Introduction

A significant part of the privacy literature consists of discussions about how best to define privacy. Among the prominent theories of privacy are the ones which David Matheson has called the ‘Limited Access Theory’,Footnote 1 the Narrow Ignorance Theory,Footnote 2 and the Broad Ignorance Theory.Footnote 3 I will not rehearse the arguments for and against these theories in this paper, but note that at this stage of the discussion, many theorists seem to agree that these theories are essentially flawed. Most contemporary theorists seem to subscribe to some version of the so-called Control Theory instead.Footnote 4 Although variations of the Control Theory seem to be the most popular ones, a host of alleged counterexamples has been raised against it.Footnote 5 So far, the control theorists have not provided satisfactory replies to these counterexamples. In this paper, I try to provide a unified and effective reply to all of the most worrying counterexamples on their behalf. However, as we shall see, this reply implies that the Control Theory collapses into the so-called Access Theory. This is very problematic for the control theorist, given that access theories are generally considered the main rivals to the Control Theory (Macnish 2018).

Although most contemporary theorists subscribe to the Control Theory,Footnote 6 this paper is part of a recent trend in the literature that suggests that the Access Theory is in fact superior to the Control Theory (Lundgren 2020; Macnish 2018). Björn Lundgren has recently argued that—due to what he calls the Parent/Macnish-dilemma—the Control Theory should be rejected, and the Access Theory should be endorsed instead (Lundgren 2020). However, Leonhard Menges has recently shown convincingly that the Parent/Macnish-dilemma can be resolved. His solution consists in interpreting ‘control’ as what he calls ‘source control’ (Menges 2020). As I will argue at the end of this paper, although Menges's source control account is convincing in many regards, it should be rejected after all. The main contribution of this paper is twofold: First, I offer an alternative version of the Control Theory that is immune to the classic objections. So far, this is the only version of the Control Theory in the literature that achieves this. Second, I show how this new theory collapses into the Access Theory.

The paper is structured as follows: In the section ‘The Control Theory’, I introduce a definition of the Control Theory. In the section ‘Two Strategies for Refuting the Control Theory’, I explain two types of argumentative strategies that critics of the Control Theory have followed in order to refute it. I call these argumentative strategies the A-strategy and the B-strategy, respectively. In the section ‘Three Types of Control’, I introduce a distinction between three types of control: Negative Control, Positive Control, and Republican Control. In the section ‘Averting Counterexamples’, I argue that if ‘control’ is interpreted as Negative Control, and not Positive Control or Republican Control, then the control theorist can effectively avert both the counterexamples that follow the A-strategy and those that follow the B-strategy. In the section ‘How Negative Control Collapses the Control Theory into the Access Theory’, I argue that if the control theorist interprets control as Negative Control, then the Control Theory collapses into the rival Access Theory. In the section ‘The Source Control Objection’, I present Menges's source control account that avoids collapsing into the Access Theory. I show that even if this is true, the source control account should be rejected for independent reasons. In the final section, I make a few concluding remarks.

The Control Theory

In this section, I will introduce a definition of the Control Theory. This theory comes in many different variations, but central to all of them is—loosely—the idea that having privacy is a matter of having control. For the purposes of this paper, nothing of importance hangs on how exactly the Control Theory is spelled out, but I will follow David Matheson’s semi-formalized version:

The Control Theory (CT)

An individual A has informational privacy relative to another individual B and to a personal fact f about A if and only if A controls whether B knows f. (Matheson 2007, p. 252).

It is helpful to note a few things about this definition of the CT. (I) The CT is non-normative. In itself, it says nothing about whether privacy is valuable, whether privacy rights exist, or what it takes to violate privacy rights if they do exist. (II) According to the CT, B must know f about A in order for A’s privacy to be diminished relative to B and relative to f. Recent critics have pointed out that weaker epistemic relations than knowledge are sufficient for privacy to be diminished, and that the stronger the epistemic relation is, the more privacy is diminished (Blaauw 2013; Kappel 2013; Fallis 2013). I find this critique compelling, but I will bracket it for now, since it is fairly easy to see how ‘knows’ in the definition can be replaced with a weaker epistemic relation without turning it into something that is not a control theory. (III) The CT states a necessary and sufficient condition for A having privacy, namely that A controls whether B knows f about A.

Two Strategies for Refuting the Control Theory

Given (III), at least two effective strategies are available for a critic of the CT. Since the definition of the CT states a necessary and sufficient condition for privacy, a critic of the CT can attack the necessity-part, or she can attack the sufficiency-part. Many objections to the CT take the form of a reductio ad absurdum, where a counterexample (often in the form of a thought experiment) is offered to show that control is either not necessary or not sufficient for privacy. The two types of strategies against the CT can thus be described in the following manner:

  • The A-strategy: Show that privacy is sometimes diminished, even if control is not diminished.

