GKC-CI: A Unifying Framework For Contextual Norms and Information Governance


Yan Shvartzshnaider, Madelyn Sanfilippo, Noah Apthorpe

Designing technology that is attuned to ethical privacy considerations is a multifaceted challenge that requires a detailed understanding of the interplay between societal privacy norms, governance factors, and information handling practices in specific contexts. A grounding theoretical framework is needed to define the “right” research questions to untangle these interconnected factors across empirical studies from different disciplines.

Our recent work (Shvartzshnaider et al., 2022) integrates contextual integrity (CI) (Nissenbaum, 2009) and governing knowledge commons (GKC) (Frischmann et al., 2014; Sanfilippo et al., 2018) into a combined framework (GKC-CI) that provides this theoretical foundation. GKC-CI extends the range of inquiry supported by either CI or GKC individually, enabling further insight into privacy expectations and governing factors across contexts.


In this article, we briefly describe the GKC-CI framework and a recent case study to show how GKC-CI can inform empirical research in information and computer science.

The GKC-CI Framework

GKC-CI connects governing knowledge commons (GKC) and contextual integrity (CI) to provide greater insight into users’ privacy expectations and governing factors.

GKC-CI uses the GKC framework to identify communities that share governance institutions and practices within a given context. This formalizes questions about governance trade-offs, including the roles and objectives of relevant actors and the information resources that necessitate and support governance altogether. This also provides a structure for understanding the emergence of new information norms, specific governance mechanisms, and how communities and stakeholder groups shape governing institutions.

GKC-CI then uses the CI framework to assess the perceived appropriateness of new information flows within identified communities. This involves a three-stage process for evaluating privacy norms related to these flows: a cost-benefit analysis of the interests of those affected, a normative analysis vis-à-vis existing societal values, and a consideration of ethical values related to fairness, discrimination and civil liberties (Nissenbaum, 2018).

Table 1. Conceptual overlap between CI and GKC concepts. Table from (Shvartzshnaider et al., 2022)

GKC-CI also connects the GKC institutional grammar to the CI transmission principle parameter (Table 1). Specifically, it defines the transmission principle (the condition under which a privacy-relevant information flow occurs) as a combination of four institutional grammar concepts: aims (specific goals), conditions (when, where, and how aims apply), consequences (sanctions for noncompliance or penalties in the absence of consent), and modalities (deontic operators implying pressure or hedging). This allows researchers to quantify the effects of each of these elements on privacy norms and provides a way to discover which elements contribute to evolving privacy and governance institutions. This also provides a theoretically grounded clarification of the CI transmission principle parameter, which has historically been a challenging aspect of the CI framework to operationalize.

GKC-CI Applications

The GKC-CI framework provides a foundation for studying privacy norm formation and the governance institutions of communities in a variety of contexts. This is particularly vital in contexts where established norms and expectations are no longer aligned with new practices. Notable examples include the recent shift to remote and online learning during the COVID-19 global pandemic (Cohney et al., 2021), surveillance and information collection practices during natural disaster management (Sanfilippo et al., 2020), smart city designs (Sanfilippo & Shvartzshnaider, 2021), activism using social media (Sanfilippo & Strandburg, 2019), and the increasing popularity of consumer Internet of things devices (Apthorpe et al., 2018; Lee & Kobsa, 2016; Naeini et al., 2017). In all of these situations, a rapid transition to digital services put preexisting privacy norms and governance into a state of flux, allowing questionable information collection and surveillance practices to flourish.

Our recent paper demonstrates the effectiveness of using GKC-CI to structure an experimental study of privacy expectations for “smart home” Internet of things devices (Shvartzshnaider et al., 2022). Survey responses from 609 U.S. individuals allowed us to identify communities of users with similar norms and governance institutions. We could then quantify how specific information flow parameters (i.e., attributes, senders, subject, recipients, aims, conditions, and consequences) affected the appropriateness of new information handling practices in these communities.

