Blog · Review Essay · Last reviewed June 14, 2026

Privacy in Context and the Rules of Information Flow

Helen Nissenbaum's Privacy in Context gives AI governance a missing grammar. Privacy is not just secrecy, ownership, or a consent checkbox. It is the integrity of information flows inside social contexts: who sends what, about whom, to whom, under what conditions, and for what purpose.

The Book

Privacy in Context: Technology, Policy, and the Integrity of Social Life was published by Stanford University Press in November 2009 through Stanford Law Books. The publisher lists it at 304 pages, with hardcover ISBN 9780804752367, paperback ISBN 9780804752374, and ebook ISBN 9780804772891.

Nissenbaum is the Andrew H. and Ann R. Tisch Professor of information science at Cornell Tech and the Cornell Ann S. Bowers College of Computing and Information Science. Cornell Tech also lists her as director of the Digital Life Initiative, with research across privacy, trust, accountability, security, ethics, policy, law, computing, digital media, and data science. That range matters. The book is not a narrow privacy-law manual. It is a theory of how information technology disturbs social life by moving data out of the settings that once gave it meaning.

The book predates large language models, app-store identity systems, today's data-broker economy, AI companions, and workplace copilots. Its central concept has only become more useful. Contextual integrity names the privacy harm that appears when information still looks "public," "consented to," or "already shared," but has been moved into a new institutional relation where the old expectations no longer hold.

Privacy as Context

The argument starts from a simple observation: people share information all the time. A patient tells a doctor intimate facts. A student submits work to a teacher. A worker explains a disability accommodation to human resources. A customer gives a payment processor financial details. A friend tells another friend something fragile. None of these acts means the information has become free material for every other actor.

Contextual integrity asks whether an information flow fits the norms of the social context in which it occurs. The key variables include the information subject, the sender, the recipient, the kind of information, and the transmission principle that governs the flow. Confidentiality, stewardship, reciprocity, legal compulsion, sale, consent, and professional duty are not interchangeable routes. They change what the information means.

This makes the book a direct companion to Sorting Things Out, The Digital Person, Data and Goliath, and Seeing Like a State. Each book rejects the fantasy that records are neutral once captured. A record becomes powerful through the institution that reads it, the category it is placed in, and the action it authorizes.

Nissenbaum's strongest move is to break the stale public/private distinction. A fact can be visible in one setting and still be violated by extraction into another. A courthouse record, school assignment, search query, location ping, medical note, workplace chat, or social post may be accessible in some sense, but accessibility is not permission for every downstream use. The question is not "was the data secret?" The question is "what relationship made this flow appropriate, and what relationship is now using it?"

Privacy in Context also explains why notice-and-consent systems fail so reliably. A consent banner or terms-of-service checkbox tries to compress a whole social relationship into a moment of individual choice. It asks the person to understand future flows, unknown recipients, model training, mergers, government requests, retention periods, inference, resale, breach risk, and product redesign before clicking.

That model is especially weak when refusal is costly. A worker may need the platform to keep a job. A parent may need the school portal. A patient may need the hospital system. A tenant may need the landlord's app. A creator may need a social platform. A citizen may need the government website. The click exists, but the relationship is not symmetrical.

Contextual integrity shifts the burden. Instead of asking whether a user technically accepted a flow, it asks whether the flow is appropriate to the context's purposes, roles, and governing norms. A school can collect student work to teach. That does not automatically make the work training data for a vendor's general-purpose model. A hospital can collect symptoms to treat. That does not automatically make the notes marketing data, actuarial data, or product telemetry. A workplace can route messages to accomplish work. That does not automatically make every sentence a permanent behavioral profile.

The AI-Age Reading

Read in 2026, Privacy in Context is one of the clearest books for thinking about AI data reuse. The AI stack constantly tempts institutions to collapse contexts. Data gathered for communication becomes training material. Data gathered for safety becomes scoring material. Data gathered for support becomes product improvement. Data gathered for identity becomes fraud detection, ad targeting, risk analysis, or model memory.

Large models intensify the problem because they do not merely store information. They learn patterns, infer sensitive facts, summarize records, generate explanations, personalize interfaces, and act through tools. A training set can absorb traces from many contexts and return them as a general capability. A retrieval system can collapse source boundaries inside one answer. A model memory feature can make a user's past disclosure operational in future moments the user did not imagine.