  • The B-strategy: Show that privacy is sometimes intact, even if control is diminished.

Counterexamples that follow the A-strategy aim to show that the CT is too narrow. That is, they aim to show that control is not sufficient for privacy. And counterexamples that follow the B-strategy aim to show that the CT is too broad. That is, they aim to show that control is not necessary for privacy. The reason why I frame the discussion in terms of the A-strategy and the B-strategy, and not just in terms of narrowness and broadness, is that the CT or variations of it have also been accused of being too narrow and too broad for reasons that are not related to control. For instance, some think that the CT is too narrow because it only concerns ‘informational privacy’ (Solove 2002). Others think that the CT is too broad, because not all ‘personal facts’ are private (ibid.).

Both strategies can be found in the literature, but the B-strategy seems to be the most common one in the works of prominent privacy scholars. Critics who follow the A-strategy often make use of variations of so-called ‘voluntary divulgence cases’ (Parent 1983; Menges 2020). Critics who follow the B-strategy often make use of so-called ‘threatened loss cases’ (Parent 1983; Menges 2020), but as we shall see they also make use of other types of cases. In the next section, I will introduce three types of control, which will become crucial in the subsequent discussion.

Three Types of Control

Let me introduce a distinction between three types of control. Call them Negative Control, Positive Control, and Republican Control, respectively. As we shall see, these three types of control are inspired by the distinction between three types of freedom in the political philosophy literature:

  • Negative Control: An individual A has Negative Control over relevant information f with respect to B, if, and only if,

    • (i) B does not attempt to access f (or attempts to give others access), or (ii) B does attempt to access f (or attempts to give others access), but fails due to A’s intentional actions directed at preventing B from accessing f, or, due to random circumstances, or, due to the incompetence of B, and,

    • (iii) A does not voluntarily let B access f.Footnote 7

  • Positive Control: An individual A has Positive Control over relevant information f with respect to B, if, and only if,

    • (iv) A wants to give B access to f, and A can act so that B gets access to f.

  • Republican Control: An individual A has Republican Control over relevant information f with respect to B, if, and only if,

    • (v) B could not get access to f if B tried.Footnote 8

It is helpful to note a few things about these definitions. First, Negative Control is defined in a way that implies that A’s privacy can be diminished in two ways. The first way to diminish privacy occurs if neither (i) nor (ii) is satisfied. The second way to diminish privacy occurs if (iii) is not satisfied.Footnote 9 An obvious example of the first way to diminish privacy involves a peeping Tom who gets access to information about what A does in her bedroom by peeping in between the curtains. An obvious example of the second way to diminish privacy involves an exhibitionist A who wants peeping Tom to access the information about what A does in the bedroom, and therefore opens the curtains and lets Tom watch.Footnote 10

Second, Positive Control is defined in a way that implies that A has it if A is able to give others access to f, regardless of whether they want to have access or not. An example of this involves an exhibitionist who forces others to look at her while she performs sexual acts.

Third, contrary to Negative Control, Republican Control is defined in a way that implies that A has it whether or not someone else attempts to access f. If A does not have Republican Control, then it follows that someone is able to access f, and this someone can have this control without ever getting close to f in any way, and without ever attempting to access f. An example of this involves a peeping Tom who is able to look through A’s curtains if he wants to.

The distinctions between the three types of control loosely resemble the well-known distinctions between different types of freedom in the political philosophy literature. The distinction between Negative Control and Positive Control loosely resembles Isaiah Berlin’s distinction between negative freedom and positive freedom (Berlin 1969). The notion of Republican Control loosely resembles Philip Pettit’s notion of republican freedom (Pettit 1999).Footnote 11 What I mean by resemblance here is that the respective types of control at play in my distinctions between Negative Control, Positive Control, and Republican Control respectively, are relatively akin to the type of control that the claimant has if she has negative freedom, positive freedom, and republican freedom, respectively. The three types of control do not map on to the corresponding types of freedom perfectly. However, this is not a big problem. What matters is that interpreting control as Negative Control averts all the classic counterexamples to the CT, because all these counterexamples turn on interpretations of control that are either Positive Control or Republican Control.

Negative freedom is the absence of interference from others (Berlin 1969, pp. 15–22). Positive freedom, on the other hand, is the ability to do certain things (ibid., pp. 22–25). If, for example, someone stops you from running to wherever you want, then you do not have full negative freedom. If you, on the other hand, are physically disabled and unable to run, then you do not have full positive freedom.

