18 October 2015

Fiduciaries, Accountability and Innovation

'Regulating Secrecy' by W Nicholson Price in (2015) Washington Law Review (forthcoming) comments -
Regulation interacts with intellectual-property exclusivity in socially problematic ways by encouraging secrecy at the expense of innovation, efficiency, and competition. In the extensive scholarship on intellectual property and innovation, the role of regulation has gone largely unexplored. This Article is the first to theorize how regulation empowers intellectual property generally, to explain why this strengthening is problematic for trade secrecy but not for patents, and to offer the solution of regulator-enforced disclosure.
When a regulator defines a product or a process, it becomes much harder to invent around that product or process. Any associated intellectual-property exclusivity thus gets much more powerful. When the FDA approves a new drug, patents covering that chemical become much costlier to invent around because similar but non-identical chemicals lack the tremendous benefit of FDA approval. This patent/regulation interaction, however, can be noted and explicitly addressed by policy, as in the case of the Hatch-Waxman Act, which facilitates generic drug entry once drug patents expire. Regulation strengthens trade secrecy too, but more problematically. Biologics, which comprise the most innovative and expensive drugs today, are the path-dependent result of complex, secret manufacturing processes. Meeting the FDA’s definition of a biologic requires reverse-engineering its complex, secret process, making trade secrecy much more valuable and stifling competition and innovation. In such situations, regulation can push firms to choose secrecy over patents in precisely those socially important industries, like drugs, medical devices, and pesticides, where disclosure is most important.
Where regulation creates problems, however, it also offers the hope of a solution. Regulators are in a strong position to require disclosure directly: regulated firms have strong incentives for candor, regulators have the necessary expertise, and regulatory incentives can offset the costs of disclosure. More effective regulator-mediated disclosure would increase oversight and enable cumulative innovation, while retaining incentives for invention in regulated industries.
'Why Privacy and Accountability Trump Security' by Adam D. Moore comments
In this paper I will argue that establishing and maintaining practices promoting privacy and accountability will typically trump security concerns. While it is true that in specific instances security may outweigh privacy, this is not true once we glance upward to the level of practices. Along the way I will present and critique four prominent pro-security arguments entitled: “Just Trust Us,” “Nothing to Hide,” “the Consent Argument,” and “Security Trumps.”
Moore argues
Imagine you live in a world where each individual is responsible for his or her own security. This world is full of risks, from thieves, thugs, and extortionists to grifters, Ponzi-scheme artists, and hustlers. Also, imagine that you are not very good at providing security for yourself and decide to outsource this important task. Surveying the possibilities, you find that by moving to different areas, there are several distinct options.
In the Thomas Hobbes security zone, individuals are monitored around the clock without regard to privacy, liberty, or property. Total transparency and access yield nearly complete security. Using facial-recognition technology, virtual frisking, big data and predictive analytics, and video recorders, along with a host of other known and secret technologies, each individual is monitored and recorded around the clock. The chief security officer, known as Mr. Leviathan, is virtually unaccountable for how he conducts his business and is not subject to the sorts of intrusions common to typical Thomas Hobbes policy holders. Moreover, Mr. Leviathan is more or less free to pick fights with other security providers in other zones, upgrade surveillance equipment, and militarize his security forces at the expense of policy holders.
John Locke Inc., the primary competitor to Thomas Hobbes, falls at the other extreme. In the John Locke zone, security is promoted by protecting individual rights to life, liberty, property, and privacy. With a known and written law, recourse to impartial judges, and robust accountability provisions, basic rights are set aside only in rare cases. When rights are set aside, automatic and public review processes inform everyone of the reasons for some action or policy. Moreover, security officers are not free to start fights with other security agencies and are subject to the same sorts of rights and penalties as other John Locke policy holders.
While fictional, there are some interesting lessons to be learned by engaging in this sort of thought experiment. If you had to pick between these security agencies, which one would you choose and why? Arguably, if these were the only two choices, the obvious winner is the John Locke agency. There are lots of reasons. The most compelling, in my view, is that the Thomas Hobbes agency itself becomes a security threat. Without robust accountability, it would be hard to maintain that giving this sort of power to some company or government promotes, rather than undermines, individual security. Criminals, terrorists, or grifters are nowhere near as dangerous as Thomas Hobbes style governments. There are too many examples for us to deny Lord Acton’s dictum that “power tends to corrupt, and absolute power corrupts absolutely.”   If information control yields power and total information awareness radically expands that power, then we have good reason to pause before trading privacy for security.
Also note how security is tied to accountability and to the overall legitimate functions of an agency or state. Simply put, the more a state does for us, the more power it will likely need to complete its tasks. Standing against this increase in power will be the accountability provisions necessary to protect security. Giving a security provider a big gun with no or few accountability protections will debase security.
But this is exactly what we have been doing in the United States for decades. Consider the National Security Agency’s current bulk collection of data under PRISM, which would have remained secret had it not been for the whistleblowing of Edward Snowden.  Or consider abandoned programs such as the Terrorist Information and Prevention System (TIPS) and Total Information Awareness (TIA), which were attempts by the US government to circumvent Fourth Amendment privacy protections. Proposed new legislation, such as the Cyber Information Sharing and Protection Act (CISPA), would expand both surveillance authority and secrecy for our government agencies.
In response to these concerns, security officials typically offer one of four different arguments. According to the “just trust us” argument, we should let those in power decide the correct balance between privacy, accountability, and security. A second view minimizes privacy interests by calling into doubt the activities privacy may shield. This view, called “nothing to hide,” maintains that individuals should not worry about being monitored. Only those who are engaged in immoral and illegal activity should worry about government surveillance. A third strand, similar to the “nothing to hide” argument, is the view that “security trumps.” This latter account holds that security interests are, by their nature, weightier than privacy claims. Security is about life, limb, and property, and these interests will nearly always trump privacy or accountability concerns. Ken Himma, in this volume, defends a “security trumps” position. The final argument centers on consent. Many individuals voluntarily offer information, even private information, on social media sites, email, web pages, blogs, smartphones, and the like. By engaging in these activities, we are consenting that others may watch. The “consent” argument maintains that citizens have agreed to be monitored.
After presenting each of these arguments in more detail, an analysis and critique will be offered. While perhaps compelling at first glance, each of these arguments has serious flaws and should be rejected. The reason privacy and accountability trump security is because without the appropriate balance between these three important values, there can be no robust security.
'Information Fiduciaries and the First Amendment', a draft UC Davis Law Journal article by Jack Balkin, develops the theory of information fiduciaries.

