life and public space.1 Design can make a camera invisible or prominent, and it is a design choice to publicly display its video to the people it records or to show it secretly only to a distant watcher. It is a design choice for a social network site to allow its users to present different facets of themselves to different people or to insist that they present the same view to all. Yet knowing which design to choose is complicated. Privacy is not an unmitigated good: it involves trade-offs with public life, sociability, safety, and convenience. Furthermore, a design that seems to protect privacy may ultimately compromise it. For example, if I write something today in a conversation that is kept private among a small group, but my words persist into an unprivate future and are eventually publicly revealed, might my privacy have been better protected if I had never had the expectation of privacy and acted accordingly?

Privacy and publicity are complementary and need to be in balance. A world in which everything is private, in which you see little of your fellow inhabitants, is a world without society. It is a world where people act in isolation, one where social mores have no place to develop. Alternatively, a world in which everything is public is one where social control is overwhelming, where every act and expression is open to scrutiny. We need public space, where we can encounter the new and unexpected, where we can see and be seen by others. And we need private space, free from the constraining norms of the greater world, in which to act as an individual and with a smaller group.

Indeed, public and private form a continuum. Many of our actions are public to some group—our family, our coworkers, our fellow cross-dressers or cat fanciers—but private to our other social groups and the rest of the world. The street is obviously public, but even in “the privacy of your own home” your family is also a public, with its own set of rules for how one behaves. How much control you have over the norms of a situation affects whether you perceive it to be public and controlled by others or private and controlled by you. danah boyd notes that teenagers think of the family as public space and their friends as the private world, whereas adults perceive the opposite (boyd 2006).

Tolerance also affects our need for privacy. The drawbacks of a highly public world—intense social control, endless scrutiny—are ameliorated in a society that accepts and protects diversity of opinions and behaviors. When the public sphere is liberal and gives people much freedom, there is less urgency for privacy.

Many of the designs we discuss in this book change the balance between privacy and public space. For example, visualizations of interaction history can make past actions accessible to new, unforeseen audiences for far longer than if they had passed into the back pages of the digital archive. A designer who is aware of the privacy issues involved can modify the visualization to create the desired balance, in this case possibly by limiting the amount of older material that is included or personalizing the view so that people see only material they would have had access to at the time it was created. The goal of this chapter is to help the reader think through what that “desired balance” is in different situations, for we need to balance the public and the private, the collective good and personal liberty, for society to thrive.

Designs That Demarcate the Public and the Private

In a plaza, we assume that other people in the space can see us; we may be aware, too, of those looking out the windows of overlooking buildings. But new technologies make it harder for us to see those who see us. We are often unaware of the cameras that make us observable from miles away and for years to come. Online, we may know that we are posting a remark in a public forum, but we may not intuitively grasp the scale of the audience, nor the ways that this remark may become part of our growing virtual persona. Design plays an important role in enhancing privacy by clarifying the scope and boundaries of our ambiguous public spaces; it can help us understand what is public and what is private.

The illusion of privacy induces people to act, erroneously, as if they were in a private space. Online, many spaces feel as if they are very private—that one’s actions are seen by no one and that one’s words are perused by only a few. In fact, these actions are happening in a space that is not only public, in that many eyes can see it, but is also hyperpublic in that it can be seen for an extended time, in many contexts.

Designs can mislead us about the public extent of a space or they can make it quite legible: a hidden camera breaks open a space without the knowledge of those observed, a visible camera makes them aware of the possibility of being recorded and watched from afar, and a prominent live video feed makes it more vividly and intuitively clear that what happens in the space can be seen by distant and future viewers. We act differently in private than in public and need to be able to perceive those distinctions in order to act appropriately. Our knowledge is, however, inevitably asymmetric: a public display of the images and data gathered in a space provides proof that it is public, but just because there is no such display does not mean that the space is private.

Individuals’ standards of personal privacy vary; some desire attention whereas others seek isolation. A well-designed space, whether virtual or physical, should help them see who can see them and understand how far their words and actions can travel. It is then up to the person to choose how to act and what to reveal.

Making Audiences Visible

In our face-to-face communication, we take for granted the ability to see who is listening. Online, however, the audience is often invisible; we are aware of the people who participate actively, but we forget about the silent readers, who may greatly outnumber the vocal ones (Nonnecke and Preece 2003). This lack of audience awareness helps create the feeling of intimacy that can characterize even very large online discussions: people feel—and thus write—as if they are addressing only a few known companions, not the multitudes who may actually be reading. This can be good; the intimate tone of informal speech and personal revelation makes for more interesting reading than the stiffly self-conscious voice of someone addressing a vast audience. Yet this lack of awareness can create a voyeuristic dynamic in which people reveal far more than they would were they aware of the scale of the discussions.

We can redesign discussion sites to make the audience visible. One approach is to show the size of the audience without revealing the individual readers’ identity. We see such audience counters on Web pages; they are anonymous2 and do not discourage people from reading. However, they are not very intuitive: a page with a note at the bottom saying that there have been 10,000 visitors is not viscerally different from one that claims only 50. A graphical approach, even one simply showing dots for visitors, would provide a more vivid impression (figure 11.1).

Figure 11.1

Nelson Minar, Visualizing the Crowds at a Website* (1999). This visualization sketch displays visitors to a page as colored dots and one can see them move from page to page. Pages with recent visitors are bright (Minar and Donath 1999).

