INTRODUCTION
I. TRUST LOST
   A. What Is Meant by Trust
   B. The Early Internet
   C. Losing Trust
   D. The Post-Trust Internet
II. LIVING WITHOUT TRUST
   A. Legal Recourse
   B. Vertical Integration
   C. "Establishing Trust"
III. PROBLEMS WITH STANDARD SOLUTIONS TO LIVING WITHOUT TRUST
   A. Limitations of Legal Institutions
   B. Limitations of Vertical Integration
   C. Limitations of Endogenous Institutions
IV. TOWARD A POST-TRUST LAW OF INTERMEDIARIES
   A. Moving Forward: The Approach and the Stakes
   B. A Framework for Intermediary Liability
   C. Some Specifics
CONCLUSION

INTRODUCTION
Of all the changes that are transforming the Internet, the loss of trust may be the most fundamental....[T]he simple model of the early Internet--a group of mutually trusting users attached to a transparent network--is gone forever. (1)

The Internet's early architecture was built on a foundation of trust. From its inception in the 1960s through commercialization in 1993, the Internet was a relatively simple network that was designed, constructed, and used by a relatively small community of research and governmental institutions with broadly aligned incentives. In the decade following commercialization, even as these institutions gave way to diverse commercial interests, trust remained an organizing principle--the personal ties of technologists and their largely shared vision of a technological future drove use, investment, and research.
This trust-based architecture is quickly giving way to a post-trust future, however. As the Internet has matured, its architecture, uses, and the interests of its architects and users have become increasingly diverse and complicated. During the Internet's early development, a meaningful number of its users knew and cared how the Internet worked. They were vested in contributing to its development. This is no longer the case. Rather, the Internet now facilitates myriad private interests that may or may not be aligned with the social interests of the developing Internet architecture.
This transition from the Internet as a community with a common purpose to the Internet as a platform that supports myriad, often conflicting, private interests is not necessarily a bad thing. Many communities are founded with a common purpose that allows their members to rely on informal, trust-based mechanisms to respond to, or avoid the need to respond to, conflicts. As these communities grow, their informal mechanisms give way to more formal ones. It is unsurprising that the Internet would follow a similar trajectory.
This Article considers one of the challenges of this evolution: the role of intermediaries' liability for the harm they cause to users. All online interactions are conducted through intermediaries--the routers, servers, applications, services, and switches that make up the Internet's "core." In the era of the trust-based Internet, intermediaries were largely passive participants in the technological ecosystem. This limited both the harm they could cause and the basis for liability against them. In today's Internet, intermediaries are increasingly active; they make real-time decisions about how to handle user data, and they have the ability to store or share that data for private purposes. In the post-trust Internet, intermediaries can cause real harm. Without trust, it remains unclear which institutions, if any, safeguard users from such harm.
This Article's focus differs from that of previous work in this area. Many scholars have considered the role of liability for Internet intermediaries, but their work has generally focused on using intermediaries to redress harms caused by users. (2) For instance, to what extent should an intermediary be considered a speaker for moderating (or not) harmful speech? Or, should intermediaries be vicariously or indirectly liable for the illegal acts of users? Should payment intermediaries be liable for curtailing certain classes of illegal activity? Scholars have previously addressed questions such as these when considering intermediary liability.
As the role of active intermediaries continues to expand, liability for harm that intermediaries themselves cause is increasingly significant. There are two basic reasons for this. First, users lacking the ability to seek recourse may demand that active intermediation not be used. Regulatory and proposed statutory responses to network neutrality and privacy concerns are early examples of such demands. If the technology can, in users' estimation, harm them in ways against which they cannot protect themselves, users will be reluctant to embrace such technology--even if it is otherwise beneficial.
Second, the dearth of non-trust based enforcement mechanisms will reduce the supply of active intermediation technologies. This is a second-order effect driven by a lack of demand: if users are unable to hold intermediaries accountable for harms they may cause, users will be less willing to use those intermediaries' services. This reduces demand, and therefore will reduce the quantity of active intermediation services offered, including research and development of new services.
Both of these problems are rooted in the transition away from trust-based interactions. In the trust-based Internet, there was little concern that active intermediation would be used to users' detriment. In the post-trust Internet, users cannot embrace active intermediaries without assurances that their data will be handled in accordance with their expectations. This Article argues that the availability of legal recourse plays an important role in establishing such assurances, both by providing an avenue of redress when expectations are frustrated and by creating incentives to develop technologies that enable lower-cost mechanisms to this end.
Whatever the form taken by the role of liability, its transformation complements ongoing efforts to address the concerns generated by active intermediation. Both regulation and ongoing technological development shape what intermediaries can do as well as what they actually do. But it is doubtful that regulation and technology alone can protect users from harmful intermediation; adding recourse to the courts may help to advance the goal of protecting users from harmful intermediation.
This Article proceeds in four parts. Part I considers the role of trust in the early Internet, how the evolving Internet is moving away from this trust-based model, and how the loss of trust affects and limits online institutions.
The Internet is not the only institution that operates without trust. Many institutions already operate in such an environment. Part II looks to how other institutions function absent trust. These institutions' approaches fall into three categories: vertical integration; reliance on internal mechanisms to enable trust-like interactions (e.g., reputation, encryption); and reliance on external mechanisms to enable trust-free interactions (e.g., legal institutions).
Part III considers the limitations and lessons from these standard approaches and synthesizes them into a set of principles for establishing intermediaries' liability. Each approach suggests ways that a post-trust Internet might operate, but the Internet's architectural characteristics also present certain challenges. The Internet is designed to accommodate myriad independent actors, making widespread integration among intermediaries unviable. Those intermediaries are also supposed to operate transparently to users, which presents additional challenges to legal institutions. These two design principles--independence and transparency (3)--present fundamental technical challenges to any mechanism designed to facilitate interactions between parties that do not trust each other.
The institutional constraints that result from the Internet's architectural characteristics suggest two separate goals for the law: (1) establishing liability for intermediaries that may cause harm to users and (2) creating incentives to influence the ongoing evolution of underlying technology in ways that may overcome these fundamental technical challenges. Part IV considers both of these goals and presents a framework to assess which legal rules should apply based upon the capabilities of the underlying technology. Under this framework, today's intermediaries would be governed by broad liability rules with the burden on intermediaries themselves to prove that they have not harmed users. As technology develops, however, this framework may give users greater control over how their data is used, such that intermediaries would be better governed by property rules with burdens placed on users to control their own data. Such an approach provides technologists with a menu of options, enabling them to understand the legal consequences that may follow from technical design decisions.
I. TRUST LOST

This Part considers three topics: the role of trust in the early Internet, how the evolving Internet is moving away from this trust-based model, and how the loss of trust affects and limits online institutions.
A. What Is Meant by Trust
Scholars of various stripes often speak about the role of trust on the Internet. (4) In this and other areas of scholarship, the term "trust" often goes undefined. (5) Despite this trend, it is useful to consider the meaning of trust at the outset of this discussion.
In its most pithy form, this Article takes trust to mean "reliance without recourse." That is, one person trusts another when she relies on that other person in a way that exposes her to harm, but does so under circumstances where she has no recourse available should that harm come to pass. This meaning falls within a core concept of trust common to many authors. (6)
More importantly, this definition captures the idea animating most discussions of online trust--an intangible and important coordinating principle that facilitated interactions on the early Internet, but one that is decreasingly viable as a coordinating...