Interoperability is a topic that has long been of interest to me. How networks, platforms, and devices work with each other–or sometimes fail to–is an important engineering, business, and policy issue. Back in 2012, I spilled out over 5,000 words on the topic when reviewing John Palfrey and Urs Gasser’s excellent book, Interop: The Promise and Perils of Highly Interconnected Systems.

I’ve always struggled with the interoperability issues, however, and often avoided them became of the sheer complexity of it all. Some interesting recent essays by sci-fi author and digital activist Cory Doctorow remind me that I need to get back on top of the issue. His latest essay is a call-to-arms in favor of what he calls “adversarial interoperability.” “[T]hat’s when you create a new product or service that plugs into the existing ones without the permission of the companies that make them,” he says. “Think of third-party printer ink, alternative app stores, or independent repair shops that use compatible parts from rival manufacturers to fix your car or your phone or your tractor.”

Doctorow is a vociferous defender of expanded digital access rights of many flavors and his latest essays on interoperability expand upon his previous advocacy for open access and a general freedom to tinker. He does much of this work with the Electronic Frontier Foundation (EFF), which shares his commitment to expanded digital access and interoperability rights in various contexts.

I’m in league with Doctorow and EFF on some of these things, but also find myself thinking they go much too far in other ways. At root, their work and advocacy raise a profound question: should there be any general right to exclude on digital platforms? Although he doesn’t always come right out and say it, Doctorow’s work often seems like an outright rejection of any sort of property rights in networks or platforms. Generally speaking, he does not want the law to recognize any right for tech platforms to exclude using digital fences of any sort.

Where to Draw the Lines?

As someone who has authored a book about the importance of permissionless innovation, I need to be able to answer questions about where these lines between open versus closed systems are drawn. Definitions and framing matter, however. I use “permissionless innovation” as a descriptor for one possible policy disposition when considering where legal and regulatory defaults should be set. Another conception of permissionless innovation is more of an engineering ideal; a general freedom to connect, tinker, modify, etc. (I speak more about these conceptions in my latest book, Evasive Entrepreneurs.) Of course, someone advocating permissionless innovation as a policy default will sometimes be confronted with the question of what the law should say when someone behaves in an “evasive” fashion in the latter conception of permissionless innovation.

Doctorow would generally answer that question by saying that law should not be rigged to favor exclusion through laws like the DMCA (and specifically the law’s anti- circumvention provisions), Computer Fraud and Abuse Act, patent law, and various other rules and laws. “[T]he current crop of Big Tech companies has secured laws, regulations, and court decisions that have dramatically restricted adversarial interoperability.”

Generally speaking, I agree. I’m not a fan of technocratic laws or regulations that seek to micro-manage interoperability and which stack the deck in favor of exclusionary conduct with steep penalties for evasion. But does that mean adversarial interoperability should be permitted in all cases? Should there exist any sort of common law presumption one way or the other when a user or competitor seeks access to an existing private platform or device?

Specifics matter here and I don’t have time to get into all the case studies that Doctorow goes through. Some are no-brainers, like the infamous Lexmark case involving refillable printer ink cartridges. Other cases are far more complicated, at least for me. Does Epic, creator of Fortnite, have a right of adversarial interoperability that it can exercise against Apple and their AppStore? As Dirk Auer suggests in a new essay, this episode looks more like a straightforward pricing dispute. Epic is making it out to be much more than that, suggesting Apple is guilty of unfair and exclusionary practices that require a legal remedy.

Why not take that logic further and just say Apple’s App Store us tantamount to a natural monopoly or digital essential facility that Epic and everyone else is entitled to on whatever terms they want? For that matter, why not apply the same logic to Epic’s Fortnite platform or even its Unreal Engine? Does every other gaming developer have a right to piggyback on the juggernaut that Epic has built?

This gets to the core question about Doctorow’s concept of adversarial interoperability: Exactly what should common law and the courts say platform owners make access rights a simple pricing matter and say: “You pay or you are out.” Like Doctorow and EFF, I don’t want Apple to benefit from any special favors from laws like DMCA. Where we differ is that I would still leave the door open for Apple to exercise various other common law contractual rights or property rights in court.

I suspect Doctorow would deny any such claims by Apple or anyone else. If so, I would like to see him spell out in more precise terms exactly what Apple’s property rights and contractual rights are in this instance. Or, again, should we just treat the App Store as a digital commons with unfettered open access rights for developers? If so, would Apple be required to still manage the resource once it is a quasi-commons?

I think that would end miserably, but would like to hear Doctorow’s preferred approach before saying more. I suspect a lot rides on the distinction between “open” verses “proprietary” standards, but compared to Doctorow and EFF, I am willing to embrace a world of both open and proprietary systems, and many hybrids in between. I don’t want the law favoring one type over the other, but that means I need to endorse a generalized property right for digital operators such that they can still exclude others (even in the absence of artificial regulatory rights like DMCA creates). Again, I suspect Doctorow would reject that standard, preferring a generalized right of access, even if that means the platforms become de facto commons.

More Radical Steps

Elsewhere, Doctorow has said is that some of these questions would be better addressed through more aggressive antitrust regulation. Mere data portability or mandatory interoperability isn’t enough for him. “Data portability is important,” Doctorow says, “but it is no substitute for the ability to have ongoing access to a service that you’re in the process of migrating away from.”

In his latest online book on “How to Destroy Surveillance Capitalism,” Doctorow suggests that it is time to “make Big Tech small again” through an “anti-monopoly ecology movement.” That “means bans on mergers between large companies, on big companies acquiring nascent competitors, and on platform companies competing directly with the companies that rely on the platforms.” And he desires a host of other remedies.

So, here we have the convergence of interoperability policy and antitrust policy, with a layer of property confiscation layered on top apparently. “Now it’s up to us to seize the means of computation, putting that electronic nervous system under democratic, accountable control,” he insists in his latest manifesto.

What’s funny about this is that Doctorow begins most of his essays by pointing out all the ways that politics is the problem when it comes to access issues, only to end by suggesting that a lot more political meddling is the required solution. He repeatedly laments how large tech players have so often been able to convince lawmakers and regulators to pass special laws or regulations that work to their favor. Yet, in his We-Can-Build-A-Better-Bureaucrat model of things, all those old problems will apparently disappear when we get the right people in power and get rid of those nefarious capitalist schemers.

Thus, what really animates Doctorow’s advocacy for adversarial interoperability is a deep suspicion of free market capitalism and property rights in particular. In this worldview, interoperability really just becomes a Trojan Horse meant to help bring down the entire capitalist order. Am I exaggerating? “As to why things are so screwed up? Capitalism.” Those are his exact words from the conclusion of his latest book.

Adversarial Innovation & Evolutionary Interop

Still, Doctorow raises many legitimate issues about interconnection and digital access rights. But we need a better approach to work though these questions than the one he suggests.

In my lengthy review of the Palfrey and Gasser Interop book, I tried to sketch out an alternative framework for thinking seriously about these issues. I referred to my preferred approach as “experimental interoperability” or “evolutionary interoperability.” I described this as the theory that ongoing marketplace experimentation with technical standards, modes of information production and dissemination, and interoperable information systems, is almost always preferable to the artificial foreclosure of this dynamic process through state action. The former allows for better learning and coping mechanisms to develop while also incentivizing the spontaneous, natural evolution of the market and market responses.

Adversarial interoperability is important, but not nearly as important as adversarial innovation and facilities-based competition. Stated differently, access rights to existing systems is an important value, but the incentives we have in place to encourage entirely new systems is what really matters most. At some point, a generalized right of access to existing systems discourages the sort of platform-building that could help give rise to the sort of creative destruction we have seen at work repeatedly in the past and that we still need today. Taken too far, adversarial interoperability threatens to undermine this goal. Why seek to build a better alternative platform if you can just endlessly free ride off someone else’s by force of law?

