As I noted in a recent interview with James Pethokoukis for his Faster, Please! newsletter, “[t]he current policy debate over artificial intelligence is haunted by many mythologies and mistaken assumptions. The most problematic of these is the widespread belief that AI is completely ungoverned today.” In a recent R Street Institute report and series of other publications, I have documented just how wrong that particular assumption is.

The first thing I try to remind everyone is that the U.S. federal government is absolutely massive—2.1 million employees, 15 cabinet agencies, 50 independent federal commissions and 434 federal departments. Strangely, when policymakers and pundits deliver remarks on AI policy today, they seem to completely ignore all that regulatory capacity while simultaneously casually tossing out proposals to just add more and more layers of regulation and bureaucracy to it. Well, I say why not see if the existing regulations and bureaucracy are working first, and then we can have a chat about what more is needed to fill gaps.

And a lot  is being done on this front. In a new blog post for R Street, I offer a brief summary of some of the most important recent efforts.

• In January, the National Institute of Standards and Technology released its “ AI Risk Management Framework ,” which was created through a multi-year, multi-stakeholder process. It is intended to help developers and policymakers better understand how to identify and address various types of potential algorithmic risk.
• The Food and Drug Administration (FDA) has been using its broad regulatory powers  to review and approve AI and ML-enabled medical devices  for many years already, and the agency possesses  broad recall authority  that can address risks that develop from algorithmic or robotic systems. The FDA is currently refining its approach to AI/ML in  a major proceeding .
• The National Highway Traffic Safety Administration (NHTSA) has been issuing  constant revisions  to its driverless car policy guidelines since 2016. Like the FDA, the NHTSA also has broad recall authority, which it used in February 2023 to  mandate a recall  of Tesla’s full self-driving autonomous driving system, also requiring an over-the-air software update to over 300,000 vehicles that had the software package.
• In 2021, the Consumer Product Safety Commission agency issued  a major report  highlighting the many policy tools it already has to address AI risks. Like the FDA and NHTSA, the agency has recall authority that can address risks that develop from consumer-facing algorithmic or robotic systems.
• In April, Securities and Exchange Commission Chairman Gary Gensler told Congress that his agency is  moving to address  AI and predictive data analytics in finance and investing.
• The Federal Trade Commission (FTC) has become increasingly active on AI policy issues and has noted in a series of  recent   blog   posts  that the agency is ready to use its broad authority to “unfair and deceptive practices,” involving algorithmic claims or applications.
• The Equal Employment Opportunity Commission (EEOC) recently  released a memo  as part of its “ongoing effort to help ensure that the use of new technologies complies with federal [equal employment opportunity] law.” It outlines how existing employment antidiscrimination laws and policies cover algorithmic technologies.
• In May, the Consumer Financial Protection Bureau (CFPB) issued a statement clarifying how existing federal anti-discrimination law already applies to complex algorithmic systems used for lending decisions.  The agency also recently released a report on the use of Chatbots in Consumer Finance, and explained the many ways that the “CFPB is actively monitoring the market” for risks associated with these new services.
• Along with the EEOC, the FTC and the CFPB, the Civil Rights Division of the Department of Justice released  an April joint statement  saying that the agency heads said that they would be looking to take preemptive steps to address algorithmic discrimination.

“This is real-time algorithmic governance in action,” I argue. Again, additional regulatory steps may be needed later to fill gaps in current law, but policymakers should begin by acknowledging that a lot of algorithmic oversight authority exists across the federal government. Meanwhile, the courts and our common law system are also starting to address novel AI problems as cases develop. For more along these lines, see my recent essay on “The Many Ways Government Already Regulates Artificial Intelligence.”

So, next time someone suggests that AI is developing in an unregulated “Wild West,” remind them of all these existing laws, agencies, and regulatory efforts. And then also ask them a different question no one is really exploring currently: Could it be the case that many agencies are already overregulating some algorithmic and autonomous systems? (I’m looking at you, FAA!) Why is no one worried about that possibility as the global AI race with China and other countries intensifies?

Additional Reading :

