GKC-CI: A Unifying Framework for Contextual Norms and Information Governance
Yan Shvartzshnaider, Madelyn Sanfilippo, Noah Apthorpe
Designing technology that is attuned to ethical privacy considerations is a multifaceted challenge that requires a detailed understanding of the interplay between societal privacy norms, governance factors, and information handling practices in specific contexts. A grounding theoretical framework is needed to define the “right” research questions to untangle these interconnected factors across empirical studies from different disciplines.
Our recent work (Shvartzshnaider et al., 2022) integrates contextual integrity (CI) (Nissenbaum, 2009) and governing knowledge commons (GKC) (Frischmann et al., 2014; Sanfilippo et al., 2018) into a combined framework (GKC-CI) that provides this theoretical foundation. GKC-CI extends the range of inquiry supported by either CI or GKC individually, enabling further insight into privacy expectations and governing factors across contexts.
—The GKC-CI framework provides a foundation for studying privacy norm formation and the governance institutions of communities in a variety of contexts.—
In this article, we briefly describe the GKC-CI framework and a recent case study to show how GKC-CI can inform empirical research in information and computer science.
The GKC-CI Framework
GKC-CI connects governing knowledge commons (GKC) and contextual integrity (CI) to provide greater insight into users’ privacy expectations and governing factors.
GKC-CI uses the GKC framework to identify communities that share governance institutions and practices within a given context. This formalizes questions about governance trade-offs, including the roles and objectives of relevant actors and the information resources that necessitate and support governance altogether. This also provides a structure for understanding the emergence of new information norms, specific governance mechanisms, and how communities and stakeholder groups shape governing institutions.
GKC-CI then uses the CI framework to assess the perceived appropriateness of new information flows within identified communities. This involves a three-stage process for evaluating privacy norms related to these flows: a cost-benefit analysis of the interests of those affected, a normative analysis vis-à-vis existing societal values, and a consideration of ethical values related to fairness, discrimination and civil liberties (Nissenbaum, 2018).
GKC-CI also connects the GKC institutional grammar to the CI transmission principle parameter (Table 1). Specifically, it defines the transmission principle (condition on which a privacy-relevant information flow occurs) as a combination of four institutional grammar concepts: aims (specific goals), conditions (when, where, and how aims apply), consequences (sanctions for noncompliance or penalties in absence of consent), and modalities (deontic operators implying pressure or hedging). This allows researchers to quantify the effects of each of these elements on privacy norms and provides a way to discover which elements contribute to evolving privacy and governance institutions. This also provides a theoretically-grounded clarification of the CI transmission principle parameter, which has been a historically challenging aspect of the CI framework to operationalize.
The GKC-CI framework provides a foundation for studying privacy norm formation and the governance institutions of communities in a variety of contexts. This is particularly vital in contexts where established norms and expectations are no longer aligned with new practices. Notable examples include the recent shift to remote and online learning during the COVID-19 global pandemic (Cohney et al., 2021), surveillance and information collection practices during natural disaster management (Sanfilippo et al., 2020), smart city designs (Sanfilippo & Shvartzshnaider, 2021), activism using social media (Sanfilippo & Strandburg, 2019), and the increasing popularity of consumer Internet of things devices (Apthorpe et al., 2018; Lee & Kobsa, 2016; Naeini et al., 2017). In all of these situations, a rapid transition to digital services put preexisting privacy norms and governance into a state of flux, allowing questionable information collection and surveillance practices to flourish.
Our recent paper demonstrates the effectiveness of using GKC-CI to structure an experimental study of privacy expectations for “smart home” Internet of things devices (Shvartzshnaider et al., 2022). Survey responses from 609 U.S. individuals allowed us to identify communities of users with similar norms and governance institutions. We could then quantify how specific information flow parameters (i.e., attributes, senders, subject, recipients, aims, conditions, and consequences) affected the appropriateness of new information handling practices in these communities.
Apthorpe, N., Shvartzshnaider, Y., Mathur, A., Reisman, D., & Feamster, N. (2018). Discovering smart home internet of things privacy norms using contextual integrity. Proceedings of the ACM on Interactive Mobile, Wearable, and Ubiquitous Technologies, 2(2), 59:1–59:23.
Apthorpe, N., Varghese, S., & Feamster, N. (2019). Evaluating the contextual integrity of privacy regulation: Parents’ IoT toy privacy norms versus COPPA. 28th USENIX Security Symposium (USENIX Security) (pp. 123–140).
Cohney, S., Teixeira, R., Kohlbrenner, A., Narayanan, A., Kshirsagar, M., Shvartzshnaider, Y., & Sanfilippo, M. (2021). Virtual classrooms and real harms: Remote learning (US) universities. Seventeenth Symposium on Usable Privacy and Security (SOUPS) (pp. 653–674).
Frischmann, B. M., Madison, M. J., & Strandburg, K. J. (2014). Governing Knowledge Commons. Oxford University Press.
Lee, H., & Kobsa, A. (2016). Understanding user privacy in internet of things environments. 3rd IEEE World Forum on Internet of Things (WF-IoT) (pp. 407–412).
Naeini, P. E., Bhagavatula, S., Habib, H., Degeling, M., Bauer, L., Cranor, L. F., & Sadeh, N. (2017). Privacy expectations and preferences in an IoT world. Thirteenth Symposium on Usable Privacy and Security (SOUPS) (pp. 399–412).
Nissenbaum, H. (2009). Privacy in Context: Technology, Policy, and the Integrity of Social Life. Stanford Law Books.
Nissenbaum, H. (2018). Respecting context to protect privacy: Why meaning matters. Science and Engineering Ethics, 24(3), 831852.
Sanfilippo, M. R., Frischmann, B. M., & Strandburg, K. J. (2018). Privacy as commons: Case evaluation through the governing knowledge commons framework. Journal Information Policy, 8, 116–166.
Sanfilippo, M. R., & Shvartzshnaider, Y. (2021). Data and privacy in a quasi-public space: Disney World as a smart city. International Conference on Information (iConference) (pp. 235–250).
Sanfilippo, M. R., Shvartzshnaider, Y., Reyes, I., Nissenbaum, H., & Egelman, S. (2020). Disaster privacy/privacy disaster. Journal of the Association for Information Science and Technology (JASIST).
Sanfilippo, M. R., & Strandburg, K. J. (2019). Privacy governing knowledge in public Facebook groups for political activism. Information, Communication & Society.
Shvartzshnaider, Y., Sanfilippo, M. R., & Apthorpe, N. (2022). GKC-CI: A unifying framework for contextual norms and information governance. Journal of the Association for Information Science and Technology (JASIST).
Cite this article in APA as: Apthorpe, N., Sanfilippo, M., & Shvartzshnaider, Y. (2022, April 7). GKC-CI: A unifying framework for contextual norms and information governance. Information Matters, Vol. 2, Issue 4. https://informationmatters.org/2022/04/gkc-ci-a-unifying-framework-for-contextual-norms-and-information-governance/