Technology Article 133 Harv. L. Rev. 497

A Skeptical View of Information Fiduciaries

Responses:

Download
See Footnotes


The concept of “information fiduciaries” has surged to the forefront of debates on online-platform regulation. Developed by Professor Jack Balkin, the concept is meant to rebalance the relationship between ordinary individuals and the digital companies that accumulate, analyze, and sell their personal data for profit. Just as the law imposes special duties of care, confidentiality, and loyalty on doctors, lawyers, and accountants vis-à-vis their patients and clients, Balkin argues, so too should it impose special duties on corporations such as Facebook, Google, and Twitter vis-à-vis their end users. Over the past several years, this argument has garnered remarkably broad support and essentially zero critical pushback.

This Article seeks to disrupt the emerging consensus by identifying a number of lurking tensions and ambiguities in the theory of information fiduciaries, as well as a number of reasons to doubt the theory’s capacity to resolve them satisfactorily. Although we agree with Balkin that the harms stemming from dominant online platforms call for legal intervention, we question whether the concept of information fiduciaries is an adequate or apt response to the problems of information insecurity that he stresses, much less to more fundamental problems associated with outsized market share and business models built on pervasive surveillance. We also call attention to the potential costs of adopting an information-fiduciary framework — a framework that, we fear, invites an enervating complacency toward online platforms’ structural power and a premature abandonment of more robust visions of public regulation.

Introduction

Digital businesses such as Facebook, Google, and Twitter collect an enormous amount of data about their users. Sometimes they do things with this data that threaten the users’ best interests, from allowing predatory advertising and enabling discrimination to inducing addiction and sharing sensitive details with third parties. Online platforms may also disserve their users and the general public in myriad other ways, including by facilitating the spread of disinformation and the harassment of certain categories of speakers. The European Union has responded to some of these concerns with a comprehensive personal data law, the General Data Protection Regulation1 (GDPR). After years of relative neglect, U.S. policymakers, roused by Russian interference in the 2016 presidential election and the Facebook–Cambridge Analytica scandal, have begun to consider a range of reforms to enhance consumer privacy, corporate transparency, and data security on the internet.2 To an unprecedented degree, technology firms in general and online platforms in particular find themselves “in Congress’s sights.”3

Among the reforms under consideration is the idea of treating online platforms as “information fiduciaries.” Professor Kenneth Laudon appears to have coined this phrase in the early 1990s.4 Since 2014, it has been identified with Professor Jack Balkin, who has developed the idea over a series of papers.5 Ordinary people, Balkin observes, are deeply dependent on and vulnerable to the digital companies that accumulate, analyze, and sell their personal data for profit. To mitigate this vulnerability and ensure these companies do not betray the trust people place in them,6 Balkin urges that we draw on principles of fiduciary obligation. Just as the law imposes special duties of care, confidentiality, and loyalty on doctors, lawyers, accountants, and estate managers vis-à-vis their patients and clients, so too should it impose such duties on Facebook, Google, Microsoft, Twitter, and Uber vis-à-vis their end users — although Balkin concedes that the duties would be “more limited” in the digital context.7

Support for this idea is swelling. Dozens of legal scholars have endorsed Balkin’s proposal or discussed it approvingly.8 Journalists have covered it with undisguised enthusiasm; a recent Bloomberg subheadline reads: “America needs data rules that won’t crush the tech industry. One law professor may have figured out a solution.”9 Lawmakers from both parties have expressed interest.10 Last December, a group of fifteen Democratic senators took the next step and introduced legislation that would require online service providers to act as fiduciaries for their users, drawing directly from Balkin’s proposal.11 Facebook CEO Mark Zuckerberg has now signaled his support as well.12 Balkin is the legal academy’s preeminent diagnostician of how theories can move over time from the margins to the mainstream, from “off-the-wall” to “on-the-wall.”13 He is also an ingenious idea entrepreneur whose own theory of information fiduciaries is rapidly making this very transition.