Thus, I prefer to work at the margins and think through how to balance these competing claims of access / interoperability rights versus contractual / property rights. My take will be too utilitarian for not only Doctorow but also for some libertarians, who want clear answers to all these questions based upon their preferred natural law-oriented constructions of rights. The problem with that approach is that it leads to all-or-nothing extremes (complete digital property rights, or virtually none) and that approach is fundamentally unworkable and destructive. We need to work harder about how to balance these rights and values in pro-competitive, pro-innovation fashion.

There is No Such Thing as Optimal Interoperability

In sum, there is no such thing as “optimal interoperablity.” Sometimes proprietary or “closed” systems will offer the public features and options that they will find preferable to “open” ones.  “There are many reasons why consumers might prefer ‘closed’ systems – even when they have to pay a premium for them,” argues Dirk Auer in a separate essay. It could be greater convenience, security, or other things. Palfrey and Gasser correctly noted in their book that, “the state is rarely in a position to call a winner among competing technologies” (p. 174). Moreover, they concluded:

“Lawmakers need to keep in view the limits of their own effectiveness when it comes to accomplishing optimal levels of interoperability. Case studies of government intervention, especially where complex information technologies are involved, show that states tend to be ill suited to determine on their own what specific technology will be the best option for the future (p. 175)

A thousand amens to that! The law should not artificially foreclose experimentation with many different types of platforms, standards, devices and the interoperability that exists among them.

The success of the Internet and the modern digital economy was due to its open, generative nature, driven by the ethos of “permissionless innovation.” A “light-touch” policy regime helped make this possible. Of particular legal importance was the immunization of online intermediaries from punishing forms of liability associated with the actions of third parties.

As “software eats the world” and the digital revolution extends its reach to the physical world, policymakers should extend similar legal protections to other “generative” tools and platforms, such as robotics, 3D printing, and virtual reality.

In other words, we need a Section 230 for the “maker” movement.

The Internet’s Most Important Law

Today’s vibrant Internet ecosystem likely would not exist without “Section 230” (47 U.S.C. § 230) of the Telecommunications Act of 1996. That law, which recently celebrated its 20^th anniversary, immunized online intermediaries from onerous civil liability for the content and communications that travelled over their electronic networks.

The immunities granted by Section 230 let online speech and commerce flow freely, without the constant threat of legal action or onerous liability looming overhead for digital platforms. Without the law, many of today’s most popular online sites and services might have been hit with huge lawsuits for the content and commerce that some didn’t approve of on their platforms. It is unlikely that as many of them would have survived if not for Section 230’s protections.

For example, sites such as eBay, Facebook, Wikipedia, Angie’s List, Yelp, and YouTube all depend on Section 230 immunities to shield them from potentially punishing liability for the content that average Americans post to those sites. But Section 230 protects countless small sites and services just as much as those larger platforms and it has been an extraordinary boon to online commerce and speech.

Extending Immunities to Other General-Purpose Technologies: 3 Models

To foster generativity and permissionless innovation for the next wave of tech entrepreneurs, it may be necessary to immunize some intermediaries (i.e., platform providers or device manufacturers) from punishing forms of liability, or at least to limit liability in some fashion to avoid the chilling effect that excessive litigation can have on life-enriching innovation. Specifically, they should be immunized from liability associated with the ways third-parties use their platforms or devices to speak, experiment, or innovate.

“The past ten years have been about discovering new ways to create, invent, and work together on the Web,” noted Chris Anderson in his book Makers: The New Industrial Revolution. “The next ten years will be about applying those lessons to the real world.” But that can only happen if we get public policy right.

Thus, the creators of newer general-purpose technologies may need to receive certain limited immunizations from liability for the ways third-parties use their devices. If troublemakers use general-purpose technologies to do harm—i.e., cybersecurity violations, privacy invasions, copyright infringement, etc.—it is almost always more sensible to hold those problematic users directly accountable for their actions.

The other approach—holding those intermediaries accountable for the actions of third parties—will discourage innovators from creating vibrant, open platforms and devices that could facilitate new types of speech and commerce. Therefore, an embrace of permissionless innovation requires a rejection of such middleman deputization schemes.

There are three different existing immunity models we might consider applying to emerging general-purpose technologies.

Model #1: Section 230 & online services

The first model, of course, is Section 230 itself.  Section 230 stipulated that it is the policy of the United States “to promote the continued development of the Internet and other interactive computer services and other interactive media,” and “to preserve the vibrant and competitive free market that presently exists for the Internet and other interactive computer services, unfettered by Federal or State regulation.” To accomplish that, the law made it clear that, “No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.”

Since implementation of Section 230 two decades ago, courts have generally read this immunity fairly broadly, so much so that some critics have argued that 230’s scope has been enlarged well beyond congressional intent. Even if that is true, I believe that has been a net positive (excuse the pun) and that it is not only wise to preserve that sweeping immunity but extend it to other technologies and sectors.

Model #2: Firearm manufacturing

Another immunization model can be found in the Protection of Lawful Commerce in Arms Act of 2005 (Pub. L. No. 109-92, 119 Stat. 2095). Although “lawsuits alleging negligent distribution plagued the firearm industry until 2005,” the Protection of Lawful Commerce in Arms Act “effectively ended the ‘gun tort’ era,” notes Peter Jensen-Haxel. The law did so by granting gun manufacturers immunities for such legal actions. (It would seem that, by extension, those who use 3D printers to create firearms will also be immunized from civil actions.)

Importantly, unlike Section 230, which provided broad immunity by default to all online platforms, the Protection of Lawful Commerce in Arms Act applied to manufactures/sellers that fit into the certain qualifications (i.e., they get immunity if they comply with certain licensing rules, record keeping requirements, etc.). This tension between broad versus targeted immunity will become the subject of debate for emerging general-purpose technologies as scholars and policymakers contemplate optimal default liability rules.

Model #3: Vaccines

A final legal immunization model comes, ironically, from the world of medical immunizations. As part of the National Childhood Vaccine Injury Act of 1986 (42 U.S.C. §§ 300aa-1 to 300aa-34), Congress created The National Vaccine Injury Compensation Program, “after lawsuits against vaccine companies and health care providers threatened to cause vaccine shortages and reduce U.S. vaccination rates, which could have caused a resurgence of vaccine preventable diseases.”

As described by the U.S. Department of Health and Human Services, the program, “is a no-fault alternative to the traditional legal system for resolving vaccine injury petitions.” Thus, those suffering injuries from vaccines are able to seek compensation from this program instead of having to sue vaccine companies.

As Avery Johnson of the Wall Street Journal noted in 2009 article about the program, “A spate of lawsuits against vaccine makers in the 1970s and 1980s had caused dozens of companies to get out of the low-profit business, creating a public-health scare. The strategy worked and the public health implications have been sizable. Vaccines have driven huge reductions — and in the case of smallpox, for instance, complete eradications — of major childhood diseases.”

This model is obviously very different than Section 230 and the Protection of Lawful Commerce in Arms Act in that it includes a government-created compensation fund provided as an alternative to civil lawsuit remedies. In all likelihood, such a compensation fund would not be necessary for new general-purpose “maker” technologies or sectors.

Nonetheless, this model could, perhaps, have some relevance for certain narrow classes of those technologies. For example, 3D-printed medical devices might be one area where it would make sense to exempt from liability the creators of 3D printers and the platforms over which 3D printer blueprints are distributed. But if there is significant resulting harm from some of those devices or plans, it remains unclear how compensation would work and who would be picking up the tab for it. The National Vaccine Injury Compensation Program offers one potential answer, although it may not be wise to craft such a consumer-funded or taxpayer-supported program for other reasons. Even if creating a government-run compensation fund was eventually seen as a good idea, we cannot determine how big the fund should be until some actual harms occur.

Three Sectors to Cover

Next, we should consider which sectors or technologies should be eligible for such immunities.

I wish it was possible to craft some sort of “General-Purpose Technology Immunization Act” that would shield such platforms and technologies from onerous liability associated with third-party uses. Realistically, however, it is not likely such a broad-based regime could achieve political traction. There would just be too many opposing forces. Moreover, there may be some unique distinctions between technologies and sectors which necessitate specialized legal regimes.

