security – Technology Liberation Front

Podcast: Should We Regulate AI?

Adam Thierer — Mon, 08 May 2023 12:15:12 +0000

It was my pleasure to recently join Matthew Lesh, Director of Public Policy and Communications for the London-based Institute of Economic Affairs (IEA), for the IEA podcast discussion, “Should We Regulate AI?” In our wide-ranging 30-minute conversation, we discuss how artificial intelligence policy is playing out across nations and I explained why I feel the UK has positioned itself smartly relative to the US & EU on AI policy. I argued that the UK approach encourages a better ‘innovation culture’ than the new US model being formulated by the Biden Administration.

We also went through some of the many concerns driving calls to regulate AI today, including: fears about job dislocations, privacy and security issues, national security and existential risks, and much more.

Additional reading:

Adam Thierer, “The Biden Administration’s Plan to Regulate AI without Waiting for Congress,” Medium, May 4, 2023.
Adam Thierer, “NEPA for Al? The Problem with Mandating Algorithmic Audits & Impact Assessments,” Medium, April 23, 2023.
Adam Thierer, “Flexible, Pro-Innovation Governance Strategies for Artificial Intelligence, R Street Institute Policy Study №283 (April 2023).
Adam Thierer, “A balanced AI governance vision for America,” The Hill, April 16, 2023.
Adam Thierer, Brent Orrell, & Chris Meserole, “Stop the AI Pause,” AEI Ideas, April 6, 2023.
Adam Thierer, “Getting AI Innovation Culture Right,” R Street Institute Policy Study №281 (March 2023).
Adam Thierer, “Can We Predict the Jobs and Skills Needed for the AI Era?,” R Street Institute Policy Study №278 (March 2023).
Adam Thierer, “U.S. Chamber AI Commission Report Offers Constructive Path Forward,” R Street Blog, March 9, 2023.
Adam Thierer, “What If Everything You’ve Heard about AI Policy is Wrong?” Medium, February 20, 2023.
Adam Thierer, “Policy Ramifications of the ChatGPT Moment: AI Ethics Meets Evasive Entrepreneurialism,” Medium, February 14, 2023.
Adam Thierer, “Mapping the AI Policy Landscape Circa 2023: Seven Major Fault Lines,” R Street Blog, February 9, 2023.
Adam Thierer, “Artificial Intelligence Primer: Definitions, Benefits & Policy Challenges,” Medium, December 2, 2022.
Neil Chilson & Adam Thierer, “The Coming Onslaught of ‘Algorithmic Fairness’ Regulations,” Regulatory Transparency Project of the Federalist Society, November 2, 2022.
Adam Thierer, “We Really Need To ‘Have a Conversation’ About AI … or Do We?” Discourse, October 6, 2022.

Event Video on Algorithmic Auditing and AI Impact Assessments

Adam Thierer — Wed, 13 Jul 2022 18:10:03 +0000

On July 12, I participated in a Bipartisan Policy Center event on “Civil Society Perspectives on Artificial Intelligence Impact Assessments.” It was an hour-long discussion moderated by Michele Nellenbach, Vice President of Strategic Initiatives at the Bipartisan Policy Center, and which also featured Miriam Vogel, President and CEO of EqualAI. We discussed the ins and outs of algorithmic auditing and impact assessments for artificial intelligence. This is one of the hottest topics in the field of AI governance today, with proposals multiplying rapidly in academic and public policy circles. Several governments are already considering mandating AI auditing and impact assessments.

You can watch the entire discussion here, and down below I have included some of my key talking points from the session. I am currently finishing up my next book, which is on how to craft a flexible governance framework for AI and algorithmic technologies. It includes a lengthy chapter on this issue and I also plan on eventually publishing a stand-alone study on this topic.

Upsides:

Algorithmic auditing and AI impact assessments represent an important step toward the professionalization of AI ethics.

Audits and impact assessments can help ensure organizations live up their promises as it pertains to “baking in” ethical best practices (on issues like safety, security, privacy, and non-discrimination).
Audits and impact assessments are already utilized in other fields to address safety practices, financial accountability, labor practices and human rights issues, supply chain practices, and various environmental concerns.
Internal auditing / Institute of Internal Auditors (IIA) efforts could expand to include AI risks
Eventually, more and more organizations will expand their internal auditing efforts to incorporate AI risks because it makes good business sense to stay on top of these issues and avoid liability, negative publicity, or other customer backlash.

Build on the IAPP model to help “professionalize” AI ethics in data-driven organizations

the International Association of Privacy Professionals (IAPP) trains and certifies privacy professionals through formal credentialing programs, supplemented by regular meetings, annual awards, and a variety of outreach and educational initiatives.
We should use similar model for AI and start by supplementing Chief Privacy Officers with Chief Ethical Officers.
This is how we formalize the ethical frameworks and best practices that have been formulated by various professional associations such as IEEE, ISO, ACM and others.

AI auditing and impact assessment process can be rooted in the voluntary risk assessment frameworks developed by OECD & NIST

OECD — Framework for the Classification of AI Systems with the twin goals of helping “to develop a common framework for reporting about AI incidents that facilitates global consistency and interoperability in incident reporting,” and advancing “related work on mitigation, compliance and enforcement along the AI system lifecycle, including as it pertains to corporate governance.”
NIST — AI Risk Management Framework “to better manage risks to individuals, organizations, and society associated with artificial intelligence.”
These frameworks being developed through a consensus-driven, open, transparent, and collaborative process. Not through top-down regulation.
Many AI developers and business groups have endorsed the use of such audits and assessments. BSA|The Software Alliance has said that, “By establishing a process for personnel to document key design choices and their underlying rationale, impact assessments enable organizations that develop or deploy high-risk AI to identify and mitigate risks that can emerge throughout a system’s lifecycle.”
Developers can still be held accountable for violations of certain ethical norms and bast practices both through private and potentially even through formal sanctions by consumer protection agencies (Federal Trade Commission / comparable state offices / by state AGs).

Independent AI auditing bodies are already being formulated and could play an important role in help to further professionalize AI ethics.

EqualAI / WEF — “Badge Program for Responsible AI Governance”
field of algorithmic consulting continues to expand (ex: O’Neil Risk Consulting)

Downsides:

Algorithmic audits and impact assessments are confronted with the same sort of definitional challenges that pervade AI more generally.

constitutes a harm or impact in any given context will often be a contentious matter.
Auditing algorithms is nothing like auditing an accounting ledger, where the numbers either add up or they don’t.
With algorithms there are no binary metrics that can quantify the correct amount of privacy, safety, or security in any given system.

Audits and impact assessments should not become a formal regulatory process

E.U. AI act will be a disaster for AI innovation and investment
Proposed U.S. Algorithmic Accountability Act of 2022 would require that developers perform impact assessments and file them with the Federal Trade Commission. A new Bureau of Technology would be created inside the agency to oversee the process.
If enforced through a rigid regulatory regime and another federal bureaucracy, compliance with algorithmic auditing mandates would likely become a convoluted, time-consuming bureaucratic process. That would likely slow the pace of AI development significantly.
Academic literature on AI auditing / impact assessment ignores potential costs; Mandatory auditing and assessments are treated as a sort of frictionless nirvana when we already know that such a process would entire significant costs.

The National Environmental Policy Act (NEPA) is a bad model for AI impact assessments.

Some AI scholars suggest that NEPA should be model for AI impact assessments / audits.
NEPA assessments were initially quite short (sometimes less than 10 pages), but today the average length of these statements is more than 600 pages and include appendices that average over 1,000 pages on top of that.
NEPA assessments take an average of 4.5 years to complete and that, between 2010 and 2017, there were four assessments that took at least 17 years to complete.
Many important public projects never get done or take far too long to complete at considerably higher expenditure than originally predicted.

Applying the NEPA model to algorithmic systems would mean that much AI innovation would grind to a halt in the face of lengthy delays, paperwork burdens, and considerable compliance costs.

would create a number of veto points that opponents of AI could use to stop much progress in the field. This is the “vetocracy” problem.
We cannot wait years or even months for bureaucracies to eventually getting around to formally signing off on audits or assessments, many of which would be obsolete before they were even done.

Many AI developers would likely look to innovate elsewhere if auditing or impact assessments became a bureaucratic and highly convoluted compliance nightmare like that.

“global innovation arbitrage” problem would kick in: Innovators and investors increasingly relocate to the jurisdictions where they are treated most hospitably.

Mandated algorithmic auditing could give rise to a final problem: Political meddling.

Both parties already accuse digital technology companies of manipulating their algorithms to censor their views.
Whichever party is in power at any given time could use the process to politicize terms like “safety,” “security,” and “non-discrimination” to nudge or even force private AI developers to alter their algorithms to satisfy the desires of partisan politicians or bureaucrats.
FCC abused its ambiguous authority to regulate “in the public interest” and indirectly censor broadcasters through intimidation via jawboning tactics and other “agency threats.” or “regulation by raised eyebrow”
There are potentially profound First Amendment issues in play with the regulation of algorithms that have not been explored here but which could become a major part of AI regulatory efforts going forward.

Summary:

Auditing and impact assessments can be a part of a more decentralized, polycentric governance framework.
Even in the absence of any sort of hard law mandates, algorithmic auditing and impact reviews represent an important way to encourage responsible AI development.
But we should be careful about mandating such things due to the many unanticipated cost and consequences of converting this into a top-down, bureaucratic regulatory regime.
The process should evolve gradually and organically, as it has in many other fields and sectors.

The Proper Governance Default for AI

Adam Thierer — Thu, 26 May 2022 20:15:21 +0000

[This is a draft of a section of a forthcoming study on “A Flexible Governance Framework for Artificial Intelligence,” which I hope to complete shortly. I welcome feedback. I have also cross-posted this essay at Medium.]

Debates about how to embed ethics and best practices into AI product design is where the question of public policy defaults becomes important. To the extent AI design becomes the subject of legal or regulatory decision-making, a choice must be made between two general approaches: the precautionary principle or the proactionary principle.[1] While there are many hybrid governance approaches in between these two poles, the crucial issue is whether the initial legal default for AI technologies will be set closer to the red light of the precautionary principle (i.e., permissioned innovation) or to the green light of the proactionary principle (i.e., (permissionless innovation). Each governance default will be discussed.

The Problem with the Precautionary Principle as the Policy Default for AI

The precautionary principle holds that innovations are to be curtailed or potentially even disallowed until the creators of those new technologies can prove that they will not cause any theoretical harms. The classic formulation of the precautionary principle can be found in the “Wingspan Statement,” which was formulated at an academic conference that took place at the Wingspread Conference Center in Wisconsin in 1998. It read: “Where an activity raises threats of harm to the environment or human health, precautionary measures should be taken even if some cause and effect relationships are not fully established scientifically.”[2] There have been many reformulations of the precautionary principle over time but, as legal scholar Cass Sunstein has noted, “in all of them, the animating idea is that regulators should take steps to protect against potential harms, even if causal chains are unclear and even if we do not know that those harms will come to fruition.”[3] Put simply, under almost all varieties of the precautionary principle, innovation is treated as “guilty until proven innocent.”^[4] We can also think of this as permissioned innovation.

The logic animating the precautionary principle reflects a well-intentioned desire to play it safe in the face of uncertainty. The problem lies in the way this instinct gets translated into law and regulation. Making the precautionary principle the public policy default for any given technology or sector has a strong bearing on how much innovation we can expect to flow from it. When trial-and-error experimentation is preemptively forbidden or discouraged by law, it can limit many of the positive outcomes that typically accompany efforts by people to be creative and entrepreneurial. This can, in turn, give rise to different risks for society in terms of forgone innovation, growth, and corresponding opportunities to improve human welfare in meaningful ways.

St. Thomas Aquinas once observed that if the sole goal of a captain were to preserve their ship, the captain would keep it in port forever. But that clearly is not the captain’s highest goal. Aquinas was making a simple but powerful point: There can be no reward without some effort and even some risk-taking. Ship captains brave the high seas because they are in search of a greater good, such as recognition, adventure, or income. Keeping ships in port forever would preserve their vessels, but at what cost?

Similarly, consider the wise words of Wilbur Wright, who pioneered human flight. Few people better understood the profound risks associated with entrepreneurial activities. After all, Wilbur and his brother were trying to figure out how to literally lift humans off the Earth. The dangers were real, but worth taking. “If you are looking for perfect safety,” Wright said, “you would do well to sit on a fence and watch the birds.” Humans would have never taken to the skies if the Wright brothers had not gotten off the fence and taken the risks they did. Risk-taking drives innovation and, over the long-haul, improves our well-being.^[5] Nothing ventured, nothing gained.

These lessons can be applied to public policy by considering what would happen if, in the name of safety, public officials told captains to never leave port or told aspiring pilots to never leave the ground. The opportunity cost of inaction can be hard to quantify, but it should be clear that if we organized our entire society around a rigid application of the precautionary principle, progress and prosperity would suffer.

Heavy-handed preemptive restraints on creative acts can have deleterious effects because they raise barriers to entry, increase compliance costs, and create more risk and uncertainty for entrepreneurs and investors. Thus, it is the unseen costs—primarily in the form of forgone innovation opportunities—that makes the precautionary principle so problematic as a policy default. This is why scientist Martin Rees speaks of “the hidden cost of saying no” that is associated with the precautionary principle.[6]

The precise way the precautionary principle leads to this result is that it derails the so-called learning curve by limiting opportunities to learn from trial-and-error experimentation with new and better ways of doing things.[7] The learning curve refers to the way that individuals, organizations, or industries are able to learn from their mistakes, improve their designs, enhance productivity, lower costs, and then offer superior products based on the resulting knowledge.[8] In his recent book, Where Is My Flying Car?, J. Storrs Hall documents how, over the last half century, “regulation clobbered the learning curve” for many important technologies in the U.S., especially nuclear, nanotech, and advanced aviation.[9] Hall shows how society was denied many important innovations due to endless foot-dragging or outright opposition to change from special interests, anti-innovation activists, and over-zealous bureaucrats.

In many cases, innovators don’t even know what they are up against because, as many scholars have noted, “the precautionary principle, in all of its forms, is fraught with vagueness and ambiguity.”[10] It creates confusion and fear about the wisdom of taking action in the face of uncertainty. Worst case thinking paralyzes regulators who aim to “play it safe” at all costs. The result is an endless snafu of red tape as layer upon layer of mandates build up and block progress. The result is what many scholars now decry as a culture of “vetocracy,” which describes the many veto points within modern political systems that hold back innovation, development and economic opportunity.[11] This endless accumulation of potential veto points in the policy process in the form of mandates and restrictions can greatly curtail innovation opportunities. “Like sediment in a harbor, law has steadily accumulated, mainly since the 1960s, until most productive activity requires slogging through a legal swamp,” says Philip K. Howard, chair of Common Good.[12] “Too much law,” he argues, “can have similar effects as too little law,” because:

People slow down, they become defensive, they don’t initiate projects because they are surrounded by legal risks and bureaucratic hurdles. They tiptoe through the day looking over their shoulders rather than driving forward on the power of their instincts. Instead of trial and error, they focus on avoiding error.[13]

This is exactly why it is important that policymakers not get too caught up in attempts to preemptively resolve every potential hypothetical worst case scenarios associated with AI technologies. The problem with that approach was succinctly summarized by the political scientist Aaron Wildavsky when he noted, “If you can do nothing without knowing first how it will turn out, you cannot do anything at all.”^[14] Or, as I have stated in a book on this topic, “living in constant fear of worst-case scenarios—and premising public policy on them—means that best-case scenarios will never come about.”[15]

This does not mean society should dismiss all concerns about the risks surrounding AI. Some technological risks do necessitate a degree of precautionary policy, but proportionality is crucial, notes Gabrielle Bauer, a Toronto-based medical writer. “Used too liberally,” she argues, “the precautionary principle can keep us stuck in a state of extreme risk-aversion, leading to cumbersome policies that weigh down our lives. To get to the good parts of life, we need to accept some risk.”[16] It is not enough to simply hypothesize that certain AI innovations might entail some risk. The critics need to prove it using risk analysis techniques that properly weigh both the potential costs and benefits.^[17] Moreover, when conducting such analyses, the full range of trade-offs associated with preemptive regulation must be evaluated. Again, where precautionary constraints might deny society life-enriching devices or services, those costs must be acknowledged.

Generally speaking, the most extreme precautionary controls should only be imposed when the potential harms in question are highly probable, tangible, immediate, irreversible, catastrophic, or directly threatening to life and limb in some fashion.^[18] In the context of AI and ML systems, it may be the case that such a test is satisfied already for law enforcement use of certain algorithmic profiling techniques. And that test is satisfied for so-called “killer robots,” or autonomous military technology.[19] These are often described as “existential risks.” The precautionary principle is the right default in these cases because it is abundantly clear how unrestricted use would have catastrophic consequences. For similar reasons, governments have long imposed comprehensive restrictions on certain types of weapons.[20] And although nuclear and chemical technologies have many important applications, their use must also be limited to some degree even outside of militaristic applications because they can pose grave danger if misused.

But the vast majority of AI-enabled technologies are not like this. Most innovations should not be treated the same a hand grenade or a ticking time bomb. In reality, most algorithmic failures will be more mundane and difficult to foresee in advance. By their very nature, algorithms are constantly evolving because programs and systems are being endlessly tweaked by designers to improve them. In his books on the evolution of engineering and systems design, Henry Petroski has noted that “the shortcomings of things are what drive their evolution.”[21] The normal state of things is “ubiquitous imperfection,” he notes, and it is precisely that reality that drives efforts to continuously innovate and iterate.[22]

Regulations rooted in the precautionary principle hope to preemptively find and address product imperfections before any harm comes from them. In reality, and as explained more below, it is only through ongoing experimentation that we find both the nature of failures and the knowledge to know how to correct them. As Petroski observes, “the history of engineering in general, may be told in its failures as well as in its triumphs. Success may be grand, but disappointment can often teach us more.”^[23] This is particularly true for complex algorithmic systems, where rapid-fire innovation and incessant iteration are the norm.

Importantly, the problem with precautionary regulation for AI is not just that it might be over-inclusive in seeking to regulate hypothetical problems that never develop. Precautionary regulation can also be under-inclusive by missing problematic behavior or harms that no one anticipated before the fact. Only experience and experimentation reveal certain problems.

In sum, we should not presume that there is a clear preemptive regulatory solution to every problem some people raise about AI, nor should we presume we can even accurately identify all such problems that might come about in the future. Moreover, some risks will never be eliminated entirely, meaning that risk mitigation is the wiser approach. This is why a more flexible bottom-up governance strategy focused on responsiveness and resiliency makes more sense than heavy-handed, top-down strategies that would only avoid risks by making future innovations extremely difficult if not impossible.

The “Proactionary Principle” is the Better Default for AI Policy

The previous section made it clear why the precautionary principle should generally not be used as our policy default if we hope to encourage the development of AI applications and services. What we need is a policy approach that:

objectively evaluates the concerns raised about AI systems and applications;
considers whether more flexible governance approaches might be available to address them; and,
does so without resorting to the precautionary principle as a first-order response.

The proactionary principle is the better general policy default for AI because it satisfies these three objectives.[24] Philosopher Max More defines the proactionary principle as the idea that policymakers should, “[p]rotect the freedom to innovate and progress while thinking and planning intelligently for collateral effects.”^[25] There are different names for this same concept, including the innovation principle, which Daniel Castro and Michael McLaughlin of the Information Technology and Innovation Foundation say represents the belief that “the vast majority of new innovations are beneficial and pose little risk, so government should encourage them.”^[26] Permissionless innovation is another name for the same idea. Permissionless innovation refers to the idea that experimentation with new technologies and business models should generally be permitted by default.^[27]

What binds these concepts together is the belief that innovation should generally be treated as innocent until proven guilty. There will be risks and failures, of course, but the permissionless innovation mindset views them as important learning experiences. These experiences are chances for individuals, organizations, and all of society to make constant improvements through incessant experimentation with new and better ways of doing things.[28] As Virginia Postrel argued in her 1998 book, The Future and Its Enemies, progress demands “a decentralized, evolutionary process” and mindset in which mistakes are not viewed as permanent disasters but instead as “the correctable by-products of experimentation.”^[29] “No one wants to learn by mistakes,” Petroski once noted, “but we cannot learn enough from successes to go beyond the state of the art.”^[30] Instead we must realize, as other scholars have observed, that “[s]uccess is the culmination of many failures”^[31] and understand “failure as the natural consequence of risk and complexity.”^[32]

This is why the default for public policy for AI innovation should, whenever possible, be more green lights than red ones to allow for the maximum amount of trial-and-error experimentation, which encourages ongoing learning.[33] “Experimentation matters,” observes Stefan H. Thomke of the Harvard Business School, “because it fuels the discovery and creation of knowledge and thereby leads to the development and improvement of products, processes, systems, and organizations.”^[34]

Obviously, risks and mistakes are “the very things regulators inherently want to avoid,”^[35] but “if innovators fear they will be punished for every mistake,” Daniel Castro and Alan McQuinn argue, “then they will be much less assertive in trying to develop the next new thing.”^[36] And for all the reasons already stated, that would represent the end of progress because it would foreclose the learning process that allows society to discover new, better, and safer ways of doing things. Technology author Kevin Kelly puts it this way:

technologies must be evaluated in action, by action. We test them in labs, we try them out in prototypes, we use them in pilot programs, we adapt our expectations, we monitor their alterations, we redefine their aims as they are modified, we retest them given actual behavior, we re-direct them to new jobs when we are not happy with their outcomes.[37]

In other words, the proactionary principle appreciates the benefits that flow from learning by doing. The goal is to continuously assess and prioritize risks from natural and human-made systems alike, and then formulate and reformulate our toolkit of possible responses to those risks using the most practical and effective solutions available. This should make it clear that the proactionary approach is not synonymous with anarchy. Various laws, government bodies, and especially the courts play an important role in protecting rights, health, and order. But policies need to be formulated such that innovators and innovation are given the benefit of the doubt and risks are analyzed and addressed in a more flexible fashion.

Some of the most effective ways to address potential AI risks already exist in the form of “soft law” and decentralized governance solution. These will be discussed at greater length below. But existing legal remedies include various common law solutions (torts, class actions, contract law, etc), recall authority possessed by many regulatory agencies, and various consumer protection policies. Ex post remedies are generally superior to ex ante prior restraints if we hope to maximize innovation opportunities. Ex ante regulatory defaults are too often set closer to the red light of the precautionary principle and then enforced through volumes of convoluted red tape.

This is what the World Economic Forum has referred to as a “regulate-and-forget” system of governance,[38] or what others call a “build-and-freeze model” or regulation.[39] In such technological governance regimes, older rules are almost never revisited, even after new social, economic, and technical realities render them obsolete or ineffective.[40] A 2017 survey of U.S. Code of Regulations by Deloitte consultants revealed that 68 percent of federal regulations have never been updated and that 17 percent have only been updated once.^[41] Public policies for complex and fast-moving technologies like AI cannot be set in stone and forgotten like that if America hopes to remain on the cutting edge of this sector.

Advocates of the proactionary principle look to counter this problem not by eliminating all laws or agencies, but by bringing them in line with flexible governance principles rooted in more decentralized approaches to policy concerns.[42] As many regulatory advocates suggest, it is important to embed or “bake in” various ethical best practices into AI systems to ensure that they benefit humanity. But this, too, is a process of ongoing learning and there are many ways to accomplish such goals without derailing important technological advances. What is often referred to as “value alignment” or “ethically-aligned design” is challenged by the fact that humans regularly disagree profoundly about many moral issues.[43] “Before we can put our values into machines, we have to figure out how to make our values clear and consistent,” says Harvard University psychologist Joshua D. Greene.[44]

The “Three Laws of Robotics” famously formulated decades ago by Isaac Asimov in his science fiction stories continue to be widely discussed today as a guide to embedding ethics into machines.[45] They read:

A robot may not injure a human being or, through inaction, allow a human being to come to harm.
A robot must obey orders given it by human beings except where such orders would conflict with the First Law.
A robot must protect its own existence as long as such protection does not conflict with the First or Second Laws.

What is usually forgotten about these principles, as AI expert Melanie Mitchell reminds us, is the way Asimov, “often focused on the unintended consequences of programming ethical rules into robots,” and how he made it clear that, if applied too literally, “such a set of rules would inevitably fail.”[46]

This is why flexibility and humility are essential virtues when thinking about AI policy. The optimal governance regime for AI can be shaped by responsible innovation practices and embed important ethical principles by design without immediately defaulting to a rigid application of the precautionary principle.[47] In other words, an innovation policy regime rooted in the proactionary principle can also be infused with the same values that animate a precautionary principle-based system.[48] The difference is that the proactionary principle-based approach will look to achieve these goals in a more flexible fashion using a variety of experimental governance approaches and ex post legal enforcement options, while also encouraging still more innovation to solve problems past innovations may have caused.

To reiterate, not every AI risk is foreseeable, and many risks and harms are more amorphous or uncertain. In this sense, the wisest governance approach for AI was recently outlined by the National Institute of Standards and Technology (NIST) in its initial draft AI Risk Management Framework, which is a multistakeholder effort “to describe how the risks from AI-based systems differ from other domains and to encourage and equip many different stakeholders in AI to address those risks purposefully.”[49] NIST notes that the goal of the Framework is:

to be responsive to new risks as they emerge rather than enumerating all known risks in advance. This flexibility is particularly important where impacts are not easily foreseeable, and applications are evolving rapidly. While AI benefits and some AI risks are well-known, the AI community is only beginning to understand and classify incidents and scenarios that result in harm.[50]

This is a sensible framework for how to address AI risks because it makes it clear that it will be difficult to preemptively identify and address all potential AI risks. At the same time, there will be a continuing need to advance AI innovation while addressing AI-related harms. The key to striking that balance will be decentralized governance approaches and soft law techniques described below.

[Note: The subsequent sections of the study will detail how decentralized governance approaches and soft law techniques already are helping to address concerns about AI risks.]

Endnotes:

[1] Adam Thierer, Permissionless Innovation: The Continuing Case for Comprehensive Technological Freedom, 2nd ed. (Arlington, VA: Mercatus Center at George Mason University, 2016): 1-6, 23-38; Adam Thierer, Evasive Entrepreneurs & the Future of Governance (Washington, DC: Cato Institute, 2020): 48-54.

[2] “Wingspread Statement on the Precautionary Principle,” January 1998, https://www.gdrc.org/u-gov/precaution-3.html.

[3] Cass R. Sunstein, Laws of Fear: Beyond the Precautionary Principle (Cambridge, UK: Cambridge University Press, 2005). (“The Precautionary Principle takes many forms. But in all of them, the animating idea is that regulators should take steps to protect against potential harms, even if causal chains are unclear and even if we do not know that those harms will come to fruition.”)

[4] Henk van den Belt, “Debating the Precautionary Principle: ‘Guilty until Proven Innocent’ or ‘Innocent until Proven Guilty’?” Plant Physiology 132 (2003): 1124.

[5] H.W. Lewis, Technological Risk (New York: WW. Norton & Co., 1990): x. (“The history of the human race would be dreary indeed if none of our forebears had ever been willing to accept risk in return for potential achievement.”)

