If you haven’t yet had the chance to check out the new Progress Forum, I encourage you to do so. It’s a discussion group for progress studies and all things related to it. The Forum is sponsored by The Roots of Progress. Even though the Forum is still in pre-launch phase, there are already many interesting threads worth checking out. I was my honor to contribute one of the first on the topic, “Where is ‘Progress Studies’ Going?” It’s an effort to sort through some of the questions and challenges facing the Progress Studies movement in terms of focus and philosophical grounding. I thought I would just reproduce the essay here, but I encourage you to jump over to the Progress Forum to engage in discussion about it, or the many other excellent discussions happening there on other issues.

________________

Where is “Progress Studies” Going? by Adam Thierer

What do we mean by “Progress Studies” and how can this field of study be advanced? I’ve been thinking about that question a lot since Patrick Collison and Tyler Cowen published their 2019 manifesto in  The Atlantic on why “We Need a New Science of Progress.” At present, there is no overarching “unified field theory” of what Progress Studies entails or what underpins it, and that may be holding up progress on Progress Studies. I recently attended an important conference on the “Moral Foundations of Progress Studies,” co-hosted by The Roots of Progress and the Salem Center at UT Austin, where I discovered that many others were grappling with these same issues.

While a broad range of people are interested in Progress Studies, their moral priors differ, sometimes significantly. For example, the UT Austin conference included scholars from diverse disciplines (philosophy, psychology, economics, political science, history, and others) whose thinking was rooted in different philosophical traditions (utilitarianism, effective altruism, individualism, and various hybrids). Everyone shared the goal of advancing human well-being, but participants had different conceptions of the moral foundations of well-being, and even some disagreement about what well-being meant in concrete terms. There were also differing perspectives about what the “studies” part of Progress Studies should entail. Specifically, does it include progress  advocacy, including the potential for specific policy recommendations?

Comprehension vs. Advocacy

Part of the confusion over the nature and goals of Progress Studies can be traced back to Collison and Cowen’s foundational essay. On one hand, their goal was progress  comprehension. “Progress itself is understudied,” Collison and Cowen argued. They lamented that “there is no broad-based intellectual movement focused on understanding the dynamics of progress.”

But Collison and Cowen went further. Their goal was not merely to inspire the development of a field of study that could give us a better understanding of the prerequisites of progress, but also to formulate a plan for advancing progress. They argued that “mere comprehension is not the goal,” and advocated for “the deeper goal of speeding it up.” They went on to say, “the implicit question is how scientists [and others]  should be acting” and that Progress Studies should be viewed as, “closer to medicine than biology: The goal is to treat, not merely to understand.” The presupposition here is that progress is important and that we need to take steps to get a lot more of it. Again, we can think of this part of Progress Studies as progress advocacy. And advocacy can entail both advocating for progress generally as well as specific types of policy advocacy.

This raises an interesting question we debated at the UT Austin conference: Can you study something and advocate for it at the same time? Some felt you really cannot separate them, while others believed that the broader questions about how progress has worked could be kept separate from any advocacy efforts. Of course, this same tension between comprehension and advocacy comes up in many other fields.

What Progress Studies Can Learn from STS

In this sense, Progress Studies might learn some important lessons by examining the older but loosely related field of Science and Technology Studies (STS). STS incorporates a wide variety of mostly “soft science” academic disciplines, such as law, philosophy, sociology, and anthropology. These scholars analyze the relationship between technology, society, culture, and politics.

One conclusion from studying STS is obvious: comprehension and advocacy frequently get blurred. Many of the STS scholars who engage in critical studies of the history of technology seamlessly transition into anti-technology advocates, even as many of them claim they are “just studying” the issues. As I’ve noted elsewhere:

When thinking about of technology, STS scholars commonly employ words like “anxiety,” “alienation,” “degradation,” and “discrimination.” Consequently, most of them suggest that the burden of proof lies squarely on scientists, engineers, and innovators to prove that their ideas and inventions will bring worth to society before they are deployed. In other words, STS scholars generally fall in the precautionary principle camp, and their policy prescriptions have grown increasingly radical over time.

Meanwhile, as I discussed in my latest book, many STS scholars describe themselves as “humanists” while implicitly suggesting that those who promote technological progress are somehow callous oafs who only care about the cold calculus of profit-seeking and creating shiny new gadgets we don’t need.

While some STS scholars continue to do important and largely objective work, many others routinely show their more radical leanings in books, essays, and social media posts. Most worrying is their newfound love of Luddism, as they spin revisionist histories of “Why Luddites Matter,” insisting that “There’s Nothing Wrong with Being a Luddite,” and that “I’m a Luddite. You Should Be One Too.” Neil Richards, a law professor and leading STS scholar declares bluntly on Twitter: “Less metaverse, less crypto, less disruptive innovation. More regulation, more ethics, more humanity.” In other words, public policy defaults should be set squarely to the Precautionary Principle and anyone opposed to that is unethical and anti-human. Taken to the extreme, STS scholars marry up this Luddite revisionism with the retrograde philosophy of “degrowth” and produce book chapters with titles like, “Methodological Luddism: A Concept for Tying Degrowth to the Assessment and Regulation of Technologies.”

The Progress Studies movement might consider framing its work as a response to the growing extremism of the STS movement. STS scholars have become so remarkably hostile to the very notion that science and technology are central to human advancement that the field might today better be labeled  Anti-Science & Technology Studies. Yet, these are the scholars that dominate many academic departments where students are learning about technological progress. Progress Studies scholars can push back against that radicalism and offer level-headed, empirical responses to it.

Ensuring A Big Tent 

To improve its chances of success, the Progress Studies movement should seek to broaden its appeal by avoiding a dogmatic party line on its moral foundations while ensuring that multiple disciplines and viewpoints are incorporated into it.

In terms of philosophical underpinnings, those interested in Progress Studies can take different approaches to the moral foundations of progress and human well-being. Many philosophers get frustrated when others fail to hammer out all the detailed nuances of the metaphysics, epistemology, and ethics of these matters. I understand that urge, but I’ve now spent over 30 years covering technology policy and have been constantly surprised about how many people can come together and agree on a broad set of principles about the importance of progress without sharing a common philosophical framework.

The same is true as it pertains to policy prescriptions. We need to ensure a “big tent” in this way, too. It is already the case that many people engaged in Progress Studies have very different perspectives on issues like intellectual property and industrial policy, for example. I have many friends on different sides of these issues. Importantly, there are not even clear sides on these issues but rather a very broad spectrum of viewpoints. Progress Studies scholars will likely always disagree on the finer points of both types of “IP” policy. Nonetheless, they can remain more unified in stressing the common goal of moving the needle on progress in a positive direction and highlighting the continuing importance of flexible experimentation with policies aimed at enhancing innovation and growth.

To the extent there is any litmus test for the Progress Studies movement, that’s it:  advancing opportunities for innovation and growth is paramount. Regardless of how one grounds their moral philosophy, or goes about constructing a theory of rights, many people can agree that granting humans the freedom to explore, experiment, and be entrepreneurial has important benefits for individuals, families, organizations, and entire nations. Openness to change is what unifies us. Stagnation and “steady state” thinking—and the Precautionary Principle-based policies that flow from such reasoning—are the enemy. 

Thus, the Progress Studies movement can focus on both studying progress and advancing it at the same time, even if some will devote more effort to one priority than the other. And we shouldn’t forget that these two objectives are reinforcing: Comprehension informs advocacy and vice-versa. Progress is a never-ending process of trial-and-error. It’s all about learning by doing. We try, we fail, we learn, and we try again. This is as true for the individuals attempting to make progress in the real-world as it is for scholars studying it and seeking to promote it.

Let us get on with this important work, regardless of what motivates us to do it.

This weekend, The Wall Street Journal ran my short letter to the editor entitled, “We Can Protect Children and Keep the Internet Free.” My letter was a response to columnist Peggy Noonan’s April 9 oped, “Can Anyone Tame Big Tech?” in which she proposed banning everyone under 18 from all social-media sites. She specifically singled out TikTok, Youtube, and Instagram and argued “You’re not allowed to drink at 14 or drive at 12; you can’t vote at 15. Isn’t there a public interest here?”

I briefly explained why Noonan’s proposal is neither practical nor sensible, noting how it:

would turn every kid into an instant criminal for seeking access to information and culture on the dominant medium of their generation. I wonder how she would have felt about adults proposing to ban all kids from listening to TV or radio during her youth. Let’s work to empower parents to help them guide their children’s digital experiences. Better online-safety and media-literacy efforts can prepare kids for a hyperconnected future. We can find workable solutions that wouldn’t usher in unprecedented government control of speech.

Let me elaborate just a bit because this was the focus of much of my writing a decade ago, including my book, Parental Controls & Online Child Protection: A Survey of Tools & Methods, which spanned several editions. Online child safety is a matter I take seriously and the concerns that Noonan raised in her oped have been heard repeatedly since the earliest days of the Internet. Regulatory efforts were immediately tried. They focused on restricting underage access to objectionable online content (as well as video games), but were immediately challenged and struck down as unconstitutionally overbroad restrictions on free speech and a violation of the First Amendment of the U.S. Constitution.

But practically speaking, most of these efforts were never going to work anyway. There was almost no way to bottle up all the content flowing in the modern information ecosystem without highly repressive regulation, and it was going to be nearly impossible to keep kids off the Internet altogether when it was the dominant communications and entertainment medium of their generation. The first instinct of every moral panic wave–from the waltz to comic books to rock or rap music to video games–has often been to take the easy way out by proposing sweeping bans on all access by kids to the content or platforms of their generation. It never works.

Nor should it. There is a huge amount of entirely beneficial speech, content, and communications that kids would be denied by such sweeping bans. That would make such ban highly counter-productive. But, again, usually such efforts just were not practically enforceable because kids are often better at the cat-and-mouse game than adults give them credit for. Moreover, imposing age limitations of speech or content are far more difficult than age-related bans on specific tangible products, like tobacco or other dangerous physical products.

Acknowledging these realities, most sensible people quickly move on from extreme proposals like flat bans of all kids using the popular media platforms and systems of the day. Over the past half century in the U.S., this has led to a flowering of more decentralized governance approach to kids and media that I have referred to as the “3E approach.” That stands for empowerment (of parents), education (of youth), and enforcement (of existing laws). The 3E approach includes a variety of mechanisms and approaches, including: self-regulatory codes, private content rating systems, a wide variety of different parental control technologies, and much more.

Over the past two decades, many multistakeholder initiatives and blue-ribbon commissions were created to address online safety issues in a holistic fashion. I summarized their conclusions in my 2009 report, “Five Online Safety Task Forces Agree: Education, Empowerment & Self-Regulation Are the Answer.” The crucial takeaway from all these task forces and commissions is that no silver-bullet solutions exist to hard problems. Child safety demands a vigilant but adaptive approach, rooted in a variety of best practices, educational approaches, and technological empowerment solutions to address various safety concerns. Digital literacy is particularly crucial to building wiser, more resilient kids and adults, who can work together to find constructive approaches to hard problems.

Importantly, our task here is never done. This is an ongoing and evolving process. Issues like underage access to pornography or violent content have been with us for a very long time and will never be completely “solved.” We must constantly work to improve existing online safety mechanisms while also devising new solutions for our rapidly evolving information ecosystem. Nothing should be off the table except the one solution that Noonan suggested in her essay. Just proposing outright bans on kids on social media or any other new media platform (VR will be next) is an unworkable and illogical response that we should dismiss fairly quickly. No matter how well-intentioned such proposals may be, moral panic-induced prohibitions on kids and media ultimately are not going to help them learn to live better, safer, and more enriching lives in the new media ecosystems of today or the future. We can do better.

In an amazing new MIT Technology Review piece, Antonio Regalado discusses how, “Some scientists are taking a DIY coronavirus vaccine, and nobody knows if it’s legal or if it works.” It is another powerful example of how “citizen-science” and medical self-experimentation (or “biohacking”) is increasingly being used to improve health outcomes, enhance human capabilities, or fight against deadly diseases like COVID. Regalado reports that:

Nearly 200 covid-19 vaccines are in development and some three dozen are at various stages of human testing. But in what appears to be the first “citizen science” vaccine initiative, Estep and at least 20 other researchers, technologists, or science enthusiasts, many connected to Harvard University and MIT, have volunteered as lab rats for a do-it-yourself inoculation against the coronavirus. They say it’s their only chance to become immune without waiting a year or more for a vaccine to be formally approved. Among those who’ve taken the DIY vaccine is George Church, the celebrity geneticist at Harvard University, who took two doses a week apart earlier this month. The doses were dropped in his mailbox and he mixed the ingredients himself.

Regalado notes that this is all happening despite legal and ethical questions:

By distributing directions and even supplies for a vaccine, though, the Radvac group is operating in a legal gray area. The US Food and Drug Administration (FDA) requires authorization to test novel drugs in the form of an investigational new drug approval. But the Radvac group did not ask the agency’s permission, nor did it get any ethics board to sign off on the plan.

Chapter 2 of my latest book (Evasive Entrepreneurs and the Future of Governance) features a discussion of DIY health efforts, citizen-science and biohacking. Average citizens are using new technological capabilities to address health needs, often beyond the confines of the law. Here’s the beginning of that discussion, which starts on p. 79 of the manuscript:

DIY health services and medical devices are on the rise thanks to the combined power of open-source software, 3D printers, cloud computing, and digital platforms that allow information sharing between individuals with specific health needs. Average citizens are using these new technologies to modify their bodies and abilities, often beyond the confines of the law. Welcome to the occasionally scary but oftentimes awe-inspiring world of biohacking. Biohackers are essentially “prosumers,” the term many used a decade ago to describe the way average citizens were taking advantage of new communications and computing technologies to become both producers and consumers of news, information, and entertainment. Pro-sumers evaded traditional industry norms and government regulations that had previously made it difficult for citizens to communicate freely. The same phenomenon is now shaking up the world of health and medicine as pro-sumers use new technological capabilities to take their health into their own hands and likely evade many traditional norms and regulations when doing so.

In other words, we can’t just put the genie back in the bottle with sweeping, repressive regulatory controls. Here’s an essay that Jordan Reimschisel and I wrote last year on “Biohacking, Democratized Medicine, and Health Policy” highlighting the many thorny policy issues in play here, as well as possible governance responses.

In another essay, Jordan and I argued that one of the most important and constructive policy responses would be stepped-up risk education and health literacy initiatives. We need constructive approaches to citizen-science and biohacking to make sure we address serious risks but simultaneously avoid blocking beneficial forms of health and medical innovation that our country desperately needs, especially at this time.

–Coauthored with Mercatus MA Fellow Jessie McBirney

Flat standardized test scores, low college completion rates, and rising student debt has led many to question the bachelor’s degree as the universal ticket to the middle class. Now, bureaucrats are turning to the job market for new ideas. The result is a renewed enthusiasm for Career and Technical Education (CTE), which aims to “prepare students for success in the workforce.” Every high school student stands to benefit from a fun, rigorous, skills-based class, but the latest reauthorization of the Carl D. Perkins Act, which governs CTE at the federal level, betrays a faulty economic theory behind the initiative.

Modern CTE is more than a rebranding of yesterday’s vocational programs, which earned a reputation as “dumping grounds” for struggling students and, unfortunately, minorities. Today, CTE classes aim to be academically rigorous and cover career pathways ranging from manufacturing to Information Technology and STEM (science, technology, engineering, and mathematics). Most high school CTE occurs at traditional public schools, where students take a few career-specific classes alongside their core requirements.

In addition to building skepticism toward “college for everyone,” researchers have identified a “skills gap” between what employers want and the skills job-seekers offer. STEM training is a particularly trendy solution. Trump recently signed a presidential memo expanding the National Science Foundation’s STEM education initiatives and Virginia established a STEM Education Commission last year. With its many pathways, local customizability, and promise of immediate income upon graduation, CTE feels like a practical answer for young people and the economy.

As recent changes to the Perkins Act suggest, “alignment” between CTE courses and labor markets is a growing concern. Now, programs applying for federal funds must conduct a “local needs assessment” to ensure their course offerings align with local labor markets. One recent study attempted an early measure of this alignment in several metropolitan areas. Findings are mixed, but the quest for alignment itself shows how hope in career training programs has exceeded good economic sense.

Consider some of the phrases found in states’ CTE mission statements:

“…to prepare students for in-demand, high-skilled, and high-waged jobs.” (MD)

“…relevant experiences leading to purposeful and economically viable careers.” (AZ)

“…meeting the commonwealth’s need for well-trained workers.” (VA)

The desire to parse out an economy and plan accordingly is not new, but there are limits to predicting in-demand skills and future jobs. Friedrich Hayek conceives of the market not as a math problem to deconstruct but as a “discovery procedure.” The market changes, rapidly and unexpectedly, based on information identified only along the way. It is the cumulative and dynamic result of thousands of individual plans coordinating through prices and wages. Thus, a central authority could never collect enough information to make accurate predictions about market outcomes. Aiming at a particular social or economic goal—such as fixing a list of gaps in the labor market—will likely fall short of another outcome we didn’t even consider.

For this reason, Hayek explains in his Constitution of Liberty, flourishing societies must be economically and politically free, and public education should be offered to the extent that it nurtures the independent citizens that a free society requires. Education oriented toward a particular vocational end shortchanges the student. Hayek explains:

“We are not educating people for a free society if we train technicians who expect to be ‘used,’ who are incapable of finding their proper niche themselves … All that a free society has to offer is an opportunity of searching for a suitable position, with all the attendant risk and uncertainty which such a search for a market for one’s gifts must involve.”

(Hayek 1960, 144-45).

Picking training goals for a student body is no guarantee of long term success, and may block even better outcomes. It is no accident that Hayek does not count increased earning potential or national economic strength among the reasons to publicly subsidize education. Instead, he favors general education and literacy for social cohesion and democratic participation. Rising wages for high-demand skills should entice students into sparse job markets without extra encouragement from school programs.

Hayek is not alone in his insistence that individuals are in the best position to choose and experiment with their professions. In The Wealth of Nations, Adam Smith recognizes,

“In  a society where things were left to follow their natural course, where there was perfect liberty, and where every man was perfectly free both to choose what occupation he thought proper, and to change it as often as he thought proper […] every man’s interest would prompt him to seek the advantageous, and to shun the disadvantageous employment.”

(Smith 1776, 151)

Rather than encourage programs to narrowly direct CTE training towards local “needs,” the federal government should focus on clearing barriers to entry into those professions. It can preempt state occupational licensing laws for opticians and interior designers, among other professions. States can follow the lead of Arizona and recognize out-of-state occupational licenses.

It is worth noting that CTE advocates are not attempting to plan the American economy one web-design class at a time. High schoolers earn only 12 percent of their credits from CTE, and some of the most prominent proponents recognize the challenges a changing economy poses. But the language we use will shape our goals over time. Requiring districts to consider “labor market alignment” in their annual CTE budgets is exactly the choosing between different kinds of education Hayek cautions against. Today’s alignment can be tomorrow’s stagnation.

This is not to deny the academic and personal benefits of taking CTE classes. Teenagers who do are more likely to graduate high school, to get a job, and to earn higher wages right away. Other studies suggest non-academic benefits like increased attendance. It makes intuitive sense that students would welcome non-traditional learning opportunities to break up their daily studies, and that their high school experience would be better for it. But by insisting CTE programs be training for certain job categories, we may be selling students short.

In a new essay for the Mercatus Bridge, I ask, “How Many Lives Are Lost Due to the Precautionary Principle?” The essay builds on two recent case studies of how the precautionary principle can result in unnecessary suffering and deaths. The first case study involves the Japanese government’s decision in 2011 to entirely abandon nuclear energy following the Fukushima Daiichi nuclear accident. The second involves Golden Rice, a form of rice that was genetically engineered to contain beta-carotene, which helps combat vitamin A deficiency. Anti-GMO resistance among environmental activists and regulatory officials held up the diffusion of this miracle food. New reports and books now document how these precautionary decisions diminished human welfare instead of improving it. I encourage you to jump over to the Bridge and read the entire story.

I concluded the essay by noting that, “It is time to reject the simplistic logic of the precautionary principle and move toward a more rational, balanced approach to the governance of technologies. Our lives and well-being depend upon it.” Some read that as a complete rejection of  all preemptive regulation. I certainly was not arguing that, so let me clarify a few things.

There are, of course, “hard” and “soft” variants of the precautionary principle (PP). In my new essay, I am mostly focused on the very hardest variety (of a prohibitionary nature). They are the most concerning because they completely foreclose all future experimentation with new and better ways of doing things. In a section of my last book entitled, “When Does Precaution Make Sense?” I noted that outright bans on new goods and services are justified when the risk being evaluated can be shown to be highly probably, tangible, immediate, irreversible, and potentially catastrophic in nature. [See this essay for more on this point, including that entire section of my book reprinted as an appendix.]

However, “existential” risks are open to interpretation and far rarer than some suggest. Governments justly restrict the possession of uranium and bazookas and such grounds, but it would be imprudent to ban the development of all new AI technologies on the theory that one day we might get a Terminator scenario if we don’t.

Softer PP varieties of a permitting nature (such as FAA and FDA permitting regimes) are somewhat easier to justify because they at least leave the door open for some innovation, albeit after significant delay. It is impossible in advance to determine exactly how many lives are saved or lost because of long regulatory review processes, but some new products (such as large aircraft or pharmaceuticals) obviously deserve greater scrutiny because of the potential for adverse and catastrophic outcomes without some degree of initial oversight.

However, taken to the extreme and applied in too rigid of a fashion, even softer varieties of the PP can result in unnecessary suffering and deaths. Slowing experiments with potentially new and better ways of doing things means we are stuck with a status quo that can be sub-optimal, even deadly in its own right.

All roads lead back to improved benefit-cost analysis, better risk modeling, constant retrospective review, and stepped-up risk education/communication efforts. But the over-zealous and unthinking application of the PP shuts down that process almost entirely and forecloses any sort of policy or market experimentation. Flexibility, adaptability, and humility in policymaking are crucial to avoid policy errors.

Toward that end, as I noted in my last law review article, newer “soft law” governance tools offer us the chance to craft superior governance frameworks for existing and emerging technologies. Multistakeholder processes, agency guidances, collaborative best practices, and various other informal governance mechanisms are often better suited to address fast-moving sectors and technologies. In my next book, I argue that this is even true for many “existential risk” scenarios that people fear today. Preemptive controls – including some of a precautionary nature – will still be needed in many circumstances. (Genetic editing will be one such candidate). But we must still guard against overreaction and excessive control of technologies that have the potential to fundamentally improve human well-being.

In sum, trial-and-error is valuable both in the marketplace and in government policymaking settings. The fundamental problem with the precautionary principle is that is ends all such trial-and-error experimentation, including within regulatory regimes themselves! Greater flexibility is needed to ensure that public policy can more accurately balance risk and benefits and improve human well-being as a result. But the precautionary principle will almost never achieve that. We need more open, adaptive, and entrepreneurial governance mechanisms to achieve superior public health outcomes.

My next book, due out in April 2020, does a deeper dive into these issues. Stay tuned for more.

[originally posted on Medium ]

Today is the anniversary of the day the machines took over.

Exactly twenty years ago today, on May 11, 1997, the great chess grandmaster Garry Kasparov became the first chess world champion to lose a match to a supercomputer. His battle with IBM’s “Deep Blue” was a highly-publicized media spectacle, and when he lost Game 6 of his match against the machine, it shocked the world.

At the time, Kasparov was bitter about the loss and even expressed suspicions about how Deep Blue’s team of human programmers and chess consultants might have tipped the match in favor of machine over man. Although he still wonders about how things went down behind the scenes during the match, Kasparov is no longer as sore as he once was about losing to Deep Blue. Instead, Kasparov has built on his experience that fateful week in 1997 and learned how he and others can benefit from it.

