The Resolution on the Misuse of Behavioral Data Surveillance in Libraries, recently passed at ALA Midwinter, calls for libraries and vendors to reject behavioral data surveillance of patrons. While we are familiar with the concept of data surveillance, the last item in the resolution contains something that some in the library world are not as familiar with – information fiduciaries. This concept also appears in the recently published 10th edition of the Intellectual Freedom Manual. There’s a likely chance that “libraries as information fiduciaries” will continue to gain ground in the professional discourse around library privacy, so let’s take some time to explore this concept.
Information Fiduciaries Basics
The fiduciary concept is centuries old. Typically, a fiduciary is a person(s) who is entrusted with a valuable asset from another person(s). You might have come across the fiduciary term when dealing with finances – for example, a financial advisor might be considered a fiduciary for a client. A fiduciary relationship is built on trust. The fiduciary is trusted to act in the interest of the party that trusts them enough to manage valuable assets or represent them in sensitive matters.
The concept of information fiduciaries, popularized by Jack M. Balkin in his 2014 blog post about the concept, took the fiduciary concept of managing assets and expanded the assets definition to include information about a person. This expansion would then charge the fiduciary to manage the person’s information with the person’s interests. In Balkin’s post, the expansion to information assets would call on fiduciaries to practice a higher level of information privacy, including not using or disclosing personal information against the user’s interests.
If this seems similar to the legal concept of “duty of care,” it should be! Duty of care is a legal concept that can be a part of fiduciary duties. The fiduciary is required to act in an informed and responsible way that will not harm others in the relationship. In the case of information fiduciaries, the fiduciary duty of care would be on the company that collects the user’s data; therefore, the company would need to put the user’s interests ahead of their interest.
Too Little, Too Late?
Nonetheless, the information fiduciary concept isn’t without its critics. David E. Pozen and Lina M. Khan argue that the concept cannot reconcile the business models of social media companies who rely on using personal data with the interests of the person to sustain the company’s business model. Pozen and Khan point out the tension between the already existing financial fiduciary relationship with shareholders (that rely on the business model) and the proposed information fiduciary relationship with users. Even Balkin admits that behavioral advertising, which exploits personal information for business gain, might continue after a company takes on an information fiduciary role. In a sense, applying an information fiduciary model to existing digital company business models is trying to close the barn door after the horses escaped – you’re asking a company who has built their revenue model on exploiting user information to give up their revenue stream. Having a company become an information fiduciary after the fact isn’t going to resolve them to move away from personal information abuse.
There are other critiques of the information fiduciary concept to consider. While the Electronic Freedom Frontier generally supports information fiduciary regulations, they recognize that the concept has several limitations including governance of third-party data relationships with other third-parties, limitations around restricting the collection of user data, and the uncertainty of how the recently created concept of information fiduciary would work in practice concerning legal enforcement of any fiduciary regulations. EFF argues that information fiduciary must not replace other data privacy regulations and practices. Information fiduciaries are not comprehensive in protecting user privacy and must be approached as such.
What About Libraries?
The information fiduciary is still relatively new, but there have already been calls from the library world to adopt the fiduciary role in patron data management. We will explore some of these calls, as well as how information fiduciary might look like at the library, in part two in the coming weeks!
Becky Yoose is the founder of and Library Data Privacy Consultant for LDH Consulting Services, helping libraries and vendors navigate the intersection of library data and privacy. Becky received her MA-LIS from University of Wisconsin – Madison in 2008, and has been a Certified Information Privacy Professional/United States (CIPP/US) with the International Association of Privacy Professionals since 2018. You can find her online at yobj.net and @yo_bj on Twitter.