The information commons: From data protection towards information stewardship

Bryce Goodman

Introduction
Modern society is characterized by a proliferation of information. As digital technologies play
increasingly important, and ubiquitous, roles in our everyday life, our actions leave a trail of
informational breadcrumbs (Mayer-Schnberger & Cukier, 2013). In aggregate, these traces lead to
an increasingly detailed view of their subjects (Lazer et al., 2009). At the same time, the ability to
access this information has never been easier (The Economist, 1999).1 It is no surprise that the
protection of personal information has become one of the central concerns of the information age
(Floridi, 2006; Rainie, 2015).

In The Historical Roots of Our Ecologic Crisis, White writes:

What we do about ecology depends on our ideas of the man-nature relationship. More
science and more technology are not going to get us out of the present ecologic crisis until
we find a new religion, or rethink our old one. (1967, p. 1208)
If we substitute privacy for ecology and information for nature, Whites words are equally apt for
the dilemma at hand. It is increasingly clear that the privacy challenges brought about by new
technologies require more than merely technical solutions. And though there is widespread
agreement that privacy is important, the ethics of informational privacy is rife with contention at
both a normative and axiological level (Acquisti, Brandimarte, & Loewenstein, 2015). There is not
only disagreement about the right way to deal with personal information, but ambiguity at the level
of what, exactly, constitutes personal information and why it is valuable (Floridi, 2006). Until these
latter questions are addressed, the former remain intractable.

The traditional axiological view is that information derives value from its connection to an
individual. This approach asserts that individuals have an a priori claim over their personal
2

information. An analogy with ownership rights is frequently deployed to develop a framework for
regulating personal information: personal information is construed as a form of personal property,
3
with all its attendant rights (Mell, 1996; Murphy, 1995). A defining characteristic of private
property is a prohibition on use or access without obtaining consent from the owner (Burns, 1985).
Thus, within this paradigm, consent plays the critical role in determining whether access to
information is morally permissible (Manson & ONeill, 2007).

This paper argues that this approach fails to account for the ecological value of information, value
which arises at the aggregate level and is not reducible to the sum of its parts. Much of the value of
information cannot be captured in terms of individual interests or rights, and the ethical
importance of informed consent has been overblown. A new paradigm for valuing and respecting
informational privacy is needed. To this end, we offer a new analogy of an informational
commons, and argue for a transition from data protection towards information stewardship.

1
C.f. Floridis (2013, pp. 232235) discussion of how ontological friction, which limits the flow of information in a
system, has been progressively (though not irreversibly) eroded by new technologies.
2
C.f. Warren and Brandeis, who canonically describe the right to privacy the right to ones personality (1890).
However, as Floridi (2013, p. 242) notes, the authors elsewhere write that it is difficult to regard the right as one of
property, in the common acceptation of the term.
3
For an excellent overview, see (Schwartz, 2004).
The paper is structured as follows:
Part I reviews conceptions of privacy modelled upon individual rights of ownership, and
argues that these conceptions fail to provide an adequate axiological account of
informational privacy.
Part II builds upon the argument in Part I and utilizes privacy in large scale genetic
research as a case study to illustrate practical challenges associated with an individual rights-
based conception of privacy.
Part III introduces the concept of ecological value, and argues for an analogy between the
protection of personal information and the preservation of the natural environment. The
notion of an information commons is introduced to provide an alternative to the individual
rights-model for both valuing and protecting personal information.

Part I
Many theorists have sought to develop a concept of privacy on the model of personal property
(Mell, 1996; Murphy, 1995; Thomson, 1975).4 5 The idea is that people have a special interest in
information about themselves, and that this special interest justifies treating personal information as
the property of that individual.6 One might think of personal information as akin to an object a
person owns (Laudon, 1996). If Alice owns a bushel of apples, it is up to Alice to decide who can
have one, and at what price. To take an apple without permission would be stealing, and so too for
her personal information. This approach allows one to import ideas from property law into the
informational sphere. If Bob asks Alice to sign a contract trading an apple for an orange, that
contract is only valid if it is signed freely and without false pretenses. Similarly, informational
transactions (e.g. sharing, copying, etc.) are only legitimate if they are preceded by freely given
consent.7

