This post builds, in part, on the ideas I got during 1st Istanbul Privacy Symposium: Data Protection and Innovations, especially conversations with R.E. Leenes. Everything that is wrong here is obviously my fault; but want to acknoweldge that many point here were inspired by others. 

In his excellent Fixing Social Media’s Grand Bargain Jack Balkin demonstrates how the “nature” of digital capitalism creates perverse incentives for social media companies to surveil, addict and manipulate their users. He then surveys a range of regulatory options, ranging from treating social media as public actors in some ways, to antitrust and pro-competition law, to finally reiterate his intriguing idea to treat social media companies as “information fiduciaries”.

In this brief post, I would like to build upon Balkin’s idea, and offer an additional perspective on both the problem and the possible solutions. I want to argue that the role for law is not only to mitigate the results of the “nature” of digital capitalism, but to disrupt the very incentives that led to the Grand Bargain. I first look at the conditions that led the current model, and put to question the assumption that this model is necessary. I also question the assumption that the surveillance and manipulation problem can be fixed within this paradigm. Then, I take look at the “information fiduciaries” proposal, and iterate my reservations towards it, also re-characterizing the ways in which GDPR is constructed. It’s an imperfect instrument, but in my opinion, for different reasons than Balkin puts forward. Finally, I throw in a couple of alternative ideas – coming from consumer law mindset – which are one way to go about changing the very incentives that led to the Grand Bargain.

Where are we?

Obviously, there is not one problem with the ways social media companies currently operate, and so there will be not one solution to all of them. Hence, at some point we could do with a map of what exactly are the challenges, what precisely are the regulatory goals, and what regulatory means have  a chance of bringing these goals about. However, it seems to me that an analysis of the causes and possible cures for the “grand bargain” makes for a good start.

The “grand bargain”, according to Balkin, is: online companies (social media, search engines etc.) offer their marvelous products to users without asking for money, but in exchange collect, analyze and act upon user’s personal data. These companies make money out of advertising. The more time users spend using their products, the more ads they will see. The more data companies have about users, the more effective targeted ad campaigns will be. Hence, the incentive to surveil, addict and manipulate.

This bargain is the “nature” of digital capitalism, Balkin tells us. I could not agree more, if by “nature” we mean an explanation of how things are right now. However, I would question the assumption – especially if we are to talk about political economy – that the things must be this way. Two questions are worth addressing: how did we get where we are; and how can we get out?

How did we get here?

Jaron Lanier interestingly argues that the mistake has been made at the very begging of the Internet’s public existence. We allowed two, possibly contradictory, ideas to flourish at the same time. On the one hand, a radical idea that stuff online should be free. That one should not pay for using browsers, visiting websites, sending emails etc. On the other, the liberal idea that innovation is good and tech entrepreneurship should be incentivized. Given the strong commitment to both, advertising was the only solution. And when online companies realized that the by-product data can be useful, and machine learning algorithms can squeeze a lot of knowledge out of it, the arms race in micro-targeted, behavioral advertising started. Two observations here.

First, it is by no means obvious or proven that targeted advertising leads to “more efficient advertising campaigns, which allow greater revenues”. One obviously assumes that – why else would companies, rational economic actors, spend money on it? But more and more research seems to show that these increased revenues are minimal (if existent at all), and companies’ behavior is a herd phenomenon, based on a hype.

Second, we should seriously ponder the question whether an internet and a public sphere in which stuff is free and on the same time users retain privacy and autonomy is possible. Whether it makes sense to strive for a world where one does not pay with money for using email, social media, browsers and search engines; and in which one retains full (or high) privacy and autonomy. The answer, obviously, will not be binary. But we should spend time thinking whether the trade off between free usage of convenient innovative products, and personal privacy and autonomy, is not inevitable.

“Information fiduciaries” cure symptoms, not the cause

Balkin’s “information fiduciaries” idea has two huge advantages and three problems. It’s a good idea, because it’s 1) simple and 2) possible to realize by courts. It seems to me problematic when one thinks about its 1) operationalization in design process; 2) oversight and enforcement; and 3) the fact that it does not change the perverse incentives, but merely puts legal constraints on how to act upon them.

EU’s adventure with enacting the GDPR seems to make two things clear in the American context. It might be impossible to push any complex data processing regulation through the over-lobbied Congress. And even if it was possible, the result will be so complex and watered-down that it won’t do us any good. That is where employing the concept of a “fiduciary” by the common law courts seems very tempting.

