Disaster Privacy/Privacy Disaster

20 Pages Posted: 29 Jul 2019

See all articles by Madelyn Sanfilippo

Madelyn Sanfilippo

University of Illinois at Urbana-Champaign; CITP, Princeton University

Yan Shvartzshnaider

York Univesity, Lassonde School Of Engineering

Irwin Reyes

University of California, Berkeley

Helen Nissenbaum

Cornell Tech; Cornell Tech NYC

Serge Egelman

University of California, Berkeley - Department of Electrical Engineering & Computer Sciences (EECS); International Computer Science Institute (ICSI)

Date Written: July 26, 2019


Privacy expectations during disasters differ significantly from non-emergency situations. Recent scandals, such as inappropriate disclosures from FEMA to contractors, illustrate that tradeoffs between emergencies and privacy must be made carefully. Increased use of social technologies to facilitate communication and support first responders provide more opportunities for privacy infringements, despite increased regulation of disaster information flows to government agencies and with trusted partners of the government. This paper specifically explores the actual practices followed by popular disaster apps. Our empirical study compares content analysis of privacy policies and government agency policies, structured by the contextual integrity (CI) framework, with static and dynamic app analysis documenting the personal data they send. We identify substantive gaps between regulation and guidance, privacy policies, and information flows generated by apps/platforms, resulting from ambiguities and exploitation of exemptions. Results also indicate gaps between governance and practice, including: (1) many apps ignore transmission principles self-defined in policy; (2) while some policies state they “might” access location data under certain conditions, those conditions are not met as 12 apps included in our study capture location immediately upon download; and (3) not all third parties data recipients are identified in policy, including instances that violate expectations of trusted third parties. We visually map disaster information flows during disasters and around third party and government apps within the disaster response domain, and emphasize information exchanges between specific actors and the differences between actual flows of personal information and regulatory and policy specifications.

Keywords: privacy, contextual integrity, disasters, emergency communications

Suggested Citation

Sanfilippo, Madelyn and Shvartzshnaider, Yan and Reyes, Irwin and Nissenbaum, Helen F. and Nissenbaum, Helen F. and Egelman, Serge and Egelman, Serge, Disaster Privacy/Privacy Disaster (July 26, 2019). TPRC47: The 47th Research Conference on Communication, Information and Internet Policy 2019, Available at SSRN: https://ssrn.com/abstract=3427562 or http://dx.doi.org/10.2139/ssrn.3427562

Madelyn Sanfilippo (Contact Author)

University of Illinois at Urbana-Champaign ( email )

601 E John St
Champaign, IL Champaign 61820
United States

CITP, Princeton University ( email )

22 Chambers Street
Princeton, NJ 08544-0708
United States

Yan Shvartzshnaider

York Univesity, Lassonde School Of Engineering ( email )

4700 Keele Street
Toronto, Ontario M3J 1P3

Irwin Reyes

University of California, Berkeley ( email )

310 Barrows Hall
Berkeley, CA 94720
United States

Helen F. Nissenbaum

Cornell Tech

111 8th Avenue #302
New York, NY 10011
United States

Cornell Tech NYC

111 8th Avenue #302
New York, NY 10011
United States

Serge Egelman

International Computer Science Institute (ICSI) ( email )

Berkeley, CA
United States

University of California, Berkeley - Department of Electrical Engineering & Computer Sciences (EECS) ( email )

Berkeley, CA 94720-1712
United States

Do you have negative results from your research you’d like to share?

Paper statistics

Abstract Views
PlumX Metrics