The analogy fails, however, when one considers that, unlike a bushel of apples, there is no limit to
8
how many people may simultaneously possess information. If Alice gives an apple to Bob, she
has one less apple. When Alice tells Bob a personal anecdote, she does not lose that anecdote, at
least not in the sense that she now has one less anecdote to give. Rather, Alice may lose control
over that anecdote, insofar as Bob now has the ability to share that anecdote if he so chooses. If the
anecdote is like the apple, Alice has no say in who Bob may share it with: when ownership of an
object is transferred, so too are its attendant rights (Samuelson, 2000). This is problematic if one

4
This view is often associated with Locke, who is regarded as having promot[ed] the idea that we do not merely exist
in our bodies, but also own them (Ursin, 2008, p. 276). For an opposing interpretation, see (Ryan, 1994).
5
Floridi contrasts this ownership-based interpretation with a reductionist interpretation, which sees the value of
informational privacy in a variety of undesirable consequences that may be caused by its breach, either personallyor
socially (2013, p. 240). We focus on the ownership-based account because, following Thomson (1975), we assert
(without argument) that the reductionist account is, actually, eliminative insofar as it fails to sufficiently distinguish
privacy from other values (e.g. freedom).
6
Westin defines privacy as the claim of an individual to determine what information about himself or herself should be
known to others, (2003, p. 431) and Margulis writes that privacy is control over transactions between person(s) and
other(s) (2003, p. 245)
7
One might argue over the extent to which freely given consent entails that the subject is also informed.
8
Cf. (Floridi, 2013, p. 242), which also lists additional limitations of the ownership-interpretation.

2
holds that there are both legitimate and illegitimate ways of using personal information irrespective
of whether it was obtained with due consent (Manson & ONeill, 2007).
---
An alternative view sees privacy as analogous to protecting a special demarcated space or territory
(Feinberg, 2014; Scanlon, 1975). The idea is that individuals have a certain personal sphere of
information, and that they have the right to control who may or may not access that sphere, and
under what conditions. Like the object-property account, the territory-property account has the
benefit of explaining why individuals have an a priori right to privacy: if personal information is
analogous to private property, illicit access to that information is similarly analogous to trespassing.

The analogy with territory allows for a more nuanced understanding of privacy by distinguishing
9
between the right to enter, which is limited, and the right of ownership, which is absolute. Alice
may invite Bob into her house for tea on a Tuesday, but this does not mean he has the right to re-
enter on a Wednesday. Further, the fact that Alice has invited Bob to come round for tea does not
mean he is entitled to take whatever he sees. There are certain norms that ought to govern Bobs
behavior as a guest of Alice. If she tells him that a room is off limits, for example, it would be
improper for him to enter.

While the territorial story goes some way addressing issues raised by the object-property account, it
fails to give a plausible explanation of how privacy works in practice. Consider: Alice tells Bob
something about herself, proposition P. Alice and Bob are now both in possession of proposition
P insofar as they have either expressed or heard it expressed. But suppose that Alice is speaking to
Bob in a crowded bar, and that Carol, through no fault of her own, overhears. Has Carol
10
trespassed? Perhaps she has, but out of negligence rather than malicious intent: just as a person
may accidentally wander onto private land in the woods, Carol has inadvertently entered Alices
private domain. But this too is an unsatisfactory account, for it could very well be the case that the
anecdote Alice told to Bob also involves Carol. Who is in the wrong now? We cannot give much
of an answer without specifying how Carol is involved, or how Bob relates to Alice and Carol, or
how Carol relates to Alice, etc. Consider:
Alice, a famous actress, tells Bob, her friend, that she has HIV. She is overheard by Carol.
Carol is a reporter.
Carol is Alices daughter.
Carol is Alices lover.
One can imagine a near-infinitude of variations, according to which our response varies
dramatically.
The flaws of a property-based approach to privacy are rendered even more salient when one
considers digital information, information that is collected, processed, stored and transmitted
electronically. Consider: Alice (a web browser) visits Bob (a website), and this visit is observed by
Carol (a traffic counter employed by Bob) without consent. It is difficult to see how one can
sensibly speak of Bob or Carol trespassing on Alices territory. Thus it rapidly becomes clear that
the structural relationship suggested by property rightsan owner, a piece of property, and third
11
partiescannot, on its own, provide a robust normative framework for personal information.
---

9
Cf. (Burns, 1985). Contra (Rose, 1998).
10
For an extended discussion of trespassing in cyber-space, see (Spinello, 2005).
11
For an attempt at resolution, see (Nissenbaum, 2009).

