Wednesday, March 21, 2018

Mark Zuckerberg Announces that Facebook is an Information Fiduciary


Today in response to the Cambridge Analytica scandal, Facebook founder Mark Zuckerberg announced what I have long contended-- that Facebook is an information fiduciary. Indeed, along with Google, it is one of the most important information fiduciaries in our present age.

Of course, Zuckerberg didn't actually use the words "information fiduciary." But he did say two things that are effectively equivalent to it.

First, he said:

We have a responsibility to protect your data, and if we can't then we don't deserve to serve you. I've been working to understand exactly what happened and how to make sure this doesn't happen again.

In other words, because Facebook holds so much data about people, and because its operations are not transparent, people are vulnerable to how Facebook uses their data.  This means that people must trust Facebook not to abuse their confidence. Facebook's right to hold the data depends on its responsibilities not to use abuse that trust.  This is, in essence, the assumption of a fiduciary duty-- the duty not to abuse the trust that vulnerable parties must place in another who performs services for them.

Examples in the pre-digital age are the duties of professionals like lawyers and doctors-- they hold sensitive personal information about their clients in order to perform services for those clients. Their clients must trust them in order so that professionals can perform these services, and hence professionals take on a duty of good faith, trustworthiness, and non-manipulation. In the same way, Facebook provides a service-- a social network-- that many people find especially valuable.  In the course of providing that service, people provide enormous amounts of data about themselves, making them (and their friends and loved ones) ever more vulnerable to Facebook.  By providing that service, Facebook takes on the responsibility not to take advantage of their vulnerability. It has a duty not to abuse their trust, and as Zuckerberg says, if the company abuses their trust, "we don't deserve to serve you."

Note that Zuckerberg does not ground this duty on the specific terms of Facebook's privacy policy-- a complicated contract that few people have actually read. If the duty of trustworthiness were based wholly on the terms of the contract, then if Facebook changed the privacy policy, the duty to protect its end-users would magically vanish.

Rather, Zuckerberg argues out that from 2007 onward, Facebook has changed its policies in order better to protect its end-users from abuse and manipulation. Whether this is in fact a correct account of Facebook's policies I leave to one side. The important point is that he is representing to the world at large that Facebook's aim is more than simply living up to whatever its vaguely worded privacy policy (i.e., its contract with end-users) happens to say. Rather, he argues that Facebook has a duty of trustworthiness and good faith that transcends the specific words of the privacy policy. This is a the duty of an information fiduciary.

Second, describing Cambridge Analytica's misrepresentations to Facebook and its misuse of personal data for commercial purposes, Zuckerberg said:

This was a breach of trust between Kogan, Cambridge Analytica and Facebook. But it was also a breach of trust between Facebook and the people who share their data with us and expect us to protect it. We need to fix that.

In other words, Zuckerberg argued that Facebook had a duty to protect its end-users from abuse, not merely from its own actions, but also from the actions of those with whom it shares data. My view is that Facebook's fiduciary obligations "run with the data," so that Facebook has a duty to make sure that whenever it allows another person or business to see, view, or employ Facebook's end-users' data, these persons and businesses must take on the same duties of trust and non-manipulation that Facebook itself must take on.

It is important to emphasize what I am not saying. I am not saying that Facebook has now agreed to whatever legal rules come with the concept of "information fiduciary." Those rules and obligations need to be worked out over time. (In particular, see this Atlantic article that I wrote with Jonathan Zittrain of Harvard Law School, which lays out a basic proposal.)

Nor I am saying that Facebook has essentially confessed judgment to a host of lawsuits based on breach of confidence or breach of fiduciary duty. I am quite sure that Facebook's lawyers would deny that Zuckerberg has done this.

What I am saying is that this is an important moment in the development of legal and ethical norms for the Algorithmic Society. The founder of one of the largest and most powerful companies in the digital age has said (1) we have a duty of trust toward our end users; (2) we breached that trust; and (3) we breached that trust by allowing a third party we deal with to manipulate and abuse our end-users' trust in us.

This is the acknowledgement of a new category of businesses for the digital age. I call it an information fiduciary.

Older Posts
Newer Posts