Beyond the Legal Lens: A Sociotechnical Taxonomy of Lived Privacy Incidents and Harms

Kirsten Chapman, Garrett Smith, Kaitlyn Klabacka, Harrison Winslow, Louise Barkhuus, Cori Faklaris, Sauvik Das, Pamela Wisniewski, Bart Piet Knijnenburg, Heather Lipford, Xinru Page

TL;DR

This paper critiques the reliance on US legal notions of privacy harms to understand lived privacy experiences in a modern sociotechnical landscape. Using an online survey (N=164) that yielded 369 incident reports, the authors show that many privacy harms are not acute or easily quantifiable, with loss of psychological safety emerging as a prominent new harm. They adapt Solove's Privacy Taxonomy and Citron and Solove's Typology of Privacy Harms to account for contemporary actors, information types, and sociotechnical contexts, highlighting that corporations and interpersonal interactions drive most incidents and that information types have expanded beyond traditional categories. The study offers updated taxonomies to guide research, design, and policy, enabling better anticipation, mitigation, and regulation of privacy harms in complex digital environments.

Abstract

To understand how privacy incidents lead to harms, HCI researchers have historically leveraged legal frameworks. However, these frameworks expect acute, tangible harms and thus may not cover the full range of human experience relevant to modern-day digital privacy. To address this gap, our research builds upon these existing frameworks to develop a more comprehensive representation of people's lived experiences with privacy harms. We analyzed 369 privacy incidents reported by individuals from the general public. We found a broader range of privacy incidents and harms than accounted for in existing legal frameworks. The majority of reported privacy harms were not based on tangible harm, but on fear and loss of psychological safety. We also characterize the actors, motives, and information associated with various incidents. This work contributes a new framework for understanding digital privacy harms that can be utilized both in research and practice.

Paper Structure

This paper contains 59 sections, 7 figures, 7 tables.

Figures (7)

  • Figure 1: Mapping of actors involved in privacy incidents to the related motives. Percentage is out of total responses (N=369). Since reports can be classified in multiple categories, percentages can add up to more than 100%.
  • Figure 2: Mapping of motives related to socio-political structures to types of privacy incident. Percentage is out of total responses (N=369).
  • Figure 3: Mapping of motives related to individual actors to types of privacy incident. Percentage is out of total responses (N=369). As reports could be classified as multiple categories, percentages can add up to more than 100%.
  • Figure 4: Mapping of underlying motive to types of information involved. Percentage is out of total responses (N=369). As reports could be classified as multiple categories, percentages can add up to more than 100%.
  • Figure 5: Mapping of reported incidents to reported harms. Percentage is out of total responses (N=369). As reports could be classified as multiple categories, percentages can add up to more than 100%.
  • ...and 2 more figures