Speaking of GDPR, Balkin is clearly skeptical of this “neoliberal” regulation. As imperfect as GDPR might be, I disagree strongly with his characterization that “GDPR relies heavily on securing end-user consent (…) [and] is still based on a contractual model of privacy protection”. This is an American idea, and with regard to the GDPR, is simply not true. GDPR is an administrative regulation per excellence. It clearly specifies duties of data controllers, including a need to demonstrate a legal basis of processing, a consent being only one of them. In other words, what companies write in their terms of service and privacy polices does not affect their obligations, and does not change what there are or are not allowed to do with personal data. The “individual rights and transparency” part of the Regulation belongs to the oversight and enforcement side, which relies on the mix of public and private engagement. Realizing that public supervisory authorities will never have enough power to combat huge tech by themselves, GDPR equips individuals with information and access rights, which allows for “class action” by NGOs, increasing the chance of spotting infringements. This is not perfect, but it’s not imperfect for the reasons Balkin invokes. And this helps one see where “information fiduciaries” come short of being the cure.

First, this sounds like a great idea, but even with a good-will company, at some point engineers need guidance on how to implement it. Does showing me ads of sleeping pills at 3 a.m.  go against the duties of care, confidentiality and loyalty? Sure, I guess. Do those duties impose an obligation to pull-off addicting games from my platform? That’s where stuff gets tricky. GDPR’s problem is that it’s long and complex. But the problems caused by social media in 2018 are very complex as well.

Second, if we imagine that social media companies do become information fiduciaries, and even if we assume that their duties are specified sufficiently well, the question is: what do we do if they violate their duties? The big difference between doctors, lawyers and nurses sharing my secret, and social media building up a system that manipulates me and addicts me, is that in the second case I might simply not know. Fiduciary model works perfect, if we assume that people will realize when these duties are infringed. But that is a bold assumption.

Finally, Balkin’s proposal does not really change the incentives to make money out of advertising; it just puts constraints on the ways in which social media companies would be legally allowed to do so. It does not disrupt the grand bargain, it civilizes it. And that is where my biggest skepticism lies. Because, as I wrote above, it just might be impossible to sustain innovation and free access to products without some sort of abuse of power stemming from access to data and control over products.

To “Fix” Social Media, Change their Incentives

Here we get back to the question if the “nature” of the digital capitalism is fixed. And, as Larry Lessig made us see already 20 years ago, the answer is no. Instead of taking it as given and thinking of how to civilize it, let us think how to disrupt the very system that gave rise to these business models.

From the perspective of political economy, my conviction is that we should not (only) regulate data processing, or privacy, directly; but regulate the market in a way that will change the incentives. How?

For example, ban the targeted advertising. Or some forms of it. Or some types of content. Especially if we learn that they do not really work.Ban news feeds shaped by an unknown algorithms. Require that users are in control of the choices. If companies are not allowed to use the data they collect and patterns they infer, the incentive to collect and use it dramatically goes down.

The immediate response I fear is “but the First Amendment!”. I fear it, because I know nothing about it, and cannot properly engage in a discussion. But just let me say: even Americans have bans on ads of cigarettes or alcohol; or rules on ads of medications. Even with the First Amendment there are bans on speech directly endangering the national security (don’t want to use the “t” word, since the perfect surveillance will immediately hit me;). So if social media are/might be addictive and cause mental health problems (as it seems they are); and if they created environments where a foreign power can influence American presidential elections; it seems to me that health or national security could be some arguments justifying such an intrusion.

Or let’s do something else. Make it obligatory to offer a track-free, ad-free, paid option.  Facebook’s yearly revenue is $40 billion, and it has 2 billion users. That is 20 bucks per user per year. We pay ten dollars for Netflix and Spotify and Amazon Prime monthly; why not for Facebook or Google? Sure, that is not an option for many people in less wealthy countries; as I said, it’s of course more complex. And yes, Amazon and Netflix also surveil and addict us. So such a move is not sufficient. But it’s easier to make them stop, when they have a secured income from sources other than abusive ads, manipulation or political propaganda.

Those are obviously imperfect ideas. But they are just one possible way to go about the claim that I’m certain off: the role for law is to change the incentives that led to the “grand bargain”, not only to mitigate the bargain’s results.