3
An alternative approach, which Floridi terms the ontological interpretation, claims that an agent
owns his or her informationin the precise sense in which an agent is her information (2006, p.
17). On this account, a violation of privacy is more akin to kidnapping than trespassing (Floridi,
2013, p. 244). This has the advantage of avoiding some of the traps associated with property-based
accounts of personal information: since a person cannot separate herself from herself, there is
always a necessary connection between an individual and her personal information. Furthermore,
this approach encourages us to accord personal information importance not merely because it is
valuable to the person it concerns, but because it is an extension of that person. In Kantian terms,
protecting personal information becomes an end in itself.

However, this account leads to a conceptual muddle when the information in question pertains to
characteristics of a group. Returning to the web-browsing example, consider the case where Carol
notes that Alice is the fifth visitor to the site that hour. It neither makes sense to think of this
information as owned by Alice, nor to consider it as an extension of Alice herself.

Like the binary distinction suggested by territorial analogiesone is either on a piece of property or
off itthe ontological account fails to serve as a guide when there is not a clearly individuated link
12
between a single subject and the information in question. In short, information that is the result of
abstracting from aggregate observations does not fit well within the model of individual rights
(Vedder, 1999).

Part II
So far we have discussed the theoretical challenges with individual rights-based accounts of privacy.
We now turn to the problems that arise when this theory is put into practice.
---
The history of genetic research is paralleled by a concern over the need to protect genetic privacy
(Parthasarathy, 2004). The argument for genetic exceptionalism is premised on the idea that
individuals own their genetic information (Roche, Glantz, & Annas, 1996). According to its
proponents, genetic privacy is a fundamental and inalienable right that arises out of the special
relationship between persons and their genetic code (Anderlik & Rothstein, 2001).
Genetic exceptionalism proposes that the right to genetic privacy should be construed as an
absolute prohibition on access to an individuals genetic information without obtaining explicit and
informed consent (Roche et al., 1996). The requirement that consent is explicit means that consent
must be given either verbally or in writing, while the requirement that consent be informed means
that consent can only be legitimately given after an individual has knowledge of the specific nature
of the research he or she consents to (World Medical Association, 2001). Thus if Alice agrees to
share her genetic information for study A, she must be re-contacted before researchers can use her
information in study B.

Large-scale genetic studies frequently involve information from hundreds of thousands or millions
of participants. Genetic biobanks exist to store genetic and phenotypic information from large
cohorts precisely for this purpose (Elliott & Peakman, 2008; Roden et al., 2008; Ursin, 2008). The

12
Floridi is aware of this trap and tries to avoid it, claiming that while informational privacy requires a privacy holder,
the privacy holder need not be persons, [but] can be organizationsor artificial constructs (2013, pp. 251253).
Whether he succeeds is a separate question, beyond our current scope.

4
information is stored physically (in samples) and digitally (as records), and thus can easily be used
for multiple studies.

However, the strict application of informed consent proposed by genetic exceptionalism would
require researchers to re-contact and obtain explicit consent from each and every biobank donor
prior to every study (Ursin, 2008). This would effectively undermine one of the biobanks key
purposes, i.e. to facilitate the easy reuse of genetic information across a wide range of research
projects. Another challenge arises from the fact that genetic information is frequently de-identified,
making it difficult or impossible to determine the original donor. A paradox arises wherein the act
of protecting donors identities via anonymization renders impossible the act of obtaining informed
consent (McGuire & Gibbs, 2006).
---
Genetic exceptionalism exemplifies the ownership/rights account of privacy: it is founded upon the
idea that individuals own the information contained in their DNA, and therefore have a moral
claim over its use. While this may seem plausible at first gloss, further inspection reveals a number
of fundamental issues.