In any event, I believe a good case can be made for adopting some sort of legal immunity regime for three specific technologies: Robotics, 3D printing, and immersive technology (i.e., virtual reality and augmented reality).

Robotics

Ryan Calo, professor of law at the University of Washington School of Law, has done important work on the law of robotics and he has suggested that such legal immunities may need to be extended to this field. In his 2011 Maryland Law Review article on “Open Robotics,” Calo made his case as follows:

To preempt a clampdown on robot functionality, Congress should consider immunizing manufacturers of open robotic platforms from lawsuits for the repercussions of leaving robots open.  Specifically, consumers and other injured parties should not be able to sue roboticists, much less recover damages, where the injury resulted from one of the following: (1) the use to which the consumer decided to put the robot, no matter how tame or mundane; (2) the nonproprietary software the consumer decided to run on the robot; or (3) the consumer’s decision to alter the robot physically by adding or changing hardware. This immunity would include lawful and unlawful uses of the robot. (p. 134) . . . The immunity I propose is selective: Manufacturers of open robots would not escape liability altogether. For instance, if the consumer runs the manufacturer’s software and the hardware remains unmodified, or if it can be shown that the damage at issue was caused entirely by negligent platform design, then recovery should be possible. The immunity I propose only applies in those instances where it is clear that the robot was under the control of the consumer, a third party software, or otherwise the result of end-user modification. Because this issue will not always be easy to prove, we should expect litigation at the margins. I am thus arguing for a compromise position: A presumption against suit unless the plaintiff can show the problem was clearly related to the platform’s design. (p. 136)

I find this entirely convincing and I also believe Calo is wise to begin with robotics as the first target for such legal immunization because such technologies are already being widely manufactured and deployed today.

These liability questions are already being widely debated, for example, in the field of autonomous systems and driverless cars in particular. I’d like to believe that the common law would sort out these things fairly quickly and that an efficient liability regime would emerge from autonomous technologies in short order.

Alas, because America lacks a “loser pays” rule, a perverse incentive exists for overly-zealous trial lawyers to file an avalanche of lawsuits at the first sign of any problem. This could significantly hamper the development of autonomous technologies, which have the potential to immediately decrease the staggering death toll associated with human error behind the wheel. Therefore, it may be necessary for Congress to craft some sort of limited immunity regime for autonomous technology makers to ensure that the development of these potential life-saving technologies is not discouraged by the looming threat of perpetual litigation.

3D Printing

3D printing would be my second choice for a general-purpose technology that should be covered by some sort of intermediary immunity model.

In a forthcoming law review article for the Minnesota Journal of Law, Science & Technology, Adam Marcus and I argue that “the manufacturers of 3D printing devices and the website operators hosting blueprints for 3D-printed objects may need to be protected from liability to avoid chilling innovation. In this sense, a ‘Section 230 for 3D printing’ might be needed.”

We discuss three specific ways that 3D printers could be used by third-parties in such a way that existing laws or regulations are implicated and someone might seek to bring action against the manufacturers of 3D printers or 3D printing marketplaces, like Shapeways or Thingiverse. These cases involve things like 3D-printed prosthetics, which could raise policy concerns at the Food and Drug Administration, and 3D-printed toys or sculptures, which could present intellectual property issues.

But perhaps the most interesting case study for liability purposes will be 3D-printed firearms, which are already raising a great deal of controversy. Marcus and I argue, once again, that “the proper focus of regulation should remain on the user and uses of firearms, regardless of how they are manufactured.” And because, as already noted, the Protection of Lawful Commerce in Arms Act immunizes gun manufacturers from legal liability for third-party actions, it would seem logical that the law’s protections would extend to 3D-printed firearms. Moreover, Section 230 itself (and perhaps also the First Amendment) might also apply to 3D printing design schematics that appear on various websites or 3D printing marketplaces.

Generally speaking, Marcus and I argue, “imposing liability on third parties—sites hosting schematics, search engines, and manufacturers of devices—seems neither workable nor wise. There exists a broad spectrum of general-purpose technologies that can be used to facilitate criminal activity,” we note, such as cars, computers, or paper printers. But we don’t blame those intermediaries when those technologies are used by third parties in criminal acts. The same principle should apply to 3D printers.

Things get more complicated when intellectual property issues are brought into the debate. In an important 2014 article, “Patents, Meet Napster: 3D Printing and the Digitization of Things,” Deven R. Desai and Gerard N. Magliocca sketched out the potential case for some sort of limited immunity as it pertains to patent infringement and 3D printing. “An obstacle to the growth of 3D printing that Congress should consider addressing is that individuals who engage in that activity are strictly liable if they infringe a patent,” they note, but they continue on to add that:

Exempting personal 3D printing from patent infringement without undermining other aspects of the regulatory scheme will not be easy. It would not be a good idea for Congress to create a fair use exception for all patents or make infringement an intentional tort, as those changes would sweep too far. Targeting 3D printing itself is a possibility, but in that case the legislation would have to distinguish between personal and commercial activity, as there is no rationale for saying that all 3D printing leading to patent infringement, including what Fortune 500 firms do, should be permitted. Drawing that kind of line with a substantive legal standard, though, will generate years of litigation and may not effectively separate the good from the bad. One alternative, should Congress opt to give personal 3D printing some immunity, would be to set a relatively high minimum amount-in-controversy for federal jurisdiction over any [patent] infringement claims involving this technology. (p. 1717)

Getting this balance right will be tricky, yet essential. “Patent law and industries that rely on patents will have to adapt to this new environment or face potential obsolescence,” Desai and Magliocca correctly conclude.

Immersive Technology

A final sector we might eventually want to apply some sort of intermediary immunity model to is immersive technology. “Immersive technology” refers to services that currently utilize wearable devices (such as a head-mounted display or headset) to let users explore virtual worlds, virtual objects, or hologram-like projections. Immersive technology can be separated into two different, but related groups: virtual reality (VR) and augmented reality (AR).

These technologies are still in the cradle, but many companies are already developing VR and AR technologies for both entertainment and professional uses. As they gain more widespread usage, immersive technologies could raise some policy issues, including concerns about privacy, intellectual property (ex: who owns certain “experiences”), and potentially even worries about distraction and addiction.

It would not be surprising, therefore, if some critics begin advocating greater regulation of, or liability for, VR and AR intermediaries. If that happens, policymakers will need to consider immunizing them from the threat of lawsuits or else innovation will die in these sectors.

Conclusion

Following the general logic of permissionless innovation, and understanding the importance of keeping intermediaries free of punishing liability for what others might do with their general-purpose technologies and platforms, the proper focus of regulation should remain on the user and uses of those technologies.

Accordingly, policymakers should craft a “Section 230 for the maker movement” by adopting legal protections for robotics, 3D printing, and immersive technology. At the same time, we should seek out better solutions—legal and otherwise—to the old problems that might persist or new ones that might come about due to the use of these new devices and platforms. But we should not let hypothetical worst-case scenarios and concerns about future technologies lead us down a path where intermediaries are “deputized” or hit with punishing liability for downstream actions by third parties.

Note#1 : This is a preliminary sketch of a law review article I would eventually like to write entitled, “A Section 230 for the “Makers” Movement: Extending Section 230 Immunities to Robotics, 3D Printing & Virtual Reality.” Toward that end, I welcome suggestions for (a) which general-purpose technologies deserve some sort of immunization, and also (b) what other legal immunity regimes exist that we could learn from. Please forward any ideas you might have along to me.

Note #2: My thanks to Adam Marcus and Christopher Koopman for their helpful suggestions on this essay.

I’ve been thinking about the “right to try” movement a lot lately. It refers to the growing movement (especially at the state level here in the U.S.) to allow individuals to experiment with alternative medical treatments, therapies, and devices that are restricted or prohibited in some fashion (typically by the Food and Drug Administration). I think there are compelling ethical reasons for allowing citizens to determine their own course of treatment in terms of what they ingest into their bodies or what medical devices they use, especially when they are facing the possibility of death and have exhausted all other options.