Pettit thought that the combination of negative freedom and positive freedom does not capture all aspects of freedom. One can, Pettit thought, be unfree in an important way, even though one has full negative freedom and full positive freedom. A slave that is owned by a benevolent slave owner might have both full negative freedom and full positive freedom, and yet it seems strange to say that the slave is really free, since the slave owner is able to interfere at any given time if he so chooses (Pettit 1999, pp. 32–35).

Here is how the definitions of Negative Control, Positive Control, and Republican Control are related to the three types of control that the claimant has if she has negative freedom, positive freedom, and republican freedom, respectively: Just like negative freedom, Negative Control has to do with the lack of interference from others. Part (i) of the definition of Negative Control reflects this aspect of negative freedom. However, Berlin did not only think of negative freedom as a condition of a lack of interference from others. He also wrote: ‘The defense of [negative] freedom consists in the "negative" goal of warding off interference’ (Berlin 1969, p. 20). Thus, Berlin’s idea of negative freedom also has an ‘active’ component; it also has to do with being able to ‘ward off’ interference. Part (ii) of the definition of Negative Control reflects this active component of negative freedom. If one is not able to ‘ward off’ someone else’s attempt to access the personal information in question, then one does not have Negative Control over the access to said information.Footnote 12 If one puts up certain irreversible obstacles for oneself, then—at least on one interpretation of the notion—one’s negative freedom is diminished. Part (iii) of the definition of Negative Control reflects this aspect of negative freedom.Footnote 13

Just like positive freedom, Positive Control has to do with being able to do certain things. If one wants to give someone access to a piece of personal information, and one is able to give this someone access, then one has Positive Control. If one is not able to give this someone access to the information, then one does not have Positive Control over the access to said information.Footnote 14

Just like republican freedom, Republican Control has to do with others not being able to do certain things to you. If others are not able to get access to one’s personal information, then one has Republican Control. If others are able to get access to one’s personal information, then one does not have Republican Control over the access to said information.Footnote 15

I have now defined and explained what I mean by Negative Control, Positive Control, and Republican Control, respectively. In the next section, I will show that if the control theorist makes clear that she interprets control as Negative Control, then the counterexamples to the CT that follow the A-strategy, and those that follow the B-strategy, are averted. Henceforth, I will call the resulting theory of interpreting control as Negative Control, the ‘Negative Control Account’.

Averting Counterexamples

In this section, I will show how the Negative Control Account averts the counterexamples that follow the A-strategy, and the counterexamples that follow the B-strategy. I believe that this goes for all counterexamples that follow one of these strategies. If the control theorist makes clear that control should be interpreted as Negative Control, then none of the counterexamples cut any ice against the CT. I will give two examples of this in relation to the A-strategy, and six examples of this in relation to the B-strategy, but I believe that the point generalizes. I will present the counterexamples one at a time. The point I make after each counterexample is exactly the same: If control is interpreted as Negative Control, then the counterexample in question loses its bite. I illustrate this point by repeating the same texts after each counterexample, replacing only the name of the author of the counterexample, and the description of the case in question.

Let us begin with the counterexamples that follow the A-strategy.Footnote 16 The first counterexample that follows the A-strategy comes from William Parent:

All of these definitions [the control definitions of privacy] should be jettisoned. To see why, consider the example of a person who voluntarily divulges all sorts of intimate, personal, and undocumented information about himself to a friend. She is doubtless exercising control, in a paradigm sense of the term, over personal information about herself as well as over (cognitive) access to herself. But we would not and should not say that in doing so she is preserving or protecting her privacy. On the contrary, she is voluntarily relinquishing much of her privacy. People can and do choose to give up privacy for many reasons. An adequate conception of privacy must allow for this fact. Control definitions do not. (Parent 1983, p. 273)

Parent’s idea is that when you voluntarily divulge personal information to a friend, you clearly diminish your privacy with respect to the friend. But control theorists cannot explain this, Parent says, because the person who voluntarily divulges personal information to his friend is in control. However, if control is interpreted as Negative Control, then the person straightforwardly loses control. According to the definition of Negative Control, A’s privacy is diminished if A voluntarily gives someone else access to the relevant information f. This is exactly what is at stake in the counterexample. The person in Parent’s counterexample voluntarily gives his friend access to all sorts of personal information, so according to the Negative Control Account, the person’s privacy is diminished.