Making the size of the audience visible transforms the social dynamics of the interaction. A writer who becomes more aware of how large her audience is or how many strangers are in it might write more formally and disclose less personal information.3 Publicly disclosing the identities of the readers would have an even greater impact, making them more circumspect about what they could be seen perusing.

For readers, the obvious privacy concern is with controversial or embarrassing material. But making readers visible would also affect behavior around seemingly innocuous social material. Let us look at how this would affect, for example, status updates. As an invisible reader, I can peruse the updates of many friends and acquaintances, stopping to comment on only a very few, if any. The friends whose proud achievements, vacation photos, or latest jokes receive no comment from me do not know if I have said nothing because I do not care, cannot think of something to say, or simply have not seen them. As a named and visible reader, I would need to be more selective about what I read. And because it would be apparent that I was aware of something, I would often feel obligated to respond. I might choose not to read what promises to be an accounting of an important event, because I do not have the time to respond properly and do not want people to know that I have read and am aware of the event, but have said nothing. Visible readers have greater social responsibilities.

Our existing social norms influence our understanding of privacy. If we frame online writing as conversation, we often expect all participants to be visible. This is why, as we saw in chapter 7, nonparticipating readers may be called, pejoratively, “lurkers” even though as readers they benefit the active participants. In a face-to-face conversation or a telephone call, the norm is to be aware of the audience; an unseen listener is an eavesdropper. Allowing the speaker (or writer) to see who is listening is courteous rather than invasive. On the other hand, if we frame the writing as publication, we expect privacy for the readers. Reading privately is a revered right. Thus, if we think of social media as being like publishing, then making the audience visible is itself an invasion of privacy, reminiscent of asking libraries to reveal their patrons’ borrowing records or the concern over electronic books keeping tabs on their readers (Ozer and Lynch 2010). Naming the readers of, say, an online political tract has unpleasant overtones of state surveillance.

To support privacy, designs need to clarify the conceptual model underlying participants’ expectations of what they can see and what they can hide. The publishing model, with its invisible audience, is suitable in some situations, and the conversation model, with its mutually visible participants, is suitable in others. A social medium can follow either model; designing it to support privacy means providing cues to ensure that participants’ expectations match the medium’s affordances.

Seeing Surveillance

In some situations, the best way to protect privacy is to remind people that they are in public and that their audience may include unintended watchers. Mistaken expectations about privacy are frequent at work (Nord, McCubbins, and Nord 2006), especially as communication technologies blur the distinction between office and home. We chat online with friends while in the office, and keep up with professional duties from home. Employees often feel that their email and other communications are private, but they actually are not, especially if they are using company equipment and accounts. If a company says that management may scrutinize all email, it is important that the employees habitually think of their email at work as public communication. Yet although they may receive notices that their correspondence may be read and their online activities monitored, employees frequently do not understand that there is not a zone of privacy for personal correspondence or forget they may be observed.

Figure 11.2

Josh Knowles, ITP Student List Conversations (2007). This visualization shows the quantity and variety of email contact between students in an academic department (Knowles 2007).

Imagine a workplace common area with a big dynamic display that shows the flow of email in the company (see, for example, figure 11.2). Such a display is interesting as a social map of the company, but it also functions as a visceral reminder that these emails are not private. If I am secretly dating someone in the next department, it would make me think twice about sending him a note via company email. Do I want a connection between us to show up in a public display? If not, I need to find another way to reach him. If I want to schedule a confidential meeting with Human Resources to complain about my boss, it reminds me that he may read my email. Perhaps I should call, instead.

The display would not reveal the contents of the email; you could still send confidential company email to coworkers without any of the material being revealed to casual visitors, but you would be reminded and come to intuitively feel that your actions, when using the company’s communication technologies, are open in various ways within the company. It makes the virtual space semipublic, like the glass-walled offices that are popular in many businesses. We can close the door so no one hears what we are talking about, but anyone can see who is meeting with whom. This type of display would have a chilling effect on users, but that can be a good thing. Given that the employees’ correspondence is already monitored, they benefit from greater awareness, and the company benefits by having employees focus on work-related issues. (One might argue against tightly monitoring employees, but then the solution is for the monitoring to stop or be limited, not for it to exist while its subjects are only vaguely aware of it.) Design needs to balance the benefit of providing people with the knowledge that they are or might be watched with the cost to them of the pervasive anxiety this knowledge can cause.

In 1785, the English philosopher Jeremy Bentham proposed the “panopticon,” a prison designed so that prisoners could be under surveillance at any time but would be unable to tell at any given moment if they were actually being observed or not (see figure 11.3). Though at any particular time they might be unobserved, they would need to act at all times as if they were under an omniscient and omnipresent eye (Bentham 1791). The concept of the panopticon resonates in a world where surveillance is increasingly ubiquitous. Social theorist Michel Foucault wrote in Discipline and Punish, his history of prisons and punishment, “The panoptic schema, without disappearing as such or losing any of its properties, was destined to spread throughout the social body; its vocation was to become a generalized function” (Foucault 1979, 207).

Figure 11.3

Statesville Prison in Illinois is one of many prisons built on a panoptic model. A single guard in the center tower could watch hundreds of prisoners in their surrounding cells.