The result of this evolution in his thinking is Deep Thinking: Where Machine Intelligence Ends and Human Creativity Begins, a book which serves as a paean to human resiliency and our collective ability as a species to adapt in the face of technological disruption, no matter how turbulent.

Kasparov’s book serves as the perfect antidote to the prevailing gloom-and-doom narrative in modern writing about artificial intelligence (AI) and smart machines. His message is one of hope and rational optimism about future in which we won’t be racing against the machines but rather running alongside them and benefiting in the process.

Overcoming the Technopanic Mentality

There is certainly no shortage of books and articles being written today about AI, robotics, and intelligent machines. The tone of most of these tracts is extraordinarily pessimistic. Each page is usually dripping with dystopian dread and decrying a future in which humanity is essentially doomed.

As I noted in a recent essay about “The Growing AI Technopanic,” after reading through most of these books and articles, one is left to believe that in the future: “Either nefarious-minded robots enslave us or kill us, or AI systems treacherously trick us, or at a minimum turn our brains to mush.” These pessimistic perspectives are clearly on display within the realm of fiction, where every sci-fi book, movie, or TV show depicts humanity as certain losers in the proverbial “race” against machines. But such lugubrious lamentations are equally prevalent within the pages of many non-fiction books, academic papers, editorials, and journalistic articles.

Given the predominantly panicky narrative surrounding the age of smart machines, Kasparov’s Deep Thinking serves as a welcome breath of fresh air. The aim of his book is finding ways of “doing a smarter job of humans and machines working together” to improve well-being.

Chess fans will enjoy Kasparov’s overview of the history of the game as well as his discussion of how the development of computing and smart machines has been intermingled with chess for many decades now. They will also appreciate his detailed postmortem of his losing battle with Deep Blue, which makes up the meat of the middle of the book. But what is important about the book is the way Kasparov draws out lessons about how the game of chess and chess players themselves have adapted to the rise of smart machines over time — just as he had to following his historic loss to Deep Blue.

Kasparov begins by noting that the growing panic over machine-learning and AI is unwarranted, but in another sense entirely unsurprising. He correctly observes that, “doomsaying has always been a popular pastime when it comes to new technology” and that, “With every new encroachment of machines, the voices of panic and doubt are heard, and they are only getting louder today.”

Fears of sectoral disruptions and job displacements are nothing new, of course, and many of them have even proven legitimate, Kasparov notes. He discusses “a pattern that has repeated over and over for centuries,” in which humans initially scoffed at the idea of machines being able to compete with them. “Eventually we have had to concede that there is no physical labor that couldn’t be replicated, or mechanically surpassed.” That includes the game of chess, where smart machines are now superior to the world’s best players.

But that doesn’t mean we can or should stop the progression of machine intelligence, he says, because the history of humanity is fundamentally tied up with the never-ending process of technological improvements and the gradual assimilation of new tools into our lives, jobs, and economy. He argues:

“Every profession will eventually feel this pressure, and it must, or else it will mean humanity has ceased to make progress. We can either see these changes as a robotic hand closing around our necks or one that can lift us up higher than we can reach on our own, as has always been the case. Romanticizing the loss of jobs to technology is little better than complaining that antibiotics put too many grave diggers out of work.”

That is why it is essential, Kasparov argues, that we not waste time trying to avoid these changes altogether. He regards the very idea of it as an exercise in futility. “Fighting to thwart the impact of machine intelligence is like lobbying against electricity or rockets,” he says. Instead, he argues, we must look to adapt, and do so quickly.

Adaptation, Resiliency & Risk-Taking

In that sense, Kasparov suggests that there are lessons for us in the history of chess as well as from his own experience competing against Deep Blue. He notes that his match against IBM’s supercomputer, “was symbolic of how we are in a strange competition both with and against our creation in more ways every day.”

Instead of just throwing our hands up in the air in frustration, we must be willing to embrace the new and unknown — especially AI and machine-learning. “Each of us has a choice to make: to embrace these new challenges, or to resist them.” His consistent plea throughout the book is to not give into to our worst fears, but instead to embrace these new technological challenges with a willingness to try new ways of doing things. “No matter how many people are worried about jobs, or the social structure, or killer machines, we can never go back,” he concludes.

On that point, my favorite passage in his book comes early in a short chapter about the history of chess. Kasparov’s sagacious advice is worth quoting at length:

“The willingness to keep trying new things — different methods, uncomfortable tasks — when you are already an expert at something is what separates good from great. Focusing on your strengths is required for peak performance, but improving your weaknesses has the potential for the greatest gains. This is true for athletes, executives, and entire companies. Leaving your comfort zone involves risk, however, and when you are already doing well the temptation to stick with the status quo can be overwhelming, leading to stagnation.”

Societal attitudes toward risk-taking and disruption matter profoundly in this regard because “our perspective on disruption affects how well prepared for it we will be” for the future. Again, the lessons from the world of chess are clear: “How professional chess changed when computers and databases arrived is a useful metaphor for how new technology is adopted across industries and societies in general.” For modern chess players, “it was a matter of adapting to survive,” he argues. “Those who quickly mastered the new methods thrived; the few who didn’t mostly dropped down the rating lists.”

 

Disrupting Education

Kasparov is particularly concerned about how a deep underlying conservatism and resistance to experimentation has become a chronic problem within the traditional educational system. “The prevailing attitude is that education is too important to take risks. My response is that education is too important not to take risks,” he says.

He again returns to the world of chess and he speaks with excitement about the ways in which young chess prodigies are tapping computers and sophisticated programs to supplement their skill-building. They do this, Kasparov says, even though they often receive little encouragement from the older guard, who often still resist the new methods of learning. “We need to find out what works and the only way to do that is to experiment,” he argues. “The kids can handle it. They are already doing it on their own. It’s the adults who are afraid.”

He’s also bullish on the globalization of these trends and the way in which “technology will enable people from all over the world to become entrepreneurs, or scientists, or anything they want despite where they live.” Kasparov believes this is already happening within the global chess community as new computing technologies help players everywhere raise the level of their skills. “Kids are capable of learning far more, far faster, than tradition educational methods allow for,” he argues. “They are already doing it mostly on their own, living and playing in a far more complex environment than the one their parents grew up in.”

Problems Ahead

Kasparov isn’t blind to the potential problems associated with new technologies, including AI and algorithmic systems. The potential for privacy violations represents one of the major concerns related to our powerful new technological capabilities. “There are countless privacy issues to be negotiated anytime [personal] data is accessed, of course, and that trade-off will continue to be one of the main battlefields of the AI revolution.”

Kasparov says he is “glad privacy advocates are on the job, especially regarding the powers of the government,” yet he also senses that we are our own worst enemies because new digital technologies and AI-enabled systems “will continue to make the benefits of sharing our data practically irresistible.” “Utility always wins,” he argues, and even if one country seeks to clamp down on innovation, others will welcome it. “When the results come back and show that the economic and health benefits are tremendous, the floodgates will open everywhere.”

He is probably right. After all, as I have noted in recent essays, we increasingly live in a world where “global innovation arbitrage” — i.e., the increasingly frictionless movement of innovations to jurisdictions that provide a legal and regulatory environment more hospitable to entrepreneurial activity — is increasingly easy. We already know how challenging it is to control data flows in the age of the Internet, smartphones, and social media. But the combination of more sophisticated forms of machine-learning and the rise of innovation arbitrage opportunities means that formidable challenges lie ahead in terms of digital privacy and cybersecurity.

Other ethical issues will need to be worked out over time, but it is important not to imbue new AI technologies or automated systems with too much moral weight right out of the gates. “Our technology is not concerned about good or evil. It is agnostic,” Kasparov correctly notes. The real question, he says, is how we ourselves put our tools to use. “The ethics are in how we humans use it, not whether we should build it.”

Humility about the Future

Despite some concerns such as these, Kasparov is generally quite bullish about the future of humanity in an age of smart machines. Again, his core message is that, “going backwards isn’t an option” and that “it is almost always better to start looking for alternatives and how to advance the change into something better instead of trying to fight it and hold on to the dying status quo.”

He agrees with many other pundits that new skills and jobs will be needed going forward, but admits they aren’t always easy to plan for in advance. As Yogi Berra once famously said, “It’s tough to make predictions, especially about the future.” Indeed, as I pointed out in the most recent edition of my book Permissionless Innovation, when one looks back at official government labor market studies and forecasts from the 1970s and 1980s, you are struck by the way in which policymakers didn’t even have a vocabulary to describe the jobs and skills of the present. For example, you find no mention in past reports of some of today’s hottest jobs, such as software engineers and architects, UX designers, database scientists and administrators, and so on.

On one hand, therefore, pessimistic pundits and policymakers regularly underestimate the adaptability of workers and the evolution of new skills and professions. On the other hand, they make an equally egregious mistake when they overestimate the impact of technological change on many sectors and professions, or suggest that mass unemployment is just around the corner unless we slow automation down.

Just this week, the Information Technology and Innovation Foundation released a new report on the impact of technological disruption in the U.S. labor market from 1850 to present and decried the “false alarmism” often on display in debates about current and future skills and professions. “Labor market disruption is not abnormally high,” conclude authors Robert D. Atkinson and John Wu, but instead, “it’s occurring at its lowest rate since the Civil War.”

We’ve been through more turbulent labor market disruptions in the past and weathered the storm. Chances are we will do so again, so long as we embrace the potential for that change to improve our lives and economy in the long-term. “In fact,” conclude Atkinson and Wu, “the single biggest economic challenge facing advanced economies today is not too much labor market churn, but too little, and thus too little productivity growth.” This is consistent with Kasparov’s repeated call in Deep Thinking for us not to give in to our fears about a highly uncertain future but to instead embrace its potential. “Our machines will continue to make us healthier and richer as we use them wisely,” he says, while adding, “They will also make us smarter.”

Learning by Doing

What Kasparov is really doing throughout the book is making the case for building human and institutional resiliency through a constant willingness to experiment and learn through trial and error. It is certainly true that many of today’s skillsets, professions, and business models will be challenged by the rise of smarter machines and algorithmic learning. Defeatism in the face of that prospect, however, isn’t the answer; adaptation is.

Boston University economist James Bessen wrote about this process in his new book, Learning by Doing. Bessen argued that periods of profound technological change require a willingness by workers, businesses, and other institutions to adjust to new marketplace realities. For progress to occur, large numbers of ordinary workers must acquire new knowledge and skills. However, “that is a slow and difficult process, and history suggests that it often requires social changes supported by accommodating institutions and culture,” Bessen notes.

Luckily, history also suggests that we have been through this process many times before and can get through it again — and raise the standard of living for workers and average citizens alike over the long-run. The crucial part of that process is a general willingness to continue to experiment with new ways of doing things — i.e., learning by doing — and understanding that new skills and professions will emerge from all that process.

That is essentially the same point Kasparov makes in Deep Thinking. As he summarized in a new podcast conversation with Tyler Cowen:

“There will be redistribution of jobs. Many jobs today — like drone operators or 3D printer managers or social media managers — they didn’t exist 10 years ago, 15 years ago. No doubt in 10, 15 years, there will be many jobs, maybe the best-paid jobs, that don’t exist today, and we don’t even know how these jobs will look. I think that’s natural. All we have to do is realize that this process is inevitable, and we have to prepare us mentally, but also to have some sort of safety cushions to help people that will have great difficulty in adjusting.”

What about more specific public policy solutions? Considering the unclear future that lies ahead, flexibility and plenty of policy experimentation will be crucial to finding and unlocking new methods that could help us cope and adapt in the new world. “The problem comes when the government is inhibiting innovation with overregulation and short-sighted policy,” Kasparov says. Trade wars and restrictive immigration policies won’t help matters either, he argues, because they “will limit America’s ability to attract the best and brightest minds.” Hopefully the Trump Administration is listening to his advice in this regard.

AI skeptics and other technology critics will lament Kasparov’s lack of greater detail and the absence of a more precise blueprint for helping workers and institutions navigate an uncertain future. But, again, the entire point of Kasparov’s book is that there is enormous value in the very act of confronting those new challenges, learning through trial-and-error(including the many accompanying failures), and “muddling through” over time.

Much like looking out over the chessboard and pondering the wisdom of our next move, we cannot be frozen into inaction because of fear. We must be willing to make that next move. And then another, and another. And then we must learn from our experiences, and especially our mistakes, if we hope to prosper. “To keep ahead of the machines, we must not try to slow them down because that slows us down as well,” Kasparov concludes in his closing chapter. “We must speed them up. We must give them, and ourselves, plenty of room to grow. We must go forward, outward, and upward.”

Wise advice from the greatest of all grandmasters.

In theory, the Food & Drug Administration (FDA) exists to save lives and improve health outcomes. All too often, however, that goal is hindered by the agency’s highly bureaucratic, top-down, command-and-control orientation toward drug and medical device approval.

Today’s case in point involves families of children with diabetes, many of whom are increasingly frustrated with the FDA’s foot-dragging when it comes to approval of medical devices that could help their kids. Writing today in The Wall Street Journal, Kate Linebaugh discusses how “Tech-Savvy Families Use Home-Built Diabetes Device” to help their kids when FDA regulations limit the availability of commercial options. She documents how families of diabetic children are taking matters into their own hands and creating their own home-crafted insulin pumps, which can automatically dose the proper amount of proper amount of the hormone in response to their child’s blood-sugar levels. Families are building, calibrating, and troubleshooting these devices on their own. And the movement is growing. Linebaugh reports that:

More than 50 people have soldered, tinkered and written software to make such devices for themselves or their children. The systems—known in the industry as artificial pancreases or closed loop systems—have been studied for decades, but improvements to sensor technology for real-time glucose monitoring have made them possible. The Food and Drug Administration has made approving such devices a priority and several companies are working on them. But the yearslong process of commercial development and regulatory approval is longer than many patients want, and some are technologically savvy enough to do it on their own.

Linebaugh notes that this particular home-built medical project (known as OpenAPS), was created by Dana Lewis, a 27-year-old with Type 1 diabetes in Seattle. Linebaugh says that:

Ms. Lewis began using the system in December 2014 as a sort of self-experiment. After months of tweeting about it, she attracted others who wanted what she had. The only restriction of the project is users have to put the system together on their own. Ms. Lewis and other users offer advice, but it is each one’s responsibility to know how to troubleshoot. A Bay Area cardiologist is teaching himself software programming to build one for his 1-year-old daughter who was diagnosed in March.

In essence, these individuals and families are engaging in a variant of the sort of decentralized “biohacking” that is becoming increasingly prevalent in society today. As I discussed in a recent law review article, biohacking refers to the efforts of average citizens (often working together in a decentralized fashion) to enhance various human capabilities. This can include implanting things inside one’s body or using external devices to supplement one’s abilities or to address health-related issues.

I documented other examples of this trend in my essays on average citizens making 3D-printed prosthetics (The Right to Try, 3D Printing, the Costs of Technological Control & the Future of the FDA) as well as retainers (“In a World Where Kids Can 3D-Print Their Own Retainers, What Should Regulators Do?”) As “software eats the world” and allows for this sort of democratized medical self-experimentation, more and more citizens are likely going to be engaging in biohacking. In the process, they will often be doing an end-around the FDA and its complex maze of regulatory restrictions on health innovation.

Stated more provocatively, thanks to new technological capabilities and networking platforms, the public may increasingly enjoy a de facto “right to try” for many new medical devices and treatments. Technological innovation will decentralize and democratize medical decisions even when the legal status of such actions is unclear or even flatly illegal.

But is a world of increasingly decentralized, democratized, and such highly personalized medicine actually safe? Well, all risk is relative and as I discussed extensively in my recent book and other work on innovation policy, sometimes the greatest risk of all is the refusal to take any risk to begin with. If you disallow or limit efforts to engage in certain risky endeavours, ultimately, you could end up doing more harm because there can be no reward without a corresponding amount of risk-taking. It is only through constant trial and error experimentation that we find new and better ways of doing things. That is particularly true as it pertains to life-enriching or even life-saving medical treatments. While the FDA likes to think that its hyper-cautious approach to medical drug and device approval ultimately saves lives, in the aggregate, we have no idea how many lives are actually being lost (or how much pain and suffering is occurring) due to FDA prohibitions on our freedom to experiment with new products and services.

One of the parents Linebaugh interviewed for her story made the following remark: “Diabetes is dangerous anyway. Insulin is dangerous. I think what we are doing is actually improving that and lowering the risk.” That is exactly right. This father understands the reality of risk trade-offs. There are certainly risks associated with what these families are doing for their children. But these families also have a very palpable sense of the opposite problem: There is a profound and immediate risk of doing nothing and waiting for the FDA to finally get around to approving the devices that their children need  right now.

All this raises another interesting policy question: Why is it legal for these parents to engage in this sort of medical self-experimentation–experimentation on their children, no less!–while it remains flatly illegal for any commercial operator to offer similar products that could help these families? Many modern regulatory regimes accord differential treatment to commercial activities. Non-commercial versions of some activities are left alone, but as soon as commercial opportunities arise, policymakers seek to apply regulation.

Does this sort of commercial vs. non-commercial regulatory asymmetry make any sense? As far as I can tell, this regulatory distinction is mostly rooted in the fact that deep-pocked commercial operators make easier targets for regulators to go after when compared to harassing average citizens.  Going after average citizens would be bad PR and a serious legal hassle as well because issues pertaining to personal autonomy or parental rights would likely be raised both in the court of public opinion and courts of law.

Regardless, let’s not kid ourselves into thinking that this regulatory distinction is rooted in safety considerations. After all, it is almost certainly the case that those commercial medical innovators are likely building safer products, made by medical professionals with years of experience. Moreover, commercial operators are more likely to carry insurance to address any problems that may develop, and they possess strong reputational incentives to be good market actors. Commercial operators have to maintain brand loyalty to earn new or repeat business, or perhaps just to avoid stiff legal liability that non-commercial operators might not face. 

In any event, one thing should be abundantly clear: If the FDA doesn’t change its ways, we can expect an increasing number of citizens to begin pursuing medical treatments outside the boundaries of the law (and potentially outside the realm of common sense). Many people want a right to try new devices and therapies, and in our modern networked world, they are increasingly going to get it whether regulators like it or not.

Lawmakers in Congress need to exercise better oversight of rogue agencies like the FDA, which face no serious penalties for the sort of endless regulatory foot-dragging that threatens public welfare. If the agency was required by Congress to improve its drug and device approval process, then perhaps fewer Americans would be forced to take matters into their own hands to begin with. Down below, I’ve included a few reports suggesting how we might get this much-needed reform process started.

Additional reading from Mercatus Center scholars:

• white paper: “US Medical Devices: Choices and Consequences,” by Richard Williams, Robert Graboyes & Adam Thierer
• white paper: “The Proper Role of the FDA for the 21st Century,” by Joseph V. Gulfo, Jason Briggeman, Ethan Roberts
• white paper: “How Productive Is the FDA’s Devices Program?” by Richard Williams, Jason Briggeman, Ethan Roberts
• special report: “From Fortress to Frontier: How Innovation Can Save Health Care,” by Robert Graboyes
• blog post: “The Right to Try, 3D Printing, the Costs of Technological Control & the Future of the FDA,” by Adam Thierer
• blog post: “In a World Where Kids Can 3D-Print Their Own Retainers, What Should Regulators Do?” by Adam Thierer

Wallach’s latest book is entitled, A Dangerous Master: How to Keep Technology from Slipping beyond Our Control. And, as I’ve noted here recently, the greatly expanded second edition of my latest book, Permissionless Innovation: The Continuing Case for Comprehensive Technological Freedom, has just been released.

Of all the books of technological criticism or skepticism that I’ve read in recent years—and I have read stacks of them!— A Dangerous Master is by far the most thoughtful and interesting. I have grown accustomed to major works of technological criticism being caustic, angry affairs. Most of them are just dripping with dystopian dread and a sense of utter exasperation and outright disgust at the pace of modern technological change.

Although he is certainly concerned about a wide variety of modern technologies—drones, robotics, nanotech, and more—Wallach isn’t a purveyor of the politics of panic. There are some moments in the book when he resorts to some hyperbolic rhetoric, such as when he frets about an impending “techstorm” and the potential, as the book’s title suggests, for technology to become a “dangerous master” of humanity. For the most part, however, his approach is deeper and more dispassionate than what is found in the leading tracts of other modern techno-critics.

Many Questions, Few Clear Answers

Wallach does a particularly good job framing the major questions about emerging technologies and their effect on society. “Navigating the future of technological possibilities is a hazardous venture,” he observes. “It begins with learning to ask the right questions—questions that reveal the pitfalls of inaction, and more importantly, the passageways available for plotting a course to a safe harbor.” (p. 7) Wallach then embarks on a 260+ page inquiry that bombards the reader with an astonishing litany of questions about the wisdom of various forms of technological innovation—both large and small. While I wasn’t about to start an exact count, I would say that the number of questions Wallach poses in the book runs well into the hundreds. In fact, many paragraphs of the book are nothing but an endless string of questions.

Thus, if there is a primary weakness with A Dangerous Master, it’s that Wallach spends so much time formulating such a long list of smart and nuanced questions that some readers may come away disappointed when they do not find equally satisfying answers. On the other hand, the lack of clear answers is also completely understandable because, as Wallach notes, there really are no simple answers to most of these questions.

Just Slow Down!

Moving on to substance, let me make clear where Wallach and I generally see eye-to-eye and where we part ways.

Generally speaking, we agree about the need to come up with better “soft governance” systems for emerging technologies, which might include multistakeholder process, developer codes of conduct, sectoral self-regulation, sensible liability rules, and so on. (More on those strategies in a moment.)

But while we both believe it is wise to consider how we might “bake-in” better ethics and norms into the process of technological development, Wallach seems much more inclined than me to expect that we will be able to pre-ordain (or potentially require?) all this happens before much of this experimentation and innovation actually moves forward. Wallach opens by asking:

Determining when to bow to the judgment of experts and whether to intervene in the deployment of a new technology is certainly not easy. How can government leaders or informed citizens effectively discern which fields of research are truly promising and which pose serious risks? Do we have the intelligence and means to mitigate the serious risks that can be anticipated? How should we prepare for unanticipated risks? (p. 6)

Again, many good questions here! But this really gets to the primary difference between Wallach’s preferred approach and my own: I tend to believe that many of these things can only be worked out through ongoing trial and error, the constant reformulation of the various norms that govern the process of innovation, and the development of sensible ex post solutions to some of the most difficult problems posed by turbulent technological change.

By contrast, Wallach’s generally attitude toward technological evolution is probably best summarized by the phrases: “Slow down!” and, “Let’s have a conversation about it first!” As he puts it in his own words: “Slowing down the accelerating adoption of technology should be done as a responsible means to ensure basic human safety and to support broadly shared values.” (p. 13)

But I tend to believe that it’s not always possible to preemptively determine which innovations to slow down, or even how to determine what those “shared values” are that will help us make this determination. More importantly, I worry that there are very serious potential risks and unintended consequences associated with slowing down many forms of technological innovation, which could improve human welfare in important ways. There can be no prosperity, after all, without a certain degree of risk-taking and disruption.

Getting Out Ahead of the Pacing Problem

Yet, what concerns Wallach most is the much-discussed issue from the field of the philosophy of technology, the so-called “pacing problem.” Wallach concisely defines the pacing problem as “the gap between the introduction of a new technology and the establishment of laws, regulations, and oversight mechanisms for shaping its safe development.” (p. 251) “There has always been a pacing problem,” he notes, but he is concerned that technological innovation—especially highly disruptive and potentially uncontrollable forms of innovation—is now accelerating at an absolutely unprecedented pace.