The second counterexample that follows the A-strategy comes from Leonhard Menges:Footnote 17

Now, consider—as a third voluntary divulgence case—a person who has complete control and exercises it by revealing intimate facts to the public. To be realistic, take Peter Railton’s admirable Dewey Lecture (2015). In the lecture, Railton presents a series of moments from his personal life that constitute “a transition from insider to outsider, or back” (2015, p. 2). The final transition is constituted by his giving this very talk and then allowing others to upload the manuscript. That’s because he talks openly about his depression and, in particular, his “fear of social embarrassment and humiliation” (2015, p. 13). He says: “I now give to all of you my experience, as story, a tale, an example, you might tell others, or yourself, in order to open a non-threatening conversation with yourself or others about what seeking help can do” (Railton 2015, p. 15). (Menges 2020)

Again, if control is interpreted as Negative Control, then Peter Railton straightforwardly loses control. According to the definition of Negative Control, A’s privacy is diminished if A voluntarily gives someone else access to the relevant information f. This is exactly what is at stake in the counterexample. Peter Railton voluntarily gives the audience access to personal information, so according to the Negative Control Account Peter Railton’s privacy is diminished.

Let us now turn to the counterexamples that follow the B-strategy. We begin with three counterexamples that turn on an interpretation of control as Positive Control. The first one comes from Daniel Farber:

To begin with, while voluntariness is an important aspect of privacy, the concept of control requires elaboration. Privacy would seem to cover nudity as an aspect of intimacy; the Peeping Tom is a classic invader of privacy. If privacy includes the right to "control" visual access to one's body, then it should include not only the right to preclude such access but also the right to allow it. Yet, it seems decidedly odd to say that public indecency laws violate a flasher's right to privacy. If anything, the flasher seems to be invading the privacy of others with an unwanted intimacy. (Farber 1993, pp. 514–515)

Farber’s idea is that control can plausibly be interpreted so that the flasher does not have control if he is not able to show his body to anyone he wants. The type of control at play here is Positive Control, since it has to do with the flasher wanting to give others access, but failing to do so. The fact that the flasher is not able to show his body to others is sufficient for Positive Control to be lost, but not sufficient for Negative Control to be lost. If the control theorist makes clear that control on the CT does not mean Positive Control, then Farber’s counterexample does not show that the CT is too broad, since then it does not follow that control is lost just because the flasher is not able to show his body to anyone he wants. Farber’s example has bite only if control is interpreted as Positive Control.

The second counterexample that turns on an interpretation of control as Positive Control comes from Steve Matthews:

A man might not be able to reveal some private information about himself, even if he wants to. Imagine he suffers from temporary dumbness just as he is about to tell his friends about his love life. In such a case, it doesn't appear that he suffers from a loss of privacy, even though he seems to lack the capacity to reveal his private information. In this case the man retains privacy but lacks control. (Matthews 2008, p. 141)Footnote 18

Matthews's idea is that control can plausibly be interpreted so that the man does not have control if he is not able to reveal his private information to his friends. The type of control at play here is Positive Control, since it has to do with the man wanting to give others access, but failing to do so. The fact that the man is not able to reveal private information to his friends is sufficient for Positive Control to be lost, but not sufficient for Negative Control to be lost. If the control theorist makes clear that control on the CT does not mean Positive Control, then Matthews's counterexample does not show that the CT is too broad, since then it does not follow that control is lost just because the man is not able to reveal private information to his friends. Matthews's example has bite only if control is interpreted as Positive Control.

The third counterexample that turns on an interpretation of control as Positive Control comes from Jeffrey Reiman:

... it might be objected that I can after all invite someone to watch me perform my excretory functions, and in this sense even the privacy that I have here includes my control over who gets access to me. But to think that this shows that such privacy necessarily includes control, one would have to maintain that if I couldn't invite a witness in to watch (say, because of draconian laws or unfailing taboos against doing so), that would mean that those functions were no longer shielded by privacy—and that sounds quite implausible. (Reiman 1995, pp. 30–31)

Reiman’s idea is that control can plausibly be interpreted so that you do not have control if you are not able to make other people watch you perform your excretory functions. The type of control at play here is Positive Control, since it has to do with wanting to give someone access, but failing to do so. The fact that you cannot succeed in making other people watch you perform your excretory functions is sufficient for Positive Control to be lost, but not sufficient for Negative Control to be lost. If the control theorist makes clear that control on the CT does not mean Positive Control, then Reiman’s counterexample does not show that the CT is too broad, since then it does not follow that control is lost just because you are not able to make other people watch you perform your excretory functions. Reiman’s example has bite only if control is interpreted as Positive Control.