The GKC-CI study design used in our paper is just one example of how GKC-CI can inform experimental research. GKC-CI can also be used to extend existing CI-based privacy policy annotation techniques (Shvartzshnaider et al., 2019) to inform and evaluate consumer perceptions of privacy policies and regulation (Apthorpe et al., 2019). We expect there to be many additional applications of GKC-CI across contexts and disciplines and look forward to future research. We hope that GKC-CI will be useful to the privacy and governance research communities and will strive to support the future application and extension of this framework.


Apthorpe, N., Shvartzshnaider, Y., Mathur, A., Reisman, D., & Feamster, N. (2018). Discovering smart home internet of things privacy norms using contextual integrity. Proceedings of the ACM on Interactive, Mobile, Wearable and Ubiquitous Technologies, 2(2), 59:1–59:23.

Apthorpe, N., Varghese, S., & Feamster, N. (2019). Evaluating the contextual integrity of privacy regulation: Parents’ IoT toy privacy norms versus COPPA. 28th USENIX Security Symposium (USENIX Security) (pp. 123–140).

Cohney, S., Teixeira, R., Kohlbrenner, A., Narayanan, A., Kshirsagar, M., Shvartzshnaider, Y., & Sanfilippo, M. (2021). Virtual classrooms and real harms: Remote learning at U.S. universities. Seventeenth Symposium on Usable Privacy and Security (SOUPS) (pp. 653–674).

Frischmann, B. M., Madison, M. J., & Strandburg, K. J. (2014). Governing Knowledge Commons. Oxford University Press.

Lee, H., & Kobsa, A. (2016). Understanding user privacy in internet of things environments. 3rd IEEE World Forum on Internet of Things (WF-IoT) (pp. 407–412).

Naeini, P. E., Bhagavatula, S., Habib, H., Degeling, M., Bauer, L., Cranor, L. F., & Sadeh, N. (2017). Privacy expectations and preferences in an IoT world. Thirteenth Symposium on Usable Privacy and Security (SOUPS) (pp. 399–412).

Nissenbaum, H. (2009). Privacy in Context: Technology, Policy, and the Integrity of Social Life. Stanford Law Books.

Nissenbaum, H. (2018). Respecting context to protect privacy: Why meaning matters. Science and Engineering Ethics, 24(3), 831–852.

Sanfilippo, M. R., Frischmann, B. M., & Strandburg, K. J. (2018). Privacy as commons: Case evaluation through the governing knowledge commons framework. Journal of Information Policy, 8, 116–166.

Sanfilippo, M. R., & Shvartzshnaider, Y. (2021). Data and privacy in a quasi-public space: Disney World as a smart city. International Conference on Information (iConference) (pp. 235–250).

Sanfilippo, M. R., Shvartzshnaider, Y., Reyes, I., Nissenbaum, H., & Egelman, S. (2020). Disaster privacy/privacy disaster. Journal of the Association for Information Science and Technology (JASIST).

Sanfilippo, M. R., & Strandburg, K. J. (2019). Privacy governing knowledge in public Facebook groups for political activism. Information, Communication & Society.

Shvartzshnaider, Y., Apthorpe, N., Feamster, N., & Nissenbaum, H. (2019). Going against the (appropriate) flow: A contextual integrity approach to privacy policy analysis. Proceedings of the Seventh AAAI Conference on Human Computation and Crowdsourcing (HCOMP), 7(1), 162–170.

Shvartzshnaider, Y., Sanfilippo, M. R., & Apthorpe, N. (2022). GKC-CI: A unifying framework for contextual norms and information governance. Journal of the Association for Information Science and Technology (JASIST).

Cite this article in APA as: Apthorpe, N., Sanfilippo, M., & Shvartzshnaider, Y. (2022, April 7). GKC-CI: A unifying framework for contextual norms and information governance. Information Matters, Vol. 2, Issue 4.

Yan Shvartzshnaider

Yan Shvartzshnaider is an Assistant Professor in the Department of Electrical Engineering and Computer Science, Lassonde School of Engineering at York University, where he leads the Privacy Rhythm research lab.