(Just as an aside for all the philosophy nerds out there…  Such a rigid belief in the “pacing problem” represents a techno-deterministic viewpoint that is, ironically, sometimes shared by technological skeptics like Wallach as well as technological optimists like Larry Downes and even many in the middle of this debate, like Vivek Wadhwa. See, for example, The Laws of Disruption by Downes and “Laws and Ethics Can’t Keep Pace with Technology” by Wadhwa. Although these scholars approach technology ethics and politics quite differently, they all seem to believe that the pace of modern technological change is so relentless as to almost be an unstoppable force of nature. I guess the moral of the story is that, to some extent, we’re all technological determinists now!)

Despite his repeated assertions that modern technologies are accelerating at such a potentially uncontrollable pace, Wallach nonetheless hopes we can achieve some semblance of control over emerging technologies before they reach a critical “inflection point.” In the study of history and science, an inflection point generally represents a moment when a situation and trend suddenly changes in a significant way and things begin moving rapidly in a new direction. These inflections points can sometimes develop quite abruptly, ushering in major changes by creating new social, economic, or political paradigms. As it relates to technology in particular, inflection points can refer to the moment with a particular technology achieves critical mass in terms of adoption or, more generally, to the time when that technology begins to profoundly transform the way individuals and institutions act.

Another related concept that Wallach discusses is the so-called “Collingridge dilemma,” which refers to the notion that it is difficult to put the genie back in the bottle once a given technology has reached a critical mass of public adoption or acceptance. The concept is named after David Collingridge, who wrote about this in his 1980 book, The Social Control of Technology. “The social consequences of a technology cannot be predicated early in the life of the technology,” Collingridge argued. “By the time undesirable consequences are discovered, however, the technology is often so much part of the whole economics and social fabric that its control is extremely difficult.”

On “Having a Discussion” & Coming Up with “a Broad Plan”

These related concepts of inflection points and the Collingridge dilemma constitute the operational baseline of Wallach’s worldview. “In weighing speedy development against long-term risks, speedy development wins,” he worries. “This is particularly true when the risks are uncertain and the perceived benefits great.” (p. 85)

Consequently, throughout his book, Wallach pleads with us to take what I will call Technological Time Outs. He says we need to pause at times so that we can have “a full public discussion” (p. 13) and make sure there is a “broad plan in place to manage our deployment of new technologies” (p. 19) to make sure that innovation happens only at “a humanly manageable pace” (p. 261) “to fortify the safety of people affected by unpredictable disruptions.” (p. 262) Wallach’s call for Technological Time Outs is rooted in his belief that “the accelerating pace [of modern technological innovation] undermines the quality of each of our lives.” (p. 263)

That is Wallach’s weakest assertion in the book and he doesn’t really offer much evidence to prove that the velocity of modern technological is hurting us rather than helping us, as many of us believe. Rather, he treats it as a widely accepted truism that necessitates some sort of collective effort to slow things down if the proverbial genie is about to exit the bottle, or to make sure those genies don’t get out of their bottles without a lot of preemptive planning regarding how they are to be released into the world. In the following passage on pg. 72, Wallach very succinctly summarizes his approach recommended throughout A Dangerous Master:

this book will champion the need for more upstream governance: more control over the way that potentially harmful technologies are developed or introduced into the larger society. Upstream management is certainly better than introducing regulations downstream, after a technology is deeply entrenched or something major has already gone wrong. Yet, even when we can access risks, there remain difficulties in recognizing when or determining how much control should be introduced. When does being precautionary make sense, and when is precaution an over-reaction to the risks? (p. 72)

Those who have read my Permissionless Innovation book will recall that I open by framing innovation policy debates in almost exactly the same way as Wallach suggests in that last line above. I argue in the first lines of my book that:

The central fault line in innovation policy debates today can be thought of as ‘the permission question.’  The permission question asks: Must the creators of new technologies seek the blessing of public officials before they develop and deploy their innovations? How that question is answered depends on the disposition one adopts toward new inventions and risk-taking, more generally.  Two conflicting attitudes are evident. One disposition is known as the ‘precautionary principle.’ Generally speaking, it refers to the belief that new innovations should be curtailed or disallowed until their developers can prove that they will not cause any harm to individuals, groups, specific entities, cultural norms, or various existing laws, norms, or traditions. The other vision can be labeled ‘permissionless innovation.’ It refers to the notion that experimentation with new technologies and business models should generally be permitted by default. Unless a compelling case can be made that a new invention will bring serious harm to society, innovation should be allowed to continue unabated and problems, if any develop, can be addressed later.

So, by contrasting these passages, you can see what I am setting up here is a clash of visions between what appears to be Wallach’s precautionary principle-based approach versus my own permissionless innovation-focused worldview.

How Much Formal Precaution?

But that would be a tad bit too simplistic because just a few paragraphs after Wallach makes the statement just above about “upstream management” being superior to ex post solutions formulated “after a technology is deeply entrenched,” Wallach begins slowly backing away from an overly-rigid approach to precautionary principle-based governance of technological processes and systems.

He admits, for example, that “precautionary measures in the form of regulations and governmental oversight can slow the development of research whose overall society impact will be beneficial,” (p. 26) and that can “be costly” and “slow innovation.” For countries, Wallach admits, this can have real consequences because “Countries with more stringent precautionary policies are at a competitive disadvantage to being the first to introduce a new tool or process.” (p. 74)

So, he’s willing to admit that what we might call a hard precautionary principle usually won’t be sensible or effective in practice, but he is far more open to soft precaution. But this is where real problems begin to develop with Wallach’s approach, and it presents us with a chance to turn the tables on him a bit and begin posing some serious questions about his vision for governing technology.

Much of what follows below are my miscellaneous ramblings about the current state of the intellectual dialogue about tech ethics and technological control efforts. I have discussed these issues at greater length in my new book as well as a series of essays here in past years, most notably: “On the Line between Technology Ethics vs. Technology Policy; “What Does It Mean to “Have a Conversation” about a New Technology?”; and, “Making Sure the “Trolley Problem” Doesn’t Derail Life-Saving Innovation.”

As I’ve argued in those and other essays, my biggest problem with modern technological criticism is that specifics are in scandalously short supply in this field! Indeed, I often find the lack of details in this arena to be utterly exasperating. Most modern technological criticism follows a simple formula:

TECHNOLOGY –>> POTENTIAL PROBLEMS –>> DO SOMETHING!

But almost all the details come in the discussion about the nature of the technology in question and the apparent many problems associated with it. Far, far less thought goes into the “DO SOMETHING!” part of the critics’ work. One reason for that is probably self-evident: There are no easy solutions. Wallach admits as much at many junctures throughout the book. But that doesn’t excuse the need for the critics to give us a more concrete blueprint for identifying and then potentially rectifying the supposed problems.

Of course, the other reason that many critics are short of specifics is because what they really mean when they quip how much we need to “have a conversation” about a new disruptive technology is that we need to have a conversation about stopping that technology.

Where Shall We Draw the Line between Hard and Soft Law?

But this is what I found most peculiar about Wallach’s book: He never really gives us a good standard by which to determine when we should look to hard governance (traditional top-down regulation) versus soft governance (more informal, bottom-up and non-regulatory approaches).

On one hand, he very much wants society to exercise greatly restraint and precaution when it comes to many of the technologies he and others worry about today. Again, he’s particularly concerned about the potential runaway development and use of drones, genetic editing, nanotech, robotics, and artificial intelligence. For at least one class of robotics—autonomous military robots—Wallach does call for immediate policy action in the form of an Executive Order to ban “killer” autonomous systems. (Incidentally, there’s also a major effort underway called the “Campaign to Stop Killer Robots” that aims to make such a ban part of international law through a multinational treaty.)

But Wallach also acknowledges the many trade-offs associated with efforts to preemptively controls on robotics and other technology. Perhaps for that reason, Wallach doesn’t develop a clear test for when the Precautionary Principle should be applied to new forms of innovation.

Clearly there are times when it is appropriate, although I believe it is only in an extremely narrow subset of cases. In the 2 ^nd Edition of my Permissionless Innovation book, I tried to offer a rough framework for when formal precautionary regulation (i.e., highly-restrictive policy defaults are necessary, such as operational restrictions, licensing requirements, research limitations, or even formal bans) might be necessary. I do not want to interrupt the flow of this review of Wallach’s book too much, so I have decided to just cut-and-paste that portion of Chapter 3 of my book (“When Does Precaution Make Sense?”) down below as an appendix to this essay.

The key takeaway of that passage from my book is that all of us who study innovation policy and the philosophy of technology—Wallach, myself, the whole darn movement—have done a remarkably poor job being specific about precisely when formal policy precaution is warranted. What is the test? All too often, we get lazy and apply what we might call an “I-Know-It-When-I-See-It” standard. Consider the possession of bazookas, tanks, and uranium. Almost all of us would agree that citizens should not be allowed to possess or use such things. Why? Well, it seems obvious, right? They just shouldn’t! But what is the exact standard we use to make that determination.

In coming years, I plan on spending a lot more time articulating a better test by which Precautionary Principle-based policies could be reasonably applied. Those who know me may be taken aback by what I just said. After all, I’ve spend many years explaining why Precautionary Principle-based thinking threatens human prosperity and should be rejected in the vast majority of cases. But that doesn’t excuse the lack of a serious and detailed exploration of the exact standard by which we determine when we should impose some limits on technological innovation.

Generally speaking, while I strongly believe that “permissionless innovation” should remain the policy default for most technologies, there certainly exists some scenarios where the threat of harm associated with a new innovation might be highly probable, tangible, immediate, irreversible, and catastrophic in nature. If so, that could qualify it for at least a light version of the Precautionary Principle. In a future paper or book chapter I’m just now starting to research, I hope to fuller develop those qualifiers and formulate a more robust test around them.

I would have very much liked to see Wallach articulate and defend a test of his own for when formal precaution would make sense. And, by extension, when should we default to soft precaution, or soft law and informal governance mechanisms for emerging technologies.

We turn to that issue next.

Toward Soft Governance & the Engineering of Better Technological Ethics

Even though Wallach doesn’t provide us with a test for determining when precaution makes sense or when we should instead default to soft governance, he does a much better job explaining the various models of soft law or informal governance that might help us deal with the potential negative ramifications of highly disruptive forms of technological change.

What Wallach proposes, in essence, is that we bake a dose of precautionary directly into the innovation process through a wide variety of informal governance/oversight mechanisms. “By embedding shared values in the very design of new tools and techniques, engineers improve the prospect of a positive outcome,” he claims. “The upstream embedding of shared values during the design process can ease the need for major course adjustments when it’s often too late.” (p. 261)

Wallach’s favored instrument of soft governance is what he refers to as “Governance Coordinating Committees” (GCCs). These Committees would coordinate “the separate initiatives by the various government agencies, advocacy groups, and representatives of industry” who would serve as “issue managers for the comprehensive oversight of each field of research.” (p. 250) He elaborates and details the function of GCCs as follows:

These committees, led by accomplished elders who have already achieved wide respect, are meant to work together with all the interested stakeholders to monitor technological development and formulate solutions to perceived problems. Rather than overlap with or function as a regulatory body, the committee would work together with existing institutions. (p. 250-51)

Wallach discussed the GCC idea in much greater detail in a 2013 book chapter he penned with Gary E. Marchant for a collected volume of essays on Innovative Governance Models for Emerging Technologies. (I highly recommend you pick up that book if you can afford it! Many terrific essays in that book on these issues.) In their chapter, Marchant and Wallach specify some of the soft law mechanisms we might use to instill a bit of precaution preemptively. These mechanisms include: “codes of conduct, statements of principles, partnership programs, voluntary programs and standards, certification programs and private industry initiatives.”

If done properly, GCCs could provide exactly the sort of wise counsel and smart recommendations that Wallach desires. In my book and many law review articles on various disruptive technologies, I have endorsed many of the ideas and strategies Wallach identifies. I’ve also stressed the importance of many other mechanisms, such as education and empowerment-based strategies that could help the public learn to cope with new innovations or use them appropriately. In addition, I’ve highlighted the many flexible, adaptive ex post remedies that can help when things go wrong. Those mechanisms include common law remedies such as product defects law, various torts, contract law, property law, and even class action lawsuits. Finally, I have written extensively about the very active role played by the Federal Trade Commission (FTC) and other consumer protection agencies, which have broad discretion to police “unfair and deceptive practices” by innovators.

Moreover, we already have a quasi-GCC model developing today with the so-called “multistakeholder governance” model that is often used in both informal and formal ways to handle many emerging technology policy issues.  The Department of Commerce (the National Telecommunications and Information Administration in particular) and the FTC have already developed many industry codes of conduct and best practices for technologies such as biometrics, big data, the Internet of Things, online advertising, and much more. Those agencies and others (such as the FDA and FAA) are continuing to investigate other codes or guidelines for things like advanced medical devices and drones, respectively. Meanwhile, I’ve heard other policymakers and academics float the idea of “digital ombudsmen,” “data ethicists,” and “private IRBs” (institutional review boards) as other potential soft law solutions that technology companies might consider. Perhaps going forward, many tech firms will have Chief Ethical Officers just as many of them today have Chief Privacy Officers or Chief Security Officers.

In other words, there’s already a lot of “soft law” activities going on in this space. And I haven’t even begun an inventory of the many other bodies or groups that already exist in each sector today that has set forth their own industry self-regulatory codes, but they exist in almost every field that Wallach worries about.

So, I’m not sure how much his GCC idea will add to this existing mix, but I would not be opposed to them playing the sort of coordinating “issue manager” role he describes. But I still have many questions about GCC’s, including:

• How many of them are needed and how we will know which one is the definitive GCC for each sector or technology?
• If they are overly formal in character and dominated by the most vociferous opponents of any particular technology, a real danger exists that a GCC could end up granting a small cabal a “heckler’s veto” over particular forms of innovation.
• Alternatively, the possibility of “regulatory capture” could be a problem for some GCCs if incumbent companies come to dominate their membership.
• Even if everything went fairly smoothly and the GCCs produced balanced reports and recommendations, future developers might wonder if and why they are to be bound by older guidelines.
• And if those future developers choose not to play by the same set of guidelines, what’s the penalty for non-compliance?
• And how are such guidelines enforced in a world where what I’ve called “global innovation arbitrage” is an increasing reality?

Challenging Questions for Both Hard and Soft Law

To summarize, whether we are speaking of “hard” or “soft” law approaches to technological governance, I am just not nearly as optimistic as Wallach seems to be that we will be able to find consensus on these three things:

(1) what constitutes “harm” in many of these circumstances;

(2) which “shared values” should prevail when “society” debates the shaping of ethics or guiding norms for emerging technologies but has highly contradictory opinions about those values (consider online privacy as a good example, where many people enjoy hyper-sharing while other demand hyper-privacy); and,

(3) that we can create a legitimate “governing body” (or bodies) that will be responsible for formulating these guidelines in a fair way without completely derailing the benefits of innovation in new fields and also remaining relevant for very long.

Nonetheless, as he and others have suggested, the benefit of adopting a soft law/informal governance approach to these issues is that it at least seeks to address these questions in more flexible and adaptive fashion. As I noted in my book, traditional regulatory systems “tend to be overly rigid, bureaucratic, inflexible, and slow to adapt to new realities. They focus on preemptive remedies that aim to predict the future, and future hypothetical problems that may not ever come about. Worse yet, administrative regulation generally preempts or prohibits the beneficial experiments that yield new and better ways of doing things.” ( Permissionless Innovation, p. 120)

So, despite the questions I have raised here, I welcome the more flexible soft law approach that Wallach sets forth in his book. I think it represents a far more constructive way forward when compared to the opposite “top-down” or “command-and-control” regulatory systems of the past. But I very much want to make sure that even these new and more flexible soft law approaches leave plenty of breathing room for ongoing trial-and-error experimentation with new technologies and systems.

Conclusion

In closing, I want to reiterate that not only did I appreciate the excellent questions raised by Wendell Wallach in A Dangerous Master, but I take them very seriously. When I sat down to revise and expand my Permissionless Innovation book last year, I decided to include this warning from Wallach in my revised preface: “The promoters of new technologies need to speak directly to the disquiet over the trajectory of emerging fields of research. They should not ignore, avoid, or superficially dampen criticism to protect scientific research.” (p. 28–9)

As I noted, in response to Wallach: “I take this charge seriously, as should others who herald the benefits of permissionless innovation as the optimal default for technology policy. We must be willing to take on the hard questions raised by critics and then also offer constructive strategies for dealing with a world of turbulent technological change.”

Serious questions deserve serious answers. Of course, sometimes those posing those questions fail to provide many answers of their own! Perhaps it is because they believe the questions answer themselves. Other times, it’s because they are willing to admit that easy answers to these questions typically prove quite elusive. In Wallach’s case, I believe it’s more the latter.

To wrap up, I’ll just reiterated that both Wallach and I share a common desire to find solutions to the hard questions about technological innovation. But the crucial question that probably separates his worldview and my own is this: Whether we are talking about hard or soft governance, how much faith should we place in preemptive planning vs. ongoing trial and error experimentation to solve technological challenges? Wallach is more inclined to believe we can divine these things with the sagacious foresight of “accomplished elders” and technocratic “issue managers,” who will help us slow things down until we figure out how to properly ease a new technology into society (if at all). But I believe that the only way we will find many of the answers we are searching for is by allowing still more experimentation with the very technologies that he and others seek to control the development of. We humans are outstanding problem-solvers and have the uncanny ability among all mammals to adapt to changing circumstances. We roll with the punches, learn from them, and become more resilient in the process. As I noted in my 2014 essay, “Muddling Through: How We Learn to Cope with Technological Change”:

we modern pragmatic optimists must continuously point to the unappreciated but unambiguous benefits of technological innovation and dynamic change. But we should also continue to remind the skeptics of the amazing adaptability of the human species in the face of adversity. [. . .] Humans have consistently responded to technological change in creative, and sometimes completely unexpected ways. There’s no reason to think we can’t get through modern technological disruptions using similar coping and adaptation strategies.

Will the technologies that Wallach fears bring about a “techstorm” that overwhelms our culture, our economy, and even our very humanity? It’s certainly possible, and we should continue to seriously discuss the issues that he and other skeptics raise about our expanding technological capabilities and the potential for many of them to do great harm. Because some of them truly could.

But it is equally plausible—in fact, some of us would say, highly probable—that instead of overwhelming us, we learn how to bend these new technological capabilities to our will and make them work for our collective benefit. Instead of technology becoming “a dangerous master,” we will instead make it our helpful servant, just as we have so many times before.

APPENDIX: When Does Precaution Make Sense?

[excerpt from chapter 3 of Permissionless Innovation: The Continuing Case for Comprehensive Technological Freedom. Footnotes omitted. See book for all references.]

But aren’t there times when a certain degree of precautionary policymaking makes good sense? Indeed, there are, and it is important to not dismiss every argument in favor of precautionary principle–based policymaking, even though it should not be the default policy rule in debates over technological innovation.

The challenge of determining when precautionary policies make sense comes down to weighing the (often limited) evidence about any given technology and its impact and then deciding whether the potential downsides of unrestricted use are so potentially catastrophic that trial-and-error experimentation simply cannot be allowed to continue. There certainly are some circumstances when such a precautionary rule might make sense. Governments restrict the possession of uranium and bazookas, to name just two obvious examples.

Generally speaking, permissionless innovation should remain the norm in the vast majority of cases, but there will be some scenarios where the threat of tangible, immediate, irreversible, catastrophic harm associated with new innovations could require at least a light version of the precautionary principle to be applied.  In these cases, we might be better suited to think about when an “anti-catastrophe principle” is needed, which narrows the scope of the precautionary principle and focuses it more appropriately on the most unambiguously worst-case scenarios that meet those criteria.

But most cases don’t fall into this category. Instead, we generally allow innovators and consumers to freely experiment with technologies, and even engage in risky behaviors, unless a compelling case can be made that precautionary regulation is absolutely necessary.  How is the determination made regarding when precaution makes sense? This is where the role of benefit-cost analysis (BCA) and regulatory impact analysis is essential to getting policy right.  BCA represents an effort to formally identify the tradeoffs associated with regulatory proposals and, to the maximum extent feasible, quantify those benefits and costs.  BCA generally cautions against preemptive, precautionary regulation unless all other options have been exhausted—thus allowing trial-and-error experimentation and “learning by doing” to continue. (The mechanics of BCA are discussed in more detail in section VII.)

This is not the end of the evaluation, however. Policymakers also need to consider the complexities associated with traditional regulatory remedies in a world where technological control is increasingly challenging and quite costly. It is not feasible to throw unlimited resources at every problem, because society’s resources are finite.  We must balance risk probabilities and carefully weigh the likelihood that any given intervention has a chance of creating positive change in a cost-effective fashion.  And it is also essential to take into account the potential unintended consequences and long-term costs of any given solution because, as Harvard law professor Cass Sunstein notes, “it makes no sense to take steps to avert catastrophe if those very steps would create catastrophic risks of their own.”  “The precautionary principle rests upon an illusion that actions have no consequences beyond their intended ends,” observes Frank B. Cross of the University of Texas. But “there is no such thing as a risk-free lunch. Efforts to eliminate any given risk will create some new risks,” he says.

Oftentimes, after working through all these considerations about whether to regulate new technologies or technological processes, the best solution will be to do nothing because, as noted throughout this book, we should never underestimate the amazing ingenuity and resiliency of humans to find creative solutions to the problems posed by technological change.  (Section V discusses the importance of individual and social adaptation and resiliency in greater detail.) Other times we might find that, while some solutions are needed to address the potential risks associated with new technologies, nonregulatory alternatives are also available and should be given a chance before top-down precautionary regulations are imposed. (Section VII considers those alternative solutions in more detail.)

Finally, it is again essential to reiterate that we are talking here about the dangers of precautionary thinking as a public policy prerogative—that is, precautionary regulations that are mandated and enforced by government officials. By contrast, precautionary steps may be far more wise when undertaken in a more decentralized manner by individuals, families, businesses, groups, and other organizations. In other words, as I have noted elsewhere in much longer articles on the topic, “there is a different choice architecture at work when risk is managed in a localized manner as opposed to a society-wide fashion,” and risk-mitigation strategies that might make a great deal of sense for individuals, households, or organizations, might not be nearly as effective if imposed on the entire population as a legal or regulatory directive.

Finally, at times, more morally significant issues may exist that demand an even more exhaustive exploration of the impact of technological change on humanity. Perhaps the most notable examples arise in the field of advance medical treatments and biotechnology. Genetic experimentation and human cloning, for example, raise profound questions about altering human nature or abilities as well as the relationship between generations.

The case for policy prudence in these matters is easier to make because we are quite literally talking about the future of what it means to be human.  Controversies have raged for decades over the question of when life begins and how it should end. But these debates will be greatly magnified and extended in coming years to include equally thorny philosophical questions.  Should parents be allowed to use advanced genetic technologies to select the specific attributes they desire in their children? Or should parents at least be able to take advantage of genetic screening and genome modification technologies that ensure their children won’t suffer from specific diseases or ailments once born?

Outside the realm of technologically enhanced procreation, profound questions are already being raised about the sort of technological enhancements adults might make to their own bodies. How much of the human body can be replaced with robotic or bionic technologies before we cease to be human and become cyborgs?  As another example, “biohacking”—efforts by average citizens working together to enhance various human capabilities, typically by experimenting on their own bodies —could become more prevalent in coming years.  Collaborative forums, such as Biohack.Me, already exist where individuals can share information and collaborate on various projects of this sort.  Advocates of such amateur biohacking sometimes refer to themselves as “grinders,” which Ben Popper of the Verge defines as “homebrew biohackers [who are] obsessed with the idea of human enhancement [and] who are looking for new ways to put machines into their bodies.”