• Adam Thierer, “The Most Important Principle for AI Regulation,” R Street Blog Post, June 21, 2023.
• INTERVIEW: “5 Quick Questions for AI policy analyst Adam Thierer,” interview for the Faster Please! newsletter with James Pethokoukis, June 12, 2024.
• PODCAST: “Who’s Afraid of Artificial Intelligence?” Tech Freedom TechPolicyPodcast, June 12, 2023.
• Adam Thierer, “Existential Risks & Global Governance Issues around AI & Robotics,” R Street Institute Policy Study No. 291 (June 2023).
• FILING: Comments of Adam Thierer, R Street Institute to the National Telecommunications and Information Administration (NTIA) on “AI Accountability Policy,” June 12, 2023.
• PODCAST: Adam Thierer: “Artificial Intelligence For Dummies,” SheThinks (Independent Women’s Forum) podcast, June 9, 2023.
• EVENT: “Does the US Need a New AI Regulator?” Center for Data Innovation & R Street Institute, June 6, 2023.
• Neil Chilson & Adam Thierer, “The Problem with AI Licensing & an ‘FDA for Algorithms,’” Federalist Society Blog, June 5, 2023.
• Adam Thierer, “Microsoft’s New AI Regulatory Framework & the Coming Battle over Computational Control,” Medium, May 29, 2023.
• PODCAST: Neil Chilson & Adam Thierer, “The Future of AI Regulation: Examining Risks and Rewards,” Federalist Society Regulatory Transparency Project podcast, May 26, 2023.
• Adam Thierer, “Here Come the Code Cops: Senate Hearing Opens Door to FDA for Algorithms & AI Occupational Licensing,” Medium, May16, 2023.
• Adam Thierer, “What OpenAI’s Sam Altman Should Say at the Senate AI Hearing,” R Street Institute Blog, May 15, 2023.
• PODCAST: “Should we regulate AI?” Adam Thierer and Matthew Lesh discuss artificial intelligence policy on the Institute for Economic Affairs podcast, May 6, 2023.
• Adam Thierer, “The Biden Administration’s Plan to Regulate AI without Waiting for Congress,” Medium, May 4, 2023.
• Adam Thierer, “NEPA for Al? The Problem with Mandating Algorithmic Audits & Impact Assessments,” Medium, April 23, 2023.
• Adam Thierer, “Flexible, Pro-Innovation Governance Strategies for Artificial Intelligence,” R Street Institute Policy Study No. 283 (April 2023).
• Adam Thierer, “A balanced AI governance vision for America,” The Hill, April 16, 2023.
• Adam Thierer, Brent Orrell, & Chris Meserole, “Stop the AI Pause,” AEI Ideas, April 6, 2023.
• Adam Thierer, “Getting AI Innovation Culture Right,” R Street Institute Policy Study No. 281 (March 2023).
• Adam Thierer, “Can We Predict the Jobs and Skills Needed for the AI Era?,” R Street Institute Policy Study No. 278 (March 2023).
• Adam Thierer, “U.S. Chamber AI Commission Report Offers Constructive Path Forward,” R Street Blog, March 9, 2023.
• Adam Thierer, “Statement for the Record on ‘Artificial Intelligence: Risks and Opportunities,’” U.S. Senate Homeland Security and Governmental Affairs Committee, March 8, 2023.
• Adam Thierer, “What If Everything You’ve Heard about AI Policy is Wrong?” Medium, February 20, 2023.
• Adam Thierer, “Policy Ramifications of the ChatGPT Moment: AI Ethics Meets Evasive Entrepreneurialism,” Medium, February 14, 2023.
• Adam Thierer, “Mapping the AI Policy Landscape Circa 2023: Seven Major Fault Lines,” R Street Blog, February 9, 2023.
• Adam Thierer, “Artificial Intelligence Primer: Definitions, Benefits & Policy Challenges,” Medium, December 2, 2022.
• Neil Chilson & Adam Thierer, “The Coming Onslaught of ‘Algorithmic Fairness’ Regulations,” Regulatory Transparency Project of the Federalist Society, November 2, 2022.

[last updated 4/3/2025 – Check my Medium page for latest posts]

This a running list of all the essays and reports I’ve already rolled out on the governance of artificial intelligence (AI), machine learning (ML), and robotics. Why have I decided to spend so much time on this issue? Because this will become the most important technological revolution of our lifetimes. Every segment of the economy will be touched in some fashion by AI, ML, robotics, and the power of computational science. It should be equally clear that public policy will be radically transformed along the way.

Eventually, all policy will involve AI policy and computational considerations. As AI “eats the world,” it eats the world of public policy along with it. The stakes here are profound for individuals, economies, and nations. As a result, AI policy will be the most important technology policy fight of the next decade, and perhaps next quarter century. Those who are passionate about the freedom to innovate need to prepare to meet the challenge as proposals to regulate AI proliferate.

There are many socio-technical concerns surrounding algorithmic systems that deserve serious consideration and appropriate governance steps to ensure that these systems are beneficial to society. However, there is an equally compelling public interest in ensuring that AI innovations are developed and made widely available to help improve human well-being across many dimensions. And that’s the case that I’ll be dedicating my life to making in coming years.

