A Dilemma for Privacy as Control

Although popular, control accounts of privacy suffer from various counterexamples. In this article, it is argued that two such counterexamples—while individually resolvable—can be combined to yield a dilemma for control accounts of privacy. Furthermore, it is argued that it is implausible that control accounts of privacy can defend against this dilemma. Thus, it is concluded that we ought not define privacy in terms of control. Lastly, it is argued that since the concept of privacy is the object of the right to privacy, if the former cannot be defined in terms of control, neither can the latter.

Before turning to introduce the two counterexamples, to show how they can be combined into a dilemma, a few things need to be specified and clarified to avoid any misunderstandings. First, when I say 'privacy' I mean the concept of privacy, not the concept of the right to privacy. As was already pointed out by Parent (1983a: 273, fn. 11), some confuse these distinguishable but related concepts.[2] The relation between these concepts is simple: if there is a right to privacy, then privacy is the object of the right to privacy.
Second, the dilemma I present is only a dilemma for control accounts of privacy, not control accounts of the right to privacy. Indeed, any reasonable control account of the right to privacy can resolve the counterexamples and avoid the dilemma. Yet, the arguments nevertheless provide an argument against control accounts of the right to privacy as well. This follows from the fact that if the concept of privacy should not be conceptualized as a control account, then (because privacy is the object of a right to privacy) neither should the concept of the right to privacy. Another way to formulate this is to say that if privacy is not best conceptualized as a control account, but a so-called 'right to privacy' is, then that right is not a right to privacy, but a right to something else.[3]
Third, although control accounts are often recognized as amongst the most popular conceptions of privacy (see, e.g., Macnish 2016: 417; Schwartz 1999: 820), this is probably due to the popularity of defining the right to privacy in terms of control, rather than privacy as such. Yet, as I just stated, my arguments against control accounts of privacy also provide an argument against control accounts of the right to privacy. More importantly, there are those that defend pure control accounts of the concept of privacy as such, not merely the concept of the right to privacy (see fn. 7).
Fourth, what do I mean by control accounts? Conceptions of privacy come in many forms. Privacy can be conceptualized as a descriptive or normative concept. The conceptual analysis can be limited to informational or bodily privacy. The concept of privacy can be analyzed as a state, condition, or as a measure. Irrespective of such choices, or irrespective of whether one is analyzing privacy or the right to privacy, many of these conceptions have various qualities in common. According to 'control accounts', privacy (or the right to privacy) should be conceptualized as some kind of control over some kind of matters (e.g., our information, our bodies, our belongings; to simplify I will henceforth call these matters 'private matters').[4] Specifically, whether something is a control account of privacy depends on whether an agent's privacy (or right to privacy) is affected by control or something else (i.e., an agent's degrees of privacy, relative to some private matter, depend on the agent's degrees of control of that private matter).[5] This may be contrasted with so-called 'limited access accounts', according to which privacy (or the right to privacy) should be conceptualized as some kind of limited access (of other agents) to some kind of private matters.[6]
To illustrate how we can determine whether a conception of privacy is a control account, consider, for example, two types of control accounts of privacy that Schoeman (1984) has identified in the literature. First, "Privacy has been identified […] as the measure of control an individual has over" one's private matters (p. 2; private matters is used here as an abbreviation). Second, privacy has been equated "with control over access" to one's private matters (p. 3; private matters is used here as an abbreviation). In both these examples privacy is analyzed as some sort of control over some sort of private matters and control determines how an agent's privacy is affected. (See the fn. for more examples of control accounts.)[7] More complicated cases include, for example, Parent's (1983a) conception of privacy as "the condition of not having undocumented personal knowledge about one possessed by others" (p. 269), which some have identified as a control account (DeCew 2018). This is interesting, since, as you will see, Parent is highly critical of control accounts of privacy. In determining whether Parent's conception of privacy is a control account or not, it is illustrative to ask whether possession should be understood in terms of control or limited access.
On the one hand, it may be reasonable to conclude that it is a control account, if we think of possession as some sort of control; the question is if it satisfies the requirement that control should affect an agent's degree of privacy. On the other hand, since Parent talks about possession of knowledge, it is reasonable to think that his account is closer to a limited access account than a control account of privacy (given that knowledge standardly would require access to be possessed).[8]
Lastly, before turning to the counterexamples it should be noted that this is a philosophical (rather than, for example, legal) investigation into the concept of privacy. That is, legal references are used in this work only in so far as they are relevant for the given purpose.
