A Taxonomy of Privacy Constructs for Privacy-Sensitive Robotics

Matthew Rueben¹, Cindy M. Grimm¹, Frank J. Bernieri², and William D. Smart¹

¹ Authors Rueben, Grimm, and Smart are with the Robotics Group at Oregon State University. ruebenm@oregonstate.edu cindy.grimm@oregonstate.edu bill.smart@oregonstate.edu
² Author Bernieri is with the School of Psychological Science at Oregon State University. frank.bernieri@oregonstate.edu

arXiv:1701.00841v1 [cs.CY] 3 Jan 2017

Abstract— The introduction of robots into our society will also introduce new concerns about personal privacy. In order to study these concerns, we must do human-subject experiments that involve measuring privacy-relevant constructs. This paper presents a taxonomy of privacy constructs based on a review of the privacy literature. Future work in operationalizing privacy constructs for HRI studies is also discussed.

I. INTRODUCTION

In the future, robots promise to become pervasive in our society, if not ubiquitous. Already the advent of the Internet, webcams, and affordable mobile devices has changed the way we think about personal privacy; robots, many of which can move around the world, will further change this paradigm. Whereas webcams are tethered to stationary computers and mobile devices are carried by people, robots can go places and collect data without direct human aid, and perhaps even unbeknownst to humans altogether. This poses a new threat to personal privacy in all its senses: control over private information, the right not to be recorded, personal space and solitude, and so on.

We call the study of privacy issues in robotics and how to mitigate them, “privacy-sensitive robotics.” This area of research itself probably belongs in the field of human-robot interaction, or HRI.

In order to study privacy-sensitive robotics, we must do human-subject experiments; tackling a human-robot interaction problem without consulting the humans is a doomed endeavor. The problem is, “privacy” has many meanings, so testing hypotheses about “privacy” is impossible without being much more specific and choosing just a small part of “privacy” to work with. This paper presents a breakdown of “privacy” into many constructs (i.e., abstract ideas) organized into a hierarchical taxonomy based on a review of the privacy literature.

II. BACKGROUND: ROBOTS AND PRIVACY

Privacy-sensitive robotics can be thought of as a subset of human-robot interaction. Goodrich and Schultz have surveyed human-robot interaction [1] and Fong has surveyed socially-interactive robots [2]. The focus in both of these surveys is on autonomous robot behaviors, although in some cases, autonomy is shared between the human and the robot.

Why do autonomous robots pose a privacy concern for humans? Research has revealed that humans often interact socially with machines. This phenomenon is often stated as “Computers Are Social Actors” (CASA) [3]. Any robot, then, can function as a social actor during a human-robot interaction.

Broad discussions of privacy issues that are specific to robotics are only recently beginning to be published, especially outside of the robotics discipline. Calo gives a good overview as well as some newer insights [4].

Privacy is important in all human cultures [5], although different cultures have different norms for privacy and different mechanisms for enforcing those norms.

Unfortunately, people are not always rational when they make decisions about privacy [6]. Researchers have even had to measure privacy attitudes separately from privacy behaviors because of how poorly people put their privacy preferences into action [7]. In research, the value of privacy is often quantified in monetary terms, and has been shown to depend on the context (i.e., whether privacy protection is being increased or decreased [8]).
If robots can function as social actors in whichever human culture they inhabit, we want to study how we can enculturate robots with respect to our privacy norms. We call research that studies these questions “privacy-sensitive robotics.”

III. A TAXONOMY OF PRIVACY CONSTRUCTS FOR HUMAN-ROBOT INTERACTIONS

This section lays out our taxonomy of privacy constructs and summarizes the key literature behind it. Definitions of terms are to be found via the references where not defined hereafter. The taxonomy is as follows:

1) Privacy (see Leino-Kilpi et al. [9] for subdivision)
   a) Informational (see Solove [10] for subdivision)
      i) Invasion
      ii) Collection
      iii) Processing
      iv) Dissemination
   b) Physical
      i) Personal Space [11]
      ii) Territoriality [11], [12], [13] (see Altman [14] for subdivision)
         A) Intrusion
         B) Obtrusion
         C) Contamination
      iii) Modesty [15]
   c) Psychological
      i) Interrogation [11]
      ii) Psychological Distance [16]
   d) Social
      i) Association [15]
      ii) Crowding/Isolation [14]
      iii) Public Gaze [17]
      iv) Solitude [15] (see Westin [11] for subdivision)
      v) Intimacy
      vi) Anonymity
      vii) Reserve

A. The Literature behind the Taxonomy

We recommend the Stanford Encyclopedia of Philosophy article on privacy by Judith DeCew as a comprehensive guide to the definition of privacy [18], especially in law and philosophy. Most of the references in this section we owe to the bibliography from that article.

1.a-d Leino-Kilpi et al. [9] divide privacy as follows:

1) Physical privacy, over personal space or territory
2) Psychological privacy, over thoughts and values
3) Social privacy, over interactions with others and influence from them
4) Informational privacy, over personal information

1.a.i-iv Informational privacy refers to privacy concerns about personal information. In 1960, William Prosser divided (informational) privacy into four parts. His formulation continues to be referenced today.
Briefly, Prosser divides (informational) privacy into intrusion, public disclosure, false light, and appropriation. These mean the following. First, intrusion into one’s private affairs includes trespassing, search, and remote intrusion such as wire tapping. Second is public disclosure of private facts. Third is publicly portraying the victim in a false light, e.g., by misattributing to the victim a statement or opinion. Fourth is appropriation, or pretending to be the victim for one’s own advantage.

Daniel Solove has constructed a taxonomy of privacy concepts based on Prosser’s formulation. It is shown in Figure 1 as a general overview of informational privacy concerns. We use the highest level of Solove’s hierarchy for 1.a.i-iv.

Fig. 1. Daniel Solove’s visual “model” of his taxonomy of (informational) privacy [10].

1.b.i-ii Privacy could be defined in terms of one’s personal space or territory. These concepts are found readily in proxemics literature as well as in psychology and ethology (i.e., animal behavior studies) in general, but are not often connected with privacy. Patricia Newell includes territoriality in her review of Perspectives on Privacy [12], although she also cites a study that separates between the two [19]. Leino-Kilpi et al. [9] define physical privacy as being over personal space and territory, and Westin also mentions it when he links human privacy ideas with animal behavior [11].

Social psychologist Irwin Altman pulls together the related concepts of privacy, personal space, territoriality, and crowding [14]. His book, along with Burgoon’s article [13] (discussed below), is a good foundation for environmental and spatial factors related to privacy.

Judee Burgoon presents a communication perspective on privacy, including territoriality, in a broad survey [13].
She argues that more “physical” privacy could consist of blocking more communication channels, including sight, sound, and even smell (e.g., the smell of food being cooked next door). We would add further channels enabled by technology: phone calls, text messages, Facebook posts, and the like. Alternatively, Burgoon writes that to have more territory, higher-quality territory (e.g., better-insulated walls), and more unquestioned control over that territory is to enjoy more physical privacy.

1.b.iii Allen lists modesty as an important physical privacy concern in medical settings, especially from the philosophical standpoints of Christian ethics and virtue ethics [15]. Modesty may drive patients to request same-sex or even same-race doctors.

1.c.i According to Westin’s account of privacy in U.S. law, the right to privacy swelled in the late 1900’s [11]. The Supreme Court continued to try cases in which new technologies created privacy concerns beyond physical entry and tangible items. According to Westin, new protections included “associational privacy” over group memberships (this is distinct from 1.d.i) and “political privacy” over unfair questioning on account of political positions.

1.c.ii Proxemics can include psychological distance as well as physical distance (see Hall [16] cited by Mumm and Mutlu [20]).

1.d.i and iv Privacy might also include solitude, i.e., being physically removed from other people. Solitude is more than a freedom from trespassing; one needn’t be at home to desire solitude. Anita Allen includes solitude in her article on privacy and medicine [15]. In the medical setting, the sick often want to be comforted by company, but also to have some time alone. This could be especially true for patients with terminal illnesses, who might want to reflect on their lives and make some important decisions. In such cases we tend to respect their wishes. Allen also mentions “associational privacy,” the ability to choose one’s own company [15].
She notes that patients do not merely desire intimacy, but rather “selective intimacy” with certain loved ones, and this is an aspect of privacy to consider.

