Jack Balkin: jackbalkin at yahoo.com
Bruce Ackerman bruce.ackerman at yale.edu
Ian Ayres ian.ayres at yale.edu
Corey Brettschneider corey_brettschneider at brown.edu
Mary Dudziak mary.l.dudziak at emory.edu
Joey Fishkin joey.fishkin at gmail.com
Heather Gerken heather.gerken at yale.edu
Abbe Gluck abbe.gluck at yale.edu
Mark Graber mgraber at law.umaryland.edu
Stephen Griffin sgriffin at tulane.edu
Jonathan Hafetz jonathan.hafetz at shu.edu
Jeremy Kessler jkessler at law.columbia.edu
Andrew Koppelman akoppelman at law.northwestern.edu
Marty Lederman msl46 at law.georgetown.edu
Sanford Levinson slevinson at law.utexas.edu
David Luban david.luban at gmail.com
Gerard Magliocca gmaglioc at iupui.edu
Jason Mazzone mazzonej at illinois.edu
Linda McClain lmcclain at bu.edu
John Mikhail mikhail at law.georgetown.edu
Frank Pasquale pasquale.frank at gmail.com
Nate Persily npersily at gmail.com
Michael Stokes Paulsen michaelstokespaulsen at gmail.com
Deborah Pearlstein dpearlst at yu.edu
Rick Pildes rick.pildes at nyu.edu
David Pozen dpozen at law.columbia.edu
Richard Primus raprimus at umich.edu
K. Sabeel Rahmansabeel.rahman at brooklaw.edu
Alice Ristroph alice.ristroph at shu.edu
Neil Siegel siegel at law.duke.edu
David Super david.super at law.georgetown.edu
Brian Tamanaha btamanaha at wulaw.wustl.edu
Nelson Tebbe nelson.tebbe at brooklaw.edu
Mark Tushnet mtushnet at law.harvard.edu
Adam Winkler winkler at ucla.edu
Of course, Zuckerberg didn't actually use the words "information fiduciary." But he did say two things that are effectively equivalent to it.
First, he said:
We have a responsibility to protect your data, and if we can't then we don't deserve to serve you. I've been working to understand exactly what happened and how to make sure this doesn't happen again.
In other words, because Facebook holds so much data about people, and because its operations are not transparent, people are vulnerable to how Facebook uses their data. This means that people must trust Facebook not to abuse their confidence. Facebook's right to hold the data depends on its responsibilities not to use abuse that trust. This is, in essence, the assumption of a fiduciary duty-- the duty not to abuse the trust that vulnerable parties must place in another who performs services for them.
Examples in the pre-digital age are the duties of professionals like lawyers and doctors-- they hold sensitive personal information about their clients in order to perform services for those clients. Their clients must trust them in order so that professionals can perform these services, and hence professionals take on a duty of good faith, trustworthiness, and non-manipulation. In the same way, Facebook provides a service-- a social network-- that many people find especially valuable. In the course of providing that service, people provide enormous amounts of data about themselves, making them (and their friends and loved ones) ever more vulnerable to Facebook. By providing that service, Facebook takes on the responsibility not to take advantage of their vulnerability. It has a duty not to abuse their trust, and as Zuckerberg says, if the company abuses their trust, "we don't deserve to serve you."
Second, describing Cambridge Analytica's misrepresentations to Facebook and its misuse of personal data for commercial purposes, Zuckerberg said:
This was a breach of trust between Kogan, Cambridge Analytica and Facebook. But it was also a breach of trust between Facebook and the people who share their data with us and expect us to protect it. We need to fix that.
In other words, Zuckerberg argued that Facebook had a duty to protect its end-users from abuse, not merely from its own actions, but also from the actions of those with whom it shares data. My view is that Facebook's fiduciary obligations "run with the data," so that Facebook has a duty to make sure that whenever it allows another person or business to see, view, or employ Facebook's end-users' data, these persons and businesses must take on the same duties of trust and non-manipulation that Facebook itself must take on.
It is important to emphasize what I am not saying. I am not saying that Facebook has now agreed to whatever legal rules come with the concept of "information fiduciary." Those rules and obligations need to be worked out over time. (In particular, see this Atlantic article that I wrote with Jonathan Zittrain of Harvard Law School, which lays out a basic proposal.)
Nor I am saying that Facebook has essentially confessed judgment to a host of lawsuits based on breach of confidence or breach of fiduciary duty. I am quite sure that Facebook's lawyers would deny that Zuckerberg has done this.
What I am saying is that this is an important moment in the development of legal and ethical norms for the Algorithmic Society. The founder of one of the largest and most powerful companies in the digital age has said (1) we have a duty of trust toward our end users; (2) we breached that trust; and (3) we breached that trust by allowing a third party we deal with to manipulate and abuse our end-users' trust in us.
This is the acknowledgement of a new category of businesses for the digital age. I call it an information fiduciary.