Footnote 1 (continued): That raises the question of whether these intuitions hold in absence of such structures or relations (i.e., in more mundane situations; cf. Rachels 1975 for a discussion about the importance of a conception of privacy that holds in ordinary situations) and whether the examples actually provide support in favor of contextualist accounts of (the right to) privacy (i.e., similar to ideas provided by Nissenbaum 2010 and Solove 2008).
Footnote 2: For example, amongst legal scholars it is common to say "privacy is a right" (to support this, consider, e.g., that a Google search on "privacy is a right" within quotes results in about 1,390,000 hits, e.g., https://www.encyclopedia.com/social-sciences-and-law/law/law/right-privacy). Although such talk may be sensible in the context, granted that in the legal domain the right to privacy is a more important concept than privacy, it is nevertheless a formulation that should be avoided if we want to speak correctly about distinct concepts (see also fn. 7).
Footnote 3: That is, if the right to privacy should be conceptualized as a control account of privacy, then so must the concept of privacy (and vice versa). By modus tollens it follows that if either concept must not be defined as a control account, because it cannot (granted that it suffers from a serious counterexample), then neither should the other concept.
Footnote 4: While there is some disagreement on what constitutes these private matters, I will set that aside for the purpose of this paper and hence I will treat conceptions of informational and bodily privacy as falling under the same concept (i.e., privacy).
Footnote 5: If one thinks that privacy should be analyzed as a binary condition or state, then one should think of control as determining whether an agent has a condition of privacy, or whether an agent is in a state of privacy.
Footnote 6: Although there are other alternatives, control and access accounts are often presented as two diametrical alternatives on how to conceptualize privacy. In this article, access accounts are introduced to enable us to distinguish control accounts from other accounts of privacy, specifically from the so-called access accounts. As you will see, this will be central in establishing that the dilemma cannot be avoided.
Footnote 7: Examples of control accounts of privacy or the right to privacy include, for example, Fried (1968), who argues that "[Privacy] is the control we have over information about ourselves" (p. 482); Parker (1974), who argues that "Privacy is control over when and by whom the various parts of us can be sensed by others" (p. 281); Allen (2000), who argues that "'privacy' means personal data control or rights of data control; that the right of privacy is a right of personal data control; and that enhancing personal data control by individuals is the optimal end of privacy regulation" (p. 875); Moore (2008, 2013), who argues that "A right to privacy is a right to control access to and uses of-places, bodies, and personal information" (p. 421); and Matthews (2008), who argues that "the condition of privacy is rightly qualified as something that obtains only if we presume it is under the control of the agent" (p. 131). There are many more examples of control accounts beyond those given above (e.g., Birnhack 2019: 289; Bülow 2014: 7; Calo 2019: 42; Falls-Corbitt and McLain 1992: 370; Frey 2000: 66-67; Froomkin 2000: 1464; Inness 1992: viii; Kang 1998: 1203; Rachels 1975: 326; Miller 1971: 25; and Westin 1967: 7; see also Parent 1983b: 343-345 for more early references). I will give further examples as I develop the article. Lastly, as previously noted, there are some examples in the literature of proponents of control accounts who say privacy when they mean the right to privacy. However, granted that some of the above examples clearly exemplify a control account of privacy as such, I will not spend any time making clarificatory interpretations for those that do not.

Control and the Parent/Macnish Dilemma
In introducing the dilemma against control accounts of privacy, I will start by using a control account of privacy conceptualized closely in line with one of Schoeman's examples: Privacy is control over (access to) one's private matters. This formulation is merely used for making the introduction of the first counterexample convenient. As you will see, nothing hangs on this first formulation.[9]
In a classical counterexample, Parent argues that a person's privacy can be diminished even though the person has control over his private matters if he "freely divulges everything, no matter how intimate the facts, about himself" (cf. Parent 1983a: 273; 1983b: 344).[10] Although this provides a challenge for control accounts on at least one conception of control (on Parent's view, the person divulging everything "has control over this information. For he is deciding on his own to reveal it"; ibid), there is a seemingly easy response for proponents of control accounts of privacy. One plausible response is to note that by divulging private matters a person has less control of those private matters than before. This is perhaps best illustrated by a slight modification of the control account: A person has privacy to the degree that she has control over (access to) her private matters.[11]
Another type of counterexample claims that lack of control does not necessarily imply diminished privacy (i.e., that control accounts are too broad). Macnish (2016) has recently discussed variations of a case in which "I leave my diary on a table in a coffee shop and return to that shop 30 min later to retrieve it" (p. 420). Before turning to the details of the example, it is important to point out that while Macnish's talk about 'violations' can be read as concerning the right to privacy, it is actually about privacy as such. To clarify any potential misunderstandings, I have made notations (within parentheses) to make clear that we can also interpret the examples as concerning privacy-diminishing acts.
