Privacy as Trust

Ari Ezra Waldman

Most of us think of the private world as a place distinct or separate from other peo-
ple: that is, private spheres presume the existence of public spheres, but only as
things from which to detach. The right to privacy, in this way, is a right to keep
others out. I disagree. Privacy is about social relationships and the assumptions and
expectations that allow those relationships to exist. The right to privacy is, there-
fore, about protecting those relationships, many of which are defined by trust. This
essay develops this idea in detail, arguing for a reorientation of privacy scholarship
around sociological principles of interpersonal trust.

Privacy and Trust

In my article, “Privacy as Trust: Sharing Personal Information in a Networked

World,” I argued that privacy scholarship has traditionally been founded on rights-
based principles indebted to Locke and Kant. Many of the best known conceptuali-
zations of privacy – as, for example, the right to be let alone, a right to secrecy, a
guarantee of autonomy, or the separation of the personal and the public – reflect
the primacy of the individual as distinct from his social or community self. Some
of these rights-based views see privacy as freedom from something: from others,
from the public, from the government, from the prying eyes of others. Other rights-
based theories see privacy as the freedom for something, such as autonomy,
choice, and the full realization of individual rights. In either case, the result is the
same: privacy is individualistic, a right against society. I also showed the limits of
a rights-based approach: if they ever fully captured what we mean by privacy,
rights-based theories are in any event incapable of comprehending the role privacy
plays in a modern world in which terabytes of data, gleaned from cookies and web
beacons, can predict our behavior, categorize our interests, and help web-based
platforms tailor our internet experiences. I would now like to offer a new proposal:
at least in the information-sharing context, privacy is really a social construct based
on trust.
Trust is broader than just our intuitive conception of confidentiality. It is a so-
cial norm of interactional propriety based on our expectations of others’ behavior.
It animates our sharing and disclosing behavior because we decide to disclose dif-
ferent information to different groups based on our expectations of what they will
do with it. Precisely because trust is a salient determinant of our decision to share
2 Ari Ezra Waldman

personal information, privacy law – the collective judicial decisions, legislative en-
actments, and supporting policy arguments regulating disclosures, searches and
seizures, data aggregation, and other aspects of informational knowledge about
us – should be focused on protecting relationships of trust.

The Sociology of Trust

In contrast to several rights-based theories, privacy-as-trust focuses not on the what

or where of disclosure, but rather on how the disclosing party interacts with her
audience and the social context of that interaction. Disclosures made in contexts of
trust are private and should be protected as such. In this section, I describe what I
mean by trust and the genesis and indicia of a trusting context.
For all the research and analysis on trust done by social psychologists, sociolo-
gists, economists, and others, there is still some disagreement on what social scien-
tists mean by trust (see Nannestad). Though we may disagree on the margins, the
literature on trust suggests broad agreement at the core: trust is an expectation re-
garding the actions and intentions of particular people or groups of people, whether
known or unknown, whether in-group or out-group (see Newton and Zmerli; Möl-
lering). This kind of trust is what sociologists call particularized social trust: it is
interpersonal, directed at specific other people or groups, and forms the basis of
person-to-person interaction. Among those that know each other, trust emerges
from experience; among those that do not, trust is transferred from those we do.
Trust allows us to take risks, cooperate with others, make decisions despite com-
plexity, and create order in chaos, among so many other everyday functions. Trust
not only has positive effects on society, it is also essential to all social interaction,
is at the heart of how we decide to share information about ourselves, and helps
explain when we feel our privacy invaded.

What is Trust?

The trust we have in each other is about creating and reacting to expectations of
others’ behavior and it is at the foundation of almost every daily social interaction,
including our sharing of personal information. Georg Simmel knew this. He said
that society would “disintegrate” without the trust that people have in each other
(see Simmel 178). As the sociologist Niklas Luhmann noted, trust in others is so
essential that an “absence of trust would prevent [man] even from getting up in the
morning” (see Luhmann 4).
Particularized trust makes it possible to deal with uncertainty and complexity:
accosted with myriad stimuli and problems in modern life, we trust experts, others’
recommendations, and our experience to help us navigate them (see Parsons). We
put our faith in everything from brand names, doctors, and friends because it is im-
 Privacy as Trust 3

possible for any one person to have sufficient knowledge about everything to make
entirely rational decisions with complete knowledge. Knowledge is costly and hard
to come by and, often, decisions and actions have to come before knowledge even
exists (see Lewis and Weigert). As Simmel implied and Luhmann stated more ex-
plicitly, trust begins where knowledge ends.
In social environments, whether among offline or online friends, the decision to
share information is one example of action that comes before knowledge. Sharers
cannot know precisely what their audience members will do with information they
receive, so other than declining to share entirely, sharing is an exercise in trust.
With respect to our information, we trust that intimates will continue to act like in-
timates, that acquaintances will continue to act like acquaintances, and that
strangers will continue to act like strangers. With those expectations, we can de-
termine what to share with whom.

How Does Trust Develop?