Here’s the list of what I’ve done so far. I will continue to update this as new material is released:

2025

• Dean Ball, Greg Lukianoff & Adam Thierer, “How state AI regulations threaten innovation, free speech, and knowledge creation,” The Eternally Radical Idea, April 3, 2025.
• Adam Thierer, “Comments of R Street Institute on a Learning Period Moratorium for AI Regulation in Response to Request for Information (RFI) Exploring a Data Privacy and Security Framework,” R Street Institute Regulatory Comments, Apr. 3, 2025.
• PODCAST: “Lawfare Daily: Adam Thierer on the AI Regulatory Landscap e,” Lawfare, Apr. 1, 2025.
• Adam Thierer, “Texas & Virginia Steer States Away from European-Style AI Regulation,” R Street Analysis, Mar. 25, 2025. [Also reprinted as: Adam Thierer, “More States Reject Fear-Based AI Regulation,” Governing, Mar. 27, 2025.]
• Adam Thierer, “Don’t let the states derail America’s AI revolution,” The Hill, March 23, 2025.
• Adam Thierer, “Comments of the R Street Institute in Request for Information on the Development of an Artificial Intelligence (AI) Action Plan,” March 15, 2025.
• PODCAST: “A tech policy bonanza! The FCC, FTC, AI regulations, and more,” So to Speak (FIRE) Podcast, March 12, 2025.
• TESTIMONY: Adam Thierer, “R Street Testimony in Opposition to CT SB 2: ‘An Act Concerning Artificial Intelligence’,” Feb. 25, 2025.
• Adam Thierer & Robert Melvin, “R Street Institute Letter to Virginia Governor Glenn Youngkin in Opposition to VA HB 2094, Restrictions on Artificial Intelligence,” Feb. 20, 2025.
• Adam Thierer, “Ramifications of China’s DeepSeek Moment, Part 3: What Both Parties Need to Accept and Do Next,” R Street Analysis, Feb. 18, 2025.
• Adam Thierer, “The Radicalism of the ‘Future for the Family’ Technology Manifesto,” Medium, Feb, 17, 2025.
• Adam Thierer, “Vice President JD Vance Resets the Global AI Agenda with Paris AI Action Summit Address” R Street Real Analysis, Feb. 11, 2025.
• Adam Thierer, “Ramifications of China’s DeepSeek Moment, Part 2: AI, Cultural Values, and Global Freedom,” R Street Analysis, Feb. 7, 2025.
• Adam Thierer, “Can Trump Hold the Tech Right and Populist Right Together?” Discourse, Feb. 7, 2025.
• TESTIMONY: Adam Thierer, “Testimony In Opposition to LB 642, “The Artificial Intelligence Consumer Protection Act,” Feb. 5, 2025.
• Adam Thierer, “Ramifications of China’s DeepSeek Moment, Part 1: AI, Technological Supremacy and National Security,” R Street Analysis, Feb. 3, 2025.
• Keegan McBride & Adam Thierer, “The Trouble With AI Safety Treaties,” Lawfare, Jan. 29, 2025.
• TESTIMONY: Adam Thierer, “R Street Testimony in Opposition to VA HB 2094: ‘High-Risk Artificial Intelligence Developer and Deployer Act,”’ Jan. 27, 2025.
• Adam Thierer, “Updated Compendium of Bills Pushed by theMultistate AI Policymaker Working Group,” Medium, Jan. 23, 2025. [regularly updated]
• Adam Thierer, “Trump’s New AI Executive Order Begins Undoing Biden’s Bureaucratic Mess,” R Street Analysis, Jan. 23, 2025.
• EVENT: “The Worst Tech Policies of 2024: How the New Administration and Congress Can Turn the Page ,” ITIF, Jan. 21, 2024.