Genetic information that is derived from an individual will rarely if ever be relevant to only that
individual because the vast majority of genetic information is shared (Sommerville & English,
1999). If Alice discovers she has a paternally inheritable gene, and Bob is Alices father, Alice now
knows that Bob has that gene as well. It stands to reason that neither Alice nor Bob can be said to
exclusively own this information, even though its source is clearly Alice.

The model of individual ownership also obfuscates the fact that many communities have a shared
interest in what happens with their members genetic information (Bisaz, 2012; Bloustein, 1976;
Bodmer & Bonilla, 2008). If Alice, Bob and Carol all have a rare disease that is undergoing genetic
study, they may each have a strong interest in ensuring that the others participate. If Alice and Bob
share their information, but Carol does not, her action puts the three of them at a disadvantage,
even though she still stands to benefit from the results of any research. The point is not that Carols
right to genetic privacy is outweighed by the importance of the research per se, but that Carols
decision to instantiate that right will likely have consequences that extend well beyond her
personal sphere or inviolate personality.

The upshot of these examples is to show that casting genetic privacy only in terms of the interest of
individuals provides an impoverished account of the value of genetic information and leads to both
13
practical and conceptual difficulties. Simply put, large scale genetic research has little to do with
the genetic information of individuals qua individuals. Rather, such research is both dependent on 14

and relevant to groups. When genes are discovered through large scale statistical analysis, what
has really been established is a statistically significant difference between a group defined by
possessing a certain gene, and a group defined by its absence (Klein et al., 2005).

The same is true for most applications of big data to human behavior (e.g. Lazer et al., 2009;
Lazer, 2015). As Pentland writes, social physics describes how humans behave as a group in

Contra. (Anderlik & Rothstein, 2001; Roche, Glantz, & Annas, 1996)
13

14
Unlike early genetic research, which focused on identifying one-to-one relationships between genes and physiology.
See (Founti et al., 2009).

5
terms of statistical regularities that span the population. But when it comes to individuals, our
idiosyncrasies emerge to defeat our best social physics models (Pentland, 2014, p. 190). Thus for
big data in general, and genetics in particular, most information concerns the properties of groups,
not individuals.
---
Our discussion identified a number of issues that arise from an individual-rights/ownership account
of informational privacy, which we now summarize:
Individuation: Individual rights belong to individuals, whereas information may belong to many,
or to none. An example of the former are certain types of genetic information, e.g. if Alice learns
she has Huntingtons disease and Bob is her brother, Alice also learns that Bob has a chance of
inheriting the disease. An example of the latter is aggregated and anonymized information, e.g. that
a certain genotype is correlated with an elevated risk of dementia.
Transfer of title: Physical property is divisible from its owner. Consequently, property rights can be
exchanged: one of the fundamental properties of ownership rights is the right to transfer those
15
rights (Burns, 1985). But in the case of personal information, there can never be an absolute
transfer (Samuelson, 2000): Alice does not cease to be in possession of information about herself
16
no matter what contract she signs with Bob. Furthermore, any account that suggests rights to
personal information can be wholly divorced from the subject of that information violates the
intuition that individuals have an a priori and inalienable interest in information that concerns
17
them.
Value: The framework of individual rights accords information value to the extent that it can be
claimed by a rights-bearer. This poses a challenge closely related to, yet distinct from,
individuation. In many cases, information is worth far more together than it is apart. Consider:
Bob and Alice are running for class president. There are four women in the class aside
from Alice (Carol, Diana, Elizabeth and Francesca) and four men aside from Bob (Chris,
David, Eric and Frank).
If we learn that Carol is voting for Alice we now know something about Carol, but know nothing
about how the women are voting as a group. On the other hand, if we only know that half the
women will vote for Alice, we know something about how the women are voting as a group, but
nothing about how individual women are voting. If we are trying to predict who will win the
election, or studying how gender affects voting preferences, we may only be interested in this
aggregate-level information. Such information, therefore, can be incredibly valuable. And yet this
value does not derive from the value of each individuals personal information per se. Firstly, we
may genuinely not care about the voting preference of Carol, or Chris, but only be interested in
how men and women vote on the whole. Secondly, it is not obviously the case that more
information from more people is necessarily more valuable. If we are only interested in predicting
the class election, we do not gain anything from knowing who has slept with who, or knowing how
people who are not in the class would vote. In other words, the value of information is often not
additive, as the property-analogy would suggest.