Traditionally, social scientists argued that trust emerged rationally over time as part
of an ongoing process of engagement with another: if A interacts with B over time
and B usually does x during those interactions, A is in a better position to predict
that B will act similarly the next time they interact. The more previous interactions,
the more data points A has on which to base his trust. This prediction process is
based on past behavior and assumes the trustor’s rationality as a predictor (see
Doney et al.; Good). Given those assumptions, it seems relatively easy to trust
people with whom we interact often (see Macy and Skvoretz).
Some scholars suggest that past experience is the only source of interpersonal
trust (see Luhmann; Offe; Yamagashi and Yamagashi). But, as Eric Uslaner has
noted, past experience is only one basis for trusting particular other people. Anoth-
er is a common identity, or faith “in your own kind” (573). This should sound fa-
miliar to anyone who has taken an undergraduate course in sociology: Max Weber
thought that common membership in the Protestant sect in early America allowed
people who did not really know each other to trust that they would be competent
contractual partners. And we know that trust develops among strangers and ac-
quaintances, with whom we do not have the benefit of repeated interaction. Trust
not only develops earlier than the probability model would suggest; in certain cir-
cumstances, trust is also strong early on, something that would seem impossible
under a probability approach to trust (see McKnight et al.). Sometimes, that early
trust among strangers is the result of a cue of expertise, a medical or law degree,
for example (see Doney et al.). But trust among lay strangers cannot be based on
expertise or repeated interaction, and yet, such trust is quite common.
Sociologists suggest that reasonable trust among strangers emerges when one
of two things happen: (1) when strangers share a stigmatizing social identity, or
4 Ari Ezra Waldman

(2) when they share strong ties in an overlapping network. In a sense, we transfer
the trust we have in others that are trustworthy and very similar to us to a stranger
or use the stranger’s friends as a cue to his trustworthiness. This transference pro-
cess takes information about a known entity and extends it to an unknown entity
(see Doney et al.). This explains why trust via accreditation works: we transfer the
trust we have in a degree from a good law school, which we know, to one of its
graduates, whom we do not. We are willing to trust doctors we have never met
even before they give us attentive care, exhibit a friendly bedside manner, and
show deep knowledge of what ails us because we trust their expertise, as embodied
by the degrees they hang on their walls. Transference can also work among layper-
sons. The sociologist Mark Granovetter has shown that economic actors transfer
trust to an unknown party based on how embedded the new person is in a familiar
and trusted social network. Hence, networking is important to getting ahead in any
industry and recommendation letters from individuals employers know well are of-
ten most effective. This is the theory of strong overlapping networks: someone will
do business with you, hire you as an employee, trade with you, or enter into a con-
tract with you not just if you know a lot of the same people, but if you know a lot
of the right people, the trustworthy people, the parties with whom others have a
long, positive history; it is not just how many people you know, it’s whom you
know.
The same is true outside the economic context. The Pew Research Center has
found that of those teenagers who use online social networks and have online
‘friends’ that they have never met off-line, about 70 % of those ‘friends’ had more
than one mutual friend in common (see Lenhart and Madden). Although Pew did
not distinguish between types of mutual friends, the survey found that this was
among the strongest factors associated with ‘friending’ strangers online.
The other social factor that creates trust among strangers is sharing a salient in-
group identity. Such trust transference is not simply a case of privileging familiari-
ty, at best, or discrimination, at worst. Rather, sharing an identity with a group that
may face discrimination or has a long history of fighting for equal rights is a proxy
for one of the greatest sources of trust among persons: sharing values (see Par-
sons). At the outset, sharing an in-group identity is an easy shorthand for common
values and, therefore, is a reasonable basis for trust among strangers. Social scien-
tists call transferring known in-group trust to an unknown member of that group
category-driven processing or category-based trust (see Williams). But I argue that
it cannot just be any group and any identity; trust is transferred when a stranger is a
member of an in-group, the identity of which is defining or important for the trus-
tor. For example, we do not see greater trust between men and other men perhaps
because the identity of manhood is not a salient in-group identity (see Doney et
al.). More likely, the status of being a man is not an adequate cue that a male
stranger shares your values. Trust forms and is maintained with persons with simi-
 Privacy as Trust 5

lar goals and values and a perceived interest in maintaining the trusting relationship
(see Six; Welch et al.). But it is sharing values you find most important that breed
trust (see Jones and George). For example, members of the LGBT community are,
naturally, more likely to support the freedom to marry for gays and lesbians than
any other group. Therefore, sharing an in-group identity that constitutes an im-
portant part of a trustor’s persona operates as a cue that the trustee shares values
important to that group and will continue to behave in accordance with those val-
ues.
There are several reasons why the aforementioned factors – salient in-group
identity, strong overlapping networks, and experience – are the proper bases for es-
tablishing when trust among strangers is reasonable and, therefore, when the priva-
cy of those contexts should be protected by society. First, it represents the best so-
cial science research into human behavior. It reflects how we actually behave and
helps determine when we share our personal information with others. Legal rules
that reflect and foster positive social behavior have the best chance at success and
making society better. Second, these are reasonable bases for trust. It is hard to ar-
gue that trusting based on identity, strong overlapping networks, and expertise is
reckless. Third, and most importantly for the law of privacy, that most people ar-
guably trust based on these factors suggests that society should be willing to rec-
ognize expectations of trust and privacy based on these factors.

Breaches of Privacy as Breaches of Trust

I argue that a private context is a trusting context. Trust reflects a behavioral ex-
change between two people or among several people or groups. As an exchange –
an implied social deal – trust is expressed whenever there is social interaction. And
for any interaction that involves sharing some piece of information about our-
selves, trust and privacy go hand in hand. That is, we retain privacy rights in con-
texts of trust. Now that we know how to identify trust, we can see the link between
trust and privacy through several examples of invasions of privacy. The only
framework that explains why all of them feel like invasions of privacy is trust: in
each case, our expectations of the behavior of others were violated.
1) Barging into a bathroom or reading a diary. Though a classic invasion of
privacy, our sense of invasion cannot be based on something inherent to a bath-
room – the stall’s walls or the bathroom door – or a diary – its lock or its owner’s
name embossed on the front cover; otherwise, privacy would be limited to when
we are enclosed by walls or within our property boundaries.
2) An inappropriate question. A simple question can be an invasion of priva-
cy. An employer who demands to hear about a female employee’s sexual history
could be creating a hostile work environment for women. We find such questions
6 Ari Ezra Waldman