Let us now proceed to three counterexamples that turn on an interpretation of control as Republican Control.Footnote 19 The first one also comes from Reiman, and it appears immediately before the quote above. Reiman writes:

If it is said that such prohibition [of performing the excretory functions in public] doesn't take away your ability to display such functions [the excretory functions], it only ups the cost of doing so, then it will follow that no one has any privacy in his home since crooks can break in even though it is prohibited. (Ibid.)

Reiman’s idea is that control can plausibly be interpreted so that you do not have control if crooks are able to break into your house. The type of control at play here is Republican Control, since it has to do with the crooks being able to access if they want to. The fact that crooks are able to break in is sufficient for Republican Control to be lost, but not sufficient for Negative Control to be lost. If the control theorist makes clear that control on the CT does not mean Republican Control, then Reiman’s counterexample does not show that the CT is too broad, since then it does not follow that control is lost just because crooks are able to break in. Reiman’s example has bite only if control is interpreted as Republican Control.

The second counterexample that turns on an interpretation of control as Republican Control comes from Judith Jarvis Thomson:

If my neighbor invents an X-ray device which enables him to look through walls, then I should imagine I thereby lose control over who can look at me: going home and closing the doors no longer suffices to prevent others from doing so. But my right to privacy is not violated until my neighbor actually does train the device on the wall of my house. (Thomson 1975, p. 304)

Thomson’s idea is that control can plausibly be interpreted so that you do not have control if your neighbor invents an X-ray device which enables him to look through walls. The type of control at play here is Republican Control, since it has to do with the neighbor being able to access if she wants to. The fact that the neighbor is able to look through the wall if she wants to is sufficient for Republican Control to be lost, but not sufficient for Negative Control to be lost. If the control theorist makes clear that control on the CT does not mean Republican Control, then Thomson’s counterexample does not show that the CT is too broad, since then it does not follow that control is lost just because your neighbor invents the X-ray device. Thomson’s example has bite only if control is interpreted as Republican Control.

The third counterexample that turns on an interpretation of control as Republican Control comes from Kevin Macnish:

Imagine that I have returned to the coffee shop after a 30 minute interval to find my diary on the table. It is unopened. I panic for a moment, but on seeing me the stranger smiles and hands me the book. She explains that she has not opened it, but saw me leave without it and collected it to await my return. She knows how intimate her own diary is, so she respected my privacy and kept it shut, as well as making sure that no one else would be able to read it. I feel an enormous sense of relief, thank her and leave with my dignity intact. In this case, I do not think that my privacy has been lessened. When I see my diary in another’s possession, I fear that my privacy has been violated, and indeed it might have been. However, as long as the diary is not actually opened and read no reduction in privacy has occurred. Note that this is true even though the diary was not under my control for 30 minutes. (Macnish 2018, pp. 421–422)

Macnish’s idea is that control can plausibly be interpreted so that you do not have control if you forget your diary on the table in a coffee shop. The type of control at play here is Republican Control, since it has to do with the stranger being able to access if she wants to. The fact that the stranger is able to look in the diary is sufficient for Republican Control to be lost, but not sufficient for Negative Control to be lost. If the control theorist makes clear that control on the CT does not mean Republican Control, then Macnish’s counterexample does not show that the CT is too broad, since then it does not follow that control is lost just because the stranger could read the diary. Macnish’s example has bite only if control is interpreted as Republican Control.

I have now given two examples of how the Negative Control Account averts counterexamples that follow the A-strategy, and six examples of how it averts counterexamples that follow the B-strategy. I believe that these points generalize to any attempt to construct a counterexample to the CT that follows either the A-strategy or the B-strategy, respectively. If the critics of the CT can give a counterexample that follows either of these strategies, and presupposes a notion of control that is Negative Control, then they have provided a genuine counterexample to the CT. Unfortunately, as we shall see in the next section, interpreting control as Negative Control collapses the CT into the Access Theory (AT).

How Negative Control Collapses the Control Theory into the Access Theory

It should be clear by now that the control theorist can avert the classic counterexamples if she simply points out that control should be interpreted as Negative Control. Although this point holds regardless, it is interesting to consider the prospects of interpreting control as Negative Control. Interpreting control as Negative Control solves many problems for the control theorist, but if doing so introduces new problems, then at least this is a relevant consideration for the control theorist. I believe that defining privacy in terms of Negative Control collapses the CT into the AT.Footnote 20 Historically, the AT has been the main rival to the CT (Macnish 2018). So, if interpreting control as Negative Control collapses the CT into the AT, then this is very worrying for the control theorist. The control theorist must either accept this collapse, or come up with an alternative interpretation of control that avoids the collapse.

