Do We Need Subsidiarity in Software?

Louisa Conwill, Megan Levis Scheirer, Walter Scheirer

TL;DR

The study reframes data privacy in software through subsidiarity, comparing the actual data-flow level of control across OS, browsers, and apps with user-identified necessary levels of control gathered from interviews. Using data-flow monitoring (via Wireshark) and semi-structured interviews with 16 participants, the authors find that users generally favor user-level control, but accept platform-level control for browsers, search, and social media, while community-level control emerges as preferred in group contexts. The biggest subsidiarity violation occurs in chat applications, where users demand strong privacy but platforms exhibit higher-level data collection. The work demonstrates how subsidiarity can guide design toward user flourishing, proposing privacy-by-design improvements for chat and advocating community governance as a middle ground between user and platform control. The findings have practical implications for designing privacy-respecting, transparent, and trust-based digital ecosystems, and point to future work exploring broader platforms and diverse populations.

Abstract

Subsidiarity is a principle of social organization that promotes human dignity and resists over-centralization by balancing personal autonomy with intervention from higher authorities only when necessary. Thus it is a relevant, but not previously explored, critical lens for discerning the tradeoffs between complete user control of software and surrendering control to "big tech" for convenience, as is common in surveillance capitalism. Our study explores data privacy through the lens of subsidiarity: we employ a multi-method approach of data flow monitoring and user interviews to determine the level of control different everyday technologies currently operate at, and the level of control everyday computer users think is necessary. We found that chat platforms like Slack and Discord violate subsidiarity the most. Our work provides insight into when users are willing to surrender privacy for convenience and demonstrates how subsidiarity can inform designs that promote human flourishing.

Paper Structure

This paper contains 53 sections, 19 figures, 1 table.

Figures (19)

  • Figure 1: Flow chart to determine which level of control an operating system, browser, or application is operating at. Our data flow monitoring cannot definitively determine if we are operating at a user, community, or platform level of control, but rather determines if we are operating at a lower or higher level of control. A lower level corresponds to operating at closer to the user level of control and a higher level corresponds to operating at closer to the platform level of control, as indicated by the boxes on the right.
  • Figure 2: The organizations that the Windows and Ubuntu operating systems contact and transfer application data to when running idle for one hour. In comparison to Ubuntu, Windows contacts more organizations more times. Windows also transfers application data, which is unexpected behavior when running idle. Ubuntu only contacts its parent company and our university (likely because we were on the university Wi-Fi) and does not transfer any application data.
  • Figure 3: The organizations that Chrome, Firefox, and Brave browsers contact and transfer application data to when they run idle for one hour. We compare the browsers when running idle on Windows and Ubuntu, and highlight organizations for which we suspect contact is background traffic from the operating system rather than traffic from the browser. Contact is suspected to be background traffic from an OS when it is both to an organization contacted in the idle experiment for that OS and does not show up in the idle browser experiments on the other OS. Each browser contacts and transfers application data to its parent company/primary cloud service provider.
  • Figure 4: The organizations that various email providers contact and transfer application data to while running idle. Suspected background traffic from the operating system and/or browser is highlighted, as well as cases where traffic could be either background traffic or from the application itself. When both personal and university-sponsored Gmail accounts run idle, they transfer application data back to Google. Proton Mail does not transfer application data while running idle.
  • Figure 5: The organizations that various search engines contact and transfer application data to while running idle. Suspected background traffic from the operating system and/or browser is highlighted. While each search engine contacts their parent company or content provider, no search engines transfer application data while running idle.
  • ...and 14 more figures
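The figure captions describe two pieces of bookkeeping that the monitoring method relies on: tallying, per experiment, which organizations a piece of software contacts and whether it transfers application data to them (Figures 2 to 5), and the rule from Figure 3 for attributing a browser's idle-time contact to operating-system background traffic. The following Python script is an added illustration of that bookkeeping and is not the authors' code or data: the flow records, experiment names and organization names are constructed placeholders standing in for the per-connection summaries one would export from a Wireshark capture.

```python
from collections import defaultdict

# Constructed flow records (not the paper's captures). Each record is
# (experiment, destination organization, application-layer bytes sent).
# Zero application bytes models a host that was contacted (e.g. a DNS lookup
# or TLS handshake only) without any application data being transferred.
RECORDS = [
    ("windows_idle", "Microsoft", 1400),
    ("windows_idle", "Microsoft", 900),
    ("windows_idle", "Akamai", 0),
    ("ubuntu_idle", "Canonical", 0),
    ("ubuntu_idle", "University", 0),
    ("chrome_windows", "Google", 2200),
    ("chrome_windows", "Akamai", 0),
    ("chrome_windows", "Microsoft", 600),
    ("chrome_ubuntu", "Google", 2100),
    ("chrome_ubuntu", "Canonical", 0),
]


def summarize(records):
    """Per experiment, count contacts per organization and note whether any
    application data was transferred to it: the two facts Figures 2-5 report."""
    summary = defaultdict(
        lambda: defaultdict(lambda: {"contacts": 0, "app_data": False})
    )
    for experiment, org, app_bytes in records:
        entry = summary[experiment][org]
        entry["contacts"] += 1
        if app_bytes > 0:
            entry["app_data"] = True
    return summary


def suspected_background(summary, browser_exp, os_idle_exp, other_os_browser_exp):
    """Figure 3's attribution rule: a contact seen while the browser runs idle is
    suspected OS background traffic when the organization was also contacted in
    that OS's idle experiment AND does not appear in the same browser's idle run
    on the other OS."""
    browser_orgs = set(summary[browser_exp])
    os_orgs = set(summary[os_idle_exp])
    other_os_orgs = set(summary[other_os_browser_exp])
    return {org for org in browser_orgs if org in os_orgs and org not in other_os_orgs}


def browser_only_traffic(summary, browser_exp, os_idle_exp, other_os_browser_exp):
    """Contacts that remain attributable to the browser itself once suspected
    OS background traffic has been set aside."""
    background = suspected_background(
        summary, browser_exp, os_idle_exp, other_os_browser_exp
    )
    return {
        org: stats
        for org, stats in summary[browser_exp].items()
        if org not in background
    }


if __name__ == "__main__":
    summary = summarize(RECORDS)
    for experiment in sorted(summary):
        print(experiment)
        for org, stats in summary[experiment].items():
            flag = "app data" if stats["app_data"] else "contact only"
            print(f"  {org:<12} x{stats['contacts']}  {flag}")
    print("Chrome on Windows, suspected OS background:",
          sorted(suspected_background(summary, "chrome_windows", "windows_idle", "chrome_ubuntu")))
    print("Chrome on Windows, browser-attributed:",
          browser_only_traffic(summary, "chrome_windows", "windows_idle", "chrome_ubuntu"))
```

The attribution rule is deliberately conservative in one direction: an organization that both the OS and the browser legitimately contact on every platform (a shared CDN, say) never gets filtered out, which is why the captions describe such contacts only as "suspected" background traffic rather than proven.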