This is why "we only use public data" is often an inadequate defense. Public to whom, in what role, under what norm, at what scale, with what retention, with what inference, and with what future use? A street photo, a forum post, a court docket, a product review, a classroom discussion, and an open-source issue are not morally identical because a crawler can reach them.

AI makes contextual collapse feel technically natural. The model wants a corpus. The enterprise wants a connector. The assistant wants memory. The dashboard wants all signals in one place. But social life is not one place. It is many overlapping settings with different obligations. The power of Nissenbaum's framework is that it lets governance defend those differences without pretending data should never move.

Agents That Cross Boundaries

The next pressure point is agentic AI. A normal app usually sits inside a somewhat legible context: the banking app, the school portal, the clinic system, the team chat. An agent is designed to cross boundaries. It reads email, calendars, documents, tickets, customer records, code repositories, payment tools, browsers, and internal databases, then acts across them.

That boundary crossing is the product's value. It is also the privacy risk. The agent may have permission to read a document in one role and use the extracted fact in another. It may summarize a private exchange into a management report. It may pull a health clue into a scheduling decision. It may combine procurement data, chat sentiment, and performance metrics into a recommendation that no single context would have authorized.

Contextual integrity turns agent governance into a design problem. Access control is not enough. The system needs source boundaries, purpose limits, transmission principles, retention rules, role separation, audit trails, and user-facing explanations that name the context of each flow. A good agent should not merely ask "can I access this file?" It should ask "for this task, in this role, under this relationship, should this information flow to this recipient?"

That is a higher bar than most current enterprise AI systems clear. Permission inheritance tells the model what it can see. Contextual integrity asks what the model may appropriately carry across the boundary after seeing it.

Where the Book Needs Friction

The book's framework is powerful, but not self-executing. Social contexts can be unjust. A workplace norm may already favor surveillance. A school norm may already normalize suspicion. A policing norm may already treat some communities as risk sources. Preserving contextual norms is not always the same as protecting people.

Nissenbaum anticipates this by treating norms as open to evaluation, not as sacred tradition. Still, AI-era readers need to pair contextual integrity with political economy, civil-rights analysis, labor power, disability justice, and public-interest technology. Otherwise the framework can become too polite: a map of existing expectations where the deeper problem is that the expectations were built by unequal institutions.

The second difficulty is operational. Translating contextual integrity into systems requires more than a privacy policy. It requires machine-readable roles, data lineage, purpose binding, retention controls, model-use restrictions, interface design, human appeal, and institutional willingness to say no to convenient reuse. The 2006 formalization work by Barth, Datta, Mitchell, and Nissenbaum shows that some parts can be expressed in logical privacy rules, but real organizations rarely maintain their information flows with that level of precision.

The third difficulty is inference. AI systems can derive sensitive information from data types that seem harmless. A norm may restrict medical data, but a model may infer health from purchases, movement, language, sleep, or social ties. Contextual integrity still helps, but it has to govern inferences and generated classifications, not only original records.

What This Changes

The practical lesson is to stop asking privacy questions only at the point of collection. Collection matters, but AI governance also needs to ask about movement, transformation, training, retrieval, memory, inference, summarization, disclosure, and action.

A contextual-integrity review of an AI system would ask: What context produced the data? Who is the subject? Who sent it? Who receives it? What kind of information is it? What principle allowed the flow? Is it being retained, combined, trained on, or used to act in a different context? Can the affected person see and contest that movement? What social purpose is being served, and what power is being expanded?

This test is sharper than generic privacy talk. It can distinguish a hospital tool that summarizes notes for the treating clinician from a vendor pipeline that uses those notes to train a commercial model. It can distinguish a school tutor that forgets session details from a student model that follows a child across years. It can distinguish an enterprise assistant that respects role boundaries from one that quietly turns every document into cross-department memory.

Privacy in Context belongs on the AI shelf because it makes one neglected point hard to avoid: information systems do not only know things. They move things between relationships. When those movements violate the roles, duties, and limits that make social life trustworthy, the harm is not solved by better notice, cleaner UI, or more accurate prediction. The system has changed the meaning of the information, and with it, the terms on which people become readable to power.

Sources

Book links are paid affiliate links. As an Amazon Associate I earn from qualifying purchases.

Buy on Amazon Browse Books

Return to Blog · Return to Books