We admire Balkin’s ingenuity and applaud his efforts to advance the cause of platform regulation. Yet while we largely agree with his analysis of why certain digital firms should be regulated more vigorously, we question whether the concept of information fiduciaries is an adequate or apt response to the problems of information asymmetry and abuse that he stresses, much less to more fundamental problems associated with market dominance and with business models that demand pervasive surveillance. The primary aims of this Article are, first, to identify a number of lurking ambiguities and tensions in the theory of information fiduciaries and, second, to raise concerns about the theory’s capacity to resolve them satisfactorily.14 The Article also calls attention to the potential costs of adopting an information-fiduciary framework — a framework that, we fear, invites an enervating complacency about issues of structural power and a premature abandonment of more robust visions of public regulation.

* Academic Fellow, Columbia Law School.

** Professor of Law, Columbia Law School. For helpful comments and conversations, we thank Alex Abdo, Jack Balkin, Danielle Citron, Evan Criddle, Kristen Eichensehr, Andrew Gold, James Grimmelmann, Claudia Haupt, Thomas Kadri, Amy Kapczynski, Ramya Krishnan, Ronald Krotoszynski, Genevieve Lakier, Kyle Langvardt, Ethan Leib, Barry Lynn, Tamara Piety, Robert Post, Jed Purdy, Neil Richards, Marc Rotenberg, Chuck Sabel, Ganesh Sitaraman, Matt Stoller, Tim Wu, and Jonathan Zittrain, as well as workshop participants at Cornell Tech, University of Denver Sturm College of Law, University of Maryland School of Law, and Yale Law School.

Footnotes

  1. ^ Council Regulation 2016/679, 2016 O.J. (L 119) 1. The GDPR, which was adopted in 2016 and entered into force in May 2018, id. at 87, replaced a 1995 directive on data protection, Council Directive 95/46/EC, 1995 O.J. (L 281) 31.

    Return to citation ^

  2. ^ See, e.g., Mark R. Warner, Potential Policy Proposals for Regulation of Social Media and Technology Firms 5–23 (2018), https://graphics.axios.com/pdf/PlatformPolicyPaper.pdf [https://perma.cc/8VCL-TSHM] (surveying policy options).

    Return to citation ^

  3. ^ Heather Whitney, Emerging Threats: Search Engines, Social Media, and the Editorial Analogy 2 (David Pozen ed., 2018), https://s3.amazonaws.com/kfai-documents/documents/4959005632/Search-Engines--Social-Media--and-the-Editorial-Analogy.pdf [https://perma.cc/2RT4-A9HE].

    Return to citation ^

  4. ^ See Kenneth C. Laudon, Markets and Privacy, ICIS 1993 Proc. 65, 70–71 (proposing a “National Information Market,” id. at 70, within which “information fiduciaries would naturally arise” and “would accept deposits of information from depositors and seek to maximize the return on sales of that information in national markets or elsewhere in return for a fee,” id. at 71).

    Return to citation ^

  5. ^ Balkin first promoted the idea in a 2014 blog post. Jack M. Balkin, Information Fiduciaries in the Digital Age, Balkinization (Mar. 5, 2014, 4:50 PM), https://balkin.blogspot.com/2014/03/information-fiduciaries-in-digital-age.html [https://perma.cc/L277-CZLG] [hereinafter Balkin, Digital Age]. He most fully elaborated his views in Jack M. Balkin, Lecture, Information Fiduciaries and the First Amendment, 49 U.C. Davis L. Rev. 1183 (2016) [hereinafter Balkin, Information Fiduciaries]. Additional discussions include Jack M. Balkin, Essay, Free Speech in the Algorithmic Society: Big Data, Private Governance, and New School Speech Regulation, 51 U.C. Davis L. Rev. 1149, 1160–63 (2018) [hereinafter Balkin, Algorithmic Society]; Jack M. Balkin, Essay, Free Speech Is a Triangle, 118 Colum. L. Rev. 2011, 2047–54 (2018) [hereinafter Balkin, Triangle]; Jack M. Balkin & Jonathan Zittrain, A Grand Bargain to Make Tech Companies Trustworthy, The Atlantic (Oct. 3, 2016), https://www.theatlantic.com/technology/archive/2016/10/information-fiduciary/502346 [https://perma.cc/3PL4-3SQT]; and Jack M. Balkin, Fixing Social Media’s Grand Bargain 11–15 (Hoover Working Grp. on Nat’l Sec., Tech. & Law, Aegis Series Paper No. 1814, 2018), https://www.hoover.org/sites/default/files/research/docs/balkin_webreadypdf.pdf [https://perma.cc/774R-AD7D] [hereinafter Balkin, Fixing Social Media]. Professor Jonathan Zittrain has also been an important theorist and advocate of the information-fiduciary concept. See, e.g., Balkin & Zittrain, supra; Jonathan Zittrain, Facebook Could Decide an Election Without Anyone Ever Finding Out, New Republic (June 1, 2014), https://newrepublic.com/article/117878/information-fiduciary-solution-facebook-digital-gerrymandering [https://perma.cc/K2EE-8YJ5]; Jonathan Zittrain, How to Exercise the Power You Didn’t Ask For, Harv. Bus. Rev. (Sept. 19, 2018), https://hbr.org/2018/09/how-to-exercise-the-power-you-didnt-ask-for [https://perma.cc/W233-C7Q6] [hereinafter Zittrain, How to Exercise]; Jonathan Zittrain, Opinion, Mark Zuckerberg Can Still Fix This Mess, N.Y. Times (Apr. 7, 2018), https://nyti.ms/2EsJ0La [https://perma.cc/LMA7-EVKE] [hereinafter Zittrain, Fix This Mess].