Though the phrase “ignorance is bliss” sounds unsettlingly like the Party’s slogans in 1984,4 it actually comes from an eighteenth-century poem that suggests that given the inevitability of suffering and death, it is better to enjoy life without being consumed with thoughts of the misery to come (Gray 1753). How much should we be aware of the possibility of surveillance? When is it better to know, and to anxiously limit what we say and do, and when is that self-censorship itself a problem? The answer depends on who is watching.

Who Is Watching Us?

Our feelings about being observed depend on who is observing us. Why are they watching us? Is it for our own good, or does it harm us? Is it an asymmetric observation, where they watch us while we are unaware of them? Or is it an experience of mutual assessment? This book focuses on private and public social interaction, where controlling and revealing personal information is part of negotiating trust and establishing bonds among individuals. Yet we need to be aware of others who observe our actions—governments, employers, insurers, marketers—whose purpose may be detrimental to us. They add a cost to our interactions that may be steep enough to make us rethink how we act or demand a greater degree of privacy in our social spaces.

Most readers of this book live under nearly constant government surveillance in public spaces. Security cameras, increasingly able to recognize faces, monitor stores, parks, and streets. This surveillance is increasingly pervasive in seemingly private spaces too. Private phone conversations may be surreptitiously recorded and one’s shopping, Web browsing, and travel activity analyzed. The aim of this surveillance is to combat terrorism and crime; many citizens support it, especially at times and in places where fear of attack is high. It is benign to the extent that the government’s laws and actions are just. Yet even a just government can have corrupt or overzealous departments and individuals. And governments change, whereas databases last forever.

Governments are not the only watchers. Corporations watch, too. They want to know if you are credit worthy, insurable, or employable. Many people in Europe and the United States see this as a more immediate concern than government repression, for though they think of themselves as generally law-abiding, they have done things that could make them ineligible for a desired service or position. Feeling that all your actions, everywhere, must conform to a company’s ideal puts tight constraints on behavior. Yet, some of this observation is for our own benefit. Having our data used for medical purposes is generally helpful, letting us and/or our doctors make better decisions for our health. However, insurers’ use of that same data is often harmful to us when they seek information that allows them to refuse to reimburse us for medical expenses.

Surveillance can be indirectly beneficial. The government may intrude on our privacy for our own good, claiming that it needs information about everyone to protect against terrorists and criminals (Baker 2003; Cole and Dempsey 2006). We may benefit from the government having access to other people’s information, but we do not derive any benefit from—and arguably are harmed by—their access to our own information. Here we need to weigh the benefits against the privacy costs. (What has been disturbing in the years since 9/11 is the claim that fighting terrorism is infinitely important, trumping all costs.) Can the government maintain security with lower privacy costs, for example, by diligently destroying information as soon as it is reasonably deemed irrelevant? And what are the social costs? If the government uses the data it finds this way for suppressing dissent, the cost is extremely high.

Whether marketers’ use of our private information is beneficial or not is up for debate. They claim that by being able to better target advertising to our wants and needs, they can provide information that is more relevant to us—which sounds helpful. However, the “benefit” of being persuaded to consume more, of ever more skillfully and subtly being made dissatisfied with what we have, benefits the advertiser and its client, but is arguably quite costly to us—and the environment.

The benefit to us of employers, school admission offices, and the like having access to private information is also complex. Admission and employment are generally zero-sum games; someone will be hired, and one person’s loss is another’s gain. The key issue is whether the information the employer is using is relevant to the decision. If it is—if it helps her make a better decision and is in line with what the community thinks is pertinent information for assessing that sort of job or opportunity—then it is beneficial. Though it may cost one person the job, another, presumably better-suited person does get it. The problem is when the information used is not materially relevant to the decision. This is a matter for the community to decide (though what constitutes the community and how they made this decision is not always clear). The United States as a country is a community that has outlawed racial and other forms of discrimination in hiring. Interviewers are privy to the applicants’ race and gender, but are barred from using it in their assessments. We need to make similar determinations about the use of all kinds of private data: health information, online comments, photographs, and so on.

In his essay “On Face-Work,” Erving Goffman wrote:

Every person lives in a world of social encounters, involving him either in face-to-face or mediated contact with other participants. In each of these contacts, he tends to act out what is sometimes called a line—that is, a pattern of verbal and nonverbal acts by which he expresses his view of the situation. … The term face may be defined as the positive social value a person effectively claims for himself by the line others assume he has taken during a particular contact. … A person may be said to have, or be in, or maintain face when the line he effectively takes presents an image of him that is internally consistent, that is supported by judgments and evidence conveyed by other participants and that is confirmed by evidence conveyed through impersonal agencies in the situation. … A person is said to be in the wrong face when information is brought forth in some way about his social worth which cannot be integrated … into the line that is being sustained for him. (Goffman 1967, 5)

A very different category of observers is other people in a social setting: “Although Big Brother actions may threaten life and liberty, it is interpersonal privacy matters that figure primarily in decisions about technology use on an everyday basis” (Palen and Dourish 2003, 130). This is the privacy of social mores, of social expectations, of keeping face and experiencing embarrassment. This social privacy is changing as our interactions move online, where they are stored, archived, collated, visualized, and permanently retrievable. We are entering a world where the impression we make comes not just from our present demeanor, but also from a vast shadow of past words, photos, and others’ comments. Much has been written about technology and changing expectations of external privacy, but the impact of new media on social privacy and public space is not as well understood. Why do people want to know private information about each other, and why do people want to provide it? Is this beneficial or not? Who benefits? Who loses?