[6] Martin Rees, On the Future: Prospects for Humanity (Princeton, NJ: Princeton University Press, 2018): 136.

[7] Adam Thierer, “Failing Better: What We Learn by Confronting Risk and Uncertainty,” in Sherzod Abdukadirov (ed.), Nudge Theory in Action: Behavioral Design in Policy and Markets (Palgrave Macmillan, 2016): 65-94.

[8] Adam Thierer, “How to Get the Future We Were Promised,” Discourse, January 18, 2022, https://www.discoursemagazine.com/culture-and-society/2022/01/18/how-to-get-the-future-we-were-promised.

[9] J. Storrs Hall, Where Is My Flying Car? (San Francisco: Stripe Press, 2021)

[10] Derek Turner and Lauren Hartzell Nichols, “The Lack of Clarity in the Precautionary Principle,” Environmental Values, Vol 13, No. 4 (2004): 449.

[11] William Rinehart, “Vetocracy, the Costs of Vetos and Inaction,” Center for Growth & Opportunity at Utah State University, March 24, 2022, https://www.thecgo.org/benchmark/vetocracy-the-costs-of-vetos-and-inaction; Adam Thierer, “Red Tape Reform is the Key to Building Again,” The Hill, April 28, 2022, https://thehill.com/opinion/finance/3470334-red-tape-reform-is-the-key-to-building-again.

[12] Philip K. Howard, “Radically Simplify Law,” Cato Institute, Cato Online Forum, http://www.cato.org/publications/cato-online-forum/radically-simplify-law.

[13] Ibid.

^[14] Aaron Wildavsky, Searching for Safety (New Brunswick, NJ: Transaction Publishers, 1989): 38.

[15] Thierer, Permissionless Innovation, at 2.

[16] Gabrielle Bauer, “Danger: Caution Ahead,” The New Atlantis, February 4, 2022, https://www.thenewatlantis.com/publications/danger-caution-ahead.

[17] Richard B. Belzer, “Risk Assessment, Safety Assessment, and the Estimation of Regulatory Benefits” (Mercatus Working Paper, Mercatus Center at George Mason University, Arlington, VA, 2012), 5, http://mercatus.org/publication/risk-assessment-safety-assessment-and-estimation-regulatory-benefits; John D. Graham and Jonathan Baert Wiener, eds. Risk vs. Risk: Tradeoffs in Protecting Health and the Environment, (Cambridge, MA: Harvard University Press, 1995).

[18] Thierer, Permissionless Innovation, at 33-8.

[19] Adam Satariano, Nick Cumming-Bruce and Rick Gladstone, “Killer Robots Aren’t Science Fiction. A Push to Ban Them Is Growing,” New York Times, December 17, 2021, https://www.nytimes.com/2021/12/17/world/robot-drone-ban.html.

[20] Adam Thierer, “Soft Law: The Reconciliation of Permissionless & Responsible Innovation,” in Adam Thierer, Evasive Entrepreneurs & the Future of Governance (Washington, DC: Cato Institute, 2020): 183-240, https://www.mercatus.org/publications/technology-and-innovation/soft-law-reconciliation-permissionless-responsible-innovation.

[21] Henry Petroski, The Evolution of Useful Things (New York: Vintage Books, 1994): 34.

[22] Ibid., 27,

[23] Henry Petroski, To Engineer is Human: The Role of Failure in Successful Design (New York: Vintage, 1992): 9.

[24] James Lawson, These Are the Droids You’re Looking For: An Optimistic Vision for Artificial Intelligence, Automation and the Future of Work (London: Adam Smith Institute, 2020): 86, https://www.adamsmith.org/research/these-are-the-droids-youre-looking-for.

[25] Max More, “The Proactionary Principle (March 2008),” Max More’s Strategic Philosophy, March 28, 2008, http://strategicphilosophy.blogspot.com/2008/03/proactionary-principle-march-2008.html.

[26] Daniel Castro & Michael McLaughlin, “Ten Ways the Precautionary Principle Undermines Progress in Artificial Intelligence,” Information Technology and Innovation Foundation, February 4, 2019, https://itif.org/publications/2019/02/04/ten-ways-precautionary-principle-undermines-progress-artificial-intelligence.

[27] Thierer, Permissionless Innovation.

[28] Thierer, “Failing Better.”

[29] Virginia Postrel, The Future and Its Enemies (New York: The Free Press, 1998): xiv.

[30] Henry Petroski, To Engineer is Human: The Role of Failure in Successful Design (New York: Vintage, 1992): 62.

[31] Kevin Ashton, How to Fly a Horse: The Secret History of Creation, Invention, and Discovery (New York: Doubleday, 2015): 67.

[32] Megan McArdle, The Up Side of Down: Why Failing Well is the Key to Success (New York: Viking, 2014), 214.

[33] F. A. Hayek, The Constitution of Liberty (London: Routledge, 1960, 1990): 81. (“Humiliating to human pride as it may be, we must recognize that the advance and even preservation of civilization are dependent upon a maximum of opportunity for accidents to happen.”)

[34] Stefan H. Thomke, Experimentation Matters: Unlocking the Potential of New Technologies for Innovation (Harvard Business Review Press, 2003), 1.

[35] Daniel Castro and Alan McQuinn, “How and When Regulators Should Intervene,” Information Technology and Innovation Foundation Reports, (February 2015): 2 http://www.itif.org/publications/how-and-when-regulators-should-intervene.

[36] Ibid.

[37] Kevin Kelly, “The Pro-Actionary Principle,” The Technium, November 11, 2008, https://kk.org/thetechnium/the-pro-actiona.

[38] World Economic Forum, Agile Regulation for the Fourth Industrial Revolution (Geneva: Switzerland: 2020): 4, https://www.weforum.org/projects/agile-regulation-for-the-fourth-industrial-revolution.

[39] Jordan Reimschisel and Adam Thierer, “’Build & Freeze’ Regulation Versus Iterative Innovation,” Plain Text, November 1, 2017, https://readplaintext.com/build-freeze-regulation-versus-iterative-innovation-8d5a8802e5da.

[40] Adam Thierer, “Spring Cleaning for the Regulatory State,” AIER, May 23, 2019, https://www.aier.org/article/spring-cleaning-for-the-regulatory-state.

[41] Daniel Byler, Beth Flores & Jason Lewris, “Using Advanced Analytics to Drive Regulatory Reform: Understanding Presidential Orders on Regulation Reform,” Deloitte, 2017, https://www2.deloitte.com/us/en/pages/public-sector/articles/advanced-analytics-federal-regulatory-reform.html.

[42] Adam Thierer, Governing Emerging Technology in an Age of Policy Fragmentation and Disequilibrium, American Enterprise Institute (April 2022), https://platforms.aei.org/can-the-knowledge-gap-between-regulators-and-innovators-be-narrowed.

[43] Brian Christian, The Alignment Problem: Machine Learning and Human Values (New York: W.W. Norton & Company, 2020).

[44] Joshua D. Greene, “Our Driverless Dilemma,” Science (June 2016): 1515.

[45] Susan Leigh Anderson, “Asimov’s ‘Three Laws of Robotics’ and Machine Metaethics,” AI and Society, Vol. 22, No. 4, (2008): 477-493.

[46] Melanie Mitchell, Artificial Intelligence: A Guide for Thinking Humans (New York: Farrar, Straus and Giroux, 2019): 126 [Kindle edition.]

[47] Thomas A. Hemphill, “The Innovation Governance Dilemma: Alternatives to the Precautionary Principle,” Technology in Society, Vol. 63 (2020): 6, https://ideas.repec.org/a/eee/teinso/v63y2020ics0160791x2030751x.html.

[48] Adam Thierer, “Are ‘Permissionless Innovation’ and ‘Responsible Innovation’ Compatible?” Technology Liberation Front, July 12, 2017, https://techliberation.com/2017/07/12/are-permissionless-innovation-and-responsible-innovation-compatible.

[49] The National Institute of Standards and Technology, “AI Risk Management Framework: Initial Draft,” (March 17, 2022): 1, https://www.nist.gov/itl/ai-risk-management-framework.

[50] Ibid., at 5.

New Jurimetrics Article: “Soft Law in U.S. ICT Sectors: Four Case Studies”

Adam Thierer — Mon, 01 Feb 2021 21:02:45 +0000

After a slight delay, Jurimetrics has finally published my latest law review article, “Soft Law in U.S. ICT Sectors: Four Case Studies.” It is part of a major symposium that Arizona State University (ASU) Law School put together on “Governing Emerging Technologies Through Soft Law: Lessons For Artificial Intelligence” for the journal. I was 1 of 4 scholars invited to pen foundational essays for this symposium. Jurimetrics is a official publication of the American Bar Association’s Section of Science & Technology Law.

This report was a major undertaking that involved dozens of interviews, extensive historic research, several events and presentations, and then numerous revisions before the final product was released. The final PDF version of the journal article is attached.

Here is the abstract:

Traditional hard law tools and processes are struggling to keep up with the rapid pace of innovation in many emerging technologies sectors. As a result, policymakers in the United States rely increasingly on less formal “soft law” governance mechanisms to address concerns surrounding many newer technologies. This Article explores four case studies from different information technology areas where soft law mechanisms have already been utilized to address governance concerns. These four sectoral case studies include domain name management, content oversight, privacy policy, and cybersecurity matters. After considering the various soft law mechanisms used to address those issues, the Article concludes with some general thoughts about the effectiveness of those approaches and what lessons those case studies might hold for the use of soft law in other emerging technology sectors and contexts.

Trump’s AI Framework & the Future of Emerging Tech Governance

Adam Thierer — Wed, 08 Jan 2020 20:04:57 +0000

This week, the Trump Administration proposed a new policy framework for artificial intelligence (AI) technologies that attempts to balance the need for continued innovation with a set of principles to address concerns about new AI services and applications. This represents an important moment in the history of emerging technology governance as it creates a policy vision for AI that is generally consistent with earlier innovation governance frameworks established by previous administrations.

Generally speaking, the Trump governance vision for AI encourages regulatory humility and patience in the face of an uncertain technological future. However, the framework also endorses a combination of “hard” and “soft” law mechanisms to address policy concerns that have already been raised about developing or predicted AI innovations.

AI promises to revolutionize almost every sector of the economy and can potentially benefit our lives in numerous ways. But AI applications also raise a number of policy concerns, specifically regarding safety or fairness. On the safety front, for example, some are concerned about the AI systems that control drones, driverless cars, robots, and other autonomous systems. When it comes to fairness considerations, critics worry about “bias” in algorithmic systems that could deny people jobs, loans, or health care, among other things.

These concerns deserve serious consideration and some level of policy guidance or else the public may never come to trust AI systems, especially if the worst of those fears materialize as AI technologies spread. But how policy is formulated and imposed matters profoundly. A heavy-handed, top-down regulatory regime could undermine AI’s potential to improve lives and strengthen the economy. Accordingly, a flexible governance framework is needed and the administration’s new guidelines for AI regulation do a reasonably good job striking that balance.

Background

Last February, the White House issued Executive Order 13859, on “Maintaining American Leadership in Artificial Intelligence.” The Order announced the creation of the “American AI Initiative,” an effort to “focus the resources of the Federal government to develop AI.” It prioritized investments in AI-focused research and development (R&D), building a workforce ready for the AI era, international engagement on AI priorities, and the establishment governance standards for AI systems to “help Federal regulatory agencies develop and maintain approaches for the safe and trustworthy creation and adoption of new AI technologies.”

Regarding that last objective, Order 13589 required the Office of Management and Budget (OMB) and the Office of Science and Technology Policy (OSTP) to develop a framework and set of principles for federal agencies to follow when considering the development of regulatory and non‑regulatory approaches for AI. Importantly, the Order also specified that the framework should seek to “advance American innovation” and “reduce barriers to the use of AI technologies in order to promote their innovative application while protecting civil liberties, privacy, American values, and United States economic and national security.”

That resulted in the memorandum sent to heads of federal departments and agencies this week entitled, “Guidance for Regulation of Artificial Intelligence Applications” (hereinafter AI Guidance). The draft version of the AI Guidance specifies that “federal agencies must avoid regulatory or non-regulatory actions that needlessly hamper AI innovation and growth.” More specifically:

“Agencies must avoid a precautionary approach that holds AI systems to such an impossibly high standard that society cannot enjoy their benefits. Where AI entails risk, agencies should consider the potential benefits and costs of employing AI, when compared to the systems AI has been designed to complement or replace.”

But the AI Guidance is certainly not a call for comprehensive deregulation or the abandonment of all AI federal oversight. The memorandum’s very title reflects an understanding that existing laws and agency rules will continue to play a role in guiding the development of AI, machine-learning, and autonomous systems.

Accordingly, and consistent with past executive orders and OMB regulatory guidance documents for federal agencies, the AI Guidance establishes a set of ten principles that agencies must take into consideration when considering AI policy:

Public trust in AI: Requiring that “the government’s regulatory and non-regulatory approaches to AI promote reliable, robust, and trustworthy AI applications, which will contribute to public trust in AI.”
Public participation: Agencies must provide “ample opportunities for the public to provide information and participate in all stages of the rulemaking process.”
Scientific integrity and information quality: Agencies should “leverage scientific and technical information and processes” to build trust and ensure data quality and transparency.
Risk assessment and management: Acknowledging that “all activities involve tradeoffs,” the AI Guidance requires that “a risk-based approach should be used to determine which risks are acceptable and which risks present the possibility of unacceptable harm, or harm that has expected costs greater than expected benefits.”
Benefits and costs: As part of those risk assessments, agencies must “carefully consider the full societal costs, benefits, and distributional effects before considering regulations related to the development and deployment of AI applications. Such consideration will include the potential benefits and costs of employing AI, when compared to the systems AI has been designed to complement or replace, whether implementing AI will change the type of errors created by the system, as well as comparison to the degree of risk tolerated in other existing ones.”
Flexibility: OMB encourages agencies to “pursue performance-based and flexible approaches that can adapt to rapid changes and updates to AI applications.”
Fairness and non-discrimination: Acknowledging that “in some instances, introduce real-world bias that produces discriminatory outcomes or decisions that undermine public trust and confidence in AI,” the AI Guidance requires agencies to consider “issues of fairness and non-discrimination with respect to outcomes and decisions produced by the AI application at issue.”
Disclosure and transparency: Agencies are encouraged to consider how greater “transparency and disclosure can increase public trust and confidence in AI applications.”
Safety and security: Agencies are required to “promote the development of AI systems that are safe, secure, and operate as intended, and encourage the consideration of safety and security issues throughout the AI design, development, deployment, and operation process.”
Interagency coordination: The guidance makes it clear that a “coherent and whole-of-government approach to AI oversight requires interagency coordination.”

Soft Law Ascends

Importantly, the AI Guidance also encourages agencies to be open to “non-regulatory approaches to AI” governance and specifies three particular models:

Sector-specific policy guidance or frameworks: OSTP writes that “agencies should consider using any existing statutory authority to issue non-regulatory policy statements, guidance, or testing and deployment frameworks, as a means of encouraging AI innovation in that sector.” The memorandum also notes that this can include “work done in collaboration with industry, such as development of playbooks and voluntary incentive frameworks.”
Pilot programs and experiments: The document encourages the use of “pilot programs that provide safe harbors for specific AI applications” which “could produce useful data to inform future rulemaking and non-regulatory approaches.”
Voluntary consensus standards: Before regulating, the AI Guidance encourages agencies to consider how voluntary consensus standards, assessment programs, and compliance programs might be used to address policy concerns.

These represent “soft law” approaches to technological governance and they are becoming all the rage in technology policy discussions today. Soft law mechanisms are informal, collaborative, and constantly evolving governance efforts. While not formerly binding like “hard law” rules and regulations, soft law efforts nonetheless create a set of expectations about sensible development and use of technologies. Soft law can include multistakeholder initiatives, best practices and standards, agency workshops and guidance documents, educational efforts, and much more.

Soft law has become the dominant governance approach for emerging technologies because it is often better able to address the “pacing problem,” which refers to the growing gap between the rate of technological innovation and policymakers’ ability to keep up with it. As I have previously noted, the pacing problem is “becoming the great equalizer in debates over technological governance because it forces governments to rethink their approach to the regulation of many sectors and technologies.”

Not only do traditional legislative and regulatory hard law systems struggle to keep up with fast-paced technological changes, but oftentimes those older mechanisms are just too rigid and unsuited for new sectors and developments. That is definitely the case for AI, which is multi-dimensional in nature and even defies easy definition. Soft law offers a more flexible, adaptive approach to learning on the fly and cobbling together principles and policies that can address new policy concerns as they develop in specific contexts, without derailing potentially important innovations.

Building on Past Governance Frameworks

In this sense, the Trump administration’s AI Guidance borrows from past policy frameworks by marrying up a desire to promote an exciting new set of emerging technologies alongside the need for reasonable but flexible oversight and governance mechanisms. At a high level, the AI Guidance builds on many of the same principles that motivated the Clinton administration’s Framework for Global Electronic Commerce, a statement of principles and policy objectives for the then-emerging Internet. The document, which was issued in July 1997, said that “governments should encourage industry self-regulation and private sector leadership where possible” and “avoid undue restrictions on electronic commerce.”

The Framework was a clean break from the top-down regulatory paradigm that had previously governed traditional communications and media technologies. Clinton’s Framework insisted that, to the extent government intervention was needed at all, “its aim should be to support and enforce a predictable, minimalist, consistent and simple legal environment for commerce.” The use of soft law and multistakeholder models was a key component of this vision, and those more flexible governance approaches were tapped by the subsequent administrations to address emerging tech policy concerns.

For example, the Obama administration considerably expanded the use of multistakeholder mechanisms and other soft law tools in response to the need of oversight of fast-moving technologies. The Obama administration had many different policy governance efforts underway for specific AI technologies and concerns, including workshops and multistakeholder efforts focused on the safety, security, and privacy-related issues surrounding “big data” systems, online advertising, connected cars, drones, and more.

Whereas the Obama administration was deeper in the weeds of the policy issues associated with specific AI and machine-learning applications, the Trump administration has sought to both build on those focused efforts while also stepping back to consider AI governance at the 30,000-foot level. In essence, the AI Guidance combines some of the aspirational elements found in the Clinton Framework alongside the Obama administration’s more targeted approach to consider specific policy concerns across many different sectors and technologies.

Trump’s AI Guidance adds an element of formality to this process regarding how federal agencies should address AI developments and formulate potential policy responses. It does so by counseling humility and even potential forbearance until all the facts are in. “Fostering innovation and growth through forbearing from new regulations may be appropriate,” the memorandum says. Agencies should consider new regulation only after they have reached the decision, in light of the foregoing section and other considerations, that Federal regulation is necessary.” Again, this is very much consistent with more general regulatory guidance issued by every administration since President Reagan was in office.

Flexible, Adaptive Governance is Key

The AI Guidance foreshadows the future of not only AI governance but the governance of many other emerging technologies. Hard law will continue to provide a backstop and have a role in guiding technological developments. Toward that end, efforts like the new AI Guidance are important because it represents an effort to “regulate the regulators” by placing some ground rules on how they go about applying old law to new developments.

But soft law governance is where the real action is at, both for AI and almost all emerging technologies today. The Trump AI Guidance reflects the extent to which soft law has become the dominant governance paradigm for modern tech sectors. As my colleagues Jennifer Huddleston and Trace Mitchell have noted, soft law is already effectively the law of the land for driverless cars, for example. After years of congressional wrangling over a federal autonomous vehicle regulatory framework—one that has widespread bipartisan support, no less—we still do not have a law on the books. Instead, the Department of Transportation has been cobbling together informal “rules of the road” through informal guidance documents that have been “versioned” as if they were computer software (i.e., Version 1.0, 2.0, 3.0). Version 4.0 of the DoT guidance for automated vehicles was just released this week.

That is the same approach that the National Institute of Standards and Technology (NIST) has taken with the privacy guidelines it developed. NIST’s Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management is also versioned like software. And many other federal agencies, especially the Federal Trade Commission, have tapped a wide variety of soft law tools—such as agency workshops and workshop reports that recommended privacy best practices for various technologies. Meanwhile, the National Telecommunications and Information Administration (NTIA) has used multistakeholder processes to address privacy concerns surrounding a wide range of technologies, including drones and facial recognition. NIST, FTC, and NTIA have undertaken these informal governance efforts because, despite over a decade of debate, Congress still has not advanced comprehensive federal privacy legislation. For better or worse, soft law has filled that governance gap.

Addressing Likely Objections from Left & Right

Many people of varying ideological dispositions will object to the growing role of soft law as the primary governance tool for emerging technology policy. Some conservatives will cringe at the sound of giving regulators greater leeway to address amorphous policy concerns, fearing that it will result in unconstrained exercises of unaccountable, extra-constitutional power.

Some of those concerns are valid, but they fail to account for the fact that the prospects for agency downsizing or deregulation they prefer are extremely limited. Practically speaking, the administrative state isn’t going anywhere. In some cases, agencies can actually do some real good by encouraging innovators to think about how to “bake-in” sensible best practices to preemptively address concerns about the privacy, safety, security, and fairness of various AI systems. Better those concerns be addressed in more flexible, adaptive fashion than by a heavy-handed, overly-rigid regulatory approach. Soft law offers that possibility, even if legitimate concerns remain about agency accountability and transparency.

Many to the left of center will be critical of this governance approach as well, but on very different grounds. As Associated Press reporter Matt O’Brien notes, “the vagueness of the principles announced by the White House is unlikely to satisfy AI watchdogs who have warned of a lack of accountability as computer systems are deployed to take on human roles in high-risk social settings, such as mortgage lending or job recruitment.”

These concerns actually are addressed in several of the OSTP’s ten principles, including those which stress the need for fairness and non-discrimination, information quality, public participation, disclosure and transparency, and safety and security. Yet many on the left will claim these principles merely pay lip service to these values and that what is really needed is a full-blown regulatory regime and some sort of corresponding new federal AI agency, which would preemptively determine which AI technologies would be allowed into the wild.

Already, an Algorithmic Accountability Act was introduced in Congress last year that would ask the FTC to take a more active role in policing “inaccurate, unfair, biased, or discriminatory decisions impacting consumers” that may have resulted from “automated decision systems.” Meanwhile, some academics have called for the creation of a Federal Robotics Commission or a National Algorithmic Technology Safety Administration to preemptively oversee new AI developments.

The problem with overly-precautionary regulation of that sort could potentially unduly limit AI innovation and the many benefits it entails. There may be some AI applications that pose serious and immediate risks to humanity and which require preemptive restraints on their development and use. Autonomous military and law enforcement applications are the most obvious examples. But most AI applications do not rise to that same level of regulatory concern, and other governance approaches are required to balance the use and misuse of them. This is why a more open and flexible governance approach is needed. Moreover, the old regulatory system just cannot keep up anymore, and it is ill-suited to address most policy concerns in a timely or efficient fashion.

Cristie Ford, and advocate of greater regulatory oversight for fintech, notes in her latest book that the problem with “old-style Welfare State regulation” is that it is “a clumsy, blunt instrument for achieving regulatory objectives” due to its reliance upon “one-size-fits-all mandates, prohibitions, and penalties.” Ford acknowledges what many other regulatory advocates are reluctant to admit: public policies toward fast-paced technology sectors can no longer be governed effectively using the Analog Era’s top-down, command-and-control regulatory processes. Far too many federal agencies rely on a “build-and-freeze model” of regulation that puts rules in stone to deal with one sets of issues one day, but then either fails to eliminate them later when they become obsolete or to reform those rules to bring them in line with new social, economic, and technical realities.

If we hope to encourage continued innovation in sectors that could produce profoundly important, life-enriching technologies, America’s regulatory approach for AI and emerging technology needs to move away from “build-and-freeze” and toward “build-and-adapt.” Regulation is still needed, but the old regulatory toolkit is badly broken. For better or worse, soft law is going to fill the resulting governance gap, regardless of objections from some on the left or the right. Pragmatic policymaking is going to carry the day for emerging technology governance.

Conclusion

The Trump Administration AI Guidance represents a continuation and extension of this trend toward more flexible, adaptive governance approaches for emerging technologies. It offers a pragmatic vision that builds on the policies and paradigms of the past, while also encouraging fresh thinking about how best to balance the need for continued innovation alongside the various concerns about disruptive technological change.

There are many challenging issues that lie ahead and the new AI Guidance cannot provide bright-line answers to all the hypothetical questions that people want answered today. No one possesses a crystal ball that will allow them to forecast the technological future. Only ongoing trial-and-error experimentation and policy improvisation will allow us to find sensible solutions. A policy approach rooted in humility, flexibility, and forbearance will help ensure that America’s regulatory policies continue to promote both innovation and the public good.

Tech Policy, Unintended Consequences & the Failure of Good Intentions

Adam Thierer — Thu, 26 Sep 2019 19:09:20 +0000

by Andrea O’Sullivan & Adam Thierer

This essay originally appeared on The Bridge on September 25, 2019.

It is quickly becoming one of the iron laws of technology policy that by attempting to address one problem (like privacy, security, safety, or competition), policymakers often open up a different problem on another front. Trying to regulate to protect online safety, for example, might give rise to privacy concerns, or vice versa. Or taking steps to address online privacy through new regulations might create barriers to new entry, thus hurting online competition.

In a sense, this is simply a restatement of the law of unintended consequences. But it seems to be occurring with greater regularity in the technology policy today, and it serves as another good reminder why humility is essential when considering new regulations for fast-moving sectors.

Consider a few examples.

Privacy vs security & competition

Many US states and the federal government are considering data privacy regulations in the vein of the European Union’s wide-reaching General Data Privacy Regulation (GDPR). But as early experiences with the GDPR and various state efforts can attest, regulations aimed at boosting consumer privacy can often butt against other security and competition concerns.

Consider how the GDPR can be abused to undermine user security—and ultimately (and ironically) privacy itself. At this year’s Black Hat computer security conference, one researcher recently explained how the GDPR’s “right of access” provision—which mandates that companies give users their personal data—can be exploited by malicious actors to steal personally identifiable information. If a hacker is convincing enough, he or she can use “social engineering” to pose as the target and coax companies to divulge the information. Without GDPR’s mandated reporting infrastructure, such an attack would be much harder.

Nor are malicious actors even necessary for the GDPR to undermine security. In 2018, a customer requested their Alexa voice recordings from Amazon. The company sent the data to the wrong person in an apparent case of human error. If mighty Amazon cannot rise to the challenge of error-free GDPR compliance, what hope do smaller outfits have?

Perhaps the biggest story about the GDPR, however, has been its malign effects on competition. After all, the law earned its nickname—the “Google Data Protection Regulation”—for a reason. Titans like Google and Facebook have dominated European ad tech market since the advent of the GDPR because they can shoulder compliance risks in a way that smaller vendors cannot. More ad money has flowed to Google’s coffers as a result.

But the GDPR applies to far more than just ad tech. Ventures as varied as publishing and virtual tabletop dice rollers have been forced to shutter their digital doors rather than risk the wrath of European data authorities.