15
Contra. (Rose, 1998)
16
At best, the right to use that information may be transferred. But even this poses conceptual challenges, for in many
cases the most significant use of information is simply its possession.
17
See (Schwartz, 2004).

6
This list is by no means exhaustive. Nor is it decisive: one might still plausibly argue that, in spite of
these defects, an individual rights/ownership approach to informational privacy still provides the
most coherent account. Our task is thus to outline an alternative.

Part III
In the age of big data, information is worth more together than it is apartoften times infinitely
more. The individual rights/ownership model fails to capture this important aspect of information,
and is thus unable to accommodate both the attendant benefits and risks of data use in practice.
This section will argue that, oftentimes, the value attributed to information is better understood on
an ecological model. This is especially true when the treatment of information does not merely
affect the rights or property of individuals, but has significant consequences at an aggregate or
systemic level.
---
The term ecological value is intended to refer to the value of a system or state of affairs as a
whole, i.e. value that is not reducible to its subcomponents. An orchestra consists of many
simultaneous beautiful musical performances. Each has value on its own. The value of the
orchestra, however, is not merely the sum total of those individual performances. It might be
more, and it might be less: a tuba player on her own may struggle to impress, and a single off-key
player can ruin an otherwise flawless symphony.

The use of the term ecological is deliberate. In conservation biology, an ecology is an account of
both entities and relationships found in the natural world (Haeckel, 1866). An ecology is an
abstraction, shaped and bounded by the scale of observation (Levin, 1992). Consequently, no
single ecological account is exhaustive: a city park comprises plant, animal and bacterial ecologies
(Straton, 2006). Furthermore, we can sensibly discuss the well-being of an ecology as related to yet
18
distinct from the well-being of any individual entities. Kill a few trees and the forest still stands;
replant those trees elsewhere and the forest is destroyed.
19
Information can also be understood as comprising both interlocking and autonomous ecologies.
Consider the earlier example where Carol overhears Alice telling Bob she has HIV. We noted that
the normative significance of this event depends not merely on what is overheard (the
informational content), but also the relationship between the individuals. In other words, context
matters: it is important to know whether this event takes place in a crowded bar or in Alices home,
whether Carol is a family member or stranger, etc. The same piece of information may belong to
multiple ecologies and have value that varies in each.

Ecological value encompasses not only the value that something has at this moment, but also the
value that it may possess going forward in time. A lake is no less valuable when it is frozen in winter
than when it is host to migrating birds in spring. Ecologies are not static, but dynamic and
generative (Lindeman, 1942). So too is information: it may be used by an agent as a resource for
decision making, or generated as a product of action, or simply stored for future use (Floridi, 2013,
p. 20).
---
If all environmental protections have a common purpose, it may be to protect the generative

18
Cf. Levels of Abstraction in (Floridi, 2013)
19
Cf . Floridis notion of an infosphere (Floridi, 1999).

7
capacity of ecologies (Groom, Meffe, & Carroll, 2005). In general, this means preventing changes
that make it more difficult for a diversity of life to flourish. For example, even though certain
species of microbes thrive in cyanide, its use is restricted because the majority of living things
humans includeddo not. It would be inaccurate, however, to suggest that such a ban is intended
to prevent harm to this or that individual living thing. Rather, it is the diversity of life as a whole
that matters (Cardinale et al., 2012).
Historically, a commons is an area that is set aside for communal use, such as grazing livestock,
and played a vital role in many peoples livelihoods (Ostrom, 2015). The notion of an
environmental commons suggests that all living things have an interest in the state of the
environment, and that these interests cannot be effectively represented by discrete rights of
ownership (Ostrom, Burger, Field, Norgaard, & Policansky, 1999). The environmental commons
comprise various biological and physical systems, such as the oceans and atmosphere, upon which
20
both human and non-human life depends (Dietz, Ostrom, & Stern, 2003).