Macnish argues that if I find the diary in the hands of a stranger, we may likely feel violated (i.e., we may feel that our privacy has been diminished). It is clear that the diary has been out of my control, but as Macnish argues it is not obvious that our privacy has been violated (diminished). For imagine that, upon returning to the coffee shop, "the stranger smiles and hands me the book. She explains that she has not opened it, but saw me leave without it and collected it to await my return. She knows how intimate her own diary is, so she respected my privacy and kept it shut" (ibid).[12]
A possible problem with Macnish's counterexample is that it seems to suppose a conception of control that implies fairly extreme counterexamples: even if I do not leave my diary behind, the presence of a physically stronger person could affect my control of the access to my diary. In a wide sense of control, I am not in control because the person could easily over-power me and take my diary. However, this is not the kind of control that proponents of control accounts seem to have in mind. Thus, one possible response to Macnish's counterexample is to say that what matters is not having control, but that people act in a way that respects that I should have control of my private matters. Thus, in Macnish's example my privacy is retained, because the woman respects that I should have control. Some have attempted to capture such an idea of control (see, e.g., Rössler 2005: 8).[13]
Footnote 12: As pointed out to me by Julia Mosquera, it should be recognized that just the fact that the woman knows that I have a diary may affect my privacy. In this example we should set that issue aside to focus on whether her control of the diary is affecting my privacy further or if that would require that she accesses the information within the diary.
Footnote 11: If we compare with Schoeman's two generic examples of control accounts of privacy, this may be a recognition of the virtues of the former rather than the latter formulation.
Footnote 13: Rössler writes: "I want to propose the following definition of privacy: Something counts as private if one can oneself control the access to this 'something'" (2005: 8). There's a lot to be said about this proposal (e.g., she seems to conflate the concept of privacy with what is private), but what is important comes at the end of the paragraph: "the concept of 'control' also brings to light the inherent normative moment, for the term 'private' is not normally used in a purely descriptive manner but always has prescriptive elements. The word 'can' must thus be understood in the sense of 'can and/or should and/or may'. Not always when I can in fact control the access to 'something' is this 'something' also 'private' (as when, for example, I have stolen someone else's diary), and vice versa" (ibid). This is an embryo of the kind of idea that I discuss above. In Macnish's example, I should have control over my diary, so the stranger should not and may not access it. However, as an anonymous reviewer points out, Rössler seems to deny this (see p. 117). Nonetheless, what I am interested in is the conception Rössler sketches in her introduction and how that conception
Thus, the following revision would resolve Macnish's counterexample: A person P has privacy to the degree that others respect that P should have control over (access to) P's private matters (henceforth I will use 'Should-modification' as the name for this conception of privacy). This resolves the counterexample, since this is precisely what the woman does.
There may be various reasons to be critical of the Should-modification, but that is of less importance since the main question is whether it can resolve Macnish's counterexample while avoiding a dilemma. Also, if there are reasons to be skeptical of the Should-modification, then that just supports my argument against control accounts.[14] More importantly, we may think that alternative formulations would resolve the counterexample.[15] However, the Should-modification is here used merely as an example of a structure of possible solutions that depend on how other people act. That is, it is one example of the idea that a person's privacy may be retained to the degree that other people act in an appropriate (i.e., privacy-preserving) way, whatever that means. Thus, instead of merely arguing against the Should-modification, or any other specific examples, I will show that all modifications of this type (i.e., those that focus on how other people act to preserve our control) will fail. I will do that by providing a counterargument against both the Should-modification and the broad and unspecified idea that I can retain my privacy to the degree that people act in an appropriate way (which should cover all alternatives of how people may act to respect my privacy by respecting my control; cf. fn. 15).
Footnote 13 (continued): can be used to resolve Macnish's counterexample. Whether that conception of privacy is compatible with the rest of Rössler's analysis is beyond the scope of this paper.