The AT comes in many different versions, but common to all of them is the idea that actual access to the personal information in question is both necessary and sufficient for an individual’s privacy to be diminished:

The Access Theory (AT)

An individual A has informational privacy relative to another individual B and to a personal fact f about A if and only if B does not actually access f.Footnote 21

Just like the CT, the AT comes in many different variations. A common commitment among access theorists, however, seems to be that others must actually access the information in question in order for privacy to be diminished (Macnish 2018, p. 421). A crucial motivation behind the AT is the idea that control does no work in determining whether someone has privacy or not. All that matters, according to the AT, is whether someone actually accesses f. It has recently been argued that the access in question is best understood as an actual epistemic access, and that the degree to which A’s privacy is diminished depends inter alia on how strong the epistemic relation is between B and f (Blaauw 2013; Matheson 2007; Kappel 2013; Fallis 2013). Nothing of importance hangs on whether this specification of the AT is true, but for present purposes, it is helpful to think of the access in question as an actual epistemic access.

Here is how the CT collapses into the AT, if control is interpreted as Negative Control: According to the definition of Negative Control, it is a necessary condition for A’s privacy to be diminished that someone else actually accesses f. To see this, recall that there are two ways to diminish Negative Control. The first way of diminishing privacy occurs if (i) and (ii) are not satisfied. This involves someone else attempting to access f, and succeeding because A cannot prevent it. In that case, f is accessed. An example of this would be if a hacker gains access to A’s online diary, despite A’s best efforts to keep the hacker from accessing. The second way of diminishing privacy occurs if (iii) is not satisfied. This involves A voluntarily letting someone else access f. In that case too, f is accessed. An example of this would be if A voluntarily sends a copy of the diary to the hacker. So, either way, if A loses Negative Control, then someone has accessed f. This makes the Negative Control Account completely coextensional with the AT. Therefore, an access theorist can insist that what drives our intuitions when we think that A’s privacy is diminished is the fact that someone accesses f, rather than the fact that A loses control over f.

By saying that the Negative Control Account becomes coextensional with the AT, I mean the following: In any given case, if the Negative Control Account gives the verdict that A’s privacy is diminished, the AT also gives this verdict. When I say that this collapses the Negative Control Account into the AT, I do not mean that the Negative Control Account gives the same verdicts as the AT for the same reasons. Following Menges, I mean only that the Negative Control Account and the AT are coextensional in the way described above (Menges 2020, p. 3), and that this gives the access theorist room to insist that in any given case, what explains A’s diminishment of privacy is the fact that someone else accesses f, and not the fact that A loses Negative Control over f. [Footnote 22]

Now, a control theorist might insist that CT is not coextensional with the AT, because there are cases where privacy is diminished even though no one accesses any personal information. But it is difficult to see how such a case could be constructed without making the exact same mistake as critics of the CT have made; namely interpreting control as Republican Control. Any case where f is not actually accessed, but where A lacks some sort of control over f, seems to be akin to the threatened loss cases provided by Thomson, Macnish, etc., where A does not have Republican Control. Thus, this type of reply is not available to the control theorist if she wants to avert the counterexamples that follow the B-strategy in the way that I have suggested in this paper. In other words, the control theorist cannot define Negative Control in a way that avoids the collapse if they also want to maintain that privacy is not diminished just because A does not have Republican Control.

The control theorist might insist instead that there are cases where privacy is diminished even though no one accesses any personal information, and where this verdict does not rely on the republican interpretation of control. For instance, the control theorist might point to something like Jakob Mainz and Rasmus Uhrenfeldt’s recent Wiretapping case:

Wiretapping

Smith and Jones are neighbors. Unbeknownst to Jones, Smith wiretaps Jones’ telephone, using a fancy device which allows Smith to listen in on Jones’ conversations without violating Jones’ property rights. As it happens, Jones is on vacation for several months, and does therefore not use the telephone in that time period. (Mainz and Uhrenfeldt 2020)

Wiretapping is meant to elicit the intuition that a violation of the right to privacy can occur, even if no one gets access to personal information. Smith does not access personal information about Jones, because Jones happens not to use the telephone. Nevertheless, it might seem as if Smith violates Jones's right to privacy (ibid.). The control theorist might point to something like Wiretapping to explain why the CT does not collapse into the AT if control is interpreted as Negative Control. At least on one reading of Negative Control, Jones's privacy is diminished, because conditions (i) and (ii) are not satisfied. Smith attempts to get access, but the reason why he fails is not because of Jones's intentional actions directed at preventing others from accessing. On this reading of Negative Control, it is not coextensional with the AT. However, if an implication of interpreting control as Negative Control is that Jones's privacy is diminished in Wiretapping, then this counts against the Negative Control Account. Wiretapping is meant to show that a violation of the right to privacy can occur even if no one accesses personal information. It does not show that a diminishment of privacy can occur even if no one accesses personal information. It is not clear at all that Jones's privacy is diminished in Wiretapping. [Footnote 23] So, if the control theorist insists that the Negative Control Account does not collapse into the AT because the former implies that there is no diminishment of privacy in Wiretapping, then so much the worse for the control theorist.