These technologies and capabilities will raise thorny ethical and legal issues as they advance. Ethically, they will raise questions of what it means to be human and the limits of what people should be allowed to do to their own bodies. In the field of law, they will challenge existing health and safety regulations imposed by the FDA and other government bodies.

Again, most innovation policy debates—including most of the technologies discussed throughout this book—do not involve such morally weighty questions. In the abstract, of course, philosophers might argue that every debate about technological innovation has an impact on the future of humanity and “what it means to be human.” But few have much of a direct influence on that question, and even fewer involve the sort of potentially immediate, irreversible, or catastrophic outcomes that should concern policymakers.

In most cases, therefore, we should let trial-and-error experimentation continue because “experimentation is part and parcel of innovation” and the key to social learning and economic prosperity.  If we froze all forms of technological innovation in place while we sorted through every possible outcome, no progress would ever occur. “Experimentation matters,” notes Harvard Business School professor Stefan H. Thomke, “because it fuels the discovery and creation of knowledge and thereby leads to the development and improvement of products, processes, systems, and organizations.”

Of course, ongoing experimentation with new technologies always entails certain risks and potential downsides, but the central argument of this book is that (a) the upsides of technological innovation almost always outweigh those downsides and that (b) humans have proven remarkably resilient in the face of uncertain, ever-changing futures.

In sum, when it comes to managing or coping with the risks associated with technological change, flexibility and patience is essential. One size most certainly does not fit all. And one-size-fits-all approaches to regulating technological risk are particularly misguided when the benefits associated with technological change are so profound. Indeed, “[t]echnology is widely considered the main source of economic progress”; therefore, nothing could be more important for raising long-term living standards than creating a policy environment conducive to ongoing technological change and the freedom to innovate.

Consider this recent  Washington Post headline: “A College Kid Spends $60 to Straighten His Own Teeth. What Could Possibly Go Wrong?” Matt McFarland of the Post reports that, “A college student has received a wealth of interest in his dental work after publishing an account of straightening his own teeth for $60.” The student at the New Jersey Institute of Technology, “had no dentistry experience when he decided to create plastic aligners to improve his smile,” but was able to use a 3D printer and laser scanner on campus to accomplish the job. “After publishing before-and-after pictures of his teeth this month, [the student] has received hundreds of requests from strangers, asking him to straighten their teeth.”

McFarland cites many medical professionals who are horrified at the prospect of patients taking their health decisions into own hands and engaging in practices that could be dangerous to themselves and others. Some of the licensed practitioners cited in the story come across as just being bitter losers as they face the potential for the widespread disintermediation of their profession. After all, they currently charge thousands of dollars for various dental procedures and equipment. Thanks to technological innovations, however, those costs could soon plummet, which could significantly undercut their healthy margins on dental services and equipment. On the other hand, these professionals have a fair point about untrained citizens doing their own dental work or giving others the ability to do so. Things certainly could go horribly wrong.

This is another interesting case study related to the subject of a forthcoming Mercatus paper as well as an upcoming law review article on 3D printing of mine, both of which pose the following question: What happens when radically decentralized technological innovation (such as 3D printing) gives people a de facto “right to try” new medicines and medical devices? In one sense, decentralized, democratized innovation of this sort presents us with an exciting new world of possibilities. On the other hand, we know that when average citizens take their health into their own hands, the results could be disastrous. The question is, what do want policymakers to do about it? Ban 3D printers? Restrict the distribution of 3D printed blueprints freely shared online? Try to license average users? Or regulate the materials used to make these medical devices?

For the reasons I suggest in my forthcoming paper, none of these options are likely to work very well in practice. It will  prove too complex and costly to employ top-down, command-and-control regulation in a world of such decentralized innovation. Moreover, many people will also find it highly offensive if the government takes steps to limit their personal autonomy and ability to self-treat themselves at a much lower cost than our currently health care system typically demands for similar treatments. The example in McFarland’s story is quite powerful in that regard because, as it makes clear, even young kids could be engaging in this sort of innovation and self-experimentation, at greatly reduced cost to themselves or their families. Again, this is both wonderful and a little bit scary.

The best hope, I argue in my forthcoming papers, lies in improved risk education. The goal should be to help create a more fully-informed citizenry that is empowered with more and better information about relative risk trade-offs. The Food & Drug Administration already engages in various product labeling efforts as well as public education campaigns and strategies. But this has always been a secondary mission for the agency, which has instead focused on trying to preemptively guarantee the safety and efficacy of drugs and devices. And much of the “education” the FDA does is basically explaining to companies and the public how to comply with its voluminous body of regulation.

This is going to have to change, and change quickly. Going forward, the FDA will likely have to reorient its focus in this way to cope with the rapidly evolving universe of not just mobile medical apps and 3D-printed technologies, but also all the wearable technologies that are part of the larger Internet of Things. For example, the FDA recently released a guidance document for “Management of Cybersecurity in Medical Devices,” encouraging innovators and other stakeholders to address security vulnerability in a collaborative, flexible fashion.  This same model could be applied to 3D printing and many other new technologies. As I continue on to note in my forthcoming paper:

Guidance documents should be crafted that suggest various best practices for developers as well as risk education and communication messaging for the general public. The downside of such guidance documents, however, is that they leave unanswered the question of exactly what regulatory authority the agency might bring to bear against companies who are found to violate the “voluntary” principles or best practices in the documents. On the other hand, those guidance documents are usually superior to the alternative path of overly-rigid, top-down, preemptive controls on innovation. Congress should monitor the FDA’s use of such guidance documents closely to ensure that the agency does not abuse its broad regulatory discretion through arbitrary guidance actions.

My forthcoming papers also suggests that other non-governmental bodies will need to play a more active role in this risk education process and help explain safe and sensible uses of new technologies to the public, especially kids. And product developers will need to step-up their “safety-by-design” efforts to try to make sure that the products they release into the wild are as safe as possible. Of course, as with other general purpose technologies (like computers and smartphones), there is only so much that can be done preemptively to make sure devices like 3D printers are “safe and secure” out of the box. The reality is that, the more open and generative a new technology or platform, the harder it is to preemptively design it in such a way to foresee and limit all its uses–for better or for worse.

We live in exciting times, but serious risks exist when radical technological decentralization places tools and capabilities in the hands of average citizens. The goal of public policy should  not be to retard the development or distribution of all these wonderful new tools, but instead to redouble efforts to education citizens about proper and improper uses of them.

Yesterday, the Federal Trade Commission (FTC) released its long-awaited report on “The Internet of Things: Privacy and Security in a Connected World.” The 55-page report is the result of a lengthy staff exploration of the issue, which kicked off with an FTC workshop on the issue that was held on November 19, 2013.

I’m still digesting all the details in the report, but I thought I’d offer a few quick thoughts on some of the major findings and recommendations from it. As I’ve noted here before, I’ve made the Internet of Things my top priority over the past year and have penned several essays about it here, as well as in a big new white paper (“The Internet of Things and Wearable Technology: Addressing Privacy and Security Concerns without Derailing Innovation”) that will be published in the Richmond Journal of Law & Technology shortly. (Also, here’s a compendium of most of what I’ve done on the issue thus far.)

I’ll begin with a few general thoughts on the FTC’s report and its overall approach to the Internet of Things and then discuss a few specific issues that I believe deserve attention.

Big Picture, Part 1: Should Best Practices Be Voluntary or Mandatory?

Generally speaking, the FTC’s report contains a variety of “best practice” recommendations to get Internet of Things innovators to take steps to ensure greater privacy and security “by design” in their products. Most of those recommended best practices are sensible as general guidelines for innovators, but the really sticky question here continued to be this: When, if ever, should “best practices” become binding regulatory requirements?

The FTC does a bit of a dance when answering that question. Consider how, in the executive summary of the report, the Commission answers the question regarding the need for additional privacy and security regulation: “Commission staff agrees with those commenters who stated that there is great potential for innovation in this area, and that IoT-specific legislation at this stage would be premature.” But, just a few lines later, the agency (1) “reiterates the Commission’s previous recommendation for Congress to enact strong, flexible, and technology-neutral federal legislation to strengthen its existing data security enforcement tools and to provide notification to consumers when there is a security breach;” and (2) “recommends that Congress enact broad-based (as opposed to IoT-specific) privacy legislation.”

Here and elsewhere, the agency repeatedly stresses that it is not seeking IoT-specific regulation; merely “broad-based” digital privacy and security legislation. The problem is that once you understand what the IoT is all about you come to realize that this largely represents a distinction without a difference. The Internet of Things is simply the extension of the Net into everything we own or come into contact with. Thus, this idea that the agency is not seeking IoT-specific rule sounds terrific until you realize that it is actually seeking something far more sweeping: greater regulation of all online / digital interactions. And because “the Internet” and “the Internet of Things” will eventually (if they are not already) be considered synonymous, this notion that the agency is not proposing technology-specific regulation is really quite silly.

Now, it remains unclear whether there exists any appetite on Capitol Hill for “comprehensive” legislation of any variety – although perhaps we’ll learn more about that possibility when the Senate Commerce Committee hosts a hearing on these issues on February 11. But at least thus far, “comprehensive” or “baseline” digital privacy and security bills have been non-starters.

And that’s for good reason in my opinion: Such regulatory proposals could take us down the path that Europe charted in the late 1990s with onerous “data directives” and suffocating regulatory mandates for the IT / computing sector. The results of this experiment have been unambiguous, as I documented in congressional testimony in 2013. I noted there how America’s Internet sector came to be the envy of the world while it was hard to name any major Internet company from Europe. Whereas America embraced “permissionless innovation” and let creative minds develop one of the greatest success stories in modern history, the Europeans adopted a “Mother, May I” regulatory approach for the digital economy. America’s more flexible, light-touch regulatory regime leaves more room for competition and innovation compared to Europe’s top-down regime. Digital innovation suffered over there while it blossomed here.

That’s why we need to be careful about adopting the sort of “broad-based” regulatory regime that the FTC recommends in this and previous reports.

Big Picture, Part 2: Does the FTC Really Need More Authority?

Something else is going on in this report that has also been happening in all the FTC’s recent activity on digital privacy and security matters: The agency has been busy laying the groundwork for its own expansion.

In this latest report, for example, the FTC argues that

Although the Commission currently has authority to take action against some IoT-related practices, it cannot mandate certain basic privacy protections… The Commission has continued to recommend that Congress enact strong, flexible, and technology-neutral legislation to strengthen the Commission’s existing data security enforcement tools and require companies to notify consumers when there is a security breach.

In other words, this agency wants more authority. And we are talking about sweeping authority here that would transcend its already sweeping authority to police “unfair and deceptive practices” under Section 5 of the FTC Act. Let’s be clear: It would be hard to craft a law that grants an agency more comprehensive and open-ended consumer protection authority than Section 5. The meaning of those terms — “unfairness” and “deception” — has always been a contentious matter, and at times the agency has abused its discretion by exploiting that ambiguity.

Nonetheless, Sec. 5 remains a powerful enforcement tool for the agency and one that has been wielded aggressively in recently years to police digital economy giants and small operators alike. Generally speaking, I’m alright with most Sec. 5 enforcement, especially since that sort of retrospective policing of unfair and deceptive practices is far less likely to disrupt permissionless innovation in the digital economy. That’s because it does not subject digital innovators to the sort of “Mother, May I” regulatory system that European entrepreneurs face. But an expansion of the FTC’s authority via more “comprehensive, baseline” privacy and security regulatory policies threatens to convert America’s more sensible bottom-up and responsive regulatory system into the sort of innovation-killing regime we see on the other side of the Atlantic.

Here’s the other thing we can’t forget when it comes to the question of what additional authority to give the FTC over privacy and security matters: The FTC is not the end of the enforcement story in America. Other enforcement mechanism exist, including: privacy torts, class action litigation, property and contract law, state enforcement agencies, and other targeted privacy statutes. I’ve summarized all these additional enforcement mechanisms in my recent law review article referenced above. (See section VI of the paper.)

FIPPS, Part 1: Notice & Choice vs. Use-Based Restrictions

Next, let’s drill down a bit and examine some of the specific privacy and security best practices that the agency discusses in its new IoT report.

The FTC report highlights how the IoT creates serious tensions for many traditional Fair Information Practice Principles (FIPPs). The FIPPs generally include: (1) notice, (2) choice, (3) purpose specification, (4) use limitation, and (5) data minimization. But the report is mostly focused on notice and choice as well as data minimization.

When it comes to notice and choice, the agency wants to keep hope alive that it will still be applicable in an IoT world. I’m sympathetic to this effort because it is quite sensible for all digital innovators to do their best to provide consumers with adequate notice about data collection practices and then give them sensible choices about it. Yet, like the agency, I agree that “offering notice and choice is challenging in the IoT because of the ubiquity of data collection and the practical obstacles to providing information without a user interface.”

The agency has a nuanced discussion of how context matters in providing notice and choice for IoT, but one can’t help but think that even they must realize that the game is over, to some extent. The increasing miniaturization of IoT devices and the ease with which they suck up data means that traditional approaches to notice and choice just aren’t going to work all that well going forward. It is almost impossible to envision how a rigid application of traditional notice and choice procedures would work in practice for the IoT.

Relatedly, as I wrote here last week, the Future of Privacy Forum (FPF) recently released a new white paper entitled, “A Practical Privacy Paradigm for Wearables,” that notes how FIPPs “are a valuable set of high-level guidelines for promoting privacy, [but] given the nature of the technologies involved, traditional implementations of the FIPPs may not always be practical as the Internet of Things matures.” That’s particularly true of the notice and choice FIPPS.

But the FTC isn’t quite ready to throw in the towel and make the complete move toward “use-based restrictions,” as many academics have. (Note: I have lengthy discussion of this migration toward use-based restrictions in my law review article in section IV.D.). Use-based restrictions would focus on specific uses of data that are particularly sensitive and for which there is widespread agreement they should be limited or disallowed altogether. But use-based restrictions are, ironically, controversial from both the perspective of industry and privacy advocates (albeit for different reasons, obviously).

The FTC doesn’t really know where to go next with use-based restrictions. The agency says that, on one hand, “has incorporated certain elements of the use-based model into its approach” to enforcement in the past. On the other hand, the agency says it has concerns “about adopting a pure use-based model for the Internet of Things,” since it may not go far enough in addressing the growth of more widespread data collection, especially of more sensitive information.

In sum, the agency appears to be keeping the door open on this front and hoping that a best-of-all-worlds solution miraculously emerges that extends both notice and choice and use-based limitations as the IoT expands. But the agency’s new report doesn’t give us any sort of blueprint for how that might work, and that’s likely for good reason: because it probably won’t work at that well in practice and there will be serious costs in terms of lost innovation if they try to force unworkable solutions on this rapidly evolving marketplace.

FIPPS, Part 2: Data Minimization

The biggest policy fight that is likely to come out of this report involves the agency’s push for data minimization. The report recommends that, to minimize the risks associated with excessive data collection:

companies should examine their data practices and business needs and develop policies and practices that impose reasonable limits on the collection and retention of consumer data. However, recognizing the need to balance future, beneficial uses of data with privacy protection, staff’s recommendation on data minimization is a flexible one that gives companies many options. They can decide not to collect data at all; collect only the fields of data necessary to the product or service being offered; collect data that is less sensitive; or deidentify the data they collect. If a company determines that none of these options will fulfill its business goals, it can seek consumers’ consent for collecting additional, unexpected categories of data…

This is an unsurprising recommendation in light of the fact that, in previous major speeches on the issue, FTC Chairwoman Edith Ramirez argued that, “information that is not collected in the first place can’t be misused,” and that:

The indiscriminate collection of data violates the First Commandment of data hygiene: Thou shall not collect and hold onto personal information unnecessary to an identified purpose. Keeping data on the off chance that it might prove useful is not consistent with privacy best practices. And remember, not all data is created equally. Just as there is low quality iron ore and coal, there is low quality, unreliable data. And old data is of little value.

In my forthcoming law review article, I discussed the problem with such reasoning at length and note:

if Chairwoman Ramirez’s approach to a preemptive data use “commandment” were enshrined into a law that said, “Thou shall not collect and hold onto personal information unnecessary to an identified purpose.” Such a precautionary limitation would certainly satisfy her desire to avoid hypothetical worst-case outcomes because, as she noted, “information that is not collected in the first place can’t be misused,” but it is equally true that information that is never collected may never lead to serendipitous data discoveries or new products and services that could offer consumers concrete benefits. “The socially beneficial uses of data made possible by data analytics are often not immediately evident to data subjects at the time of data collection,” notes Ken Wasch, president of the Software & Information Industry Association. If academics and lawmakers succeed in imposing such precautionary rules on the development of IoT and wearable technologies, many important innovations may never see the light of day.

FTC Commissioner Josh Wright issued a dissenting statement to the report that lambasted the staff for not conducting more robust cost-benefit analysis of the new proposed restrictions, and specifically cited how problematic the agency’s approach to data minimization was. “[S]taff merely acknowledges it would potentially curtail innovative uses of data. . . [w]ithout providing any sense of the magnitude of the costs to consumers of foregoing this innovation or of the benefits to consumers of data minimization,” he says. Similarly, in her separate statement, FTC Commissioner Maureen K. Ohlhausen worried about the report’s overly precautionary approach on data minimization when noting that, “without examining costs or benefits, [the staff report] encourages companies to delete valuable data — primarily to avoid hypothetical future harms. Even though the report recognizes the need for flexibility for companies weighing whether and what data to retain, the recommendation remains overly prescriptive,” she concludes.

Regardless, the battle lines have been drawn by the FTC staff report as the agency has made it clear that it will be stepping up its efforts to get IoT innovators to significantly slow or scale back their data collection efforts. It will be very interesting to see how the agency enforces that vision going forward and how it impacts innovation in this space. All I know is that the agency has not conducted a serious evaluation here of the trade-offs associated with such restrictions. I penned another law review article last year offering “A Framework for Benefit-Cost Analysis in Digital Privacy Debates” that they could use to begin that process if they wanted to get serious about it.

The Problem with the “Regulation Builds Trust” Argument

One of the interesting things about this and previous FTC reports on privacy and security matters is how often the agency premises the case for expanded regulation on “building trust.” The argument goes something like this (as found on page 51 of the new IoT report): “Staff believes such legislation will help build trust in new technologies that rely on consumer data, such as the IoT. Consumers are more likely to buy connected devices if they feel that their information is adequately protected.”

This is one of those commonly-heard claims that sounds so straight-forward and intuitive that few dare question it. But there are problems with the logic of the “we-need-regulation-to-build-trust-and boost adoption” arguments we often hear in debates over digital privacy.

First, the agency bases its argument mostly on polling data. “Surveys also show that consumers are more likely to trust companies that provide them with transparency and choices,” the report says. Well, of course surveys say that! It’s only logical that consumers will say this, just as they will always say they value privacy and security more generally when asked. You might as well ask people if they love their mothers!

But what consumers claim to care about and what they actually do in the real-world are often two very different things. In the real-world, people balance privacy and security alongside many other values, including choice, convenience, cost, and more. This leads to the so-called “privacy paradox,” or the problem of many people saying one thing and doing quite another when it comes to privacy matters. Put simply, people take some risks — including some privacy and security risks — in order to reap other rewards or benefits. (See this essay for more on the problem with most privacy polls.)

Second, online activity and the Internet of Things are both growing like gangbusters despite the privacy and security concerns that the FTC raises. Virtually every metric I’ve looked at that track IoT activity show astonishing growth and product adoption, and projections by all the major consultancies that have studied this consistently predict the continued rapid growth of IoT activity. Now, how can this be the case if, as the FTC claims, we’ll only see the IoT really take off after we get more regulation aimed at bolstering consumer trust? Of course, the agency might argue that the IoT will grow at an even faster clip than it is right now, but there is no way to prove one way or the other. In any event, the agency cannot possible claim that the IoT isn’t already growing at a very healthy clip — indeed, a lot of the hand-wringing the staff engages in throughout the report is premised precisely on the fact that the IoT is exploding faster that our ability to keep up with it!! In reality, it seems far more likely that cost and complexity are the bigger impediments to faster IoT adoption, just as cost and complexity have always been the factors weighing most heavily on the adoption of other digital technologies.

Third, let’s say that the FTC is correct – and it is – when it says that a certain amount of trust is needed in terms of IoT privacy and security before consumers are willing to use more of these devices and services in their everyday lives. Does the agency imagine that IoT innovators don’t know that? Are markets and consumers completely irrational? The FTC says on page 44 of the report that, “If a company decides that a particular data use is beneficial and consumers disagree with that decision, this may erode consumer trust.” Well, if such a mismatch does exist, then the assumption should be that consumers can and will push back, or seek out new and better options. And other companies should be able to sense the market opportunity here to offer a more privacy-centric offering for those consumers who demand it in order to win their trust and business.

Finally, and perhaps most obviously, the problem with the argument that increased regulation will help IoT adoption is that it ignores how the regulations put in place to achieve greater “trust” might become so onerous or costly in practice that there won’t be as many innovations for us to adopt to begin with! Again, regulation — even very well-intentioned regulation — has costs and trade-offs.

In any event, if the agency is going to premise the case for expanded privacy regulation on this notion, they are going to have to do far more to make their case besides simply asserting it.

Once Again, No Appreciation of the Potential for Societal Adaptation

Let’s briefly shift to a subject that isn’t discussed in the FTC’s new IoT report at all.

Regular readers may get tired of me making this point, but I feel it is worth stressing again: Major reports and statements by public policymakers about rapidly-evolving emerging technologies are always initially prone to stress panic over patience. Rarely are public officials willing to step-back, take a deep breath, and consider how a resilient citizenry might adapt to new technologies as they gradually assimilate new tools into their lives.

That is really sad, when you think about it, since humans have again and again proven capable of responding to technological change in creative ways by adopting new personal and social norms. I won’t belabor the point because I’ve already written volumes on this issue elsewhere. I tried to condense all my work into a single essay entitled, “Muddling Through: How We Learn to Cope with Technological Change.” Here’s the key takeaway:

humans have exhibited the uncanny ability to adapt to changes in their environment, bounce back from adversity, and learn to be resilient over time. A great deal of wisdom is born of experience, including experiences that involve risk and the possibility of occasional mistakes and failures while both developing new technologies and learning how to live with them. I believe it wise to continue to be open to new forms of innovation and technological change, not only because it provides breathing space for future entrepreneurialism and invention, but also because it provides an opportunity to see how societal attitudes toward new technologies evolve — and to learn from it. More often than not, I argue, citizens have found ways to adapt to technological change by employing a variety of coping mechanisms, new norms, or other creative fixes.

Again, you almost never hear regulators or lawmakers discuss this process of individual and social adaptation even though they must know there is something to it. One explanation is that every generation has their own techno-boogeymen and lose faith in the ability of humanity to adapt to it.

To believe that we humans are resilient, adaptable creatures should not be read as being indifferent to the significant privacy and security challenges associated with any of the new technologies in our lives today, including IoT technologies. Overly-exuberant techno-optimists are often too quick to adopt a “Just-Get-Over-It!” attitude in response to the privacy and security concerns raised by others. But it is equally unforgivable for those who are worried about those same concerns to utterly ignore the reality of human adaptation to new technologies realities.

Why are Educational Approaches Merely an Afterthought?

One final thing that troubled me about the FTC report was the way consumer and business education is mostly an afterthought. This is one of the most important roles that the FTC can and should play in terms of explaining potential privacy and security vulnerabilities to the general public and product developers alike.

