Ethics in IT — Week 2 · Ch. 4
Privacy
Four kinds of privacy. Six laws built on a 1986 model. And a Supreme Court that just rewrote the rules.
13 slides ~16 minutes ETH-05 · The Factionless
By the end of this module, you will distinguish four types of privacy, map the US privacy law framework, analyze the Carpenter decision's reshaping of the third-party doctrine, evaluate Amazon's workplace monitoring through four ethical frameworks, and apply Privacy by Design principles.
Slide 2 of 13
Why Privacy Is Hard in IT
The data is small. The aggregation is total. The harm is invisible until it isn't.
Each datum is small
A single location ping. A single search query. One purchase. None of these feel like privacy violations in isolation.
Aggregation is total
Five years of those data points reveal where you live, work, sleep, worship, who you visit, and what you fear. The whole is far more sensitive than the sum of its parts, and the sensitivity comes from the joining, not from any single record.
Harm is delayed
The privacy violation today becomes the discrimination, the manipulation, or the breach in five years. The decision-maker who collects can't see the harm; the harmed person can't see the decision.
The professional position: the IT professional building data systems is the person who sees the aggregation potential before anyone else. The privacy decision is theirs to flag.
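The aggregation point above is easier to feel than to argue, so here is an added worked example (not from the slides) in Python: a handful of location pings, each meaningless alone, are bucketed by place and time of day until "home", "work" and a weekly Sunday routine fall out. The two weeks of pings are constructed, the grid size and thresholds are assumptions, and the inference rules are deliberately crude; a real adversary would do better, not worse.

```python
"""Added example, not part of the original module: inferring home, work and
a weekly routine from location pings. All data below is constructed."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

CELL_DECIMALS = 3   # round to 0.001 degree, roughly 100 m: the "same place" bucket (assumption)
MIN_PINGS = 5       # fewer than this in a cell and we refuse to label it (assumption)

# Constructed sample, not real data: two weeks of one hypothetical phone.
HOME = (40.7128, -74.0062)
WORK = (40.7581, -73.9858)
SUNDAY_SPOT = (40.7302, -73.9952)


def _ping(day, hour, centre, k):
    # k adds a few metres of jitter so no two pings share exact coordinates
    return (day.replace(hour=hour).isoformat(), centre[0] + 0.0001 * k, centre[1] + 0.0001 * k)


def constructed_pings():
    pings, start = [], datetime(2024, 3, 4)           # a Monday
    for offset in range(14):
        d = start + timedelta(days=offset)
        for k, hour in enumerate((0, 3, 22)):          # overnight: phone sits at home
            pings.append(_ping(d, hour, HOME, k))
        if d.weekday() < 5:
            for k, hour in enumerate((10, 13, 16)):    # weekday daytime: at work
                pings.append(_ping(d, hour, WORK, k))
        elif d.weekday() == 6:
            pings.append(_ping(d, 10, SUNDAY_SPOT, 0))  # Sunday morning, same place each week
    return pings


def snap(lat, lon):
    """Collapse GPS jitter into a grid cell so repeated visits count together."""
    return (round(lat, CELL_DECIMALS), round(lon, CELL_DECIMALS))


def dominant_cell(pings, keep):
    """Most-visited cell among pings whose timestamp passes `keep`, or None if too few."""
    counts = Counter(snap(lat, lon) for ts, lat, lon in pings if keep(datetime.fromisoformat(ts)))
    if not counts:
        return None
    cell, n = counts.most_common(1)[0]
    return cell if n >= MIN_PINGS else None


def recurring_cell(pings, keep, min_weeks=2):
    """A cell seen in at least `min_weeks` distinct ISO weeks among matching pings: a routine."""
    weeks = defaultdict(set)
    for ts, lat, lon in pings:
        t = datetime.fromisoformat(ts)
        if keep(t):
            weeks[snap(lat, lon)].add(t.isocalendar()[1])
    hits = [cell for cell, w in weeks.items() if len(w) >= min_weeks]
    return hits[0] if hits else None


def infer_places(pings):
    """Where the phone sleeps is 'home'; where it spends weekday office hours is 'work'."""
    return {
        "home": dominant_cell(pings, lambda t: t.hour >= 22 or t.hour < 6),
        "work": dominant_cell(pings, lambda t: t.weekday() < 5 and 9 <= t.hour <= 17),
        "sunday_routine": recurring_cell(pings, lambda t: t.weekday() == 6 and 9 <= t.hour <= 12),
    }


SAMPLE_PINGS = constructed_pings()

if __name__ == "__main__":
    print("one ping  :", infer_places(SAMPLE_PINGS[:1]))   # nothing can be said
    print("two weeks :", infer_places(SAMPLE_PINGS))       # home, work, Sunday routine
```

The first call returns three `None`s: a single ping is exactly as harmless as the slide says. The second call labels three cells, and the code never looked at anything but timestamps and coordinates. That gap between the two calls is the aggregation problem.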
Slide 3 of 13
Four Types of Privacy
"Privacy" is shorthand for four distinct rights. Each carries different IT implications.
Informational
What it protects: control over what personal info is collected, stored, shared.
IT context: data collection, profiling, behavioral tracking, third-party sharing.
Physical
What it protects: personal space and body — freedom from physical monitoring.
IT context: workplace cameras, biometrics, location tracking.
Decisional
What it protects: personal choices without interference or monitoring.
IT context: health decision privacy, financial monitoring, employment-based personal-conduct restrictions.
Associational
What it protects: association with others without monitoring or disclosure.
IT context: social network analysis, email metadata, mobile contact monitoring.
The metadata trap: "we don't read your messages, just the metadata" is a sleight of hand. Associational metadata frequently reveals more about a person than the content they sent. Who you talk to is privacy.
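To make the metadata trap concrete, here is an added example (Python, not from the slides) that reads only sender, recipient and timestamp from a constructed mail log, never a subject line or body, and still recovers who the owner's regular contacts are, whether each relationship is reciprocal, and which contact follows a fixed weekly slot after hours. The addresses, the "recovery group" contact and the routine threshold are all constructed assumptions.

```python
"""Added example, not part of the original module: what From/To/Date alone
reveal about a mailbox. The header log below is constructed, not real mail."""
from collections import Counter, defaultdict
from datetime import datetime

OWNER = "alice@example.org"


def _weekdays(first, last):
    # March 2024 weekdays between two day-of-month values (helper for the sample)
    return [d for d in range(first, last + 1) if datetime(2024, 3, d).weekday() < 5]


# (sender, recipient, timestamp). No subjects, no bodies.
HEADERS = (
    # daily two-way traffic with a colleague during office hours
    [(OWNER, "bob@example.org", f"2024-03-{d:02d}T10:15:00") for d in _weekdays(4, 15)]
    + [("bob@example.org", OWNER, f"2024-03-{d:02d}T11:40:00") for d in _weekdays(4, 15)]
    # every Tuesday at 20:00, outbound only, to a support-group address
    + [(OWNER, "meetings@recovery-group.example", f"2024-03-{d:02d}T20:05:00") for d in (5, 12, 19)]
    # one inbound newsletter
    + [("news@vendor.example", OWNER, "2024-03-07T06:00:00")]
)


def contact_profiles(headers, owner):
    """Per counterpart: messages in each direction and the (weekday, hour) slots used."""
    profiles = defaultdict(lambda: {"sent": 0, "received": 0, "slots": Counter()})
    for sender, rcpt, ts in headers:
        if owner not in (sender, rcpt):
            continue
        other = rcpt if sender == owner else sender
        p = profiles[other]
        p["sent" if sender == owner else "received"] += 1
        t = datetime.fromisoformat(ts)
        p["slots"][(t.weekday(), t.hour)] += 1
    return profiles


def describe(profiles, min_routine=3):
    """Turn raw counts into the inferences an analyst, or an adversary, would draw."""
    report = {}
    for other, p in profiles.items():
        slot, n = p["slots"].most_common(1)[0]
        report[other] = {
            "messages": p["sent"] + p["received"],
            "reciprocal": p["sent"] > 0 and p["received"] > 0,   # relationship, or broadcast?
            "routine_slot": slot if n >= min_routine else None,  # same weekday+hour repeatedly
            "after_hours": slot[1] >= 18 or slot[1] < 8,         # outside a 08:00-18:00 working day
        }
    return report


REPORT = describe(contact_profiles(HEADERS, OWNER))

if __name__ == "__main__":
    for who, facts in REPORT.items():
        print(who, facts)
```

The colleague shows up as a high-volume, two-way, daytime relationship with no fixed ritual. The support group shows up as one-way, Tuesday 20:00, three weeks running: an association, a schedule, and a strong hint at its nature, from three header lines and zero words of content. That is the associational-privacy harm the slide is describing.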
Slide 4 of 13
US Privacy Law: Sectoral
No single privacy statute. Sector-specific laws stitched together — with gaps the size of the modern economy.
HIPAA (1996)
Healthcare data. Covered entities + business associates. Breach notification (added by HITECH, 2009). Civil penalties capped per violation category per calendar year, roughly $2M, inflation-adjusted.
COPPA (1998)
Children online. Verifiable parental consent before collecting personal info from under-13s.
FERPA (1974)
Educational records. Parents hold the rights until the student turns 18 or enrolls in postsecondary education; then they transfer to the student. No release without consent, apart from listed exceptions such as directory information.
ECPA (1986)
Electronic communications. Three titles: the Wiretap Act, the Stored Communications Act, and pen register/trap-and-trace. Governs government access to stored email (SCA) and employer monitoring (consent and business-use exceptions). Pre-cloud framework.
USA PATRIOT Act (2001)
National security surveillance. Section 215 was the claimed authority for bulk telephone-records collection. Contested in court (the Second Circuit held the program exceeded the statute in ACLU v. Clapper, 2015); bulk collection was ended by the USA FREEDOM Act (2015).
GDPR (EU, in force 2018)
Personal data of people in the EU, wherever the controller sits if it offers them goods or services or monitors their behaviour (Art. 3). A lawful basis for every processing operation; where consent is the basis, it must be specific and informed. Right to erasure. Data minimization. Extraterritorial reach.
Slide 5 of 13
The 1986 Problem
ECPA was written when email was new and the cloud didn't exist. The law has not caught up to the data.
The architectural reality: if your data system serves US-only users, the gaps are real and nothing fills them. If it offers goods or services to, or monitors the behaviour of, people in the EU, GDPR applies regardless of where the company or the servers sit (Art. 3(2)). Most modern systems end up designing to GDPR because the EU population is not cleanly separable from everyone else in the same database.
Slide 6 of 13
Case: Amazon Workplace Monitoring
Productivity scanners. AI-powered cameras. Algorithmic discipline. A patent for wristbands that track hand movements.
The system: Amazon warehouse operations use handheld scanners that track productivity in real time, AI cameras that monitor worker movements, and algorithmic performance management that automatically generates disciplinary actions when productivity falls below thresholds. Workers must meet quotas the algorithm tracks. Some discipline is automated to the degree that human review is bypassed.
What's at stake: the same physical-privacy and decisional-privacy interests that justify limits on government surveillance are in play in workplace monitoring, but the Fourth Amendment binds government, not private employers. The legal limits on employers come from ECPA's consent and business-use exceptions and from state law, and that consent doctrine has historically tilted heavily in the employer's favor. The ethical question isn't whether it's legal (with notice, it generally is). It's whether it's right.
Slide 7 of 13
Amazon Through Four Frameworks
No framework gives a clean answer. The strength is in the disagreement.
Utilitarian
Efficiency gains reduce consumer costs. But injury rates, stress, turnover are harms in the calculus. The net welfare answer is contested.
Deontological
Does monitoring treat workers as means to efficiency rather than as ends? Automated discipline without human review removes Kant's required moral judgment from the loop.
Fairness (Rawls)
Behind the veil of ignorance, would a rational person choose this monitoring system not knowing whether they'd be employer or worker? Almost certainly not.
Common Good
If replicated across the economy, what does this do to the institution of dignified work? The cumulative cultural cost is part of the analysis.
The professional position: the engineer building these systems doesn't get to outsource the ethical analysis to "policy." Designing the threshold algorithm is the ethical decision. The choice of what counts as "below standard" is editorial.
Slide 8 of 13
Case: Carpenter v. United States
2018. The Supreme Court rewrites the third-party doctrine for the smartphone era.
The facts: investigators obtained 127 days of Timothy Carpenter's historical CSLI from his wireless carriers with a Stored Communications Act §2703(d) order, which needs only "specific and articulable facts", not probable cause. The Court, 5-4, held that acquiring that record was a Fourth Amendment search requiring a warrant.
The reasoning: data you "voluntarily" generate by carrying a phone isn't really voluntary in any meaningful sense. The third-party doctrine (Smith v. Maryland, United States v. Miller) made sense when "sharing" meant a deliberate disclosure to a known recipient. CSLI is automatic, continuous, and yields a comprehensive chronicle of a person's movements. The Court called its holding narrow: it did not decide real-time CSLI or "tower dumps".
Slide 9 of 13
What Would You Do?
A court order — not a warrant. 500 customers. The SCA says you can comply. Should you?
You are a data architect at a telecommunications company. Law enforcement presents a court order (not a warrant) requesting six months of CSLI for 500 customers connected to an investigation. The Stored Communications Act permits disclosure under a §2703(d) order, which requires only "specific and articulable facts", not probable cause. The data request would expose the daily movements of 500 people, most of whom are not suspects. What does Carpenter mean for your decision? What does your professional ethics code require beyond the legal minimum?
Carpenter Says
After Carpenter, historical CSLI covering a week or more requires a warrant under the Fourth Amendment, so a §2703(d) order is not sufficient process for six months of records. Carpenter expressly left "tower dumps" open, and a 500-customer request looks like one; that gap is a reason to insist on a warrant, not to relax. Push back on the request type.
Code Says
ACM Code 1.2 ("Avoid harm") and the IEEE Code require weighing harm to the public. Exposing 500 people's movements without warrant-level cause is harm at scale; the legal floor is not the ethical standard.
Practical Move
Escalate internally. Engage legal counsel. Ask that the request be refiled as a warrant, or narrowed to named suspects and a shorter window. Document the conversation.
Slide 10 of 13
Privacy by Design
A philosophy, not a checklist. The design choice you make at architecture time is the privacy choice you've already made.
The Cavoukian principle: "A system that was not designed with privacy in mind cannot be made private by adding disclosures afterward. The disclosures explain what the system does. They do not change what the system does."
Slide 11 of 13
Four PbD Principles
Four of Cavoukian's seven foundational principles. Not optional. Each connects to a specific implementation pattern.
Proactive, not reactive
Principle: privacy protections built in before deployment.
Implementation: privacy impact assessments before launch; threat modeling includes privacy threats, not just security.
Privacy as the default
Principle: default = maximum privacy. Users opt in to share more, not opt out to share less.
Implementation: minimum default collection; granular consent; explicit opt-in for non-essential.
Data minimization
Principle: collect only what's needed for the stated purpose; don't keep beyond use.
Implementation: retention policies; purpose-limitation docs; regular audits; automated deletion.
End-to-end security
Principle: privacy spans the full data lifecycle — collection through disposal.
Implementation: encryption at rest + in transit; secure disposal; access control throughout.
Slide 12 of 13
The Default Is the Design
How a system behaves when nobody changes a setting tells you everything about whose interest the design serves.
Privacy-hostile defaults
Location sharing on. Ad personalization on. Data export disabled. "Make it easier to opt-in to share, harder to opt out."
The design declares: the user's privacy is for sale.
Privacy-respecting defaults
Location off until needed. Personalization off until enabled. Data export easy. "Most permissive setting requires explicit user choice."
The design declares: the user's privacy is the user's.
The professional duty: when the product manager argues for privacy-hostile defaults because they boost engagement metrics, the IT professional's role is to make the privacy cost visible in the same conversation. The metric-driven default is a value judgment dressed up as a business decision.
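Slides 11 and 12 describe the implementation patterns in words; here is an added example (Python, not from the slides) that turns three of them into code that refuses to misbehave: privacy as the default (every non-essential purpose is off until the user opts in), data minimization with purpose limitation (a purpose may collect only its declared fields), and lifecycle enforcement (each record carries an expiry and is purged automatically). The purpose registry, field names, retention periods and user data are all constructed assumptions; nothing here is Amazon's or anyone else's real schema.

```python
"""Added example, not part of the original module: privacy-by-design rules
enforced in code rather than in a policy document. All names are illustrative."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Hypothetical purpose registry: the ONLY fields each purpose may collect, and how long
# they may be kept. Adding a field means editing this table, which is the point.
PURPOSES = {
    "order_fulfilment":   {"fields": {"email", "shipping_address"}, "retention": timedelta(days=90)},
    "fraud_check":        {"fields": {"email", "ip_address"},       "retention": timedelta(days=30)},
    "ad_personalisation": {"fields": {"email", "browsing_history"}, "retention": timedelta(days=365)},
}
ESSENTIAL = {"order_fulfilment"}   # the only purpose a fresh account starts with (assumption)


class PurposeViolation(ValueError):
    """Raised when collection would exceed consent or the declared purpose."""


@dataclass
class Consent:
    # Privacy as the default: start with essentials only; sharing more is an explicit opt-in.
    enabled: set = field(default_factory=lambda: set(ESSENTIAL))

    def opt_in(self, purpose):
        if purpose not in PURPOSES:
            raise PurposeViolation(f"unknown purpose {purpose!r}")
        self.enabled.add(purpose)


@dataclass
class Store:
    records: list = field(default_factory=list)   # (purpose, data, expires_at)

    def collect(self, consent, purpose, data, now):
        """Refuse anything not covered by consent or outside the purpose's field list."""
        spec = PURPOSES[purpose]
        if purpose not in consent.enabled:
            raise PurposeViolation(f"{purpose} is off by default and not opted in")
        extra = set(data) - spec["fields"]
        if extra:
            raise PurposeViolation(f"{purpose} may not collect {sorted(extra)}")
        self.records.append((purpose, dict(data), now + spec["retention"]))

    def purge_expired(self, now):
        """Automated deletion: drop every record past its retention window; return how many."""
        before = len(self.records)
        self.records = [r for r in self.records if r[2] > now]
        return before - len(self.records)

    def fields_held(self):
        return sorted({k for _, data, _ in self.records for k in data})


def run_demo():
    """Walk a fresh user through the three controls and return what happened at each step."""
    now = datetime(2024, 3, 4, 9, 0)
    store, consent, out = Store(), Consent(), {}
    user = {"email": "u@example.org", "shipping_address": "1 Example St"}

    # 1. Non-essential purpose is OFF by default: collection is refused, not silently allowed.
    try:
        store.collect(consent, "ad_personalisation", {"email": user["email"], "browsing_history": []}, now)
        out["ads_by_default"] = "collected"
    except PurposeViolation:
        out["ads_by_default"] = "refused"

    # 2. Purpose limitation: an undeclared field is rejected even for an enabled purpose.
    try:
        store.collect(consent, "order_fulfilment", {**user, "phone": "+1 555 0100"}, now)
        out["extra_field"] = "collected"
    except PurposeViolation:
        out["extra_field"] = "refused"

    # 3. Legitimate collection, an explicit opt-in, then retention enforced by the clock.
    store.collect(consent, "order_fulfilment", user, now)
    consent.opt_in("fraud_check")
    store.collect(consent, "fraud_check", {"email": user["email"], "ip_address": "203.0.113.7"}, now)
    out["held_day_0"] = store.fields_held()
    out["purged_day_31"] = store.purge_expired(now + timedelta(days=31))   # fraud data gone
    out["held_day_31"] = store.fields_held()
    out["purged_day_91"] = store.purge_expired(now + timedelta(days=91))   # fulfilment data gone
    out["held_day_91"] = store.fields_held()
    return out


if __name__ == "__main__":
    for step, result in run_demo().items():
        print(f"{step:15} {result}")
```

Notice what the product manager in the slide above would have to do to get privacy-hostile defaults: change `ESSENTIAL`, or widen a field list in `PURPOSES`. Either is a visible, reviewable diff in the same repository as the code, which is exactly where the slide says the privacy cost should become visible.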
Slide 13 of 13
Module 5 Summary
Privacy — key takeaways.
1. Four types of privacy: informational, physical, decisional, associational. Each has distinct IT implications and distinct legal regimes.
2. Metadata is privacy. "We don't read your messages, just metadata" is sleight of hand — associational data often reveals more than content.
3. US privacy law is sectoral. HIPAA / COPPA / FERPA / ECPA / PATRIOT — gaps the size of the modern economy. GDPR reaches into the gaps through its extraterritorial scope (Art. 3(2)).
4. ECPA was written in 1986. Pre-cloud, pre-smartphone. Most of US privacy law has not caught up to the data.
5. Carpenter (2018): historical CSLI (seven days or more) requires a warrant. The third-party doctrine doesn't extend to data that is "shared" automatically and reveals comprehensive movements.
6. Workplace monitoring is legal but contested. Amazon-style algorithmic discipline tests every framework: utilitarian, deontological, fairness, common good.
7. Privacy by Design: proactive (before deployment), default (maximum privacy), minimization (collect only what's needed), end-to-end (full lifecycle).
8. The default IS the design. A system's defaults reveal whose interest it serves. The IT professional's role is to make that visible at design time.
Next up: Module 6 — Freedom of Expression. First Amendment, Section 230, content moderation, and the question of who controls editorial judgment online.