But I also favor a more general “right to try” that allows citizens to make their own health decisions in other circumstances. Such a general freedom entails some risks, of course, but the better way to deal with those potential downsides is to educate citizens about the trade-offs associated with various treatments and devices, not to forbid them from seeking them out at all.

The Costs of Control

But this debate isn’t just about ethics. There’s also the question of the costs associated with regulatory control. Practically speaking, with each passing day it becomes harder and harder for governments to control unapproved medical devices, drugs, therapies, etc.  Correspondingly, that significantly raises the costs of enforcement and makes one wonder exactly how far the FDA or other regulators will go to stop or slow the advent of new technologies.

I have written about this “cost of control” problem in various law review articles as well as my little Permissionless Innovation book and pointed out that, when enforcement challenges and costs reach a certain threshold, the case for preemptive control grows far weaker simply because of (1) the massive resources that regulators would have to pour into the task on crafting a workable enforcement regime; and/or (2) the massive loss of liberty it would entail for society more generally to devise such solutions. With the rise of the Internet of Things, wearable devices, mobile medical apps, and other networked health and fitness technologies, these issues are going to become increasingly ripe for academic and policy consideration.

A Hypothetical Regulatory Scenario

Here’s an interesting case study to consider in this regard:  Can  3D printing  of prosthetics be controlled? Clearly prosthetics are medical devices in the traditional regulatory sense, but few people are going to the FDA and asking for permission or a “right to try” new 3D-printed limbs. They’re just doing it. And the results have been incredibly exciting, as my Mercatus Center colleague Robert Graboyes has noted.

But let’s imagine what the regulators might do if they really wanted to impose their will and limit the right to try in this context:

• Could government officials ban 3D printers outright? I don’t see how. The technology is already too diffuse and is utilized for so many alternative (and uncontroversial) uses that it doesn’t seem likely such a control regime would work or be acceptable. And if any government did take this extreme step, “global innovation arbitrage” would kick in. That is, innovators would just move offshore.
• Could government officials ban the inputs used by 3D printers? Again, I don’t see how. After all, we are primarily talking about plastics and glue here!
• Could government officials ban 3D printer blueprints? Two problems with that. First, such blueprints are a form of free speech and government efforts to censor them would represent a form of prior restraint that would violate the First Amendment of the U.S. Constitution. Second, even ignoring the First Amendment issues, information control is just damned hard and I don’t see how you could suppress such blueprints effectively when are they are freely available across the Internet. Or, people would just “torrent” them, as they do (illegally) with copyrighted files today.
• Could government officials ban and/or fine specific companies (especially those with deep pockets)? Perhaps, but that is likely a losing strategy since 3D printing is already so highly decentralized and is done by average citizens in the comfort of their own home (and often for no monetary gain). So, attempting to go after a handful of corporate players and “make an example out of them” to deter others from experimenting isn’t likely to work. And, again, it’ll just lead to more offshoring and undergrounding of these devices and innovative activities.
• Could government officials ban the sale of certain 3D printing applications? They could try, but enterprising minds would likely start using alternative payment methods (like Bitcoin) to conduct their deals. But the question of payments is largely irrelevant in many fields because much of this activity is non-commercial and open-source in character. People are freely distributing blueprints for 3D-printed prosthetics, for example, and they are even giving away the actual 3D-printed prosthetic devices to those who need them.
• Could government officials just create a licensing / approval regime for narrowly-targeted 3D printed medical devices? Of course, but for all the reasons outlined above, it would likely be pretty easy to evade such a regime. Moreover, the very effort to enforce such a licensing regime would likely deter many beneficial innovations in the process, while also leading to the old cronyist problems associated with firms engaging in rent-seeking and courting favor with regulators in order to survive or prosper.

Anyway, you get the point: The practicality of control makes a difference and at some point the enormous costs associated with enforcement become an ethical matter in its own right. Stated differently, it’s not just that citizens should generally be at liberty to determine their own treatments and decide what drugs they ingest and what medical devices they use, it’s also the case that regulatory efforts aimed at limiting that right have so many corresponding enforcement costs that can spillover on to society more generally. And that’s an ethical matter of a different sort when you get right down to it. But, at a minimum, it’s an increasingly costly strategy and the costs associated with such technological control regimes should be considered closely and quantified where possible.

The Need for a Shift toward Risk Education

Let’s return to the question I raised above regarding the educational role that the FDA, or governments more generally, could play in the future. As I noted, a world in which citizens are granted the liberty to make more of their own health decisions is a world in which they could, at times, be rolling the dice with their health and lives. The highly paternalistic approach of modern food and drug regulation is rooted in the belief that citizens simply cannot be trusted to make such decisions on their own because they will never be able to appreciate the relative risks. You might be surprised to hear that I am somewhat sympathetic to that argument. People can and do make rash and unwise decisions about their health based on misinformation or a general lack of quality information presented in an easy-to-understand fashion. As a result, policymakers have taken the right to make these decisions away from us in many circumstances.

Although motivated by the best of intentions, paternalistic controls are not the optimal way to address these concerns. The better approach is rooted in risk education. To reiterate, the wise way to deal with the potential downsides associated with freedom of choice is to educate citizens about the relative risks associated with various medical treatments and devices, not to forbid them from seeking them out at all.

What does that mean for the future of the FDA? If the agency was smart, it would recognize that traditional command-and-control regulation is no longer a sensible strategy; it’s increasingly unworkable and imposes too many other costs on innovators and personal liberty. Thus, the agency needs to reorient its focus toward becoming a risk educator. Their goal should be to help create a more fully-informed citizenry that is empowered with more and better information about relative risk trade-offs.

Overcoming the Opposition & Getting Consent Mechanisms Right

Such an approach (i.e., shifting the FDA’s mission from being primarily a risk regulator to becoming a risk educator) will encounter opposition from strident defenders and opponents of the FDA alike.

The defenders of the FDA and its traditional approach will continue to insist that people can  never be trusted to make such decisions on their own, regardless of how much information they have at their disposal or how many warnings we might give them. The problem with that position is that it treats citizens like ignorant sheep and denies them the most basic of all human rights: The right to live a life of your own choosing and to make the ultimate determinations about your own health and welfare. And, again, blindly defending the old system isn’t wise because traditional command-and-control regulatory methods are increasingly impractical and incredibly costly to enforce.

Opponents of the FDA, by contrast, will insist that the agency can’t even be trusted to provide us with good information for us to make these decisions on our own. Additionally, critics will likely argue that the agency might give us the wrong information or try to “nudge” us in certain directions. I share some of those concerns, but I am willing to live with that possibility so long as we are moving toward a world in which that is the only real power that the FDA possess over me and my fellow citizens. Because if all the agency is doing is providing us with information about risk trade-offs, then at least we still remain free to seek out alternative information from other experts and then choose our own courses of action.

The tricky issue here is getting consent mechanisms right. In fact, it’s the lynchpin of the new regime I am suggesting. In other words, even if we could agree that a more fully-informed citizenry should be left free to make these decisions on their own, we need to make sure that those individuals have provided clear and informed consent to the parties they might need to contract with when seeking alternative treatments. That’s particularly essential in a litigious society like America, where the threat of liability always looms large over doctors, nurses, hospital, insurers, and medical innovators. Those parties will only be willing to go along with an expanded “right to try” regime if they can be assured they won’t be held to blame when citizens make controversial choices that they advised them against, or at least clearly laid out all the potential risks and other alternatives at their disposal. This will require not only an evolution of statutory law and regulatory standards, but also of the common law and insurance norms.

Once we get all that figured out—and it will, no doubt, take some time—we’ll be on our way to a better world where the idea of having a “right to try” is the norm instead of the exception.

(My thanks to Adam Marcus for commenting on a draft of this essay. For more general background on 3D printing, see his excellent 2011 primer here, “3D Printing: The Future is Here.”)