Alas, the agency devotes so much ink to the more legalistic questions about how to address these issues, that all we end up with in the report is this one paragraph on consumer and business education:

Consumers should understand how to get more information about the privacy of their IoT devices, how to secure their home networks that connect to IoT devices, and how to use any available privacy settings. Businesses, and in particular small businesses, would benefit from additional information about how to reasonably secure IoT devices. The Commission staff will develop new consumer and business education materials in this area.

I applaud that language, and I very much hope that the agency is serious about plowing more effort and resources into developing new consumer and business education materials in this area. But I’m a bit shocked that the FTC report didn’t even bother mentioning the excellent material already available on the “On Guard Online” website it helped created with a dozen other federal agencies. Worse yet, the agency failed to highlight the many other privacy education and “digital citizenship” efforts that are underway today to help on this front. I discuss those efforts in more detail in the closing section of my recent law review article.

I hope that the agency spends a little more time working on the development of new consumer and business education materials in this area instead of trying to figure out how to craft a quasi-regulatory regime for the Internet of Things. As I noted last year in this Maine Law Review article, that would be a far more productive use of the agency’s expertise and resources. I argued there that “policymakers can draw important lessons from the debate over how best to protect children from objectionable online content” and apply them to debates about digital privacy. Specifically, after a decade of searching for legalistic solutions to online safety concerns — and convening a half-dozen blue ribbon task forces to study the issue — we finally saw a rough consensus emerge that no single “silver-bullet” technological solutions or legal quick-fixes would work and that, ultimately, education and empowerment represented the better use of our time and resources. What was true for child safety is equally true for privacy and security for the Internet of Things.

It’s a shame the FTC staff squandered the opportunity it had with this new report to highlight all the good that could be done by getting more serious about focusing first on those alternative, bottom-up, less costly, and less controversial solutions to these challenging problems. One day we’ll all wake up and realize that we spent a lost decade debating legalistic solutions that were either technically unworkable or politically impossible. Just imagine if all the smart people who were spending all their time and energy on those approaches right now were instead busy devising and pushing educational and empowerment-based solutions instead!

One day we’ll get there. Sadly, if the FTC report is any indication, that day is still a ways off.

The Mercatus Center at George Mason University has just released my latest working paper, “The Internet of Things and Wearable Technology: Addressing Privacy and Security Concerns without Derailing Innovation.” The “Internet of Things” (IoT) generally refers to “smart” devices that are connected to both the Internet and other devices. Wearable technologies are IoT devices that are worn somewhere on the body and which gather data about us for various purposes. These technologies promise to usher in the next wave of Internet-enabled services and data-driven innovation. Basically, the Internet will be “baked in” to almost everything that consumers own and come into contact with.

Some critics are worried about the privacy and security implications of the Internet of Things and wearable technology, however, and are proposing regulation to address these concerns. In my new 93-page article, I explain why preemptive, top-down regulation would derail the many life-enriching innovations that could come from these new IoT technologies. Building on a recent book of mine, I argue that “permissionless innovation,” which allows new technology to flourish and develop in a relatively unabated fashion, is the superior approach to the Internet of Things.

As I note in the paper and my earlier book, if we spend all our time living in fear of the worst-case scenarios — and basing public policies on them — then best-case scenarios can never come about. As the old saying goes: nothing ventured, nothing gained. Precautionary principle-based regulation paralyzes progress and must be avoided.  We instead need to find constructive, “bottom-up” solutions to the privacy and security risks accompanying these new IoT technologies instead of top-down controls that would limit the development of life-enriching IoT innovations.

The better alternative is to deal with concerns creatively as they develop, using a balanced, layered approach  involving many different solutions, including: educational efforts, technological empowerment tools, social norms, public and watchdog pressure, industry best practices and self-regulation, transparency, torts and products liability law, and targeted enforcement of existing legal standards as needed.

Generally speaking, patience, humility, and forbearance by policymakers is crucial to allowing greater innovation and consumer choice in this arena. Importantly, policymakers should not forget that societal and individual adaptation will play a role here, just as it has during so many other turbulent technological transformations.

This article can be downloaded on my Mercatus Center page, on SSRN, or at Research Gate. I am hoping to find a law or policy journal interested in publishing this paper soon. If you with a journal and are interested, please contact me. [UPDATE 12/3/14: This paper has been accepted for publication in the Richmond Journal of Law & Technology, Vol. 21, Issue 6 (2015).]

Finally, if you are interested in this topic, you might want to flip through these slides I prepared for a presentation on this topic that I made at the Federal Communications Commission in September:

On Thursday, it was my great pleasure to present a draft of my forthcoming paper, “The Internet of Things & Wearable Technology: Addressing Privacy & Security Concerns without Derailing Innovation,” at a conference that took place at the Federal Communications Commission on “Regulating the Evolving Broadband Ecosystem.” The 3-day event was co-sponsored by the American Enterprise Institute and the University of Nebraska College of Law.

The 65-page working paper I presented is still going through final peer review and copyediting, but I posted a very rough first draft on SSRN for conference participants. I expect the paper to be released as a Mercatus Center working paper in October and then I hope to find a home for it in a law review. I will post the final version once it is released. [UPDATE:The final version of this working paper was released on November 19, 2014.]

In the meantime, however, I thought I would post the 46 slides I presented at the conference, which offer an overview of the nature of the Internet of Things and wearable technology, the potential economic opportunities that exist in this space, and the various privacy and security challenges that could hold this technological revolution back. I also outlined some constructive solutions to those concerns. I plan to be very active on these issues in coming months.

Additional Reading

• “The Growing Conflict of Visions over the Internet of Things & Privacy,” January 14, 2012
• “Can We Adapt to the Internet of Things?” IAPP Privacy Perspectives, June 19, 2013
• My Filing to the FTC in its ‘Internet of Things’ Proceeding, May 31, 2013
• Permissionless Innovation: The Continuing Case for Comprehensive Technological Freedom (2014)
• [Video] Cap Hill Briefing on Emerging Tech Policy Issues (June 2014)

My latest law review article is entitled, “Privacy Law’s Precautionary Principle Problem,” and it appears in Vol. 66, No. 2 of the Maine Law Review. You can download the article on my Mercatus Center page, on the Maine Law Review website, or via SSRN. Here’s the abstract for the article:

Privacy law today faces two interrelated problems. The first is an information control problem. Like so many other fields of modern cyberlaw—intellectual property, online safety, cybersecurity, etc.—privacy law is being challenged by intractable Information Age realities. Specifically, it is easier than ever before for information to circulate freely and harder than ever to bottle it up once it is released.

This has not slowed efforts to fashion new rules aimed at bottling up those information flows. If anything, the pace of privacy-related regulatory proposals has been steadily increasing in recent years even as these information control challenges multiply.

This has led to privacy law’s second major problem: the precautionary principle problem. The precautionary principle generally holds that new innovations should be curbed or even forbidden until they are proven safe. Fashioning privacy rules based on precautionary principle reasoning necessitates prophylactic regulation that makes new forms of digital innovation guilty until proven innocent.

This puts privacy law on a collision course with the general freedom to innovate that has thus far powered the Internet revolution, and privacy law threatens to limit innovations consumers have come to expect or even raise prices for services consumers currently receive free of charge. As a result, even if new regulations are pursued or imposed, there will likely be formidable push-back not just from affected industries but also from their consumers.

In light of both these information control and precautionary principle problems, new approaches to privacy protection are necessary. We need to invert the process of how we go about protecting privacy by focusing more on practical “bottom-up” solutions—education, empowerment, public and media pressure, social norms and etiquette, industry self-regulation and best practices, and an enhanced role for privacy professionals within organizations—instead of “top-down” legalistic solutions and regulatory techno-fixes. Resources expended on top-down regulatory pursuits should instead be put into bottom-up efforts to help citizens better prepare for an uncertain future.

In this regard, policymakers can draw important lessons from the debate over how best to protect children from objectionable online content. In a sense, there is nothing new under the sun; the current debate over privacy protection has many parallels with earlier debates about how best to protect online child safety. Most notably, just as top-down regulatory constraints came to be viewed as constitutionally-suspect and economically inefficient, and also highly unlikely to even be workable in the long-run for protecting online child safety, the same will likely be true for most privacy related regulatory enactments.

This article sketches out some general lessons from those online safety debates and discusses their implications for privacy policy going forward.

Read the full article here [PDF].

Related Material:

• Book: Permissionless Innovation: The Continuing Case for Comprehensive Technological Freedom
• Law review article: “The Pursuit of Privacy in a World Where Information Control Is Failing,” Harvard Journal of Law & Public Policy, 36 (2013): 409–55.
• Law review article: “A Framework for Benefit-Cost Analysis in Digital Privacy Debates,” George Mason University Law Review, 20, no. 4 (Summer 2013): 1055–105.
• Law review article: “Technopanics, Threat Inflation, and the Danger of an Information Technology Precautionary Principle,” Minnesota Journal of Law, Science & Technology, 14 (2013): 309–86.

Adam Thierer – Privacy Law’s Precautionary Problem (Maine Law Review, 2014) by Adam Thierer

Patrick Byrne, CEO of Overstock.com, discusses how Overstock.com became one of the first online retail stores to accept Bitcoin. Byrne provides insight into how Bitcoin lowers transaction costs, making it beneficial to both retailers and consumers, and how governments are attempting to limit access to Bitcoin. Byrne also discusses his project DeepCapture.com, which raises awareness for market manipulation and naked short selling, as well as his philanthropic work and support for education reform.

Download

Related Links

• For Overstock CEO, Bitcoin Isn’t Just A Publicity Stunt, Forbes
• Meet Patrick Byrne: Bitcoin Messiah, CEO of Overstock, Scourge of Wall Street, Wired
• UBS, in Theory, a Conspiracy to Naked Short “Tens of Millions” of Shares, Deepcapture

Last week, it was my great pleasure to be invited on NPR’s “On Point with Tom Ashbrook,” to debate Jeffrey Rosen, a leading privacy scholar and the president and chief executive of the National Constitution Center. In an editorial in the previous Sunday’s New York Times (“Madison’s Privacy Blind Spot”), Rosen proposed “constitutional amendment to prohibit unreasonable searches and seizures of our persons and electronic effects, whether by the government or by private corporations like Google and AT&T.” He said his proposed amendment would limit “outrageous and unreasonable” collection practices and would even disallow consumers from sharing their personal information with private actors even if they saw an advantage in doing so.

I responded to Rosen’s proposal in an essay posted on the IAPP  Privacy Perspectives blog, “Do We Need A Constitutional Amendment Restricting Private-Sector Data Collection?” In my essay, I argued that there are several legal, economic, and practical problems with Rosen’s proposal. You can head over to the IAPP blog to read my entire response but the gist of it is that “a constitutional amendment [governing private data collection] would be too sweeping in effect and that better alternatives exist to deal with the privacy concerns he identifies.” There are very good reasons we treat public and private actors differently under the law and there “are all far more practical and less-restrictive steps that can be taken without resorting to the sort of constitutional sledgehammer that Jeff Rosen favors. We can protect privacy without rewriting the Constitution or upending the information economy,” I concluded.

But I wanted to elaborate on one particular thing I found particularly interesting about Rosen’s comments when we were on NPR together. During the show, Rosen kept stressing how we needed to adopt a more European construction of privacy as “dignity rights” and he even said his proposed privacy amendment would even disallow individuals from surrendering their private data or their privacy because he viewed these rights as “unalienable.” In other words, from Rosen’s perspective, privacy pretty much trumps  everything, even if you want to trade it off against other values. 

Privacy Paternalism?

I’ve been seeing more and more privacy advocates and scholars adopt this attitude, including Anita Allen, Julie Cohen, Siva Vaidhyanathan, and others. Allen, for example, says that privacy is such a “foundational” human right that it some cases the law should override individual choice when consumers act against their own privacy interests. Cohen and Vaidhyanathan make similar arguments in their recent books. Vaidhyanathan claims that consumers are being tricked by the “smokescreen” of “free” online services and “freedom of choice.” Although he admits that no one is forced to use online services and that consumers are also able to opt-out of most of services or data collection practices, he argues that “such choices mean very little” because “the design of the system rigs it in favor of the interests of the company and against the interests of users.” “Celebrating freedom and user autonomy is one of the great rhetorical ploys of the global information economy,” he says.“We are conditioned to believe that having more choices–empty though they may be–is the very essence of human freedom. But meaningful freedom implies real control over the conditions of one’s life.” These are the sort of arguments I increasingly hear made by privacy scholars when claiming that consumers simply can’t be left free to make choices for themselves in this regard.  In an interesting recent article in the Harvard Law Review , privacy scholar  Daniel Solove notes that what binds these thinkers and their work together is, in essence, a sort of privacy paternalism. The point of most modern privacy advocacy has been to better empower consumers to make privacy decisions for themselves. But, Solove notes, “t he implication [of these privacy scholar’s work] is that the law must override individual consent in certain instances.” Yet, if that choice is taken away from us by law, Solove notes, then privacy regulation, “risks becoming too paternalistic. Regulation that sidesteps consent denies people the freedom to make choices,” Solove argues.

Jeff Rosen now appears to be adopting the sort of approach Solove identifies by claiming that privacy is an “unalienable right” such that it cannot be traded away for other things. By making that choice for us, Rosen’s proposed amendment would, therefore, suffer from that same sort of privacy paternalism Solove identifies. In a forthcoming law review aritcle that will appear in the  Maine Law Review, I identify some of the problems associated with privacy paternalism. Most obviously, these scholars should keep in mind that not everyone shares the same privacy values as they do and that many of us will voluntarily trade some of our data for the innovative information services and devices that we desire. If imposed in the form of legal sanctions, privacy paternalism would open the door to almost boundless controls on the activities of both producers and consumers of digital services, potentially limiting future innovations in this space.

For example, when we were on  NPR together, Rosen mentioned wireless geolocation technology as a potential source of serious privacy harm, although he did not make it clear whether he wanted it stopped entirely or what. If used improperly, wireless geolocation technology certainly can raise serious privacy concerns. But wireless geolocation technology is also what powers the mapping and traffic services that most of us now take for granted. Many of us expect — no, we demand — that our digital devices be able to give us real-time mapping and traffic notification capabilities. And most of us are willing to make the minor privacy trade-off associated with sharing our location constantly in exchange for the right to receive these services, which are also provided to us free of charge.

So, what would Rosen’s proposed amendment have to say about this trade-off? Would these wireless geolocation technologies be banned altogether, even if consumers desire them? It isn’t really clear at this point because he hasn’t offered us many details about his proposal. But, to the extent it would preempt these technological capabilities on the grounds that our locational privacy is somehow in unalienable right, then that seems like a fairly paternalistic approach to policy and it it would seem to confirm Thomas Lenard and Paul Rubin’s claim that “many of the privacy advocates and writers on the subject do not trust the consumers for whom they purport to advocate.”

Such paternalism is particularly problematic in this case since privacy is such a highly subjective value and one that evolves over time. As Solove notes, “the correct choices regarding privacy and data use are not always clear. For example, although extensive self-exposure can have disastrous consequences, many people use social media successfully and productively.” Privacy norms and ethics are changing faster than ever today. One day’s “creepy” tool or service is often the next day’s “killer app.”

Balancing Values; Considering Costs

As I will discuss in my forthcoming  Maine Law Review article and I also discussed in my recent George Mason University Law Review  article, at least here in the United States, consumer protection standards have traditionally depended on a clear showing of actual, not prospective or hypothetical, harm. In some cases, when the potential harm associated with a particular practice or technology is extreme in character and poses a direct threat to physical well-being, law has preempted the general presumption that ongoing experimentation and innovation should be allowed by default. But these are extremely rare scenarios, at least as it pertains to privacy concerns under American law, and they mostly involved health and safety measures aimed at preemptively avoiding catastrophic harm to individual or environmental well-being. In the vast majority of other cases, our culture has not accepted that paternalistic idea that law must “save us from ourselves” (i.e., our own irrationality or mistakes). As Solove notes in his recent essay, “People make decisions all the time that are not in their best interests. People relinquish rights and take bad risks, and the law often does not stop them.” Sometimes privacy advocates also ignore the costs of preemptive policy action and don’t bother conducting a serious review of the potential costs of their regulatory proposals. As a result, preemptive policy action is almost always the preferred remedy to any alleged harm. “By limiting or conditioning the collection of information, regulators can limit market manipulation at the activity level,” Ryan Calo argues in a recent paper. “We could imagine the government fashioning a rule — perhaps inadvisable for other reasons―that limits the collection of information about consumers in order to reduce asymmetries of information.” [*Clarification: In a comment down below and a subsequent Twitter exchange, Ryan clarifies that he ultimately does not come down in favor of such a rule, preferring instead to find various other incentives to solve these problems. I thank him for this clarification — and definitely welcome it! — although I found his position somewhat murky after debating him personally on these issues recently. Nonetheless, I apologize if I mischaracterized his position in any way here.]

Unfortunately, Professor Calo does not fully consider the corresponding cost of such regulatory proposals in calling for the enactment of such a rule. If preemptive regulation slowed or ended certain information practices, it could stifle the provision of new and better services that consumers demand, as I have noted elsewhere. It might also trump other choices or values that consumers care about. While privacy is obviously an incredibly important value, we cannot assume that it is the only value, or the most important value, at stake here. Consumers also care about having access to a constantly growing array of innovative goods and services, and they also care about getting those goods and services at a reasonable price.

Moving from “Rights Talk” to Practical Privacy Solutions

This is the point in the essay where some readers are getting pretty frustrated with me and thinking I am some sort of nihilist who doesn’t give a damn about privacy. I assure you that nothing is further from the truth and that I care very deeply about privacy.

But if you really care about expanding the horizons of privacy protection in our modern world, at some point you have to accept that all the “rights talk” and top-down enforcement efforts in the world are not necessarily going to help as much as you wish they would. The same thing is true for online safety, digital security, and IP protection efforts: No matter how much you might wish the opposite was true, information control is just really, really hard. Legal and regulatory approaches to bottling up information flows will inevitably be several steps behind cutting-edge technological developments. (I’ve discussed these issues in several essays here, including: “Privacy as an Information Control Regime: The Challenges Ahead,” “Copyright, Privacy, Property Rights & Information Control: Common Themes, Common Challenges,” and “When It Comes to Information Control, Everybody Has a Pet Issue & Everyone Will Be Disappointed.”)

That doesn’t mean we should surrender in our efforts to identify more concrete privacy harms, but we should recognize that it will always be a hugely contentious matter and that a great many people will gladly trade away their privacy in a way that others will consider outrageous. In a free society, we must allow them to do so if they derive greater utility from other things. A paternalistic approach based on a sort of privacy fundamentalism will deny them the right to make that choice for themselves. And, practically speaking, no matter how much some might think that privacy values are “unalienable,” the reality is that there will be no way to stop many others from making different choices and relinquishing their privacy all the time.

Educating and empowering citizens is the better way to address this issue. We can try to teach them to make better privacy choices and treat their information, and information about others, with far greater care. We should also work to provide citizens more tools to help accomplish those goals. And if the problem is “information asymmetry” or some general lack of awareness about certain data collection and use practices, then let’s work even harder to make sure consumers are aware of those practices and what they can do about them.

It’s all part of the media literacy and digital citizenship agenda that we need to be investing much more of time and resources into. I outlined that approach in much more detail in this law review article. We need diverse tools and strategies for a diverse citizenry. We need to be talking to both consumers and developers about smarter data hygiene and sensible digital ethics. We need more transparency. We need more privacy privacy professionals working inside organizations to craft sensible data collection and use policies. And so on. Only by working to change attitudes about privacy, online “Netiquette,” and more ethical data use, can we really start to make a dent in this problem.

If nothing else, we must understand the limitations of information control in such highly context-specific harm scenarios. Prof. Rosen might want to ask himself how long it would take to even get his proposed constitutional amendment in place and what the chances are such a movement would even been successful. But, again, and far more importantly, Prof. Rosen and advocates of similar regulatory approaches should remember that their values are not shared by everyone and that, in a free society, a value as inherently subjective as privacy is likely to remain a hugely contentious, every-changing matter, especially when elevated to the level of constitutional rights talk. We need practical solutions to our privacy problems, not pie-in-the-sky Hail Mary schemes that are unlikely to go anywhere and, even if they did, would end up being too heavy-handed and potentially override individual autonomy in the process.

With each booth I pass and presentation I listen to at the 2014 International Consumer Electronics Show (CES), it becomes increasingly evident that the “Internet of Things” era has arrived. In just a few short years, the Internet of Things (IoT) has gone from industry buzzword to marketplace reality. Countless new IoT devices are on display throughout the halls of the Las Vegas Convention Center this week, including various wearable technologies, smart appliances, remote monitoring services, autonomous vehicles, and much more.

This isn’t vaporware; these are devices or services that are already on the market or will launch shortly. Some will fail, of course, just as many other earlier technologies on display at past CES shows didn’t pan out. But many of these IoT technologies will succeed, driven by growing consumer demand for highly personalized, ubiquitous, and instantaneous services.

But will policymakers let the Internet of Things revolution continue or will they stop it dead in its tracks? Interestingly, not too many people out here in Vegas at the CES seem all that worried about the latter outcome. Indeed, what I find most striking about the conversation out here at CES this week versus the one about IoT that has been taking place in Washington over the past year is that there is a large and growing disconnect between consumers and policymakers about what the Internet of Things means for the future.

When every device has a sensor, a chip, and some sort of networking capability, amazing opportunities become available to consumers. And that’s what has them so excited and ready to embrace these new technologies. But those same capabilities are exactly what raise the blood pressure of many policymakers and policy activists who fear the safety, security, or privacy-related problems that might creep up in a world filled with such technologies.

But at least so far, most consumers don’t seem to share the same worries. Instead, they are too busy shouting “More, More, More!” IoT technologies have generated enormous interest and every projection I’ve seen so far shows that explosive growth can be expected across all classes of devices. ABI Research estimates that there are more than ten billion wirelessly connected devices in the market today and more than thirty billion devices expected by 2020. Last year Cisco projected that by 2020 thirty-seven billion intelligent things will be connected and communicating but has now apparently revised that estimate upward to 40 or 50 billion. Thus, we are well on the way to a world where “everyone and everything will be connected to the network.”

Yet, it remains unclear what the IoT public policy landscape will look like in coming years and what disposition lawmakers and regulators will adopt toward these new amazing new technologies. Two distinct policy disposition are clashing over what approach should govern the future of innovation in this space.

I discussed this tension during a CES panel this morning on “The Internet of Things and the Home of the Future.” It featured outstanding opening remarks by FTC Commissioner Maureen K. Ohlhausen, who made the case for regulatory humility and focusing on how these new technologies can empower individuals in important new ways. “The Internet has evolved in one generation from a network of electronically interlinked research facilities in the United States to one of the most dynamic forces in the global economy, in the process reshaping entire industries and even changing the way we interact on a personal level,” she noted. “And the Internet of Things offers the promise of even greater progress ahead for consumers and competition.” I strongly encourage you to read Commissioner Ohlhausen’s entire speech. It is terrific and sets exactly the right tone for these discussions.

After Commissioner Ohlhausen spoke, we had a panel discussion that was expertly moderated by tech policy guru Larry Downes and which included remarks from Robert M. McDowell (Hudson Institute), Jeff  Hagins, (Smart Things), Robert Pepper (Cisco), Marc Rogers (Lookout), and me.

When I spoke, I described the future of the Internet of Things as a grand battle of two alternative worldviews: the “precautionary principle” and “permissionless innovation.” The “precautionary principle” refers to the belief that new innovations should be curtailed or disallowed until their developers can prove that they will not cause any harms to individuals, groups, specific entities, cultural norms, or various existing laws, norms, or traditions. The other worldview, “permissionless innovation,” refers to the notion that experimentation with new technologies and business models should generally be permitted by default. Unless a compelling case can be made that a new invention will bring serious harm to society, innovation should be allowed to continue unabated and problems, if they develop at all, can be addressed later.

