After two days of convincing testimony before Congress, there has never been more interest in regulating Facebook. In question after question this week, lawmakers seemed to consider that new rules were needed to rein in Facebook, with proposals such as the Markey-Blumenthal CONSENT Act (which would require consent to share data), taking into account the central scenario. At the same time, it seems that Congress will not act soon; Most of the bills come from the Democratic minority, and both houses are already stalling.
In both hearings, Zuckerberg insisted that he was not opposed to the new legal restrictions on the platform, although he refused when asked to support specific measures. But there was a time when he showed more interest than usual: when Representative Brian Schatz (D-HI) mentioned the concept of information librarian Yale Law professor Jack Balkin, Zuckerberg seemed to be encouraged.
"I think it's certainly an interesting idea," said Zuckerberg, "and Jack is very considerate in this space, so I think he deserves consideration."
"It's definitely an interesting idea."
Balkin's idea is simple: we are trusting services like Facebook with our data, and that trust must come with concrete legal responsibilities. For this to happen, Balkin proposes designating cloud service providers as "fiduciaries of information," linking them to a code of conduct for the entire industry, modeled after similar designations in law, medicine and finance. In the abstract, the rule would require that Facebook and other companies do not act against the user's interest, letting the courts decide the penalties when they do so. Fundamentally, the Balkin fiduciary rule could be implemented by any number of agencies, including state legislatures, allowing privacy advocates to completely bypass Congress.
Balkin says it's a very necessary course correction for the industry. "I do not want these companies to crash and burn," Balkin told The Verge. "For me, the most important balance that must be achieved is to ensure that it can provide viable social networks, without allowing particular business practices that are manipulative."
Creating a "fiduciary information" designation could also be more effective than the other options currently facing Congress. Both the Markey-Blumenthal bill and the EU GDPR focus on the importance of user consent and ensure that it is as clear and informed as possible. In practical terms, that means telling users what data is being collected and then having them click on a box that says "I accept." Balkin says the approach is too easy for platforms to play. "It is very easy to obtain the consent of the end users," says Balkin. "They will simply click and leave." So consent-based reforms often look very good on paper, but they have no practical effect. "Even if we add mandatory complements for data collection (such as in the Markey Bill) or clearer descriptions of how it use the data (as mandated by the GDPR), there is a good chance that users simply click on the warnings without reading them.
"It is very easy to obtain the consent of the end users, they will simply click and leave."
Balkin's fiduciary approach would attack the problem from a different angle. Instead of having users understand the data they share, it establishes in advance that the services are in a privileged position and bear the blame if things go wrong. In a way, this is how Facebook talks about its relationship with users. Again and again this week, Zuckerberg talked about gaining user confidence, and how the platform only works when users trust Facebook with their data. Balkin's fiduciary government would place that trust in legal terms: stating that Facebook users have no choice but to share data with Facebook and, as a result, demand that the company be careful with that data and not use it against the interests of the user. If Facebook did not fulfill its duties, it could be taken to court, although the nature of the procedure and possible sanctions will depend on how the rule is written.
That may sound unusual, but it's a surprisingly common concept in law. Physicians already have a fiduciary duty to their patients, forcing physicians to recommend treatment based solely on genuine medical needs. Lawyers have a similar fiduciary duty with their clients, which prevents them from cheating a client for their own benefit. In each case, the purpose of the designation is to recognize an imbalance of power. Doctors know a lot about medicine that patients can not expect to maintain; The only option is to trust your doctor and apply additional penalties for anyone who violates that trust. According to Balkin, we are at the same disadvantage when we deliver data to Facebook and other technology companies.
"It's the kind of scandal that awakens people."
Facebook has no fiduciary duty for its users at this time, but there are several ways to establish one. Congress could pass a federal law that establishes fiduciary responsibilities for Facebook, or a federal agency such as the Department of Labor could use the existing authorities to make the designation. In a recent example, the Department of Labor appointed investment advisors as fiduciaries, a regulation that President Trump later revoked.
That might seem like a remote possibility with disorganized Congress and Trump more interested in pushing regulations back than in adding new ones, but it could also happen at the state level. Privacy-focused states like New York and California could pass their own laws, which could be equally binding without conflicting with federal law. Like any regulation, the new rule would likely face a serious legal challenge, most likely for reasons of federal priority or first amendment, but Balkin has written extensively on how to deal with those challenges.
A fiduciary rule would not solve all problems with Facebook. It would not address concerns about the power of monopoly. Nor would it address the deeper concerns about how Facebook deforms society in general, subverts democracy or radicalizes groups through the effects of filter bubbles. Those are really difficult issues, and there are few clear ideas on how to address them in the law, even if Congress so wishes. Even if Balkin's rule is met, there will still be a lot of work to be done. But for the specific question of how technology companies handle our data, the idea of an "information fiduciary" could be the easiest way to add a legal weight to floating ideas about trust and privacy on platforms. As more and more personal information finds its way into the public sphere, the Balkin model is one of the few ideas we have to protect ourselves.
"There is a sense in which this Cambridge Analytica scandal is just the tip of the iceberg," says Balkin. "But it's the kind of scandal that awakens people." That's why Mark Zuckerberg will spend a couple of days testifying on Capitol Hill. If there had not been a scandal, no one would have paid attention to the problem. "