invasive even though a given person may have no qualms about revealing a detail
that might seem intimate to others.
3) Revealing someone else’s secrets. This kind of invasion must be based on
more than the mere fact of transforming something from secret to non-secret.
Spouses can reveal their friends’ secrets to each other; indeed, there is anecdotal
evidence that many people expect that to happen. What’s more, if the existence of
privacy rights hinged on the on-off switch of revelation versus secrecy, there
would be precious few private things left in a world of rampant voluntary and in-
voluntary disclosure.
4) Data aggregation and categorization (see Nissenbaum 2004; Solove
2004). But there is nothing inherently private, in the conventional sense, about the
data, which could range from the last book you purchased on Amazon to your pre-
scription drug history: all of it was given to a third-party intermediary at some
point. As Daniel Solove has argued, analyzing and aggregating information you al-
ready disclosed to a third party could not be considered an invasion of privacy if
our conception of privacy is based on strict secrecy.
5) Listening to a conversation between two other people at a party (see Nis-
senbaum 1998). But if the invasion hinges on the mere fact of overhearing, privacy
transforms everything that passes through one’s audiovisual attention field into
eavesdropping.
6) Putting public records online. However, as Helen Nissenbaum (2004) not-
ed, those records are already public; putting them online is a mere administrative
convenience, not an invasion of privacy on any traditional understanding of the
term.
Scholars have been unable to identify what these diverse invasions of privacy
have in common. Indeed, Solove has argued that there is no single common de-
nominator unifying all privacy problems under one schema. Rather, invasions of
privacy have certain “family resemblances” with some overlap in some contexts
(2002: 1126). I decline to give up the ghost of coherence so easily. Indeed, each of
these examples does have something in common: they have a behavioral, interac-
tional element, and each behavior becomes an invasion of privacy because it vio-
lates the trust expected to exist in the given relationship. The privacy invasion, that
is, stems not from anything special about the information or the space, but from the
erosion of the behaviors expected to the particular interaction.
Unannounced entry, whether into a bathroom or onto another’s blanket on an
empty beach, breaches the trust and discretion implied by occupying a space. A
person with whom you discuss work, sports, love, mortgage payments, and your
daughters’ dirty diapers may be able to ask about a recent sexual dalliance, but the
same question from a casual friend at work may not only strike you as invasive, but
could be considered harassment (see Scott). Revelation of another’s secrets could
violate our privacy if the information has diffused to a wide, unexpected audience,
 Privacy as Trust 7

but not if it remained among close friends (see Strahilevitz). Eavesdropping is only
an invasion of privacy when outsiders do it, not when an intended interaction part-
ner hears a conversation and then participates. And revealing secrets to a spouse is
not a breach of another’s privacy because we expect strong trust and discretion in
marital relationships. What matters in each context is the relationship between the
disclosing party and her audience: violations of expected future behavior of the au-
dience are invasions of privacy.
The pattern holds for data gathering, aggregation, categorization, and subse-
quent disclosure to third parties, as well. Data mining and making public records
more accessible may be perceived as invasions of our privacy because the subse-
quent actions taken with our admittedly public data violate the expectations we had
of the behavior of third parties in whom we trusted. Indeed, as Daniel Solove
(2004) and Frank Pasquale have argued, third parties that collect, store, and use our
data should be considered and regulated as trusted fiduciaries of our property. That
proposal makes sense because trust is at the foundation of the relationship between
individuals and stewards of our information.

The Effects: Tort of Breach of Confidentiality

Privacy-as-trust is a pragmatic, sociological approach to understanding privacy be-

havior and crafting a legal response. It captures our intuitive sense about intrusions
into privacy. It then links them together into a single doctrine – namely, that be-
cause trust is an essential element of social interaction and at the core of our sense
of invasion of privacy, privacy law should protect, foster, and incentivize disclo-
sures in situations of trust. That doctrinal coherence offers judges a workable path
for resolving questions of privacy law: after identifying the nature of the relation-
ship between the parties involved, judges should look to the presence of experi-
ence, strong overlapping networks, and identity to determine whether a given dis-
closure was made in a context of trust. If so, the sharer should retain a privacy
interest in the information disclosed; if not, the privacy interest is extinguished.
This interpretive framework has the potential to function in a variety of con-
texts. I will discuss one here: should those who widely disseminate personal infor-
mation about you be liable for an invasion of privacy even if you had previously
disclosed the information to a select, limited few? This has profound implications
for any number of ongoing legal controversies, from so-called ‘revenge porn’ and
online harassment to an overzealous media intruding into the lives of private per-
sons.
If trust is at the core of privacy, then the remedy for invasions of privacy should
remedy the breach of trust. And if trust can exist or be breached (and privacy can
be maintained or invaded) among intimates as well as certain strangers given the
8 Ari Ezra Waldman

right social context, then the remedy for invasions of privacy should be similarly
broad in scope. Fortunately, the trust-based tort of breach of confidentiality, which
has a long tradition in Anglo-American common law, can provide a clear, practical
way forward for victims of privacy invasions and for judges looking for answers to
vexing problems of modern privacy. Stunted in American law by various contin-
gent historical factors – most notably, William Prosser’s failure to include it in his
article on “privacy torts” (see Richards and Solove) – the breach of confidentiality
tort unleashes us from traditional privacy scholarship and reflects the meaning and
implications of privacy-as-trust: it focuses not on the individual or the nature of the
information, but rather on the social relationship in which the information is
shared.
Neil Richards and Daniel Solove have recounted the history of the tort of
breach of confidentiality, showing how embedded it is in Anglo-American law,
and proposed a rejuvenation of the tort in the United States by importing modern
confidence jurisprudence from Britain. Woodrow Hartzog has also proposed a ro-
bust tort of confidentiality. I would like to build on their work and show how the
tort is premised on particularized social trust and propose modifications to the tort
based on the lessons of this essay. I then apply the tort of breach of confidentiality
to determine when we retain privacy interests in previously disclosed information,
concluding that the tort can better protect personal privacy in a world of rampant
disclosures to myriad third parties.