The access theorist, on the other hand, can straightforwardly insist that Jones’s privacy is not diminished because Smith does not get access to any personal information about Jones. In fact, it is not clear either that a violation of the right to privacy occurs in Wiretapping. It seems more intuitive to say that what happens in Wiretapping is an attempt to violate Jones's right to privacy. In order for this attempt to succeed, Smith would have needed to actually access Jones's personal information, which he did not. In this counterfactual case, it would also be the case that Jones's privacy is diminished. But then, the access theorist could plausibly reply that this loss of privacy occurs exactly because Smith accesses Jones's personal information. It therefore seems that the control theorist needs to accept that the CT collapses into the AT, if she interprets control as Negative Control. [Footnote 24] In the next section, I will present an objection to my argument.

The Source Control Objection

In this section, I will discuss an objection to my argument. According to this objection, the control theorist can avoid the collapse into the Access Theory, if she interprets control as ‘source control’ instead of Negative Control. As I will show in this section, the source control account should be rejected for independent reasons. Thus, even if this objection is true, the control theorist should not interpret control as source control.

As mentioned in the introduction, Leonhard Menges has recently defended a version of the CT that he calls the ‘source control account of privacy’. The account is novel, and suggests a promising alternative answer to the question of how the control theorist should interpret ‘control’. Menges argues—although he does not use this terminology—that his account can both avert the counterexamples to the CT that follow the A-strategy and those that follow the B-strategy. He also argues that his account does not collapse into the AT. If all of this is correct, then the control theorist can follow Menges's account instead of the Negative Control Account, and thus avoid the collapse into the AT. However, I believe that there is reason to think that Menges's account does in fact not avert all counterexamples that follow the A-strategy.

According to Menges, control theorists should interpret control as what he calls ‘source control’. This notion of control is inspired by the classic Frankfurt-cases known from the literature on free will, such as the following:

Jones has resolved to shoot Smith. Black has learned of Jones’s plan and wants Jones to shoot Smith. But Black would prefer that Jones shoot Smith on his own. However, concerned that Jones might waver in his resolve to shoot Smith, Black secretly arranges things so that, if Jones should show any sign at all that he will not shoot Smith (something Black has the resources to detect), Black will be able to manipulate Jones in such a way that Jones will shoot Smith. As things transpire, Jones follows through with his plans and shoots Smith for his own reasons. No one else in any way threatened or coerced Jones, offered Jones a bribe, or even suggested that he shoot Smith. Jones shot Smith under his own steam. Black never intervened. (McKenna and Coates 2020, sect. 3.2).

Menges explains that while Jones could not have avoided killing Smith, Jones still exercises an important kind of control when he decides to shoot Smith without any intervention. We can, as Menges writes, ‘… have an important kind of control over what we do without having effective choice over whether or not we do it’ (Menges 2020, p. 8). The type of control that Jones exercises is what Menges calls source control. If one has this kind of control, then one is the right kind of source of one’s actions. Menges leaves it unsatisfactorily unclear what exactly source control is, and he is aware of that (Menges 2020, p. 9). Nevertheless, control theorists should interpret control as source control, Menges says:

My main proposal is that privacy theorists can and should spell out privacy in terms of source control. According to the resulting source control account of privacy, an agent has privacy with regard to a certain piece of information just in case the person is the right kind of source of the relevant information flow if the information flows at all. In other words: an agent’s having privacy with regard to a piece of information consists in the agent’s being such that if the information flows to others, then the agent is the right kind of source of this information flow. (Menges 2020, p. 9)

Menges goes through a series of cases in order to show that his source control account generates the intuitively correct results in all of these cases. I will not go through all of these cases here, but I will note that I agree with Menges that the source control account does avert nicely all the counterexamples that follow the B-strategy. However, Menges also claims that the source control view averts the counterexamples that follow the A-strategy. He argues that the privacy of the person in Parent’s counterexample is not diminished, as long as he is the right kind of source of sharing the information. That is, Menges bites Parent’s bullet and says that the privacy of the person in Parent’s counterexample is not diminished. He thinks that the person’s privacy is not diminished, but that he rather includes the friend and possibly others in his private realm (Menges 2020, p. 6). [Footnote 25]