Similar stories emanate from the US. Illinois’ biometric privacy law, which governs the use of technologies like facial recognition and fingerprint scanning, led to the prohibition of Google’s Arts and Culture app which matched user-submitted photos with a classical work of art. If Google can’t hack it in the Land of Lincoln, how could a potential Google-slayer be expected to do so?

These are just the stories we hear about. A prematurely thwarted venture is unlikely to have a platform to voice their compliance problems. What is clear is that the data privacy laws enacted so far have had predictable negative impacts on security and competition, and that ill-defined “privacy fundamentalism” too often drives ill-fitting policies.

Safety vs. free speech & competition

Content moderation at scale is extremely challenging, especially as it relates to efforts to address “hate speech” and extremist viewpoints. On the one hand, free speech activists argue that onerous private content moderation policies can limit debate and punish certain viewpoints, particularly if a platform is a public default for expression. On the other hand, social justice activists contend that lax private standards can fuel the proliferation of conspiracy theories, radicalization, and violent rhetoric.

Recently, President Trump and some conservative lawmakers have been clamoring for greater regulatory controls of social media platforms in the name of “fairness” and countering supposed anti-conservative bias. Sens. Josh Hawley (R-MO) and Ted Cruz (R-TX), for example, have introduced a bill that would require platforms to submit their content moderation policies to regular regulatory audits. If a platform is deemed to be not “politically neutral,” it will lose its liability protections under Section 230 of the Communications Decency Act.

This is reminiscent of the “fairness doctrine,” a long-standing Federal Communications Commission (FCC) policy that was a thinly-veiled attempt to influence the political content of broadcast programs. Conservatives rightly opposed such government involvement in content decisions in decades past, but with this new effort against technology platforms, many of them are repeating the mistakes of the past.

The history of the actual fairness doctrine serves as a cautionary tale here. Today the fairness doctrine is mostly remembered as an anti-conservative effort because of the attention paid to right-leaning talk radio. Former Kennedy administration official Bill Ruder admitted that their “massive strategy was to use the [fairness doctrine] to challenge and harass right-wing broadcasters, and hope that the challenges would be so costly to them that they would be inhibited and decide it was too costly to continue.”

But as testaments from previous broadcast leaders point out, the fairness doctrine was wielded against both “conservatives” and “liberals” depending on who was in power and what their objectives were. When the Nixon administration took office, they wielded the rule to muzzle broadcasters who criticized the White House. And the FCC also applied the doctrine against The Kingmen’s song “Louie Louie” for its suspiciously unintelligible lyrics.

The tension between policies to promote “safety” and government-protected rights to free speech can be literal, as well. Consider efforts to ban so-called “3-D printed guns.” Defense Distributed and other activists do not 3-D print and sell guns. Rather, they publish the schematics for others to print their own arms online. As with the encryption technologies we will discuss below, such code is probably First Amendment-protected speech, although the applications of the schematics may be considered “dual-use” (meaning with both civilian and military applications.) An outright ban on 3-D printed gun blueprints very clearly antagonizes the right to free speech in the US and could threaten innovation in other open source, peer-to-peer 3D-printed applications.

Safety vs. privacy & security

Efforts to promote “safety” can also too often backfire at the expense of privacy and security.

Perhaps the most dramatic and high-stakes illustration of this principle was the years-long legal drama that pitted law enforcement authorities against computer scientists in the so-called “Crypto Wars.” Although cryptographic technologies that conceal data for privacy or security have been around since the days of ancient Egypt—our own Founding Fathers are known to have communicated using ciphers—in the 20th century, they had mostly been limited to military and academic institutions.

The advent of public-key cryptography made these security techniques more accessible to the public for the first time. This was great news for information security: communications and devices could be made hardened to attacks, and people were given more privacy options. But law enforcement feared that criminals would use cryptography to cover their tracks. Thus, in the name of safety, law enforcement first tried banning cryptography as a dual use technology through munitions export controls. When that failed on First Amendment grounds, policymakers attempted to legislate “backdoors” into encryption protocols that would allow government access.

It is easy to see how outright bans or backdoors for encryption technologies could hurt privacy and security. Obviously, prohibiting the civilian use of a privacy and security technology limits privacy and security. But granting government access into encryption standards would ironically ultimately undermine safety as well. After all, if a government can get into an encryption standard, so might a malicious hacker. Although the “Crypto Wars” seemed settled in the 1990’s, these same debates have been cropping up again as more and more devices have default encryption technologies.

We can also think about mandated reporting requirements intended to promote public safety. Consider the “know your customer” rules imposed on financial institutions. To prevent ills like money laundering and financial fraud, banks and exchanges must keep detailed customer information on file. Yet this ostensibly “pro-safety” rule generates its own security and privacy risks. Banks must manage to responsibly store and protect this valuable customer data, lest their customers’ information get hacked and their identities stolen. This has sadly too often proven too tall an order, and third-party-managed personally identifiable information is exposed to outside parties all the time.

A similar problem arises with efforts to promote child safety online. Consider the debate over MySpace’s age verification efforts in the mid-2000s. Child safety advocates grew concerned over the risks facing children on new social media platforms. Young children lacking awareness of the dangers that could lurk online could unwittingly make friendships with predators posing as other children. So a movement grew to require these new platforms to verify age and identity with a government-provided identification card.

There were obvious technical problems. For starters, children that were young enough to fall under the age verification limit were unlikely to have a government-provided photo identification card. But beyond these simple administrative issues, there was the question of privacy and security. Could Myspace adequately protect the reams of sensitive data from outside breach? Might children actually be put more at danger should those items—which would likely include the children’s address—fall into the wrong hands? And should the government and social media platforms really be in the business of parenting to begin with? Might this actually create a “moral hazard” which leaves parents thinking that online spaces are safer than they actually are?

Tying it all together

In each of these instances, it probably seemed like there was no downside to newly proposed regulations. With time, however, the dynamic effects associated with those policies become evident, and often result in the opposite of what was intended, or the policies led to other problems that supporters did not originally envision.

The nineteenth-century French economic philosopher Frédéric Bastiat famously explained the importance of considering the many unforeseen, second-order effects of economic change and policy. Many pundits and policy analysts pay attention to only the first-order effects—what Bastiat called “the seen”—and ignore the subsequent and often “unseen” effects. Those unseen effects can have profound real-world consequences in the form of less technological innovation, diminished growth, fewer job opportunities, higher prices, diminished choices, and other costs.

Even when defenders of the failed interventions are forced to admit that their well-intentioned plans did not work out as planned, their response is typically of the we-can-do-better variety. The result is usually just more regulation as one intervention begs another and another. As the Austrian economist Ludwig von Mises taught us 70 years ago in his masterwork, Human Action:

“All varieties of interference with the market phenomena not only fail to achieve the ends aimed at by their authors and supporters, but bring about a state of affairs which—from the point of view of their authors’ and advocates’ valuations—is less desirable than the previous state affairs which they were designed to alter. If one wants to correct their manifest unsuitableness and preposterousness by supplementing the first acts of intervention with more and more of such acts, one must go farther and farther…”

The lesson is clear: paternalistic public policies may sound sensible on the surface, but as Milton Friedman taught us long ago, “One of the great mistakes is to judge policies and programs by their intentions rather than their results. We all know a famous road that is paved with good intentions.”

Emerging Tech Export Controls Run Amok

Adam Thierer — Wed, 28 Nov 2018 16:55:53 +0000

By Adam Thierer & Jennifer Huddleston Skees

“ He’s making a list and checking it twice. Gonna find out who’s naughty and nice .”

With the Christmas season approaching, apparently it’s not just Santa who is making a list. The Trump Administration has just asked whether a long list of emerging technologies are naughty or nice — as in whether they should be heavily regulated or allowed to be developed and traded freely.

If they land on the naughty list, these technologies could be subjected to complex export control regulations, which would limit research and development efforts in many emerging tech fields and inadvertently undermine U.S. innovation and competitiveness. Worse yet, it isn’t even clear there would be any national security benefit associated with such restrictions.

From Light-Touch to a Long List

Generally speaking, the Trump Administration has adopted a “light-touch” approach to the regulation of emerging technology and relied on more flexible “soft law” approaches to high-tech policy matters. That’s what makes the move to impose restrictions on the trade and usage of these emerging technologies somewhat counter-intuitive. On November 19, the Department of Commerce’s Bureau of Industry and Security launched a “ Review of Controls for Certain Emerging Technologies .” The notice seeks public comment on “criteria for identifying emerging technologies that are essential to U.S. national security, for example because they have potential conventional weapons, intelligence collection, weapons of mass destruction, or terrorist applications or could provide the United States with a qualitative military or intelligence advantage.”

The Commerce Department has long sought to control the use of such technologies through a combination of methods, including formal export controls. The process for establishing such controls was clumsily cobbled together over time, so Congress passed the Export Control Reform Act of 2018 (ECRA) to formalize these regulations. ECRA requires that the President formulate an interagency process to coordinate these rules with the goal of creating, “a regular and robust process to identify the emerging and other types of critical technologies of concern, as defined in United States foreign direct investment laws, and regulate their release to foreign persons as warranted regardless of the nature of the underlying transaction.” As part of this process, the Commerce Department is to create a list “of foreign persons and end-uses that are determined to be a threat to the national security and foreign policy of the United States . . . and to whom exports, reexports, and transfers of items are controlled.”

Sweeping Breadth

That is what prompted the Trump Administration’s recent Emerging Technologies notice, which includes is a remarkably sweeping list of technologies that the Commerce Department is considering for the exports controls list. The list has 14 major categories:

(1) Biotechnology

(2) Artificial intelligence

(3) Position, Navigation, and Timing (PNT) technology

(4) Microprocessor technology

(5) Advanced computing technology

(6) Data analytics technology

(7) Quantum information and sensing technology

(8) Logistics technology

(9) Additive manufacturing / 3D printing

(10) Robotics

(11) Brain-computer interfaces

(12) Hypersonics

(13) Advanced materials

(14) Advanced surveillance technologies

The Department’s 14-category list also includes over 40 itemized examples of specific applications. For example, the “artificial intelligence” category alone includes a list of 11 applied types of AI, from AI cloud technologies and chipsets to neural networks to speech and audio processing.

The breadth of this list is remarkable in that it touches almost every emerging technology sector imaginable. It might have been easier for the Commerce Department to simply list those emerging technologies that will not be subject to review for potential export controls. It is an “everything-but-the-kitchen-sink” approach to emerging technology policy oversight and regulation that could clearly have far reaching consequences beyond national security.

There are some obvious dangers with such an open-ended review and it is important to remember these technologies have many beneficial applications as well as any potential risks.

Threatening Beneficial Uses

First, the potential export regulations create the danger of negative spillover effects that could undermine beneficial uses of each technology listed . All of the technologies listed have already been used in many ways that benefit both consumers and businesses. Limitations on their export could limit their availability or prevent improvements due to concerns that such broad interpretations of restrictions could limit the market.

For example, the regulation of AI mentioned above would not only address concerns about how AI might be used in weapons, but could even undermine the export of technology that has become a part of our everyday lives such as Siri in iPhones and Amazon’s Alexa. While the department claims that it seeks to “avoid negatively impacting U.S. leadership in the science, technology, engineering, and manufacturing sectors,” it is unlikely that any but the most narrowly tailored rules could actually avoid having a negative impact on innovation in the named technologies .

The more general purpose a technology the more difficult it will be to control the potential impact on the beneficial uses of the technology as well as the negative impacts. In fact, in some cases such as AI and robotics it can even be difficult to define what the technology is, because it is typically the applications and not the technology more generally that is being discussed and regulated. In many cases, the anti-export regulations would or could at least signal to entrepreneurial innovators that their time is better spent on other technologies or that their work should be taken elsewhere and risks the U.S. falling behind other countries in these important innovative areas.

Undermining International Competitiveness

Second, the inquiry could undermine U.S. competitiveness by encouraging more offshoring in a world of innovation arbitrage opportunities . With our increasingly connected global economy and specifically the more mobile nature of many emerging technologies, it is becoming easier for innovators who find themselves subjected to onerous regulations in one country to move their research and development efforts to another. This is sometimes referred to as “ innovation arbitrage .”

While the U.S. remains a leader in attracting innovators, this scenario has already played out several times. For example, Amazon moved its drone testing program to the UK rather than test in the US due in large part to FAA regulations regarding drones. Similarly, 23andme also initially took its direct-to-consumer genetic testing abroad after the FDA threatened to shut down their product.

Heavily regulating the export of general applications of these technologies could actually backfire and encourage innovators to take their research to countries like China where they do not face such regulations. R. David Edelman, the director of the Project on Technology, the Economy, and National Security at MIT, has noted that while the inquiry might be “intended to help US companies be more competitive,” the reality is that “it would almost certainly give Chinese companies that don’t face those same restrictions a sizable advantage in the playing field.”

Moreover, if export controls undermine domestic innovation and competitiveness in this fashion and benefit developers in other countries, it means the U.S. will have less of a say over the ethical development of many important technologies. Bloomberg contributor Noah Smith observes that , when it comes to the global race for hegemony in genetic sciences, China is poised to take the lead. “If the U.S. shies away from developing genetic-engineering technology, these riches will flow to China, or to whatever other countries seize the technological edge,” he notes. That would be problematic not just from a competitive perspective, but also from an ethical perspective, because America would have less of a say in guiding the development of these important but controversial technologies. “Dystopian outcomes are also less likely with the U.S. at the helm,” Smith believes.

Limiting or Ending Technologies Consumers Already Enjoy

Third, the inquiry could pose a threat to everyday consumer technologies that are already widely distributed . The most interesting thing about the technologies listed in the notice is that many of them have moved well beyond the “emerging” phrase of development. They are already out in the wild and being used by people every day.

For example, among the AI technologies listed in the notice are “speech and audio processing (e.g., speech recognition and production)” as well as, “natural language processing (e.g., machine translation).” We already enjoy a great many services such as those today, including Siri and Alexa. Meanwhile, there are technologies already on the market that help disabled and autistic children communicate and interact with their peers using AI and robotics.

For example, the KASPAR robot helps children with such disabilities learn social skills to interact with their peers and teach conversational skills. Similarly, technology that translates apparently nonverbal sounds and other methods of communication into speech via apps and other technology with various voices that others can understand could be subject to development ending regulations or be unable to help children in other countries if the proposed export restrictions are phrased too broadly. Not only might new restrictions limit the development of new technologies, it could even limit or eliminate those that we have already embraced and improved the lives of many.

Risk to Research & Open-Source Efforts

Fourth, the expansion of export controls for many of the technologies listed in the inquiry opens the door to widespread policing of open source coding and communications , but offers no explanation of how that would even work. A large number of the technologies on the Commerce Department list have both commercial and non-commercial applications. Innovation scholars use terms like “ free innovation ” and “social entrepreneurialism” to describe innovative efforts that are undertaken by individuals or groups of people to pursue a broader array of social goals or values beyond just profit-seeking.

A prominent example of social entrepreneurs engaging in free innovation involves the use of 3D printers and open source designs to voluntarily create prosthetics for children with limb deficiencies. What happens to collaborative, non-commercial innovations like that if export controls are suddenly imposed on additive manufacturing technologies by the Department of Commerce? If one participant is based outside the US, is that sufficient to subject such collaboration to export controls? What, exactly, would be subjected to controls? The 3D printers? The open source blueprints? The website hosting such information? It is difficult to imagine how such regulation would work in practice but it is easy to imagine the effect it would have if pursued: It would create a massive chilling effect on many beneficial forms of innovation and simultaneously threaten freedom of speech and academic research.

This same problem could play out in many other technology fields listed in the Commerce Department notice, including: robotics, speech recognition, biotechnology, and genetic engineering, among many others often engage in open and cross-border collaboration for open source development. Free innovation and social entrepreneurialism are expanding rapidly in these and other emerging technology arenas. Thus, export control regulation can no longer hinge on going after “deep-pocketed” corporations looking to sell physical systems. To be truly effective, regulations will need to cover bottom-up, “grassroots” innovation. But that move will have profound ramifications for the freedom to freely tinker with or even freely research important technologies and technological processes.

Dubious National Security Benefits

There’s a final danger associated with this effort: it might not help advance America’s national security objectives , and could even hinder them.

To the extent that ECRA and this new Department of Commerce effort lead to heightened scrutiny for the many dozens of technologies identified, it could undermine research and development efforts in many of those fields. It could do so directly (by formally limiting or forbidding domestic R&D efforts) or indirectly (by incentivizing many domestic emerging tech innovators to move their operations offshore, or discouraging foreign developers from setting up shop here). Not only would such actions risk the US losing its lead in innovation, it could actually result in such regulations backfiring from a national security perspective.

At the end of the day, the problem here is that Congress is failing to clearly identify what is “essential to the national security of the United States.” ECRA just passes the buck on that thorny question to the Commerce Department for a laundry list of emerging technologies. By soliciting public input, the best hope here is that experts in these various emerging technology sectors will step forward and identify the trade-offs associated with inclusion of most of these technologies on the export controls list. Hopefully, the list would then be narrowed the much smaller class of applied technologies that have a very real, immediate, and clearly catastrophic potential for harm to the national security interests of the nation. That would have been the better way to begin this process, but Congress and the Administration have instead adopted the opposite approach here and now we must hope that they are willing to significantly pare back the list of technologies even being considered for inclusion.

Back to the Crypto Wars?

In a sense, this debate was foreshadowed by the debate in the late 1990s over export controls for encryption technologies. As encryption emerged , law enforcement and national security agencies were concerned about its potential use by bad actors to hide or destroy evidence or information by using encrypted devices or services and sought to require backdoors to be able to access encrypted data and to restrict the export of certain types of encryption and certain encrypted devices. Such requirements, as the Information Technology & Innovation Foundation’s Daniel Castro and Alan McQuinn pointed out, would actually reduce the security of everyday Americans to cyber attacks, negatively impact U.S. businesses’ global competitiveness, and reduce the competitiveness and innovation of the technology sector not only in encryption but in related fields as well.

Luckily, many of these concerns were avoided and encryption restrictions have been narrowly tailored. Recent tensions between the FBI and tech companies like Apple illustrate that this debate is far from settled. Now it seems that the Commerce Department’s proposed restrictions could create the same vulnerabilities more broadly for a great number of emerging technologies.

“Soft Law” & Next Steps

In some ways this move to regulate technologies via export restrictions shows the dark side of the growing trend of “soft law.” Soft law, as we discuss in more detail in our forthcoming paper , includes regulatory actions such as guidance documents, working groups, sandboxing, and many other informal regulatory mechanisms. Such mechanisms are often used to regulate emerging technologies in the absence of formal actions or because the traditional policymaking apparatus cannot keep pace with the rapid evolution of technology. In many cases soft law has been used to accelerate technological development that otherwise might have been limited by traditional hard law.

But where soft law thrives in the vacuum left by a lack of formal delegation and regulation, this inaction also poses risks. Agencies like the Commerce Department could extend amorphous powers over emerging technologies without the expertise to fully understand the way such regulations might negatively affect beneficial technological developments, which are typically hard to predict in advance.

A smarter approach to export controls for emerging technologies begins with a rational assessment of:

a more robust evaluation of what really constitutes a tangible, immediate, irreversible, and catastrophic harm to the national security interests of the United States;
the practicality of proposed controls for any emerging technologies considered for inclusion on the list;
the wisdom of placing technologies on the list which already have been developed or marketed overseas (or appear poised to be); and,
the potential unintended consequences that any new export controls might have on the innovative potential of American creators and companies, the future of research in important sectors, the free flow of knowledge regarding peaceful applications, and the competitive standing of the United States relative to other countries.
whether catastrophic concerns about emerging technologies might be better addressed through multilateral accords or agreements aimed at achieving global consensus regarding inappropriate use and applications (as has been done in chemical weapon treaties and nuclear non-proliferation efforts).

Several specific technologies may still qualify for inclusion on the export controls list after such an evaluation, but it will start with a more limited approach and then expand as necessary. Such an approach assumes that in general purpose technology is not a threat until proven otherwise. By inverting the process in this fashion, the Administration wouldn’t be treating every emerging technology under the sun as guilty until proven innocent; innovations would be allowed to flourish naturally until the potential for harm is well-documented.

Unfortunately, the Commerce Department’s proposed approach does just the opposite and risks minimizing the benefits of these emerging technologies while doing little to advance national security interests in a meaningful way.

new Mercatus paper on “Public Policy for Virtual and Augmented Reality”

Adam Thierer — Mon, 25 Sep 2017 17:26:15 +0000

The Mercatus Center at George Mason University has just released a new paper on,”Permissionless Innovation and Immersive Technology: Public Policy for Virtual and Augmented Reality,” which I co-authored with Jonathan Camp. This 53-page paper can be downloaded via the Mercatus website, SSRN or Research Gate.

Here is the abstract for the paper:

Immersive technologies such as augmented reality, virtual reality, and mixed reality are finally taking off. As these technologies become more widespread, concerns will likely develop about their disruptive social and economic effects. This paper addresses such policy concerns and contrasts two different visions for governing immersive tech going forward. The paper makes the case for permissionless innovation, or the general freedom to innovate without prior constraint, as the optimal policy default to maximize the benefits associated with immersive technologies. The alternative vision — the so-called precautionary principle — would be an inappropriate policy default because it would greatly limit the potential for beneficial applications and uses of these new technologies to emerge rapidly. Public policy for immersive technology should not be based on hypothetical worst-case scenarios. Rather, policymakers should wait to see which concerns or harms emerge and then devise ex post solutions as needed.

To better explain why precautionary controls on these emerging technologies would be such a mistake, Camp and I provide an inventory of the many VR, AR, and mixed reality applications that are already on the market–or soon could be–and which could provide society with profound benefits. A few examples include:

Education and museums. Immersing users in virtual environments allows Google’s Expedition Pioneer Program to provide 360-degree video tours of famous landmarks and ruins, and museums are already using AR technology to provide interactive content.
Worker training and systems monitoring. VR industrial simulators such as ForgeFX are being used to train workers to master a variety of complex tasks, while AR systems can be leveraged to help farmers with crop management from afar.
Healthcare. CT scans and MRIs are being converted into 3-D models to perform surgery that was once thought impossible, and the world’s first VR medical training facility opened in London in November of 2016.
Engineering. Virtual modeling technology is being combined with VR to allow touring of unbuilt vehicles and buildings, lowering the costs of construction and design.
Military. The military has used VR for combat simulations, medic training, flight simulators, vehicle simulators, and even the treatment of PTSD.

And that just scratches the surface of some of the many exciting applications out there. The virtual sky is the limit with immersive tech — so long, that is, as we don’t derail these life-enriching technologies with misguided, fear-based public policy restrictions. Please read the paper for more details.

DOT’s Driverless Cars Guidance: Will “Agency Threats” Rule the Future?

Adam Thierer — Tue, 20 Sep 2016 21:12:15 +0000

Today, the U.S. Department of Transportation released its eagerly-awaited “Federal Automated Vehicles Policy.” There’s a lot to like about the guidance document, beginning with the agency’s genuine embrace of the potential for highly automated vehicles (HAVs) to revolutionize this sector and save thousands of lives annually in the process.

It is important we get HAV policy right, the DOT notes, because, “35,092 people died on U.S. roadways in 2015 alone” and “94 percent of crashes can be tied to a human choice or error.” (p. 5) HAVs could help us reverse that trend and save thousands of lives and billions in economic costs annually. The agency also documents many other benefits associated with HAVs, such as increasing personal mobility, reducing traffic and pollution, and cutting infrastructure costs.

I will not attempt here to comment on every specific recommendation or guideline suggested in the new DOT guidance document. I could nit-pick about some of the specific recommended guidelines, but I think many of the guidelines are quite reasonable, whether they are related to safety, security, privacy, or state regulatory issues. Other issues need to be addressed and CEI’s Marc Scribner does a nice job documenting some of them is his response to the new guidelines.

Instead of discussing those specific issues today, I want to ask a more fundamental and far-reaching question which I have been writing about in recent papers and essays: Is this guidance or regulation? And what does the use of informal guidance mechanisms like these signal for the future of technological governance more generally?

When Is “Voluntary” Really Mandatory?

The surreal thing about DOT’s new driverless car guidance is how the agency repeatedly stresses it “is not mandatory” and that the guidelines are voluntary in nature but then — often in the same paragraph or sentence — the agency hints how it might convert those recommendations into regulations in the near future. Consider this paragraph on pg. 11 of the DOT’s new guidance document:

The Agency expects to pursue follow-on actions to this Guidance, such as performing additional research in areas such as benefits assessment, human factors, cybersecurity, performance metrics, objective testing, and others as they are identified in the future. As discussed, DOT further intends to hold public workshops and obtain public comment on this Guidance and the other elements of the Policy. This Guidance highlights important areas that manufacturers and other entities designing HAV systems should be considering and addressing as they design, test, and deploy HAVs. This Guidance is not mandatory. NHTSA may consider, in the future, proposing to make some elements of this Guidance mandatory and binding through future regulatory actions. This Guidance is not intended for States to codify as legal requirements for the development, design, manufacture, testing, and operation of automated vehicles. Additional next steps are outlined at the end of this Guidance. [emphasis added.]

The agency continues on to request that “manufacturers and other entities voluntarily provide reports regarding how the Guidance has been followed,” but then notes how “[t]his reporting process may be refined and made mandatory through a future rulemaking.” (p. 15)

And so it goes throughout the DOT’s new “guidance” document. With one breath the DOT suggests that everything is informal and voluntary; with the next it suggests that some form of regulation could be right around the proverbial corner.

Agency Threats Are the Future of Technological Governance

What’s going on here? In essence, DOT’s driverless car guidance is another example of how “soft law” and “agency threats” are becoming the dominant governance models for fast-paced emerging technology.

As noted by Tim Wu, a proponent of such regimes, these agency threats can include “warning letters, official speeches, interpretations, and private meetings with regulated parties.” “Soft law” simply refers to any sort of informal governance mechanism that agencies might seek to use to influence private decision-making or in this case the future course of technological innovation.

The problem with agency threats, as my former Mercatus Center colleague Jerry Brito pointed out in a 2014 law review article, is that they are fundamentally undemocratic and represent a betrayal of the rule of law. The use of “threat regimes,” Brito argued, “places undue power in the hands of regulators unconstrained by predictable procedures.” Such regimes breed uncertainty by leaving decisions up to the whim of regulators who will be unconstrained by administrative procedures, legal precedents, and strict timetables. “[B]ecause it has no limiting principle,” Brito concluded, the agency threats model “leaves the regulatory process without much meaning” and “would obviously be ripe for abuse.”

The danger exists that we are witnessing gradual mission creep as the DOT’s “guidance” process slowly moves from being a truly voluntary self-certification process to something more akin to a pre-market approval process. Every “informal” request that DOT makes — even when those requests are just presented in the form of vague questions — opens the door to greater technocratic meddling in the innovation process by federal bureaucrats.

Coping with the Pacing Problem

Why are agencies like the DOT adopting this new playbook? In a nutshell, it comes down to the realization on their part that the “pacing problem” is now an undeniable fact of life.

