Jim Adler, Chief Privacy Officer and General Manager of Data Systems at Intelius, always has interesting and thoughtful things to say about online privacy debates. I recommend following him on Twitter (@jim_adler). Today, he posted an interesting essay on his blog entitled “Creepy Is As Creepy Does, which begins by noting that “with increasing volume, ‘creepy’ has snuck its way in to the privacy lexicon and become a mainstay in conversations around online sharing and social networking. How is it possible that we use the same word to describe Frankenstein and Facebook?” Good question. Better question: Why is “creepiness” the standard by which we are judging privacy matters? I posted a comment to his blog post elaborating on that point that I thought I would also post here:
I think we’d be better served by moving privacy deliberations — at least the legal ones — away from “creepiness” and toward a serious discussion about what constitutes actual harm in these contexts. While there will be plenty of subjective squabbles over the definition of “harm” as it relates to online privacy / reputation, I believe we can be more concrete about it than continuing these silly debates about “creepiness,” which could not possibly be any more open-ended and subjective.
Indeed, when harm is reduced to “creepiness” or even “annoyance,” credible cost-benefit analysis is virtually impossible since the debate becomes entirely about emotional appeals instead of anything empirical / verifiable. Thus, we are stuck with “gut-level” debates that are not grounded in any substantive theory of rights or economic analysis. Such an amorphous standard for policy analysis or legal / regulatory action leaves much to the imagination and opens the door to creative theories of harm that (a) may not actually represent true harm at all, and (b) could be exploited by those who ignore the complex trade-offs at work when we attempt to regulation of information flows online. When we get more serious about defining harms, we also think about the possibility that benefits may exist that must be considered alongside possible costs.
Viewed in this light, we don’t need to use the term “creepy” with reference to the actions of News of the World; that was flat-out illegal activity with clear harm coming to certain individuals. And there certainly weren’t any benefits associated with NotW’s actions. By contrast, subsequent analysis of the Carrier IQ situation has revealed no clear harm and actually plenty of benefits associated with the service that company provides. Yes, I agree more transparency about this and other data collection schemes can help alleviate whatever “creepiness” concerns are out there in the minds of some. But when actual harm to individuals is the standard of review, it doesn’t seem like there is anything actionable here or even all that much to worry about.
In sum, “creepiness” is crappy standard by which to judge privacy matters when we are discussing policy perspectives / regulatory solutions. Here’s another way to think about it: There are plenty of people we come in contact with in this world that we might describe as “creepy.” But would we also describe all of them as harmful? Unlikely. We’d draw a distinction between creepiness and the potentially harmful nature of various individuals and likely reserve judgment on the latter question until we had more evidence. That’s the same standard we should use for privacy matters when they are elevated to policy concerns.