Balkin explains
This article introduces the concept of an information fiduciary to explain how many different kinds of privacy protections can be consistent with the First Amendment.
An information fiduciary is someone who, because of their relationship with another, assumes special duties with respect to the information they obtain in the course of the relationship. Traditional information fiduciaries include professionals with special skills like doctors and lawyers. Clients cannot easily observe and monitor what professionals do and are dependent on professional expertise; moreover, professionals expect and encourage clients to have confidence in them. Lacking knowledge, skill, and the ability to monitor, clients must trust that these fiduciaries will not abuse their position and misuse the information they obtain from their clients.
For similar reasons, many online service providers and cloud companies should be considered as information fiduciaries with respect to their customers, clients, and end users. They keep their operations secret and they encourage end-users to trust them; moreover, end-users do not understand and cannot monitor how their information will be used in the future.
The duties of this new class of digital information fiduciaries may differ from and be more limited than those of traditional fiduciaries. Permissible regulations depend on the nature of their businesses and the kinds of trust and confidence they encourage from their end-users and clients. Governments may impose privacy regulations to enforce these fiduciary obligations without violating the First Amendment.
Similar reasoning explains how courts should modify the third-party doctrine in Fourth Amendment law. People should have a reasonable expectation that those who owe them fiduciary duties of trust and confidence will not betray them to third-parties, including the government. If new digital online service providers are information fiduciaries, end-users should have reasonable expectations of privacy in at least some of the information shared with them. Hence governments must show probable cause and/or obtain a warrant to access this information. The same reasons that governments may protect personal information under the First Amendment also provide justifications for a reasonable expectation of privacy under the Fourth Amendment.