I discussed the pacing problem at length in my recent review of Wendell Wallach’s important new book, A Dangerous Master: How to Keep Technology from Slipping beyond Our Control. Wallach nicely defined the pacing problem as “the gap between the introduction of a new technology and the establishment of laws, regulations, and oversight mechanisms for shaping its safe development.” “There has always been a pacing problem,” Wallach noted, but like other philosophers, he believes that modern technological innovation is occurring at an unprecedented pace, making it harder than ever to “govern” it using traditional legal and regulatory mechanisms.

Which is exactly why the DOT and whole lot of other agencies are now defaulting to soft law and agencies threat models as their old regimes struggle to keep up with the pace of modern technological innovation. As the DOT put it in its new guidance document: “The speed with which HAVs are advancing, combined with the complexity and novelty of these innovations, threatens to outpace the Agency’s conventional regulatory processes and capabilities.” (p. 8) More specifically, the agency notes that:

The remarkable speed with which increasingly complex HAVs are evolving challenges DOT to take new approaches that ensure these technologies are safely introduced (i.e., do not introduce significant new safety risks), provide safety benefits today, and achieve their full safety potential in the future. To meet this challenge, we must rapidly build our expertise and knowledge to keep pace with developments, expand our regulatory capability, and increase our speed of execution. (p. 6)

Rarely has any agency been quite so blunt about how it is racing to get ahead of the pacing problem before it completely loses control of the future course of technological innovation.

But the DOT is hardly alone in its increased reliance on soft law governance mechanisms. In fact, I’m in the early research stages of a new paper about what soft law and agency threat models mean for the future of emerging technology and its governance. In that paper, I hope to document how many different agencies (FAA, FDA, FTC, FCC, NTIA, & DOT among others) are using some variant of soft law model to informally regulate the growing universe of emerging technologies out there today (commercial drones, connected medical devices, the Internet of Things, 3D printing, immersive technology, the sharing economy, driverless cars, and more.)

If nothing else, I would like to devise a taxonomy of soft law/agency threat models and then discuss the upsides and downsides of those models. If anyone has recommendations for additional reading on this topic, please let me know. The best thing I have seen on the issue is a 2013 book of collected essays on Innovative Governance Models for Emerging Technologies, edited by Gary E. Marchant, Kenneth W. Abbott and Braden Allenby. I’m surprised more hasn’t been written about this in law reviews or political science journals.

What Does It Mean for Innovation? And Accountable Government?

So, what does all this mean for the future of driverless cars, autonomous systems, and other emerging technologies? I think it’s both good and bad news.

The good news — at least from the perspective of those of us who want to see innovators freed up to experiment more without prior restraint — is that the technological genie is increasingly out of the bottle. Technology regulators are at an impasse and they know it. Their old regulatory regimes are doomed to always be one step behind the action. Thus, a lot of technological innovation is going to be happening before any blessing has been given to engage in those experiments.

The bad news is that the regulatory regimes of the future will become almost hopelessly arbitrary in terms of their contours and enforcement ceiling. Basically, in our new world of soft law and agency threats, you can tear up the Administrative Procedures Act and throw it out the window. When regulatory agencies act in the future, they will do so in a sort of extra-legal Twilight Zone, where things are not always as they seem. Agencies will increasingly act like nagging nannies, constantly pressuring innovators to behave themselves. And sometimes that nagging will work, and sometimes it will even improve consumer welfare at the margin! It will work sometimes precisely because government still wields a mighty big hammer and no innovator wants to be nailed to the ground in the courts, or the court of public opinion for that matter. Thus, many — not all, but many — of those innovators will go along with whatever agencies like DOT suggests as “best practices” even if those guidelines are horribly misguided or have no force of law whatsoever. And because agencies know that many (perhaps most) innovators will fall in line with whatever “best practices” or “codes of conduct” that they concoct, it will reinforce the legitimacy of this model and become the new method of imposing their will on current or emerging technology sectors.

Again, agency threats won’t always work because some innovators will continue to engage in rough forms of “technological civil disobedience” and just ignore a lot of these informal guidelines and agency threats. Agencies will push back and seek to make an example of specific innovators (especially the ones with deep pockets) in order to send a message to every other innovator out there that they better fall in line or else!

But what that “or else!” moment or action looks like remains completely unclear. The problem with soft law is that, by its very nature, it is completely open-ended and fundamentally arbitrary. It is really just “ non-law law.” That’s the “legal regime” that will “govern” the emerging technologies of the present and the future.

Isn’t Soft Law Better Than the Alternative?

Now, here’s the funny thing about this messy, arbitrary, unaccountable world of soft law and agency threats: It is probably a hell of lot better than the old world we used to live in!

The old analog era regulatory systems were very top-down and command-and-control in orientation. These traditional regimes were driven by the desire of regulators to enforce policy priorities by imposing prior restraints on innovation and then selectively passing out permission slips to get around those rules.

As I noted in my latest book, the problem with those traditional regulatory systems is that they “tend to be overly rigid, bureaucratic, inflexible, and slow to adapt to new realities. They focus on preemptive remedies that aim to predict the future, and future hypothetical problems that may not ever come about. Worse yet, administrative regulation generally preempts or prohibits the beneficial experiments that yield new and better ways of doing things.” (Permissionless Innovation, p. 120)

For all the reasons I outlined in my book and other papers on these topics, “permissionless innovation” remains the superior policy default compared to precautionary principle-based prior restraints. But I am not so naïve as to expect that permissionless innovation will prevail in the policy world all of the time. Moreover, I am not one of those technological determinists who goes around saying that technology is an unstoppable force that relentlessly drives history, regardless of what policymakers say. I am more of a soft determinist who believes that technology often can be a major driver of history, but not without a significant shaping from other social, cultural, economic, and political forces.

Thus, as much as I worry about the new “soft law/agency threats” regime being arbitrary, unaccountable, and innovation-threatening, I know that the ideal of permissionless innovation will only rarely be our default policy regime. But I also don’t think we are going back the old regulatory regimes of the past and we absolutely wouldn’t want to anyway in light of the deleterious impacts those regimes had on innovation in practice.

The best bet for those of us who care about the freedom to innovate is to make sure that these soft law governance mechanisms have some oversight from Congress (unlikely) and the Courts (more likely) when agencies push too far with informal agency threats. Better yet, we can hope that the pace of technological change continues to accelerate and pressures agencies to only intervene to address the most pressing problems and then largely leaves the rest of the field wide open for continued experimentation with new and better ways of doing things.

But make no doubt about it, as today’s DOT guidance document for driverless cars makes clear, “agency threats” will increasingly shape the future of emerging technologies whether we like it or not.

Tech Policy Threat Matrix

Adam Thierer — Thu, 24 Sep 2015 15:52:56 +0000

On the whiteboard that hangs in my office, I have a giant matrix of technology policy issues and the various policy “threat vectors” that might end up driving regulation of particular technologies or sectors. Along with my colleagues at the Mercatus Center’s Technology Policy Program, we constantly revise this list of policy priorities and simultaneously make an (obviously quite subjective) attempt to put some weights on the potential policy severity associated with each threat of intervention. The matrix looks like this: [Sorry about the small fonts. You can click on the image to make it easier to see.]

I use 5 general policy concerns when considering the likelihood of regulatory intervention in any given area. Those policy concerns are:

privacy (reputation issues, fear of “profiling” & “discrimination,” amorphous psychological / cognitive harms);
safety (health & physical safety or, alternatively, child safety and speech / cultural concerns);
security (hacking, cybersecurity, law enforcement issues);
economic disruption (automation, job dislocation, sectoral disruptions); and,
intellectual property (copyright and patent issues).

I realize that some of these five categories could be sub-divided and refined. I also understand that these five groupings may not encapsulate the full range of potential policy issues out there, but I’ve tried to avoid having too many categories to keep this as conceptually tidy as is possible. However, I might need to add a separate category for civil rights and disabilities-related policy issues eventually. Likewise, “psychological considerations” might deserve its own category because they do not necessarily perfectly fit into either the privacy or safety buckets right now, even though that’s where I have them currently. For example, some privacy activists call for regulation of “big data” and large databases based on fears about how all that data collection makes people feel about themselves. I consider that a privacy-related concern now, but you could imagine that being in a separate category. Meanwhile, there’s long been calls to regulate various types of media content (music, movies, video games, online porn, etc) based on the psychological impact they have on children. Those “media effects” theories have always been considered a child safety issue, which is where I currently have them slotted, but they could probably be its own category that also included concerns about distraction and addiction (which could come to haunt VR technologies in the future).

Anyway, my colleagues and I use this current matrix to help us determine what we should be paying more attention to and what sort of scholarly outputs are needed to address regulatory threats on each front. Generally speaking, this is the portfolio of issues I try to stay on top of full-time at Mercatus as part of our ongoing “Permissionless Innovation” project.

Several people who have seen that matrix in my office tell me I should do something more with it, but I’m not really sure what that something would be. In any event, I thought it might make sense to post it here to give others a feel for the current set of emerging tech policy issues that interest us at Mercatus. I will try to upload new versions of the matrix as that giant whiteboard in my office morphs over time and the list of technologies and regulatory threats changes or grows.

Incidentally, I am often asked to explain the relative weights I’ve assigned to each potential regulatory threat, so I will try to justify some of those rankings here briefly. (Again, it’s all quite subjective and I’m always open to hearing the case for tweaking the rankings.)

Big Data / Online Marketing / the Internet of Things (IoT): Privacy is the #1 policy threat for these sectors. From a public policy perspective, what unifies these technologies is a growing concern about how expanding private sector data collection efforts could affect our privacy or reputations. We’ve already seen a flurry of legislative and regulatory activity here in the U.S. aimed at placing restrictions on data collection or use. And it goes without saying that other countries, especially in Europe, already impose a wide variety of controls on data collection in the name of privacy protection. There also exists a variety of closely-related security concerns here. But the rise of IoT technologies have introduced safety concerns into the mix in a major way, too. That’s especially true because of the large number of Big Data services and IoT devices that are health and medical related. Taken together, this is the issue set I spend the majority of my time covering because the privacy and security implications of a data-driven economy already occupies the attention of countless regulatory activists and public policymakers across the globe. I think that will continue to be the case for many years to come.
Robotics: Safety concerns tend to be the biggest driver of calls for regulation of robotic and autonomous technology. For example, new laws and regulations are already being proposed for driverless cars based on fears about the hacking of connected vehicles. And commercial drones attract policy attention based on safety-related concerns such as whether a drone could strike an airplane, or even just fall on our heads. Proposals have been floated to mandate the equivalent of DRM for drones, which would force drone innovators to embed federally-approved technological controls into their systems designating where they are allowed to fly. Even if most of these concerns are overstated or are currently being dealt with, we can expect more safety-related policy proposals for robotic tech in coming years. Economic concerns would be a close second here due to the increasing worry that robots will eat all our jobs. At least so far, however, that concern has tended to be more of an academic nature rather than a public policy consideration. And it remains unclear what the policy prescription would be in this regard without becoming a neo-Luddite, “smash-the-machines” sort of proposal. That could change in coming years, however. It all depends on the labor market situation over time. Meanwhile, academics are floating the idea of a Federal Robotics Commission to provide greater policy “expertise” in the form of yet another technocratic Beltway bureaucracy.
Additive manufacturing / 3D printing: Safety is probably the #1 concern here, although depending on what type of 3D-printed object we are talking about, it could be the case that intellectual property concerns will be a bigger driver of calls for regulatory intervention. A lot of the policy-related concerns around 3D printing today are being driven by worries over things like 3D-printed guns. That’s mostly a safety concern, of course. But it we are talking about the replication of branded commercial objects (3D-printed toys or other things, for example), then IP tends to be the bigger concern. The question of product liability also looms large here and it remains unclear how claims might be sorted out when there are fewer large, deep-pocketed intermediaries to go after in a world of decentralized production. Hopefully, those liability norms will be left to the courts and common law to sort out over time, but I wouldn’t be surprised to see more calls for preemptive legislative interventions here in both directions: i.e., some will call legislators to impose greater liability on certain parties while others will push to immunize intermediaries from punishing forms of liability for the downstream actions of others (like a Sec. 230 norm for 3D printing).
Medical tech innovation: It goes without saying that traditional safety concerns will drive policy for advanced medical technologies, just as they have for earlier drugs, devices, and treatments. As software continues to “eat the world” and invade the world of health and medicine, regulators are increasingly going to be trying to figure out how to pigeonhole new technologies into old regulatory constructs. That’s why I have been watching how the FDA continues to deal with 3D-printed prosthetics and mobile medical apps on our smartphones. Eventually, the continuing decentralized democratization of 3D printing (driven by rapidly falling costs) will collide with old medical device regulatory realities and a century’s worth of FDA command-and-control style regulation. Oh my, what a fight that will be! And then chemical printers will become more widespread and this issue will get even more intense. The policy fight here is even more interesting because of all the thorny ethical issues pertaining to the rise of embeddable technology, biohacking, and genome innovation. I have a feeling that my policy portfolio will shift rapidly in this direction in coming years as the modern info-tech revolution spreads to the world of medicine and health. I already have two new papers coming out on these issues in the next few weeks.
Sharing economy: Economic disruption is clearly the big policy issue here. Specifically, many policymakers and incumbent industries aren’t very happy about new entrants coming into their sectors and offering consumers services without strictly complying with traditional regulations. But safety issues often pop up in these debates when regulators or advocates claim we can’t trust sharing economy operators. What’s particularly interesting about this space is how these policy battles are playing out at almost every level of government: federal, state, local, and international. At least thus far, sharing economy innovators tend to be winning most of those battles. But the fight continues.
Crypto & Bitcoin: I think safety would probably be the biggest issue here, in the sense that policymakers fear a world of unregulated crypto and decentralized blockchain applications are a world in which the “bad guys” will be able to use those technologies to harm the public in some fashion. We’ve heard this all before, of course, but (going all the way back to the Clipper Chip wars) you can always bank on law enforcement officials resorting to Chicken Little claims about terrorists and child predators thriving in a world of unregulated crypto. In many ways, this is the most important of all these policy fights because if the government can regulate crypto and blockchain technologies, it severely undermines the fabric of almost all the other technologies and platforms discussed herein. This is why the current debate over government-mandated “backdoors” is so important; it has profound ramifications for every other tech regulation debate that follows.
Immersive Tech (VR and augmented reality): This is an amorphous and evolving area that I am getting increasingly interested in, but the policy issues here have yet to come into clear focus. However, when Google Glass was launched, there was a brief technopanic of sorts over its privacy and security ramifications. Those concerns have subsided a bit as Google Glass has seemingly faded away (probably because of its high price point more than because of its privacy concerns), but I suspect that future iterations of augmented reality technologies will raise similar concerns. That will especially be true as more sophisticated biometric (and facial recognition) capabilities are integrated into them. Academics are already wondering how to enforce “notice and consent” privacy norms and rules in a world where everyone is wearing miniature body cams and heads-up displays in their sunglasses. I’m not sure it’s even possible, but that debate will continue and include all sorts of calls for technological controls. OK, that’s augmented reality, but what about virtual reality technologies? I think safety concerns could drive some policy proposals as critics grow concerned about the psychological implications of people (especially kids) spending more and more time in immersive virtual worlds. In that sense, we might see a replay of the earlier debate over violent video games and/or video game addition. But it remains to be seen.

Incidentally, I use this matrix and provide more context to it in my big presentation on “Permissionless Innovation & the Clash of Visions over Emerging Technologies.” [It’s embedded below.] And I discuss most of these issues in more detail in my book, Permissionless Innovation: The Continuing Case for Comprehensive Technological Freedom. I am in the process of finishing up the second edition of that book and will be expanding the case studies about the issues discussed above. Finally, I discussed many of these policy threats during my recent appearance on the Andreessen Horowitz podcast.

Update 10/2/15: For another take on various new technology trends and the potential policy issues they raise, check out this report from the World Economic Forum, Deep Shift: Technology Tipping Points and Societal Impact. The WEF report identifies 21 technology “shifts” and then groups them into six “mega-trend” categories. Almost all these issues are on my matrix above, but the WEF report provides some nice additional context on why each technology trend will be so disruptive.

“Permissionless Innovation” & the Clash of Visions over Emerging Technologies from Adam Thierer

New Filing & Working Paper on the Regulation of the Sharing Economy

Adam Thierer — Tue, 26 May 2015 17:41:04 +0000

Along with colleagues at the Mercatus Center at George Mason University, I am releasing two major new reports today dealing with the regulation of the sharing economy. The first report is a 20-page filing to the Federal Trade Commission that we are submitting to the agency for its upcoming June 9th workshop on “The “Sharing” Economy: Issues Facing Platforms, Participants, and Regulators.” We have been invited to participate in that event and I will be speaking on the fourth panel of the workshop. The filing I am submitting today for that workshop was co-authored with my Mercatus colleagues Christopher Koopman and Matt Mitchell.

The second report we are releasing today is a new 47-page working paper entitled, “How the Internet, the Sharing Economy, and Reputational Feedback Mechanisms Solve the ‘Lemons Problem.'” This study was co-authored with my Mercatus colleagues Christopher Koopman, Anne Hobson, and Chris Kuiper.

I will summarize each report briefly here.

In our new filing to the FTC, we address the five questions the Commission set forth in its workshop annoucement. Those five questions are as follows:

How can state and local regulators meet legitimate regulatory goals (such as protecting consumers, and promoting public health and safety) in connection with their oversight of sharing economy platforms and business models, without also restraining competition or hindering innovation?
How have sharing economy platforms affected competition, innovation, consumer choice, and platform participants in the sectors in which they operate? How might they in the future?
What consumer protection issues—including privacy and data security, online reviews and disclosures, and claims about earnings and costs—do these platforms raise, and who is responsible for addressing these issues?
What particular concerns or issues do sharing economy transactions raise regarding the protection of platform participants? What responsibility does a sharing economy platform bear for consumer injury arising from transactions undertaken through the platform?
How effective are reputation systems and other trust mechanisms, such as the vetting of sellers, insurance coverage, or complaint procedures, in encouraging consumers and suppliers to do business on sharing economy platforms?

We provide detailed answers to each of these questions as well as one additional major question that was not posed by the Commission in its workshop notice but which is, no doubt, on the minds of many at the agency and outside it: What should the FTC do about state and local barriers to entry and innovation that might be thwarting the growth of the sharing economy? (I blogged about that issue here a couple of weeks ago and our filing includes that discussion.)

Please take a look at our filing for detailed answers to each of these questions. (Incidentally, our filing is an extension of an earlier working paper that Koopman, Mitchell, and I released late last year on “The Sharing Economy and Consumer Protection Regulation: The Case for Policy Change.”) But, to briefly highlight the thrust of our argument, here’s a passage from our new filing:

As the debate surrounding the sharing economy moves forward, policymakers must keep in mind that merely because regulations were once justified on the grounds of consumer protection does not mean they accomplished those goals or that they are still needed today. Even well-intentioned policies must be judged against real-world evidence. Unfortunately, the evidence shows that many traditional consumer protection regulations hurt consumers; in the words of New York Attorney General Eric Schneiderman, they are often “cumbersome, and some are just plain protectionist.” Markets, competition, reputational systems, and ongoing innovation often solve problems better than regulation when they are given a chance to do so. There are two reasons for this. First, market imperfections create powerful profit opportunities for entrepreneurs who are able to find ways to correct them. Second, regulatory solutions too often undermine competition and lock in inefficient business models.

We continue on to explain exactly why that is the case, while also offering some constructive solutions to other issues that are on the minds of regulators.

Meanwhile, the new working paper we are releasing today provides much greater detail on the fifth of the five questions the FTC posed in its workshop notice regarding reputation systems and other trust mechanisms. Here is the abstract from the paper:

This paper argues that the sharing economy—through the use of the Internet and real time reputational feedback mechanisms—is providing a solution to the lemons problem that many regulators have spent decades attempting to overcome. Section I provides an overview of the sharing economy and traces its rapid growth. Section II revisits the lemons theory as well as the various regulatory solutions proposed to deal with the problem of asymmetric information. Section III discusses the relationship between reputation and trust and analyzes how reputational incentives affect commercial interactions. Section IV discusses how information asymmetries were addressed in the pre-Internet era. It also discusses how the evolution of both the Internet and information systems (especially the reputational feedback mechanisms of the sharing economy) addresses the lemons problem. Section V explains how these new realities affect public policy and concludes that asymmetric information is not a legitimate rationale for policy intervention in light of technological changes. We also argue that continued use of this rationale to regulate in the name of consumer protection might, in fact, make consumers worse off. This has ramifications for the current debate over regulation of the sharing economy.

We believe that our research makes it clear “how the sharing economy relies upon—and has helped spur the growth of—sophisticated reputational feedback mechanisms that facilitate online trust and commerce, overcoming many of the information asymmetries that seemed intractable… just a generation ago. In combination with online review services and other information-sharing technologies enabled by the Internet,” we conclude, “these reputational tools can help create more effective, and largely self-regulating, markets that provide more information to more individuals than ever before.”

We look forward to continuing engagement with officials at the FTC and other policymakers at the federal, state, and even international level on these issues. We hope our research will help legislators and regulators find sensible ways to adjust policy for the sharing economy so as not to derail the sort of “permissionless innovation” that has thus far powered this exciting sector and produced the many pro-consumer benefits flowing from it. Check out our filing and new paper for more details.

Autonomous Vehicles Under Attack: Cyber Dashboard Standards and Class Action Lawsuits

Ryan Hagemann — Sat, 14 Mar 2015 13:06:08 +0000

In a recent Senate Commerce Committee hearing on the Internet of Things, Senators Ed Markey (D-Mass.) and Richard Blumenthal (D-Conn.) “announced legislation that would direct the National highway Traffic Safety Administration (NHTSA) and the Federal Trade Commission (FTC) to establish federal standards to secure our cars and protect drivers’ privacy.” Spurred by a recent report from his office (Tracking and Hacking: Security and Privacy Gaps Put American Drivers at Risk) Markey argued that Americans “need the equivalent of seat belts and airbags to keep drivers and their information safe in the 21^st century.”

Among the many conclusions reached in the report, it says, “nearly 100% of cars on the market include wireless technologies that could pose vulnerabilities to hacking or privacy intrusions.” This comes across as a tad tautological given that everything from smartphones and computers to large-scale power grids are prone to being hacked, yet the Markey-Blumenthal proposal would enforce a separate set of government-approved, and regulated, standards for privacy and security, displayed on every vehicle in the form of a “Cyber Dashboard” decal.

Leaving aside the irony of legislators attempting to dictate privacy standards, especially in the post-Snowden world, it would behoove legislators like Markey and Blumenthal to take a closer look at just what it is they are proposing and ask whether such a law is indeed necessary to protect consumers. For security in particular, there may be concerns that require redress, but if one looks at the report, it becomes apparent that it lacks a very important feature:: no specific examples of real car hacking are mentioned. The only examples illustrated in the report are described in brief detail:

An application was developed by a third party and released for Android devices that could integrate with a vehicle through the Bluetooth connection. A security analysis did not indicate any ability to introduce malicious code or steal data, but the manufacturer had the app removed from the Google Play store as a precautionary measure.

Great! The company solved the problem. What about the other instance cited in the report?

Some individuals have attempted to reprogram the onboard computers of vehicles to increase engine horsepower or torque through the use of “performance chips”. Some of these devices plug into the mandated onboard diagnostic port or directly into the under-the-hood electronics system.

So the only two examples of “car hacking” described in the Markey report are essentially duds. The first is a non-issue, since the company (1) determined there was little security risk involved and (2) removed the item from the market anyways, just to be sure. The second is, in a sense, hacking, but it is individual car owners doing it to their own cars. Neither of these cases appears to be sufficient grounds for imposing a set of arbitrary and, in many cases, capriciously anti-innovation approaches to privacy and data security in cars.

In the wake of the report’s release, this past Tuesday, March 10, General Motors, Toyota, and Ford were all hit with a nationwide class action lawsuit, alleging that the companies concealed “dangers posed by a lack of electronic security in a vast swath of vehicles.” Specifically, the lawsuit is aimed at the presence of controller area network (CAN) buses, which act as data hubs between the various electronic systems in a car. These systems are, indeed, susceptible to hacking, but no more than any personal computer that is connected to the Internet.

The trouble with this lawsuit, brought by the Stanley Law Group, is that it has not cited any specific harms that have occurred as a result of this “defect” (as a side note, saying a computer being susceptible to hacking constitutes a defect in design is the equivalent of saying an airplane that is susceptible to lightning strikes is fundamentally defective). Rather, the plaintiffs argue that “[w]e shouldn’t need to wait for a hacker or terrorist to prove exactly how dangerous this is before requiring car makers to fix the defect.”

As Adam Thierer and I pointed out in our 2014 paper, Removing Roadblocks to Intelligent Vehicles and Driverless Cars:

Manufacturers have powerful reputational incentives at stake here, which will encourage them to continuously improve the security of their systems. Companies like Chrysler and Ford are already looking into improving their telematics systems to better compartmentalize the ability of hackers to gain access to a car’s controller-area-network bus. Engineers are also working to solve security vulnerabilities by utilizing two-way data-verification schemes (the same systems at work when purchasing items online with a credit card), routing software installs and updates through remote servers to check and double-check for malware, adopting of routine security protocols like encrypting files with digital signatures, and other experimental treatments. (pg. 40-41)

It’s always easy to see the potential for abuse and harm with any new emerging technology, but optimism and fortitude in the face of the uncertain is what helps society, and individuals, grow and progress. Car hacking, while certainly a viable concern, is not so ubiquitous that it necessitates a heavy-handed regulatory approach. Rather, we should permit various standards to emerge and attempt to deal with possible harms. In this way, we can experiment to properly determine what approaches work and what do not. Federal standards imposed from on high assume that firms and individuals are not capable of working through these murky issues. We should be a bit more optimistic about the human capacity for ingenuity and adaptability.

To end on something of a more optimistic note, Tom Vanderbilt of Wired magazine gives keen insight into the reality of regulating based on hypothetical scenarios:

Every scenario you can spin out of computer error – what if the car drives the wrong way – already exists in analog form, in abundance. Yes, computer-guidance systems and the rest will require advances in technology, not to mention redundancy and higher standards of performance, but at least these are all feasible, and capable of quantifiable improvement. On the other hand, we’ll always have lousy drivers.

Additional Reading

Law review article: “Removing Roadblocks to Intelligent Vehicles and Driverless Cars,” September 17, 2014.
“Don’t Hit the (Techno-)Panic Button on Connected Car Hacking & IoT Security,” February 10, 2015.
“Don’t Slam the Brakes on Smart Cars,” December 1, 2014.
“Intelligent Vehicles Could Save Lives,” November 25, 2014.
Permissionless Innovation: The Continuing Case for Comprehensive Technological Freedom (2014)

Initial Thoughts on Obama Administration’s “Privacy Bill of Rights” Proposal

Adam Thierer — Fri, 27 Feb 2015 21:28:30 +0000

The Obama Administration has just released a draft “Consumer Privacy Bill of Rights Act of 2015.” Generally speaking, the bill aims to translate fair information practice principles (FIPPs) — which have traditionally been flexible and voluntary guidelines — into a formal set of industry best practices that would be federally enforced on private sector digital innovators. This includes federally-mandated Privacy Review Boards, approved by the Federal Trade Commission, the agency that will be primarily responsible for enforcing the new regulatory regime.

