Parameters of Privacy
post by Raemon · 2020-07-29T01:18:54.662Z · LW · GW · 2 comments
In my last post, I argued that people should probably have more meta-discussions about privacy (rather than simply assuming everyone was on the same page about how seriously to take confidentiality).
What might that conversation entail?
First, it's worth checking "Is this actually all that important? Do you want me to try very hard to keep this private?" Much of the time, many people don't care that strongly. They just don't want you to go around blabbing publicly, and would prefer that you err on the side of not spreading it if you can.
Simply confirming that the stakes are low may be all that's needed, and it's good to check that first to avoid spending unnecessary effort.
(As I said in the comments last time: the reason I think it's useful to check if the stakes are actually low is that a) people sometimes have different expectations, b) sometimes, the ambiguity about "how seriously am I supposed to take privacy here?" can become ammunition in a power game, and I'd prefer to remove that ambiguity.)
But if the stakes are moderate-to-high, you might talk through some parameters before revealing more information.
Note: I'm using "secret" and "private information" somewhat interchangeably here, because "secret" is a shorter noun that's easier to work into sentences. I think there are actually some distinctions between them, but those distinctions aren't the point of this essay.
Frames of Privacy: Ownership vs Caution
Ownership
One model of privacy is ownership-based – I have some information, I'm considering sharing the information with you, but want to "retain ownership" over the information, such that you only use it in ways I endorse.
This could include "my social security number", or "my private feelings about a matter." It could also include other people's private information that I've been "loaned" (Alice shared her social security number or private feelings with me, and they belong to Alice, but in this circumstance I'm confident Alice would be fine with me sharing them with you so long as you agree to the same privacy terms that I did).
Caution
But, a different model here is about "proper caution." Say I'm a physicist who discovers how to build nuclear reactors. As a scientist, I might generally desire to share information and educate people. I don't care about "ownership" of the idea.
But nuclear reactors are dangerous, and I don't want it to fall into the wrong hands. If I share it with other people, I might want to check: will they misuse the information? Will they share it with other people who might misuse the information?
Sometimes the danger comes from incomplete information – Carla overhears Alice and Bob conducting an improv scene, where Bob is insulting Alice. If Carla were to tell someone "Bob insulted Alice" but not "Bob and Alice were in an improv scene where the insults were completely consensual", she'd be spreading misinformation that harms Bob.
If Carla is considering telling Dave about the information, what she might care about is whether Dave will make sure that if he tells anyone else, he conveys the full story, not just "Bob insulted Alice."
In general this frame is concerned less with ownership than with good judgment, which might be domain specific. (You trust Joe not to reveal secrets about nuclear reactors, but might not trust his judgment in sharing personal information that people might misinterpret.)
Other Frames
There may be other frames for privacy. I think it's good to at least be aware that you and your colleague might be operating in different frames, which come with different assumptions about what's important.
With that in mind, what are some specific parameters you might fine-tune for a given exchange of private-information?
Parameters
i. Am I making a promise?
Privacy is an important tool for coordination.
Another useful tool for coordination is the specific tech of "making a promise" – committing to definitely make sure to get something done (or not done). If I do not successfully do the thing, you are right to judge me, and trust me less in the future. Breaking a promise has long-term consequences.
I think it's quite important to be able to make promises, and to be able to rely on people who make them.
Consequently, I think it's important that our social norms not require people to casually make promises that they can't actually keep. Doing so erodes the tool of promise-making. And it fosters an environment where most people are guilty, but can be selectively punished.
So I think it's useful to more explicitly distinguish "private information that you're making a reasonably good faith effort to contain" and "private information you're making a promise to contain."
I generally don't think it makes sense to make promises by default.
ii. Who am I keeping this secret from, and to what degree?
One might want any of the following:
- Never reveal *any* information that allows anyone to make updates about the secret, including microexpressions. (This is quite hard, and I don't think it should generally be expected.)
- Don’t reveal more than “I can’t talk about that because of confidentiality”
- Don’t tell anyone directly about the secret
- Don’t spread the secret more than N degrees
- Make sure the information doesn’t spread to a particular person.
- Make sure the secret doesn’t reach people who might use it to hurt the ingroup.
- You can talk about the secret, but not reveal the particulars.
- Any of the above, but you can have a confidant.
I want to draw particular attention to that last point. One thing I've found fairly burdensome about privacy is not having someone who can help me think through the ramifications of a situation.
iii. What Skills Am I Expected to Have?
Depending on the previous question, you might need to have particular skills:
For not revealing information:
- Remembering not to tell the secret in the first place.
- Gracefully segueing a conversation so as not to reveal that you almost revealed something
- Thinking fast enough to respond to direct interrogation without revealing information. Or...
