Would You Be Tempted By This 'Grand Bargain' On Privacy?
from the behold-the-information-fiduciaries dept
Digital privacy and the control of personal data have emerged as two of the main online battlegrounds in recent years, as the flood of Techdirt posts on the subject attests. One of the central questions is how we can use global online services like Facebook and Google without surrendering control of the information we provide them. The US and the EU take contrasting approaches here, both of which have attracted plenty of supporters and detractors.
But what about alternatives: might there be another way to tackle this crucial subject that is effective and reasonably fair to all? Jack M. Balkin and Jonathan Zittrain, respectively professors at the law schools of Yale and Harvard, believe there is. Together, they've written an article that appears in The Atlantic, entitled "A Grand Bargain to Make Tech Companies Trustworthy," while Balkin has published a more rigorous 52-page version for UC Davis Law Review (pdf). Their starting point is the fact that many of the problems encountered with digital privacy have already been solved in the analog world:
Doctors, lawyers, and accountants ... have to keep our secrets and they can't use the information they collect about us against our interests. Because doctors, lawyers, and accountants know so much about us, and because we have to depend on them, the law requires them to act in good faith -- on pain of loss of their license to practice, and a lawsuit by their clients. The law even protects them to various degrees from being compelled to release the private information they have learned.
These are examples of "fiduciaries", "a person or business with an obligation to act in a trustworthy manner in the interest of another." The idea of Balkin and Zittrain is to create a new class of "information fiduciaries" who are similarly permitted to work with our personal data, on the condition that they do not use it against our interests. For example:
Google Maps shouldn't recommend a drive past an IHOP as the "best route" on your way to a meeting from an airport simply because IHOP gave it $20. And if Mark Zuckerberg supports the Democrat in a particular election, Facebook shouldn't be able to use its data analysis to remind its Democratic users that it's election day -- while neglecting to remind, or actively discouraging, people it thinks will vote for Republicans.
That sounds an interesting approach, but the tricky part, of course, is drawing up what exactly the responsibilities of these new information fiduciaries should be -- and what they should get in return. Balkin and Zittrain propose something they dub a "grand bargain". Here's what the online services gathering our data would promise:
They would agree to a set of fair information practices, including security and privacy guarantees, and disclosure of breaches. They would promise not to leverage personal data to unfairly discriminate against or abuse the trust of end users. And they would not sell or distribute consumer information except to those who agreed to similar rules. In return, the federal government would preempt a wide range of state and local laws.
And here's something else that those signing up to this code would get by way of recompense:
Congress could respond with a "Digital Millennium Privacy Act" that offers a parallel trade-off to that of the DMCA: accept the federal government's rules of fair dealing and gain a safe harbor from uncertain legal liability, or stand pat with the status quo.
In other words, alongside the DMCA, a new DMPA. So what do Techdirt readers think: is that a bargain you'd accept?
Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: fiduciary responsibility, grand bargain, privacy, safe harbors
Reader Comments
Subscribe: RSS
View by: Time | Thread
https://www.scientificamerican.com/article/how-data-brokers-make-money-off-your-medical-records/
h ttp://www.networkworld.com/article/2858297/microsoft-subnet/38-govt-agencies-to-collect-share-and-us e-americans-electronic-health-records.amp.html
How can I trust any grand bargain for privacy when trust has been so flippantly broken in increasingly horrifying ways every month?
The degree of trust needed for a grand bargain is well beyond anything either the private or public sector can provide.
Fuck you both you creepy, voyeuristic, thieving authoritarian assholes.
[ link to this | view in chronology ]
Re:
the banksters, the kongreeskritters, the feebs, alphabet spooks, etc, ALL under fiduciary relationships with us (and the constitution), and yet ALL failing miserably... what are the consequences, where are the 'fiduciary police' to enforce the strictures, why -when those major fiduciary institutions have failed us- will some new, magical ones work flawlessly ? ? ?
secondly, what does ANY of this so-called privacy mean if a gummint goon simply flashes an NSL or even just a badge with motherfuckin' eagles on it, bitchez ? ? ?
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Really?
fiduciary. 1) n. from the Latin fiducia, meaning "trust," a person (or a business like a bank or stock brokerage) who has the power and obligation to act for another (often called the beneficiary) under circumstances which require total trust, good faith and honesty.
[ link to this | view in chronology ]
They would promise not to ... blah blah blah ...
Doctors, lawyers, and accountants have to keep our secrets because they bound by law, not "promises". Promises aren't worth the disappearing ink they're so often written in.
[ link to this | view in chronology ]
But Will They Pinky Swear?
All participants could leak with impunity so long as they checked all of the boxes.
[ link to this | view in chronology ]
There is no grand bargain
It's indeed the prelude of something very unpleasant coming in the future.