The Tort of Breach of Confidentiality

The tort of breach of confidentiality is premised on particularized social trust and

would impose liability when someone who is expected to keep confidences divulg-
es them. I propose that the claim would have three elements: a successful plaintiff
must prove that (1) the information is simply not trivial or already widely known,
(2) the original disclosure happened in a context that indicated trust, and (3) the use
of the information caused an articulable, though not necessarily individualized,
harm. These elements are based on the work of Richards and Solove and Helen
Nissenbaum’s (2004 theory of privacy as contextual integrity, but the claim con-
struct departs from those influences to learn the lessons of privacy-as-trust. Those
lessons are that we expect to retain privacy even after initial disclosures, that
strangers can receive information in contexts of trust reasonably developed by
identity, strong overlapping networks, and other indicia of trust based on the totali-
ty of the circumstances, and that, as injuries to trusting relationships, privacy harms
may antedate any specific, personalized, or defamatory effects. Admittedly, this
proposal would take privacy tort law in a new direction; but that reorientation is
necessary to protect personal privacy in a networked world filled with involuntary
and voluntary disclosures.
 Privacy as Trust 9

Confidentiality law has always been premised on privacy-as-trust. For example,

the centuries old common law evidentiary privileges, where confidentiality law got
its start, prohibit one party to a special relationship from revealing the others’ se-
crets in court (see Richards and Solove). As the Supreme Court has stated repeat-
edly, the attorney-client privilege “encourage[s] full and frank communication”
and allows both parties to feel safe to share facts, details, and impressions without
fear of disclosure (Upjohn v. United States 389); that is, it protects the relationship,
fosters the confidence necessary to share, and puts the weight of the law behind
each party’s expectation that the other would behave with discretion And the other
special relationships that traditionally warranted confidentiality and discretion –
those between a doctor and patient, a clergyman and penitent, a principal and
agent, a trustor and trustee, a parent and child, to name just a few – are all premised
on the expectation that the parties will continue to behave in a manner that protects
a disclosee’s confidences (Richards and Solove).
Notably, the kind of trust at the foundation of special relationship privileges is
precisely the kind of particularized social trust that I argue is at the heart of priva-
cy. We trust that our attorneys, doctors, confessors, and other fiduciaries will keep
our confidences not because we have long historical data sets that over time prove
they do not divulge our secrets. Rather, confidentiality is the norm because of ex-
pertise, strong overlapping networks, and transference. Lawyers, doctors, and
priests, for example, all have canons of ethics that promise confidentiality. We tend
to choose our physicians and lawyers, at least, based on personal recommendations
from our embedded networks: we ask close friends and those we know well and
transfer the trust we have in them to their recommendations. Particularized social
trust, therefore, is at the heart of these relationships and the law of evidentiary priv-
ileges is meant to protect that trust.
Confidentiality law reflects privacy-as-trust even as British confidentiality ju-
risprudence has unmoored the tort from the narrow confines of particular relation-
ships. Richards and Solove cite several cases, many of them dual intellectual prop-
erty and confidential relationship cases, to show that the required relationships
were never very narrow. Those relationships have become even more attenuated in
modern British confidentiality law, which only hinges “on the acceptance of the in-
formation on the basis that it will be kept secret” (Stephens v. Avery 1998): Con-
sider the 1969 case of Coco v. Clark, which, according to Richards and Solove,
“crystallized” British confidence law (161). Coco involved a trade secret, but the
court took the opportunity to define the three elements necessary for a breach of
confidentiality claim: the information (1) needs “the necessary quality of confi-
dence about it,” it (2) “must have been imparted in circumstances importing an ob-
ligation of confidence,” and there must be (3) some use of the information to the
disclosee’s “detriment” (Coco v. Clark). Richards and Solove show that subsequent
case law has shown these categories to be quite broad: the “quality of confidence”
10 Ari Ezra Waldman

prong merely means that the information is “neither trivial nor in the public do-
main” and the “circumstances” prong extends beyond defined relationships and
even to friends (163). The damage prong has never been clearly explained, but it
appears that British law does not require the kind of specific, particularized harm
that is common to American tort law (164), as evidenced by several British cases
that have found the disclosure per se harmful.
This jurisprudence reflects many of the lessons of privacy-as-trust. By defini-
tion, the tort recognizes that we can retain privacy interests in information already
disclosed; after all, the tort holds the subsequent disseminators liable. Most im-
portantly, it distinguishes between disclosure in contexts of trust and wider publici-
ty. Privacy-as-trust would extend the British cases beyond friends to the social ob-
ligations that arise even among acquaintances and strangers, cabined by the
presence of the indicia of trust of experience, strong overlapping networks, identi-
ty, and expertise. This jurisprudence should also extend beyond cases involving
traditional defamatory or reputation damages that result from wide dissemination
of information. Under privacy-as-trust and confidentiality law, the breach of confi-
dence is an invasion of privacy because of the damage the breach has done to our
expectations and relationships. As such, plaintiffs could satisfy the injury require-
ment of the claim by showing that possessors of personal information distributed
the data to third parties for purposes unrelated to why the data was given in the first
place.
In cases like Dwyer v. American Express and Shibley v. Time, for example, the
judges and attorneys involved were asking the wrong questions. Had plaintiffs
made a breach of confidentiality claim based on privacy-as-trust, things may have
turned out differently. Dwyer involved American Express (Amex) cardholders who
objected to the company’s consumer tracking habits: Amex collected hundreds of
data points on cardholders, tiered them based on spending habits and other factors,
and rented both the raw data and the list to third party partners. Objecting to having
their data sold to third parties they knew nothing about, cardholders filed a claim
for intrusion upon seclusion, one of Prosser’s privacy torts. That claim requires that
there be “an unauthorized intrusion” into a plaintiff’s private life, but because users
of American Express cards “voluntarily, and necessarily, giv[e] information to
[American Express] that, if analyzed, will reveal a cardholder’s spending habits
and shopping preferences,” there could be no intrusion (Dwyer v. American Ex-
press 1354). The court rejected the claim. Adopting a “secrecy paradigm” ap-
proach, the court found that the information had ceased to be private: cardholders
had already given up their privacy willingly by using the card with full knowledge
that Amex was gathering their data.
A similar fate met the claim in Shibley. In that case, a magazine subscriber sued
the publisher for selling subscription lists to a direct mail advertising business, but
the court rejected the claim because, among other things, there was nothing private
 Privacy as Trust 11