- ...removing yourself from the conversation (awkwardly if necessary).
- Control over your microexpressions.
Attention to context:
- Awareness of which people talk to each other (i.e. if I tell Carla, is she likely to tell Bob?)
- Good judgment about the object-level content of the information. Under what sorts of circumstances might it be harmful for someone to know it, or spread it?
- Good judgment about which other people are okay to tell (including whether they have any of these skills)
Psychological safety:
- Some secrets are hard to bear alone, or even sometimes in a small group. Do I have the resilience to hold the secret without feeling isolated and stressed?
- If a secret is a literal infohazard that might harm the listener, do I actually have the skills to think through that infohazard safely? (This includes lots of subskills, which depend on the infohazard.)
Then, there's self-awareness about how good you are at each of these skills.
iv. Duration
How long do you need to keep the secret? Literally until the day you die? Until some current controversy has blown over, or some product launched?
Most of why I'm averse to keeping secrets has to do with the cognitive overhead of tracking multiple secrets that accumulate over time. Time-limited secrets avoid secret-creep.
v. Escape Clauses
There are some circumstances where I might end up regretting having made an all-encompassing promise. If a secret is important to someone, I try to talk through
Two clusters of reasons are:
Costs/Benefits in local situations
Sometimes a secret isn't that big a deal, and meanwhile, a situation comes up where it's hard for me to have a conversation with Bob without inadvertently revealing some facts that relate to a secret Alice told me.
It'd be quite valuable to have the conversation openly with Bob, and meanwhile I'm pretty confident it wouldn't harm Alice or anyone else to tell Bob.
Now, this is the sort of judgment call that results in mismatched expectations and feelings of betrayal, and I'm not advocating that people unilaterally decide to share information whenever it feels convenient. But, I do think people underestimate the costs when agreeing to keep something private in the first place. If you were trying seriously to keep a secret, often that means keeping a lot of related details secret, and that ends up making it really hard to have what would otherwise be an innocuous conversation.
So, before agreeing to keep something private, I try to get a sense of how important it actually is to the person, and to talk through this consideration explicitly.
Patterns of Manipulation
I'll have a whole other blogpost about this. But quickly noting for now: one major issue with privacy is that it can be used to protect bad actors.
I've met a couple people who exploited my willingness-to-keep-things-confidential, which made it harder for me to share notes about them with other people. They generally pushed for confidentiality in a way that dampened an entire community's ability to notice that they were harming people.
I'm still figuring out exactly how to think about this. But I now have a general escape clause in all privacy promises: If I come to believe that you are manipulating and harming people, I may reveal some things you told me in confidence (in as controlled and honorable a way as I can think of). If you choose to tell me the secret, you're trusting that a) I have good judgment about that, and b) the secret is not something I'm likely to perceive as part of a manipulative pattern.
Sensible Defaults
Negotiating all that individually each time is a pain, and you probably don't want to do it each time. Also, most people don't enjoy meta-discussion as much as I do, and you probably don't want to dump 1-3 blogposts worth of material on most people the first time private-information comes up.
Obviously people may vary in what defaults make sense. In a future post, I'll lay out my entire privacy policy more explicitly, but for now it seemed good to list as an example my most common defaults.
My defaults:
- Try to notice when people are sharing information that is commonly-coded "private", and get the person to stop until we've chatted at least briefly about all this.
- Don't make promises by default.
- Do offer "low effort not-too-reliable pseudoprivacy" (clearly labeled as such)
- Do offer "reasonable good faith effort to keep things private" (without promising) fairly easily to people who need it.
- When higher degrees of privacy are required, almost always have a confidant who is able to offer an outside perspective on the situation.
- If I take on semi-private information, and need to share it with others, try to have the others take on a higher degree of privacy than I did, to limit its spread. (i.e. it's often basically fine for some info to spread a little, Alice just didn't want it spreading across the whole internet)
2 comments
comment by NormanPerlmutter · 2021-12-27T04:41:53.948Z · LW(p) · GW(p)
I have been thinking about this topic a lot on my own and with friends before finding this post and was excited to see a post so related to my recent thoughts. One idea that came up in a recent discussion with a friend was the pitfalls of the reasonable good faith effort in connection with common communication norms, especially if somebody reveals a secret accidentally and is feeling vulnerable and then asks you to keep it secret. In that case, if you say, "I'll make a good faith effort to keep it but I can't promise" it may be interpreted as "I don't care about the privacy of your secret." What the person is actually wanting to hear is something more like "Don't worry, your secret is safe with me." There is a social expectation of some degree of fallibility, and depending on the social context, pointing to this fallibility may overemphasize it and be interpreted differently from how it is intended. All this is very context-dependent.