This morning at 9:45, the Senate Committee on Commerce, Science, and Transportation is holding a full committee hearing entitled, “The Connected World: Examining the Internet of Things.” According to the Committee press release, the hearing “will focus on how devices — from home heating systems controlled by users online, to wearable devices that track health and activity with the help of Internet-based analytics — will be made smarter and more dynamic through Internet technologies. Government agencies like the Federal Trade Commission, however, are already considering possible changes to the law that could have the unintended consequence of slowing innovation.”

It is my pleasure to have been invited to testify at this hearing. I’ve long had an interest in the policy issues surrounding the Internet of Things. All my relevant research products can be found online here, including my latest law review article, “The Internet of Things and Wearable Technology Addressing Privacy and Security Concerns without Derailing Innovation.“

My testimony, which can be found on the Mercatus Center website here, begins by highlighting the three general conclusions of my work:

1. First, the Internet of Things offers compelling benefits to consumers, companies, and our country’s national competitiveness that will only be achieved by adopting a flexible policy regime for this fast-moving space.
2. Second, while there are formidable privacy and security challenges associated with the Internet of Things, top-down or one-size-fits-all regulation will limit innovative opportunities.
3. Third, with those first two points in mind, we should seek alternative and less costly approaches to protecting privacy and security that rely on education, empowerment, and targeted enforcement of existing legal mechanisms. Long-term privacy and security protection requires a multifaceted approach incorporating many flexible solutions.

I continue on to elaborate on each point and then conclude my testimony on a note of optimism:

we should also never forget that, no matter how disruptive these new technologies may be in the short term, we humans have an extraordinary ability to adapt to technological change and bounce back from adversity. That same resilience will be true for the Internet of Things. We should remain patient and continue to embrace permissionless innovation to ensure that the Internet of Things thrives and American consumers and companies continue to be global leaders in the digital economy.

My testimony also includes 7 appendices offering more detail for those interested.  Two of those appendices focus on defining the parameters of the Internet of Things as then documenting the projected economic impact associated with this rapidly-growing market.  The other appendices reproduce essays I have published here before, including articles about the Federal Trade Commission’s recent Internet of Things report as well as my thoughts on how to craft a nonpartisan policy vision for the Internet of Things.

Finally, here’s a list of most of my recent work the Internet of Things and wearable technology policy issues for those interested in reading even more about the topic:

• law review article: “The Internet of Things and Wearable Technology Addressing Privacy and Security Concerns without Derailing Innovation,” November 2014.
• essay: “Don’t Hit the (Techno-)Panic Button on Connected Car Hacking & IoT Security,” February 10, 2015.
• essay: “Striking a Sensible Balance on the Internet of Things and Privacy,” January 16, 2015.
• essay: “Some Initial Thoughts on the FTC Internet of Things Report,” January 28, 2015.
• essay: “A Nonpartisan Policy Vision for the Internet of Things,” December 11, 2014.
• slide presentation: “Policy Issues Surrounding the Internet of Things & Wearable Technology,” September 12, 2014.
• essay: “CES 2014 Report: The Internet of Things Arrives, but Will Washington Welcome It?” January 8, 2014.
• essay: “The Growing Conflict of Visions over the Internet of Things & Privacy,” January 14, 2014.
• oped: “Can We Adapt to the Internet of Things?” IAPP Privacy Perspectives, June 19, 2013
• agency filing: My Filing to the FTC in its ‘Internet of Things’ Proceeding, May 31, 2013
• book: Permissionless Innovation: The Continuing Case for Comprehensive Technological Freedom, 2014.
• video: Cap Hill Briefing on Emerging Tech Policy Issues, June 2014.
• essay: “What’s at Stake with the FTC’s Internet of Things Workshop,” November 18, 2013.
• law review article: “Removing Roadblocks to Intelligent Vehicles and Driverless Cars,” September 16, 2014.

Yesterday, the Federal Trade Commission (FTC) released its long-awaited report on “The Internet of Things: Privacy and Security in a Connected World.” The 55-page report is the result of a lengthy staff exploration of the issue, which kicked off with an FTC workshop on the issue that was held on November 19, 2013.

I’m still digesting all the details in the report, but I thought I’d offer a few quick thoughts on some of the major findings and recommendations from it. As I’ve noted here before, I’ve made the Internet of Things my top priority over the past year and have penned several essays about it here, as well as in a big new white paper (“The Internet of Things and Wearable Technology: Addressing Privacy and Security Concerns without Derailing Innovation”) that will be published in the Richmond Journal of Law & Technology shortly. (Also, here’s a compendium of most of what I’ve done on the issue thus far.)

I’ll begin with a few general thoughts on the FTC’s report and its overall approach to the Internet of Things and then discuss a few specific issues that I believe deserve attention.

Big Picture, Part 1: Should Best Practices Be Voluntary or Mandatory?

Generally speaking, the FTC’s report contains a variety of “best practice” recommendations to get Internet of Things innovators to take steps to ensure greater privacy and security “by design” in their products. Most of those recommended best practices are sensible as general guidelines for innovators, but the really sticky question here continued to be this: When, if ever, should “best practices” become binding regulatory requirements?

The FTC does a bit of a dance when answering that question. Consider how, in the executive summary of the report, the Commission answers the question regarding the need for additional privacy and security regulation: “Commission staff agrees with those commenters who stated that there is great potential for innovation in this area, and that IoT-specific legislation at this stage would be premature.” But, just a few lines later, the agency (1) “reiterates the Commission’s previous recommendation for Congress to enact strong, flexible, and technology-neutral federal legislation to strengthen its existing data security enforcement tools and to provide notification to consumers when there is a security breach;” and (2) “recommends that Congress enact broad-based (as opposed to IoT-specific) privacy legislation.”

Here and elsewhere, the agency repeatedly stresses that it is not seeking IoT-specific regulation; merely “broad-based” digital privacy and security legislation. The problem is that once you understand what the IoT is all about you come to realize that this largely represents a distinction without a difference. The Internet of Things is simply the extension of the Net into everything we own or come into contact with. Thus, this idea that the agency is not seeking IoT-specific rule sounds terrific until you realize that it is actually seeking something far more sweeping: greater regulation of all online / digital interactions. And because “the Internet” and “the Internet of Things” will eventually (if they are not already) be considered synonymous, this notion that the agency is not proposing technology-specific regulation is really quite silly.

Now, it remains unclear whether there exists any appetite on Capitol Hill for “comprehensive” legislation of any variety – although perhaps we’ll learn more about that possibility when the Senate Commerce Committee hosts a hearing on these issues on February 11. But at least thus far, “comprehensive” or “baseline” digital privacy and security bills have been non-starters.

And that’s for good reason in my opinion: Such regulatory proposals could take us down the path that Europe charted in the late 1990s with onerous “data directives” and suffocating regulatory mandates for the IT / computing sector. The results of this experiment have been unambiguous, as I documented in congressional testimony in 2013. I noted there how America’s Internet sector came to be the envy of the world while it was hard to name any major Internet company from Europe. Whereas America embraced “permissionless innovation” and let creative minds develop one of the greatest success stories in modern history, the Europeans adopted a “Mother, May I” regulatory approach for the digital economy. America’s more flexible, light-touch regulatory regime leaves more room for competition and innovation compared to Europe’s top-down regime. Digital innovation suffered over there while it blossomed here.

That’s why we need to be careful about adopting the sort of “broad-based” regulatory regime that the FTC recommends in this and previous reports.

Big Picture, Part 2: Does the FTC Really Need More Authority?

Something else is going on in this report that has also been happening in all the FTC’s recent activity on digital privacy and security matters: The agency has been busy laying the groundwork for its own expansion.

In this latest report, for example, the FTC argues that

Although the Commission currently has authority to take action against some IoT-related practices, it cannot mandate certain basic privacy protections… The Commission has continued to recommend that Congress enact strong, flexible, and technology-neutral legislation to strengthen the Commission’s existing data security enforcement tools and require companies to notify consumers when there is a security breach.