Footnote 14: There are at least three potential problems with the Should-modification. First, it may seem that the addition of 'should' blocks the potential for a purely descriptive (non-normative) conception. While this is not necessarily problematic, some might find this less attractive. Second, and more importantly, it may seem that the addition of 'should' makes the conception say something about what ought to be the case. We might worry that this conflates privacy with the right to privacy, since even if we can conceptualize privacy as a normative concept (or as a value), it ought not say anything about what ought to be the case. Third, we can question whether the Should-modification can be classified as a control account of privacy at all, since it seems that what affects our control on that account is determined not by control but by 'should' or others' respect. Thus, it is questionable whether we can say that it is control that affects an agent's privacy. However, there are plausible ways to respond to all three worries. The first and second because it is questionable whether the conception is actually normative (the scope of the concept of 'should' arguably goes over others' respect, which can be dealt with descriptively). Concerning the third, it is illustrative to compare with the discussion about Parent's definition of privacy, which I suggested could be settled by reference to whether the definition essentially was about control or limited access. If that principle applies here, the modification should still be considered a control account of privacy. Conversely, it should be recognized that a modification of a control account can still fail to be a control account, without becoming a limited access account. So, a further argument would be needed to defend the above account. Yet, this is beside the point since I am merely using the Should-modification as an example of a more general idea about how to resolve Macnish's counterexample.
Footnote 15: For example, we may think that we do not need to add 'should' (i.e., that it is sufficient that the woman respects 'my control'). This was suggested to me by Gustaf Arrhenius. Since this suggestion depends on the woman acting in an appropriate way (i.e., a way that preserves my control) I will address this option as well.
The main problem with this type of response is that it re-activates a variation of Parent's counterexample. Parent's counterexample was that according to some control accounts of privacy (i.e., those which equate privacy with control) I cannot diminish my privacy by sharing private matters, if I am in control when doing so. This is counterintuitive, since I obviously can diminish my privacy by sharing private matters (this needs to be recognized by any proponent of a control account, and most do, since it reduces my control of my private matters). So, we modified the account by noting that one has less control of one's private matters if one has shared them. However, if we accept that I can retain my privacy to the degree that people respect that I should have control (or more broadly: when people act in an appropriate way, whatever that is), then on the basis of such a supposition it would follow that I cannot diminish my privacy by sharing private matters as long as the receiving party fully respects that I should have control over (access to) those private matters (or more broadly: acts in a fully appropriate way).[16]
For example, if we accept the Should-modification (or more broadly: modifications depending on people acting in an appropriate way) as a conception of privacy it would follow that if a couple accidentally reveals intimate facts about their intimate relations (perhaps by accidentally leaving a live-streaming web camera on), then this would not affect their privacy as long as those viewing the stream fully respect that the couple should have control (or more broadly: if they act in a fully appropriate way). However, this conclusion, which follows from accepting the Should-modification or any modification depending on how people act, is highly counterintuitive, especially if we suppose that the stream was shared to very many people. (Of course, people can act in a way that would limit the effect on the couple's privacy, for example, by closing (i.e., limiting their access to) the streamed content; but the question here is whether the couple's privacy would be affected.) Thus, we should conclude that our privacy can be diminished even if everyone involved respects who should have control (or more broadly: acts appropriately). Therefore, privacy as such cannot be defined by the Should-modification (nor by any conception that modifies how people behave).
Consequently, these two counterexamples form a dilemma for control accounts of privacy (the Parent/Macnish dilemma). Avoiding one of the problems implies that one must bite the bullet on the other problem (i.e., by adopting a solution that would resolve Macnish's counterexample, a variation of Parent's counterexample would be re-activated).
Next, I will consider a possible solution that depends on modifying what kind of control that is at stake and what we need to have control over; and I will show why that route is also blocked for control accounts of privacy.

Can the Parent/Macnish Dilemma be Resolved?
To solve, or avoid, the dilemma, we need to revise the control accounts of privacy in a way that avoids both counterexamples (without yielding any further problems). Consider, for example, the following alternative (henceforth 'Control-Presentation'): A person has privacy to the degree that she has control over how she can present herself to others.[17] While this alternative may be problematic for various reasons, let us set that aside to first consider if it can resolve the dilemma. Consider the two counterexamples. First, Parent's counterexample is resolved since when I spill my guts about all kinds of private facts, I do, as a result of that action, have less control over how I can present myself (thus, affecting my privacy). Second, in Macnish's counterexample, control accounts wrongly implied that the fact that the woman had control over the diary affected my privacy (although she kept it shut). However, on the Control-Presentation conception my privacy is not affected, since by keeping the diary shut, she avoids affecting my control over how I present myself to others. In order to affect my control over how I present myself to others, the woman would have to read my diary (supposing it contains information that affects how I can present myself to others).