Many of the principles found in the Administration’s draft proposal are quite sensible as best practices, but the danger here is that they could soon be converted into a heavy-handed, bureaucratized regulatory regime for America’s highly innovative, data-driven economy.

No matter how well-intentioned this proposal may be, it is vital to recognize that restrictions on data collection could negatively impact innovation, consumer choice, and the competitiveness of America’s digital economy.

Online privacy and security is vitally important, but we should look to use alternative and less costly approaches to protecting privacy and security that rely on education, empowerment, and targeted enforcement of existing laws. Serious and lasting long-term privacy protection requires a layered, multifaceted approach incorporating many solutions.

That is why flexible data collection and use policies and evolving best practices will ultimately serve consumers better than one-size-fits all, top-down regulatory edicts. Instead of imposing these FIPPs in a rigid regulatory fashion, privacy and security best practices will need to evolve gradually to new marketplace realities and be applied in a more organic and flexible fashion, often outside the realm of public policy.

Regulatory approaches, like the Obama Administration’s latest proposal, will instead impose significant costs on consumers and the economy. Data is the fuel that powers our information economy. Privacy-related mandates that curtail the use of data to better target or personalize new services could raise costs for consumers. There is no free lunch. Something has to pay for all the wonderful free sites and services we enjoy today. If data can’t be used to cross-subsidize those services, prices will go up.

Data regulations could also indirectly cost consumers by diminishing the abundance of content and culture now supported by the data-driven economy. In other words, even if prices and paywalls don’t go up, quantity or quality could suffer if data collection is restricted.

Data regulations could also hurt the competitiveness of domestic markets and the global competitive advantage that America’s tech sector has in this space. That regulatory burden would fall hardest on smaller operators and new start-ups. Today’s “app economy” has given countless small innovators a chance to compete on even footing with the biggest players. Burdensome data collection restrictions could short-circuit the engine that drives entrepreneurial innovation among mom-and-pop companies if ad dollars get consolidated in the hands of only the larger companies that can afford to comply with new rules.

We don’t want to go down the path the European Union charted in the 1990s with heavy-handed data directives. That suffocated high-tech entrepreneurialism and innovation there. America’s Internet sector came to be the envy of the world because our more flexible, light-touch regulatory regime leaves more breathing room for competition and innovation compared to Europe’s top-down regime. We should not abandon that approach now.

Finally, the Obama Administration’s proposal deals exclusively with private sector data collection and has nothing to say about government surveillance activities. The Administration would be wise to channel its energies into that far more significant privacy problem first.

Additional Reading from Adam Thierer of the Mercatus Center

Law Review Articles:

“The Pursuit of Privacy in a World Where Information Control is Failing,” Harvard Journal of Law and Public Policy, Vol. 36, No. 2, (2013).
“A Framework for Benefit-Cost Analysis in Digital Privacy Debates,” George Mason Law Review, Vol. 20, No. 4, (2013).
“Privacy Law’s Precautionary Principle Problem,” Maine Law Review, Vol. 66, No. 2 (2014).
“The Internet of Things and Wearable Technology: Addressing Privacy and Security Concerns without Derailing Innovation,” Richmond Journal of Law and Technology, Vol. 21 (2015).
“Technopanics, Threat Inflation, and the Danger of an Information Technology Precautionary Principle,” Minnesota Journal of Law, Science & Technology, Vol. 14, No. 1, (2013).

Testimony / Filings

Testimony before the Senate Commerce Committee on the Internet of Things, February 11, 2015.
Testimony before the Senate Commerce Committee on Privacy, Data Collection & Do Not Track, April 24, 2013.
Filing to the Federal Trade Commission on Privacy & Security Implications of the Internet of Things, May 31, 2013.
Filing to the Federal Trade Commission on Protecting Consumer Privacy in an Era of Rapid Change, February 22, 2011.

My Testimony for Senate Internet of Things Hearing

Adam Thierer — Wed, 11 Feb 2015 14:31:34 +0000

This morning at 9:45, the Senate Committee on Commerce, Science, and Transportation is holding a full committee hearing entitled, “The Connected World: Examining the Internet of Things.” According to the Committee press release, the hearing “will focus on how devices — from home heating systems controlled by users online, to wearable devices that track health and activity with the help of Internet-based analytics — will be made smarter and more dynamic through Internet technologies. Government agencies like the Federal Trade Commission, however, are already considering possible changes to the law that could have the unintended consequence of slowing innovation.”

It is my pleasure to have been invited to testify at this hearing. I’ve long had an interest in the policy issues surrounding the Internet of Things. All my relevant research products can be found online here, including my latest law review article, “The Internet of Things and Wearable Technology Addressing Privacy and Security Concerns without Derailing Innovation.“

My testimony, which can be found on the Mercatus Center website here, begins by highlighting the three general conclusions of my work:

First, the Internet of Things offers compelling benefits to consumers, companies, and our country’s national competitiveness that will only be achieved by adopting a flexible policy regime for this fast-moving space.
Second, while there are formidable privacy and security challenges associated with the Internet of Things, top-down or one-size-fits-all regulation will limit innovative opportunities.
Third, with those first two points in mind, we should seek alternative and less costly approaches to protecting privacy and security that rely on education, empowerment, and targeted enforcement of existing legal mechanisms. Long-term privacy and security protection requires a multifaceted approach incorporating many flexible solutions.

I continue on to elaborate on each point and then conclude my testimony on a note of optimism:

we should also never forget that, no matter how disruptive these new technologies may be in the short term, we humans have an extraordinary ability to adapt to technological change and bounce back from adversity. That same resilience will be true for the Internet of Things. We should remain patient and continue to embrace permissionless innovation to ensure that the Internet of Things thrives and American consumers and companies continue to be global leaders in the digital economy.

My testimony also includes 7 appendices offering more detail for those interested. Two of those appendices focus on defining the parameters of the Internet of Things as then documenting the projected economic impact associated with this rapidly-growing market. The other appendices reproduce essays I have published here before, including articles about the Federal Trade Commission’s recent Internet of Things report as well as my thoughts on how to craft a nonpartisan policy vision for the Internet of Things.

Finally, here’s a list of most of my recent work the Internet of Things and wearable technology policy issues for those interested in reading even more about the topic:

law review article: “The Internet of Things and Wearable Technology Addressing Privacy and Security Concerns without Derailing Innovation,” November 2014.
essay: “Don’t Hit the (Techno-)Panic Button on Connected Car Hacking & IoT Security,” February 10, 2015.
essay: “Striking a Sensible Balance on the Internet of Things and Privacy,” January 16, 2015.
essay: “Some Initial Thoughts on the FTC Internet of Things Report,” January 28, 2015.
essay: “A Nonpartisan Policy Vision for the Internet of Things,” December 11, 2014.
slide presentation: “Policy Issues Surrounding the Internet of Things & Wearable Technology,” September 12, 2014.
essay: “CES 2014 Report: The Internet of Things Arrives, but Will Washington Welcome It?” January 8, 2014.
essay: “The Growing Conflict of Visions over the Internet of Things & Privacy,” January 14, 2014.
oped: “Can We Adapt to the Internet of Things?” IAPP Privacy Perspectives, June 19, 2013
agency filing: My Filing to the FTC in its ‘Internet of Things’ Proceeding, May 31, 2013
book: Permissionless Innovation: The Continuing Case for Comprehensive Technological Freedom, 2014.
video: Cap Hill Briefing on Emerging Tech Policy Issues, June 2014.
essay: “What’s at Stake with the FTC’s Internet of Things Workshop,” November 18, 2013.
law review article: “Removing Roadblocks to Intelligent Vehicles and Driverless Cars,” September 16, 2014.

Don’t Hit the (Techno-)Panic Button on Connected Car Hacking & IoT Security

Adam Thierer — Tue, 10 Feb 2015 20:15:02 +0000

On Sunday night, 60 Minutes aired a feature with the ominous title, “Nobody’s Safe on the Internet,” that focused on connected car hacking and Internet of Things (IoT) device security. It was followed yesterday morning by the release of a new report from the office of Senator Edward J. Markey (D-Mass) called Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk, which focused on connected car security and privacy issues. Employing more than a bit of techno-panic flare, these reports basically suggest that we’re all doomed.

On 60 Minutes, we meet former game developer turned Department of Defense “cyber warrior” Dan (“call me DARPA Dan”) Kaufman–and learn his fears of the future: “Today, all the devices that are on the Internet [and] the ‘Internet of Things’ are fundamentally insecure. There is no real security going on. Connected homes could be hacked and taken over.”

60 Minutes reporter Lesley Stahl, for her part, is aghast. “So if somebody got into my refrigerator,” she ventures, “through the internet, then they would be able to get into everything, right?” Replies DARPA Dan, “Yeah, that’s the fear.” Prankish hackers could make your milk go bad, or hack into your garage door opener, or even your car.

This segues to a humorous segment wherein Stahl takes a networked car for a spin. DARPA Dan and his multiple research teams have been hard at work remotely programming this vehicle for years. A “hacker” on DARPA Dan’s team proceeded to torment poor Lesley with automatic windshield wiping, rude and random beeps, and other hijinks. “Oh my word!” exclaims Stahl.

Never mind that we are told that the “hackers” who “hacked” into this car had been directly working on its systems for years—a luxury scarcely available to the shadowy malicious hackers about whom DARPA Dan and his team so hoped to frighten us. The careful setup, editing, and Lesley Stahl’s squeals made for convincing theater.

Then there’s the Markey report. On the surface, the findings appear grim. For instance, we are warned that “Nearly 100% of cars on the market include wireless technologies that could pose vulnerabilities to hacking or privacy intrusions.” Nearly 100%? We’re practically naked out there! But digging through the report, we learn that the basis for this claim is that most of the 16 manufacturers surveyed responded that 100% of their vehicles are equipped with wireless entry points (WEPs)—like Bluetooth, Wi-Fi, navigation, and anti-theft features. Because these features “could pose vulnerabilities,” they are listed as a threat—one that lurks in nearly 100% of the cars on the market, at that.

Much of the report is similarly panicky and sometimes humorous (complaint #3: “many manufacturers did not seem to understand the questions posed by Senator Markey.”) The report concludes that the “alarmingly inconsistent and incomplete state of industry security and privacy practice,” warrants recommendations that federal regulators — led by the National Highway Traffic Safety Administration (NHTSA) and the Federal Trade Commission (FTC) — “promulgate new standards that will protect the data, security and privacy of drivers in the modern age of increasingly connected vehicles.”

Take a Deep Breath

As we face an uncertain future full of rapidly-evolving technologies, it’s only natural that some might feel a little anxiety about how these new machines and devices operate. Despite the exaggerated and sometimes silly nature of techno-panic reports like these, they reflect many people’s real and understandable concerns about new technologies.

But the problem with these reports is that they embody a “panic-first” approach to digital security and privacy issues. It is certainly true that our cars are become rolling computers, complete with an arsenal of sensors and networking technologies, and the rise of the Internet of Things means almost everything we own or come into contact with will possess networking capabilities. Consequently, just as our current generation of computing and communications technologies are vulnerable to some forms of hacking, it is likely that our cars and IoT devices will be as well.

But don’t you think that automakers and IoT developers know that? Are we really to believe that journalists, congressmen, and DARPA Dan have a greater incentive to understand these issues than the manufacturers whose companies and livelihoods are on the line? And wouldn’t these manufacturers only take on these risks if consumer demand and expected value supported them? Watching the 60 Minutes spot and reading through the Markey report, one is led to think that innovators in this space are completely oblivious to these threats, simply don’t care enough to address them, and don’t have any plans in motion. But that is lunacy.

No Mention of Liability?

To begin, neither report even mentions the possibility of massive liability for future hacking attacks on connected cars or IoT devices. That is amazing considering how the auto industry already attracts an absolutely astonishing amount of litigation activity. (Ambulance-chasing is a full-time legal profession, after all.) Thus, to the extent that some automakers don’t want to talk about everything they are doing to address security issues, it’s likely because they are still figuring out how to address the various vulnerabilities out there without attracting the attention of either enterprising hackers or trial lawyers.

Nonetheless, contrary to the absurd statement by Mr. Kaufman that “There is no real security going on” for connected cars or the Internet of Things, the reality is that these are issues that developers are actively studying and trying to address. Manufacturers of connected devices know that: (1) nobody wants to own or use devices that are fundamentally insecure or dangerous; and (2) if they sell such devices to the public, they are in for a world of hurt once the trial lawyers see the first headlines about it.

It also still quite unclear how big the threat is here. Writing over at Forbes yesterday, Doug Newcomb notes that “the threat of car hacking has largely been overblown by the media – there’s been only one case of a malicious car hack, and that was an inside job by a disgruntled former car dealer employee. But it’s a surefire way to get the attention of the public and policymakers,” he correctly observes. Newcomb also interviewed Damon McCoy, an assistant professor of computer science at George Mason University and a car security researcher, who noted that car hacking hasn’t become prevalent and that “Given the [monetary] motivation of most hackers, the chance of [automotive hacking] is very low.”

Security is a Dynamic, Evolving Process

Regardless, the notion that we can just clean this whole device security situation up with a single set of federal standards, as the Markey report suggests, is appealing but fanciful. “Security threats are constantly changing and can never be holistically accounted for through even the most sophisticated flowcharts,” observed my Mercatus Center colleagues Eli Dourado and Andrea Castillo in their recent white paper on “Why the Cybersecurity Framework Will Make Us Less Secure.” “By prioritizing a set of rigid, centrally designed standards, policymakers are neglecting potent threats that are not yet on their radar,” Dourado and Castillo note elsewhere.

We are at the beginning of a long process. There is no final destination when it comes to security; it’s a never-ending process of devising and refining policies to address vulnerabilities on the fly. The complex problem of cybersecurity readiness requires dynamic solutions that properly align incentives, improve communication and collaboration, and encourage good personal and organizational stewardship of connected systems. Implementing the brittle bureaucratic standards that Markey and others propose could have the tragic unintended consequence of rendering our devices even less secure.

Standards Are Developing Rapidly

Meanwhile, the auto industry has already come up with privacy standards that go above and beyond what most other digital innovators apply to their own products today. Here are the Auto Alliance’s “Consumer Privacy Protection Principles: Privacy Principles for Vehicle Technologies and Services,” which 23 major automobile manufacturers agreed to abide by. And, according to a press release yesterday, “automakers are currently working to establish an Information Sharing Analysis Center (or “Auto-ISAC”) for sharing vehicle cybersecurity information among industry stakeholders.”

Again, progress continues and standards are evolving. This needs to be a flexible, evolutionary process, instead of a static, top-down, one-size-fits-all bureaucratic political proceeding.

We can’t set down security and privacy standards in stone for fast-moving technologies like these for another reason, and one I am constantly stressing in my work on “Why Permissionless Innovation Matters.” If we spend all our time worrying about hypothetical worst-case scenarios — and basing our policy interventions on a parade of hypothetical horribles — then we run the risk that best-case scenarios will never come about. As analysts at the Center for Data Innovation correctly argue, policymakers should only intervene to address specific, demonstrated harms. “Attempting to erect precautionary regulatory barriers for purely speculative concerns is not only unproductive, but it can discourage future beneficial applications of the Internet of Things.” And the same is true for connected cars.

Trade-Offs Matter

Technopanic indulgence isn’t always merely silly or annoying—it can be deadly.

“During the four deadliest wars the United States fought in the 20th century, 39 percent more Americans were dying in motor vehicles” than on the battlefield. So writes Washington Post reporter Matt McFarland in a powerful new post today. The ongoing toll associated with human error behind the wheel is falling but remains absolutely staggering, with almost 100 people losing their lives and almost 6,500 people injured every day.

We must never fail to appreciate the trade-offs at work when we are pondering precautionary regulation. Ryan Hagemann and I wrote about these issues in our recent Mercatus Center working paper, “Removing Roadblocks to Intelligent Vehicles and Driverless Cars.” That paper, which has been accepted for publication in a forthcoming edition of the Wake Forest Journal of Law & Policy, outlines the many benefits of autonomous or semi-autonomous systems and discusses the potential cost of delaying their widespread adoption.

When it comes to the various security, privacy, and ethical considerations related to intelligent vehicles, Hagemann and I argue that they “need to be evaluated against the backdrop of the current state of affairs, in which tens of thousands of people die each year in auto-related accidents due to human error.” We continue on later in the paper:

Autonomous vehicles are unlikely to create 100 percent safe, crash-free roadways, but if they significantly decrease the number of people killed or injured as a result of human error, then we can comfortably suggest that the implications of the technology, as a whole, are a boon to society. The ethical underpinnings of what makes for good software design and computer-generated responses are a difficult and philosophically robust space for discussion. Given the abstract nature of the intersection of ethics and robotics, a more detailed consideration and analysis of this space must be left for future research. Important work is currently being done on this subject. But those ethical considerations must not derail ongoing experimentation with intelligent-vehicle technology, which could save many lives and have many other benefits, as already noted. Only through ongoing experimentation and feedback mechanisms can we expect to see constant improvement in how autonomous vehicles respond in these situations to further minimize the potential for accidents and harms. (p. 42-3)

As I noted here in another recent essay, “anything we can do to reduce it significantly is something we need to be pursuing with great vigor, even while we continue to sort through some of those challenging ethical issues associated with automated systems and algorithms.”

No Mention of Alternative Solutions

Finally, it is troubling that neither the 60 Minutes segment nor the Markey report spend any time on alternative solutions to these problems. In my forthcoming law review article, “The Internet of Things and Wearable Technology: Addressing Privacy and Security Concerns without Derailing Innovation,” I devote the second half of the 90-page paper to constructive solutions to the sort of complex challenges raised in the 60 Minutes segment and the Markey report.

Many of the solutions I discuss in that paper — such as education and awareness-building efforts, empowerment solutions, the development of new social norms, and so on – aren’t even touched on by the reports. That’s a real shame because those methods could go a long way toward helping to alleviate many of the issues the reports identify.

We need a better public dialogue than this about the future of connected cars and Internet of Things security. Political scare tactics and techno-panic journalism are not going to help make the world a safer place. In fact, by whipping up a panic and potentially discouraging innovation, reports such as these can actually serve to prevent critical, life-saving technologies that could change society for the better.

Additional Reading

Making Sure the “Trolley Problem” Doesn’t Derail Life-Saving Innovation, January 15, 2015.
Muddling Through: How We Learn to Cope with Technological Change, June 30, 2014
Law review article: “Removing Roadblocks to Intelligent Vehicles and Driverless Cars,” September 17, 2014.
Law review article: “The Internet of Things and Wearable Technology: Addressing Privacy and Security Concerns without Derailing Innovation.”
Ongoing blog series: Moral Panics & Technopanics
Permissionless Innovation: The Continuing Case for Comprehensive Technological Freedom (2014)
Slide Presentation: Policy Issues Surrounding the Internet of Things & Wearable Technology, September 12, 2014
[Video] Cap Hill Briefing on Emerging Tech Policy Issues (June 2014)
The Growing Conflict of Visions over the Internet of Things & Privacy, January 14, 2012
Can We Adapt to the Internet of Things? IAPP Privacy Perspectives, June 19, 2013
My Filing to the FTC in its ‘Internet of Things’ Proceeding, May 31, 2013

Some Initial Thoughts on the FTC Internet of Things Report

Adam Thierer — Wed, 28 Jan 2015 14:54:30 +0000

Yesterday, the Federal Trade Commission (FTC) released its long-awaited report on “The Internet of Things: Privacy and Security in a Connected World.” The 55-page report is the result of a lengthy staff exploration of the issue, which kicked off with an FTC workshop on the issue that was held on November 19, 2013.

I’m still digesting all the details in the report, but I thought I’d offer a few quick thoughts on some of the major findings and recommendations from it. As I’ve noted here before, I’ve made the Internet of Things my top priority over the past year and have penned several essays about it here, as well as in a big new white paper (“The Internet of Things and Wearable Technology: Addressing Privacy and Security Concerns without Derailing Innovation”) that will be published in the Richmond Journal of Law & Technology shortly. (Also, here’s a compendium of most of what I’ve done on the issue thus far.)

I’ll begin with a few general thoughts on the FTC’s report and its overall approach to the Internet of Things and then discuss a few specific issues that I believe deserve attention.

Big Picture, Part 1: Should Best Practices Be Voluntary or Mandatory?

Generally speaking, the FTC’s report contains a variety of “best practice” recommendations to get Internet of Things innovators to take steps to ensure greater privacy and security “by design” in their products. Most of those recommended best practices are sensible as general guidelines for innovators, but the really sticky question here continued to be this: When, if ever, should “best practices” become binding regulatory requirements?

The FTC does a bit of a dance when answering that question. Consider how, in the executive summary of the report, the Commission answers the question regarding the need for additional privacy and security regulation: “Commission staff agrees with those commenters who stated that there is great potential for innovation in this area, and that IoT-specific legislation at this stage would be premature.” But, just a few lines later, the agency (1) “reiterates the Commission’s previous recommendation for Congress to enact strong, flexible, and technology-neutral federal legislation to strengthen its existing data security enforcement tools and to provide notification to consumers when there is a security breach;” and (2) “recommends that Congress enact broad-based (as opposed to IoT-specific) privacy legislation.”

Here and elsewhere, the agency repeatedly stresses that it is not seeking IoT-specific regulation; merely “broad-based” digital privacy and security legislation. The problem is that once you understand what the IoT is all about you come to realize that this largely represents a distinction without a difference. The Internet of Things is simply the extension of the Net into everything we own or come into contact with. Thus, this idea that the agency is not seeking IoT-specific rule sounds terrific until you realize that it is actually seeking something far more sweeping: greater regulation of all online / digital interactions. And because “the Internet” and “the Internet of Things” will eventually (if they are not already) be considered synonymous, this notion that the agency is not proposing technology-specific regulation is really quite silly.

Now, it remains unclear whether there exists any appetite on Capitol Hill for “comprehensive” legislation of any variety – although perhaps we’ll learn more about that possibility when the Senate Commerce Committee hosts a hearing on these issues on February 11. But at least thus far, “comprehensive” or “baseline” digital privacy and security bills have been non-starters.

And that’s for good reason in my opinion: Such regulatory proposals could take us down the path that Europe charted in the late 1990s with onerous “data directives” and suffocating regulatory mandates for the IT / computing sector. The results of this experiment have been unambiguous, as I documented in congressional testimony in 2013. I noted there how America’s Internet sector came to be the envy of the world while it was hard to name any major Internet company from Europe. Whereas America embraced “permissionless innovation” and let creative minds develop one of the greatest success stories in modern history, the Europeans adopted a “Mother, May I” regulatory approach for the digital economy. America’s more flexible, light-touch regulatory regime leaves more room for competition and innovation compared to Europe’s top-down regime. Digital innovation suffered over there while it blossomed here.

That’s why we need to be careful about adopting the sort of “broad-based” regulatory regime that the FTC recommends in this and previous reports.

Big Picture, Part 2: Does the FTC Really Need More Authority?

Something else is going on in this report that has also been happening in all the FTC’s recent activity on digital privacy and security matters: The agency has been busy laying the groundwork for its own expansion.

In this latest report, for example, the FTC argues that

Although the Commission currently has authority to take action against some IoT-related practices, it cannot mandate certain basic privacy protections… The Commission has continued to recommend that Congress enact strong, flexible, and technology-neutral legislation to strengthen the Commission’s existing data security enforcement tools and require companies to notify consumers when there is a security breach.

In other words, this agency wants more authority. And we are talking about sweeping authority here that would transcend its already sweeping authority to police “unfair and deceptive practices” under Section 5 of the FTC Act. Let’s be clear: It would be hard to craft a law that grants an agency more comprehensive and open-ended consumer protection authority than Section 5. The meaning of those terms — “unfairness” and “deception” — has always been a contentious matter, and at times the agency has abused its discretion by exploiting that ambiguity.

Nonetheless, Sec. 5 remains a powerful enforcement tool for the agency and one that has been wielded aggressively in recently years to police digital economy giants and small operators alike. Generally speaking, I’m alright with most Sec. 5 enforcement, especially since that sort of retrospective policing of unfair and deceptive practices is far less likely to disrupt permissionless innovation in the digital economy. That’s because it does not subject digital innovators to the sort of “Mother, May I” regulatory system that European entrepreneurs face. But an expansion of the FTC’s authority via more “comprehensive, baseline” privacy and security regulatory policies threatens to convert America’s more sensible bottom-up and responsive regulatory system into the sort of innovation-killing regime we see on the other side of the Atlantic.

Here’s the other thing we can’t forget when it comes to the question of what additional authority to give the FTC over privacy and security matters: The FTC is not the end of the enforcement story in America. Other enforcement mechanism exist, including: privacy torts, class action litigation, property and contract law, state enforcement agencies, and other targeted privacy statutes. I’ve summarized all these additional enforcement mechanisms in my recent law review article referenced above. (See section VI of the paper.)

FIPPS, Part 1: Notice & Choice vs. Use-Based Restrictions

Next, let’s drill down a bit and examine some of the specific privacy and security best practices that the agency discusses in its new IoT report.

The FTC report highlights how the IoT creates serious tensions for many traditional Fair Information Practice Principles (FIPPs). The FIPPs generally include: (1) notice, (2) choice, (3) purpose specification, (4) use limitation, and (5) data minimization. But the report is mostly focused on notice and choice as well as data minimization.

When it comes to notice and choice, the agency wants to keep hope alive that it will still be applicable in an IoT world. I’m sympathetic to this effort because it is quite sensible for all digital innovators to do their best to provide consumers with adequate notice about data collection practices and then give them sensible choices about it. Yet, like the agency, I agree that “offering notice and choice is challenging in the IoT because of the ubiquity of data collection and the practical obstacles to providing information without a user interface.”

The agency has a nuanced discussion of how context matters in providing notice and choice for IoT, but one can’t help but think that even they must realize that the game is over, to some extent. The increasing miniaturization of IoT devices and the ease with which they suck up data means that traditional approaches to notice and choice just aren’t going to work all that well going forward. It is almost impossible to envision how a rigid application of traditional notice and choice procedures would work in practice for the IoT.

Relatedly, as I wrote here last week, the Future of Privacy Forum (FPF) recently released a new white paper entitled, “A Practical Privacy Paradigm for Wearables,” that notes how FIPPs “are a valuable set of high-level guidelines for promoting privacy, [but] given the nature of the technologies involved, traditional implementations of the FIPPs may not always be practical as the Internet of Things matures.” That’s particularly true of the notice and choice FIPPS.

But the FTC isn’t quite ready to throw in the towel and make the complete move toward “use-based restrictions,” as many academics have. (Note: I have lengthy discussion of this migration toward use-based restrictions in my law review article in section IV.D.). Use-based restrictions would focus on specific uses of data that are particularly sensitive and for which there is widespread agreement they should be limited or disallowed altogether. But use-based restrictions are, ironically, controversial from both the perspective of industry and privacy advocates (albeit for different reasons, obviously).

