When I teach the intersections between freedom of speech
and privacy, I like to introduce the concept of information
fiduciaries in order to explain what is at stake. The concept of an information fiduciary helps us understand how we might protect digital privacy while not running afoul of the First Amendment. It helps us understand how we might adjust the third party doctrine of Smith v. Maryland without abolishing the doctrine altogether. And it also has applications in other areas of cyberlaw.
I. Information Fiduciaries
Traditionally, a fiduciary is a person who has a relationship
of trust with a party (the beneficiary), and who is authorized to hold something
valuable -- for example, the beneficiary's assets or other property -- and manage
them on the beneficiary's behalf. Fiduciaries have duties of loyalty and of care. In managing the beneficiary's assets, the
fiduciary must act with care in the beneficiary's interest and, at the very least, must
not use these assets against the beneficiary's interests. The
fiduciary's duty of loyalty may also create a duty of honesty to disclose to the beneficiary
how the fiduciary is handling the assets or property. Usually the duty of loyalty also requires that the fiduciary avoid creating conflicts of interest between the fiduciary
and beneficiary, and also includes a duty against self-dealing -- i.e., using the
beneficiary's assets to benefit the fiduciary because of the danger that the
assets will be used to the beneficiary's detriment. Things are more complicated
than this, and in fact, there are whole bodies of law that deal with fiduciary
relationships, but these are the basics.
Suppose that the asset in
question is information. By this I do not mean simply intellectual property
owned by the beneficiary, but also personal or sensitive information
about the beneficiary. In that case, the fiduciary is an information
fiduciary and the person is an information beneficiary.
Does the law
recognize information fiduciaries? Yes it does. The most obvious examples are in
the law of malpractice. Lawyers, doctors, and accountants have duties to use
confidential information about their clients to the client's advantage and not
to disclose information against the client's interest. To this extent, the
professional is an information fiduciary and the client is an information
beneficiary.
The idea of an information fiduciary matters when the
fiduciary discloses or uses sensitive information about the beneficiary to the
beneficiary's disadvantage without permission. First, in some cases, the
government may impose a duty of disclosure, but it generally
requires a very good reason to breach the confidence. Second, the fiduciary may
not disclose sensitive information to third parties or use the information
against the client's interest, and if this duty is breached, the client has a
cause of action in tort. Note, moreover, that this cause of action is not
barred by the First Amendment. A lawyer, doctor or accountant generally does not
have a First Amendment right to disclose sensitive information about their
clients or use that information in self-dealing even though a perfect stranger
with no professional relationship might have a First Amendment right to do so.
The fiduciary relationship creates a duty that, in this particular context,
trumps the interest in freedom of expression.
II. Online Service Providers as Information Fiduciaries
Now think about information
fiduciaries in the digital age. Many of the online services that people use
require them to trust companies with sensitive personal information. If the
companies are not information fiduciaries, but are simply arm's length
strangers, this trust may be abused. The companies have no duty not to
disclose sensitive personal information or use it in ways that might conflict with
the end user's interests unless the companies have agreed to assume these duties
by contract-- often in the Terms of Service or EULA. Moreover, companies may also reserve
for themselves the right to change the ToS or EULA-- including the privacy provisions--with notice to the customer.
But suppose that an online service
provider is an information fiduciary. Then the OSP has a duty not to use its end
users' personal information against the end users' interests, even without an
explicit contractual promise. That fiduciary duty might be recognized by the
common law, or it might be fleshed out by statute or administrative regulation,
as it often is in the case of the professions.
A fiduciary duty would limit
the rights the company would otherwise enjoy to collect, collate, use and sell personal information about the end user. In particular, there would be no
general First Amendment right to disclose sensitive data or use sensitive data
to the disadvantage of the end user. (To be sure, such a right might exist in
certain circumstances depending on how strong the fiduciary duty was and whether
the duty allows waiver or consent to disclose in certain circumstances.) The
online service provider would also have to consider whether its information
practices created a conflict of interest and act accordingly. Moreover, the
online service provider's duties of loyalty and care might require it to disclose
how it was using the customer's personal information.