about his name, address, and magazine preferences. Under the conventional under-
standings of privacy, both the Dwyer and Shibley decisions were correct; a concep-
tion of privacy based on control presumes that individuals assume the risk of sub-
sequent disclosure when they voluntarily reveal their personal information to
others.
A tort for breach of confidentiality based on privacy-as-trust offers another way
forward. Under the confidentiality tort, the fact that the information was previously
revealed is irrelevant; what matters is the social context. Therefore, Dwyer and
Shibley should have turned on a broader social analysis of the disclosure context:
was information given to a third party for a particular purpose – purchases on cred-
it or magazine subscriptions – and without the expectation of wider use? Did data
usage policies state that customer data would be sold? Had the companies licensed
their customers’ information before? Were data partnerships with third parties suf-
ficiently routinized such that customers would be aware that information sharing
would occur? These factors respect the role trust plays in initial disclosures, and
they are the questions lawyers must ask to determine if the elements of a breach of
confidentiality claim could be made successfully. The dockets do not provide any
answers, which proves that privacy law has been asking the wrong questions for
some time.

Further Disclosure of Previously Revealed Information

Individuals often disclose personal information to one other person or a small

group. Men and women in romantic relationships share intimate photos of one an-
other, coworkers overhear telephone or water cooler conversations, and individuals
trade idle gossip at cocktail parties. The general rule of thumb in American privacy
law is that these individuals assume the risk of further disclosure and thus have no
recourse when the recipient of information disseminates it to a wider audience. But
privacy-as-trust would hold that, in certain contexts, when someone reveals private
information to one or several persons, he could reasonably expect that the recipi-
ents would not disseminate his information any further. Therefore, a third party’s
further disclosure of that information, this time to a different and, likely, larger au-
dience, could constitute an invasion of privacy and a breach of confidentiality.
Currently, there are two problems to address: some courts do not accept this
idea at all and when others do, there appears to be no coherent scheme for judging
when a previous disclosure leaves a privacy interest intact. Lior Strahilevitz ad-
dressed these issues in an insightful and powerful article, “A Social Network Theo-
ry of Privacy,” arguing that social science literature on social network theory, or
information dissemination among persons, could give judges an articulable, quanti-
12 Ari Ezra Waldman

tative method for adjudicating limited privacy cases. 1 Strahilevitz’s work puts us
on a path toward a more just and fair privacy jurisprudence. However, his theory is
incomplete, weaker than privacy-as-trust, and risks further marginalizing already
disadvantaged groups. I propose that a robust breach of confidentiality tort in-
formed by British law and the principles of privacy-as-trust would better protect
personal privacy and offer judges a clear, practical tool for adjudicating these cas-
es.
Several cases illustrate the danger and lack of coherence in the current law,
many of which formed the basis for Strahilevitz’s social network theory. In Sand-
ers v. ABC, the California Supreme Court found that an undercover news reporter
violated one of her subject’s privacy interests in the content of his conversations
with her when she broadcast those conversations on television. ABC had argued,
however, that any privacy right was extinguished by the simple fact that the sub-
ject’s co-workers had been present and overheard the broadcasted conversations.
The court disagreed. Privacy, the court said, “is not a binary, all-or-nothing charac-
teristic. […] ‘The mere fact that a person can be seen by someone does not auto-
matically mean that he or she can legally be forced to be subject to being seen by
everyone’” (72). Here, the court was able to distinguish between information that
was public only to several co-workers versus information publicized to the broad-
cast audience of ABC News.
A similar question was resolved in a similar way in Y.G. v. Jewish Hospital and
Multimedia WMAZ, Inc. v. Kubach. In Y.G., a young couple that underwent in vitro
fertilization in violation of the doctrines of their conservative church found their
images on the nightly news after attending a gathering at their hospital. Prior to the
segment, only hospital employees and a parent knew of their plans to have a family
and the party was only attended by hospital employees and other participants in the
in vitro fertilization program. The court rejected the argument that the couple’s at-
tendance at the party waived their privacy rights, holding that the couple “clearly
chose to disclose their participation to only the other in vitro couples. By attending
this limited gathering, they did not waive their right to keep their condition and the
process of in vitro private, with respect to the general public” (502). And in Ku-

1
Social network theory is the cross-disciplinary study of how the structure of networks affects
behavior. A network is just a set of objects – people, cells, power plants – with connections
among them – social encounters, synapses, grids. They are all around us: a family is a (social)
network, as is the (neural) network in a brain and the (distribution) network of trash pick-up
routes in New York City. To see one visualization of diffusion through a network, dab the nib
of a marker into the middle of a piece of construction paper and you will see, in real time, the
diffusion of ink from one origin point, or node, through the lattice-like network of fibers that
make up the paper. Facebook is the paradigmatic modern social network: its overarching net-
work has nearly 1.5 billion nodes (members), but it also has billions of subnetworks, where
nodes overlap, interact, and share information. It is a network’s ability to invite, disseminate,
and retain information that concerns us.
 Privacy as Trust 13

