Wednesday, March 05, 2014

Information Fiduciaries in the Digital Age


When I teach the intersections between freedom of speech and privacy, I like to introduce the concept of information fiduciaries in order to explain what is at stake. The concept of an information fiduciary helps us understand how we might protect digital privacy while not running afoul of the First Amendment. It helps us understand how we might adjust the third party doctrine of Smith v. Maryland without abolishing the doctrine altogether.  And it also has applications in other areas of cyberlaw.

I. Information Fiduciaries

Traditionally, a fiduciary is a person who has a relationship of trust with a party (the beneficiary), and who is authorized to hold something valuable (for example, the beneficiary's assets or other property) and manage them on the beneficiary's behalf. Fiduciaries have duties of loyalty and of care. In managing the beneficiary's assets, the fiduciary must act with care in the beneficiary's interest and, at the very least, must not use these assets against the beneficiary's interests. The fiduciary's duty of loyalty may also create a duty of honesty to disclose to the beneficiary how the fiduciary is handling the assets or property. Usually the duty of loyalty also requires that the fiduciary avoid creating conflicts of interest between the fiduciary and beneficiary, and also includes a duty against self-dealing-- i.e., using the beneficiary's assets to benefit the fiduciary-- because of the danger that the assets will be used to the beneficiary's detriment. Things are more complicated than this, and in fact, there are whole bodies of law that deal with fiduciary relationships, but these are the basics.

Suppose that the asset in question is information. By this I do not mean simply intellectual property owned by the beneficiary, but also personal or sensitive information about the beneficiary. In that case, the fiduciary is an information fiduciary and the person is an information beneficiary.

Does the law recognize information fiduciaries? Yes it does. The most obvious examples are in the law of malpractice. Lawyers, doctors, and accountants have duties to use confidential information about their clients to the client's advantage and not to disclose information against the client's interest. To this extent, the professional is an information fiduciary and the client is an information beneficiary.

The idea of an information fiduciary matters when the fiduciary discloses or uses sensitive information about the beneficiary to the beneficiary's disadvantage without permission. First, in some cases, the government may impose a duty of disclosure, but it generally requires a very good reason to breach the confidence. Second, the fiduciary may not disclose sensitive information to third parties or use the information against the client's interest, and if this duty is breached, the client has a cause of action in tort. Note, moreover, that this cause of action is not barred by the First Amendment. A lawyer, doctor or accountant generally does not have a First Amendment right to disclose sensitive information about their clients or use that information in self-dealing even though a perfect stranger with no professional relationship might have a First Amendment right to do so. The fiduciary relationship creates a duty that, in this particular context, trumps the interest in freedom of expression.

II. Online Service Providers as Information Fiduciaries

Now think about information fiduciaries in the digital age. Many of the online services that people use require them to trust companies with sensitive personal information. If the companies are not information fiduciaries, but are simply arm's-length strangers, this trust may be abused. The companies have no duty not to disclose sensitive personal information or use it in ways that might conflict with the end user's interests unless the companies have agreed to assume these duties by contract-- often in the Terms of Service or EULA. Moreover, companies may also reserve for themselves the right to change the ToS or EULA-- including the privacy provisions-- with notice to the customer.

But suppose that an online service provider is an information fiduciary. Then the OSP has a duty not to use its end users' personal information against the end users' interests, even without an explicit contractual promise. That fiduciary duty might be recognized by the common law, or it might be fleshed out by statute or administrative regulation, as it often is in the case of the professions.

A fiduciary duty would limit the rights the company would otherwise enjoy to collect, collate, use and sell personal information about the end user. In particular, there would be no general First Amendment right to disclose sensitive data or use sensitive data to the disadvantage of the end user. (To be sure, such a right might exist in certain circumstances depending on how strong the fiduciary duty was and whether the duty allows waiver or consent to disclose in certain circumstances.) The online service provider would also have to consider whether its information practices created a conflict of interest and act accordingly. Moreover, the online service provider's duties of loyalty and care might require it to disclose how it was using the customer's personal information.

Moreover, if an online service provider were considered an information fiduciary, this should change the end user's reasonable expectations of privacy. An end user should have a reasonable expectation of privacy that an information fiduciary will not hand over sensitive information to others.  Courts might therefore modify the third party doctrine of Smith v. Maryland accordingly.  Requests for sensitive personal information from information fiduciaries -- but not from other types of third parties-- might constitute searches and require that the government obtain a warrant.  In the alternative, Fourth Amendment doctrine could be modified so that the government could not obtain sensitive personal information from an information fiduciary without sufficiently good reasons.

III. Who Should be Considered Digital Information Fiduciaries?

Of course, all of this simply raises the central question. May the state-- or common law courts-- treat online service providers as information fiduciaries, as they do for members of certain professions or other kinds of fiduciaries?

It's important to understand that the First and Fourth Amendments, considered in the abstract, cannot answer this question. Rather, the protections of the First and Fourth Amendments come into play *after* we have made judgments about what kinds of social roles in contemporary society are sufficiently analogous to more traditional kinds of fiduciaries.

Governments should be able to consider developing relationships of trust in sensitive personal information in the digital age, and create new categories of fiduciary/beneficiary obligations that are organized around the collection and storage of sensitive personal information.

It is no answer to say that permissible restrictions on disclosure and self-dealing speech apply only to traditional professions like those of law and medicine, because they predate the ratification of the First Amendment in 1791. Although some professions and some kinds of fiduciary obligations predate the First Amendment, others arose much later on.  Rather, the question is a functional one, which reasons by analogy. Should we treat certain online businesses, because of their importance to people's lives, and the degree of trust and confidence that people inevitably must place in these businesses, in the same way that we treat certain professional and other fiduciary relationships?

In answering this question, we should consider the following:

First, there are many types of fiduciary duties. We do not have to treat Facebook or Google exactly the same as your pediatrician, psychotherapist, or accountant. The kinds of obligations that online service providers assume should be carefully calibrated to the kinds of services they actually provide, and the kinds of dependence they produce and encourage in their end users.

Given the nature of these businesses, and their dependence on trade secrecy, the restrictions on self-dealing and the duties of candor might be importantly different. Thus, the law of privacy for Facebook or Google need not be the same as the law of doctor-patient confidentiality.

Second, the question of whether an online service provider is an information fiduciary is not the same as the question whether it is an essential facility in antitrust law or a common carrier in telecommunications law. The question does not depend on the size of the entity, but rather on the kind of services it offers, the kind of trust it engenders, and the kind of dependence it creates. A large entity might be an information fiduciary, but not simply because it is large or because it has a sufficiently great market share; a small entity might also be an information fiduciary.

Third, there are many kinds of online service providers; a one-size-fits-all approach will not do. For example, there are many kinds of search engines. The mere fact that an online application has search functionality should not make it an online information fiduciary.

Fourth, because there are so many ways of structuring online services, including ways nobody has yet imagined, it may be difficult for legislatures and courts to draw lines. Therefore, as Jonathan Zittrain has suggested, it might be appropriate to offer online service providers an incentive to designate themselves as information fiduciaries in return for certain benefits that come with the designation. These might include, among other things, special tax incentives, or legal immunities.

Many years ago Ed Castronova suggested the idea that we might govern virtual worlds through what he called statutes of interration (a play on statutes of incorporation). I adapted this idea in my own work on virtual worlds. I have argued that even though virtual environments are privately owned, governments could create framework statutes that would require platform owners to respect the free speech and privacy of the end users in return for special legal status and benefits. We might be able to adapt this idea to today's online service providers to create new classes of digital information fiduciaries.