The only bargain is when I can use the internet and have the right to my own privacy. Once that right is missing then you're actually altering thr whole ecosystem. Also I should have alternatives to the mainly US based platforms. This type of monopoly is creating dysfunctions and affecting the lives of millions of people who don't want to be part of the game. Any other bargain is at a loss.
[ link to this | view in chronology ]
You get what you pay for
The data they collect is entirely separate from the services they provide to us.
Unless this is proposing we pay Facebook/Google for the services they provide it doesn't fit the current reality
[ link to this | view in chronology ]
Lest the elephant be forgotten...
Unless that 'bargain' included legally binding wording[1] such that the government could no longer use their favorite trick, 'Third Party Doctrine' to grab anything and everything they wanted, the biggest, if perhaps not the most immediate threat(in the sense that while they are the biggest threat, most times they're not likely to drain your bank account just for kicks like less sophisticated criminals would) to public privacy would still be free to continue on as usual, making for a poor deal to put it mildly.
As for the deal itself, I'm thinking no. If a doctor or lawyer violates patient/client confidentiality they get sued, possibly losing their license, making for a hefty incentive to protect the privacy of those that come to them.
In the summary at least I'm not seeing that, all I see is a promise to be responsible in exchange for special treatment and exception from various laws, which would seem to be awesome for the companies, but not likely very good for the public.
If I trusted the companies to honor both the letter and the spirit of the law put together for something like this, rather than exploiting it immediately...
If I trusted that the law would be written well and not leave open glaring loopholes and/or otherwise be trivial to abuse(the comparison to the DMCA does not exactly inspire confidence)...
If I trusted that the government would punish both appropriately and consistently companies that were found to violate the law...
If all of the above were true I might consider it an acceptable trade-off, but since I don't believe any of the above would be true I'd say it's a nice idea in theory, but not happening in practice.
[1]Not that I think for a second that this would actually stop them, because let's face it pretty much the entire government considers laws to be optional at best at this point, but it would at least nice to have it on the books to cause at least a micro-second of hesitation on the government's behalf before they screw over the public again.
[ link to this | view in chronology ]
Re: Lest the elephant be forgotten...
what game ? ? ?
what rules ? ? ?
what refs ? ? ?
i don't know anymore...
[ link to this | view in chronology ]
Dubious solution to the wrong problems
This strikes me as a solution in search of a problem.
Google Maps shouldn't recommend a drive past an IHOP as the "best route" on your way to a meeting from an airport simply because IHOP gave it $20.
People will switch from Google to another map provider if it starts making recommendations that are not best for its users.
Outside of government snooping and tinfoil hat scenarios, what privacy (as opposed to security) breaches of practical concern would be addressed by this “grand bargain”?
Do I really care if a few advertisers learn more about me? I’ll ignore them (or ad-block them) just the same either way.
The entities that really might use my information against me probably wouldn’t be bound by the “grand bargain” anyway. Even if they were, the notion of “against our interests” is far too vague. Fiduciaries under current law have rights and responsibilities derived from a long history of tradition and litigation. To what custom would we refer to determine the standards these new “information fiduciaries” are expected to meet?
I would say, for example, that employers should not be able to use information from web or social media searches in hiring or promotion decisions except under limited circumstances and with the applicant’s voluntary, unprompted consent. (That is, if you think your Facebook record is a plus, you can offer it for consideration; but they can’t look it up if you don’t offer, and not offering can’t be used against you.) The logic of this is that freedom of expression is a fundamental right, and shouldn’t be constrained by fears that a future employer might judge you for expressions that occurred outside the workplace.
I don’t see how the “grand bargain” would do anything about that or similar problems. These would have to be addressed by specific laws covering specific situations in which potential users of information must respect our privacy.
Restraints on government snooping don’t belong in a “grand bargain” with information repositories; they should apply to the government, always, regardless of the information source.
As for security... Best practices in security evolve constantly. If it’s not already this way, a law that specifies or clarifies that in lawsuits, information retainers should generally be assumed to have exercised reasonable and prudent care if their systems are current with accepted best practices in security, and to have failed to exercise reasonable and prudent care if they are not, would seem to be all that’s needed to put liability in the correct place.
The other major security fix, of course, would be to once and for all figure out how to make end-to-end encryption for all one-to-one (or one to any explicitly enumerated list) communication simple, convenient and automatic for everyone, even people who don’t understand what it is or why they might need it. If I send email to my friend, only she should be able to read it, even though she has no idea what encryption is—she just thinks her email account has a password, like it always did. If I send a private message on Facebook, only the recipient should be able to read it—Facebook should have no way of knowing what it said. When Bobby sends Sally a dick pic... you get the idea. The challenge is how to retrofit this so it “just works” without people having to change the way they use familiar services.
