Information Fiduciaries

I’ve set a reasonably modest goal for myself of writing 10 blog posts in April. Let’s see if I can get back on this bike (since I really miss it). This is post number 5! Over the last few weeks I've been asked a lot about my take on the Facebook news and I've struggled to add much to the conversation. I'm not shocked (this story has been around since 2015 in almost exactly its current form, a fact I don't think nearly enough people understand), we shouldn't be calling it a breach or a leak (that's not what happened), and I think it has a lot more to do with the new European data regulations called GDPR than most are mentioning. Outside of that I'm mostly left pondering questions/thought experiments like what is the minimum amount of targeting Facebook would have to hold on to in order to maintain 80% of its ad revenue (aka minimum viable targeting) and did they actually end up in this mess in an effort to directly make more money (the FB wants more data to sell to advertisers argument) or in an effort to drive engagement (which, of course, helps make more money). Not sure that second one matters, but it's interesting to me nonetheless. Anyway, mostly I'm left looking for opinions that go beyond the recitation of facts. On Sunday morning I was reading the Times opinion section and ran into an idea that felt new. Here it is from Jonathan Zittrain's op-ed "Mark Zuckerberg Can Still Fix This Mess":

On the policy front, we should look to how the law treats professionals with specialized skills who get to know clients’ troubles and secrets intimately. For example, doctors and lawyers draw lots of sensitive information from, and wield a lot of power over, their patients and clients. There’s not only an ethical trust relationship there but also a legal one: that of a “fiduciary,” which at its core means that the professionals are obliged to place their clients’ interests ahead of their own. The legal scholar Jack Balkin has convincingly argued that companies like Facebook and Twitter are in a similar relationship of knowledge about, and power over, their users — and thus should be considered “information fiduciaries.”

Information fiduciary is one of the first things I've read in all the morass of Facebook think-pieces that felt both new and useful. The basic idea is that Facebook (and other similar platforms) have a special relationship with users that resembles the kind of fiduciary responsibilities doctors and lawyers have with our data (critically, Balkin makes a distinction between the responsibility for data and advice, the latter of which Facebook obviously doesn't have). In his much longer and surprisingly readable paper on the idea he lays out an argument for why we should take the concept seriously. The paper starts by replaying a question Zittrain posed in 2014 New Statesman article after Facebook ran a get out the vote experiment that drove impressive numbers:

Now consider a hypothetical, hotly contested future election. Suppose that Mark Zuckerberg personally favors whichever candidate you don’t like. He arranges for a voting prompt to appear within the newsfeeds of tens of millions of active Facebook users—but unlike in the 2010 experiment, the group that will not receive the message is not chosen at random. Rather, Zuckerberg makes use of the fact that Facebook “likes” can predict political views and party affiliation, even beyond the many users who proudly advertise those affiliations directly. With that knowledge, our hypothetical Zuck chooses not to spice the feeds of users unsympathetic to his views. Such machinations then flip the outcome of our hypothetical election. Should the law constrain this kind of behavior?

Balkin argues that we don't really have any way to stop Facebook from doing that legally. The First Amendment gives them the right to political speech. We could hope that they wouldn't do it because of the backlash it would likely create (and it's true that it would probably be enough to prevent them), but do we feel good relying on the market in this case? After going through a bunch of options for dealing with the situation, Balkin lands on the fiduciary concept. "Generally speaking, a fiduciary is one who has special obligations of loyalty and trustworthiness toward another person," he writes. "The fiduciary must take care to act in the interests of the other person, who is sometimes called the principal, the beneficiary, or the client. The client puts their trust or confidence in the fiduciary, and the fiduciary has a duty not to betray that trust or confidence." In a more recent blog post Balkin argues that Facebook has effectively confirmed the idea with his response to Cambridge Analytica when Zuckerberg said, "We have a responsibility to protect your data, and if we can't then we don't deserve to serve you. I've been working to understand exactly what happened and how to make sure this doesn't happen again." But how would it all work? Well, Zittrain and Balkin tackled that too. In a 2016 Atlantic article, they present a theoretical framework for application in a similar way to the Digital Millennium Copyright Act (DMCA) which, while it has its flaws, is a solution that seems to generally work for the various parties involved. Here's their proposal for a Digital Millennium Privacy Act (DMPA):

The DMPA would provide a predictable level of federal immunity for those companies willing to subscribe to the duties of an information fiduciary and accept a corresponding process to disclose and redress privacy and security violations. As with the DMCA, those companies unwilling to take the leap would be left no worse off than they are today—subject to the tender mercies of state and local governments. But those who accept the deal would gain the consistency and calculability of a single set of nationwide rules. Even without the public giving up on any hard-fought privacy rights recognized by a single state, a company could find that becoming an information fiduciary could be far less burdensome than having to respond to multiple and conflicting state and local obligations.

This feels like a real idea that has value for all parties involved and a legitimate framework for implementation. I don't know that it will ever come to pass, but I'm excited to continue paying attention to the conversations around it.