bach, an HIV-positive man who had disclosed his status to friends, health care per-
sonnel, and his HIV support group retained a privacy interest in his identity. The
court reasoned that a television station could not defy its promise to pixelate his
face merely because of Kubach’s previous disclosures because those disclosures
were only to those “who cared about him […] or because they also had AIDS”
(494). Kubach, the court said, could expect that those in whom he confided would
not further disclose his condition.
And then there are those cases that reject the notion that anyone could retain
privacy interests in disclosed information. In permitting agents of General Motors
to interview associates of Ralph Nader and use the information they gathered under
false pretenses to discredit him and his criticisms of the company, a court held that
“[i]nformation about the plaintiff which was already known to others could hardly
be regarded as private” (Nader v. General Motors 770), ignoring that those “oth-
ers” were Nader’s friends. Similarly, in an ironically well-publicized case, a Mich-
igan court found that Consuelo Sanchez Duran, the Colombian judge that indicted
drug kingpin Pablo Escobar, had no privacy right in her re-located Detroit address;
she used her real name when shopping and leasing an apartment and told several
curious neighbors why she had security guards. The court said that these actions
rendered her identity “open to the public eye” (Duran v. Detroit News 720).
The results of these cases vary. But most importantly, there seems to be no co-
herent and consistent way of determining when a previous disclosure extinguishes
a privacy right. Rights-based theories are of little help. The sharers in these cases
freely and voluntarily disclosed information to others and privacy theories based
on separation, secrecy, and exclusion cannot adequately extend beyond an initial
disclosure. They would either give individuals unlimited power over disclosure or
justify the rigid bright line rules that characterized Nader and Duran. In cases like
Y.G. and Kubach, a central animator of the holdings was the fact that the plaintiffs’
free and voluntary agreements to attend the hospital party or go on television, re-
spectively, depended upon the defendants’ assurances that their identities would
not be publicized (Y.G. 501; Kubach 494). They never chose to be identified and,
therefore, the publicity violated their right to choose to be private. This makes little
sense as a workable theory of privacy. It would grant individuals total control over
a right that must be balanced against others and offers no instruction on where to
draw the line between sufficient and insufficient publicity.
Perhaps social network theory could answer these previous disclosure ques-
tions. After a comprehensive review of this literature, which need not be repeated
here, Strahilevitz gleaned several practical lessons for adjudicating cases like Nad-
er, Y.G., and Kubach. He suggests that acquaintances, or ‘weak ties,’ help spread
simple information from one network to another – gossip, anecdotes – but do a
poor job of spreading complex information or aggregating bits of data together.
Close-knit individuals tend to aggregate data better, but are rarely responsible for
14 Ari Ezra Waldman

letting information escape. And more controversial or ‘juicy’ bits of information

spread faster and easier from one network to another (972-73).
Strahilevitz goes on to apply these lessons to the cases above. In Kubach, the
plaintiff had told medical professionals as well as friends and family about his
HIV-positive status. Strahilevitz concludes that since norms prevent patient infor-
mation from flowing from doctors and since several studies suggest that HIV-
status information is rarely divulged outside of certain tight networks, the infor-
mation was unlikely to get out on its own. Therefore, Kubach had a privacy interest
on which he could sue ABC for its wide dissemination of his private information
(977). Strahilevitz finds Y.G. harder to decide. He has no study on how knowledge
of in vitro fertilization travels in a network. Instead, he relies on the assumption
that “there appears to be less stigma associated with in vitro fertilization” than, say,
HIV-status (978). The pertinent information – that the couple was using in-vitro in
contravention of their religious community’s wishes – was hard to piece together,
so not many people at the gathering would be privy to it. And many of the partici-
pants would have been either co-participants or health care providers and thus less
likely to spread the news. Strahilevitz found the court’s decision to recognize a pri-
vacy interest “defensible,” though not a slam dunk under social network theory
(978).
Social network theory, however, would say Duran came out wrong. Strahilevitz
notes that shopping and eating in restaurants are “weak-tie interactions,” so using
one’s real name would only become interesting and likely to spread through a net-
work if a waiter was able to piece together that the woman to whom he just served
salad was the Colombian judge who indicted Pablo Escobar (979). “Perhaps,”
Strahilevitz notes, “a Colombian waiter would have put two and two together”
(979), but the interactions were too fleeting and the information too complex to be
likely to get out and reach a wide audience.
None of Strahilevitz’s conclusions are unreasonable. In fact, they make a great
deal of sense in part because of the attractive elements of his social network theory.
Like Helen Nissenbaum’s (2004) privacy as contextual integrity, a social network
theory elevates the social context of a given interaction over formal rules and the
mere fact of disclosure. It also highlights the important role social science can play
in adjudicating modern legal questions. But there remain several questions. Social
network theory does not explain why we share in the first place, which makes it
difficult to assess whether an individual shared personal information with an objec-
tively reasonable expectations of privacy. There is also the question of evidence.
Strahilevitz never states how lawyers would go about proving complexity of in-
formation, how fast or slow a given piece of information would flow in a network,
or how to identify important nodes in a network. Without proof, we are left with
assumptions and a judge’s personal views, which would further marginalize popu-
lations whose networks look very different from those of mainstream members of
 Privacy as Trust 15

