Anchoring Vignettes for Defining Privacy

Defining Privacy
by the National Academy of Sciences Committee on Privacy in the Information Age

For a report that was ultimately published as Engaging Privacy and Information Technology in a Digital Age, a NAS Committee on Privacy in the Information Age adopted the method of Anchoring Vignettes, for defining difficult theoretical concepts, to clarify what our highly diverse committee membership meant by "privacy". In the process, we wrote this outline and the anchoring vignettes that follow.

Privacy is a complicated, protean concept that is difficult to define at a theoretical level under any single, logically consistent "umbrella" theory. Doing so in a way that meets with universal consensus, and anticipates the continuing rapid changes in information technology, is probably impossible. Indeed, our committee has considered a variety of analytical definitions of privacy, and we found none that were fully satisfactory. Definitions that are vague tend to produce more agreement (by letting different individuals interpret the same words in different ways) but, since our purpose is clarity and understanding, such definitions are counterproductive.

Although agreement on a broad analytical definition of privacy may be difficult or impossible, our discussions of the privacy implications of specific events and practices have been much easier to understand and agree about. We have therefore collected numerous such examples we think we understand, and tried to build the outlines of an implied definition of privacy from the bottom up. We use the technique of anchoring vignettes to define each example in a common framework. An anchoring vignette is a brief description of a named (hypothetical) person in a specific situation, with some level of privacy or privacy violation described from his or her perspective. The vignettes are organized into sets, each of which reflects a range of privacy from most to least on a single dimension. For example:

[Jonathan] was arrested on charges of assault and battery last year. He lives in a county which stores records of criminal charges at the police headquarters, where there is no public access.
[Monali] was arrested on charges of assault and battery last year. She lives in a county which maintains all records of criminal charges for public inspection at the county courthouse.
[David] was arrested on charges of assault and battery last year. He lives in a county which maintains all records of criminal charges at the county courthouse for public inspection and in an electronic database, to which any police officer or county official has access.
[Andrea] was arrested on charges of assault and battery last year. She lives in a county which posts all criminal charges on the internet. The webpage includes pictures and detailed profiles of all arrested.

The specific names in these vignettes help to fix ideas but could (and do) refer to anyone (which is the reason they are in brackets). One way to think about these vignettes is to imagine you were asked a survey question about each vignette or even about yourself: "How much privacy [does 'name' or do you] have? (a) unlimited, (b) a lot, (c) moderate, (d) some, (e) none." The imagined survey context helps us make the examples concrete and clarifies how they are to be read. Although anchoring vignettes are often used for survey research, defining privacy from the bottom up as we are doing does not involve administering a survey or necessarily asking these questions of others.

Anchoring vignettes thus help us collect, articulate, and organize our numerous examples of privacy violations and protections in a somewhat more digestible and precise way. They also seem to be a good tool for illustrating, expressing, and communicating our existing conceptions of privacy. The technique, by itself, is simply a way to model and communicate our current understanding and definition in way that is much easier to come to agreement about. We have found that the exercise of articulating what we mean theoretically by writing out a set of concrete examples in the form of anchoring vignettes forces us to come to improved analytical understandings about particular dimensions of privacy and about the entire terrain viewed from the top-down, but there are no guarantees that this will always occur or be sufficient when it does.

We have organized the vignettes below into an implied definition of an individual's privacy that stems from asking "privacy from whom and about what". The major categories of privacy are then organized by the persons and institutions from whom an individual might want privacy. (We view the privacy of groups, such as the trade secrets of companies, or of average IQ scores of ethnic groups, as an important but separate issue that we have not tackled.) Then within each of these major categories, which of course overlap and interact to some degree, we list, in the form of sets of anchoring vignettes, some of the examples of the kinds of information that individuals might want to protect. [The examples are intended to illustrate the actual levels of privacy and not the risks to privacy (which may or may not eventually be realized), possible prior consent to or knowledge of privacy violations by individuals, the tradeoffs between privacy and other values, or what level of each type of privacy should be ensured by legislation or litigation.] Although Americans certainly differ in the importance they attach to each category, and to each example within a category, we believe the order of the vignettes within each set will be viewed similarly across individuals (possibly with the extent of ties differing but no systematic differences in ordering reversals).

We believe that the sets of anchoring vignettes we offer below serve to define privacy in a way that is easy to agree about. Of course, for each set of anchoring vignettes (denoting one type of privacy), different people will have different views about what thresholds delineate levels of privacy below which should be considered undesirable, unethical, illegal, or immoral. Agreement on normative issues like these will always be difficult or impossible to achieve. The anchoring vignette-based definition of privacy thus does not resolve all normative issues, but it helps to clearly define the playing field.

Privacy from: (click on links to see vignettes)

Employer
- Surveillance about work
- Drug testing
Family
- Thoughts and Communication
- Parental Intrusion
Friends, Acquaintances, and Neighbors
Researchers
- Survey research
- Medical research
Business
Government

The definition of privacy implied by these anchoring vignettes does not suggest a unique assessment of total or absolute privacy, only how much an individual has in each of the separate domains. To produce a single, overall indicator of privacy requires a decision about the relative importance of each of the domains, which of course may vary across citizens of different cultures, regions, occupations, or demographic groups (even though we expect almost all to order the vignettes within each set in the same way). As a consequence, the choice of the "right" privacy-related legislation, policy implementation, and judicial decision in any context -- formalized as an implicit choice among weights on each dimension -- remains a normative or political decision, not a scientific one, and it is not a decision the technique of anchoring vignettes can make for us.

This process of measuring a concept -- by breaking it down into its component parts in order to measure each as well as possible, and then aggregating by some (possibly normative) criterion -- is not fundamentally different from the process of measuring other complicated concepts across most fields of human knowledge.

Privacy Vignettes Main Page
Anchoring Vignettes Site | Committee on Privacy in the Information Age