Scott Peppet, Privacy Intermediaries
Comment by: Allan Friedman
Workshop draft abstract:
The Article explores the possibility of introducing “Privacy Intermediaries” into sensitive informational privacy domains. Privacy intermediaries are third parties that take on a neutral role as between two parties to an informational transaction (e.g., a web user and a web site, a search engine and an advertiser, a GPS-enabled smartphone user and a Starbucks, etc.). Privacy intermediaries gather information from one party and pass it to another, but they can de-identify or alter it to conceal a user’s identity. They have fiduciary duties to those they serve—duties not to reveal information without true consent; duties to secure information; duties to keep confidences. The general idea is that in some contexts, privacy intermediaries may be able to provide the information needed for efficiency purposes while keeping much raw data private.
Privacy intermediaries are not an entirely new idea. Computer scientists have studied “interactive techniques” involving active data administrators who selectively filter and disclose information; health regulators have built the (somewhat related) idea of “health information trustees” or “information custodians” into draft health information legislation; mobile technology developers are exploring the idea of “data vaults” to make sensor data useful but private; and privacy advocates have argued for personal data storage and vendor relationship management. Several recent startups—Personal.com, i-Allow.com, the Locker Project—are pursuing these ideas in the market. This Article is the first legal scholarship to investigate the idea of privacy intermediaries in depth, and the first to explore its legal implications.
Those implications are complex. Most recent privacy scholarship has questioned the growing power of Internet intermediaries; this Article argues that we may need to strengthen, not weaken, intermediaries to bolster privacy. But how would privacy intermediaries work? What business model makes sense, is there a case for governmental subsidy, and what legal reforms (to Section 230, the third party doctrine, etc.) might be needed to truly effect their potential?
This Article explores these questions. Although it examines a prescriptive idea—the call for neutral third-party fiduciary Internet intermediaries—it is less a prescriptive argument for privacy intermediaries than an investigation of their potential and problems.