I’ll soon be releasing a new eBook about this conflict of visions. The book will be called, “Permissionless Innovation: The Continuing Case for Comprehensive Technological Freedom” and it should be out in the next few weeks. In it, I will explain how precautionary principle thinking is increasingly creeping into modern information technology policy discussions, explain how that is dangerous and must be rejected, and argue that policymakers should instead unapologetically embrace and defend the permissionless innovation vision — not just for the Internet but also for all new classes of networked technologies and platforms.

This intellectual tension is already evident in debates over the Internet of Things. While we are still very early in this debate, we can expect rising calls for preemptive regulatory controls on IoT technologies based on various safety, security, and especially privacy rationales.  If the precautionary principle mentality wins out and trumps the permissionless innovation ethos that has already powered the first wave of the digital revolution, it will have profound ramifications.

As I’ll note in my forthcoming eBook, preserving and extending the permissionless innovation ethos to the Internet of Things is not about “protecting corporate profits” or assisting any particular technology, industry sector, or set of innovators. Rather, preserving an environment in which permissionless innovation can flourish is about ensuring that individuals as both citizens and consumers continue to enjoy the myriad benefits that accompany an open, innovative information ecosystem. More profoundly, this general freedom to innovate is essential for powering the next great wave of industrial innovation and rejuvenating our dynamic, high-growth economy. Even more profoundly, this is about preserving social and economic freedom more generally while rejecting the central-planning mentality and methods that throughout history have stifled human progress and prosperity.

Safety, security, and privacy problems will continue to persist, of course, and we should work to find practical, “bottom-up” solutions to them. As I detail in my eBook, education and empowerment, social pressure, societal norms, voluntary self-regulation, transparency efforts, and targeted enforcement of existing legal norms (especially through the common law) are almost always superior to “top-down,” command-and-control regulatory edits and bureaucratic schemes of a “Mother, May I” (i.e., permissioned) nature. Preemptive technological controls of that sort would limit new innovation in this space and sacrifice the many benefits that will flow to consumers from continued experimentation.

Those who advocate precautionary regulatory approaches to the Internet of Things should think through to consequences of preemptively prohibiting technological innovation and realize that not everyone shares their same values, especially pertaining to privacy, which is a highly subjective concept that is often difficult to legislate around. We should instead find ways work with together to seek out those practical, bottom-up solutions that will help individuals, institutions, and society learn how to better cope with technological change over time. Using this approach, we can embrace our dynamic future together without doing permanent damage to our innovative minds and economy.

I’m pleased to announce the release of my latest law review article, “A Framework for Benefit-Cost Analysis in Digital Privacy Debates.” It appears in the new edition of the George Mason University Law Review. (Vol. 20, No. 4, Summer 2013)

This is the second of two complimentary law review articles I am releasing this year dealing with privacy policy. The first, “The Pursuit of Privacy in a World Where Information Control is Failing,” was published in Vol. 36 of the Harvard Journal of Law & Public Policy this Spring. (FYI: Both articles focus on privacy claims made against private actors — namely, efforts to limit private data collection — and not on privacy rights against governments.)

My new article on benefit-cost analysis in privacy debates makes a seemingly contradictory argument: benefit-cost analysis (“BCA”) is extremely challenging in online child safety and digital privacy debates, yet it remains essential that analysts and policymakers attempt to conduct such reviews. While we will never be able to perfectly determine either the benefits or costs of online safety or privacy controls, the very act of conducting a regulatory impact analysis (“RIA”) will help us to better understand the trade-offs associated with various regulatory proposals.

However, precisely because those benefits and costs remain so remarkably subjective and contentious, I argue that we should look to employ less-restrictive solutions — education and awareness efforts, empowerment tools, alternative enforcement mechanisms, etc. — before resorting to potentially costly and cumbersome legal and regulatory regimes that could disrupt the digital economy and the efficient provision of services that consumers desire. This model has worked fairly effectively in the online safety context and can be applied to digital privacy concerns as well.

The article is organized as follows. Part I examines the use of BCA by federal agencies to assess the utility of government regulations. Part II considers how BCA can be applied to online privacy regulation and the challenges federal officials face when determining the potential benefits of regulation. Part III then elaborates on the cost considerations and other trade-offs that regulators face when evaluating the impact of privacy-related regulations. Part IV discusses alternative measures that can be taken by government regulators when attempting to address online safety and privacy concerns. This article concludes that policymakers must consider BCA when proposing new rules but also recognize the utility of alternative remedies such as education and awareness campaigns, to address consumer concerns about online safety and privacy.

I’ve embedded the full article down below in a Scribd reader, but you can also download it from my SSRN page and my Mercatus author page.

A Framework for Benefit-Cost Analysis in Digital Privacy Debates by Adam Thierer

Last month, it was my great pleasure to serve as a “provocateur” at the IAPP’s (Int’l Assoc. of Privacy Professionals) annual “Navigate” conference. The event brought together a diverse audience and set of speakers from across the globe to discuss how to deal with the various privacy concerns associated with current and emerging technologies.

My remarks focused on a theme I have developed here for years: There are no simple, silver-bullet solutions to complex problems such as online safety, security, and privacy. Instead, only a “layered” approach incorporating many different solutions–education, media literacy, digital citizenship, evolving society norms, self-regulation, and targeted enforcement of existing legal standards–can really help us solve these problems. Even then, new challenges will present themselves as technology continues to evolve and evade traditional controls, solutions, or norms. It’s a never-ending game, and that’s why education  must be our first-order solution. It better prepares us for an uncertain future. (I explained this approach in far more detail in this law review article.)

Anyway, if you’re interested in an 11-minute video of me saying all that, here ya go. Also, down below I have listed several of the recent essays, papers, and law review articles I have done on this issue.

Some of My Recent Essays on Privacy & Data Collection

Testimony / Filings:

• Senate Testimony on Privacy, Data Collection & Do Not Track – April 24, 2013
• Comments of the Mercatus Center to the FTC in Privacy & Security Implications of the Internet of Things
• Mercatus filing to FAA on commercial domestic drones

Law Review Articles:

• “The Pursuit of Privacy in a World Where Information Control is Failing” – Harvard Journal of Law & Public Policy
• “Technopanics, Threat Inflation, and the Danger of an Information Technology Precautionary Principle” – Minnesota Journal of Law, Science & Technology
• “A Framework for Benefit-Cost Analysis in Digital Privacy Debates” – George Mason University Law Review

Blog posts:

• A Better, Simpler Narrative for U.S. Privacy Policy – March 19, 2013
• On the Pursuit of Happiness… and Privacy – March 31, 2013
• Let’s Not Place All Our Eggs in the Do Not Track Basket (IAPP Privacy perspectives blog)
•  Can We Adapt to the Internet of Things? – June 19, 2013 (IAPP Privacy perspectives blog)
• Isn’t “Do Not Track” Just a “Broadcast Flag” Mandate for Privacy? – Feb. 20, 2011
• Two Paradoxes of Privacy Regulation – Aug. 25, 2010
• Privacy as an Information Control Regime: The Challenges Ahead – Nov. 13, 2010
• When It Comes to Information Control, Everybody Has a Pet Issue & Everyone Will Be Disappointed – Apr. 29, 2011
• Lessons from the Gmail Privacy Scare of 2004 – March 25, 2011
• Who Really Believes in “Permissionless Innovation”? – March 4, 2013
• The Problem of Proportionality in Debates about Online Privacy and Child Safety – Nov. 28, 2009
• Obama Admin’s “Let’s-Be-Europe” Approach to Privacy Will Undermine U.S. Competitiveness– Jan. 5, 2011

This afternoon, Berin Szoka asked me to participate in a TechFreedom conference on “COPPA: Past, Present & Future of Children’s Privacy & Media.” [CSPAN video is here.] It was a in-depth, 3-hour, 2-panel discussion of the Federal Trade Commission’s recent revisions to the rules issued under the 1998 Children’s Online Privacy Protection Act (COPPA).

While most of the other panelists were focused on the devilish details about how COPPA works in practice (or at least should work in practice), I decided to ask a more provocative question to really shake up the discussion: What are we going to do when COPPA fails?

My notes for the event follow down below. I didn’t have time to put them into a smooth narrative, so please pardon the bullet points.

COPPA will fail in the long-run for two reasons:

(1)    With COPPA, the FTC is engaged in a technological arms race that it cannot win.

• COPPA was formulated for a Web 1.0 world of static websites with limited interactivity. In that environment is worked reasonably well, although it certainly imposed costs on site developers and affected market structure.
• As we moved into a Web 2.0 world of interactive social media in the mid to late-2000s, however, the rule has been strained by marketplace new realities. COPPA’s drafters never really envisioned sites like Facebook, Twitter, etc.
• In our current environment—let’s call it the Web 2.5 world—we have added mobile geolocation and social discovery to the mix and that is straining COPPA to the breaking point.
• But we are about to enter the Web 3.0 world of the “Internet of Things;” a sensor-based world in which the communication technology will literally be woven into the clothes we wear and all the devices we use.
  • Cisco has estimated that by 2020, 37 billion devices will be linked together and communicating.
  • It will be almost impossible for COPPA to keep up with the explosion of these technologies because everything in our lives and our children’s lives will be interconnected, communicating, and collecting data.
  • Information will be ubiquitously collected simply by nature of the technology itself.
  • The entire Web 3.0 world will be one of comprehensive passive information collection.
  • So, notions like “collection”, “directed at children” and “personal information” will be become impossible to enforce absence a flat-out ban on the technologies themselves

(2)    COPPA will also fail because of the simple reality that the more complicated and costly this regulatory regime becomes, the more likely it is that that both kids and parents will ignore it or seek to actively evade it.

• The actual monetary cost of any online service may obviously be one thing parents and kids seek to avoid.
• But the bigger cost is the mental hassle associated with delayed gratification.
  • When people demand certain services, they want them now. And they will get them even when law gets in the way. And sometimes they value the utility / functionality that those services provide more than they value privacy.
  • A 2011 Harvard-Berkeley study pointed out the evasion is already rampant and that many parents are facilitating that result by encouraging their kids to lie about their ages online.
    • This problem will only increase in the Internet of Things era as kids and parents come to expect all their devices to be communicating at all times and retaining data for them.

So, what are we going to do about? How do we prepare for the post-COPPA world that’s coming?

• We shouldn’t just throw up our hands in defeat.
• But we must accept the technological and practical challenges associated with regulation and seek out alternative approaches.
• Best solution, therefore, is: Education, media literacy, and digital citizenship
  • We need to do a much better job educating both kids and adults about sensible online interactions.
  • We need to talk to our kids and each other about being more savvy, sensible, respectful, and resilient media consumers and digital citizens.
  • In encouraging our kids and fellow Netizens to be good “digital citizens,” we must stress smarter online hygiene (sensible personal data use) and better “Netiquette” (proper behavior toward others), which can further both online safety and digital privacy goals.
  • More generally, as part of these digital literacy and citizenship efforts, we must do more  to explain the potential perils of over-sharing information about ourselves and others while simultaneously encouraging consumers to delete unnecessary online information occasionally and cover their digital footprints in other ways.
  • These education and literacy efforts are also important because they help us adapt to new technological changes by employing a variety of coping mechanisms or new social norms. These efforts and lessons should start at a young age and continue on well into adulthood through other means, such as awareness campaigns and public service announcements.

Additional Reading:

• The Unintended Consequences of Well-Intentioned Privacy Regulation
• Thoughts on Latest FTC COPPA Rule Revisions & Online Child Safety / Privacy
• Joint CDT-PFF-EFF Comments on FTC’s COPPA Review & the Dangers of COPPA Expansion
• What We Didn’t Hear at Yesterday’s FTC COPPA Workshop
• COPPA 2.0: The New Battle over Privacy, Age Verification, Online Safety & Free Speech, by Berin Szoka & Adam Thierer

Today over at the International Association of Privacy Professionals (IAPP) Daily Dashboard blog, I have a guest post entitled, “Let’s Not Place All Our Eggs in the Do Not Track Basket.” The essay builds on my Senate Commerce Committee testimony last week by arguing that:

If there’s one lesson I’ve learned in twenty-one years of covering information technology policy, it’s that there are no simple silver-bullet solutions to complex issues like online safety, hate speech, spam, cybersecurity, data breaches or digital privacy. Problems such as these demand a layered, multifaceted approach that incorporates many solutions, the first among these being education and awareness-based efforts.

I continue on to explain why that means we should be cautious about placing too much faith in privacy techno-fixes like Do Not Track, which won’t likely be any more successful than past silver bullet efforts. (Note: Justin Brookman of CDT will be offering a counterpoint to my essay next week on the IAPP blog. I look forward to seeing what he has to say. He also testified alongside me in the Senate last week.)

By the way, for those of you not familiar with the IAPP, it is “the largest and most comprehensive global information privacy community and resource, helping practitioners develop and advance their careers and organizations manage and protect their data. More than just a professional association, the IAPP provides a home for privacy professionals around the world to gather, share experiences and enrich their knowledge.” In my opinion, the IAPP is doing amazing work and deserves the attention of anyone who cares about the future of privacy and privacy policy. I strongly recommend you check out their excellent site and explore all the important resources they provide and other things they do.

Anyway, if you are interested in the issues discussed in my IAPP guest post, you might also want to check out some of the related essays down below the fold:

Additional Reading:

• Senate testimony of Adam Thierer on Do Not Track standard – Apr. 24, 2013
• A Better, Simpler Narrative for U.S. Privacy Policy – March 19, 2013
• On the Pursuit of Happiness… and Privacy – March 31, 2013 (condensed from Harvard Journal of Law & Public Policy article, “The Pursuit of Privacy in a World Where Information Control is Failing”)
• Isn’t “Do Not Track” Just a “Broadcast Flag” Mandate for Privacy? – Feb. 20, 2011
• Two Paradoxes of Privacy Regulation – Aug. 25, 2010
• Privacy as an Information Control Regime: The Challenges Ahead – Nov. 13, 2010
• When It Comes to Information Control, Everybody Has a Pet Issue & Everyone Will Be Disappointed – Apr. 29, 2011

Alex Tabarrok, author of the ebook Launching The Innovation Renaissance: A New Path to Bring Smart Ideas to Market Fast discusses America’s declining growth rate in total factor productivity, what this means for the future of innovation, and what can be done to improve the situation.

Accroding to Tabarrok, patents, which were designed to promote the progress of science and the useful arts, have instead become weapons in a war for competitive advantage with innovation as collateral damage. College, once a foundation for innovation, has been oversold. And regulations, passed with the best of intentions, have spread like kudzu and now impede progress to everyone’s detriment. Tabarrok outs forth simple reforms in each of these areas and also explains the role immigration plays in innovation and national productivity.

Download

Related Links

• Launching The Innovation Renaissance: A New Path to Bring Smart Ideas to Market Fast, Tabarrok
• VIDEO: Innovations in Most Fields Are Not Patented, Tabarrok
• VIDEO: End Software Patents, Tabarrok
• Patent Policy on the Back of a Napkin, Tabarrok

Today I’ll be testifying at a Senate Commerce Committee hearing on online privacy and commercial data collection issues. In my remarks, I make three primary points:

1. First, no matter how well-intentioned, restrictions on data collection could negatively impact the competitiveness of America’s digital economy, as well as consumer choice.
2. Second, it is unwise to place too much faith in any single, silver-bullet solution to privacy, including “Do Not Track,” because such schemes are easily evaded or defeated and often fail to live up to their billing.
3. Finally, with those two points in mind, we should look to alternative and less costly approaches to protecting privacy that rely on education, empowerment, and targeted enforcement of existing laws. Serious and lasting long-term privacy protection requires a layered, multifaceted approach incorporating many solutions.

The testimony also contains 4 appendices elaborating on some of these themes.

Down below, I’ve embedded my testimony, a list of 10 recent essays I’ve penned on these topics, and a video in which I explain “How I Think about Privacy” (which was taped last summer at an event up at the University of Maine’s Center for Law and Innovation). Finally, the best summary of my work on these issues can be found in this recent Harvard Journal of Law & Public Policy article, “The Pursuit of Privacy in a World Where Information Control is Failing.” (This is the first of two complimentary law review articles I will be releasing this year dealing with privacy policy. The second, which will be published early this summer by the George Mason University Law Review, is entitled, “A Framework for Benefit-Cost Analysis in Digital Privacy Debates.”)

Testimony of Adam D. Thierer before the Senate Committee on Commerce, Science & Transportation hearing…

Some of My Recent Essays on Privacy & Data Collection

1. A Better, Simpler Narrative for U.S. Privacy Policy – March 19, 2013
2. On the Pursuit of Happiness… and Privacy – March 31, 2013 (condensed from Harvard Journal of Law & Public Policy article, “The Pursuit of Privacy in a World Where Information Control is Failing”)
3. Isn’t “Do Not Track” Just a “Broadcast Flag” Mandate for Privacy? – Feb. 20, 2011
4. Two Paradoxes of Privacy Regulation – Aug. 25, 2010
5. Privacy as an Information Control Regime: The Challenges Ahead – Nov. 13, 2010
6. When It Comes to Information Control, Everybody Has a Pet Issue & Everyone Will Be Disappointed – Apr. 29, 2011
7. Lessons from the Gmail Privacy Scare of 2004 – March 25, 2011
8. Who Really Believes in “Permissionless Innovation”? – March 4, 2013 (condensed from Minnesota Journal of Law, Science & Technology law review article, “Technopanics, Threat Inflation, and the Danger of an Information Technology Precautionary Principle”)
9. The Problem of Proportionality in Debates about Online Privacy and Child Safety – Nov. 28, 2009
10. Obama Admin’s “Let’s-Be-Europe” Approach to Privacy Will Undermine U.S. Competitiveness– Jan. 5, 2011

Last week on his personal blog, Peter Fleischer, Global Privacy Counsel for Google, posted an interesting essay entitled “We Need a Better, Simpler Narrative of US Privacy Laws.” Fleischer says that Europe has done a better job marketing its privacy regime to the world than the United States and argues that “The US has to figure out how to explain its privacy laws on the global stage” since “Europe is convincing many countries around the world to implement privacy laws that follow the European model.” He notes that “in the last year alone, a dozen countries in Latin America and Asia have adopted euro-style privacy laws [while] not a single country, anywhere, has followed the US model.” Fleischer argues that this has ramifications for long-term trade policy and global Internet regulation more generally.

I found this essay very interesting because I deal with some of these issues in my latest law review article, “The Pursuit of Privacy in a World Where Information Control is Failing” (Harvard Journal of Law & Public Policy, vol. 36, no. 2, Spring 2013). In the article, I suggest that the U.S. does have a unique privacy regime and it is one that is very similar in character to the regime that governs online child safety issues. Whether we are talking about online safety or digital privacy, the defining characteristics of the U.S. regime are that it is bottom-up, evolutionary, education-based, empowerment-focused, and resiliency-centered. It focuses on responding to safety and privacy harms after exhausting other alternatives, including market responses and the evolution of societal norms.

The EU regime, by contrast, is more top-down in character and takes a more static, inflexible view of privacy rights. It tries to impose a one-size-fits-all model on a diverse citizenry and it attempts to do so through heavy-handed data directives and ongoing “agency threats.” It is a regime that makes more sweeping pronouncements about rights and harms and generally recommends a “precautionary principle” approach to technological change in which digital innovation is more “permissioned.”

Put simply, the U.S. regime is reactive in character while the E.U. regime is more preemptive.  The U.S. system focuses on responding to safety and privacy problems using a more diverse toolbox of solutions, some of which are governmental in character while others are based on evolving social and market norms and responses. To be clear, law does enter the picture here in the U.S., but it does so in a very different way than it does in the E.U.  Fleischer actually explains that point quite nicely in his essay:

[W]hat is the US model?  People in the privacy profession know that the US has a dense “patchwork” model of privacy laws: every individual US State has numerous privacy laws, the Federal government has numerous sectoral laws, and numerous other “non-privacy” laws, like consumer protection laws, are regularly invoked in privacy matters.  Regulators in many corners of government, ranging from State attorneys general, to the Federal Trade Commission, and armies of class action lawyers inspect every privacy issue for possible actions.

Indeed, in my new law review article, I summarize the litany of cases the FTC has brought recently on the data security and privacy front using its authority under Section 5 of the Federal Trade Commission Act to police “unfair and deceptive” practices. State AGs are active on this front as well, and there is plenty of class action activity every time there’s a privacy or data security screw-up.

Meanwhile, public officials continue to work collaboratively with privacy advocates, corporations, and educators to develop better education and awareness-building efforts, including “best practices” on safety, security, and privacy issues.

For more details on this U.S. model, please consult pages 436-454 of my article, in which I provide a comprehensive overview of what I refer to as America’s “3-E Approach” to dealing with online safety and digital privacy concerns. The “3-Es” refer to education, empowerment, and targeted enforcement of existing legal standards. As I note in the article:

[America’s “3-E Approach”] does not imagine it is possible to craft a single, universal solution to online safety or privacy concerns. It aims instead to create a flexible framework that can help individuals cope with a world of rapidly evolving technological change and constantly shifting social and market norms as they pertain to information sharing.

But what frustrates Fleischer is that the U.S model still doesn’t translate into a simple narrative for international audiences:

How on earth do you explain US privacy laws to an international audience?  How do you explain the role of class action litigation to people in countries where it doesn’t even exist?  The US privacy law narrative is convoluted. That’s a pity, since almost all of the global privacy professionals with whom I’ve discussed this issue agree with me that the sum of all the individual parts of US privacy laws amounts to a robust legal framework to protect privacy.  (I didn’t say “perfect”, since laws never are, and I’m not grading them either.) By contrast, Europe’s privacy narrative is simple and appealing.  Its laws are very general, aspirational, horizontal and concise.  Critics could say they’re also inevitably vague, as any high-level law would have to be.  But, like the US Bill of Rights, they have a sort of simple and profound universality that has inspired people around the world.  And they are enforced (at least, on paper) by a single, identifiable, specialist regulator.

I understand the frustration Fleischer is expressing here regarding how to frame the U.S. model for broader audiences. But the crucial point here is that, as he correctly notes, “the sum of all the individual parts of US privacy laws amounts to a robust legal framework to protect privacy,” even if it is the case that we will never achieve anything near perfection when it comes to online privacy (or online safety for that matter). But it is unfortunate that Fleischer ignores the many other moving pieces at work here that are important to the U.S. system, especially the diverse array of educational and awareness-building efforts as well as the astonishing array of empowerment tools that currently exist to help user protect their privacy to the degree they desire.

Of course, it should also be obvious that the U.S. regime is never going to appeal to a global audience as much as Europe’s privacy regime for the same reason that many other U.S. policy regimes don’t appeal to certain countries or their leaders: Our systems aren’t regulatory enough in character for them! But while those top-down, centralized, preemptive regulatory regimes will almost always be more “aspirational, horizontal and concise” — and, therefore, have greater appeal to activist-minded lawmakers and regulators — that also means those regimes will likely leave less breathing room for social evolution (i.e., evolving norms about safety and privacy) and economic innovation (new digital goods and services that potentially disrupt those regulatory expectations). That has real consequences for long-term growth and overall consumer welfare.

Regardless, to the extent we need “a better, simpler narrative for U.S. privacy policy” as Fleischer suggests, I believe we can boil it down to a few words: bottom-up, evolutionary, flexible, and reactive. What this means for public policy is clear: We need diverse tools and solutions for a diverse citizenry, while leaving plenty of breathing room for ongoing innovation and the evolution of social norms and market responses. Whether it’s online safety or digital privacy, public policy should take into account the extraordinary diversity of citizen needs and tastes and leave the ultimate decision about acceptable online content and interactions to them. We should look to educate and empower citizens so that they can make decisions about their online safety and privacy for themselves so that policymakers are not constantly trying to make decisions on their behalf.

