Privacy and contextual integrity: framework and applications

Privacy and Contextual Integrity: Framework and Applications
Adam Barth Anupam Datta John C. Mitchell
Stanford University
{abarth, danupam, jcm}@cs.stanford.edu
Helen Nissenbaum
New York University
helen.nissenbaum@nyu.edu
Abstract
Contextual integrity is a conceptual framework for understanding privacy expectations and their implications developed in the literature on law, public policy, and political philosophy. We formalize some aspects of contextual integrity in a logical framework for expressing and reasoning about norms of transmission of personal information. In comparison with access control and privacy policy frameworks such as RBAC, EPAL, and P3P, these norms focus on who personal information is about, how it is transmitted, and past and future actions by both the subject and the users of the information. Norms can be positive or negative depending on whether they refer to actions that are allowed or disallowed. Our model is expressive enough to capture naturally many notions of privacy found in legislation, including those found in HIPAA, COPPA, and GLBA. A number of important problems regarding compliance with privacy norms, future requirements associated with specific actions, and relations between policies and legal standards reduce to standard decision procedures for temporal logic.
1 Introduction
In the past few decades, we have seen a radical intensi-
fication in the social practices of gathering, storing, manip-
ulating, and sharing information about people (henceforth,
“personal information”). In many instances, new practices
have aroused suspicion, indignation, and protest not only
among legal experts, social critics, and privacy advocates,
but also in the popular media and among the general pub-
lic. Recent controversies range from the introduction of
Caller ID to Lotus Marketplace Households and EZ Pass,
from Carnivore and “total information awareness” to Inter-
net cookies and online profiling. While there are philosoph-
ical theories of the nature and value of privacy, these tend to
offer an account of what privacy is—say, control over infor-
mation about oneself—and may explain why it ought to be
valued and protected in liberal democracies. In contrast, the
framework of contextual integrity has arisen in recent years
to provide guidance on how to respond to conflicts between
values and interests and to provide a systematic setting for
understanding privacy expectations and the reasons that cer-
tain events cause moral indignation [30, 32].
This paper presents a formal framework for expressing
privacy expectations and privacy practices, inspired by con-
textual integrity. We begin with a simple model of the trans-
mission of personal information, containing communica-
tions such as Alice gives Bob a certain type of information
about Charlie, and use first-order temporal logic for ex-
pressing and reasoning about norms of transmission. The
central concepts drawn from contextual integrity include
contexts, roles, and a focus on the type of information trans-
mitted (Charlie’s height) rather than specifics of the data
(Charlie is 5’10” tall). Roles within contexts are used to ex-
press that communication which is perfectly acceptable be-
tween a psychiatrist and patient is completely unacceptable
between a human resource specialist and a job applicant.
Temporal logic with past and future operators is used to say,
for example, that certain information may be disclosed only
if the subject mentioned has previously given permission or
that if certain information is made public, notification must
be sent to the concerned party. While contextual integrity
was developed to support specific, substantive philosoph-
ical and legal positions, our goal is to formalize concepts
from contextual integrity so that privacy guidelines, poli-
cies, and expectations can be stated precisely, compared,
and enforced by an information processing system.
We define two kinds of norms, which we call positive and
negative, as temporal logic formulas of two certain forms.
These two kinds of norms generalize “allow” and “deny”
rules in traditional access control for our setting with tem-
poral conditions. A positive norm permits communication if
its temporal condition is satisfied, whereas a negative norm
permits communication only if its temporal condition is sat-
isfied. These norms are interpreted in a model of commu-
nicating agents who “respect” the norms if the trace history
of their communication satisfies a temporal formula con-
structed from the norms by taking the disjunction over pos-
itive norms and the conjunction over negative norms.

A communication action transmits information about a
subject from a sender to a recipient. Our model of “informa-
tion” includes a relation enabling agents to combine mes-
sages to compute additional information about the subject
(e.g., computing postal code from postal address), elucidat-
ing the notion of a “data hierarchy” found in P3P [15] and
EPAL [27]. To illustrate the expressiveness of this frame-
work and explain its use, we show how to capture privacy
provisions of HIPAA, COPPA, and GLBA as combinations
of positive and negative norms with temporal conditions.
A number of frameworks for defining and enforcing access control and privacy policies have been proposed, including RBAC [12, 14, 25], EPAL [7, 8, 38], and P3P [1, 2, 13, 15, 16, 34]. In comparison with access control and previous privacy policy frameworks, our norms focus on who personal information is about, how it is transmitted, and past and future actions by both the subject and the users of the information. Generally speaking, access control policies enable a system to decide whether to allow or deny a specific action, typically by deriving a relation between subjects, objects, and actions (possibly by grouping subjects by role, etc.). Conventional access control systems might make decisions based on the current state of the resources they govern, but generally do not inquire about the past or impose restrictions on the future. Some privacy policy languages, such as EPAL, have a rudimentary temporal nature, in that a request to perform an action might lead to an allow or deny judgment and an "obligation." In EPAL, an obligation is usually an action that some agent is required to perform in the future. Our norms can refer explicitly to past and future actions using temporal operators. Thus, the decision to allow an action can depend on what actions have occurred previously and can require additional actions in the future, capturing both "opt-in" (a past requirement) and confidentiality (a future requirement) using a single construct.
Access control does not conventionally track whom in-
formation is about: permission to read or write a file might
be granted or denied, but the decision is not based on who
is described by the information in the file. In our model,
the subject of information in a message is as important as
the sender and the recipient of the message. For example,
norms can permit doctors to communicate personal infor-
mation about their patients but forbid them from communi-
cating the personal information of their administrative as-
sistants.
Like much of the work on access control and privacy
languages in the computer security community, we express
privacy policies in a formal logic and relate issues of com-
pliance and refinement to the logical concepts of satisfia-
bility and entailment. Specific technical results in Sect. 4
include characterizations of policy consistency, entailment,
and compliance in Linear Temporal Logic (e.g., [29]). En-
tailment is key to understanding how to combine policies,
and how to compare one policy, such as HIPAA, with an-
other, such as the specific privacy practices of a clinic and
hospital. Previous work on privacy languages, particularly
EPAL, used a complex lattice-based definition of entail-
ment. In our model, entailment is captured as standard
logical implication. Policy combination is then achieved
through the usual logical operations of conjunction and dis-
junction.
Our current framework makes two simplifications:
norms are based only on the type of information commu-
nicated and information is assumed to describe an individ-
ual rather than a group of individuals. For example, we can
easily express that it is acceptable for a physician to record
certain types of information, but it is outside the scope of
our current language to say that the average salary of bank
managers can be released only if it does not identify a par-
ticular individual’s salary. We believe it will be fruitful to
develop precise connections with research on data privacy
and aggregation in the future, but for simplicity we do not
consider these extensions in the current paper.
The remainder of the paper is organized as follows. Section 2 overviews contextual integrity. Section 3 contains our model and defines our formal language CI. Section 4 investigates properties of and relations between policies expressed in CI. Section 5 evaluates the expressiveness of CI by encoding privacy provisions from legislation in the language. Section 6 compares our framework with several access control and privacy languages. Section 7 concludes.
2 Overview of Contextual Integrity
Contextual integrity is a philosophical account of privacy in terms of the transfer of personal information. It is not proposed as a full definition of privacy, but as a normative model, or framework, for evaluating the flow of information between agents (individuals and other entities), with a particular emphasis on explaining why certain patterns of flow provoke public outcry in the name of privacy (and why some do not). In the approach encompassed by contextual integrity, the intricate systems of social rules governing information flow are the crucial starting place for understanding normative commitments to privacy. While contextual integrity is itself a relatively recent term, the idea of contextually relative norms has been "in the air," recognized in various ways in the literature (e.g., [33, 36, 37]), and explored in some specific ways in a variety of work dealing with professional confidentiality rules. Four constructs are key to defining contextual integrity: informational norms, appropriateness, roles, and principles of transmission.
We begin, however, with the concept of a context to capture the idea that people act and transact in society not simply as individuals in an undifferentiated social world, but as individuals in certain capacities (roles), in distinctive social contexts, such as health care, education, employment, the marketplace, and so on. These contexts should be understood as structured settings whose features have evolved over time—sometimes long periods of time—subject to a host of contingencies of place, culture, historical events, and more. Features which characterize particular contexts include the assemblages of roles (sometimes open-ended) and the set of behavior-guiding norms that prescribe (and proscribe) actions and practices, when, for example, people consult a physician (or are the physician), attend school (or teach), and shop (or sell).
One further feature is key to understanding what we mean here by "contexts," for not only are they characterized by roles and norms but also by certain ends, or values. In the case of health care, an onlooker (say, from another planet) observing a typical health care setting of a hospital will be unable to make proper sense of the goings-on without appreciating the underlying purpose behind it, that is, alleviating illness and promoting health. Although settling the exact nature of the ends and values for any given context is not a simple matter—even in the case of health care, which is relatively robust—the central point is that the roles and norms of a context make sense, largely, in relation to them. Because this point, though relevant to the larger theory of contextual integrity, is not crucial to the specific goals of this paper, we will not elaborate on it any further. Instead, our formalization deals with contexts frozen at a particular moment in history, focusing on expressing their attendant norms precisely.
For purposes of understanding privacy, norms that apply to the transmission (or communication) of personal information from one party to another, which we call "informational norms," are singularly important. In a health care context, for example, informational norms limit what physicians can say to others about the health condition of patients under their care. Contextual integrity, then, is a feature of situations in which the informational norms of a context have been respected; when any of these norms have been unjustly breached, then we say that contextual integrity has been violated.
One of the key defining aspects of informational norms,
and judgments that contextual integrity has or has not been
violated, is the type (category, nature, class) of information
in question. Unlike a number of prominent normative ac-
counts of privacy, the approach taken here rejects the idea
that a simple dichotomy—usually between public and pri-
vate (sensitive, intimate) information—is sufficient for ad-
judicating privacy claims. Instead, there is potentially an in-
definite variety of types of information that could feature in
the informational norms of a given context. We suggest the
term “appropriateness” as a way to signal whether the type
of information in question conforms to the relevant informa-
tional norms. Thus, for example, in the context of a job in-
terview for the position of bank manager in the present-day
United States, information about applicants’ marital status
is inappropriate, but it is appropriate in the context of dat-
ing (or courtship). Because information type is so salient
an influence on people’s judgments that a violation has oc-
curred, earlier accounts of contextual integrity had posited
norms of appropriateness as distinct from norms of trans-
mission. Our effort to formalize contextual integrity has
revealed, however, that, at a certain level of generality, both
can be covered by the form of transmission norm explored
in this paper.
Associated with every communication there are three rel-
evant entities (agents, principals): the one from whom the
information flows, the one to whom the information flows,
and the one—the information subject—about whom the in-
formation is. Entities are considered to be acting in certain
capacities, or roles, which are articulated with varying de-
grees of detail, within the relevant contexts. In academic
departments, for example, the roles of chair, tenured fac-
ulty, assistant professor, student, administrator, and so forth,
each are associated with a set of duties and privileges. Thus,
contextual integrity maintains that roles are key variables af-
fecting the rich and complex sensibility people demonstrate
in their judgments over whether a violation has occurred.
The notion of a transmission principle may be the most distinctive aspect of the approach to privacy through contextual integrity. These principles are the specific constraints (terms or conditions) regulating the flow of information from entity to entity prescribed by informational norms. One such principle is confidentiality, prohibiting agents receiving information from sharing it with others in the future. Although confidentiality is prominent, there are many other principles of transmission, for example, reciprocity, determining that information flow is bi-directional (occurring in friendship but not between a patient and a physician). Another is desert, determining that an agent deserves to know or learn something about the subject, perhaps, people deserving to know whether their lovers are HIV positive. An important family of transmission principles hinges on the awareness and consent of the information subject; in one instance, a subject might be forced to reveal information, in another, a subject might know (or not know) whether information has been transmitted, in a third, the subject consents to transmit information, and so on. Norms prescribe which transmission principles ought to govern the flow of information and are understood to be violated if the principles are not followed. It is worth noting that control by subjects of the flow of information about themselves, which features definitively in certain theories, is merely one transmission principle—albeit an important one—among many. There is probably no end to the variation in transmission principles.

3 A Formal Model of Contextual Integrity
In this section, we formalize a fragment of contextual
integrity. Our model consists of communicating agents
who take on various roles in contexts and send each other
messages containing attributes of other agents. The evo-
lution of the knowledge of individual agents depends on
messages they receive and computation rules that enable
agents to infer further attributes. Agent interactions give
rise to execution histories, or traces. In our specific model,
norms of transmission are expressed using Linear Tempo-
ral Logic (LTL) formulas interpreted over these traces, al-
though the choice of linear time over other temporal logics
may not be highly significant.
3.1 Agents, Attributes, and Messages
We begin by modeling communicating agents. Associated with each agent is a collection of the attributes that agent knows. Let $P$ be a set of agents, and let $\mathcal{T}$ be a set of attributes. For example, Alice and Bob are agents, and "postal address" and "height" are attributes. A knowledge state $\kappa$ is a subset of $P \times P \times \mathcal{T}$. If $(p, q, t) \in \kappa$, we say agent $p$ knows the value of attribute $t$ of agent $q$. For example, Alice knows Bob's height. We omit "group" attributes, for example the average height of Alice, Bob, and Charlie.
Data Model. To structure attributes, we include computation rules. Our computation rules provide an abstract presentation of possible inferences, enabling agents to compute the attribute "postal code" from the attribute "postal address". Formally, a computation rule is a pair $(T, t)$, where $T \subseteq \mathcal{T}$ and $t \in \mathcal{T}$. Intuitively, if Alice knows the value of each attribute in $T$ for Bob, then Alice can compute the value of attribute $t$ for Bob. We express this formally as a relation on knowledge states:
$$\forall \kappa.\ \forall p, q \in P.\ \text{if } \{p\} \times \{q\} \times T \subseteq \kappa, \text{ then } \kappa \xrightarrow{(T,\,t)} \kappa'$$
where $\kappa' = \kappa \cup \{(p, q, t)\}$. That is, agent $p$ learns attribute $t$ about agent $q$. Let $I$ be a set of computation rules. The relation $\xrightarrow{I}$ is the transitive closure of $\xrightarrow{(T,\,t)}$ for $(T, t) \in I$.
Communication Model. An agent can send a message to another agent provided the sending agent knows all the attributes communicated by the message. For example, Alice can send a message to Bob containing Charlie's height just in case Alice herself knows Charlie's height. After receiving such a message, Bob learns Charlie's height. Messages $m$ are drawn from a set $M$. Associated with each message $m$ is a (possibly empty) set of attributes which the message contains, $\mathrm{content}(m) \subseteq P \times \mathcal{T}$, which is closed under computation rules. For example, a message that contains a postal address necessarily contains the corresponding postal code. We refer to the act of sending a message as a communication action and represent such actions as triples $(p_1, p_2, m)$, where agent $p_1$ is the sender, agent $p_2$ is the recipient, and $m$ is the message being sent. A communication action transforms knowledge states as follows:
$$\forall \kappa, \hat\kappa.\ \forall p_1, p_2 \in P.\ \forall m \in M.\ \text{if } \kappa \xrightarrow{I} \hat\kappa \text{ and } \{p_1\} \times \mathrm{content}(m) \subseteq \hat\kappa, \text{ then } \kappa \xrightarrow{(p_1,\,p_2,\,m)} \kappa',$$
where $\kappa' = \hat\kappa \cup \{p_2\} \times \mathrm{content}(m)$. The contents of the message are first computed by the sender (at $\hat\kappa$) and then learned by the recipient (at $\kappa'$).
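The data and communication model above, as an added Python example that is not part of the paper: a knowledge state is a set of (p, q, t) triples, content(m) is closed under the computation rules, and a communication action goes through only when the sender, after computing what it can, knows everything the message contains. The agents, attributes and computation rules are constructed for illustration.

```python
"""Added example, not the paper's code: the knowledge-state and communication
model of Sect. 3.1.  Agents, attributes and computation rules are constructed."""

# Constructed computation rules I, each a pair (T, t): an agent that knows
# every attribute in T about some subject can compute attribute t about them.
RULES = [
    (frozenset({"postal_address"}), "postal_code"),
    (frozenset({"birthdate"}), "age"),
]

def content(pairs, rules=RULES):
    """content(m): the (subject, attribute) pairs a message carries, closed
    under the computation rules, so a message that contains a postal address
    also contains the postal code."""
    closed = set(pairs)
    changed = True
    while changed:
        changed = False
        for q in {q for q, _ in closed}:
            known = {t for q2, t in closed if q2 == q}
            for T, t in rules:
                if T <= known and t not in known:
                    closed.add((q, t))
                    changed = True
    return frozenset(closed)

def compute(kappa, rules=RULES):
    """kappa -->_I kappa_hat: every agent derives all it can by computation."""
    kappa_hat = set()
    for p in {p for p, _, _ in kappa}:
        for q, t in content({(q, t) for p2, q, t in kappa if p2 == p}, rules):
            kappa_hat.add((p, q, t))
    return frozenset(kappa_hat)

class NotKnown(Exception):
    """The sender does not know, even after computation, something the message contains."""

def communicate(kappa, sender, recipient, pairs, rules=RULES):
    """kappa --(p1, p2, m)--> kappa': the sender first computes what it can and
    must then know every pair in content(m); the recipient learns all of content(m)."""
    kappa_hat = compute(kappa, rules)
    carried = content(pairs, rules)
    missing = {(sender, q, t) for q, t in carried} - kappa_hat
    if missing:
        raise NotKnown(sorted(missing))
    return frozenset(kappa_hat | {(recipient, q, t) for q, t in carried})

def demo():
    # Alice knows Charlie's postal address and sends Bob only the postal code,
    # which she can compute from the address.
    kappa0 = frozenset({("Alice", "Charlie", "postal_address")})
    kappa1 = communicate(kappa0, "Alice", "Bob", {("Charlie", "postal_code")})
    # Bob learned the code but not the address, so he cannot forward the address.
    try:
        communicate(kappa1, "Bob", "Dave", {("Charlie", "postal_address")})
        forward_blocked = False
    except NotKnown:
        forward_blocked = True
    return kappa1, forward_blocked
```

Note that the sender's derived attributes persist in kappa' (it is built from kappa_hat, not kappa), which is exactly what the transition rule says: once Alice has computed the postal code it is part of what she knows.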
3.2 Roles, Contexts, and Traces
In order to model contextual integrity, we impose additional structure that associates agents with roles as part of contexts. Let $R$ be a set of roles and $C$ be a partition of $R$. We refer to elements $c \in C$ as contexts and the roles $r \in c$ as the roles of context $c$. For example, "teller" is a role in a banking context and "doctor" is a role in a health care context. The roles are structured by a partial order $\leq_R$. If $r_1 \leq_R r_2$, then $r_1$ is a specialization of role $r_2$ and, symmetrically, $r_2$ is a generalization of $r_1$. For example, a psychiatrist is a specialization of a doctor, which in turn is a specialization of a health care provider.
Agents can be active in multiple roles simultaneously. For example, Alice can be at once a doctor in a health care context and a customer in a banking context. A role state $\rho$ is a subset of $P \times R$. If $(p, r) \in \rho$, we say agent $p$ is active in, or plays, role $r$. For example, if $(\text{Alice}, \text{psychiatrist}) \in \rho$, then Alice is active in the role of psychiatrist. We require role states to be closed under role generalization, that is, if $r_1 \leq_R r_2$ and $(p, r_1) \in \rho$, then $(p, r_2) \in \rho$. Returning to our example, if $(\text{Alice}, \text{psychiatrist}) \in \rho$, Alice must be active in the role of doctor in addition to that of psychiatrist. There are many instances of each context (many banks, many hospitals), but for clarity we omit instances.
The history of the agent world is an (infinite) trace: a sequence of triples $(\kappa_n, \rho_n, a_n)$, where $\kappa_n$ is a knowledge state, $\rho_n$ is a role state, $a_n$ is a communication action, and $\kappa_n \xrightarrow{a_{n+1}} \kappa_{n+1}$ for all $n \in \mathbb{N}$. The role state can change freely from one state to the next. We view the role state as an input to the model. For example, a hospital provides as input to the policy mechanism a record of which of its employees are nurses, which are doctors, etc. The knowledge state, however, evolves in concert with the communication actions. This prevents Alice from spontaneously learning Charlie's birthday.

$$\sigma \models \Box\ \forall p_1, p_2, q : P.\ \forall m : M.\ \forall t : \mathcal{T}.\ \big(\mathrm{incontext}(p_1, c) \wedge \mathrm{send}(p_1, p_2, m) \wedge \mathrm{contains}(m, q, t)\big) \rightarrow \Big(\bigvee_{\varphi^+ \in \mathrm{norms}^+(c)} \varphi^+\Big) \wedge \Big(\bigwedge_{\varphi^- \in \mathrm{norms}^-(c)} \varphi^-\Big) \qquad (1)$$
positive norm: $\mathrm{inrole}(p_1, \hat r_1) \wedge \mathrm{inrole}(p_2, \hat r_2) \wedge \mathrm{inrole}(q, \hat r) \wedge (t \in \hat t) \wedge \theta \wedge \psi$
negative norm: $\mathrm{inrole}(p_1, \hat r_1) \wedge \mathrm{inrole}(p_2, \hat r_2) \wedge \mathrm{inrole}(q, \hat r) \wedge (t \in \hat t) \wedge \theta \rightarrow \psi$
Figure 1. Norms of Transmission Represented as a Temporal Formula
3.3 Temporal Logic
We employ a standard temporal logic for expressing properties of traces of agent actions (e.g., [29]). The temporal operators are used to capture the principles of transmission. For example, if Alice tells Bob her age under the principle of confidentiality, then, in the future, Bob must not disclose Alice's age. The past operators are also useful for capturing "opt-in" and other similar privacy idioms. Several temporal logics are appropriate for formalizing contextual integrity, including linear temporal logic and branching-time temporal logic. We employ linear temporal logic, in particular multi-sorted, first-order LTL. The interested reader can find the details in Appendix A. We use formulas generated by the following grammar:
$$\varphi ::= \mathrm{send}(p_1, p_2, m) \mid \mathrm{contains}(m, q, t) \mid \mathrm{inrole}(p, r) \mid \mathrm{incontext}(p, c) \mid t \in t' \mid \varphi \wedge \varphi \mid \neg\varphi \mid \varphi\, \mathcal{U}\, \varphi \mid \varphi\, \mathcal{S}\, \varphi \mid \bigcirc \varphi \mid \exists x : \tau.\ \varphi$$
Intuitively, $\mathrm{send}(p_1, p_2, m)$ holds in a state if agent $p_1$ just sent message $m$ to agent $p_2$, $\mathrm{contains}(m, q, t)$ holds if message $m$ contains attribute $t$ of agent $q$, $\mathrm{inrole}(p, r)$ holds in a state if agent $p$ is active in role $r$, $\mathrm{incontext}(p, c)$ holds in a state if agent $p$ is active in a role of context $c$, $t \in t'$ holds if attribute $t$ can be computed from (is a component of) attribute $t'$, and $\varphi\, \mathcal{U}\, \psi$ holds just in case $\varphi$ holds until $\psi$ holds ($\psi$ must eventually hold). The modality "since," written $\mathcal{S}$, is the past version of $\mathcal{U}$. $\bigcirc \varphi$ holds iff $\varphi$ holds in the next state. Finally, $\exists$ is rigid existential quantification.
To simplify notation, we use the following standard symbols: $\Diamond$ for "eventually," $\Box$ for "henceforth," $\blacklozenge$ and $\blacksquare$ for the past versions of $\Diamond$ and $\Box$, respectively, and $\mathcal{W}$ for "wait for." The formula $\varphi\, \mathcal{W}\, \psi$ holds if either $\Box \varphi$ holds or $\varphi\, \mathcal{U}\, \psi$ holds.
3.4 Norms of Transmission
Norms of transmission are expressed as temporal formulas. Each norm is either positive or negative. A positive norm might state that doctor Alice can send patient Charlie's test results to researcher Bob if Bob keeps the records in confidence. Negative norms are dual: they state that communication can occur only if the temporal condition is satisfied. For example, doctor Alice can send patient Charlie's test results to researcher Bob only if Bob keeps the records in confidence. In the positive case, some other norm could authorize the communication and Bob would not be obliged to keep the results confidential, whereas in the negative case Bob must keep the results confidential regardless of how he obtained them from Alice.
We say a trace $\sigma$ satisfies the norms of context $c$ if Formula (1) of Fig. 1 holds. Formula (1) takes a disjunction over the positive norms of transmission for context $c$, denoted $\mathrm{norms}^+(c)$, and a conjunction over the negative norms of transmission for context $c$, denoted $\mathrm{norms}^-(c)$. Thus, in order to satisfy the norms, a communication must be allowed by at least one of the positive norms and it must respect all of the negative norms.
The syntactic forms of positive and negative norms are depicted in Fig. 1, where $p_1$, $p_2$, and $q$ are variables of sort $P$, $\hat r_1$, $\hat r_2$, and $\hat r$ are terms of sort $R$, $t$ is a variable of sort $\mathcal{T}$, $\hat t$ is a term of sort $\mathcal{T}$, $\theta$ is an agent constraint, and $\psi$ is a temporal condition. An agent constraint $\theta$ is a formula free of temporal operators with free variables among $p_1$, $p_2$, and $q$. It expresses a relation among the sender, the recipient, and the subject, for example, that the sender and the subject are one and the same agent. A temporal condition $\psi$ formalizes the notion of a principle of transmission and is a temporal formula with free variables among $p_1$, $p_2$, $q$, $m$, and $t$. It requires certain future actions to occur and certain past actions to have occurred (see Sect. 5 for concrete examples of norms).
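An added example, not from the paper, that evaluates Formula (1) of Fig. 1 over a finite trace and also exercises the role structure of Sect. 3.2: each step's role state is closed under generalization, a positive norm contributes the conjunction of its role guards, the attribute test t ∈ t̂, θ and ψ, a negative norm contributes the implication, and every transmission in the context must be allowed by some positive norm and respect every negative norm. The two temporal conditions are confidentiality (a future condition: the recipient never passes the attribute on) and opt-in (a past condition: the subject earlier activated a consent role, which is this example's own encoding of consent, not the paper's). Roles, attributes, contexts, agents and the trace are constructed; knowledge states are left out because only each step's role state and action are needed here.

```python
"""Added example, not the paper's code: checking Formula (1) of Fig. 1 over a
finite trace.  Agents, roles, attributes, contexts and the trace are all
constructed.  Because the trace is a finite prefix, a "henceforth" condition
is judged on the observed history only."""
from dataclasses import dataclass
from typing import Callable

GENERALISES = {"psychiatrist": {"doctor"}, "doctor": {"health_care_provider"}}
COMPONENTS = {"medical_record": {"test_results"}, "postal_address": {"postal_code"}}
CONTEXTS = {"health_care": {"health_care_provider", "doctor", "psychiatrist",
                            "patient", "researcher", "consented_to_research"},
            "banking": {"teller", "customer"}}

def upward(x, order):
    """Everything reachable from x in a specialisation/component ordering, x included."""
    seen, todo = set(), [x]
    while todo:
        y = todo.pop()
        if y not in seen:
            seen.add(y)
            todo.extend(order.get(y, ()))
    return seen

def inrole(rho, p, r):            # role states are closed under generalisation
    return any(r in upward(r0, GENERALISES) for p0, r0 in rho if p0 == p)

def incontext(rho, p, c):         # p is active in some role of context c
    return any(p0 == p and r0 in CONTEXTS[c] for p0, r0 in rho)

def attr_in(t, t_hat):            # t is a component of (computable from) t_hat
    return t in upward(t_hat, COMPONENTS)

def sent(step, sender, q, t):     # send(sender, _, m) and contains(m, q, t) at this step
    action = step[1]
    return action is not None and action[0] == sender and (q, t) in action[2]

@dataclass
class Norm:
    positive: bool
    r1: str                        # role of the sender
    r2: str                        # role of the recipient
    r: str                         # role of the subject
    t_hat: str                     # the norm covers every t with t in t_hat
    theta: Callable = lambda p1, p2, q: True                 # agent constraint
    psi: Callable = lambda trace, i, p1, p2, q, t: True      # temporal condition

def holds(norm, trace, i, p1, p2, q, t):
    rho = trace[i][0]
    guard = (inrole(rho, p1, norm.r1) and inrole(rho, p2, norm.r2)
             and inrole(rho, q, norm.r) and attr_in(t, norm.t_hat)
             and norm.theta(p1, p2, q))
    cond = norm.psi(trace, i, p1, p2, q, t)
    return (guard and cond) if norm.positive else (not guard or cond)

def violations(trace, context, norms):
    """Transmissions in `context` that no positive norm allows or that break a
    negative norm: (step index, sender, recipient, subject, attribute)."""
    found = []
    for i, (rho, action) in enumerate(trace):
        if action is None or not incontext(rho, action[0], context):
            continue
        p1, p2, contents = action
        for q, t in sorted(contents):
            allowed = any(holds(n, trace, i, p1, p2, q, t) for n in norms if n.positive)
            respected = all(holds(n, trace, i, p1, p2, q, t) for n in norms if not n.positive)
            if not (allowed and respected):
                found.append((i, p1, p2, q, t))
    return found

# Temporal conditions (principles of transmission).
def confidential(trace, i, p1, p2, q, t):   # future: recipient never passes (q, t) on
    return not any(sent(s, p2, q, t) for s in trace[i + 1:])

def opted_in(trace, i, p1, p2, q, t):       # past: subject once activated a consent role
    return any(inrole(s[0], q, "consented_to_research") for s in trace[:i])

HEALTH_NORMS = [
    Norm(True, "patient", "health_care_provider", "patient", "medical_record",
         theta=lambda p1, p2, q: p1 == q),                   # patients may disclose their own records
    Norm(True, "doctor", "researcher", "patient", "test_results", psi=confidential),
    Norm(False, "doctor", "researcher", "patient", "test_results", psi=opted_in),
]

def demo():
    base = {("Alice", "psychiatrist"), ("Bob", "researcher"),
            ("Charlie", "patient"), ("Dave", "teller")}
    consent = base | {("Charlie", "consented_to_research")}
    result = ("Charlie", "test_results")
    disclose = (base, ("Charlie", "Alice", {result}))       # patient tells own doctor
    opt_in = (consent, None)                                # Charlie consents to research
    share = (base, ("Alice", "Bob", {result}))             # doctor -> researcher
    leak = (base, ("Bob", "Dave", {result}))               # researcher -> bank teller
    return (violations([disclose, opt_in, share], "health_care", HEALTH_NORMS),
            violations([disclose, opt_in, share, leak], "health_care", HEALTH_NORMS),
            violations([disclose, share], "health_care", HEALTH_NORMS))
```

Two things are worth noticing in the output. When Bob later leaks the results, the violation is reported at the doctor's send as well as at the leak: the positive norm that licensed the doctor's disclosure carried a future condition, so once that condition fails the disclosure itself is no longer permitted, while the leak fails simply because no positive norm covers a researcher sending to a teller. And because the checker only ever sees a finite prefix, a history that respects every norm so far can still be one on which some future obligation is never met, which is why judging a single next action against the past is weaker than asking whether an admissible continuation exists.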
One subtle consequence of the construction of For-
mula (1) is the treatment of attributes. Each individual norm
applies to a downwardly closed set of attributes (downward
in the information ordering on attributes induced by the
computation rules). This captures the usual implication that
the statement “allow disclosure of postal address” also al-
lows the disclosure of postal codes. The formula univer-
