"Can you keep this confidential? How do you know?"

by Raemon3 min read21st Jul 202040 comments

111

Robust AgentsCommunication CulturesPrivacyCommunity
Frontpage

Pet peeve about privacy: I think people are woefully inadequate at asking, and answering, "Can you keep this confidential?"

Disclosure: I am not inherently great at keeping information private. By default, if a topic came up in conversation, I would accidentally sometimes say my thoughts before I had time to realize "oh, right, this was private information I shouldn't share."

I've worked over the past few years to become better at this – I've learned several specific skills and habits that make it easier. But I didn't learn those skills in school, and no one even really suggested I was supposed to learn them. People seemed to just assume "people can keep secrets, and it's low cost for them to do so."

And... maybe this is just me. But, people say to me "hey, can you keep this private?", in a tone that implies I'm not really supposed to say no. And that's the best case. I've also observed things like...

...people saying "hey, this is confidential", and then just saying the thing without checking in.

...people saying "sign this NDA", without really checking I have the skills to honor that agreement, and if I were to not sign, I'd... probably get fired? Unclear.

...people gathering for a Circle or other private safe space, and saying (best case) "do we all agree to keep things here confidential? Raise you hand?" and worst case, just flatly asserting "This is a safe space, things are confidential here". (And I have seen at least one instance where someone I actively trusted later betrayed that trust)

...people saying "You can report things to our [org / HR department / point-person], and they will keep things confidential." But, I know that in the hiring process for that org or department, no one ever checked that people actually had privacy skills.

And meanwhile, I have almost never heard anyone say something like "I have been given 10 bits of private-info over the past few years, and I accidentally leaked two of them", or even "I have paid any attention at all to how leaky I am with regards to confidential information."

What is a secret, even?

Meanwhile, people seem to vary in what they even mean by "secret" or "private information." Some people take them as serious oaths, some people just kinda sorta try to keep the R0 of the info lower than 1. Sometimes it seems to mean "carry this information to your grave", and sometimes it means "I dunno keep this on the down-low for awhile until the current controversy blows over."

Some people reading this might be surprised this is even a big deal. I gave a lightning-talk version of this blogpost last weekend, and one person asked "does this really matter that much, outside of major company NDAs or state-secrets?" Another person expressed similar skepticism. 

I think it varies. The problem is exactly that most of the time, secrets aren't that big of a deal. But people don't seem to take time to get on the same page of exactly how big a deal they are, which is a recipe for mismatched expectations. 

It's a bigger deal for me, because I live in social and professional circles adjacent to EA Grantmaking where line between the personal and professional is (perhaps unfortunately) a bit blurry. Sometimes, I talk to people exploring ideas that are legit infohazardous. Sometimes, people are hesitant to talk because they're worried it may affect their career. 

It's also important to me from a Robust Agency standpoint – I'd like to be a reliable agent that people can coordinate with in complicated domains. Many other people in the x-risk ecosystem also seem interested in that. I think "the ability to exchange information, or reliably not exchange it" is a key skill, and worth cultivating because it enables higher order strategies.

What to do with all this?

I don't have a clear next action with all this. Right now, there's a vague social norm that you're supposed to be able to keep secrets, and that certain types of information tend to be private-by-default, but outside of things like "your social security number", there's not much agreement on what.

What I've personally taken to doing is giving myself a TAP, where as soon as I notice that a conversation or relationship is moving in the direction where someone might want to give me private information (or vice versa), I say "hey, I'd like to have a little meta-discussion about privacy."

And then we have a chat. If the conversation literally just broached the idea that one of us share private info, I try to avoid face-to-face contact to avoid micro-expressions revealing information. (Someone else recently suggested leaving more pauses in the conversation, so that reaction-time didn't reveal information either). 

Then, I ask some questions like:

Can you keep a secret?

How do you know?

What exactly do you mean by secret?

Meanwhile, acknowledging: "Hey, so, in the past few years I've leaked at least one important bit of private-info. I haven't kept track of how much private info I didn't leak. But, I've also been working on gaining skills that make me more reliable at keeping things private, and making it lower cost for myself to take on confidential information. I'm fairly confident I can keep things private if I have to, but it's still a moderate cost to myself and I have to choose to do it on purpose. So please don't assume I'm keeping anything private unless I've specifically told you so."

I think it'd be good if such meta-conversations became more common. 

I think they most importantly should be common if you are creating an organization that relies a lot on confidentiality. If you're promising to your clients that their information is private, but you aren't actually checking that your employees can keep confidence, you're creating integrity debt for yourself. You will need to pay it down sooner or later. 


This is (hopefully) the first post in the Privacy Practices sequences. The next post will (probably) be "Parameters of Privacy."

111