Threats to privacy are very much like Justice Potter Stewart's classic statement about obscenity -- they are hard to describe, but you know them when you see them.
But there's a problem when people try to describe what they understand as "privacy" -- they often use the same word to mean different things. Different people, of course, have different sensitivities, and the fear of something different can prevent realization of the beneficial elements of the Internet's changing landscape.
Failure to identify what privacy means when we discuss threats to privacy contributes to the confusion.
As discussions begin anew about regulatory and legislative efforts to address privacy, this confusion about how to define it makes policy-making difficult. It creates an uncertain environment for technological innovation and leads too often to sloganeering that prevents us from addressing real harms and embracing technology that can better connect our world.
Never miss a local story.
During my time at Facebook, we saw legitimate privacy challenges and sloganeering. Our attempts to address these challenges with smart design based on empowering consumers to make their own choices about sharing hit the mark often and have helped the site build a user base of more than half a billion people worldwide, but not always.
A candid discussion of what I call the "three privacies" can assist this debate that often generates more heat than light.
Generally speaking, people mean three things when they talk about threats to their privacy.
DATA PROTECTION WORRY: People are rightly concerned about any collection of data about them, and want to maintain some control over what is collected and who has access to it.
But sometimes discussing protecting data devolves into the assertion that no one should be collecting any data about anyone, or that technology should create for them powers they don't have in the real world.
For instance, the "neuralizer" from the movie "Men in Black" -- a device that erases everyone's memory who has encountered aliens -- is something that some privacy advocates seem to want and think people are entitled to despite the fact it never has existed. But the reality is that a robust economy based on trust and actual consumer expectations around how they want to interact in commercial and social ways on the Internet requires data collection and retention to work effectively.
For a variety of reasons, practical and philosophical, privacy in the form of pure anonymity is far afield from the core of most peoples' privacy concerns. Most people realize the value of sharing some data about their online and offline experiences. Once they acknowledge this, their focus rightly shifts from avoiding any collection whatsoever to assuring a basic set of rules around use of their data.
Years after it went off the air, the "Cheers" rule still prevails -- sometimes you want to go where everybody knows your name.
Those who are comfortable with the idea that some data must be collected about them to enhance their consumer experience embrace the opportunity to share information and thereby personalize their online and offline experiences. They willingly join loyalty programs, conduct banking online and sign up for newsletters, and use online tools such as e-mail, blogs and social networks.
DATA SECURITY WORRY: People who embrace this modern world largely focus on worries about unauthorized access to the data that they know needs to be collected. Often, their concerns focus on financial fraud that may result from this access.
PHYSICAL SECURITY WORRY: Some people are additionally worried that any information about them out there in the world might be used at some point to cause them or their family physical harm.
These three worries that are part of the word "privacy" are related -- most people probably would say they feel elements of all three, with one predominating for them.
Common among the three conceptions is the important idea that people must retain reasonable control over their information -- that is what we can say is truly at the core of all privacy concerns.
In the data protection context, regulators and companies can assure that consumers have clear notice about who is collecting the data and for what purpose, and insist that data collectors set and enforce clear rules around access.
In the United States, federal and state legislation addresses types of data in different ways, and core consumer protection concepts are used by regulatory agencies such as the Federal Trade Commission in enforcement actions. Europe has taken a comprehensive approach to requiring that entities that collect any type of personal data have full disclosure, and has set up a dedicated data protection regulatory regime.
In the data security context, the entity collecting the data has obligations to prevent hacking or other unauthorized access to the personal information in its possession. Some regulation, such as California's pioneering requirement that organizations disclose security breaches of certain types of personal information, has been effective, and the FTC has been a leader in holding companies to their promises to users.
Finally, in the physical security context, the focus is on how personal data might be used to contact and harm someone. We see this most often in concerns about kids being contacted inappropriately by adults, but there also are worries about "cyberstalking" and "cyberbullying." State attorneys general are taking the lead in the United States, and the European Commission also has been quite active.
Responsible businesses set rules on their collection and use of personal data that address these worries -- some in response to the regulatory environment and others just because it is good corporate citizenship. They educate their users on techniques to build a safer and more trusted environment around personal data and use their power to enhance community and protect privacy online.
At Facebook, we addressed each of these worries with diverse strategies, from enforcing an authentic and real-name culture that drove responsibility for every user, to deployment of technology that caught likely abusers and abuses such as spammers and adult attempts to prey on kids, to the development of staff expertise and building of relationships with law enforcement. As potential threats evolved, we could adapt the Internet's first comprehensive infrastructure that allows individuals reasonable control over individual data elements -- choosing settings that allow sharing that range from individual friends to the entire Internet -- to address those threats.
That type of innovation by companies is critical to protecting any of the three privacies. Any attempt at regulation or enforcement in these areas needs to recognize that technology inevitably will be moving faster than regulatory efforts.
Companies should be involved in active conversations with regulators to clarify the problems that are out there and how they are addressing them, and regulators should be pushing for clear disclosure and assuring that companies keep their promises.
Policy-makers and companies must assure consumers that proposals to protect their privacy identify what type of privacy a given proposal is trying to protect, and how the proposals enhance reasonable control over consumers' information.
Innovation, and thus actual protection of individuals' interest in each of the three privacies, depends on understanding the problems we are trying to address.
Kelly was the first general counsel and chief privacy officer of Facebook, and was a 2010 candidate for California attorney general.