In other words, this agency wants more authority. And we are talking about sweeping authority here that would transcend its already sweeping authority to police “unfair and deceptive practices” under Section 5 of the FTC Act. Let’s be clear: It would be hard to craft a law that grants an agency more comprehensive and open-ended consumer protection authority than Section 5. The meaning of those terms — “unfairness” and “deception” — has always been a contentious matter, and at times the agency has abused its discretion by exploiting that ambiguity.

Nonetheless, Sec. 5 remains a powerful enforcement tool for the agency and one that has been wielded aggressively in recently years to police digital economy giants and small operators alike. Generally speaking, I’m alright with most Sec. 5 enforcement, especially since that sort of retrospective policing of unfair and deceptive practices is far less likely to disrupt permissionless innovation in the digital economy. That’s because it does not subject digital innovators to the sort of “Mother, May I” regulatory system that European entrepreneurs face. But an expansion of the FTC’s authority via more “comprehensive, baseline” privacy and security regulatory policies threatens to convert America’s more sensible bottom-up and responsive regulatory system into the sort of innovation-killing regime we see on the other side of the Atlantic.

Here’s the other thing we can’t forget when it comes to the question of what additional authority to give the FTC over privacy and security matters: The FTC is not the end of the enforcement story in America. Other enforcement mechanism exist, including: privacy torts, class action litigation, property and contract law, state enforcement agencies, and other targeted privacy statutes. I’ve summarized all these additional enforcement mechanisms in my recent law review article referenced above. (See section VI of the paper.)

FIPPS, Part 1: Notice & Choice vs. Use-Based Restrictions

Next, let’s drill down a bit and examine some of the specific privacy and security best practices that the agency discusses in its new IoT report.

The FTC report highlights how the IoT creates serious tensions for many traditional Fair Information Practice Principles (FIPPs). The FIPPs generally include: (1) notice, (2) choice, (3) purpose specification, (4) use limitation, and (5) data minimization. But the report is mostly focused on notice and choice as well as data minimization.

When it comes to notice and choice, the agency wants to keep hope alive that it will still be applicable in an IoT world. I’m sympathetic to this effort because it is quite sensible for all digital innovators to do their best to provide consumers with adequate notice about data collection practices and then give them sensible choices about it. Yet, like the agency, I agree that “offering notice and choice is challenging in the IoT because of the ubiquity of data collection and the practical obstacles to providing information without a user interface.”

The agency has a nuanced discussion of how context matters in providing notice and choice for IoT, but one can’t help but think that even they must realize that the game is over, to some extent. The increasing miniaturization of IoT devices and the ease with which they suck up data means that traditional approaches to notice and choice just aren’t going to work all that well going forward. It is almost impossible to envision how a rigid application of traditional notice and choice procedures would work in practice for the IoT.

Relatedly, as I wrote here last week, the Future of Privacy Forum (FPF) recently released a new white paper entitled, “A Practical Privacy Paradigm for Wearables,” that notes how FIPPs “are a valuable set of high-level guidelines for promoting privacy, [but] given the nature of the technologies involved, traditional implementations of the FIPPs may not always be practical as the Internet of Things matures.” That’s particularly true of the notice and choice FIPPS.

But the FTC isn’t quite ready to throw in the towel and make the complete move toward “use-based restrictions,” as many academics have. (Note: I have lengthy discussion of this migration toward use-based restrictions in my law review article in section IV.D.). Use-based restrictions would focus on specific uses of data that are particularly sensitive and for which there is widespread agreement they should be limited or disallowed altogether. But use-based restrictions are, ironically, controversial from both the perspective of industry and privacy advocates (albeit for different reasons, obviously).

The FTC doesn’t really know where to go next with use-based restrictions. The agency says that, on one hand, “has incorporated certain elements of the use-based model into its approach” to enforcement in the past. On the other hand, the agency says it has concerns “about adopting a pure use-based model for the Internet of Things,” since it may not go far enough in addressing the growth of more widespread data collection, especially of more sensitive information.

In sum, the agency appears to be keeping the door open on this front and hoping that a best-of-all-worlds solution miraculously emerges that extends both notice and choice and use-based limitations as the IoT expands. But the agency’s new report doesn’t give us any sort of blueprint for how that might work, and that’s likely for good reason: because it probably won’t work at that well in practice and there will be serious costs in terms of lost innovation if they try to force unworkable solutions on this rapidly evolving marketplace.

FIPPS, Part 2: Data Minimization

The biggest policy fight that is likely to come out of this report involves the agency’s push for data minimization. The report recommends that, to minimize the risks associated with excessive data collection:

companies should examine their data practices and business needs and develop policies and practices that impose reasonable limits on the collection and retention of consumer data. However, recognizing the need to balance future, beneficial uses of data with privacy protection, staff’s recommendation on data minimization is a flexible one that gives companies many options. They can decide not to collect data at all; collect only the fields of data necessary to the product or service being offered; collect data that is less sensitive; or deidentify the data they collect. If a company determines that none of these options will fulfill its business goals, it can seek consumers’ consent for collecting additional, unexpected categories of data…

This is an unsurprising recommendation in light of the fact that, in previous major speeches on the issue, FTC Chairwoman Edith Ramirez argued that, “information that is not collected in the first place can’t be misused,” and that:

The indiscriminate collection of data violates the First Commandment of data hygiene: Thou shall not collect and hold onto personal information unnecessary to an identified purpose. Keeping data on the off chance that it might prove useful is not consistent with privacy best practices. And remember, not all data is created equally. Just as there is low quality iron ore and coal, there is low quality, unreliable data. And old data is of little value.

In my forthcoming law review article, I discussed the problem with such reasoning at length and note:

if Chairwoman Ramirez’s approach to a preemptive data use “commandment” were enshrined into a law that said, “Thou shall not collect and hold onto personal information unnecessary to an identified purpose.” Such a precautionary limitation would certainly satisfy her desire to avoid hypothetical worst-case outcomes because, as she noted, “information that is not collected in the first place can’t be misused,” but it is equally true that information that is never collected may never lead to serendipitous data discoveries or new products and services that could offer consumers concrete benefits. “The socially beneficial uses of data made possible by data analytics are often not immediately evident to data subjects at the time of data collection,” notes Ken Wasch, president of the Software & Information Industry Association. If academics and lawmakers succeed in imposing such precautionary rules on the development of IoT and wearable technologies, many important innovations may never see the light of day.

FTC Commissioner Josh Wright issued a dissenting statement to the report that lambasted the staff for not conducting more robust cost-benefit analysis of the new proposed restrictions, and specifically cited how problematic the agency’s approach to data minimization was. “[S]taff merely acknowledges it would potentially curtail innovative uses of data. . . [w]ithout providing any sense of the magnitude of the costs to consumers of foregoing this innovation or of the benefits to consumers of data minimization,” he says. Similarly, in her separate statement, FTC Commissioner Maureen K. Ohlhausen worried about the report’s overly precautionary approach on data minimization when noting that, “without examining costs or benefits, [the staff report] encourages companies to delete valuable data — primarily to avoid hypothetical future harms. Even though the report recognizes the need for flexibility for companies weighing whether and what data to retain, the recommendation remains overly prescriptive,” she concludes.

Regardless, the battle lines have been drawn by the FTC staff report as the agency has made it clear that it will be stepping up its efforts to get IoT innovators to significantly slow or scale back their data collection efforts. It will be very interesting to see how the agency enforces that vision going forward and how it impacts innovation in this space. All I know is that the agency has not conducted a serious evaluation here of the trade-offs associated with such restrictions. I penned another law review article last year offering “A Framework for Benefit-Cost Analysis in Digital Privacy Debates” that they could use to begin that process if they wanted to get serious about it.