This is a model worth defending, even if it is sometimes hard to delineate its contours.  Please read my HJLPP article for a fuller exploration of that model and a defense of it.

I’m excited to announce the release of my latest law review article, “The Pursuit of Privacy in a World Where Information Control is Failing,” which appears in the next edition (vol. 36) of the Harvard Journal of Law & Public Policy. This is the first of two complimentary law review articles that I will be releasing this year dealing with privacy policy. The second, which will be published later this summer by the George Mason University Law Review, is entitled, “A Framework for Benefit-Cost Analysis in Digital Privacy Debates.” (FYI: Both articles focus on privacy claims made against private actors — namely, efforts to limit private data collection — and not on privacy rights against governments.)

The new Harvard Journal article is divided into three major sections. Part I focuses on some of normative challenges we face when discussing privacy and argues that there may never be a widely accepted, coherent legal standard for privacy rights or harms here in the United States. It also explores the tensions between expanded privacy regulation and online free speech. Part II turns to the many enforcement challenges that are often ignored when privacy policies are being proposed or formulated and argues that legislative and regulatory efforts aimed at protecting privacy must now be seen as an increasingly intractable information control problem. Most of the problems policymakers and average individuals face when it comes to controlling the flow of private information online are similar to the challenges they face when trying to control the free flow of digitalized bits in other information policy contexts, such as online safety, cybersecurity, and digital copyright.

If the effectiveness of law and regulation is limited by the normative considerations discussed in Part I and the practical enforcement complications discussed in Part II, what alternatives remain to assist privacy-sensitive individuals? I address that question in Part III of the paper and argue that the approach America has adopted to deal with concerns about objectionable online speech and child safety offers a path forward on the privacy front as well. A so-called “3-E” solution that combines consumer education, user empowerment, and selective enforcement of existing targeted laws and other legal standards (torts, anti-fraud laws, contract law, and so on), has helped society achieve a reasonable balance in terms of addressing online safety while also safeguarding other important values, especially freedom of expression.  That does not mean perfect online safety exists, not only because the term means very different things to different people, but because it would be impossible to achieve in the first instance as a result of information control complications. But the “3-E” approach has the advantage of enhancing online safety without sweeping regulations being imposed that could undermine the many benefits information networks and online services offer individuals and society.  This same framework can guide online privacy decisions—both at the individual household level and the public policy level.

I’ve embedded the full article down below in a Scribd reader, but you can also download it from my SSRN page and it should be available on the HJLPP website shortly. [Update 4/16: It is now live on the site.] In coming weeks, I hope to do some blogging that builds on the themes and arguments I develop in this article.

The Pursuit of Privacy in a World Where Information Control is Failing

I have always found it strange that the ACLU speaks with two voices when it comes to user empowerment as a response to government regulation of the Internet. That is, when responding to government efforts to regulate the Internet for online safety or speech purposes, the ACLU stresses personal responsibility and user empowerment as the first-order response. But as soon as the conversation switches to online advertising and data collection, the ACLU suggests that people are basically sheep who can’t possibly look out for themselves and, therefore, increased Internet regulation is essential. They’re not the only ones adopting this paradoxical position. In previous essays I’ve highlighted how both EFF and CDT do the same thing. But let me focus here on ACLU.

Writing today on the ACLU “Free Future” blog, ACLU senior policy analyst Jay Stanley cites a new paper that he says proves “the absurdity of the position that individuals who desire privacy must attempt to win a technological arms race with the multi-billion dollar internet-advertising industry.” The new study Stanley cites says that “advertisers are making it impossible to avoid online tracking” and that it isn’t paternalistic for government to intervene and regulate if the goal is to enhance user privacy choices. Stanley wholeheartedly agrees. In this and other posts, he and other ACLU analysts have endorsed greater government action to address this perceived threat on the grounds that, in essence, user empowerment cannot work when it comes to online privacy.

Again, this represents a very different position from the one that ACLU has staked out and brilliantly defended over the past 15 years when it comes to user empowerment as the proper and practical response to government regulation of objectionable online speech and pornography. For those not familiar, beginning in the mid-1990s, lawmakers started pursuing a number of new forms of Internet regulation — direct censorship and mandatory age verification were the primary methods of control — aimed at curbing objectionable online speech. In case after case, the ACLU rose up to rightly defend our online liberties against such government encroachment. (I was proud to have worked closely with many former ACLU officials in these battles.) Most notably, the ACLU pushed back against the Communications Decency Act of 1996 (CDA) and the Child Online Protection Act of 1998 (COPA) and they won landmark decisions for us in the process.

In those and other cases, the ACLU playbook wasn’t just solely focused on a pure First Amendment defense. In other words, they didn’t just say ‘Well, First Amendment values are at stake here, and so all you parents, prudes, and policymakers should just get over your obsession with eradicating online porn.” No, what really won the day for us in these cases was the user empowerment angle. The ACLU rightly noted (and proved in court) that many “less-restrictive means” — filters, monitoring tools, ratings, labels, user education, media literacy, etc. — were available to the public and that those tools and strategies provided compelling alternatives to government regulation. Thus, paternalistic government regulation should yield to those alternatives and the public (namely, parents) should be expected to take responsibility and use those less-restrictive means to protect themselves and their kids. That is the proper approach for a society that cherishes free speech, personal responsibility, and a citizenry with diverse tastes and values.

Not only did the ACLU get courts to agree with this, but the logic of user empowerment as a trump to speech controls became so compelling to justices that in some cases they actually went beyond what free speech advocates had asked or expected, even in non-Internet related decisions. For example, in United States v. Playboy Entertainment Group  (2000), the Court struck down a law that required cable companies to “fully scramble” video signals transmitted over their networks if those signals included any sexually explicit content. Echoing its earlier holding in Reno v. ACLU , the Court found that less restrictive means were available to parents looking to block those potentially objectionable signals in the home. Specifically, the Court argued that:

[T]argeted blocking [by parents] enables the government to support parental authority without affecting the First Amendment interests of speakers and willing listeners—listeners for whom, if the speech is unpopular or indecent, the privacy of their own homes may be the optimal place of receipt. Simply put, targeted blocking is less restrictive than banning, and the Government cannot ban speech if targeted blocking is a feasible and effective means of furthering its compelling interests.

More importantly, the Court held that:

It is no response that voluntary blocking requires a consumer to take action, or may be inconvenient, or may not go perfectly every time. A court should not assume a plausible, less restrictive alternative would be ineffective; and a court should not presume parents, given full information, will fail to act.

The Court endorsed that same logic for video games in the landmark 2011 decision in Brown v. EMA, which struck down a California that prohibited the sale or rental of “violent video games” to minors.

As I noted in my old book on Parental Controls & Online Child Protection , this is an extraordinarily high bar that the Supreme Court has set for policymakers wishing to regulate modern media content or online expression. Not only is it clear that the Court is increasingly unlikely to allow the extension of analog-era content regulations to new media outlets and technologies, but it appears likely that judges will apply much stricter constitutional scrutiny to all efforts to regulate speech and media providers in the future. And we really have to thank the ACLU for getting this user empowerment revolution started because, make no doubt about it, it was that hook that ushered in this amazing jurisprudential revolution — for the Internet, for video games, for new media, for everything.

Sadly, however, the ACLU is now abandoning the user empowerment approach, at least as it pertains to digital privacy regulation.

In Stanley’s latest piece as well as many other ACLU statements on privacy issues, we hear almost nothing about the importance of keeping the Net free of unnecessary regulation or that government regulation should yield to user empowerment. Instead, we are told that citizens cannot be expected to look out for themselves in this way, or that they can’t possibly hope to “win the arms race” against online advertisers. I think that is utter nonsense. The fact of the matter is that it is far, far harder to win “the arms race” against online porn and objectionable speech using user empowerment tools than it is to defeat online advertising or “tracking.”   There exists a very broad array of privacy-enhancing user empowerment tools and strategies today that can help privacy-sensitive individuals attain greater protection. Here’s a big filing I submitted to the Federal Trade Commission documenting just some of what is on the market today. (See Sec. VI). But here’s just a short list of things users can do or install to better enhance their online privacy:

• adjust your browser’s privacy settings to clear out and block the cookies most online ad networks use and utilize private browsing or “incognito” modes to surf the Web more privately;
• download tools to help you manage cookies, blocking web scripts, and so on.  Some of the more notable ones include: Ghostery, NoScript, Cookie Monster, Better Privacy, Track Me Not, and the Targeted Advertising Cookie Opt-Out or “TACO” (all for Firefox); No More Cookies (for Internet Explorer); Disconnect (for Chrome); AdSweep (for Chrome and Opera); CCleaner (for PCs); and Flush (for Mac).
• download AdBlockPlus and block almost all online advertising on most websites, and thus the data collection performed by online cookies. (It remains the most-downloaded add-on for both the Firefox and Chrome web browsers)
• use “ad preference managers” from major search companies. Google, Microsoft and Yahoo! all offer easy to use opt-out tools and educational webpages that clearly explain to consumers how digital advertising works. Meanwhile, DuckDuckGo offers as alternative search experience that blocks data collection altogether.

Again, this list just scratches the surface. New empowerment solutions like these are are constantly turning up. And many other tools and strategies exist that users can tap. See this excellent recent article by Kashmir Hill of Forbes, “10 Incredibly Simple Things You Should Be Doing To Protect Your Privacy.”

Now, let me be clear: These solutions aren’t perfect. There are no silver bullets or simple fixes when it comes protecting our privacy online. But the exact same thing has always been true for objectionable online content. I find that by using tools and strategies such as those listed above, however, you can eliminate most online advertising and data collection from your digital life. By contrast, as good as online safety tools are, a lot more gets through. That’s because what counts as “objectionable content” is notoriously subjective and, therefore, no tool or strategy can ever work perfectly. “Good enough” seems to be the standard we have to accept here. Again, the same can be said for privacy controls, but it is my contention that, relatively speaking, they actually do a better job if you are willing to live with some inconveniences (as can be the case if you are constantly clearing out your cookies and blocking all scripts, some of which may be important for site functionality). But those are trade-offs you need to accept if you want to ensure all ads are blocked or no data is collected. (Of course, once again, the exact same thing is has always been true for objectionable online content. It can be a huge inconvenience for parents and guardians to try to deal with online porn and objectionable content using all those user empowerment tools and strategies, no matter how good they are). Regardless, my argument here is that, contrary to what many advocates of privacy regulation claim, privacy empowerment tools and strategies can be remarkably effective at screening out almost all online advertising and greatly limiting any collection of personal data.

I can imagine that one response to what I have said here is that, regardless of how well the respective classes of user empowerment tools work, privacy “harms” are more serious and deserve greater government scrutiny and regulation than objectionable online speech/content. But that’s a subjective squabble we’ll never be able to definitively answer. Plenty of people would argue the opposite: that exposure to online porn and objectionable speech will do more harm to minors and society than any amount of online advertising or data collection ever would. Personally, I think both harms are grotesquely inflated “technopanics,” as I noted in this 80-page paper on the topic.

I can anticipate another response that goes like this: “Well, what’s wrong with the government doing a little paternalistic nudging if it’s focused on better empowering users?” First, let’s be clear that groups like ACLU, EFF, and CDT did not adopt that position for objectionable online speech/content. And with good reason. They understood that if we invite the government to come in and create and/or mandate the empowerment tools to be used to address the problem, it could serve as a Trojan Horse that policymakers could later use to expand their influence over speech and speech platforms. But why, then, would the same concern not apply to efforts by the government to mandate certain privacy tools or controls? Such a move would serve as the same sort of open-ended invite to the government to come in and meddle more with online networks.

I suspect what this all comes down to is the artificial distinction between speech rights and economic liberties that the ACLU and other groups have made through the years.  If the regulatory proposals are more about speech regulation, then the ACLU and others will say that personal responsibility and user empowerment represent the proper first-order response. But if we are talking about something perceived to be economic regulation (like advertising regulation), then the standard seems to change and all the talk of personal responsibility and user empowerment go right out the window. (Of course, this is just the classic distinction between “civil libertarians” and actual libertarians manifesting itself in a different way. While the two groups share a mutual distrust of government regulation of speech and social affairs, the civil libertarians distrust free markets and invite regulation of them there whereas the actual libertarians do not.)

But let’s ignore all these other issues and ask a different question: What about the precedent ACLU is setting here by saying user empowerment is hopeless when it comes to privacy? It goes without saying that more than a few social conservatives and regulatory-minded child safety organizations may be listening! Don’t be surprised if those folks throw the ACLU’s words back at them next time controls on speech and expression are being contemplated. They will argue that if people are sheep when it comes to protecting their privacy, then they must also be sheep when it comes to protecting themselves and their families from porn and other objectionable things online.

To me, the consistent and principled position here is this: Personal responsibility and user empowerment should be the first-order solution for all these issues. Governments should only intervene when clear harm can be demonstrated and user empowerment truly proves ineffective as a solution. Conjectural fears must not drive Internet regulation. While there are many legitimate online safety privacy concerns out there, we can find better, less-restrictive ways of dealing with them than by inviting greater government controls for cyberspace.

Andrew Orlowski of The Register (U.K.) recently posted a very interesting essay making the case for treating online copyright and privacy as essentially the same problem in need of the same solution: increased property rights. In his essay (“‘Don’t break the internet’: How an idiot’s slogan stole your privacy“), he argues that, “The absence of permissions on our personal data and the absence of permissions on digital copyright objects are two sides of the same coin. Economically and legally they’re an absence of property rights – and an insistence on preserving the internet as a childlike, utopian world, where nobody owns anything, or ever turns a request down. But as we’ve seen, you can build things like libraries with permissions too – and create new markets.” He argues that “no matter what law you pass, it won’t work unless there’s ownership attached to data, and you, as the individual, are the ultimate owner. From the basis of ownership, we can then agree what kind of rights are associated with the data – eg, the right to exclude people from it, the right to sell it or exchange it – and then build a permission-based world on top of that.”

And so, he concludes, we should set aside concerns about Internet regulation and information control and get down to the business of engineering solutions that would help us property-tize both intangible creations and intangible facts about ourselves to better shield our intellectual creations and our privacy in the information age. He builds on the thoughts of Mark Bide, a tech consultant:

For Bide, privacy and content markets are just a technical challenges that need to be addressed intelligently.”You can take two views,” he told me. “One is that every piece of information flowing around a network is a good thing, and we should know everything about everybody, and have no constraints on access to it all.” People who believe this, he added, tend to be inflexible – there is no half-way house. “The alternative view is that we can take the technology to make privacy and intellectual property work on the network. The function of copyright is to allow creators and people who invest in creation to define how it can be used. That’s the purpose of it. “So which way do we want to do it?” he asks. “Do we want to throw up our hands and do nothing? The workings of a civilised society need both privacy and creator’s rights.”  But this a new way of thinking about things: it will be met with cognitive dissonance. Copyright activists who fight property rights on the internet and have never seen a copyright law they like, generally do like their privacy. They want to preserve it, and will support laws that do. But to succeed, they’ll need to argue for stronger property rights. They have yet to realise that their opponents in the copyright wars have been arguing for those too, for years. Both sides of the copyright “fight” actually need the same thing. This is odd, I said to Bide. How can he account for this irony? “Ah,” says Bide. “Privacy and copyright are two things nobody cares about unless it’s their own privacy, and their own copyright.”

These are important insights that get at a fundamental truth that all too many people ignore today: At root, most information control efforts are related and solutions for one problem can often be used to address others. But there’s another insight that Orlowski ignores: Whether we are discussing copyright, privacy, online speech and child safety, or cybersecurity, all these efforts to control the free flow of digitized bits over decentralized global networks will be increasingly complex, costly, and riddled with myriad unintended consequences. Importantly, that is true whether you seek to control information flows through top-down administrative regulation or by assigning and enforcing property rights in intellectual creations or private information.

Let me elaborate a bit (and I apologize for the rambling mess of rant that follows).

Parallels in Debates over Copyright & Privacy Protection

In several essays here over the past few years I have attempted to draw parallels between the battles over protecting digital copyright and online privacy, as well as battle over online safety/speech and cybersecurity. Here are a few of those essays in case you’re interested in seeing the evolution of my thinking about this:

• When It Comes to Information Control, Everybody Has a Pet Issue & Everyone Will Be Disappointed
• And so the IP & Porn Wars Give Way to the Privacy & Cybersecurity Wars
• SOPA & Selective Memory about a Technologically Incompetent Congress
• Privacy as an Information Control Regime: The Challenges Ahead
• Isn’t “Do Not Track” Just a “Broadcast Flag” Mandate for Privacy?

In those essays I have argued that a combination of selective morality and wishful thinking are at work in the information policy world these days. In essence, people hate Internet regulation… until they love it! Here’s how I summarized that fact during the debate over SOPA:

… conservatives rush out and breathlessly denounce each and every effort to impose Net neutrality regulation because of the danger of empowering an already over-zealous bunch of bumbling bureaucrats at the FCC. (And I agree with them.) Yet, with their next breath many conservatives praise SOPA even though it also empowers government to muck with the inner workings of the Internet. Some of those conservatives are also turning a blind eye to the growing appetite of the defense/security community to meddle with the Net’s architecture in the name of avoiding any number of non-catastrophes. Meanwhile, the liberals decry SOPA and want it stopped at all costs. There’s never been a copyright protection measure they liked, of course, but each time one pops up we hear them claim that our analog era Congress is not well-positioned to be designing industrial policy schemes for the Internet. (And I generally agree with them.) But most liberals do a complete 180 whenever online privacy or Net neutrality regulations are the subject of congressional inquiry. Suddenly, the cyber-oafs in Congress are considered veritable technocratic philosopher kings who we should trust to guard our cyber-freedoms to lead us to the digital promised land.

Again, it’s both selective morality and wishful thinking. It’s selective morality in that some folks think certain values are sacrosanct and deserving of a “by-any-means-necessary” enforcement attitude, yet they are often just as likely to denounce similar information control efforts when it comes to issues or values they don’t give a damn about.  And it is wishful thinking in that you can’t run around insisting that “information wants to be free” in some contexts but then express outrage when something that you want to bottle up turns out to “just want to be free” as well!

But the important takeaway here is that, consistent with what Orlowski argues, I believe that online copyright and privacy are essentially the same problem: It’s an information control problem.

Potential Costs of Control

Once you start thinking about Internet policy debates as a single issue — namely, information control — you can begin to investigate the potential costs of control in a somewhat more objective fashion. Of course, challenging issues remain:

1. Which method of control should we choose? On one hand, there are many varieties of administrative regulation, technical infrastructure controls, and device mandates. On the other hand, there are property rights and liability / tort schemes. And there are many hybrid enforcement models, such as increasingly popular “co-regulation” models, government standard-setting, and “nudging” of system defaults. Each method will entail different costs and trade-offs.
2. What metric(s) should we use when attempting to determine whether the benefits of control exceed the costs? Ask any advocate of information control about whether the costs might exceed the benefits of regulation for their pet issue and they will typically suggest that either (a) there are no costs or that (b) the benefits dwarf any costs that may exist. But all too often the benefits they identify are extremely subjective and amorphous in character (“privacy,” “safety,” and “security” are hard to quantify, after all) while the costs are very real and increasingly substantial.

In my view, these practical questions are increasingly the most interesting issues to explore in the field of cyberlaw and digital economics. We can debate the normative or ethical considerations until we’re all blue in the face and ready to rip each other’s heads off, but I am less and less interested in such squabbles. Instead, I keep coming back to the question of how we’ll go about controlling info flows and how much effort and resources it makes sense to expend in pursuit of each of the values identified above. Some of the specific considerations I find myself asking in every paper I write these days include:

(A) Will the proposed form of information control tie us up in the courts forever, lead to increasingly onerous and unworkable liability norms, and end up yielding outrageous litigation costs?

(B) Will the proposed form of information control require a significant increase in regulatory bureaucracy? How many levels of government will need to be involved in the proposed enforcement scheme? How many new offices and officials will need to be empowered in the hope of achieving some measure of control?

(C) What are the alternatives to the proposed form of information control? Are there less costly or less restrictive means of addressing the concern in question? For example, education and empowerment effort are often an effective way to address many online safety and digital privacy concerns. Can we use those methods in conjunction with social norms, public pressure, self-regulation, informal contracting, and other methods to address these and other concerns?

For me, the costs associated with the A & B are increasing so rapidly that I almost always default to C as the better approach. Importantly, although A & B will be less onerous or costly when the solution is of the increased property-ization variety than of the administrative regulation variety, that does not mean property rights-based solutions for information are costless. Indeed, I increasingly find myself concluding that C solutions are more cost-effective even compared to increased property rights.

Practical Advice Once You Accept the Increasing Costs & Complications of Control

At this point, readers may be thinking: “Wait a minute, this dude is just some kooky libertarian who doesn’t want any form of information control, so he’s just trying to rationalize anarchy here.” No, I’m not. I certainly favor less control across the board than most people, but I also understand that there are times, at the margin, when some forms of “control” are necessary. But my views on the wisdom of control are heavily influenced by the costs of control. The costs of control — broadly defined — are a key factor in every cost-benefit analysis I do related to the wisdom of Net regulation and information control methods — even when one of those methods is increased “property-ization.” And because I have come to believe that those costs are going up and that most information control efforts will not work well in practice, I have boiled down my advice on this front to two simple principles:

1. Choose your info control battles wisely. Figure out where the most serious harms or threats lie and then target the info control solution accordingly and forget about the rest. For example, in child safety debates, that would mean going after child porn rings but leaving run-of-the-mill adult porn alone entirely. In copyright, it would mean nailing the largest commercial mass piracy sites but accepting a certain amount of casual sharing. In the field of personal info, it means singling out health and financial information and data for special protections and likely giving up on most other forms of info control. And so on. In essence, these are where the greatest potential harms lie that most people would consider intolerable. As you move further away from such issues, the case for control becomes harder and harder and the costs will almost certainly exceed the benefits.
2. Have a good backup plan in mind when those info control plans fail anyway. That backup plan should generally be based on education, empowerment, coping strategies, and resiliency. Again, these are the “C” solutions mentioned above. [I developed this model more robustly in the second half of this recent paper.] This approach won’t be perfect but it will likely be what you’ll end up relying on anyway, so you better start thinking about plowing more resources into this alternative approach even while you’re trying to devise info control mechanisms.

Let me just say a brief word to my market-oriented friends who are dismayed by my inclusion of property rights in the mix of “information control” efforts. I’m a big believer in the importance of property rights in many contexts, but context does matter. More specifically, physicality matters. It is easy to create property rights in tangible goods and almost always right to do so. Property rights in intangible ideas and creations raise special issues, however. Because ideas are non-rivalrous and have public good qualities, it makes property-ization more complicated and less effective. Property rights in facts can also come into conflict with other values and more well-established rights, especially freedom of speech and expression.

On the privacy front, Eugene Volokh made this point in his famous 2000 law review article, “Freedom of Speech, Information Privacy, and the Troubling Implications of a Right to Stop People from Speaking About You,” when he noted that, “The difficulty[with] the right to information privacy — the right to control other people’s communication of personally identifiable information about you — is a right to have the government stop people from speaking about you. And the First Amendment (which is already our basic code of “fair information practices”) generally bars the government from “control[ling the communication] of information,” either by direct regulation or through the authorization of private lawsuits.” That doesn’t mean free speech values should always trump privacy values, but denying this tension is just plain silly. If you want to propertytize all personal information, then you better be prepared to explain how that plays out in practice. How far are you prepared to go to ban the dissemination of facts? Would you place prior restraint on the press to accomplish it? Would you ban a historian from writing a biographies that reveal intimate facts about the subject? Would you shut down all the online sites and services that rely on a certain amount of personal information to fuel their free offerings?