the American judiciary. A friend going through in vitro fertilization might be a ra-
ther ordinary piece of information for a network of young persons, progressive
women, and members of the LGBT community. The same could hardly be said for
radically different networks of radically different people.
A social network theory of privacy also has a problematic relationship with
strangers. In some cases, if a stranger knows something about you, social network
theory would extinguish your privacy rights (Strahilevitz 974). But we know that
should not be the case: privacy based on trust can exist among strangers given so-
cial cues that invite revelation and a subsequent interaction. Privacy-as-trust would
amend Strahilevitz’s network theory to appreciate the context of information shar-
ing with strangers and retain privacy interests in information shared with strangers
who nevertheless exist in a relationship of trust and discretion. The tort for breach
of confidentiality may provide a clear, practical alternative.
Armed with the tools of privacy-as-trust and confidentiality tort, we can con-
sider limited privacy cases anew. Currently, the cases are resolved using either a
bright line rule that extinguishes privacy after a minor disclosure to even one per-
son or, to use Strahilevitz’s phrase, an ad hoc “I know it when I see it” standard
(973). Ralph Nader and Consuelo Duran had told several people information about
themselves, but a bright line disclosure rule extinguished any remaining privacy in-
terest in that information as against the world. But, under privacy-as-trust, what
matters is not the mere fact that Mr. Nader and Ms. Duran told something to others,
but rather the context in which they told it. The exact nature of the questions asked
is not clear from the record in Nader, but we do know that among those inter-
viewed were Mr. Nader’s “friends” (770). We know from British confidentiality
law that circumstances giving rise to an obligation of confidence can arise amidst
disclosures to friends. Duran also makes clear that Ms. Duran only told three
neighbors – namely, those with whom she had previous interactions – why she
needed security guards and used her real name to lease a home. The nature of the
information, not to mention the minimal disclosure to a close-knit group, would
engender trust against further disclosure and may satisfy the requirements of the
confidentiality tort.
In Sanders, ABC had argued that it could broadcast the conversation in ques-
tion because several of Sanders’s co-workers overheard it at the time. The sub-
stance of the clip was rather banal: Sanders noted that he used to be a stand-up co-
median and that he was hardly enamored with his current job doing over-the-phone
psychic readings. Given the original audience and the lack of anything newsworthy
or interesting in the conversation, Strahilevitz’s social network theory would sug-
gest that it is highly unlikely that information would have been widely disseminat-
ed but for the ABC news report. Here, the result under privacy-as-trust and the
confidentiality tort would be the same. Sanders felt comfortable disclosing infor-
mation because the few people around, his work associates, were trusted to exer-
16 Ari Ezra Waldman

cise the appropriate discretion about whatever non-work information they happen
to overhear. A privacy interest remains.
Kubach was about HIV-status disclosure, something that the sociologist Gene
Shelley and others have found is usually only disclosed in environments contextu-
alized by trust. This kind of information has also been found to be the kind of in-
formation that would give rise to an obligation of confidence under British law (see
Toulson and Phipps). Therefore, especially given the social, political, and public
health benefits associated with disclosure, privacy-as-trust and the confidentiality
tort would note the strong trust that exists in an HIV support group, protect Ku-
bach’s privacy, and help foster the trust and discretion that permits HIV-status dis-
closure in the first place. The breach of confidentiality tort would be satisfied: the
information has the necessary confidential quality, it was only disclosed to friends,
doctors, and an HIV support group, and its dissemination could do significant
damage. And, in Y.G., the attendance at the hospital gathering among other in-vitro
couples and hospital personnel suggests that any information was being disclosed
in an environment of trust, much like Kubach disclosing his status to a support
group or to fellow members of the HIV-positive community. The couple in Y.G.
shared with other attendees what they thought was stigmatizing social identity;
they became a tight-knit, socially-embedded group, even though they were
‘strangers’ in the traditional sense of the word. What’s more, the hospital staff
could also be trusted as experts in their fields. Privacy-as-trust and the confidential-
ity tort would both protect the couple’s privacy and encourage them to seek the
support of others.
Privacy law focused on trust better protects privacy and the socially beneficial
effects of sharing and gives judges a coherent scheme for answering limited disclo-
sure questions. It reflects our intuitive understanding of the injustice of bright line
rules extinguishing privacy rights after one disclosure. And it understands the im-
portance of context in sharing behavior. In these ways, a breach of confidentiality
tort that accepts that trust and discretion can exist among relative strangers would
provide an effective antidote to the current confusion on privacy.

Conclusion

Privacy-as-trust has wide policy implications. It offers judges a clear path to adju-
dicate information privacy cases, and it suggests that a robust breach of confidenti-
ality tort may be an effective weapon against breaches of privacy, from wide dis-
semination on YouTube to the scourge of nonconsensual pornography, or ‘revenge
porn.’ It can be used by victims of cyber harassment when embarrassing, intimate,
or stigmatizing videos are publicized. It also can affect any aspect of the law that
 Privacy as Trust 17

focuses on publicity or publicness because it tries to draw a line between public

and nonpublic information.
Some might argue that privacy-as-trust replaces one elusive term – privacy –
with another – trust – and, therefore, does little to clarify a vexing and varied con-
cept. There is undoubtedly disagreement among social scientists about the nature
and determinants of trust, but I have endeavored to clarify the argument in this ar-
ticle by showing how there is remarkable uniformity at the core of trust literature. I
have also narrowed the scope of the discussion to the information-sharing context
and provided tools for practical implementation through the tort of breach of confi-
dentiality.
Seeing privacy as a behavioral exchange of trust and discretion will undoubted-
ly change how we talk about privacy and, as I have discussed, give judges and le-
gal policymakers clear paths to address certain privacy questions. Privacy-as-trust
aims to reorient the way we think and write about information privacy. One of its
goals is to break convention and inspire further study. But its primary goal is the
protection of privacy in a digital world where information flows are instantaneous,
inexpensive, and constant. Situating privacy within its social role is a necessary
step toward answering questions posed by Internet, mobile, and future, as yet un-
imagined, technologies. Sometimes, protecting privacy in this world can feel like
tilting at a windmill. But that is only true if we think about privacy in its conven-
tional form. Internet and digital technologies have tapped into an innate human de-
sire to share. Privacy studies should not resist that; they should embrace it.

Works Cited

Primary Sources

Coco v. A.N. Clark (Engineers) Ltd. [1969] R.P.C. 41 (U.K.).