The FTC doesn’t really know where to go next with use-based restrictions. The agency says that, on one hand, “has incorporated certain elements of the use-based model into its approach” to enforcement in the past. On the other hand, the agency says it has concerns “about adopting a pure use-based model for the Internet of Things,” since it may not go far enough in addressing the growth of more widespread data collection, especially of more sensitive information.

In sum, the agency appears to be keeping the door open on this front and hoping that a best-of-all-worlds solution miraculously emerges that extends both notice and choice and use-based limitations as the IoT expands. But the agency’s new report doesn’t give us any sort of blueprint for how that might work, and that’s likely for good reason: because it probably won’t work at that well in practice and there will be serious costs in terms of lost innovation if they try to force unworkable solutions on this rapidly evolving marketplace.

FIPPS, Part 2: Data Minimization

The biggest policy fight that is likely to come out of this report involves the agency’s push for data minimization. The report recommends that, to minimize the risks associated with excessive data collection:

companies should examine their data practices and business needs and develop policies and practices that impose reasonable limits on the collection and retention of consumer data. However, recognizing the need to balance future, beneficial uses of data with privacy protection, staff’s recommendation on data minimization is a flexible one that gives companies many options. They can decide not to collect data at all; collect only the fields of data necessary to the product or service being offered; collect data that is less sensitive; or deidentify the data they collect. If a company determines that none of these options will fulfill its business goals, it can seek consumers’ consent for collecting additional, unexpected categories of data…

This is an unsurprising recommendation in light of the fact that, in previous major speeches on the issue, FTC Chairwoman Edith Ramirez argued that, “information that is not collected in the first place can’t be misused,” and that:

The indiscriminate collection of data violates the First Commandment of data hygiene: Thou shall not collect and hold onto personal information unnecessary to an identified purpose. Keeping data on the off chance that it might prove useful is not consistent with privacy best practices. And remember, not all data is created equally. Just as there is low quality iron ore and coal, there is low quality, unreliable data. And old data is of little value.

In my forthcoming law review article, I discussed the problem with such reasoning at length and note:

if Chairwoman Ramirez’s approach to a preemptive data use “commandment” were enshrined into a law that said, “Thou shall not collect and hold onto personal information unnecessary to an identified purpose.” Such a precautionary limitation would certainly satisfy her desire to avoid hypothetical worst-case outcomes because, as she noted, “information that is not collected in the first place can’t be misused,” but it is equally true that information that is never collected may never lead to serendipitous data discoveries or new products and services that could offer consumers concrete benefits. “The socially beneficial uses of data made possible by data analytics are often not immediately evident to data subjects at the time of data collection,” notes Ken Wasch, president of the Software & Information Industry Association. If academics and lawmakers succeed in imposing such precautionary rules on the development of IoT and wearable technologies, many important innovations may never see the light of day.

FTC Commissioner Josh Wright issued a dissenting statement to the report that lambasted the staff for not conducting more robust cost-benefit analysis of the new proposed restrictions, and specifically cited how problematic the agency’s approach to data minimization was. “[S]taff merely acknowledges it would potentially curtail innovative uses of data. . . [w]ithout providing any sense of the magnitude of the costs to consumers of foregoing this innovation or of the benefits to consumers of data minimization,” he says. Similarly, in her separate statement, FTC Commissioner Maureen K. Ohlhausen worried about the report’s overly precautionary approach on data minimization when noting that, “without examining costs or benefits, [the staff report] encourages companies to delete valuable data — primarily to avoid hypothetical future harms. Even though the report recognizes the need for flexibility for companies weighing whether and what data to retain, the recommendation remains overly prescriptive,” she concludes.

Regardless, the battle lines have been drawn by the FTC staff report as the agency has made it clear that it will be stepping up its efforts to get IoT innovators to significantly slow or scale back their data collection efforts. It will be very interesting to see how the agency enforces that vision going forward and how it impacts innovation in this space. All I know is that the agency has not conducted a serious evaluation here of the trade-offs associated with such restrictions. I penned another law review article last year offering “A Framework for Benefit-Cost Analysis in Digital Privacy Debates” that they could use to begin that process if they wanted to get serious about it.

The Problem with the “Regulation Builds Trust” Argument

One of the interesting things about this and previous FTC reports on privacy and security matters is how often the agency premises the case for expanded regulation on “building trust.” The argument goes something like this (as found on page 51 of the new IoT report): “Staff believes such legislation will help build trust in new technologies that rely on consumer data, such as the IoT. Consumers are more likely to buy connected devices if they feel that their information is adequately protected.”

This is one of those commonly-heard claims that sounds so straight-forward and intuitive that few dare question it. But there are problems with the logic of the “we-need-regulation-to-build-trust-and boost adoption” arguments we often hear in debates over digital privacy.

First, the agency bases its argument mostly on polling data. “Surveys also show that consumers are more likely to trust companies that provide them with transparency and choices,” the report says. Well, of course surveys say that! It’s only logical that consumers will say this, just as they will always say they value privacy and security more generally when asked. You might as well ask people if they love their mothers!

But what consumers claim to care about and what they actually do in the real-world are often two very different things. In the real-world, people balance privacy and security alongside many other values, including choice, convenience, cost, and more. This leads to the so-called “privacy paradox,” or the problem of many people saying one thing and doing quite another when it comes to privacy matters. Put simply, people take some risks — including some privacy and security risks — in order to reap other rewards or benefits. (See this essay for more on the problem with most privacy polls.)

Second, online activity and the Internet of Things are both growing like gangbusters despite the privacy and security concerns that the FTC raises. Virtually every metric I’ve looked at that track IoT activity show astonishing growth and product adoption, and projections by all the major consultancies that have studied this consistently predict the continued rapid growth of IoT activity. Now, how can this be the case if, as the FTC claims, we’ll only see the IoT really take off after we get more regulation aimed at bolstering consumer trust? Of course, the agency might argue that the IoT will grow at an even faster clip than it is right now, but there is no way to prove one way or the other. In any event, the agency cannot possible claim that the IoT isn’t already growing at a very healthy clip — indeed, a lot of the hand-wringing the staff engages in throughout the report is premised precisely on the fact that the IoT is exploding faster that our ability to keep up with it!! In reality, it seems far more likely that cost and complexity are the bigger impediments to faster IoT adoption, just as cost and complexity have always been the factors weighing most heavily on the adoption of other digital technologies.

Third, let’s say that the FTC is correct – and it is – when it says that a certain amount of trust is needed in terms of IoT privacy and security before consumers are willing to use more of these devices and services in their everyday lives. Does the agency imagine that IoT innovators don’t know that? Are markets and consumers completely irrational? The FTC says on page 44 of the report that, “If a company decides that a particular data use is beneficial and consumers disagree with that decision, this may erode consumer trust.” Well, if such a mismatch does exist, then the assumption should be that consumers can and will push back, or seek out new and better options. And other companies should be able to sense the market opportunity here to offer a more privacy-centric offering for those consumers who demand it in order to win their trust and business.

Finally, and perhaps most obviously, the problem with the argument that increased regulation will help IoT adoption is that it ignores how the regulations put in place to achieve greater “trust” might become so onerous or costly in practice that there won’t be as many innovations for us to adopt to begin with! Again, regulation — even very well-intentioned regulation — has costs and trade-offs.

In any event, if the agency is going to premise the case for expanded privacy regulation on this notion, they are going to have to do far more to make their case besides simply asserting it.

Once Again, No Appreciation of the Potential for Societal Adaptation

Let’s briefly shift to a subject that isn’t discussed in the FTC’s new IoT report at all.

Regular readers may get tired of me making this point, but I feel it is worth stressing again: Major reports and statements by public policymakers about rapidly-evolving emerging technologies are always initially prone to stress panic over patience. Rarely are public officials willing to step-back, take a deep breath, and consider how a resilient citizenry might adapt to new technologies as they gradually assimilate new tools into their lives.

That is really sad, when you think about it, since humans have again and again proven capable of responding to technological change in creative ways by adopting new personal and social norms. I won’t belabor the point because I’ve already written volumes on this issue elsewhere. I tried to condense all my work into a single essay entitled, “Muddling Through: How We Learn to Cope with Technological Change.” Here’s the key takeaway:

humans have exhibited the uncanny ability to adapt to changes in their environment, bounce back from adversity, and learn to be resilient over time. A great deal of wisdom is born of experience, including experiences that involve risk and the possibility of occasional mistakes and failures while both developing new technologies and learning how to live with them. I believe it wise to continue to be open to new forms of innovation and technological change, not only because it provides breathing space for future entrepreneurialism and invention, but also because it provides an opportunity to see how societal attitudes toward new technologies evolve — and to learn from it. More often than not, I argue, citizens have found ways to adapt to technological change by employing a variety of coping mechanisms, new norms, or other creative fixes.

Again, you almost never hear regulators or lawmakers discuss this process of individual and social adaptation even though they must know there is something to it. One explanation is that every generation has their own techno-boogeymen and lose faith in the ability of humanity to adapt to it.

To believe that we humans are resilient, adaptable creatures should not be read as being indifferent to the significant privacy and security challenges associated with any of the new technologies in our lives today, including IoT technologies. Overly-exuberant techno-optimists are often too quick to adopt a “Just-Get-Over-It!” attitude in response to the privacy and security concerns raised by others. But it is equally unforgivable for those who are worried about those same concerns to utterly ignore the reality of human adaptation to new technologies realities.

Why are Educational Approaches Merely an Afterthought?

One final thing that troubled me about the FTC report was the way consumer and business education is mostly an afterthought. This is one of the most important roles that the FTC can and should play in terms of explaining potential privacy and security vulnerabilities to the general public and product developers alike.

Alas, the agency devotes so much ink to the more legalistic questions about how to address these issues, that all we end up with in the report is this one paragraph on consumer and business education:

Consumers should understand how to get more information about the privacy of their IoT devices, how to secure their home networks that connect to IoT devices, and how to use any available privacy settings. Businesses, and in particular small businesses, would benefit from additional information about how to reasonably secure IoT devices. The Commission staff will develop new consumer and business education materials in this area.

I applaud that language, and I very much hope that the agency is serious about plowing more effort and resources into developing new consumer and business education materials in this area. But I’m a bit shocked that the FTC report didn’t even bother mentioning the excellent material already available on the “On Guard Online” website it helped created with a dozen other federal agencies. Worse yet, the agency failed to highlight the many other privacy education and “digital citizenship” efforts that are underway today to help on this front. I discuss those efforts in more detail in the closing section of my recent law review article.

I hope that the agency spends a little more time working on the development of new consumer and business education materials in this area instead of trying to figure out how to craft a quasi-regulatory regime for the Internet of Things. As I noted last year in this Maine Law Review article, that would be a far more productive use of the agency’s expertise and resources. I argued there that “policymakers can draw important lessons from the debate over how best to protect children from objectionable online content” and apply them to debates about digital privacy. Specifically, after a decade of searching for legalistic solutions to online safety concerns — and convening a half-dozen blue ribbon task forces to study the issue — we finally saw a rough consensus emerge that no single “silver-bullet” technological solutions or legal quick-fixes would work and that, ultimately, education and empowerment represented the better use of our time and resources. What was true for child safety is equally true for privacy and security for the Internet of Things.

It’s a shame the FTC staff squandered the opportunity it had with this new report to highlight all the good that could be done by getting more serious about focusing first on those alternative, bottom-up, less costly, and less controversial solutions to these challenging problems. One day we’ll all wake up and realize that we spent a lost decade debating legalistic solutions that were either technically unworkable or politically impossible. Just imagine if all the smart people who were spending all their time and energy on those approaches right now were instead busy devising and pushing educational and empowerment-based solutions instead!

One day we’ll get there. Sadly, if the FTC report is any indication, that day is still a ways off.

Striking a Sensible Balance on the Internet of Things and Privacy

Adam Thierer — Fri, 16 Jan 2015 21:08:39 +0000

This week, the Future of Privacy Forum (FPF) released a new white paper entitled, “A Practical Privacy Paradigm for Wearables,” which I believe can help us find policy consensus regarding the privacy and security concerns associated with the Internet of Things (IoT) and wearable technologies. I’ve been monitoring IoT policy developments closely and I recently published a big working paper (“The Internet of Things and Wearable Technology: Addressing Privacy and Security Concerns without Derailing Innovation”) that will appear shortly in the Richmond Journal of Law & Technology. I have also penned several other essays on IoT issues. So, I will be relating the FPF report to some of my own work.

The new FPF report, which was penned by Christopher Wolf, Jules Polonetsky, and Kelsey Finch, aims to accomplish the same goal I had in my own recent paper: sketching out constructive and practical solutions to the privacy and security issues associated with the IoT and wearable tech so as not to discourage the amazing, life-enriching innovations that could flow from this space. Flexibility is the key, they argue. “Premature regulation at an early stage in wearable technological development may freeze or warp the technology before it achieves its potential, and may not be able to account for technologies still to come,” the authors note. “Given that some uses are inherently more sensitive than others, and that there may be many new uses still to come, flexibility will be critical going forward.” (p. 3)

That flexible approach is at the heart of how the FPF authors want to see Fair Information Practice Principles (FIPPs) applied in this space. The FIPPs generally include: (1) notice, (2) choice, (3) purpose specification, (4) use limitation, and (5) data minimization. The FPF authors correctly note that,

The FIPPs do not establish specific rules prescribing how organizations should provide privacy protections in all contexts, but rather provide high-level guidelines. Over time, as technologies and the global privacy context have changed, the FIPPs have been presented in different ways with different emphases. Accordingly, we urge policymakers to enable the adaptation of these fundamental principles in ways that reflect technological and market developments. (p. 4)

They continue on to explain how each of the FIPPS can provide a certain degree of general guidance for the IoT and wearable tech, but also caution that: “A rigid application of the FIPPs could inhibit these technologies from even functioning, and while privacy protections remain essential, a degree of flexibility will be key to ensuring the Internet of Things can develop in ways that best help consumer needs and desires.” (p. 4) And throughout the report, the FPF authors stress the need for the FIPPS to be “practically applied” and they nicely explain how the appropriate application of any particular one of the FIPPS “will depend on the circumstances.” For those reasons, they conclude by saying, “we urge policymakers to adopt a forward-thinking, flexible application of the FIPPs.” (p. 11)

The approach that Wolf, Polonetsky, and Finch set forth in this new FPF report is very much consistent with the policy framework I sketched out in my forthcoming law review article. “The need for flexibility and adaptability will be paramount if innovation is to continue in this space,” I argued. In essence, best practices need to remain just that: best practices — not fixed, static, top-down regulatory edicts. As I noted:

Regardless of whether they will be enforced internally by firms or by ex post FTC enforcement actions, best practices must not become a heavy-handed, quasi-regulatory straitjacket. A focus on security and privacy by design does not mean those are the only values and design principles that developers should focus on when innovating. Cost, convenience, choice, and usability are all important values too. In fact, many consumers will prioritize those values over privacy and security — even as activists, academics, and policymakers simultaneously suggest that more should be done to address privacy and security concerns. Finally, best practices for privacy and security issues will need to evolve as social acceptance of various technologies and business practices evolve. For example, had “privacy by design” been interpreted strictly when wireless geolocation capabilities were first being developed, these technologies might have been shunned because of the privacy concerns they raised. With time, however, geolocation technologies have become a better understood and more widely accepted capability that consumers have come to expect will be embedded in many of their digital devices. Those geolocation capabilities enable services that consumers now take for granted, such as instantaneous mapping services and real-time traffic updates. This is why flexibility is crucial when interpreting the privacy and security best practices.

The only thing I think that was missing from the FPF report was a broader discussion of other constructive privacy and security solutions that involve education, etiquette, and empowerment-based solutions. I would have also liked to have seen some discussion of how other existing legal mechanisms — privacy torts, contractual enforcement mechanisms, property rights, state “peeping Tom” law, and existing privacy statutes — might cover some of the hard cases that could develop on this front. I discuss those and other “bottom-up” solutions in Section IV of my law review article and note that they can contribute to the sort of “layered” approach we need to address privacy and security concerns for the IoT and wearable tech.

In any event, I encourage everyone to check out the new Future of Privacy Forum report as well as the many excellent best practice guidelines they have put together to help innovators adopt sensible privacy and security best practices. FPF has done some great work on this front.

Additional Reading

essay: “A Nonpartisan Policy Vision for the Internet of Things,” December 11, 2014.
slide presentation: “Policy Issues Surrounding the Internet of Things & Wearable Technology,” September 12, 2014.
law review article: “The Internet of Things and Wearable Technology Addressing Privacy and Security Concerns without Derailing Innovation,” November 2014.
essay: “CES 2014 Report: The Internet of Things Arrives, but Will Washington Welcome It?” January 8, 2014.
essay: “The Growing Conflict of Visions over the Internet of Things & Privacy,” January 14, 2014.
oped: “Can We Adapt to the Internet of Things?” IAPP Privacy Perspectives, June 19, 2013
agency filing: My Filing to the FTC in its ‘Internet of Things’ Proceeding, May 31, 2013
book: Permissionless Innovation: The Continuing Case for Comprehensive Technological Freedom, 2014.
video: Cap Hill Briefing on Emerging Tech Policy Issues, June 2014.
essay: “What’s at Stake with the FTC’s Internet of Things Workshop,” November 18, 2013.
law review article: “Removing Roadblocks to Intelligent Vehicles and Driverless Cars,” September 16, 2014.

Dispatches from CES 2015 on Privacy Implications of New Technologies

Adam Thierer — Thu, 15 Jan 2015 19:22:30 +0000

Over at the International Association of Privacy Professionals (IAPP) Privacy Perspectives blog, I have two “Dispatches from CES 2015” up. (#1 & #2) While I was out in Vegas for the big show, I had a chance to speak on a panel entitled, “Privacy and the IoT: Navigating Policy Issues.” (Video can be found here. It’s the second one on the video playlist.) Federal Trade Commission (FTC) Chairwoman Edith Ramirez kicked off that session and stressed some of the concerns she and others share about the Internet of Things and wearable technologies in terms of the privacy and security issues they raise.

Before and after our panel discussion, I had a chance to walk the show floor and take a look at the amazing array of new gadgets and services that will soon hitting the market. A huge percentage of the show floor space was dedicated to IoT technologies, and wearable tech in particular. But the show also featured many other amazing technologies that promise to bring consumers a wealth of new benefits in coming years. Of course, many of those technologies will also raise privacy and security concerns, as I noted in my two essays for IAPP. The first of my dispatches focuses primarily on the Internet of Things and wearable technologies that I saw at CES. In my second dispatch, I discuss the privacy and security implications of the increasing miniaturization of cameras, drone technologies, and various robotic technologies (especially personal care robots).

I open the first column by noting that “as I was walking the floor at this year’s massive CES 2015 tech extravaganza, I couldn’t help but think of the heartburn that privacy professionals and advocates will face in coming years.” And I close the second dispatch by concluding that, “The world of technology is changing rapidly and so, too, must the role of the privacy professional. The technologies on display at this year’s CES 2015 make it clear that a whole new class of concerns are emerging that will require IAPP members to broaden their issue set and find constructive solutions to the many challenges ahead.” Jump over to the Privacy Perspectives blog to read more.

My Writing on Internet of Things (Thus Far)

Adam Thierer — Mon, 05 Jan 2015 16:55:41 +0000

I’ve spent much of the past year studying the potential public policy ramifications associated with the rise of the Internet of Things (IoT). As I was preparing some notes for my Jan. 6th panel discussing on “Privacy and the IoT: Navigating Policy Issues” at this year’s 2015 CES show, I went back and collected all my writing on IoT issues so that I would have everything in one place. Thus, down below I have listed most of what I’ve done over the past year or so. Most of this writing is focused on the privacy and security implications of the Internet of Things, and wearable technologies in particular.

I plan to stay on top of these issues in 2015 and beyond because, as I noted when I spoke on a previous CES panel on these issues, the Internet of Things finds itself at the center of what we might think of a perfect storm of public policy concerns: Privacy, safety, security, intellectual property, economic / labor disruptions, automation concerns, wireless spectrum issues, technical standards, and more. When a new technology raises one or two of these policy concerns, innovators in those sectors can expect some interest and inquiries from lawmakers or regulators. But when a new technology potentially touches all of these issues, then it means innovators in that space can expect an avalanche of attention and a potential world of regulatory trouble. Moreover, it sets the stage for a grand “clash of visions” about the future of IoT technologies that will continue to intensify in coming months and years.

That’s why I’ll be monitoring developments closely in this field going forward. For now, here’s what I’ve done on this issue as I prepare to head out to Las Vegas for another CES extravaganza that promises to showcase so many exciting IoT technologies.

essay: “A Nonpartisan Policy Vision for the Internet of Things,” December 11, 2014.
slide presentation: “Policy Issues Surrounding the Internet of Things & Wearable Technology,” September 12, 2014.
law review article: “The Internet of Things and Wearable Technology Addressing Privacy and Security Concerns without Derailing Innovation,” November 2014.
essay: “CES 2014 Report: The Internet of Things Arrives, but Will Washington Welcome It?” January 8, 2014.
essay: “The Growing Conflict of Visions over the Internet of Things & Privacy,” January 14, 2014.
oped: “Can We Adapt to the Internet of Things?” IAPP Privacy Perspectives, June 19, 2013
agency filing: My Filing to the FTC in its ‘Internet of Things’ Proceeding, May 31, 2013
book: Permissionless Innovation: The Continuing Case for Comprehensive Technological Freedom, 2014.
video: Cap Hill Briefing on Emerging Tech Policy Issues, June 2014.
essay: “What’s at Stake with the FTC’s Internet of Things Workshop,” November 18, 2013.
law review article: “Removing Roadblocks to Intelligent Vehicles and Driverless Cars,” September 16, 2014.

Internet of Things & Wearable Technology: Unlocking the Next Wave of Data-Driven Innovation from Adam Thierer

Nominees for The Best & Worst Tech Policy Essays of 2014

Adam Thierer — Mon, 15 Dec 2014 19:34:54 +0000

Over the course of the year, I collect some of my favorite (and least favorite) tech policy essays and put them together in an end-of-year blog post so I will remember notable essays in the future. (Here’s my list from 2013.) Here are some of the best tech policy essays I read in 2014 (in chronological order).

Joel Mokyr – “The Next Age of Invention,” City Journal, Winter 2014. (An absolutely beautiful refutation of the technological pessimism that haunts our age. Mokry concludes by noting that, “technology will continue to develop and change human life and society at a rate that may well dwarf even the dazzling developments of the twentieth century. Not everyone will like the disruptions that this progress will bring. The concern that what we gain as consumers, viewers, patients, and citizens, we may lose as workers is fair. The fear that this progress will create problems that no one can envisage is equally realistic. Yet technological progress still beats the alternatives; we cannot do without it.” Mokyr followed it up with a terrific August 8 Wall Street Journal oped, “What Today’s Economic Gloomsayers Are Missing.“)
Michael Moynihan – “ Can a Tweet Put You in Prison? It Certainly Will in the UK ,” The Daily Beast , January 23, 2014. (Great essay on the right and wrong way to fight online hate. Here’s the kicker: “There is a presumption that ugly ideas are contagious and if the already overburdened police force could only disinfect the Internet, racism would dissipate. This is arrant nonsense.”)
Hanni Fakhoury – “ The U.S. Crackdown on Hackers Is Our New War on Drugs,” Wired , January 23, 2014. (“We shouldn’t let the government’s fear of computers justify disproportionate punishment. . . . It’s time for the government to learn from its failed 20th century experiment over-punishing drugs and start making sensible decisions about high-tech punishment in the 21st century.”)
Carole Cadwalladr – “Meet Cody Wilson, Creator of the 3D-gun, Anarchist, Libertarian,” Guardian/Observer, February 8, 2014. (Entertaining profile of one of the modern digital age’s most fascinating characters. “There are enough headlines out there which ask: Is Cody Wilson a terrorist? Though my favourite is the one that asks: ‘Cody Wilson: troll, genius, patriot, provocateur, anarchist, attention whore, gun nut or Second Amendment champion.’ Though it could have added, ‘Or b) all of the above?'”)

Michael Sacasas – “What Are We Talking About When We Talk About Technology?” February 14, 2014, and “Traditions of Technological Criticism,” February 15, 2014. (Sacasas continues his discussion of differing conceptions of the term “technology.” In the process, he surveys a wide swath of technology theorists & critics and then offers a rough taxonomy grouping them in various ways. Terrifically interesting. Note: I used Michael’s posts as the launching point for a blog post of my own on, “Defining ‘Technology.'”)
Glenn Garvin – “TV’s Deregulated Golden Age: Why so few critics understand what made HBO possible,” Reason, February 2014. (Garvin explains how freedom to innovate was the key ingredient in unleashing the modern Golden Age of television. I love the opening lines: “For decades, no art form was more meticulously regulated by the government than television. For decades, no art form was more relentlessly bashed by its critics. Amazingly, nobody ever seems to make a connection between these two facts.” So damn true.)
Antonis Polemitis – “Bitcoin Series 19: Bizarre Shadowy Paper-Based Payment System Being Rolled Out Worldwide,” Ledra Capital blog, February 17, 2014. (An absolutely epic satire of the Bitcoin technopanic. Hugely entertaining.)
Eli Dourado – “Why the Left Doesn’t Have to Hate Innovation,” The Umlaut, April 2, 2014. (A sharp response to an Evgeny Morozov rant about innovation policy.)
John Villasenor – “The Future Of Innovation: Five Things We Can Learn From Bitcoin,” Forbes, May 12, 2014. (Offers “five things that the growth of cryptocurrencies can teach us about the future of innovation.”)
Marc Andreesen – “This is Probably a Good Time to Say That I Don’t Believe Robots Will Eat All the Jobs…,” Andreessen Horowitz blog, June 13, 2014. (Andreessen single-handedly revolutionized Twitter posting style in 2014 with his “Twitterstorm” format of essentially blogging via multi-part tweets. His mini-manifestos are powerful stuff, and none were better than this one, which he thankfully transcribed and posted to his firm’s blog. In it, he lays out the optimistic case for robotic automation and the many benefits he believes it will bring to society.)
Adam Thierer – “Muddling Through: How We Learn to Cope with Technological Change,” Medium, June 30, 2014. (Is it wrong to put one of my own essays on this list. Probably! But I am quite proud of this one and, if nothing else, I hope it offers others a good reading list on the topic. Specifically, the essay surveys the extensive writing on “heaven” and “hell” scenarios about the impact of technological change on society.)
Peter W. Singer & Allan Friedman, “The 5 Biggest Cybersecurity Myths, Debunked,” Wired, July 2, 2014. (Singer & Friedman inject some much-needed sanity back into the techno-panicky debates over cybersecurity and “cyberwar.”)
Daniel Akst, “What Can We Learn From Past Anxiety Over Automation?” Wilson Quarterly, Summer 2014. (A nice look back at a century’s worth of hand-wringing over the looming threat of automation and job-displacement.)
Clive Thompson, “How a 1974 sci-fi novel for teens eerily predicted the rise of personal drones,” Medium, September 5, 2014. (Probably my favorite essay of the year since Clive manages to combine lessons from one my favorite childhood books along with my current fascination with “precautionary principle” thinking. Splendid writing, as always, from Thompson.)
Jason Feifer, “The Internet is Not Harming You. Here’s What’s Harmful: Fearmongering about the Internet,” Fast Company, November 2014. (“Falsely romanticizing the past allows us to think that we stand at a threshold as some last vestige of better, tech-disconnected humans. The truth is that as culture evolves our priorities change as well.”)
Adam Elkus – “Don’t Fear Artificial Intelligence,” Slate, October 31, 2014. (Elkus pushes back against what he regards as the growing technopanic over artificial intelligence.)
Steven Johnson – “We’re living the dream; we just don’t realize it,” CNN, November 28, 2014. (“Americans enjoy longer, healthier lives in more stable families and communities than we did 20 years ago. But other than the crime trends, these facts are rarely reported or shared via word-of-mouth channels.”)
Blake Ross – “Uber.gov: It’s Time to Let the Government Drive,” Medium, December 2, 2014. (A fun tongue-and-cheek piece about just how badly Las Vegas, Nevada — like many other governments — have mangled their “consumer protection” mandate when it comes to transportation services.)