In modern times, environmental considerations have begun to restrict what people can and cannot
do with private property (Lewis, 1988). Alice may legally own forested land, but be prevented from
cutting down the trees or setting them alight. The concept of absolute dominion over territory is
incompatible with the idea of an environmental commons because biological and physical systems
transcend boundaries of legal ownership (White, 1967).
---
The concept of an environmental commons offers a useful heuristic for unpacking the value of
information. As we have seen, the shift towards an ecological view emphasizes the value of
information to both individuals and the systems to which they belong. The model of individual
ownership fails to provide a satisfactory account of how to value or responsibly deal with
information that concerns properties of a group rather than individuals. The ecological model
provides a different paradigm for recognizing this value, and allows us to designate certain classes
21
of information as belonging to an informational commons.

An informational commons comprises information which individuals have an interest in without

22
having a right over. Actions that violate the informational commons will usually cause harm at
both individual (discrete) and aggregate (systemic) levels. To continue the environmental
metaphor, a source of air pollution is both acutely harmful to the individuals who live nearby and
systemically harmful to the environs as a whole. Similarly, a breach of privacy may have
consequences for both the individuals whose data has been accessed, as well as the level of trust
placed in the system as a whole. Intuitively, individuals who are considering participation in a
genetic biobank are less likely to do so if there are reports that a previous donors information was
illicitly accessed. The dimensions of harm in this case are manifold: beyond the individual whose
information was accessed, there is harm to the (current and future) researchers who are less able to
perform research and to the (current and future) patients who are less able to benefit. Because
these harms involve future persons, the scope of damage is not reducible to the individuals acutely
affected by breach (Roberts & Wasserman, 2009). This is analogous to a toxic spill at sea: there
will be immediate damage to the people who live by the body of water, but also longer-term
implications that extend both geographically and temporally.

20
Cf. (Lovelock & Margulis, 1974)
21
For a more detailed discussion of information commons, see (Bollier, 2013; Lessig, 2002).
22
More precisely, it is information that individuals do not have an exclusionary right over.

8
One practical consequence of this view is to recast the purpose of informed consent. A commons
is easily destroyed by overgrazing (Hardin, 1968). However it is also destroyed by walls that prevent
access (Dietz et al., 2003). Similarly, an informational commons is equally threatened by both
abusive access and arbitrary restrictions. If we move away from a theory of privacy that takes
individual ownership rights as its paradigm, the act of obtaining informed consent no longer plays
such a central role in determining what uses of information are or are not acceptable. Rather than
balancing competing claims from research and individuals, the aim of regulation becomes
23
preserving the long-term viability of the informational commons. In cases where information
pertains to a group rather than an individual, the presence or absence of informed consent may be
wholly irrelevant. This can cut in both directions. We may think that an insurance company ought
not to have access to its insures genetic information even if they consent (Diver & Cohen, 2001;
Hudson, 2007). On the other hand there may be cases where no consent is required if such a
requirement would undermine the integrity of the informational commons and pose
insurmountable barriers to access. The moral impetus migrates from recognizing rights to
24
promoting trust.

Conclusion
Our analysis began by parsing accounts of informational privacy in terms of individual ownership
rights. This approach is built on the premise that the value of information is grounded in a
connection with an individual. But, in certain cases, this foundation is eroded by both conceptual
and practical challenges: the model of individual rights does not accommodate instances where
information concerns groups or more than one individual (e.g. genetic research), and thus fails as a
practical guide for regulating information in such cases.

These obstacles prompted the search for a new route to understanding the value of information.
We followed a course paved by terms and concepts from conservation biology, ecology and
environmentalism. This ecological axiology not only clarifies some of the conceptual muddles
from the rights-based approach but, in many cases, provides more feasible direction for
informational privacy in practice. The model of a commons encourages a perspectival shift from
data protection towards information stewardship.

Works Cited excluded to comply with page limit, but available upon request.

23
Cf. (Naess, 1973)
24
For a different argument with similar conclusions, see (Manson & ONeill, 2007).