tion Practices. It presently doesn’t have
much else. Models and mechanisms
that support privacy are scarce, not generally known, and rarely understood by
either customers or developers.
As more things become digitized, informational privacy increasingly covers
areas for which Fair Information Practices were never envisioned. Biometrics,
physical surveillance, genetics, and behavioral profiling are just a few of the
areas that are straining Fair Information Practices to the breaking point.
More sophisticated models are emerging for thinking about privacy risk, as
represented by the work of scholars
such as Helen Nissenbaum and Daniel
Solove. However, if not associated with
privacy protection mechanisms and
supported by translation guidance, the
impact of such models is likely to be
much less than they deserve.
A recent example is the development and deployment of whole-body
imaging (WBI) machines at airports
for physical screening of passengers.
In their original incarnation, these machines perform what has been dubbed
a “virtual strip search” due to the body
image that is presented. These machines are currently being deployed at
U.S. airports in a way that is arguably
compliant with Fair Information Practices. Yet they typically operate in a way
that many people find offensive.
The intended purpose certainly is
not to collect, use, disclose, and retain
naked images of people; it is to detect
potentially dangerous items they may
be carrying on their persons when
screened. Fair Information Practices
include minimization of personal information collected, used, disclosed,
and retained, consistent with the intended purpose.
This has profound implications
for how image data is processed,
presented, and stored. It should
be processed so at no point does
there ever exist an exposed body image
that can be viewed or stored. It
should be presented in a nonexposed
form (for example, a chalk outline
or a fully clothed person) with indicators
where things have been detected.
None of it should be retained
beyond the immediate encounter.
That almost none of these design
elements were originally specified
illustrates what too often happens
in the absence of applicable models
and mechanisms and their requisite
translation, along with principles,
into effective requirements.
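The three design elements above (no viewable body image, a nonexposed presentation with indicators, no retention) can be written as an interface requirement. The sketch below is an added example, not code from the article or from any deployed screening system; the zone names, the threshold test standing in for a detector, and the text rendering are all assumptions.

```python
from typing import FrozenSet

# Constructed zone names for one fixed, generic outline (assumption).
ZONES = ("head", "torso", "left_leg", "right_leg")


def zone_of(x: int, y: int, width: int, height: int) -> str:
    """Map a pixel to a coarse zone; pixel coordinates never leave this module."""
    if y < height // 4:
        return "head"
    if y < height // 2:
        return "torso"
    return "left_leg" if x < width // 2 else "right_leg"


def screen(raw: bytearray, width: int, height: int,
           threshold: int = 200) -> FrozenSet[str]:
    """Return only the zones with a detection, then wipe the scan buffer.

    The threshold test is a stand-in for a real detector (assumption).
    """
    try:
        return frozenset(
            zone_of(i % width, i // width, width, height)
            for i, value in enumerate(raw)
            if value >= threshold
        )
    finally:
        # Retention: overwrite in place, even if detection raises.
        # This clears this buffer only; any upstream copy needs the same step.
        raw[:] = bytes(len(raw))


def render(zones: FrozenSet[str]) -> str:
    """Draw the same generic outline for every person, marking flagged zones."""
    return "\n".join(f"[{'X' if z in zones else ' '}] {z}" for z in ZONES)
```

Because `render` takes only the set of zones, two different people with a detection in the same zone produce an identical display, which is the property the nonexposed presentation is meant to guarantee.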