Moreover, if
an online service provider were considered an information fiduciary, this should
change the end user's reasonable expectations of privacy. An end user should have a reasonable expectation of privacy that an information fiduciary will not hand over sensitive information to others. Courts might therefore modify
the third party doctrine of Smith v. Maryland accordingly. Requests for sensitive personal information from information fiduciaries -- but not from other types of third parties-- might constitute searches and require that the government obtain a warrant. In the alternative, Fourth Amendment doctrine could be modified so that the government could
not obtain sensitive personal information from an information fiduciary without sufficiently good reasons.
III. Who Should be Considered Digital Information Fiduciaries?
Of course, all of
this simply raises the central question. May the state-- or common law
courts--treat online service providers as information fiduciaries, as they do
for members of certain professions or other kinds of fiduciaries?
It's
important to understand that the First and Fourth Amendments, considered in the
abstract, cannot answer this question. Rather, the protections of the First and
Fourth Amendments come into play *after* we have made judgments about what kinds
of social roles in contemporary society are sufficiently analogous to more
traditional kinds of fiduciaries.
Governments should be able to consider
developing relationships of trust in sensitive personal information in the
digital age, and create new categories of fiduciary/beneficiary obligations that
are organized around the collection and storage of sensitive personal
information.
It is no answer to say that permissible restrictions on disclosure and self-dealing speech apply only to traditional professions like those of law and medicine, because they predate the ratification of the First Amendment in 1791. Although some professions and some kinds of fiduciary obligations predate the First Amendment, others arose much
later on. Rather, the question is a functional one, which reasons by analogy.
Should we treat certain online businesses, because of their importance to
people's lives, and the degree of trust and confidence that people inevitably
must place in these businesses, in the same way that we treat certain
professional and other fiduciary relationships?
In answering this question, we should consider the following:
First, there are many types of fiduciary duties. We do not have to treat Facebook or Google exactly the same as your pediatrician, psychotherapist, or accountant. The kinds of obligations that online service providers assume should be carefully calibrated to the kinds of services they actually provide, and the kinds of dependence they produce and encourage in their end users.
Given the nature of these businesses, and their dependence on trade secrecy, the restrictions on self-dealing and the duties of candor might be importantly different. Thus, the law of privacy for Facebook or Google need not be the same as the law of doctor-patient confidentiality.
Second, the question of whether an online service provider is an information fiduciary is not the same as the question whether it is an essential facility in antitrust law or a common carrier in telecommunications law. The question does not depend on the size of the entity, but rather on the kind of services it offers, the kind of trust it engenders, and the kind of dependence it creates. A large entity might be an information fiduciary, but not simply because it is large or because it has a sufficiently great market share; a small entity might also be an information fiduciary.
Third, there are many kinds of online service providers; a one-size-fits-all approach will not do. For example, there are many kinds of search engines. The mere fact that an online application has search functionality should not make it an online information fiduciary.
Fourth, because there are so many ways of structuring online services, including ways nobody has yet imagined, it may be difficult for legislatures and courts to draw lines. Therefore, as Jonathan Zittrain has suggested, it might be appropriate to offer online service providers an incentive to designate themselves as information fiduciaries in return for certain benefits that come with the designation. These might include, among other things, special tax incentives, or legal immunities.
Many years ago Ed Castronova suggested the idea that we might govern virtual worlds through what he called statutes of interration (a play on statutes of incorporation). I adapted this idea in my own work on virtual worlds. I have argued that even though virtual environments are privately owned, governments could create framework statutes that would require platform owners to respect the free speech and privacy of the end users in return for special legal status and benefits. We might be able to adapt this idea to today's online service providers to create new classes of digital information fiduciaries.
UPDATE: I've expanded on these ideas in an article entitled Information Fiduciaries and the First Amendment, available on SSRN.