Managing Identities

In the physical world, we maintain privacy through the separation of different facets of our lives. Coworkers with strongly differing political or religious beliefs can get along by not discussing those facets of their lives at lunch together; parents of young children can be silly and warm at home yet in charge and imposing at work. For everyday privacy, the distance between work and home, or between different sets of friends, can be sufficient to keep different aspects of our identity separate. Online, we need stronger walls between the aspects of our lives we wish to keep distinct.

We all work to create an impression on other people—to make them think a certain way about us. This impression, or “face,” changes given different audiences and varying contexts (Goffman 1966). Sometimes we may want to seem authoritative and knowledgeable, while at other times, with other people, we may want to seem loving or sinister, empathetic or helpless. But we cannot always present the face we ideally wish to show. I may want to show my boss that I am really brilliant and responsible, but if my job is very menial, I may have little opportunity to do so. Or, information may surface that is contrary to what I want the others to know—that disrupts and distorts the face I wish to present. For example, if I’m out with a group of new and old friends, one who has known me for a long time might tell revealing stories from my past that contradict my current image. Such disruptive information is a form of privacy violation: information that was meant for one context has been revealed in another one (Rosen 2000). These violations need not be malicious or even intentional. Indeed, simply being in the presence of people you know from disparate social contexts makes such privacy violations likely. It can be awkward to encounter people from various social circles together—simply choosing which voice to use means that to some members of the mixed audience you will seem to be acting out of character.

Mixing social contexts can also be beneficial, providing depth to the impressions we have of each other. It is nice to know that your friend is a well-respected expert in her professional life, or that your highly efficient colleague is sweet and silly with his toddler. Politicians running for office strive to keep a balance between the humanizing effect of allowing us to see them with their families and maintaining the aura of authority and competence that their official image conveys.

Technology Collapses Contexts

In the pre-Internet face-to-face world, it was relatively easy to keep one’s social contexts separate. Online, however, these contexts often collapse. On a social network site, readers of your updates and the writers of comments about them may include your colleagues, your anarchy-espousing college roommate, and your prim great aunt (Donath and boyd 2004). Technology, including search engines and social network sites, makes it more difficult to maintain the separation we have in the physical world between different roles and facets of our personality. Sometimes this is deliberate. Mark Zuckerberg, the founder of Facebook, has stated that one of his goals is to break down these social walls between people; and Facebook’s design strongly encourages people to present personal updates, including photos of family vacations, announcements of work travel, statements of political opinion and religious belief, in a single undifferentiated context. “You have one identity,” Zuckerberg has said; “having two identities for yourself is an example of a lack of integrity” (D. Kirkpatrick 2010, 199).

This demand for a single, un-nuanced self-presentation oversimplifies the complexity of human personality and human social existence. Furthermore, this stance is at best naive about the importance of privacy to people outside of the mainstream, whose beliefs and practices leave them vulnerable to harassment or persecution. It is easy to espouse the extreme transparency of an unprivate life when your religion, tastes, and lifestyle align with the values of those in power.5 For others, privacy is essential to be able to safely discuss their ideas, practice their religion, show affection for their lover, and so on. However, not only the marginalized seek privacy to avoid conflict. Our ability to have a diverse society—to build communities of people who are different, and who disagree about things—depends on our ability to mask our differences when necessary. Indeed, “politeness” is primarily concerned with preventing overly honest interactions; we learn to be gracious when we are actually irritated, to say thank you when we are disappointed, and to act calm when we are seething inside.6 Both in the course of trying to present ourselves in as good a light as possible and in striving to be nice to others, we may act in ways that are at odds with how we actually feel.

What is the social effect of being unable to present different facets of ourselves in different circumstances? One possibility is that people will be more circumspect. They will keep more information offline, and say mostly innocuous, even banal things. Many users of Facebook have said they follow this strategy in order to not offend or act out of character to the diverse set of people who are privy to their updates (Lampinen et al. 2011). Another, perhaps utopian, possibility is that people, upon seeing more about each other, will become more tolerant. In 1985, the communication theorist Joshua Meyrowitz argued that media (at that time, primarily mass media) were breaking down the barriers between social groups by exposing facets of their lives and ideas that had previously been hidden from each other (Meyrowitz 1985). Understanding the role of technology in pushing society toward tolerance or divisiveness is complex. Online forums bring together very diverse groups of people, but these gatherings often result in highly polarized antagonisms. Simply throwing people with fundamentally different beliefs together does not by itself promote tolerance; usually the opposite occurs. Time can bring better results, as when you learn that someone with whom you already have some bond is less similar to you than you had thought; here the existing tie motivates learning more about why the other holds these disparate beliefs.

As a group of people gets to know one another better, the experience of being together transforms from the public experience of being amidst strangers to the more trusting and private experience of being among friends. As strangers, we are circumspect about what we tell each other and unable to predict each other’s actions. As we learn anything about another, it helps us to categorize him, to feel as if he is a familiar type, and to know what to expect from him. Furthermore, we may exchange confidences with someone, private information that functions as a social currency which we trade to establish trust. This engenders trust through secrecy; confidants have the bond of trusting each other with information they do not share with others. Telling something to me and no one else signals that you trust me; if you tell me along with one hundred other people, there is no longer a special significance. Sharing information widely diminishes the trust achieved through shared confidences.