[ link to this | view in chronology ]
Re: Dubious solution to the wrong problems
[ link to this | view in chronology ]
Re: Dubious solution to the wrong problems
ok, i'll bite; not if it's s subtle they don't know it...
[ link to this | view in chronology ]
Re: Re: Dubious solution to the wrong problems
If it’s that subtle, then it’s not a very big problem.
The big problems (in my opinion) are when information is taken from one context and used in an entirely different one. When your old Facebook posts get scrutinized by an employer. When email you sent to your girlfriend winds up in the hands of your vice principal. When the government is pasting together the history of calls to and from your cellphone and drawing conclusions.
If Google manipulates search results, I can compensate, or stop using them. If Facebook starts promoting some posts and burying others based on a political agenda, I can compensate, or stop using them. If I want to be confident they’re not subtly skewing my perception of reality... I have to do the same thing I have to do anyway, use multiple sources of information and think for myself. Every source of information subtly skews your perception of reality, whether or not they’re explicity paid to do so.
[ link to this | view in chronology ]
Re: Dubious solution to the wrong problems
[ link to this | view in chronology ]
This is a step in the right direction
The current problem with the Information Technology companies is that they are only concerned with the data economy and how to maximize their earnings from it. If there were such a thing as data fiduciaries and they were legally enforced I see three possible things that the IT companies will do:
1) They will leave the country and go base their headquarters in a place with more lax restrictions on using data
2) They will adapt their business model so that they can still play in the data economy from a different angle or in some similar economy where their users are only a resource
3) They will try to build a more durable and long term designed network system like Automatic already has been trying to do with wordpress.
[ link to this | view in chronology ]
Oh, hell no.
We find ourselves where we are because people violate this stuff CONSTANTLY and nothing bad ever happens to them. I give you as Exhibit A: telemarketing robocalls. We get a dozen a day. Every day. Despite being on the no-call list, despite using a call-blocker, despite it being illegal. This "grand bargain" won't be any different: it will be violated before the ink is dry because those doing so know that they'll never be held accountable.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
A good start
It would have to apply to anyone who "computes" on your behalf. Credit card processors would be obligated to stake reasonable measures to protect your data. Retailers would have to take reasonable measures to protect your buying habits. GPS navigators would have to be transparent about how advertisers affect routing algorithms, and protect your location history.
(Objections raised above regarding governmental exceptions/intrusions are valid and interesting.)
[ link to this | view in chronology ]
Re: A good start
I later dumped my cell phones, and use my cards only at the ATM, and pay cash everywhere else. Retailers are not going to accept any 'Grand Bargain' easily. Of course this leave me liable to asset forfeiture when some cop decides I have too much money in my pocket to proceed down the street. Another travesty.
So far as the government is concerned, they should have a fully compliant (so far as the 4rth Amendment is concerned, and judges who actually recognize the full implications of the 4rth Amendment, as it was written) with specificity to track anyone, anywhere, worldwide. I know this is not likely to happen any time soon, but one could hope that integrity still exists in this world. I am not going to engage in holding my breath.
[ link to this | view in chronology ]
Re: Re: A good start
[ link to this | view in chronology ]
Even more, I don't know what consumers really get out of this. What happens if, for example, Facebook agrees to this and then doesn't comply? Do I get anything? Am I part of some class action where eight years from now they send me a check for $2.38?
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
You're Proposing a State Run Advertisnig Agency.
Prefacing this discussion a little bit so if you are confused by that statement.
In the 1950's, you had basically 2 generations of people alive at that time; you had a younger demographic who had just been through a great depression and a world war, and you had an older demographic who knew what the world was like before the war and depression and wanted to return to it. You had tremendous, systemic distrust of government and business. The USSR comes along, discovers the science of psychological warfare the Germans were using, and begins using that in the US in the form of its ideological subjugation program (among others). The program flames the fire of anti-federal government sediment, and arguably created the Hippie and Free love movement, as well as 2nd and 3rd wave feminism; Vietnam and Korea ensue, and right around the 70's we get this international cabal of bankers in power (G20, IMF, there are others) who begin to bring in a "new world order".
For the United states this means a long-term, multi-generational program of consolidating industries and manipulating the public. Our existing domestic spying and espionage programs were really targeted towards countering the offensive psychological warfare of the USSR, and when the USSR balkanized in the early 90's, the Spooks, Gooks and TLA's we have today diversified into the commercial market. Search you-tube for "Psyop Antehm", it's an actual ad company.
For example, what we call the "mainstream media" in the US really should be called the "state run media", because it is; read Ben Barbadian's media monopoly some time for a good run down of how it go there and what it is. Go read the BLS OES job data; there are something like 4 times the public relations positions in the united states than there are journalists. The state run media is in the business of selling narratives and infotainment, and they have consolidated from dozens of companies down to 4 today.