1.d.ii Altman calls both crowding and isolation failures to regulate the amount of interaction with others [14]. It may seem odd to call social isolation a privacy issue, but it is a logical conclusion from within Altman’s theory of privacy (see Appendix).

1.d.iii Lisa Austin offers a more nuanced definition of privacy: freedom from “public gaze” [17]. She argues that this updated definition deals with the problem of new technologies to which older definitions of privacy do not object. In particular, Austin is concerned about cases wherein people know they are under surveillance, about the collection of non-intimate but personal information (e.g., in data mining), and about the collection of personal information in public. She claims that other, older definitions of privacy do not agree with our intuition that these technologies (could) invade our privacy by denying us our freedom from “public gaze.”

1.d.iv-vii Alan Westin lists four different states of privacy: solitude, anonymity, intimacy (i.e., being alone with someone), and reserve (i.e., keeping to oneself) [11].

IV. FUTURE WORK

This taxonomy takes the broad concept of privacy and breaks it into more specific constructs. We have split the single trunk into what we see as its main branches, and some of those branches have also been shown to fork off, too. To study privacy in human-robot interaction (e.g., in human-subject experiments), we need the leaves of this privacy tree. Unlike the trunk and branches, the leaves are no longer abstract constructs; instead, they are concrete measures. For example, one operationalization of personal information collection (1.a.ii) would be whether someone knows your social security number – a simple, binary measure.
Other measures might be contextual, e.g., given that you are alone in a room with a PR2 robot staring at you, do you feel comfortable changing your shirt? This comfort level, a proxy for modesty (1.b.iii), could be measured, for example, by a questionnaire. All such measures would tap the extent to which a person’s privacy has been preserved or violated.

REFERENCES

[1] M. A. Goodrich and A. C. Schultz, “Human-robot interaction: a survey,” Foundations and trends in human-computer interaction, vol. 1, no. 3, pp. 203–275, 2007.
[2] T. Fong, I. Nourbakhsh, and K. Dautenhahn, “A survey of socially interactive robots,” Robotics and autonomous systems, vol. 42, no. 3, pp. 143–166, 2003.
[3] C. Nass, J. Steuer, and E. R. Tauber, “Computers Are Social Actors,” in Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, ser. CHI ’94. New York, NY, USA: ACM, 1994, pp. 72–78.
[4] R. Calo, “Robots and privacy,” Robot Ethics: The Ethical and Social Implications of Robotics, Patrick Lin, George Bekey, and Keith Abney, eds., Cambridge: MIT Press, Forthcoming, 2010.
[5] I. Altman, “Privacy Regulation: Culturally Universal or Culturally Specific?” Journal of Social Issues, vol. 33, no. 3, pp. 66–84, 1977.
[6] A. Acquisti and J. Grossklags, “Privacy and rationality in individual decision making,” IEEE Security & Privacy, no. 1, pp. 26–33, 2005.
[7] B. Berendt, O. Günther, and S. Spiekermann, “Privacy in e-commerce: stated preferences vs. actual behavior,” Communications of the ACM, vol. 48, no. 4, pp. 101–106, 2005.
[8] A. Acquisti, L. K. John, and G. Loewenstein, “What is privacy worth?” The Journal of Legal Studies, vol. 42, no. 2, pp. 249–274, 2013.
[9] H. Leino-Kilpi, M. Valimaki, T. Dassen, M. Gasull, C. Lemonidou, A. Scott, and M. Arndt, “Privacy: A Review of the Literature,” International Journal of Nursing Studies, vol. 38, pp. 663–671, 2001.
[10] D. J. Solove, “Understanding privacy,” 2008.
[11] A. F. Westin, Privacy and Freedom. New York, NY: Athenaeum, 1967.
[12] P. B. Newell, “Perspectives on Privacy,” Journal of Environmental Psychology, vol. 15, pp. 87–104, 1995.
[13] J. Burgoon, “Privacy and communication,” in Communication Yearbook 6, M. Burgoon, Ed. Routledge, 1982, no. 6.
[14] I. Altman, The Environment and Social Behavior: Privacy, Personal Space, Territory, and Crowding. Monterey, CA: Brooks/Cole Publishing Company, 1975.
[15] A. Allen, “Privacy and Medicine,” in The Stanford Encyclopedia of Philosophy, spring 2011 ed., E. N. Zalta, Ed., 2011.
[16] E. T. Hall, The Hidden Dimension. Doubleday, Garden City, 1966.
[17] L. Austin, “Privacy and the Question of Technology,” Law and Philosophy, vol. 22, no. 2, pp. 119–166, 2003.
[18] J. DeCew, “Privacy,” in The Stanford Encyclopedia of Philosophy, fall 2013 ed., E. N. Zalta, Ed., 2013.
[19] J. J. Edney and M. A. Buda, “Distinguishing territoriality and privacy: Two studies,” Human Ecology, vol. 4, no. 4, pp. 283–296, 1976.
[20] J. Mumm and B. Mutlu, “Human-robot proxemics: physical and psychological distancing in human-robot interaction,” in Proceedings of the 6th international conference on Human-robot interaction. ACM, 2011, pp. 331–338.
[21] H. Nissenbaum, “Privacy as contextual integrity,” Wash. L. Rev., vol. 79, p. 119, 2004.
[22] A. D. Moore, “Privacy: its meaning and value,” American Philosophical Quarterly, pp. 215–227, 2003.
[23] J. C. Inness, Privacy, intimacy, and isolation. Oxford University Press, 1992.