The Problem with the “Regulation Builds Trust” Argument

One of the interesting things about this and previous FTC reports on privacy and security matters is how often the agency premises the case for expanded regulation on “building trust.” The argument goes something like this (as found on page 51 of the new IoT report): “Staff believes such legislation will help build trust in new technologies that rely on consumer data, such as the IoT. Consumers are more likely to buy connected devices if they feel that their information is adequately protected.”

This is one of those commonly-heard claims that sounds so straight-forward and intuitive that few dare question it. But there are problems with the logic of the “we-need-regulation-to-build-trust-and boost adoption” arguments we often hear in debates over digital privacy.

First, the agency bases its argument mostly on polling data. “Surveys also show that consumers are more likely to trust companies that provide them with transparency and choices,” the report says. Well, of course surveys say that! It’s only logical that consumers will say this, just as they will always say they value privacy and security more generally when asked. You might as well ask people if they love their mothers!

But what consumers claim to care about and what they actually do in the real-world are often two very different things. In the real-world, people balance privacy and security alongside many other values, including choice, convenience, cost, and more. This leads to the so-called “privacy paradox,” or the problem of many people saying one thing and doing quite another when it comes to privacy matters. Put simply, people take some risks — including some privacy and security risks — in order to reap other rewards or benefits. (See this essay for more on the problem with most privacy polls.)

Second, online activity and the Internet of Things are both growing like gangbusters despite the privacy and security concerns that the FTC raises. Virtually every metric I’ve looked at that track IoT activity show astonishing growth and product adoption, and projections by all the major consultancies that have studied this consistently predict the continued rapid growth of IoT activity. Now, how can this be the case if, as the FTC claims, we’ll only see the IoT really take off after we get more regulation aimed at bolstering consumer trust? Of course, the agency might argue that the IoT will grow at an even faster clip than it is right now, but there is no way to prove one way or the other. In any event, the agency cannot possible claim that the IoT isn’t already growing at a very healthy clip — indeed, a lot of the hand-wringing the staff engages in throughout the report is premised precisely on the fact that the IoT is exploding faster that our ability to keep up with it!! In reality, it seems far more likely that cost and complexity are the bigger impediments to faster IoT adoption, just as cost and complexity have always been the factors weighing most heavily on the adoption of other digital technologies.

Third, let’s say that the FTC is correct – and it is – when it says that a certain amount of trust is needed in terms of IoT privacy and security before consumers are willing to use more of these devices and services in their everyday lives. Does the agency imagine that IoT innovators don’t know that? Are markets and consumers completely irrational? The FTC says on page 44 of the report that, “If a company decides that a particular data use is beneficial and consumers disagree with that decision, this may erode consumer trust.” Well, if such a mismatch does exist, then the assumption should be that consumers can and will push back, or seek out new and better options. And other companies should be able to sense the market opportunity here to offer a more privacy-centric offering for those consumers who demand it in order to win their trust and business.

Finally, and perhaps most obviously, the problem with the argument that increased regulation will help IoT adoption is that it ignores how the regulations put in place to achieve greater “trust” might become so onerous or costly in practice that there won’t be as many innovations for us to adopt to begin with! Again, regulation — even very well-intentioned regulation — has costs and trade-offs.

In any event, if the agency is going to premise the case for expanded privacy regulation on this notion, they are going to have to do far more to make their case besides simply asserting it.

Once Again, No Appreciation of the Potential for Societal Adaptation

Let’s briefly shift to a subject that isn’t discussed in the FTC’s new IoT report at all.

Regular readers may get tired of me making this point, but I feel it is worth stressing again: Major reports and statements by public policymakers about rapidly-evolving emerging technologies are always initially prone to stress panic over patience. Rarely are public officials willing to step-back, take a deep breath, and consider how a resilient citizenry might adapt to new technologies as they gradually assimilate new tools into their lives.

That is really sad, when you think about it, since humans have again and again proven capable of responding to technological change in creative ways by adopting new personal and social norms. I won’t belabor the point because I’ve already written volumes on this issue elsewhere. I tried to condense all my work into a single essay entitled, “Muddling Through: How We Learn to Cope with Technological Change.” Here’s the key takeaway:

humans have exhibited the uncanny ability to adapt to changes in their environment, bounce back from adversity, and learn to be resilient over time. A great deal of wisdom is born of experience, including experiences that involve risk and the possibility of occasional mistakes and failures while both developing new technologies and learning how to live with them. I believe it wise to continue to be open to new forms of innovation and technological change, not only because it provides breathing space for future entrepreneurialism and invention, but also because it provides an opportunity to see how societal attitudes toward new technologies evolve — and to learn from it. More often than not, I argue, citizens have found ways to adapt to technological change by employing a variety of coping mechanisms, new norms, or other creative fixes.

Again, you almost never hear regulators or lawmakers discuss this process of individual and social adaptation even though they must know there is something to it. One explanation is that every generation has their own techno-boogeymen and lose faith in the ability of humanity to adapt to it.

To believe that we humans are resilient, adaptable creatures should not be read as being indifferent to the significant privacy and security challenges associated with any of the new technologies in our lives today, including IoT technologies. Overly-exuberant techno-optimists are often too quick to adopt a “Just-Get-Over-It!” attitude in response to the privacy and security concerns raised by others. But it is equally unforgivable for those who are worried about those same concerns to utterly ignore the reality of human adaptation to new technologies realities.

Why are Educational Approaches Merely an Afterthought?

One final thing that troubled me about the FTC report was the way consumer and business education is mostly an afterthought. This is one of the most important roles that the FTC can and should play in terms of explaining potential privacy and security vulnerabilities to the general public and product developers alike.

Alas, the agency devotes so much ink to the more legalistic questions about how to address these issues, that all we end up with in the report is this one paragraph on consumer and business education:

Consumers should understand how to get more information about the privacy of their IoT devices, how to secure their home networks that connect to IoT devices, and how to use any available privacy settings. Businesses, and in particular small businesses, would benefit from additional information about how to reasonably secure IoT devices. The Commission staff will develop new consumer and business education materials in this area.

I applaud that language, and I very much hope that the agency is serious about plowing more effort and resources into developing new consumer and business education materials in this area. But I’m a bit shocked that the FTC report didn’t even bother mentioning the excellent material already available on the “On Guard Online” website it helped created with a dozen other federal agencies. Worse yet, the agency failed to highlight the many other privacy education and “digital citizenship” efforts that are underway today to help on this front. I discuss those efforts in more detail in the closing section of my recent law review article.

I hope that the agency spends a little more time working on the development of new consumer and business education materials in this area instead of trying to figure out how to craft a quasi-regulatory regime for the Internet of Things. As I noted last year in this Maine Law Review article, that would be a far more productive use of the agency’s expertise and resources. I argued there that “policymakers can draw important lessons from the debate over how best to protect children from objectionable online content” and apply them to debates about digital privacy. Specifically, after a decade of searching for legalistic solutions to online safety concerns — and convening a half-dozen blue ribbon task forces to study the issue — we finally saw a rough consensus emerge that no single “silver-bullet” technological solutions or legal quick-fixes would work and that, ultimately, education and empowerment represented the better use of our time and resources. What was true for child safety is equally true for privacy and security for the Internet of Things.

It’s a shame the FTC staff squandered the opportunity it had with this new report to highlight all the good that could be done by getting more serious about focusing first on those alternative, bottom-up, less costly, and less controversial solutions to these challenging problems. One day we’ll all wake up and realize that we spent a lost decade debating legalistic solutions that were either technically unworkable or politically impossible. Just imagine if all the smart people who were spending all their time and energy on those approaches right now were instead busy devising and pushing educational and empowerment-based solutions instead!

One day we’ll get there. Sadly, if the FTC report is any indication, that day is still a ways off.

Seems like everywhere I turn someone is gushing about their new Droid phone, including my TLF colleagues Berin Szoka, Braden Cox, and Ryan Radia, who all had great fun rubbing their new toys in my nose over the past couple of days. And why not, it’s a very cool little device.  It makes my HTC Touch seems positively archaic in some ways, and it’s only a year old.  Apparently, 100,000 people already picked up a Droid in just its first weekend on the market.