To connect with others we need to be somewhat vulnerable, somewhat open. We must reveal a bit of ourselves. It is part of the constant trade-off of privacy versus accessibility in the social sphere.

Creating Context with Pseudonyms

Online, the extremes of identity—anonymity and real-name identity—are relatively easy to implement. It is the gray space of everyday life that is difficult to replicate, the incomplete but functional privacy that comes from the spatial and temporal separation of home and work, friends and family. We can attempt to recreate our faceted identities, using multiple identifiers—pseudonyms—for different roles. People do this by using one email address for games or dating, another one for work, a third for shopping or political activity, and so on. Face to face, the separation in place and time between our social, familial, and professional worlds is usually sufficient to give us the privacy we need to maintain the distinct facets we present to each. Online, however, search engines conglomerate all data and activities carried out under a particular identifier, requiring a more radical separation of different identities. These separations are delicate, for once there is a single public connection link between the two personas, the identities are linked.

The notion of “local” is central to privacy. In the physical world, the difference between private and public is often a distinction in space: you are in your room (private) or out in the street (public). Between these extremes is “locally public.” Many private spaces are locally public: a classroom, restaurant, office, a party at someone’s house. A private matter can be locally public, within a small group; the privacy violation occurs when it spreads beyond the bounds of the intended group. As our actions and interactions move online, privacy centers around identification: you are anonymous (private) or named (public). Pseudonyms are local identities; they are identifiers that maintain history and reputation, but are distinct from their creator’s real-world identity; one can have multiple distinct and separate pseudonyms.

I can create a pseudonym that I will use, say, for doing product reviews online. We would like these reviews to not be anonymous; part of their value is that we can see a whole history of someone’s taste, so you know if it aligns with yours. A pseudonym keeps these reviews from being part of my public persona. Why should I care? I may be reviewing personal products, whether medicine for itchy feet, or the book I just read, or even just the restaurants I eat at or the hotdogs I buy. Is this private information? Some of it is. What parts of it are private is a personal decision. One person might like to have all the fantasy novels that he read be part of what all people know about him; for others, it is a private taste and not part of the public persona that they wish to fashion. One person might want others to know about the elegant restaurant he visits (indeed, this display might be for him the main point of the visit), while another might feel uncomfortable about publicly displaying such extravagance. I may want to discuss controversial political matters without my opinions being part of my real-life public identity. I may simply want to keep private how I spend my days: I might have no problem with others knowing that I read the Times or buy Palmolive, but I do not want the fact that I spend hours embroiled in virtual discussions to be part of my identity.

There is a whiff of the illicit about this, for in our ordinary life we seldom, unless engaging in a forbidden activity, resort to using a false name. Yet pseudonyms provide both accountability and privacy if they are implemented in a manner that encourages people to establish a good history and reputation with them. (The data portraits we discussed in chapter 8 are one approach to creating a memorable representation of an individual without relying on his or her real name and physical appearance.) Online, pseudonymity recreates the level of personal privacy we expect in our everyday lives.

Holes in the Boundaries of Space and Time

Twentieth-century America was in many ways the most private of societies. Huge numbers of people migrated to the relative anonymity of cities, surrounded by strangers. It was the century in which going to the bank went from a social exchange with a clerk with whom you exchanged pleasantries and greetings to the much more efficient but impersonal interaction with a bank machine. Big companies transferred their employees every few years, resettling them in new faceless suburban tracts with wide and empty streets. Television moved entertainment from public theaters to private homes. Not only did we not know our neighbors’ secrets, we did not even know their names. Privacy slid into isolation. Yet at the same time, it was becoming the most public of societies. At the beginning of the twentieth century, women ventured out only if properly covered up from wrist to ankle; by midcentury, they were on beaches wearing bikinis. Television let ordinary people expose their personal quirks in front of millions, coyly at first with programs such as The Newlywed Game, and accelerating to today’s relentless broadcasts of plastic surgeries, family court battles, childbirth close-ups, and hoarders’ piles of dirty laundry.

Richard Sennett, in his book The Fall of Public Man (1976), traces changing expectations among the upper class in the eighteenth and nineteenth centuries about how much knowledge one was expected to have in advance about new acquaintances. Eighteenth-century court society was a small world in which everyone knew or knew about everyone else. Upon introduction, the greeting convention was for the person of lower social standing to flatter the other extensively, mentioning his accomplishments and position. The assumption was that while you might meet new people, they would not be total strangers, but known-of entities within your greater community. As the center of social life moved from the court to the city, such meetings, even in the same rarified upper class, became encounters between strangers who as the decades passed knew less and less about each other. Public space became a world of encounters with strangers and people became more private in their public behavior; for example, public clothing became more guarded and less expressive.

Entering the twenty-first century, American society is also, for the most part, a tolerant one. This, plus the abundance, if not excess, of privacy, creates a world in which many people place a low value on privacy. We post updates about our dates, our health, and our political beliefs. At the extreme, we allow cameras to follow us day and night, discuss our family’s unhappiness on TV, and describe the minutiae of our daily life in tell-all blogs and memoirs. The openness of our society appears to be self-perpetuating: the more we see and hear of others’ thoughts and actions, the less shocked we are by differences and the more tolerant our society becomes—and the less value we place on privacy.