We've had financial warfare being exacted upon the public for several generations now. First through regulation (NAFTA, CAFTA, et-cetera), flooding the markets with foreign products and services, and 2nd wave feminism (Elizabeth Warren's talks on family incomes; women entered the work force but family income didn't rise, instead we got a healthcare oligopoly and banks got rich off of real-estate).
Due to all of that, advertising has had to adapt, and what it is slowly adapting to do is to locate and target individuals, groups, or "psychographics", select the most appropriate pre-compiled psychological warfare package (some combination of applications of psychovisuals such as the screen changing every few seconds or flashing at the rate of a heart beat, or flashing a single frame of text, or scrolling text at the bottom, and psychoacoustics such as metered speech or introducing "trigger" sounds at the rate of a heart-beat) in order to bilk the most money out of the group. Some exploits try to install back-doors for later (set the consumers expectations or blackmail them into maintaining their sense of status as two examples). Obviously, we have an incredible education system that pumps lots of young people into the firing line of this; Problem with a lot of this stuff is you just don't notice it's going on because it's deeply embedded into the culture at this point and that's part of the game. Get an entire generation on social media and get their kids on social media too, instead of conversations happening at dinner, they happen over some social media App and 15 agencies are investing billions of dollars in figuring out how to exploit that relationship. It's the same exploit methodology as a certain large fast food chain. Get the little tyke to shove cheap carbs laced with psychoactive ingredients in their mouths (MSG, Aspartame, there are others that arguably alter mood as well like caffeine does for some), give them a prize, call it something esoteric and slightly creepy like a "Happy Meal", do a massive PR Campaign to frame this as trustworthy, and see how many millions of people you can get into the unquestioning habitation of associating an artificially triggered Dopamine Dump with patronizing their restaurant. You laugh at the ridiculousness, but there are very obese people who have fallen victim, and I'm sure before they became obese they would've liked to know that.
Obviously, we're a far cry from Blipverts with advertising and there's enough lash-back against them and this federalized infrastructure we're facing (Big healthcare, big government, big telecom, big everything) that the machine is basically grinding to a halt at this point. I like to say Psychological warfare is what the rich used on the poor to maintain control, but much like the social skills of the well-to-do (they do things like tell you "we'll talk later" and never do), once the public gets smart to them, it's like a cow to slaughter. What comes after that is in my opinion, a glorious and much better world and society than we have today.
But I Digress.
[ link to this | view in chronology ]
"Grand Bargain" requires trust
Trust in this area was long ago pissed away.
Any security protocol that relies on trust is inherently untrustworthy.
[ link to this | view in chronology ]
Sure, Why Not?!
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Unfortunately, the bargain is provably broken
I put it on Facebook. I posted on Techdirt. It's public, full stop. 40 "friends", thousands of techdirt readers, and every web crawler ever invented can machine read it.
It's been said that three people can keep a secret if two of them are dead! I can't trust my computer to be a fiduciary, I can't trust *all* of my friends and techdirt readers (some of them aren't gentle, unfortuneately!), much less larger entities, and I don't have a good way to compare notes to find the breaches.
When I find a problem, justice is basically unavailable because of the asymmetry...Techdirt just covered Baltimore Live!
[ link to this | view in chronology ]
---
...and this is different from existing conditions, how?
I see "promise" and "unfairly" and "abuse" and "trust" and "except". That translates to, "we have your data and we'll sell it to anyone who'll pay, and there's nothing you can do about it you schmuck, ha ha ha."
They're attempting to slide the Overton Window over to their side by a fake "compromise."
[ link to this | view in chronology ]
John Gilmore, 25 years ago
“I want a guarantee -- with physics and mathematics, not with laws -- that we can give ourselves things like real privacy of personal communications.” — John Gilmore, March 28, 1991
From the same talk:
We also need real control of identification. We need the option to be anonymous while exercising all of these other rights. So that even with our photos, our fingerprints and our DNA profile, they can't link our communication and trade and financial activities to our individual person.
Now I'm not talking about lack of accountability here, at all. We must be accountable to the people we communicate with. We must be accountable to the people we trade with. And the technology must be built to enforce that. But we must not be accountable to THE PUBLIC for who we talk to, or who we buy and sell from.
Gilmore had the right idea, 25 years ago. The keys to privacy are strong encryption and accountable anonymity. We have the encryption, but it’s still not automatic, so that even non-geeks and people who don’t realize they need it (until it’s too late) would be using it. Aside from Bitcoin, I don’t see much progress at all on accountable anonymity.
[ link to this | view in chronology ]
Re: John Gilmore, 25 years ago
The next link in progress is to be able to own a computer I can actually trust, in the sense that I know it isn't sending all my data off to your favorite trust-abusing entity.
[ link to this | view in chronology ]
ASSUME?
[ link to this | view in chronology ]
Ummm...Private companies?
[ link to this | view in chronology ]