    Return to citation ^

  6. ^ In recent years, a number of privacy law scholars have highlighted ways in which privacy and trust are intertwined online, if not co-constitutive. See, e.g., Ari Ezra Waldman, Privacy as Trust: Information Privacy for an Information Age (2018); Neil Richards & Woodrow Hartzog, Taking Trust Seriously in Privacy Law, 19 Stan. Tech. L. Rev. 431 (2016).

    Return to citation ^

  7. ^ Jack M. Balkin, Lecture, 2016 Sidley Austin Distinguished Lecture on Big Data Law and Policy: The Three Laws of Robotics in the Age of Big Data, 78 Ohio St. L.J. 1217, 1229 (2017) [hereinafter Balkin, Three Laws of Robotics]; Balkin, Information Fiduciaries, supra note 5, at 1226; Balkin, Fixing Social Media, supra note 5, at 12.

    Return to citation ^

  8. ^ On our reading, the academic literature taking up the idea of information fiduciaries has been overwhelmingly supportive. For representative responses from leading scholars of internet law, see Frank Pasquale, Lecture, Response: Toward a Fourth Law of Robotics: Preserving Attribution, Responsibility, and Explainability in an Algorithmic Society, 78 Ohio St. L.J. 1243, 1244 (2017) (“I believe that Balkin’s concept of information fiduciary is well developed and hard to challenge.”); and Tim Wu, Opinion, An American Alternative to Europe’s Privacy Law, N.Y. Times (May 30, 2018), https://nyti.ms/2LIrMy4 [https://perma.cc/8FHR-CMTG] (“[Technology] companies should be considered, to borrow a term coined by the law professor Jack Balkin, ‘information fiduciaries’ . . . .”). The closest we have found to a skeptical note is Professor Jane Bambauer’s suggestion that an “expansion of Balkin’s proposal” to cover additional classes of data collectors, such as Netflix and Amazon, “could cause unsettling distortions of free speech protection.” Jane R. Bambauer, Response, The Relationships Between Speech and Conduct, 49 U.C. Davis L. Rev. 1941, 1949 (2016) (emphasis added). As far as we are aware, this Article is the first to apply any sustained critical scrutiny to the information-fiduciary concept.

    Return to citation ^

  9. ^ Editorial, How to Make Facebook and Google Behave, Bloomberg (Apr. 24, 2018, 8:00 AM), https://www.bloomberg.com/opinion/articles/2018-04-24/make-facebook-and-google-information-fiduciaries [https://perma.cc/5SFX-FK25] [hereinafter Bloomberg Editorial]. On a single day this past spring, Balkin’s proposal received glowing coverage in multiple popular pieces. See Russell Brandom, This Plan Would Regulate Facebook Without Going Through Congress, The Verge (Apr. 12, 2018, 11:32 AM), https://www.theverge.com/2018/4/12/17229258/facebook-regulation-fiduciary-rule-data-proposal-balkin [https://perma.cc/WHW7-G3AP]; Yves Faguy, Regulating Facebook to Make It an Information Fiduciary, Nat’l Mag. (Apr. 12, 2018), https://web.archive.org/web/20180416050935/http://www.nationalmagazine.ca/Articles/April-2018/Regulating-Facebook-to-make-it-an-information-fidu.aspx [https://perma.cc/WS8N-XTBF]; Nathan Heller, We May Own Our Data, but Facebook Has a Duty to Protect It, New Yorker (Apr. 12, 2018), https://www.newyorker.com/tech/annals-of-technology/we-may-own-our-data-but-facebook-has-a-duty-to-protect-it [https://perma.cc/KN75-RSZ5].