America is the “Wild West” of privacy in two opposite ways. First, the myth of the frontier, of the endless ability to move West and start over as an unknown, history-free stranger, is deeply rooted in its culture; this is privacy through reinvention (Copple 1989). Second, however, privacy is not well protected. In America, it is open hunting season on data, as compared to Europe, where numerous laws govern the collection and use of citizens’ information (Bignami 2007). Europe does not have the mythology of endless reinvention: many people still live in the towns and villages of their ancestors, deeply aware of how long one’s history can linger. Europeans also have more immediate and vivid memories of the horrors a totalitarian regime can inflict and how it can use records to terrorize people. Thus, as we attempt to understand the rapid, technologically precipitated changes in our current experience of public and private, we need to keep in mind that our sense of “normal,” of the proper balance between the two, was formed in a particular place and time, and is neither culturally nor historically universal (Solove 2002).

In the 1990s, it was difficult to find out much about a person who was neither famous nor personally known within one’s social group. Today, whenever you come across a new person—a name mentioned in a news article, a person seated across from you at a business lunch, a potential babysitter—the first thing you are likely to do is to Google him. For some people, there is still very little information. But many others have extensive dossiers: pages of links to papers they’ve written; articles about them; photos at parties; blog postings reaching back several years; court records of their divorce and custody battles; their arguments in forums; and their reviews of shoes, hotels, and antifungal creams. Our social expectations are changing. It now seems strange if no information comes up in a search on someone you meet in a professional context. Has she really left no mark online, not even a posting? Has she not inspired anyone to say anything about her? Today we expect to be able to find data about others. This also changes what we expect others to know about us. If I am meeting someone for the first time, say, a researcher from a distant university, how much should I know about him? If I know nothing, it can seem a bit insulting, as if I did not think he was important enough to look up. Yet if I do such a search, and now I know that his dog recently died or he spent several years living in Mumbai, how do I bring up this personal knowledge I have about someone who had been a stranger only minutes before? We need new etiquette to help us appear to be interested and attentive, but not creepy stalkers.

Like celebrities who both crave fame yet complain about the cameras that follow them, we are ambivalent about whether we want more publicity or more privacy. People’s reactions to these social changes vary greatly. A newspaper article about sharing in social media described people who enthusiastically and publicly post such things as what they ate, the clothes they bought, and where they are (Stone 2010, A1):

Mr. Brooks, a 38-year-old consultant for online dating Web sites, seems to be a perfect customer. He publishes his travel schedule on Dopplr. His DNA profile is available on 23andMe. And on Blippy, he makes public everything he spends with his Chase Mastercard, along with his spending at Netflix, iTunes and

“It’s very important to me to push out my character and hopefully my good reputation as far as possible, and that means being open,” he said, dismissing any privacy concerns by adding, “I simply have nothing to hide.”

It prompted an outpouring of almost unanimously negative comments, such as:

Lack of common sense. That’s all I can attribute it to. Seriously, what real or tangible purpose does posting everything you do or purchase serve. You can call me old fashioned, but privacy is something I (and countless other millions) would like to continue to enjoy.


I am a very private person and find appalling this need people have to expose everything about themselves on the web. I do not understand it. But I generally find the entire culture, from the worship of vapid celebrities to 50 percent high school drop out rates, appalling. None of it bodes well.


Years from now, when we look back, this sort of thing will be to the 2010s what polyester pants were to the 1970s.

Is this sharing part of a growing trend toward decreasing privacy, or is it a temporary fad? Perhaps it is more akin, in its risks and long-lasting repercussions, to taking acid in the 1960s than to wearing polyester pants, but nonetheless it still could be a passing fashion. By the time you read this, many of the websites mentioned will be gone.7 In a couple of years, the way we provide information will have transformed, so that today’s “status updates,” “tweets,” and “check-ins” will indeed sound dismally out of date. However, the concept of sharing extensive and seemingly mundane information online may well continue, for its social value goes beyond satisfying narcissistic tendencies.

Permanent Records

Judge Benjamin Cardozo wrote in 1931: “What gives the sting to writing is its permanence in form. The spoken word dissolves, but the written one abides and perpetuates the scandal.”8 The online world is a hyperpublic space that extends in time. The biggest transformation in privacy and public space the Internet has created is the retention of data into the indefinite future. Our spoken words are ephemeral, disappearing as soon as we utter them. Our traditional written words on paper are relatively controllable, individual objects: photos and diaries can be destroyed. But the words and images that reside online are tenacious. They are easily copied and live on in backups and other archives long after you think you have erased them. Although some things do indeed disappear, it is reasonable to assume that anything published online is there forever.

We think of the past as private, with time creating a curtain that shields our present self from our earlier days. Our mobile society has a mythology of personal reinvention and redemption. We believe in moving on, in creating a new life for ourselves. More prosaically, you may have spoken openly when you were young and single and jobs were plentiful, but now you want a more serious job or insurance. Or, you are now going through a difficult custody battle and wish to be able to present yourself as being as mainstream and vanilla as possible. But an ineradicable data shadow makes the past a part of the present.