And my nominees for Worst Tech Policy Essays of 2014 go to:

Evgeny Morozov – “Stunt the Growth” (As the old saying goes, you can’t put lipstick on a pig, but preeminent techno-crank Evgeny Morozov certainly tries his darnedest to dress up Ludditism and make it sexy in this elitist rant endorsing a “degrowth” movement for the world of information technology.)
Anthony Weiner – “Here’s What Tesla And The Other Silicon Valley ‘Disruptors’ Don’t Get About Politics” (An astonishing defense of cronyist and protectionist state laws that harm consumer welfare. In essence, Weiner says that disruptive entrepreneurs should just shut up on get on with the business of playing ball with politicians and regulators. Don’t rock the boat, you damn innovators!)
Richard Eskow – “Let’s nationalize Amazon and Google: Publicly funded technology built Big Tech” (Yes, some people still think converting tech companies into public utilities is a good idea. Do I really need to explain why that’s such a bad idea? OK, well I did in this 62-page paper!)

A Nonpartisan Policy Vision for the Internet of Things

Adam Thierer — Thu, 11 Dec 2014 20:07:11 +0000

What sort of public policy vision should govern the Internet of Things? I’ve spent a lot of time thinking about that question in essays here over the past year, as well as in a new white paper (“The Internet of Things and Wearable Technology: Addressing Privacy and Security Concerns without Derailing Innovation”) that will be published in the Richmond Journal of Law & Technology early next year.

But I recently heard three policymakers articulate their recommended vision for the Internet of Things (IoT) and I found their approach so inspiring that I wanted to discuss it here in the hopes that it will become the foundation for future policy in this arena.

Last Thursday, it was my pleasure to attend a Center for Data Innovation (CDI) event on “How Can Policymakers Help Build the Internet of Things?” As the title implied, the goal of the event was to discuss how to achieve the vision of a more fully-connected world and, more specifically, how public policymakers can help facilitate that objective. It was a terrific event with many excellent panel discussions and keynote addresses.

Two of those keynotes were delivered by Senators Deb Fischer (R-Neb.) and Kelly Ayotte (R-N.H.). Below I will offer some highlights from their remarks and then relate them to the vision set forth by Federal Trade Commission (FTC) Commissioner Maureen K. Ohlhausen in some of her recent speeches. I will conclude by discussing how the Ayotte-Fischer-Ohlhausen vision can be seen as the logical extension of the Clinton Administration’s excellent 1997 Framework for Global Electronic Commerce, which proposed a similar policy paradigm for the Internet more generally. This shows how crafting policy for the IoT can and should be a nonpartisan affair.

Sen. Deb Fischer

In her opening remarks at the CDI event last week, Sen. Deb Fischer explained how “the Internet of Things can be a game changer for the U.S. economy and for the American consumer.” “It gives people more information and better tools to analyze data to make more informed choices,” she noted.

After outlining some of the potential benefits associated with the Internet of Things, Sen. Fischer continued on to explain why it is essential we get public policy incentives right first if we hope to unlock the full potential of these new technologies. Specifically, she argued that:

In order for Americans to receive the maximum benefits from increased connectivity, there are two things the government must avoid. First, policymakers can’t bury their heads in the sand and pretend this technological revolution isn’t happening only to wake up years down the road and try to micromanage a fast-changing, dynamic industry. Second, the federal government must also avoid regulation just for the sake of regulation. We need thoughtful, pragmatic responses and narrow solutions to any policy issues that arise. For too long, the only “strategy” in Washington policy-making has been to react to crisis after crisis. We should dive into what this means for U.S. global competitiveness, consumer welfare, and economic opportunity before the public policy challenges overwhelm us, before legislative and executive branches of government – or foreign governments – react without all the facts.

Fischer concluded by noting that, “it’s entirely appropriate for the U.S. government to think about how to modernize its regulatory frameworks, consolidate, renovate, and overhaul obsolete rules. We’re destined to lose to the Chinese or others if the Internet of Things is governed in the United States by rules that pre-date the VCR.”

Sen. Kelly Ayotte

Like Sen. Fischer, Ayotte similarly stressed the many economic opportunities associated with IoT technologies for both consumers and producers alike. [Note: Sen. Ayotte did not publish her remarks on her website, but you can watch her speech from the CDI event beginning around the 17-minute mark of the event video.]

Ayotte also noted that IoT is going to be a major topic for the Senate Commerce Committee and that there will be an upcoming hearing on the issue. She said that the role of the Committee will be to ensure that the various agencies looking into IoT issues are not issuing “conflicting regulatory directives” and “that what is being done makes sense and allows for future innovation that we can’t even anticipate right now.” Among the agencies she cited that are currently looking into IoT issues: FTC (privacy & security), FDA (medical device apps), FCC (wireless issues), FAA (commercial drones), NHTSA (intelligent vehicle technology), NTIA (multistakeholder privacy reviews), as well as state lawmakers and regulatory agencies.

Sen. Ayotte then explained what sort of policy framework America needed to adopt to ensure that the full potential of the Internet of Things could be realized. She framed the choice lawmakers are confronted with as follows:

we as policymakers we can either create an environment that allows that to continue to grow, or one that thwarts that. To stay on the cutting edge, we need to make sure that our regulatory environment is conducive to fostering innovation.” […] “we’re living in the Dark Ages in the ways the some of the regulations have been framed. Companies must be properly incentivized to invest in the future, and government shouldn’t be a deterrent to innovation and job-creation.

Ayotte also stressed that “technology continues to evolve so rapidly there is no one-size-fits-all regulatory approach” that can work for a dynamic environment like this. “If legislation drives technology, the technology will be outdated almost instantly,” and “that is why humility is so important,” she concluded.

The better approach, she argued was to let technology evolve freely in a “permissionless” fashion and then see what problems developed and then address them accordingly. “[A] top-down, preemptive approach is never the best policy” and will only serve to stifle innovation, she argued. “If all regulators looked with some humility at how technology is used and whether we need to regulate or not to regulate, I think innovation would stand to benefit.”

FTC Commissioner Maureen K. Ohlhausen

Fischer and Ayotte’s remarks reflect a vision for the Internet of Things that FTC Commissioner Maureen K. Ohlhausen has articulated in recent months. In fact, Sen. Ayotte specifically cited Ohlhausen in her remarks.

Ohlhausen has actually delivered several excellent speeches on these issues and has become one of the leading public policy thought leaders on the Internet of Things in the United States today. One of her first major speeches on these issues was her October 2013 address entitled, “The Internet of Things and the FTC: Does Innovation Require Intervention?” In that speech, Ohlhausen noted that, “The success of the Internet has in large part been driven by the freedom to experiment with different business models, the best of which have survived and thrived, even in the face of initial unfamiliarity and unease about the impact on consumers and competitors.”

She also issued a wise word of caution to her fellow regulators:

It is . . . vital that government officials, like myself, approach new technologies with a dose of regulatory humility, by working hard to educate ourselves and others about the innovation, understand its effects on consumers and the marketplace, identify benefits and likely harms, and, if harms do arise, consider whether existing laws and regulations are sufficient to address them, before assuming that new rules are required.

In this and other speeches, Ohlhausen has highlighted the various other remedies that already exist when things do go wrong, including FTC enforcement of “unfair and deceptive practices,” common law solutions (torts and class actions), private self-regulation and best practices, social pressure, and so on. (Note: Inspired by Ohlhausen’s approach, I devoted the final section of my big law review article on IoT issues to a deeper exploration of all those “bottom-up” solutions to privacy and security concerns surrounding the IoT and wearable tech.)

The Clinton Administration Vision

These three women have articulated what I regard as the ideal vision for fostering the growth of the Internet of Things. It should be noted, however, that their framework is really just an extension of the Clinton Administration’s outstanding vision for the Internet more generally.

In the 1997 Framework for Global Electronic Commerce, the Clinton Administration outlined its approach toward the Internet and the emerging digital economy. As I’ve noted many times before, the Framework was a succinct and bold market-oriented vision for cyberspace governance that recommended reliance upon civil society, contractual negotiations, voluntary agreements, and ongoing marketplace experiments to solve information age problems. Specifically, it stated that “the private sector should lead [and] the Internet should develop as a market driven arena not a regulated industry.” “[G]overnments should encourage industry self-regulation and private sector leadership where possible” and “avoid undue restrictions on electronic commerce.”

Sen. Ayotte specifically cited those Clinton principles in her speech and said, “I think those words, given twenty years ago at the infancy of the Internet, are today even more relevant as we look at the challenges and the issues that we continue to face as regulators and policymakers.”

I completely agree. This is exactly the sort of vision that we need to keep innovation moving forward to benefit consumers and the economy, and this also illustrates how IoT policy can be a nonpartisan effort.

Why does this matter so much? As I noted in this recent essay, thanks to the Clinton Administration’s bold vision for the Internet:

This policy disposition resulted in an unambiguous green light for a rising generation of creative minds who were eager to explore this new frontier for commerce and communications. . . . The result of this freedom to experiment was an outpouring of innovation. America’s info-tech sectors thrived thanks to permissionless innovation, and they still do today. An annual Booz & Company report on the world’s most innovative companies revealed that 9 of the top 10 most innovative companies are based in the U.S. and that most of them are involved in computing, software, and digital technology.

In other words, America got policy right before and we can get policy right again to ensure we are again global innovation leaders. Patience, flexibility, and forbearance are the key policy virtues that nurture an environment conducive to entrepreneurial creativity, economic progress, and greater consumer choice.

Other policymakers should endorse the vision originally sketched out by the Clinton Administration and now so eloquently embraced and extended by Sen. Fischer, Sen. Ayotte, and Commissioner Ohlhausen. This is the path forward if we hope to realize the full potential of the Internet of Things.

Internet of Things & Wearable Technology: Unlocking the Next Wave of Data-Driven Innovation from Adam Thierer

New Paper on Privacy & Security Implications of the Internet of Things & Wearable Technology

Adam Thierer — Fri, 21 Nov 2014 15:23:31 +0000

The Mercatus Center at George Mason University has just released my latest working paper, “The Internet of Things and Wearable Technology: Addressing Privacy and Security Concerns without Derailing Innovation.” The “Internet of Things” (IoT) generally refers to “smart” devices that are connected to both the Internet and other devices. Wearable technologies are IoT devices that are worn somewhere on the body and which gather data about us for various purposes. These technologies promise to usher in the next wave of Internet-enabled services and data-driven innovation. Basically, the Internet will be “baked in” to almost everything that consumers own and come into contact with.

Some critics are worried about the privacy and security implications of the Internet of Things and wearable technology, however, and are proposing regulation to address these concerns. In my new 93-page article, I explain why preemptive, top-down regulation would derail the many life-enriching innovations that could come from these new IoT technologies. Building on a recent book of mine, I argue that “permissionless innovation,” which allows new technology to flourish and develop in a relatively unabated fashion, is the superior approach to the Internet of Things.

As I note in the paper and my earlier book, if we spend all our time living in fear of the worst-case scenarios — and basing public policies on them — then best-case scenarios can never come about. As the old saying goes: nothing ventured, nothing gained. Precautionary principle-based regulation paralyzes progress and must be avoided. We instead need to find constructive, “bottom-up” solutions to the privacy and security risks accompanying these new IoT technologies instead of top-down controls that would limit the development of life-enriching IoT innovations.

The better alternative is to deal with concerns creatively as they develop, using a balanced, layered approach involving many different solutions, including: educational efforts, technological empowerment tools, social norms, public and watchdog pressure, industry best practices and self-regulation, transparency, torts and products liability law, and targeted enforcement of existing legal standards as needed.

Generally speaking, patience, humility, and forbearance by policymakers is crucial to allowing greater innovation and consumer choice in this arena. Importantly, policymakers should not forget that societal and individual adaptation will play a role here, just as it has during so many other turbulent technological transformations.

This article can be downloaded on my Mercatus Center page, on SSRN, or at Research Gate. I am hoping to find a law or policy journal interested in publishing this paper soon. If you with a journal and are interested, please contact me. [UPDATE 12/3/14: This paper has been accepted for publication in the Richmond Journal of Law & Technology, Vol. 21, Issue 6 (2015).]

Finally, if you are interested in this topic, you might want to flip through these slides I prepared for a presentation on this topic that I made at the Federal Communications Commission in September:

Internet of Things & Wearable Technology: Unlocking the Next Wave of Data-Driven Innovation from Adam Thierer

Additional reading:

“The Growing Conflict of Visions over the Internet of Things & Privacy,” January 14, 2012
“Can We Adapt to the Internet of Things?” IAPP Privacy Perspectives, June 19, 2013
My Filing to the FTC in its ‘Internet of Things’ Proceeding, May 31, 2013
Permissionless Innovation: The Continuing Case for Comprehensive Technological Freedom (2014)
[Video] Cap Hill Briefing on Emerging Tech Policy Issues (June 2014)
“Why Permissionless Innovation Matters” (4/24/14),
“How We Learn to Cope with Technological Change” (6/30/14)
“Problems with Precautionary Principle-Minded Tech Regulation & a Federal Robotics Commission” (9/22/14)

Driverless Cars, Privacy & Security: Event Video & Talking Points

Adam Thierer — Mon, 20 Oct 2014 19:23:01 +0000

Last week, it was my pleasure to speak at a Cato Institute event on “The End of Transit and the Beginning of the New Mobility: Policy Implications of Self-Driving Cars.” I followed Cato Institute Senior Fellow Randal O’Toole and Marc Scribner, a Research Fellow at the Competitive Enterprise Institute. They provided a broad and quite excellent overview of all the major issues at play in the debate over driverless cars. I highly recommend you read the excellent papers that Randal and Marc have published on these issues.

My role on the panel was to do a deeper dive into the privacy and security implications of not just the autonomous vehicles of our future, but also the intelligent vehicle technologies of the present. I discussed these issues in greater detail in my recent Mercatus Center working paper, “Removing Roadblocks to Intelligent Vehicles and Driverless Cars,” which was co-authored with Ryan Hagemann. (That article will appear in a forthcoming edition of the Wake Forest Journal of Law & Policy.) I’ve embedded the video of the event down below (my remarks begin at the 38:15 mark) as well as my speaking notes. Again, please consult the longer paper for details.

The privacy & security implications of self-driving cars are already driving public policy concerns because of the amount of data they collect. Here are a few things we should keep in mind as we consider new regulations for these technologies:

1) Security & privacy are relative concepts with amorphous boundaries

Not everyone affixes the same value on security & privacy; very subjective
Some people are hyper-cautious about security or hyper-sensitive about their privacy; others are risk-takers or are just somewhat indifferent (or pragmatic) about these things

2) Security & privacy norms can and often do evolve very rapidly over time

With highly disruptive technologies, we tend to panic first but then when move to a new plateau with new ethical and legal baselines
[I’ve written about this in my recent law review articles on about privacy and security]
The familiar cycle at work: initial resistance, gradual adaptation, eventual assimilation
This was true for the first cars a century ago; true today as well

3) For almost every perceived privacy or security harm, there is a corresponding consumer benefit that may outweigh the feared harm

We see this reality at work with the broader Internet & we will see it at work with intelligent vehicles
Ex: Compare vehicle telematics to locational tracking technologies for smartphones
In both contexts, locational tracking raises rather obvious privacy considerations
But has many benefits and could not exist without them (traffic)
“tracking” concerns may dissipate for cars like smartphones (but not evaporate!)

4) As it pertains to intelligent vehicle technologies, today’s security & privacy concerns are not the same as yesterdays and they will not be the same as tomorrow’s either.

Today’s “intelligent vehicle” technology privacy issues may be more concerning that tomorrow’s for fully autonomous vehicles
today’s on-baord EDRs & telematics may cause more privacy concerns for us as drivers than tomorrow’s technologies
ex: concerns about tailored insurance & automated law enforcement

That may lead to some privacy concerns in the short-term (or fears of “discrimination”)
BUT… What happens when cars are no longer a final good but merely a service for hire? (i.e., What happens when we combine Sharing Economy w/ self-driving cars?)
Car of future = robotic chauffeur (like Uber + Zip Car)
Old privacy concerns will evolve rapidly; security likely to become bigger concern

5) Any security & privacy solutions must take these realities into account in order to be successful and those solutions must also accommodate the need to balance many different values and interests simultaneously.

There are no silver bullet solutions to privacy & security problems
+ it will be difficult for law to keep up with pace of innovations
Therefore, We need a flexible, “layered approach” with many different solutions

we need “simple rules for a complex world” (Richard Epstein)

Contracts / enforce Terms of Service
Common law / torts / products liability
see excellent new Brookings paper by John Villasenor: “when confronted with new, often complex, questions involving products liability, courts have generally gotten things right. . . . Products liability law has been highly adaptive to the many new technologies that have emerged in recent decades, and it will be quite capable of adapting to emerging autonomous vehicle technologies as the need arises.”

liability norms & insurance standards will evolve rapidly as cars move from final good to service
“least-cost avoider” implications (the more you know, the more responsible you become)

Privacy & Security “by design” (“Baking-in” best practices)

Data collection minimization
Limit sharing w 3^rd parties
Transparency about all data collection and use practices
Clear consent for new uses

see Future of Privacy Forum best practices for intelligent vehicle tech providers
this is already happening (GAO report noted 10 smart car tech makers already doing so)

Hopefully some firms compete on privacy & exceed these standards for those who want it
And hopefully privacy & security advocates develop tools to better safeguard these values, again for those who want more protection

Query: But shouldn’t there be some minimal standards? Federal or state regulation?

Things moving too quick; hard for law to keep pace w/o limiting innovation opportunities
The flexible approach and methods I just listed are better suited to evolve with the cases and controversies that pop up along the way

it is better to utilize a “wait and see” strategy & see if serious & persistent problems develop that require regulatory remedies; but don’t lead with preemptive, precautionary controls
“permissionless innovation” should remain our default policy position

Ongoing experimentation should be permitted not just with technology in general, but also with privacy and security solutions and standards
In sum… avoid One Size Fits All solutions

6) Special consideration should be paid to government actions that affect user privacy

Whereas many of the privacy and security concerns involving private data collection can be handled using the methods discussed previously, governmental data collection raises different issues
Private entities cannot fine, tax, or imprison us since they lack the coercive powers governments possess.
Moreover, although it is possible to ignore or refuse to be a part of various private services, the same is not true for governments, whose grasp cannot be evaded.
Thus, special protections are needed for law enforcement agencies and officials as it pertains to these technologies.
When government seeks access to privately-held data collected from these technologies, strong constitutional and statutory protections should apply.
We need stronger 4th Amendment constraints
Courts should revisit the “third-party doctrine,” which holds that an individual sacrifices their Fourth Amendment interest in their personal information when they divulges it to a third party, even if that party has promised to safeguard that data.

Slide Presentation: Policy Issues Surrounding the Internet of Things & Wearable Technology

Adam Thierer — Fri, 12 Sep 2014 16:04:09 +0000

On Thursday, it was my great pleasure to present a draft of my forthcoming paper, “The Internet of Things & Wearable Technology: Addressing Privacy & Security Concerns without Derailing Innovation,” at a conference that took place at the Federal Communications Commission on “Regulating the Evolving Broadband Ecosystem.” The 3-day event was co-sponsored by the American Enterprise Institute and the University of Nebraska College of Law.

The 65-page working paper I presented is still going through final peer review and copyediting, but I posted a very rough first draft on SSRN for conference participants. I expect the paper to be released as a Mercatus Center working paper in October and then I hope to find a home for it in a law review. I will post the final version once it is released. [UPDATE:The final version of this working paper was released on November 19, 2014.]

In the meantime, however, I thought I would post the 46 slides I presented at the conference, which offer an overview of the nature of the Internet of Things and wearable technology, the potential economic opportunities that exist in this space, and the various privacy and security challenges that could hold this technological revolution back. I also outlined some constructive solutions to those concerns. I plan to be very active on these issues in coming months.

Internet of Things & Wearable Technology: Unlocking the Next Wave of Data-Driven Innovation from Adam Thierer

Additional Reading

“The Growing Conflict of Visions over the Internet of Things & Privacy,” January 14, 2012
“Can We Adapt to the Internet of Things?” IAPP Privacy Perspectives, June 19, 2013
My Filing to the FTC in its ‘Internet of Things’ Proceeding, May 31, 2013
Permissionless Innovation: The Continuing Case for Comprehensive Technological Freedom (2014)
[Video] Cap Hill Briefing on Emerging Tech Policy Issues (June 2014)

New Law Review Article: “Privacy Law’s Precautionary Principle Problem”

Adam Thierer — Mon, 16 Jun 2014 17:50:30 +0000

My latest law review article is entitled, “Privacy Law’s Precautionary Principle Problem,” and it appears in Vol. 66, No. 2 of the Maine Law Review. You can download the article on my Mercatus Center page, on the Maine Law Review website, or via SSRN. Here’s the abstract for the article:

Privacy law today faces two interrelated problems. The first is an information control problem. Like so many other fields of modern cyberlaw—intellectual property, online safety, cybersecurity, etc.—privacy law is being challenged by intractable Information Age realities. Specifically, it is easier than ever before for information to circulate freely and harder than ever to bottle it up once it is released.

This has not slowed efforts to fashion new rules aimed at bottling up those information flows. If anything, the pace of privacy-related regulatory proposals has been steadily increasing in recent years even as these information control challenges multiply.

This has led to privacy law’s second major problem: the precautionary principle problem. The precautionary principle generally holds that new innovations should be curbed or even forbidden until they are proven safe. Fashioning privacy rules based on precautionary principle reasoning necessitates prophylactic regulation that makes new forms of digital innovation guilty until proven innocent.

This puts privacy law on a collision course with the general freedom to innovate that has thus far powered the Internet revolution, and privacy law threatens to limit innovations consumers have come to expect or even raise prices for services consumers currently receive free of charge. As a result, even if new regulations are pursued or imposed, there will likely be formidable push-back not just from affected industries but also from their consumers.

In light of both these information control and precautionary principle problems, new approaches to privacy protection are necessary. We need to invert the process of how we go about protecting privacy by focusing more on practical “bottom-up” solutions—education, empowerment, public and media pressure, social norms and etiquette, industry self-regulation and best practices, and an enhanced role for privacy professionals within organizations—instead of “top-down” legalistic solutions and regulatory techno-fixes. Resources expended on top-down regulatory pursuits should instead be put into bottom-up efforts to help citizens better prepare for an uncertain future.

In this regard, policymakers can draw important lessons from the debate over how best to protect children from objectionable online content. In a sense, there is nothing new under the sun; the current debate over privacy protection has many parallels with earlier debates about how best to protect online child safety. Most notably, just as top-down regulatory constraints came to be viewed as constitutionally-suspect and economically inefficient, and also highly unlikely to even be workable in the long-run for protecting online child safety, the same will likely be true for most privacy related regulatory enactments.

This article sketches out some general lessons from those online safety debates and discusses their implications for privacy policy going forward.

Read the full article here [PDF].

Related Material:

Book: Permissionless Innovation: The Continuing Case for Comprehensive Technological Freedom
Law review article: “The Pursuit of Privacy in a World Where Information Control Is Failing,” Harvard Journal of Law & Public Policy, 36 (2013): 409–55.
Law review article: “A Framework for Benefit-Cost Analysis in Digital Privacy Debates,” George Mason University Law Review, 20, no. 4 (Summer 2013): 1055–105.
Law review article: “Technopanics, Threat Inflation, and the Danger of an Information Technology Precautionary Principle,” Minnesota Journal of Law, Science & Technology, 14 (2013): 309–86.

Adam Thierer – Privacy Law’s Precautionary Problem (Maine Law Review, 2014) by Adam Thierer

video: Cap Hill Briefing on Emerging Tech Policy Issues

Adam Thierer — Thu, 12 Jun 2014 15:53:33 +0000

I recently did a presentation for Capitol Hill staffers about emerging technology policy issues (driverless cars, the “Internet of Things,” wearable tech, private drones, “biohacking,” etc) and the various policy issues they would give rise to (privacy, safety, security, economic disruptions, etc.). The talk is derived from my new little book on “Permissionless Innovation,” but in coming months I will be releasing big papers on each of the topics discussed here.

Additional Reading:

Technology Policy: A Look Ahead by Jerry Brito, Eli Dourado, and Adam Thierer
Permissionless Innovation: The Continuing Case for Comprehensive Technological Freedom by Adam Thierer
Why Permissionless Innovation Matters: Why does economic growth occur in some societies & not in others? by Adam Thierer
Where is the innovation in health care? by Veronique De Rugy

New Book Release: “Permissionless Innovation: The Continuing Case for Comprehensive Technological Freedom”

Adam Thierer — Tue, 25 Mar 2014 15:06:28 +0000

I am pleased to announce the release of my latest book, “Permissionless Innovation: The Continuing Case for Comprehensive Technological Freedom.” It’s a short manifesto (just under 100 pages) that condenses — and attempts to make more accessible — arguments that I have developed in various law review articles, working papers, and blog posts over the past few years. I have two goals with this book.

First, I attempt to show how the central fault line in almost all modern technology policy debates revolves around “the permission question,” which asks: Must the creators of new technologies seek the blessing of public officials before they develop and deploy their innovations? How that question is answered depends on the disposition one adopts toward new inventions. Two conflicting attitudes are evident.

One disposition is known as the “precautionary principle.” Generally speaking, it refers to the belief that new innovations should be curtailed or disallowed until their developers can prove that they will not cause any harms to individuals, groups, specific entities, cultural norms, or various existing laws, norms, or traditions.

The other vision can be labeled “permissionless innovation.” It refers to the notion that experimentation with new technologies and business models should generally be permitted by default. Unless a compelling case can be made that a new invention will bring serious harm to society, innovation should be allowed to continue unabated and problems, if they develop at all, can be addressed later.

I argue that we are witnessing a grand clash of visions between these two mindsets today in almost all major technology policy discussions today.