    Return to citation ^

  10. ^ See, e.g., 164 Cong. Rec. S2026 (daily ed. Apr. 10, 2018) (statement of Sen. John Cornyn) (“Perhaps we should treat social media platforms as information fiduciaries and impose legal obligations on them, as we do with lawyers and doctors, who are privy to some of our most personal, private information.”); Warner, supra note 2, at 14–15 (listing Balkin’s idea first on a list of policy options for Congress to consider in the area of “Privacy and Data Protection,” id. at 14); Heller, supra note 9 (observing that, “[t]o a striking degree, the fiduciary model was the one toward which discussion . . . converged” in an April 2018 Senate hearing on Facebook); see also Zittrain, How to Exercise, supra note 5 (“We’ve found that our [information-fiduciary] proposal has bipartisan appeal in Congress . . . .”).

    Return to citation ^

  11. ^ Data Care Act of 2018, S. 3744, 115th Cong. (2018); see also Press Release, Office of Senator Brian Schatz, Schatz Leads Group of 15 Senators in Introducing New Bill to Help Protect People’s Personal Data Online (Dec. 12, 2018), https://www.schatz.senate.gov/press-releases/schatz-leads-group-of-15-senators-in-introducing-new-bill-to-help-protect-peoples-personal-data-online [https://perma.cc/4PPN-WJL7] (describing the proposed legislation, referred to as the “Data Fiduciary Act” by Senator Cory Booker, as “establishing a fiduciary duty for online providers”).

    Return to citation ^

  12. ^ When Senator Brian Schatz, a lead sponsor of the Data Care Act, raised Balkin’s information-fiduciary idea at a high-profile hearing last year, “Zuckerberg seemed to perk up. ‘I think it’s certainly an interesting idea,’ Zuckerberg said, ‘and Jack is very thoughtful in this space, so I do think it deserves consideration.’” Brandom, supra note 9. At a more recent event with Zittrain, Zuckerberg described the “idea of [Facebook] having a fiduciary relationship with the people who use our services” as “intuitive” and consistent with Facebook’s “own self-image . . . and what we’re doing.” At Harvard Law, Zittrain and Zuckerberg Discuss Encryption, “Information Fiduciaries” and Targeted Advertisements, Harv. L. Today (Feb. 20, 2019), https://today.law.harvard.edu/at-harvard-law-zittrain-and-zuckerberg-discuss-encryption-information-fiduciaries-and-targeted-advertisements [https://perma.cc/5JNH-T8DQ] [hereinafter Zittrain and Zuckerberg].

    Return to citation ^

  13. ^ Jack M. Balkin, Constitutional Redemption 12 (2011); see id. at 61, 69–70, 88, 119, 177–83; Jack M. Balkin, From Off the Wall to On the Wall: How the Mandate Challenge Went Mainstream, The Atlantic (June 4, 2012), http://www.theatlantic.com/national/archive/2012/06/from-off-the-wall-to-on-the-wall-how-the-mandate-challenge-went-mainstream/258040 [https://perma.cc/Y4LD-8RR5].

    Return to citation ^

  14. ^ Given that the firms Balkin would designate as information fiduciaries vary in the services they provide, the business models they use, and the market dominance they enjoy, any analysis of the designation’s appropriateness or helpfulness will necessarily vary to some extent by firm. For purposes of this analysis, we focus above all on Facebook, both because Facebook is Balkin’s main example of a digital information fiduciary and because it is the company whose practices have most galvanized privacy reformers in recent years. Facebook also happens to offer a particularly stark case study in the inadequacies of the information-fiduciary framework.

    Return to citation ^
Download
Topic:

December 10, 2019

More from this Issue

See Full Issue