A generation ago, students went off to college as blank social slates, able to start fresh, create a new identity independent of their high school role. Of course, not entirely new: personalities, skills, and interests did not change, and the careless, charismatic athlete was quickly distinguished from the awkward and introverted mathematician. But they could escape the roles they had outgrown; in entering a new social ecology, they could find a new niche. Today, students arrive with roommates already friended on Facebook, already calling them by the nicknames they had wished to shed.

For those of us who grew up in a time when every move was a fresh start, this new inescapability seems invasive. Yet those dislocating moves were a painful severance as well as a liberation, a harsh chopping away from the past as well as a fresh start. The new inescapability is also a new continuity, ending an era of disposable pasts. Our ineradicable data shadows certainly present enormous challenges to privacy. Yet making the past go away can be undesirable. The nightmare of 1984 is not only the pervasive surveillance, but also the constant rewriting of history. Winston, the novel’s protagonist, works in the Ministry of Truth; his job is to revise past news stories to keep them in line with the Party’s current positions.

We are living in an experiment, shifting rapidly from a culture in which reinvention was singularly easy, owing to great mobility and the relative anonymity of city life, to a culture in which the past is inescapable, a culture in which everything goes into your permanent record. Perhaps the cultural response to this will be a great belief in personal transformation. We may be more empathetic if we know more of the struggles someone had in becoming the person he is now. Or perhaps we will discount the past when it is too dissonant with the present. Many teens have been mortified when their mother brought out their baby pictures to entertain their date; but these pictures, no matter how embarrassing, seldom affect the date’s impression of the present-day self. The diapered baby is too distant to connect to the current person.

Some legal scholars have proposed “reputation bankruptcy” as a potential (but problematic) solution to temporal privacy issues. The idea is to allow people to make a fresh start by removing some or all of their history from the online record (Rosen 2010; Zittrain 2008). There are legal precedents; convictions can be expunged from one’s records, and one of the important tasks for a trial judge is determining what evidence—what tales from the past—can be heard during a trial.

Leaving out the considerable (and given the reproducibility of information, probably insurmountable) technological problems of instituting “reputation bankruptcy,”9 a fundamental social question remains: what about the past do we as a society feel is legitimate to erase? We have rules about what constitutes normal personal information polishing and what verges on deception. Your resume, for example, is a history of your past jobs and education. You may omit things, and even rearrange the document to obscure these omissions (for example, the years you were out of the job market because of family, cult membership, or incarceration). But you are not allowed to pad it with nonexistent accomplishments; if caught doing so, you could face losing your job and possible legal prosecution. Social situations are murkier. Advice columns frequently feature questions from people unsure about what they must tell a new romantic partner about their past—other lovers, financial bankruptcy, marriage, an arrest?

In the physical world, we take for granted that we spend time and money crafting our appearance. We need to learn to craft our virtual self, too. For most people, the notion of consciously shaping what is online about you is still an abstraction. Those who frequently study other people’s online data, who have a visceral sense of the portrait that data can draw, are the ones most likely to monitor and craft their online presence (Madden and Smith 2010). The visualizations of conversations and other social data that we discussed in the first half of the book are useful not only for perceiving others—they are an invaluable mirror for reflecting and grooming one’s virtual self.

Observed Everywhere

Walking down a street today, I can see many people (strangers) going about their business. Although we are all out in public together, we retain quite a bit of privacy. I do not know where they are going or why, nor do I know much about them beyond what they have chosen to reveal about themselves. Our privacy comes not from being hidden, but from being obscure. Today, the footage from the increasingly ubiquitous surveillance cameras in public spaces effectively shows anonymous people going about their unknown business. Only when there is reason for suspicion, like a robbery, is the effort made to figure out who they are.

But once computers can recognize people and attach to their physical selves the vast hoards of official, commercial, and social information about them, obscurity evaporates. As face recognition improves (and in our online socializing, many of us unwittingly help by tagging images of our friends and ourselves), anyone will be able to point a camera at a stranger on the street, identify her and see a vivid portrait of the data she has generated, the reputation she has accrued, and the records she has left.

Today, this seems creepy; it is the end of privacy. Think of how self-conscious you feel when someone is looking closely at you. Now imagine that he can see a tremendous amount about you—not just your face, hair, clothes, and body, but also all the information that is publicly available about you. Maybe this is not such a bad thing for you. Maybe all the public records about you are things you are proud of: your job success, the articles you have published, and the winning races you have run. However, maybe there are things about you online that make you cringe: a negative article; an embarrassing photograph—maybe you were drunk, or maybe the picture just makes you look as if you were; the nasty flame war you got into years ago, the one that ended with everyone calling each other Nazis. Did you write a review for bad breath remedies, or for a book you read on what it is like to be married to an alcoholic? What about your search history? How much time do you spend watching celebrity meltdowns, how much do you spend on weight-loss products? You might well find the merging of the virtual and physical selves uncomfortable, knowing that anyone else in the park or the café who might be curious about you could see all this.

But the future inhabitant of that hyperpublic city, upon looking back at our current world, might find it unsettlingly opaque. Enigmatic strangers surround us. Yes, the astute observer can read quite a bit of identity information from passersby; we can recognize businesspeople versus construction workers, wealthy versus poor. Yet some wealthy people seek to be inconspicuous, whereas others who are poor strive to appear successful, and many people are reticently indeterminate, hiding lives of extraordinarily complexity under an unremarkable exterior. Our unaugmented public display, though not entirely uninformative, provides a layer of privacy through vagueness, ambiguity, and the ease of imitation.