Duran v. Detroit News. 504 N.W.2d 715 (Mich. Ct. App. 1993).
Dwyer v. American Express. 652 N.E.2d 1351 (Ill. Ct. App. 1995).
Multimedia WMAZ, Inc. v. Kubach. 443 S.E.2d 491 (Ga. Ct. App. 1994).
Nader v. General Motors. 255 N.E.2d 765 (N.Y. 1970).
Sanders v. ABC. 978 P.2d 67 (Cal. 1999).
Shibley v. Time. 341 N.E.2d 337 (Ohio Ct. App. 1975).
Stephens v. Avery [1988] 2 W.L.R. 1280 (U.K.).
Upjohn v. United States. 449 U.S. 383 (1981).
Y.G. v. Jewish Hospital. 795 S.W.2d 488 (Mo. Ct. App. 1990).
18 Ari Ezra Waldman

Secondary Sources

Doney, Patricia, Joseph Cannon, and Michael Mullen. “Understanding the Influ-
ence of National Culture on the Development of Trust.” The Academy of Man-
agement Review 23.3 (1998): 601-20. Print.Good, Diego (ed.). Individuals, In-
terpersonal Relations, and Trust in, Trust: Making and Breaking Cooperative
Relations. New York: B. Blackwell, 1988. Print.
Granovetter, Mark. “Economic Action and Social Structure: A Theory of Embed-
dedness.” American Journal of Sociology 91.3 (1985): 481-510. Print.
Hartzog, Woodrow. “Reviving Implied Confidentiality.” Indiana Law Review 89
(2014): 763-806. Print.
Jones, Gareth, and Jennifer George. “The Experience and Evolution of Trust: Im-
plications for Cooperative Teamwork.” The Academy of Management Review
23.3 (1998): 531-46. Print.
Lenhart, Amanda, and Mary Madden. “Teens, Privacy, and Online Social Net-
works.” Pew Internet and American Life Project. 18 April 2007. Web. 15 Au-
gust 2015. <http://www.pewinternet.org/2007/04/18/teens-privacy-and-online-
social-networks/>.
Lewis, J. David, and Andrew Weigert. “Trust as a Social Reality.” Social Forces
63.4 (1985): 967-85. Print.
Luhmann, Niklas. Trust and Power. New York: John Wiley & Sons, 1979. Print.
Macy, Michael, and John Skvoretz. “The Evolution of Trust and Cooperation
Among Strangers: A Computational Model.” American Sociological Review
63.5 (1998): 638-60. Print.
McKnight, D. Harrison, Larry Cummings, and Norman Chervany. “Initial Trust
Formation in New Organizational Relationships.” Academy of Management
Review 23.3 (1998): 473-90. Print.
Möllering, Guido. “The Nature of Trust: From Georg Simmel to a Theory of Ex-
pectation, Interpretation and Suspension.” Sociology 35.2 (2001): 403-20. Print.
Nannestad, Peter. “What Have We Learned About Generalized Trust, If Any-
thing?” Annual Review of Political Science 11 (2008): 413-36. Print.
Newton, Ken, and Sonja Zmerli. “Three Forms of Trust and Their Association.”
European Political Science Review 3.2 (2011): 169-200. Print.
Nissenbaum, Helen. “Privacy as Contextual Integrity.” Washington Law Review
79.1 (2004): 101-39. Print.
---. “Protecting Privacy in the Information Age: The Problem of Privacy in Public.”
Law & Philosophy 17 (1998): 559-96. Print.
Offe, Claus. “How Can We Trust Our Fellow Citizens.” Democracy and Trust. Ed.
Mark Warren. Cambridge: Cambridge University Press, 1999. Print.
Parsons, Talcott. Action Theory and the Human Condition. New York: Free Press,
1978. Print.
 Privacy as Trust 19

Pasquale, Frank. The Black Box Society: The Secret Algorithms that Control Mon-
ey and Information. Cambridge, MA: Harvard University Press, 2015. Print.
Richards, Neil, and Daniel Solove. “Privacy’s Other Path: Recovering the Law of
Confidentiality.” Georgetown Law Journal 96 (2007): 123-82. Print.
Scott, Gini Graham. Mind Your Own Business: The Battle for Personal Privacy.
Plenum Press, 1995. Print.
Simmel, Georg. The Philosophy of Money. Routledge, 1990. Print.
---. “The Sociology of Secrecy and of Secret Societies.” American Journal of Soci-
ology 11.4 (1906): 441-98. Print.
Six, Frederique, Bart Nooteboom, and Adriaan Hoogendoorn. “Actions that Build
Interpersonal Trust: A Relational Signaling Perspective.” Review of Social
Economy 68.3 (2010): 285-315. Print.
Solove, Daniel. The Digital Person: Technology and Privacy in the Information
Age. New York: New York University Press, 2004. Print.
---. “Conceptualizing Privacy.” California Law Review 90.4 (2002): 1087-154.
Print.
Strahilevitz, Lior Jacob. “A Social Networks Theory of Privacy.” University of
Chicago Law Review 72 (2005): 919-88. Print.
Toulson, The Hon R. G., and Charles Phipps. Confidentiality. London, UK: Sweet
and Maxwell, 1996. Print.
Uslaner, Eric. “Producing and Consuming Trust.” Political Science Quarterly 115
(2000): 569-90. Print.
Waldman, Ari Ezra. “Privacy As Trust: Sharing Personal Information in a Net-
worked World.” University of Miami Law Review 69 (2015): 301-71. Print.
Welch, Michael, David Sikkink, and Matthew Loveland. “The Radius of Trust: Re-
ligion, Social Embeddedness and Trust in Strangers.” Social Forces 86.1
(2007): 23-46. Print.
Williams, Michelle. “In Whom We Trust: Group Membership as an Affective Con-
text for Trust Development.” Academy of Management Review 26 (2001): 377-
396. Print.
Yamagishi, Toshio, and Midori Yamagishi. “Trust and Commitment in the United
States and Japan.” Motivation and Emotion 18 (1994): 129-66. Print.