The Control-Presentation conception of privacy resolves the dilemma by limiting the kinds of object we need control over (how we present ourselves to others). However, it also changes the conception of control as such. My control over how I can present myself to others is not affected by the fact that someone could interfere with it (as the concept of control discussed by Macnish would). It is affected only by actual interference. More importantly, it is affected by access alone. That is, the Control-Presentation conception of privacy does not seem to be affected by less or more control, but by less or more limited access, since privacy, in the given example, is affected by another person's access alone. Thus, the Control-Presentation conception of privacy resolves the dilemma by taking the form of a limited access account. My privacy is unaffected because the woman has not accessed the content of my diary. To affect my privacy, she needs to access the content of my diary. That means that Control-Presentation fails to satisfy the requirement that a control account of privacy should be affected by control, because privacy is affected by access (rather than control).
Footnote 17: This idea is inspired by Marmor (2015), who argues that the right to privacy is a right "grounded in people's interest in having a reasonable measure of control over the ways in which they can present themselves (and what is theirs) to others" (pp. 3-4, cf. Rössler 2005: 116). Despite being inspired by Marmor, the Control-Presentation should not be read as an interpretation of Marmor's conception of privacy. There are several reasons for that. First, Marmor does not defend a conception of privacy, neither does he strictly defend a conception of the right to privacy. Indeed, in the previously quoted sentence Marmor talks of a right to privacy grounded in certain interests. Thus, that Marmor's conception of a right to privacy is grounded in a control-based interest does not necessarily imply that the right needs to be conceptualized as a control account. This would require further analysis of Marmor's paper. Second, even if it could be argued that Marmor defends a control account of privacy in accordance with this interest (which may be defended based on the examples he discusses in his paper), such a conception of the right to privacy should obviously be refuted, since there are many ways we can infringe upon a person's reasonable control over how she presents herself without infringing upon her privacy (e.g., if you are about to hold a speech and someone burns your notes for that speech, or if someone destroys significant parts of your belongings, then, although some of your rights are infringed, your right to privacy is not infringed). Cf. fn. 18. It is important to note that Control-Presentation is not used in this article as a proposal of how to conceptualize control accounts of privacy. It is used to show that the dilemma is genuine (i.e., that it cannot be resolved).
One may try to rescue the Control-Presentation conception, by noting that although access affects privacy on the Control-Presentation conception, privacy can also be affected by control on the Control-Presentation conception. Even if we accept such a weak argument, this does not seem to help. For example, we could diminish someone's control over how they present themselves to others by exerting control over how they present themselves to others (e.g., by threatening them or by being in a position to introduce rules that control their behavior). The problem is that this does not seem to be something that generally affects a person's privacy, making the Control-Presentation account too broad. For example, forcing a student to stand up in class when answering a question certainly affects the student's control over how she presents herself to the rest of the class, but while such a practice could be criticized it arguably does not affect her privacy.[18]
Thus, we should conclude that while the Parent/Macnish dilemma is a genuine dilemma, the dilemma can be avoided. But that requires an account of privacy according to which our privacy is affected by access alone (i.e., not a control account of privacy).

Conclusions
In this article I have argued that control accounts of privacy suffer from a dilemma. I have argued that this dilemma cannot be avoided by taking into consideration other people's behavior. Instead, it can only be avoided by giving up the concept of control in favor of limited access. Hence, privacy should not, because it cannot, be defined as a control account.
Furthermore, I have argued that since privacy is the object of the right to privacy, it follows that if privacy cannot be defined as a control account, then neither should the right to privacy. Thus, even if the dilemma does not affect the concept of the right to privacy, it nevertheless establishes an argument against a control account of the right to privacy, in virtue of establishing a counterexample to a control account of privacy.
Lastly, I want to thank Sven Ove Hansson, Kevin Macnish, and Niklas Möller for comments on earlier drafts.
Funding: I gratefully acknowledge that this article was written, in part, by support from MSB (Swedish Civil Contingencies Agency) through their funding of the SECURIT research program. I also gratefully acknowledge open access funding provided by Stockholm University.
Open Access: This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/