Progress on Privacy

The third privacy protection comes through fiduciaries. This is both an old and a new idea. In their book Net Worth: Shaping Markets When Customers Make the Rules (Harvard Business Review Press, 1999), John Hagel and Marc Singer coined the term infomediary, for "a trusted third party" or "a kind of agent" that will "become the custodians and brokers of customer information". In "A Grand Bargain to Make Tech Companies Trustworthy" (The Atlantic, October 3, 2016), law professors Jack Balkin of Yale and Jonathan Zittrain of Harvard advance the concept of an information fiduciary: "a person or business that deals not in money but in information". Like doctors, lawyers and accountants, fiduciaries "have to keep our secrets and they can't use the information they collect about us against our interests". This gives companies like Facebook and Google a job they didn't know they took on when they began to gather mountains of personal information about us. "The important question is whether these businesses, like older fiduciaries, have legal obligations to be trustworthy. The answer is that they should."

This is a legal and rhetorical hack of the first water. Brilliant.

It also nicely frames up advances in regulation, which is the fourth form of privacy protection. In Australia and the European Union, personal data protection is already baked into laws imposing strong privacy protection obligations on those collecting personal data about us. Of special interest is the General Data Protection Regulation, aka the GDPR, in the EU. Search on Google for this, and you'll have to look down past a pile of advertising toward "compliance" offices at big companies before you get to the link I just used (to the GDPR's Wikipedia article). That's because the sanctions imposed on violators include "a fine up to 20,000,000 EUR, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher" (Article 83, Paragraphs 5 & 6). That doesn't hit until 2018, but it's a big ouch in the meantime. But, with the looming threat of GDPR enforcement, new terms coming from the individual (another great hack) can offer genuine relief, even if lawmakers didn't see them coming. (Note that I avoid the term "user". That's because "user" positions the individual as the subordinate party, always "using" something provided by others. When the individual is the first party, sites and services such as those addressed by the GDPR are the actual users of personal data, and of terms to which they agree before using that data.)

On page 121 of Free Culture (Penguin Press, 2004), Lawrence Lessig introduced a diagram that has since attained the status of canon (Figure 5).

Figure 5. Lawrence Lessig's Diagram of the Individual as the Target of Regulation

Below it he explains, "At the center of this picture is a regulated dot: the individual or group that is the target of regulation, or the holder of a right....The ovals represent four ways in which the individual or group might be regulated—either constrained or, alternatively, enabled."

We're talking about enablement here, and the assertion of rights. So think of those arrows pointing outward from the individual, influencing all four of those domains.

So how do these four approaches to privacy protection match up with those domains? Encryption is pure architecture. Balkin and Zittrain's fiduciary hack is on norms and law. New privacy rules such as the GDPR are already law. And terms proffered by individuals, in a freedom-of-contract way, are laws of their own, supported by architecture in the form of code, and influencing both norms and the market as well.

The result will be privacy that's as casual and uncontroversial online as it is in the offline world. But first we have to finish scaling up terms and the code and protocols required to make them work. Those four domains aren't going to fix themselves.


Doc Searls is the Editor in Chief of Linux Journal