Perhaps most unsettling to the time-traveler from the future would be our ignorance of whether the strangers around us are dangerous. Is the man on the playground park bench just reading his book or is he a child molester scouting his prey? Is the passerby who offered to help us with our flat tire a kind Samaritan or a potential thief? Because of this ignorance, we treat everyone with suspicion. If our car breaks down, we are told to stay inside with the doors locked, telephone the authorities for help, and check their (low-tech) ID carefully through the window before accepting aid. Safety concerns such as these may give us our first taste of widespread social augmentation. It is not hard to imagine a government deciding that in the name of security, all convicted felons or sex offenders must virtually broadcast their status, perhaps with an easily read RFID (radio-frequency identification) tag. For the traveler from the augmented, hyperpublic, fully identified future, accustomed to knowing so much about everyone, our current world would seem unnavigable, its inhabitants socially blind.

In a world of ubiquitous surveillance, being in private requires being unidentifiable: surveillance cameras glean little about a hooded and masked populace. If people feel oppressed by the watching eyes, they may respond, like paparazzi-hounded celebrities, by venturing out only if thoroughly disguised. But intense suspicion may fall on anyone who cannot be recognized. The question of how identifiable one must be in public is already a subject of intense debate: “On grounds of security … I believe that both coverings [niqab and burqa] should be banned, as one cannot have faceless persons walking the streets, driving cars, or otherwise entering public spaces” (Pipes 2006).

World Changing

In 1999, Sun Microsystems chief executive Scott McNealy: “You have zero privacy anyway. Get over it” (quoted in Sprenger 1999).

In December 2009, Google chief executive Eric Schmidt: “If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place” (CNBC 2010).

In January 2010, Facebook founder Mark Zuckerberg: “People have really gotten comfortable not only sharing more information and different kinds, but more openly and with more people. That social norm is just something that’s evolved over time” (quoted in M. Kirkpatrick 2010).

There is good reason to think that privacy, as we have known it, is disappearing. As we shop, socialize, and gather information online, we build a detailed and persistent trail of data about our interests and intentions. We build some of it ourselves, with our check-ins, status updates, political rants, and product reviews. Even without ever touching a computer, we amass a personal data shadow. Cameras—whether hidden surveillance eyes or the ubiquitous snapshots of the tourist panopticon—transform our physical movements into archived data. Marketers and others who stand to gain immensely from knowing us better, whether to guide our purchasing or influence our opinions, work to ensure that our daily tasks, whether virtual or real, are heavily instrumented to record our every action. The move to less privacy is perhaps inevitable and unstoppable. We may not, at least in the foreseeable future, without some catastrophic upheaval, turn back on the data collection of this new information age. The coming century will be one in which more and more is known about everyone. And as we lose our privacy, we gain a more public world. What does this mean?

In a world where there is a great deal of privacy, where we know little of each other, people are free to act as they will, and there is little social pressure on them to conform. Privacy supports diversity; where people have protected private space, they have the freedom to be different from the public mainstream ideal. The more we know about each other, the more we can enforce social norms. The more information that individuals must reveal about themselves in a society, the more influence the society has over what they do.10

Thus, the permissiveness and openness of a society determines the value of privacy. In an intolerant society, privacy is very valuable, especially if you in any way deviate from the accepted norm. Many forms of behavior are unacceptable and those who engage in them must do so secretly. On the other hand, a society that is publicly intolerant but also provides a great deal of privacy might seem to us to be hypocritical, but it provides its members opportunities for private liberty while also having the benefits of a conforming public culture.

Repressive regimes are intolerant of dissent both in public and in private. When imposed by the government, this is totalitarianism. But people also sometimes choose to live in highly conformist societies with little privacy; for example, they may join a strict religious group. For those whose individual norms fit well with those of the group, this can be a satisfying communal, cooperative life (Sosis 2003). How pleasant life is in any community in which everyone knows everything about everybody depends on how narrow the community’s norms are, and for the individual, how well they fit them. In a liberal and tolerant society, privacy is less valued because the society does not seek to tightly control the individual; revealing personal data about yourself does not result in negative societal consequences. In a very open (and so far, utopian and theoretical) society that tolerates and even celebrates differences among people, extreme transparency is possible because there is no cost to being different; privacy here would be pointless.

In practice, privacy protects diversity. It can be very difficult to tolerate those who are significantly different from us, which brings up the issue of the tolerance of intolerance. When we believe in something strongly, we see those who do not share our beliefs as wrong. By permitting people to have private space, a society can give people room to have their own beliefs, to act according to their practices—to, in the privacy of their home or their church, be less tolerant than is required in the greater public space.

In a society where diversity thrives through privacy, people of different beliefs are segregated from each other. Alternatively, in a society that has little privacy but is flexible and tolerant, people of different beliefs have the benefit of exposure to each other. As we contemplate a future of diminished privacy, we must seek this societal ideal. But the more diverse the society is, the more difficult it is to ensure tolerance. Nor is it guaranteed over time. A society that is open minded today—about your religion, sexuality, political beliefs, behavior—may not be so open minded tomorrow.

Ultimately, to retain freedom and safety—the benefits of privacy—our designs must address the larger issue of safeguarding tolerance and supporting individuality in a growing public sphere.

No comments here
Why not start the discussion?