APPENDIX

Here we add some very important theories about privacy that didn’t make it into this paper because they are too general, but are essential for understanding privacy as a whole (and hence any one construct in our taxonomy).

Altman’s theory defines privacy as a boundary regulation process wherein people try to achieve their ideal privacy state by using certain mechanisms to regulate interaction with others [14].
Notice how this definition allows privacy to sometimes mean more interaction with others, and sometimes less interaction; successfully switching between the two is the key. Along these lines, Altman calls privacy a dialectic process, i.e., a contest between two opposing forces – withdrawal and engagement – which alternate in dominance. Hence, privacy to Altman is dynamic in that the desired level of engagement changes over time for a given individual. This theory is necessary for understanding Altman’s discussion of personal space, territoriality, and crowding.

Helen Nissenbaum’s approach to privacy, which she calls “contextual integrity,” focuses on the idea that different norms of information gathering and dissemination are observed in different contexts [21]. Privacy is violated in a given context when the norms for information gathering or dissemination within that context are broken. Nissenbaum argues that some scenarios, especially public surveillance, are intuitively felt by many to be potential privacy violations, and that while U.S. legal policy overlooked these scenarios (at time of writing), “contextual integrity” does a better job of accounting for our intuitive concerns [21].

Adam Moore defines privacy as, “control over access to oneself and information about oneself” [22]. This is a “control-based” definition of privacy, in which it doesn’t matter whether somebody accesses you or your information, but rather whether you can control that access. Control-based definitions account for situations in which someone invites others into his close company, or willingly gives out personal information. These actions would violate privacy if privacy is the state of being let alone, or of having all your personal information kept to yourself. But authors holding to control-based definitions of privacy maintain that the person in question is still in control, so there’s no violation; this especially makes sense in the legal context.

Julie Inness wrote the book on privacy as it relates to intimacy [23]. She proposes that intimate interactions must be motivated by liking, love, or care in order to be intimate. As evidence she points to Supreme Court decisions wherein constitutional privacy protection was conferred to issues of the family and sexual health due to the personal, emotional impacts that made those issues intimate. In this way, Inness seems to define privacy as the protection of intimate matters, where intimacy comes from the motivation and not the behavior itself (e.g., kissing is not automatically intimate). She recognizes that this definition of intimacy is subjective, making legal rulings more difficult.