When consent is given (or not withheld) or the data is anonymized, virtually any information practice becomes
permissible. These procedural mitigations have long relieved decision-makers of the burden of rendering judgment on the substantive legitimacy
of specific information practices and
the ends that such practices serve. It is
time to recognize the limits of purely
procedural approaches to protecting
privacy. It is time to confront the substantive values at stake in these information practices and to decide what
choices can and cannot legitimately be
placed before us—for our consent.
1. Barocas, S. and Nissenbaum, H. Big data’s end run
around anonymity and consent. In Privacy, Big Data,
and the Public Good: Frameworks for Engagement. J.
Lane, V. Stodden, S. Bender, and H. Nissenbaum, Eds.
Cambridge University Press, NY, 2014.
2. Barr, A. Google may ditch ‘cookies’ as online ad
tracker. USA Today (Sept. 17, 2013).
3. Cate, F.H. The failure of fair information practice
principles. In Consumer Protection in the Age of
the “Information Economy.” J. K. Winn, Ed. Ashgate,
Burlington, VT, 2006, 341–378.
4. Cate, F.H. and Mayer-Schonberger, V. Notice and
consent in a world of big data. International Data
Privacy Law 3, 2 (May 20, 2013), 67–73.
5. Klösgen, W. KDD: Public and private concerns. IEEE
Expert: Intelligent Systems and Their Applications 10,
2 (Feb. 1995), 55–57.
6. Mislove, M. et al. You are who you know: Inferring
user profiles in online social networks. In WSDM
’10: Proceedings of the Third ACM International
Conference on Web Search and Data Mining. ACM, NY,
2010, 251–60; DOI: 10.1145/1718487.1718519.
7. Narayanan, A. and Shmatikov, V. Myths and fallacies of
‘personally identifiable information.’ Commun. ACM 53,
6 (June 2010), 24; DOI: 10.1145/1743546.1743558.
8. Nissenbaum, H. A contextual approach to privacy
online. Daedalus 140, 4 (Oct. 2011), 32–48; DOI:
9. O’Leary, D.E. Some privacy issues in knowledge
discovery: The OECD personal privacy guidelines.
IEEE Expert: Intelligent Systems and Their
Applications 10, 2 (Apr. 1995), 48–59.
10. Piatetsky-Shapiro, G. Knowledge discovery in personal
data vs. privacy: A mini-symposium. IEEE Expert:
Intelligent Systems and Their Applications 10, 2 (Apr.
11. Solove, D.J. Privacy self-management and the consent
dilemma. Harvard Law Review 126, 7 (May 2013), 1880.
12. Steel, E. and Angwin, J. On the Web’s cutting edge,
anonymity in name only. The Wall Street Journal (Aug.
13. Walker, J. Data mining to recruit sick people. The Wall
Street Journal (Dec. 17, 2013).
Solon Barocas (email@example.com) is a postdoctoral
research associate at the Center for Information
Technology Policy at Princeton University.
Helen Nissenbaum (firstname.lastname@example.org) is a
professor of media, culture, and communication at New
An expanded version of the arguments presented in this
Viewpoint appears in Barocas and Nissenbaum.
The authors thank Arvind Narayanan and an anonymous
reviewer for their helpful feedback and gratefully
acknowledge research support from the Intel Science and
Technology Center for Social Computing and NSF awards
DGE-0966187 and CNS-1355398.
Copyright held by authors.
while anonymous identifiers can make
it more difficult to use information
about a specific user outside an organization’s universe, they do nothing
to alleviate worries individuals might
have about their fates within it—the information they are presented, the opportunities they are offered, or the way
they are treated in the marketplace.
Whatever protections this arrangement offers are further undermined
by the kinds of inferences companies
can draw having discovered patterns
in large assemblages of diverse datasets. A company that may have been
unable to learn about individuals’
medical conditions without matching
records across datasets using personally identifiable information may be
able to infer these conditions from the
more easily observable or accessible
qualities that happen to correlate with
13 If organizations become sufficiently confident to act on these uncertain inferences, the ability to draw
these inferences will pose as serious
a threat to privacy as the increasingly
well-recognized risk of de-anonymization. But rather than going to the trouble of attempting to re-associate
“anonymized” medical files with specific
individuals, companies might instead
discover patterns that allow them to
estimate the likelihood someone has
a particular medical condition. That
certain institutions could meaningfully affect a person’s experiences and
prospects in the absence of identifying
information or without violating record-keepers’ promises of anonymity
defies the most basic intuitions about
the value of anonymity.
We Are Not Saying…
There is no role for consent and anonymity in privacy protection. Consent
and anonymity should not bear, and
should never have borne, the entire
burden of protecting privacy. Recognizing their limits allows us to assess
better where and under what conditions they may perform the work for
which they are well suited.
Privacy loses the trade-off with big
data. This tired argument misunderstands the nature and value of privacy
and mistakes means for ends. Weaknesses in existing procedures for protecting privacy do not undercut the viability of privacy itself.
We need to try even harder to achieve
fail-safe anonymization and effectively operationalize notice and consent.
Though worthy goals, the practices
described here bypass not only weak
mechanisms but also defeat the ideal.
What to Do?
Mathematicians and computer scientists will continue to worry about reidentification. Policymakers will continue down the rabbit hole of defining
personally identifiable information
and informed consent. Social scientists and designers will continue to
worry about refining notice and choice.
In the meantime, miners of big data
are making end runs around informed
consent and anonymity.
A lesson may be drawn from biomedicine where informed consent
and anonymity function against a rich
ethical backdrop. They are important
but not the only protective mechanisms in play. Patients and research
subjects poised to sign consent forms
know there are limits to what may be
asked of them. Treatment or research
protocols that lie outside the norm
or involve a higher than normal risk
must have passed the tests of justice
and beneficence. In other words, clinicians and researchers must already
have proven to their expert peers and
institutional review boards that the
protocols being administered or studied are of such great potential value
to the individual subject or to society
that the reasonable risks are worthwhile. Consent forms have undergone
ethical scrutiny and come at the end
of a process in which the values at
stake have been thoroughly debated.
The individual’s signature is not the
sole gatekeeper of welfare.
By contrast, informed consent and
anonymity have served as the sole
gatekeepers of informational privacy.
Big data extinguishes
what little hope
remains for the notice
and choice regime.