Likewise, copyright law was far more effective in the analog age when we were still pressing music on vinyl and plastic. As soon as digitization become widespread, it was pretty much game over for traditional copyright law and now we are off and running with all sorts of convoluted and increasingly costly regulatory regimes. It’s not that I don’t want these some of these schemes to work — I’ve been a long-time copyright defender — but, again, the practicality of control simply must be considered here. I am not will to “pay any price, bear any burden” in defense of protecting intellectual property rights even as I remain outraged by the staggering amount of free-riding at work every single second of the day on the Internet. So, adopting the framework I outlined about, we might try targeted solutions to go after the biggest of those freeloaders — commercial mass piracy hubs — but we should generally avoid the sort of ham-handed technical control methods we saw in SOPA and other fights, like the broadcast flag battle among others. But, generally speaking, property rights just aren’t going to work as well in this space going forward. I’ve come to believe that the best hope lies in massive consolidation of content and conduit. In other words, pipe and device owners need to buy out all the content-creating industries and just embed a small fee in their monthly services to cross-subsidize content. This is essentially a private collective licensing solution and it is not unprecedented. Nor is it perfect. It will be very leaky. Plenty of piracy will still take place. But it will probably offer creators a better chance of finding a sustainable revenue stream than the current system does. The old copyright system that served them and us so well is dying and they had better start thinking of alternatives like this. Of course, antitrust law may never allow it, so I could be wasting my breath here. (Just look at all the grief that antitrust officials both here and abroad are giving Apple and eBook sellers for working together even though that it probably the best scheme devised in recent memory to sustain publishing in an age of mass piracy. Policymakers should be encouraging more of that sort of thing, not punishing it.)

An Uncertain Future

So, to wrap up… I can imagine a future in which both heavy-handed, top-down info control efforts and property / liability solutions are failing almost universally because of the ubiquitous, instantaneous, quicksilver-like flow of information across decentralized digital networks. Some utopians will argue that such a world will be better in every way than the one we live in today. I do not share such hyper-optimism. While I believe that, on balance, the free flow if information generally benefits society, I also understand how it creates enormous angst and intractable challenges for many. It’s a world in which copyright is a hollow shell of its former self that offers creators very little protection for their expressive works. And it’s a world in which personal privacy is harder to safeguard with each passing day because no matter how hard we try to property-tize facts about ourselves, that enforcement model simply breaks down at some point or becomes socially and economically intolerable. As with copyright, efforts to property-tize personal information will lose the battle against data sharing. As computer scientist Ben Adida argued in his essay, “(Your) Information Wants to be Free,” “unfortunately, information replication doesn’t discriminate: your personal data, credit cards and medical problems alike, also want to be free. Keeping it secret is really, really hard.”

Indeed, and it is growing harder by the day. Contrary to what Orlowski suggests, therefore, this isn’t a simple engineering problem. I wish it were as easy as he suggests to build “permissions-based markets” because they could have real benefits for individuals and society. But it is most certainly not that simple. It is far more costly and complicated than ever to devise workable information control schemes on one hand and “permissions-based” property rights schemes on the other. In some cases, I might still be willing to try the latter, but unlike Orlowski, I just don’t place much faith in the success of the endeavor.

[UPDATE Feb. 2012: This little essay eventually led to an 80-page working paper, “Technopanics, Threat Inflation, and the Danger of an Information Technology Precautionary Principle.”]

In this essay, I will suggest that (1) while “moral panics” and “techno-panics” are nothing new, their cycles seem to be accelerating as new communications and information networks and platforms proliferate; (2) new panics often “crowd-out” or displace old ones; and (3) the current scare over online privacy and “tracking” is just the latest episode in this ongoing cycle.

What Counts as a “Techno-Panic”?

First, let’s step back and define our terms. Christopher Ferguson, a professor at Texas A&M’s Department of Behavioral, Applied Sciences and Criminal Justice, offers the following definition: “A moral panic occurs when a segment of society believes that the behavior or moral choices of others within that society poses a significant risk to the society as a whole.” By extension, a “techno-panic” is simply a moral panic that centers around societal fears about a specific contemporary technology (or technological activity) instead of merely the content flowing over that technology or medium. In her brilliant 2008 essay on “The MySpace Moral Panic,” Alice Marwick noted:

Technopanics have the following characteristics. First, they focus on new media forms, which currently take the form of computer–mediated technologies. Second, technopanics generally pathologize young people’s use of this media, like hacking, file-sharing, or playing violent video games. Third, this cultural anxiety manifests itself in an attempt to modify or regulate young people’s behavior, either by controlling young people or the creators or producers of media products.

While protection of youth is typically a motivating factor, some techno-panics transcend the old “It’s For the Children” rationales for information control. What all panics share in common, however, is a general desire by the public, media pundits, and policymakers to “do something” to rid ourselves of the apparent menace. Thus, an effort to control the particular content or technology in question is what really defines a true “panic.”

It’s impossible to be scientific about this but there seems to be a cycle of such moral panics or techno-panics at work in our society.  Indeed, looking back over the past few decades, it seems that we experience a new panic roughly every 3 to 5 years. Consider this chronological breakdown of some notable techno-panics since the 1980s on:

• mid-1980s: music lyrics and music videos
• early to mid-1990s: violent video games
• mid- to late 1990s: Internet porn
• late 1990s to early 2000s: browser cookies + kids privacy
• mid-2000: TV & movie violence
• mid- to late 2000: online predators / “stranger danger”
• late 2000s to present: cyberwar
• late 2000s to present: online privacy / web “tracking”

Of course, there were other “mini-panics” that occurred during this stretch and, again, some of them did not involve child safety rationales. There was a brief panic over RFID chips and even the Y2K scare in the late 1990s, for example. Some might argue we also had a bit of panic with copyright and file-sharing back in the early 2000s, and perhaps even one back in the early 1980s when the VCR came on the scene, although that seemed to be more industry-driven. Wireless geo-location and geo-tagging has also been getting more attention recently and still may blossom into a full-blown techno-panic.   And you could make the case that we experienced a different type of techno-panic last year over the supposed “Death of the Web,” although few took that one all that seriously.

Why Do Techno-Panics Pass?

To be clear, there are no clear boundaries with techno-panics.  They do not just suddenly begin and end, and it is impossible to gauge their relative severity since no metric or yardstick exists to measure them against.  Nonetheless, these techno-panics certainly seem to have peaks and valleys in terms of public / political / media attention.

Just a few years ago, for example, the online predator panic reached a fever pitch and “stranger danger” reports were all over the media. As a result, legislation banning social networking sites in publicly funded schools and libraries was introduced, and state attorneys general proposed mandatory online age verification schemes for the Internet to segregate adults and children online. And then, it seems, the fever passed. I couldn’t tell you exactly what week or month it happened — and in many ways some of those fears still exist out there — but it’s clear that the panic about online predation has subsided greatly. I’d like to think that education and awareness helped debunk some of the myths that were fueling that particular panic, just as I’d like to believe that education and awareness helped deflate the fear bubbles that surrounded previous panics.

While I don’t want to entirely discount that possibility, I’m convinced another more cynical explanation may exist: New techno-panics simply crowd-out old techno-panics. There may be several explanations for this:

• Perhaps there is only so much fear-mongering our minds can handle at any given time.
• Perhaps it is becuase the media gets myopically focused on one panic and then hammers it till all the fear has been squeezed out of it such that they have to move on.
• Perhaps it is because a new technology comes along that spooks politicians and the media even more than the previous one they were demonizing.
• Or perhaps all of those factors combine to limit the duration of panics.

Regardless, it seems evident that moral panics and techno-panics have always been with us and will always be with us. From the waltz to rock and roll to rap music, from movies to comic books to video games, from radio and television to the Internet and social networking websites — every new media format or technology spawns a fresh debate about the potential negative effects it might have on society or our kids in particular. An excellent recent report by the U.K. government entitled Safer Children in a Digital World noted that “New media are often met by public concern about their impact on society and anxiety and polarisation of the debate can lead to emotive calls for action.” Indeed, each of the media technologies or communications platforms mentioned above was either regulated or threatened with regulation at some point in its history.

The Cycle is Accelerating but is the Severity of Each Panic Diminished as a Result?

However, it seems like these cycles are now accelerating somewhat.  They peak and fizzle out faster, that is. Perhaps that is a natural outgrowth of the technological explosion we have witnessed in recent years.  Digital innovation is unfolding at a breakneck pace and each new development gives rise to a new set of concerns. Going forward, this could mean we experience more “mini-panics” and fewer of those sweeping “the-world-is-going-to-hell” type panics.

This brings me to the current debate over online advertising, web “tracking,” and personal privacy. What’s interesting about this debate is that, unlike many of the other moral or techno-panics mentioned above, this debate is not being driven by the mantra that “It’s For the Children.”  Today’s privacy panic reflects a more widespread unease with the notion that our digital footprints are somehow being “tracked” for nefarious purposes.  In reality, there isn’t anything nefarious going on here at all. Online sites and service providers are simply using data collection to improve our web experience and better target ads to us in an attempt to cross-subsidize all that wonderful free stuff we enjoy online today. This is truly one of the great pro-innovation, pro-consumer success stories of modern times.  Yet, irrational fears about data collection and targeted marketing have given rise to the second major privacy techno-panic of the past dozen years. (Again, the first privacy-related panic was the “cookie craze” that took place back in the late-90s but then subsided). It is also somewhat ironic that many of the same people and groups who have done yeoman’s work debunking techno-panics in other contexts are driving this modern privacy panic.

I want to make it clear that I am not oblivious to the fact that there are occasionally some legitimate concerns behind some of these moral panics or techno-panics.  For example, I certainly don’t want my young children (ages 9 & 6) viewing hard-core porn, playing extremely violent video games, or even reading graphic comics. And I understand that some forms of personal information are quite sensitive and a legitimate topic for policy discussions.  But, again, these concerns are typically greatly over-hyped, and to the extent that they represent more legitimate concerns, I would argue that education and empowerment-based solutions typically represent a more sensible approach than regulation. Although I sometimes question whether the “harm” that people fear is legitimate, I would hope we could work together to find more sensible ways to address people’s concerns without calling for comprehensive control of the media, content, technology, or the Internet more generally.

Resiliency, Responsibility & Common Sense

Finally, in these discussion, I believe many people overlook the importance of human adaptability and resiliency.  The amazing thing about humans is that we adapt so much better than other creatures. When it comes to technological change, resiliency is hard-wired into our genes.  “The techno-apocalypse never comes,” notes Slate’s Jack Shafer, because “cultures tend to assimilate and normalize new technology in ways the fretful never anticipate.” We learn how to use the new tools given to us and make them part of our lives and culture.  Indeed, we have lived through revolutions more radical than the Information Revolution.  We can adapt and learn to live with some of the legitimate difficulties and downsides of the Information Age. [See my recent book chapter on, “The Case for Internet Optimism, Part 1: Saving the Net From Its Detractors.”]

A healthy does of humility, patience, personal responsibility, and good ‘ol common sense will usually get us through these things. Quite literally, there is no need to panic!

Related Reading

• Techno-Panic Cycles (and How the Latest Privacy Scare Fits In)
• Against Techno-Panics
• Collier on “Why Technopanics are Bad”
• Kids, Media, Commercialism & Moral Panic
• The Next Great Technopanic: Wireless Geo-Location / Social Mapping
• Technopanics and the Great Social Networking Scare
• Sen. Klobuchar Stirs Up Facebook Child Safety Technopanic
• A Rarity: Newspaper Argues Against Techno-panic, Cites Constitution
• Google Street View/Wi-Fi Privacy Technopanic Continues
• Digital Sensors, Darknets, Hyper-Transparency & the Future of Privacy

Distracted driving is a serious problem. When you’re flying down the road at speed maneuvering a 2-ton piece of machinery, you need to be paying attention to the road to keep yourself, and others around you, safe.  Distractions of any sort can be dangerous and undercut the driver’s ability to stay focused.  And it’s certainly true that digital devices can be among the biggest distractions. But I think we have to ask some practical questions about just how far law can and should go to minimize that distraction.

I raise this issue because, according to this Bloomberg article yesterday, “U.S. Transportation Secretary Ray LaHood says he believes motorists are distracted by any use of mobile phones while driving, including hands-free calls, as his department begins research that may lead him to push for a ban.”  Sec. LaHood believes that even hands-free phone conversations are a “cognitive distraction” and should be prohibited.  Also, “his concerns extend to vehicle information and entertainment systems such as Ford Motor Co.’s Sync and General Motors Co.’s OnStar,” which means that almost every conceivable in-vehicle technology could be regulated under LaHood’s scheme.

To be clear, I’m not necessarily opposed to laws addressing talking on phones or texting while driving since those actions can have dangerous consequences. But I’ve always preferred a more generic enforcement strategy when it comes to distracted driving laws.  As I noted in my old 2007 essay, “Banning In-Car Technologies Won’t Work,” to the extent law enforcement needs to be brought into the picture it should be done in a technology-agnostic or activity-agnostic fashion. I went on to argue:

Instead of trying to ban technologies (cell phones, radios, MP3 players, navigation devices, etc.) or specific activities (conversations, singing, smoking, etc.) inside the cabin of an automobile, police officers should simply enforce those laws already on the books dealing with reckless or negligent driving.  If a driver is weaving in and out of traffic lanes, or posing a serious threat to others on the road for any reason, they should be pulled over and probably ticketed if the infraction is serious enough.  For starters, I’d like to see some of those stupid idiots I see eating while driving, or worse yet, putting on make-up behind the wheel, pulled over and ticketed when they are driving erratically. But the same goes for anyone who is operating a vehicle in a dangerous fashion. Again, enforce basic traffic safety rules and focus on educating drivers about vehicle safety. Don’t ban new technologies.

That’s still where I stand on this issue.  Moreover, I keep coming back to the practicality of the sort of sweeping technology bans that Sec. LaHood and others advocate.  I just don’t think it’s possible to eliminate all these devices and activities from cars, at least not with creating an Auto Police State, and a huge headache for law enforcement officers to boot.  Even if you banned integration at the factory of in-vehicle technologies, plenty of people would find after-market alternatives.  And you just can’t stop people from lugging their digital devices around with them wherever they go.

Thus, to reiterate, the better solution here is to:

1. Continue to make those technologies more road-friendly by integrating in more safety features. As I noted in this CNBC interview earlier this year, Ford’s new systems, for example, have some very impressive voice-activated features. And others are following suit.
2. Educate drivers about safer vehicle operation & proper technology use.  For more on that, see Berin Szoka’s excellent post, “Texting While Driving: Regulate or Empower & Educate?”
3. Apply stiffer fines to erratic driving infractions. Again, if a driver is posing a threat others on the road for any reason, they should be penalized for that behavior.

I want to raise a final proposal. If Sec. LaHood and others are serious about minimizing distracting in-vehicle conversations, then I would ask them to find to a solution to the greatest threat to driver safety: nagging spouses and poorly-behaved children!  Seriously, there is no greater “cognitive distraction” to a driver than family fights and bad kids.

Sen. Amy Klobuchar just released a letter to Facebook demanding the site require “a prominent safety button or link on the profile pages of users under the age of 18″—akin to the so-called “panic button” app launched earlier this week by the UK’s Child Exploitation & Online Protection Centre (CEOP). She doesn’t seem to realize that this app is available to all Facebook users, not just those in the UK. But her focus on empowerment tools and education is admirable, and it’s certainly a fair question to ask what sites like Facebook and MySpace are doing in these areas.

Unfortunately, Klobuchar’s letter also engages in blatant fear-mongering:

Recent research has shown that one in four American teenagers have been victims of a cyber predator.  And when teens experience abusive behavior online, only ten percent discuss it with their parents and even fewer report the misconduct to law enforcement.  It’s clear that teenagers need to know how to respond to a cyber attack and I believe we need stronger reporting mechanisms to keep our kids safe.

Klobuchar doesn’t actually cite anything, so it’s not clear what research she’s relying on. The 25% statistic is particularly incendiary, suggesting a nationwide cyber-predation crisis—perhaps leading the public to believe 8 or 9 million teens have been lured into sexual encounters offline. Perhaps the Senator considers every cyber-bully a cyber predator—which might get to the 25% number. But there are two serious problem with that moral equivalence.

First, to equate child predation with peer bullying is to engage in a dangerous game of defining deviancy down. Predation and bullying are radically different things. The first (sexual abuse) is a clear and heinous crime that can lead to long-term psychological damage. The second might be a crime in certain circumstances, but generally not.  And it is even less likely to be a crime when it occurs among young peers, which research shows constitutes the vast majority of cases. As Adam Thierer and I noted in our Congressional testimony last year, there are legitimate concerns about cyberbullying, but it’s something best dealt with by parents and schools rather than prosecutors (like Klobuchar in her pre-Senate career).

Second, a series of official taskforces have concluded that the cyberpredator technopanic is vastly overblown. NTIA’s Online Safety and Technology Working Group final 2010 report concluded that “several studies, including some funded by the U.S. Department of Justice, have shown that the statistical probability of a young person being physically harmed by an adult who they first met online is extremely low,” (OSTWG Report at 10-11). Harvard’s 2009 Berkman Center Internet Safety Technical Task Force report concluded:

cases [of adult to child sexual encounters on social networks] typically involved post-pubescent youth who were aware that they were meeting an adult male for the purpose of engaging in sexual activity…. the risk profile for the use of different genres of social media depends on the type of risk, common uses by minors, and the psychosocial makeup of minors who use them…. Youth identify most sexual solicitors as being other adolescents (48%; 43%) or young adults between the ages of 18 and 21 (20%; 30%) and that youth typically ignore or deflect solicitations without experiencing distress.

A number of other task force reports have reached similar conclusions, all agreeing that education and empowerment are the answer. In particular, a 2008 study found that use of popular social networking sites such as MySpace and Facebook does not appear to increase their risk of being victimized by online predators. In particular, the study noted that the 500 arrests made nation-wide for Internet-initiated sex crimes accounted for just 7% of all statutory rapes”—i.e., for adult-on minor sex.

The letter goes on to ask about Facebook’s Internet safety page (she could have just Googled “Facebook Safety” and found it and its wealth of resources) and whether Facebook has a report abuse system—see the “Report Abuse” button at the bottom of any profile, page or group, which produces this dialogue box for user profiles:

And this box for pages:

MySpace has similar reporting mechanisms (and this form) and resources for kids & parents. Both sites employ hundreds of people to respond to such requests, decide when to take down content, and when to bring in law enforcement—which is a pretty big commitment from sites that don’t charge users a penny.

If the good Senator or her staff had had Googled (or Binged) “Facebook safety advisory board,” she would have found a number of press releases about the group, which Facebook launched last December to interface with child safety experts.

Again, it’s a fair question whether Facebook could do even more than it’s already done. For example, the “report abuse” link could probably be moved to a more prominent location on the page. But with its incendiary rhetoric and easily answered questions, Klobuchar’s letter seems intended more to make headlines and score political points than to really move the ball forward on her stated objective, which we should all share: enhancing education and empowerment solutions. Playing fast and loose with the facts—and throwing more fuel on the fire of a technopanic in the process—is unwise and unconstructive.

The Online Safety and Technology Working Group (OSTWG) has just released its final report to Congress entitled, “Youth Safety on a Living Internet.”  As I mentioned here last year, this government task force was established by the “Protecting Children in the 21st Century Act,” (part of the ‘‘Broadband Data Improvement Act’,’ Pub. L. No. 110-385) and its mission was to review and evaluate:

• The status of industry efforts to promote online safety through educational efforts, parental control technology, blocking and filtering software, age-appropriate labels for content or other technologies or initiatives designed to promote a safe online environment for children;
• The status of industry efforts to promote online safety among providers of electronic communications services and remote computing services by reporting apparent child pornography, including any obstacles to such reporting;
• The practices of electronic communications service providers and remote computing service providers related to record retention in connection with crimes against children; and,
• The development of technologies to help parents shield their children from inappropriate material on the Internet.

The task force included over 30 experts from academia, industry, advocacy groups, and think tanks. It was my great honor to be a member of OSTWG and to serve as the chair of 1 of the 4 subcommittees. The four subcommittees addressed: data retention, child pornography reporting, educational efforts, and parental controls technologies. I chaired that last subcommittee on parental controls.

Our conclusions will not be surprising to those who have read previous online safety task force reports, which I have summarized in 2009 white paper, “Five Online Safety Task Forces Agree: Education, Empowerment & Self-Regulation Are the Answer.”  Generally speaking, we concluded that there is no silver-bullet technical solution to online child safety concerns. Instead – and again in agreement with previous research and task force reports – we have concluded that a diverse toolbox and a “layered approach” must be brought to bear on these problems and concerns. Here’s how we put it in the report:

• There’s no one-size-fits-all, once-and-for-all solution to providing children with every aspect of online child safety. Rather, it takes a comprehensive “toolbox” from which parents, educators, and other safety providers can choose tools appropriate to children’s developmental stages and life circumstances, as they grow. That toolbox needs to include safety education, “parental control” technologies such as filtering and monitoring, safety features on connected devices and in online services, media ratings, family and school policy, and government policy. In essence, any solution to online safety must be holistic in nature and multi-dimensional in breadth.
• To youth, social media and technologies are not something extra added on to their lives; they’re embedded in their lives. Their offline and online lives have converged into one life. They are socializing in various environments, using various digital and real-life “tools,” from face-to-face gatherings to cell phones to social network sites, to name just a few.
• Because the Internet is increasingly user-driven, with its “content” changing in real-time, users are increasingly stakeholders in their own well-being online. Their own behavior online can lead to a full range of experiences, from positive ones to victimization, pointing to the increasingly important role of safety education for children as well as their caregivers. The focus of future task forces therefore needs to be as much on protective education as on protective technology.
• The Internet is, in effect, a “living thing,” its content a constantly changing reflection not only of a constantly changing humanity but also its individual and collective publications, productions, thoughts, behaviors, and sociality.

I encourage everyone to check out the entire report, which I have also embedded down below. I very much hope policymakers will heed the advice found in this and the previous task force reports, which have uniformly found that only such a layered, multi-dimensional approach to online child safety can be effective. The three key prongs to that strategy — or what I call the “3-E Strategy” — are education, empowerment and law enforcement efforts.

Importantly, OSTWG accomplished our charge without resorting to the “moral panic” tone that some have adopted when approaching these issues and concerns. While there are serious challenges and concerns surrounding discussions about child safety, it’s important to acknowledge the important benefits of new media and communications technologies to us and our children. We have done so in this report.

We also were careful not to try to unsettle any settled First Amendment law. One of the most regrettable developments of the past 15 years is that so much time has been wasted passing and then litigating legislative and regulatory enactments that have been so clearly unconstitutional under the First Amendment. If the time and resources that were squandered in those legal skirmishes would have instead been plowed into education, empowerment, and enforcement-based efforts, it could have made a lasting difference.

More generally, we should always remember the sage advice offered by the Supreme Court in 2000: “Technology expands the capacity to choose; and it denies the potential of this revolution if we assume the Government is best positioned to make these choices for us.” OSTWG has charted a sensible way forward in the final report that should hopefully avoid those problems. It is my hope that policymakers take our findings and recommendations seriously and adopt the sort of constructive, practical approach we have outlined in this report.

Finally, I want to send out a big THANK YOU! to Hemanshu Nigam and Anne Collier, who very ably and patiently co-chaired the OSTWG. They did a terrific job herding a lot of cats and bringing this report to a successful completion. Well done Hemu and Anne!

Online Safety and Technology Working Group Final Report http://d1.scribdassets.com/ScribdViewer.swf