Like most contemporary privacy scholars, I find this result very counterintuitive in itself. It seems strange that one’s privacy is not diminished when one divulges all sorts of personal information to a friend. But I also think that this verdict has counterintuitive implications. For instance, it implies that even if the person voluntarily divulges all personal facts about himself to every living person on earth, then—as long as he is the right kind of source of sharing the information—his privacy is not diminished even a tiny bit. That is, the person has full privacy with respect to everyone, even though everyone knows everything about him. This seems like a very counterintuitive result. To illustrate, consider the following thought experiment:

Moving Day

Every citizen of Private Ville lives in a regular house made of bricks. Every citizen of Private Ville is being wiretapped against his or her will by someone from outside of Private Ville. One day, every citizen of Private Ville chooses to move to houses that are made of fully transparent glass. Everyone that walks by such a house can see everything that happens inside the house. And, because the walls are made of thin glass, everyone outside the house can also hear every little sound from inside the house. No one is wiretapping the citizens of Private Ville in the new houses. But the people who were doing the wiretapping are now standing outside the glass houses, watching and listening to what citizens of Private Ville do inside their houses. The citizens of Private Ville are fully aware of this. [Footnote 26]

On the assumption that every citizen of Private Ville exercises source control when they choose to live in such a house, and when they choose to say and do things within the house, it follows from the source control account that by moving into the glass houses the citizens of Private Ville are performing a privacy-enhancing action. [Footnote 27] They go from not having privacy with regard to information about what happens inside their houses—because they did not have source control when they were wiretapped against their will—to having full privacy with regard to this information—because they now exercise source control. This seems very strange. The information still flows to the outsiders of Private Ville as before, but now it also flows to everyone else who happens to walk by. And yet, the source control account implies that the citizens of Private Ville now have more privacy than before.

Note that even if this is not a completely counterintuitive result, at least it seems that Menges's source control account does not handle counterexamples that follow the A-strategy nearly as straightforwardly as the Negative Control Account does. The source control account, and the Negative Control Account, seem to handle counterexamples that follow the B-strategy equally well. But the Negative Control Account handles counterexamples that follow the A-strategy much more straightforwardly than the source control account does. Recall that on the Negative Control Account, the privacy of the person in Parent’s counterexample is diminished because part iii) of the definition of Negative Control is not satisfied. Thus, the Negative Control Account can straightforwardly handle voluntary divulgence cases like Moving Day. So, all things being equal, the Negative Control Account seems more promising than the source control account when it comes to handling the counterexamples to the CT that follow the A-strategy. It is therefore all the more problematic for the control theorist that the Negative Control Account collapses into the AT.

Now, control theorists have often replied to Parent that on the CT, the privacy of the person is in fact diminished, because the person loses control over whether the friend will distribute the personal information to others (Gavison 1980, p. 427; Matheson 2007, p. 255; Lundgren 2020, pp. 168–169). While this reply is intuitively appealing, it is not available to Menges if he wants to remain consistent. The reason is that this reply to Parent claims that the privacy of the person who voluntarily divulges personal information to a friend is diminished. But, as we have seen, Menges explicitly denies this. So, Menges cannot fall back on this reply if he wants to remain consistent.

It may be true that the control theorist can avoid the collapse into the AT, if control is interpreted as source control rather than Negative Control. But, the control theorist should not interpret control as source control regardless, because the source control account cannot handle the counterexamples that follow the A-strategy. This leaves the control theorist with the Negative Control Account which—as we have seen—collapses into the AT.

Concluding Remarks

In this paper, I have defended the AT. I have done so indirectly by developing a new version of the rival CT that is immune to all the classic objections, and showing how this version collapses into the AT. The novel distinction between three types of control, Negative Control, Positive Control, and Republican Control respectively, allows the control theorist to avert both the counterexamples to the CT that follow the A-strategy, and those that follow the B-strategy. If the control theorist points out that control should be interpreted as Negative Control, then all the counterexamples lose their bite. This result itself helps clear up the messy and extensive literature on how best to define privacy. I believe that I have identified a way to save the CT from the most worrying counterexamples against it. This is not a victory for the control theorist, however, given the solution implies that the CT collapses into the AT.

I have discussed a recent version of the CT—the source control account—that does not collapse into the AT. This version does not avert the counterexamples that follow the A-strategy, though. Moving forward, this leaves three options available to the control theorist: The first option is to admit defeat because the Negative Control Account collapses into the AT. The second option is to follow the source control account and look for more plausible ways to handle the counterexamples that follow the A-strategy. The third option is to look for a third version of the CT that handles all the counterexamples and does not collapse into the AT. Regardless of which direction the discussion goes, I believe that progress is made.