Contextual Integrity

From Wikipedia, the free encyclopedia
Jump to navigation Jump to search

Contextual integrity is a theory of privacy developed by professor Helen Nissenbaum and presented in her book Privacy In Context: Technology, Policy, and the Integrity of Social Life.[1]

Contextual Integrity comprises four essential descriptive claims:

  • Privacy is provided by appropriate flows of information.
  • Appropriate information flows are those that conform with contextual information norms
  • Contextual informational norms refer to five independent parameters: data subject, sender, recipient, information type, and transmission principle
  • Conceptions of privacy are based on ethical concerns that evolve over time

Contextual Integrity can be seen as a reaction to theories that define privacy as control over information about oneself, as secrecy, or as regulation of personal information that is private, or sensitive.

This places contextual integrity at odds with privacy regulation based on Fair Information Practice Principles; it also does not line up with the 1990s Cypherpunk view that newly discovered cryptographic techniques would assure privacy in the digital age because preserving privacy is not a matter of stopping any data collection, or blocking all flows of information, minimizing data flow, or by stopping information leakage.

The fourth essential claim comprising Contextual Integrity gives privacy its ethical standing and allows for the evolution and alteration of informational norms, often due to novel sociotechnical systems. It holds that practices and norms can be evaluated in terms of:

  • Effects on the interests and preferences of affected parties
  • How well they sustain ethical and political (societal) principles and values
  • How well they promote contextual functions, purposes, and values.

The most distinctive of these considerations is the third. As such, Contextual Integrity highlights the importance of privacy not only for individuals, but for society and respective social domains.

Contextual Integrity’s Parameters[edit]

The “contexts” of contextual integrity are social domains, intuitively, health, finance, marketplace, family, civil and political, etc. The five critical parameters that are singled out to describe data transfer operation are:

  1. The data subject
  2. The sender of the data
  3. The recipient of the data
  4. The information type
  5. The transmission principle.

Some illustrations of contextual informational norms in western societies, include:

  • In a job interview, an interviewer is forbidden from asking a candidate’s religious affiliation
  • A priest may not share congregants’ confession with anyone
  • A U.S. citizen is obliged to reveal gross income to the IRS, under conditions of confidentiality except as required by law
  • One may not share a friend’s confidences with others, except, perhaps, with one’s spouse
  • Parents should monitor their children’s academic performance

Examples of data subjects include patient, shopper, investor, or reader. Examples of information senders include a bank, police, advertising network, or a friend. Examples of data recipients include a bank, the police, a friend. Examples of information types include the contents of an email message, the data subject’s demographic information, biographical information, medical information, and financial information. Examples of transmission principles include consent, coerced, stolen, buying, selling, confidentiality, stewardship, acting under the authority of a court with a warrant, and national security.

A key thesis is that assessing the privacy impact of information flows requires the values of all five parameters to be specified. Nissenbaum has found that access control rules not specifying the five parameters are incomplete and can lead to problematic ambiguities.[2]

Nissenbaum notes that the some kinds of language can lead one’s analysis astray. For example, when the passive voice is used to describe the movement of data, it allows the speaker to gloss over the fact that there is an active agent performing the data transfer. For example, the sentence “Alice had her identity stolen” allows the speaker to gloss over the fact that someone or something did the actual stealing of Alice’s identity. If we say that “Carol was able to find Bob’s bankruptcy records because they had been placed online”, we are implicitly ignoring the fact that someone or some organization did the actual collection of the bankruptcy records from a court and the placing of those records online.


Consider the norm: “US residents are required by law to file tax returns with the US Internal Revenue Service containing information, such as, name, address, SSN, gross earnings, etc. under conditions of strict confidentiality.”

Data Subject: A US resident

Sender: The same US resident

Recipient: The US Internal Revenue Service

Information type: tax information

Transmission principle: the recipient will hold the information in strict confidentiality.

Given this norm, we can evaluate a hypothetical scenario and see if it violates the contextual integrity norm:

Hypothetical: “The US Internal Revenue Service agrees to supply Alice’s tax returns to the city newspaper as requested by a journalist at the paper.”

This hypothetical clearly violates contextual integrity because the providing the tax information to the local newspaper would violate the transmission principle under which the information was obtained.

Technical Applications of Contextual Integrity[edit]

In 2006 Barth, Datta, Mitchell and Nissenbaum presented a formal language that could be used to reason about the privacy rules in privacy law. They analyzed the privacy provisions of the Grahm Leach Biley act and showed how to translate some of its principles into the formal language.[3]


  1. ^ Helen Nissenbaum, Privacy in Context, 2010
  2. ^ Martin, K and Helen Nissenbaum. "What is private about ‘public’ records data?" Targeted Submission: Fall Law Reviews.
  3. ^ Barth, Adam; Datta, Anupam; Mitchell, John; Nissenbaum, Helen (2006). "Privacy and Contextual Integrity: Framework and Applications". Proceedings of the 2006 IEEE Symposium on Security and Privacy: 184–198. doi:10.1109/SP.2006.32.

See also[edit]

  • H. Nissenbaum, Privacy in Context: Technology, Policy and the Integrity of Social Life (Palo Alto: Stanford University Press, 2010), Spanish Translation Privacidad Amenazada: Tecnología, Política y la Integridad de la Vida Social (Mexico City: Océano, 2011)
  • K. Martin and H. Nissenbaum (2017) “Measuring Privacy: An Empirical Examination of Common Privacy Measures in Context,” Columbia Science and Technology Law Review (forthcoming).
  • H. Nissenbaum (2015) "Respecting Context to Protect Privacy: Why Meaning Matters," Science and Engineering Ethics, published online on July 12.
  • A. Conley, A. Datta, H. Nissenbaum, D. Sharma (Summer 2012) “Sustaining both Privacy and Open Justice in the Transition from Local to Online Access to Court Records: A Multidisciplinary Inquiry,” Maryland Law Review, 71:3, 772-847.
  • H. Nissenbaum (Fall 2011) "A Contextual Approach to Privacy Online," Daedalus 140:4, 32-48.
  • A. Barth, A. Datta, J. Mitchell, and H. Nissenbaum (May 2006) “Privacy and Contextual Integrity: Framework and Applications,” In Proceedings of the IEEE Symposium on Security and Privacy, n.p. (Showcased in “The Logic of Privacy,” The Economist, January 4, 2007)