But here’s the first thing that pops in my mind every time I see someone showing off their new Droid: How can a device like this even exist when America’s leading cyberlaw experts have been telling us that the whole digital world is increasingly going to hell because of “closed” devices, proprietary code, and managed networks?  I’m speaking, of course, about the lamentations of Harvard professors Lawrence Lessig, Jonathan Zittrain, and their many disciples.  As faithful readers will recall, I have relentlessly hammered this crew for their unwarranted cyber-Chicken Little-ism and hyper techno-pessimism. (See my many battles with Zittrain [1, 2, 3, 4, 5, 6 + video] and my 2-part debate with Lessig earlier this year).

“Left to itself,” Lessig warned in Code, “cyberspace will become a perfect tool of control.”  He went on to forecast a dystopian future in which nefarious corporate schemers would quash our digital liberties unless benevolent public philosopher kings stepped in to save our poor souls. Code was the Old Testament of cyber-collectivism. The New Testament arrived last year with Zittrain’s The Future of the Internet and How to Stop It. In it, we hear the grim prediction that “sterile and tethered” digital technologies and networks will triumph over the more “open and generative” devices and systems of the past.  The iPhone and TiVo are cast as villains in Zittrain’s drama since they apparently represent the latest manifestations of Lessig’s “perfect control” paranoia.

Apple’s “Angel of Death”

How completely out-of-control has this thinking gotten?  Well, here’s David Weinberger — another Harvard Berkman Center worrywart — talking about that supposed satanic font of all evil, the Apple AppStore:

The AppStore is the seductive angel of death for computing. It enables Apple to keep quality up and, more important, to keep support costs down. But a computer that can’t be programmed except by its manufacturer (or with the permission of its manufacturer) isn’t a real computer. The success of the AppStore is a gloomy, scary harbinger. From controlling the apps that can go on its mobile phone, it’s a short step for Apple to decide to control the apps that can go on its rumored slate/netbook device. And since so much of the future of computing will occur on mobiles and netbooks, this portends a serious de-generation of computing, as predicted by Jonathan Zittrain in The Future of the Internet and How to Stop It.

The “angel of death”? A “gloomy, scary harbinger”? Wow, who knew!  In Weinberger’s world, Apple is guilty of the heinous crime of “keep[ing] quality up and, more important, [keeping] support costs down.”  OH MY GOD, how dare they.  Somebody make them stop!  No, seriously, how silly is all this? It’s like those Republicans who, in their zeal to do anything to defeat health care nationalization, decide it’s OK to make up spooky stories about “death panels” hidden deep inside congressional bills.

I find Weinberger’s claim that “a serious de-generation of computing” is looming because of the iPhone to be especially ridiculous. It’s the same sort of rubbish Lessig was spewing in Code when he predicted that AOL’s walled garden model was going to take over the entire cyber-world and ensure “perfect control,” just one of the many things Lessig got wrong in the book.  And it’s the same silliness we see at work in Zittrain’s work when he claims that we’re doomed to live in a world of closed “sterile and tethered” digital technologies and networks. Similarly, last year, Public Knowledge analyst Alex Curtis managed to reach the zenith of this rhetorical insanity when he likened the Apple App Store to an Orwellian Big Brother that was bringing us a “1984 kind of total control.”  You know, because Apple is forcing us all to own iPhones and locking us into re-education camps.  Right.

I Fart, Therefore I Am (Generative)

Which brings me back to the Droid.  If all these dour predictions about the death of digital generativity and the rise of closed networks and walled gardens were true, how in the world does a phone with an open source operating system and a completely open applications process for developers even exist? (Android devices like the Droid don’t require users to rely exclusively on the Android Marketplace for apps; you can run other apps if you like).

Moreover, it’s not just that a remarkably innovative and generative device like the Droid gets widespread release and praise, it’s the fact that there are countless other mobile devices and applications on the market today much like it. On the Zittrainian “generative-vs.-sterile appliance” spectrum, the range of mobile devices just continues to grow and grow in both directions. You can decide exactly what type of device you want.  But here’s the more important point: How much of a difference does it even make how “open” these phones and app stores are?  You’ve got more “closed” systems like Apple’s iPhone and Palm’s Pre on one end of the spectrum and then more “open” systems like the Droid and even many Windows Mobile devices on the other end, but do these competing models really result in many difference in terms of functionality and innovation?  The reality is this: tons of innovation is occurring across all of these devices and platforms regardless of how “open” or “closed” they may be.

For example, when I go to Handango, a terrific mobile application marketplace, and search for “all apps” available for my HTC Touch (which runs a Windows Mobile OS), my senses are assaulted with 6,677 choices.  It’s all a bit overwhelming.  Luckily, a quick search can get me right to the important applications I really need — like the “Pocket Fart” app.  Folks, let me tell you, no “generative” device is worth its salt without a good farting application.  I don’t care how bad of a mood my kids are in, when I fire up a fart app, it puts an instant smile on their faces!

But hey, guess what… that “angel of death,” the iPhone Store, offers fart apps, too!  Dozens and dozens of fart apps, in fact.  In terms of Zittrainian generativity, the iPhone is positively fart-tastic. Just check out that video below. And in addition to those dozens of flatulence apps, the Apple AppStore has another 100,000 apps available for downloading, making it the largest applications store in the world. And back in September, Apple announced that more than two billion apps had been downloaded from the App Store in its short existence. That’s Billion with a “B”.  Does this sound like it “portends a serious de-generation of computing” as Weinberger suggests?  Incidentally, if he’s so frightened that Steve Jobs is the Grim Reaper incarnate he can always go find another phone. Seriously, Steve Jobs doesn’t force anybody to buy one of these expensive toys.

If the iPhone is Good Enough for Zittrain, Why Isn’t It Fine for the Rest of Us?

Incidentally, despite all the fear and loathing about Steve Jobs and the iPhone that one finds in Future of the Internet, I was very entertained to discover that Jonathan Zittrain is an iPhone user himself!  I used some shameless McCarthyite tactics during our debate at New America Foundation last year — “Are you now, or have you ever been, an iPhone user!” — to publicly out him. [Go to the 55:00 minute mark of the video to see.]  But my point to him that day was a serious one: If you so fear the death of generativity because of that little demonic device, than why carry one in your coat pocket?  Why not use a device that lets you break all the rules because it essentially has no rules?  There are multiple open source mobile operating systems and a thriving community of “homebrew” developers. Go spend a few minutes at PCC Geeks or Howard’s Forums and see what I mean.

But the Berkman boys don’t seem content with all that.  And I wouldn’t usually give a damn about the lunacy of these hyper-pessimistic prognostications from the Harvard crew if it was all just harmless cyber-sourpuss ramblings from the ivory tower geeks with too much time on their hands.  But the problem is that these people want regulators to take steps to correct these supposed “code failures,” as Lessig calls them.  Zittrain calls for “API neutrality” in his book, which would force net neutrality-like mandates on digital devices. And in a New York Times editorial this summer entitled “Lost in the Cloud,” he made it clear that cloud neutrality regulation was next on the list. [Others are joining that call.] I’ve got a serious problem with that, as I detailed extensively in earlier essays (here and here), and Berin Szoka and I have discussed how these escalating neutrality wars are bound to lead to the digital equivalent of “mutually assured destruction” within the tech community before it’s all over.

Finally, when the Berkman gang, which is the most respected cyberlaw shop in the land, go around casting these debates with terms like “evil” applications and “angels of death,” then I have a serious problem because the game you are playing becomes hazardous to the health of the digital economy.  This poisons the public policy debate by using absurd moralistic rhetoric about something as fundamentally agnostic as digital platforms and protocols.  These things are neither good nor evil; they are just choices.  They represent different ways of promoting innovation.  And we should be happy that our current digital marketplace is offering us a rich mosaic of business models and options that can fill almost any need and fit almost any picky user’s desires.  If that ain’t progress, I don’t what is.