The second major objective of the book, as is made clear by the title, is to make a forceful case in favor of the latter disposition of “permissionless innovation.” I argue that policymakers should unapologetically embrace and defend the permissionless innovation ethos — not just for the Internet but also for all new classes of networked technologies and platforms. Some of the specific case studies discussed in the book include: the “Internet of Things” and wearable technologies, smart cars and autonomous vehicles, commercial drones, 3D printing, and various other new technologies that are just now emerging.

I explain how precautionary principle thinking is increasingly creeping into policy discussions about these technologies. The urge to regulate preemptively in these sectors is driven by a variety of safety, security, and privacy concerns, which are discussed throughout the book. Many of these concerns are valid and deserve serious consideration. However, I argue that if precautionary-minded regulatory solutions are adopted in a preemptive attempt to head-off these concerns, the consequences will be profoundly deleterious.

The central lesson of the booklet is this: Living in constant fear of hypothetical worst-case scenarios — and premising public policy upon them — means that best-case scenarios will never come about. When public policy is shaped by precautionary principle reasoning, it poses a serious threat to technological progress, economic entrepreneurialism, social adaptation, and long-run prosperity.

Again, that doesn’t mean we should ignore the various problems created by these highly disruptive technologies. But how we address these concerns matters greatly. If and when problems develop, there are many less burdensome ways to address them than through preemptive technological controls. The best solutions to complex social problems are almost always organic and “bottom-up” in nature. Luckily, there exists a wide variety of constructive approaches that can be tapped to address or alleviate concerns associated with new innovations. These include:

education and empowerment efforts (including media literacy, digital citizenship efforts);
social pressure from activists, academics, and the press and the public more generally.
voluntary self-regulation and adoption of best practices (including privacy and security “by design” efforts); and,
increased transparency and awareness-building efforts to enhance consumer knowledge about how new technologies work.

Such solutions are almost always superior to top-down, command-and-control regulatory edits and bureaucratic schemes of a “Mother, May I?” (i.e., permissioned) nature. The problem with “top-down” traditional regulatory systems is that they often tend to be overly-rigid, bureaucratic, inflexible, and slow to adapt to new realities. They focus on preemptive remedies that aim to predict the future, and future hypothetical problems that may not ever come about. Worse yet, administrative regulation generally preempts or prohibits the beneficial experiments that yield new and better ways of doing things. It raises the cost of starting or running a business or non-business venture, and generally discourages activities that benefit society.

To the extent that other public policies are needed to guide technological developments, simple legal principles are greatly preferable to technology-specific, micro-managed regulatory regimes. Again, ex ante (preemptive and precautionary) regulation is often highly inefficient, even dangerous. To the extent that any corrective legal action is needed to address harms, ex post measures, especially via the common law (torts, class actions, etc.), are typically superior. And the Federal Trade Commission will, of course, continue to play a backstop here by utilizing the broad consumer protection powers it possesses under Section 5 of the Federal Trade Commission Act, which prohibits “unfair or deceptive acts or practices in or affecting commerce.” In recent years, the FTC has already brought and settled many cases involving its Section 5 authority to address identity theft and data security matters. If still more is needed, enhanced disclosure and transparency requirements would certainly be superior to outright bans on new forms of experimentation or other forms of heavy-handed technological controls.

In the end, however, I argue that, to the maximum extent possible, our default position toward new forms of technological innovation must remain: “innovation allowed.” That is especially the case because, more often than not, citizens find ways to adapt to technological change by employing a variety of coping mechanisms, new norms, or other creative fixes. We should have a little more faith in the ability of humanity to adapt to the challenges new innovations create for our culture and economy. We have done it countless times before. We are creative, resilient creatures. That’s why I remain so optimistic about our collective ability to confront the challenges posed by these new technologies and prosper in the process.

If you’re interested in taking a look, you can find a free PDF of the book at the Mercatus Center website or you can find out how to order it from there as an eBook. Hardcopies are also available. I’ll be doing more blogging about the book in coming weeks and months. The debate between the “permissionless innovation” and “precautionary principle” worldviews is just getting started and it promises to touch every tech policy debate going forward.

Related Essays :

“The Growing Conflict of Visions over the Internet of Things & Privacy,” Technology Liberation Front, January 14, 2014.
“CES 2014 Report: The Internet of Things Arrives, but Will Washington Welcome It?” Technology Liberation Front, January 8, 2014.
“Who Really Believes in ‘Permissionless Innovation’?” Technology Liberation Front, March 4, 2013.
“What Does It Mean to ‘Have a Conversation’ about a New Technology?” Technology Liberation Front, May 23, 2013.
“On the Line between Technology Ethics vs. Technology Policy,” Technology Liberation Front, August 1, 2013.
“Planning for Hypothetical Horribles in Tech Policy Debates,” Technology Liberation Front, August 6, 2013.
“Edith Ramirez’s ‘Big Data’ Speech: Privacy Concerns Prompt Precautionary Principle Thinking,” Technology Liberation Front, August 29, 2013.
“When It Comes to Information Control, Everybody Has a Pet Issue & Everyone Will Be Disappointed,” Technology Liberation Front, April 29, 2011.
“Copyright, Privacy, Property Rights & Information Control: Common Themes, Common Challenges,” Technology Liberation Front, April 10, 2012.
“Can We Adapt to the Internet of Things?” IAPP Privacy Perspectives, June 19, 2013.
“Why Do We Always Sell the Next Generation Short?” Forbes, January 8, 2012.
“The Six Things That Drive ‘Technopanics,’” Forbes, March 4, 2012.

The Growing Conflict of Visions over the Internet of Things & Privacy

Adam Thierer — Tue, 14 Jan 2014 20:32:44 +0000

When Google announced it was acquiring digital thermostat company Nest yesterday, it set off another round of privacy and security-related technopanic talk on Twitter and elsewhere. Fear and loathing seemed to be the order of the day. It seems that each new product launch or business announcement in the “Internet of Things” space is destined to set off another round of Chicken Little hand-wringing. We are typically told that the digital sky will soon fall on our collective heads unless we act preemptively to somehow head-off some sort of pending privacy or security apocalypse.

Meanwhile, however, a whole heck of lot of people are demanding more and more of these technologies, and American entrepreneurs are already engaged in heated competition with European and Asian rivals to be at the forefront of the next round Internet innovation to satisfy those consumer demands. So, how is this going to play out?

This gets to what becoming the defining policy issue of our time, not just for the Internet but for technology policy more generally: To what extent should the creators of new technologies seek the blessing of public officials before they develop and deploy their innovations? We can think of this as “the permission question” and it is creating a massive rift between those who desire more preemptive, precautionary safeguards for a variety of reasons (safety, security, privacy, copyright, etc.) and those of us who continue to believe that permissionless innovation should be the guiding ethos of our age. The chasm between these two worldviews is only going to deepen in coming years as the pace of innovation around new technologies (the Internet of Things, wearable tech, driverless cars, 3D printing, commercial drones, etc) continues to accelerate.

Sarah Kessler of Fast Company was kind enough to call me last night and ask for some general comments about Google buying Nest and she also sought out the comments of Marc Rotenberg of EPIC about privacy in the Internet of Things era more generally. Our comments provide a useful example of the divide between these two worldviews and foreshadow debates to come:

With an estimated 50 billion connected objects coming online by 2050, some see good reason to put policies in place that regulate the new categories of data they will collect about the people who use those products. “The basic problem with the Internet of Things, unless privacy safeguards are established up front, is that users will lose control over the data they generate,” Marc Rotenberg, the president of the Electronic Privacy Information Center, told Fast Company in an email. Others see the emerging category as a perfect reason to block omnibus attempts to regulate user data. “If we spend all of our time living in fear of hypothetical worst-case scenarios, then the best-case scenarios will never come about,” says Adam Thierer, a Senior Research Fellow at George Mason University’s Mercatus Center. “That’s the nature of how innovation works. You have to allow for risks and experimentation, and even accidents and failures, if you want to get progress.”

Last week, I wrote about this conflict of visions in my dispatch from the CES show and this topic is also the focus of my forthcoming eBook, “Permissionless Innovation: The Continuing Case for Comprehensive Technological Freedom.” To reiterate what I already said, my book will describe the future of the Internet of Things and all technology policy as a grand battle the “precautionary principle” and “permissionless innovation.” The “precautionary principle” refers to the belief that new innovations should be curtailed or disallowed until their developers can prove that they will not cause any harms to individuals, groups, specific entities, cultural norms, or various existing laws, norms, or traditions. The other worldview, “permissionless innovation,” refers to the notion that experimentation with new technologies and business models should generally be permitted by default. Unless a compelling case can be made that a new invention will bring serious harm to society, innovation should be allowed to continue unabated and problems, if they develop at all, can be addressed later.

While those adhering to the precautionary principle mindset tend to favor “top-down” legalistic approaches to solving those potential problems that might creep up, those of us who favor the premissionless innovation approach favor “bottom-up” solutions that evolve over time but do not interrupt the ongoing experimentation and innovation that consumers demand. What does a “bottom-up” approach mean in practice? Education and empowerment, social pressure, societal norms, voluntary self-regulation, and targeted enforcement of existing legal norms (especially through the common law) are almost always superior to top-down, command-and-control regulatory edits and bureaucratic schemes of a “Mother, May I” (i.e., permissioned) nature.

We really should not underestimate the power of norms and public pressure to “regulate” in this regard, perhaps even better than law, which tends to be too slow-moving to make much of a difference. In my book I spend a great deal of time talking about how other technological innovations have been shaped by social norms, public pressure, and press attention. That same will be true for the Internet of Things and various new technologies I discuss in my book. Others will gradually adapt to the new technological realities and integrate these new devices and services into their lives over time.

Perhaps, then, it will be the case that if Google does something particularly bone-headed with Nest that a public backlash will ensue. Or maybe some consumers will just reject Nest and look for other options, which is apparently what Rotenberg is doing according to the Fast Company article. Of course, as I noted in concluding the interview, others may act quite differently and accept Nest and other new Internet of Things technologies, even if there are some privacy or security downsides. As I told Sarah Kessler, while I was visiting the consumer electronics show last week, I heard it was freezing back here in DC. If I would have had Nest in my house, perhaps Google Now could have alerted me to the dangerously low temps in my house and suggested that I raise the temp remotely before my pipes froze. As I noted to Kessler:

“Would that have been creepy?” he says. “To me it would have been helpful. So for everything that people regard as a negative, I can usually find a positive. And if there’s that balance there, then it should be left to individuals to decide for themselves how to decide that balance.”

Finally, since I often get accused of being some sort of nihilist in these debates, I want to make it clear that ethics should influence all these discussions, but I prefer that we not impose ethics in a heavy-handed, inflexible way through preemptive, proscriptive regulatory controls. It makes more sense to wait and see how things play out before regulating to address harms, once we figure out which ones are real. (See the second and third essays listed below for more on ethics and technological innovation.) But we absolutely need to be engaging in robust societal discussions about digital ethics, digital citizenship, privacy and security by design, and sensible online etiquette. I’ve spent a lifetime writing about the power of that approach in the context of online child safety and I think it is equally applicable for privacy and security-related matters. In particular, we need to talk to our kids and our future technologists and innovators about smarter digital habits that respect the safety, security, and privacy of others. Those conversations can help us chart a more sensible path forward without sacrificing the many benefits that accompany the ongoing technological revolution we are blessed to be experiencing today.

Additional Reading:

“Who Really Believes in ‘Permissionless Innovation’?” Technology Liberation Front, March 4, 2013.
“What Does It Mean to ‘Have a Conversation’ about a New Technology?” Technology Liberation Front, May 23, 2013.
“On the Line between Technology Ethics vs. Technology Policy,” Technology Liberation Front, August 1, 2013.
“Planning for Hypothetical Horribles in Tech Policy Debates,” Technology Liberation Front, August 6, 2013.
“Edith Ramirez’s ‘Big Data’ Speech: Privacy Concerns Prompt Precautionary Principle Thinking,” Technology Liberation Front, August 29, 2013.
“When It Comes to Information Control, Everybody Has a Pet Issue & Everyone Will Be Disappointed,” Technology Liberation Front, April 29, 2011.
“Copyright, Privacy, Property Rights & Information Control: Common Themes, Common Challenges,” Technology Liberation Front, April 10, 2012.
“Can We Adapt to the Internet of Things?” IAPP Privacy Perspectives, June 19, 2013.
“Why Do We Always Sell the Next Generation Short?” Forbes, January 8, 2012.
“The Six Things That Drive ‘Technopanics,’” Forbes, March 4, 2012.

CES 2014 Report: The Internet of Things Arrives, but Will Washington Welcome It?

Adam Thierer — Wed, 08 Jan 2014 21:15:26 +0000

With each booth I pass and presentation I listen to at the 2014 International Consumer Electronics Show (CES), it becomes increasingly evident that the “Internet of Things” era has arrived. In just a few short years, the Internet of Things (IoT) has gone from industry buzzword to marketplace reality. Countless new IoT devices are on display throughout the halls of the Las Vegas Convention Center this week, including various wearable technologies, smart appliances, remote monitoring services, autonomous vehicles, and much more.

This isn’t vaporware; these are devices or services that are already on the market or will launch shortly. Some will fail, of course, just as many other earlier technologies on display at past CES shows didn’t pan out. But many of these IoT technologies will succeed, driven by growing consumer demand for highly personalized, ubiquitous, and instantaneous services.

But will policymakers let the Internet of Things revolution continue or will they stop it dead in its tracks? Interestingly, not too many people out here in Vegas at the CES seem all that worried about the latter outcome. Indeed, what I find most striking about the conversation out here at CES this week versus the one about IoT that has been taking place in Washington over the past year is that there is a large and growing disconnect between consumers and policymakers about what the Internet of Things means for the future.

When every device has a sensor, a chip, and some sort of networking capability, amazing opportunities become available to consumers. And that’s what has them so excited and ready to embrace these new technologies. But those same capabilities are exactly what raise the blood pressure of many policymakers and policy activists who fear the safety, security, or privacy-related problems that might creep up in a world filled with such technologies.

But at least so far, most consumers don’t seem to share the same worries. Instead, they are too busy shouting “More, More, More!” IoT technologies have generated enormous interest and every projection I’ve seen so far shows that explosive growth can be expected across all classes of devices. ABI Research estimates that there are more than ten billion wirelessly connected devices in the market today and more than thirty billion devices expected by 2020. Last year Cisco projected that by 2020 thirty-seven billion intelligent things will be connected and communicating but has now apparently revised that estimate upward to 40 or 50 billion. Thus, we are well on the way to a world where “everyone and everything will be connected to the network.”

Yet, it remains unclear what the IoT public policy landscape will look like in coming years and what disposition lawmakers and regulators will adopt toward these new amazing new technologies. Two distinct policy disposition are clashing over what approach should govern the future of innovation in this space.

I discussed this tension during a CES panel this morning on “The Internet of Things and the Home of the Future.” It featured outstanding opening remarks by FTC Commissioner Maureen K. Ohlhausen, who made the case for regulatory humility and focusing on how these new technologies can empower individuals in important new ways. “The Internet has evolved in one generation from a network of electronically interlinked research facilities in the United States to one of the most dynamic forces in the global economy, in the process reshaping entire industries and even changing the way we interact on a personal level,” she noted. “And the Internet of Things offers the promise of even greater progress ahead for consumers and competition.” I strongly encourage you to read Commissioner Ohlhausen’s entire speech. It is terrific and sets exactly the right tone for these discussions.

After Commissioner Ohlhausen spoke, we had a panel discussion that was expertly moderated by tech policy guru Larry Downes and which included remarks from Robert M. McDowell (Hudson Institute), Jeff Hagins, (Smart Things), Robert Pepper (Cisco), Marc Rogers (Lookout), and me.

When I spoke, I described the future of the Internet of Things as a grand battle of two alternative worldviews: the “precautionary principle” and “permissionless innovation.” The “precautionary principle” refers to the belief that new innovations should be curtailed or disallowed until their developers can prove that they will not cause any harms to individuals, groups, specific entities, cultural norms, or various existing laws, norms, or traditions. The other worldview, “permissionless innovation,” refers to the notion that experimentation with new technologies and business models should generally be permitted by default. Unless a compelling case can be made that a new invention will bring serious harm to society, innovation should be allowed to continue unabated and problems, if they develop at all, can be addressed later.

I’ll soon be releasing a new eBook about this conflict of visions. The book will be called, “Permissionless Innovation: The Continuing Case for Comprehensive Technological Freedom” and it should be out in the next few weeks. In it, I will explain how precautionary principle thinking is increasingly creeping into modern information technology policy discussions, explain how that is dangerous and must be rejected, and argue that policymakers should instead unapologetically embrace and defend the permissionless innovation vision — not just for the Internet but also for all new classes of networked technologies and platforms.

This intellectual tension is already evident in debates over the Internet of Things. While we are still very early in this debate, we can expect rising calls for preemptive regulatory controls on IoT technologies based on various safety, security, and especially privacy rationales. If the precautionary principle mentality wins out and trumps the permissionless innovation ethos that has already powered the first wave of the digital revolution, it will have profound ramifications.

As I’ll note in my forthcoming eBook, preserving and extending the permissionless innovation ethos to the Internet of Things is not about “protecting corporate profits” or assisting any particular technology, industry sector, or set of innovators. Rather, preserving an environment in which permissionless innovation can flourish is about ensuring that individuals as both citizens and consumers continue to enjoy the myriad benefits that accompany an open, innovative information ecosystem. More profoundly, this general freedom to innovate is essential for powering the next great wave of industrial innovation and rejuvenating our dynamic, high-growth economy. Even more profoundly, this is about preserving social and economic freedom more generally while rejecting the central-planning mentality and methods that throughout history have stifled human progress and prosperity.

Safety, security, and privacy problems will continue to persist, of course, and we should work to find practical, “bottom-up” solutions to them. As I detail in my eBook, education and empowerment, social pressure, societal norms, voluntary self-regulation, transparency efforts, and targeted enforcement of existing legal norms (especially through the common law) are almost always superior to “top-down,” command-and-control regulatory edits and bureaucratic schemes of a “Mother, May I” (i.e., permissioned) nature. Preemptive technological controls of that sort would limit new innovation in this space and sacrifice the many benefits that will flow to consumers from continued experimentation.

Those who advocate precautionary regulatory approaches to the Internet of Things should think through to consequences of preemptively prohibiting technological innovation and realize that not everyone shares their same values, especially pertaining to privacy, which is a highly subjective concept that is often difficult to legislate around. We should instead find ways work with together to seek out those practical, bottom-up solutions that will help individuals, institutions, and society learn how to better cope with technological change over time. Using this approach, we can embrace our dynamic future together without doing permanent damage to our innovative minds and economy.

What’s at Stake with the FTC’s Internet of Things Workshop

Adam Thierer — Tue, 19 Nov 2013 01:57:13 +0000

Tomorrow, the Federal Trade Commission (FTC) will host an all-day workshop entitled, “Internet of Things: Privacy and Security in a Connected World.” [Detailed agenda here.] According to the FTC: “The workshop will focus on privacy and security issues related to increased connectivity for consumers, both in the home (including home automation, smart home appliances and connected devices), and when consumers are on the move (including health and fitness devices, personal devices, and cars).”

Where is the FTC heading on this front? This Politico story by Erin Mershon from last week offers some possible ideas. Yet, it still remains unclear whether this is just another inquiry into an exciting set of new technologies or if it is, as I worried in my recent comments to the FTC on this matter, “the beginning of a regulatory regime for a new set of information technologies that are still in their infancy.”

First, for those not familiar with the “Internet of Things,” this short new report from Daniel Castro & Jordan Misra of the Center for Data Innovation offers a good definition:

The “Internet of Things” refers to the concept that the Internet is no longer just a global network for people to communicate with one another using computers, but it is also a platform or devices to communicate electronically with the world around them. The result is a world that is alive with information as data flows from one device to another and is shared and reused for a multitude of purposes. Harnessing the potential of all of this data for economic and social good will be one of the primary challenges and opportunities of the coming decades.

The report continues on to offer a wide range of examples of new products and services that could fulfill this promise.

What I find somewhat worrying about the FTC’s sudden interest in the Internet of Things is that it opens to the door for some regulatory-minded critics to encourage preemptive controls on this exciting new wave of digital age innovation, based almost entirely on hypothetical worst-case scenarios they have conjured up. And plenty of those boogeyman scenarios are floating around already because the Internet of Things has created a potential perfect storm of four major information policy concerns: online safety, privacy, security, and even intellectual property issues. You can find concerned critics from each of those quarters already wringing their hands about what the Internet of Things means for their pet issues.

This is why in both my filing to the agency and in an upcoming eBook, I discuss the danger of letting “precautionary principle” reasoning trump the alternative paradigm of “permissionless innovation.” As I’ve explained here before as well in this longer law review article, the precautionary principle generally holds that, because a given new technology could pose some theoretical danger or risk in the future, public policies should control or limit the development of such innovations until their creators can prove that they won’t cause any harms.

The problem with letting such precautionary thinking guide policy is that it poses a serious threat to technological progress, economic entrepreneurialism, and human prosperity. Under an information policy regime guided at every turn by a precautionary principle, technological innovation would be impossible because of fear of the unknown; hypothetical worst-case scenarios would trump all other considerations. Social learning and economic opportunities become far less likely, perhaps even impossible, under such a regime. In practical terms, it means fewer services, lower quality goods, higher prices, diminished economic growth, and a decline in the overall standard of living.

For these reasons, to the maximum extent possible, the default position toward new forms of technological innovation should be innovation allowed. This policy norm is better captured in the well-known Internet ideal of “permissionless innovation,” or the general freedom to experiment and learn through trial-and-error experimentation.

Which leads back to the FTC workshop tomorrow. Which path will the agency head down? If the recent comments of FTC Chairwoman Edith Ramirez are any indication, there is certainly a healthy appetite for precautionary principle policymaking, at least as it pertains to “big data.” As I noted here in a critique of one of her recent speeches, Chairwoman Ramirez has offered “a rather succinct articulation of precautionary principle thinking as applied to modern data collection practices.”

She worried that “‘big data’ leads to the indiscriminate collection of personal information,” and that “the indiscriminate collection of data violates the First Commandment of data hygiene: Thou shall not collect and hold onto personal information unnecessary to an identified purpose. Keeping data on the offchance that it might prove useful is not consistent with privacy best practices,” she continued, and she went on to argue that “Information that is not collected in the first place can’t be misused” and then suggests a parade of horribles that will befall if such data collection is allowed at all. So, it would not be surprising to see her extend that sort of precautionary reasoning to the Internet of Things since all those fears would apply equally to it.

A better approach can be found in some remarks delivered by Ramirez’s fellow FTC Commissioner Maureen K. Ohlhausen. In an important speech last month entitled, “The Internet of Things and the FTC: Does Innovation Require Intervention?” Ohlhausen noted that, “The success of the Internet has in large part been driven by the freedom to experiment with different business models, the best of which have survived and thrived, even in the face of initial unfamiliarity and unease about the impact on consumers and competitors.” This reflects Ohlhausen’s general embrace of permissionless innovation reasoning and a rejection of the precautionary principle mindset articulated by FTC Chairwoman Ramirez.

More importantly, in her speech, Commissioner Ohlhausen went on to highlight another crucial point about why the precautionary mindset is dangerous when enshrined into laws or regulations. Put simply, many elites and regulatory advocates ignore regulator irrationality or regulatory ignorance. That is, they spend so much time focused on the supposed irrationality of consumers and their openness to persuasion or “manipulation” that they ignore the more concerning problem of the irrationality or ignorance of those who (incorrectly) believe they are always in the best position to solve every complex problem. Regulators simply do not possess the requisite knowledge to perfectly plan for every conceivable outcome. This is particularly true for information technology markets, which generally evolve much more rapidly than other sectors, and especially more rapidly that law itself.

That insight leads Ohlhausen to issue a wise word of caution to her fellow regulators:

It is [] vital that government officials, like myself, approach new technologies with a dose of regulatory humility, by working hard to educate ourselves and others about the innovation, understand its effects on consumers and the marketplace, identify benefits and likely harms, and, if harms do arise, consider whether existing laws and regulations are sufficient to address them, before assuming that new rules are required.

That is absolutely right and this again makes it clears how Commissioner Ohlhausen’s approach to technological innovation is consistent with the permissionless innovation approach while Chairwoman Ramirez’s is based on precautionary principle thinking. This conflict of visions dominates almost all policy debates over new technology today, even if it is not always on such vivid display as it is in this case.

This also makes it abundantly clear just what is at stake as the FTC embarks on its exploration of the Internet of Things. Will we continue to embrace and defend the philosophy that made America’s digital economy the envy of the world (i.e., “permissionless innovation”), or will we be paralyzed by fear of the unknown and hypothetical worst-case scenarios. As I have said here many times before, living in constant fear of such worst-case scenarios — and premising public policy upon them — means that best-cast scenarios will never come about.

So, stay tuned. The fight over the Internet of Things promises to be one of the most important public policy battles in the technology policy arena for many years to come.

This issue will be the focus of my forthcoming eBook, “Permissionless Innovation: The Continuing Case for Comprehensive Technological Freedom,” but until that is released, here are a few other recommended readings on the topic:

Blog posts:

“Who Really Believes in ‘Permissionless Innovation’?” Technology Liberation Front, March 4, 2013.
“What Does It Mean to ‘Have a Conversation’ about a New Technology?” Technology Liberation Front, May 23, 2013.
“Planning for Hypothetical Horribles in Tech Policy Debates,” Technology Liberation Front, August 6, 2013.
“On the Line between Technology Ethics vs. Technology Policy,” Technology Liberation Front, August 1, 2013.
“Edith Ramirez’s ‘Big Data’ Speech: Privacy Concerns Prompt Precautionary Principle Thinking,” Technology Liberation Front, August 29, 2013.
“When It Comes to Information Control, Everybody Has a Pet Issue & Everyone Will Be Disappointed,” Technology Liberation Front, April 29, 2011.
“Copyright, Privacy, Property Rights & Information Control: Common Themes, Common Challenges,” Technology Liberation Front, April 10, 2012.
“Can We Adapt to the Internet of Things?” IAPP Privacy Perspectives, June 19, 2013.

Testimony / Filings:

Senate Testimony on Privacy, Data Collection & Do Not Track, April 24, 2013
Comments of the Mercatus Center to the FTC in Privacy & Security Implications of the Internet of Things, May 31, 2013.
Comments of the Mercatus Center to FAA on commercial domestic drones (with Jerry Brito and Eli Dourado) , April 23, 2013.

Journal articles & book chapters:

“Technopanics, Threat Inflation, and the Danger of an Information Technology Precautionary Principle,” Minnesota Journal of Law, Science & Technology, Vol. 14, (2013): 309-386.
“The Pursuit of Privacy in a World Where Information Control Is Failing,” Harvard Journal of Law & Public Policy, Vol. 36, (2013): 409-455.
“A Framework for Benefit-Cost Analysis in Digital Privacy Debates ,” George Mason University Law Review, Vol. 20, No. 4 (Summer 2013): 1055-1105.