2024

• Adam Thierer, “The House AI Task Force Report: Positive Steps, but One Big Problem,” Medium, Dec. 17, 2024.
• EVENT VIDEO: “AI Policy In President Trump’s Second Term,” Federalist Society Webinar, Dec. 10, 2024.
• Adam Thierer, “Testimony Notes for Presentation to Future of Privacy Forum Multistate AI Working Group,” Dec. 9, 2024.
• Joint letter: Letter from coalition of over 20 groups opposing “Texas Responsible AI Governance Act”, Dec. 2024.
• Adam Thierer, “What Trump’s New AI Czar David Sacks Can Do to Hit the Ground Running,” Medium, Dec. 6, 2024.
• EVENT VIDEO: “Understanding AI & AI Policy in 2024 and Beyond,” Cato Institute event, Dec. 5, 2024.
• Adam Thierer, “There are Two Different AI Policy Debates, and You Need to Start Paying More Attention to the One about ‘Woke AI,’” Medium, Nov 11, 2024.
• Adam Thierer, “AI Policy in the Trump Administration and Congress after the 2024 Elections,” R Street Analysis, Nov. 7, 2024.
• Adam Thierer, “The 2024 Election Results & AI Policy: Here Comes the Mother of All State Regulatory Patchworks,” Medium, Nov. 6, 2024.
• Adam Thierer, “Texas should reject the European path toward AI regulation,” R Street Analysis, Oct. 31, 2024.
• EVENT VIDEO: “What Should the Next Administration Do About AI?” Federalist Society Regulatory Transparency Project, [featuring Ash Kazaryan, Adam Kovacevich, Neil Chilson, and Adam Thierer moderating], Oct. 15, 2024.
• Adam Thierer, “AI and Public Health, Part 3: How AI Can Revolutionize Drug Discovery,” R Street Real Solutions, Oct. 15, 2024.
• Adam Thierer, “AI Is Not the Cause of Rental Woes,” NH Journal, Oct. 14, 2024.
• PODCAST: “AI Policy and Innovation ,” The Spirit of Enterprise, Episode #510, October 2024
• Neil Chilson & Adam Thierer, “A Sensible Approach to State AI Policy,” Federalist Society Regulatory Transparency Project blog, Oct. 9, 2024.
• PODCAST: “Where AI Regulation Can Go Wrong,” The Road to Accountable AI, October 2024.
• Adam Thierer, “California Rejects AI Regulatory Extremism,” R Street Analysis, Sept. 30, 2024.
• Adam Thierer, “Eurocrats plot to hobble US AI leadership on our own shores,” The Hill, Sept. 28, 2024.
• PODCAST: “Navigating AI Policy: Balancing Innovation and Regulation ,” Corner Alliance’s AI, Government, and the Future Podcast, Sept. 18, 2024.
• Adam Thierer, “Biden’s Move Against Nvidia Is a Gift to China,” City Journal, Sept. 16, 2024.
• PODCAST: “California’s AI Law SB 1047 & What It Means for Tech — Adam Thierer,” SVIC Podcast, Sept. 10, 2024.
• Joint letter: “Coalition Urges Governor Newsom To Consider Vetoing SB 1047,” August 27, 2024.
• Adam Thierer, “W​here Does California’s AI Bill (SB 1047) Fit Historically?” Medium, Aug. 26, 2024.
• Adam Thierer, “The Policy Origins of the Digital Revolution & the Continuing Case for the Freedom to Innovate,” R Street Real Solutions, Aug. 15, 2024. [+ video of panel talk]
• Adam Thierer, “AI and Public Health Series: Part 2: How AI Can Help Tackle Major Causes of Suffering and Death,” R Street Analysis, August 6, 2024.
• Adam Thierer, “Regulators are misguided in efforts to restrict open-source AI,” Cointelegraph, July 31, 2024.
• Adam Thierer, “How Trump and Harris Clash on AI Policy,” Medium, July 24, 2024.
• Adam Thierer, “The Hickenlooper AI Auditing Bill and the Expanding Role of the Commerce Department in AI Policy,” R Street Real Solutions, July 22. 2024.
• Adam Thierer, “AI and Public Health Series: How AI can advance medical knowledge and improve the patient experience,” R Street Analysis, July 9, 2024.
• Adam Thierer, “AI and Public Health Series: How AI can advance medical knowledge and improve the patient experience,” R Street Analysis, July 9, 2024.
• Adam Thierer, “AI and Public Health Series: Introduction,” R Street Analysis, July 9, 2024.
• Adam Thierer, “Why the End of Chevron Deference is Largely Meaningless for AI Policy, Part 2,” Medium, July 2, 2024.
• Adam Thierer, “What the Supreme Court Decisions This Week Mean for AI Policy,” Medium, June 28, 2024.
• Joint letter: “Coalition Letter on California bill SB-1047, The Safe and Secure Innovation for Frontier Artificial Intelligence Systems Act,” June 18, 2024.
• WEBINAR: “AI Policy Roundup,” Federalist Society, June 6, 2024.
• TESTIMONY: Adam Thierer, Testimony for U.S. Joint Economic Committee Hearing on “Artificial Intelligence and Its Potential to Fuel Economic Growth and Improve Governance,” June 4, 2024.
• PODCAST: “Adam Thierer on regulating AI,” Faster, Please! — The Podcast #49, May 30, 2024.
• Adam Thierer, “Getting AI Policy Right Through a Learning Period Moratorium,” R Street Real Solutions, May 29, 2024.
• Nirit Weiss-Blatt, Adam Thierer & Taylor Barkley, “The AI Technopanic and Its Effects ,” Abundance Institute report, May 2024.
• Adam Thierer, “Colorado Opens Door to an AI Patchwork as Congress Procrastinates,” R Street Analysis, May 20, 2024.
• Adam Thierer, “The Schumer AI Working Group Report: A Move Toward Policy Normalcy?” Medium, May 16, 2024.
• Group Letter: “A Pro-Innovation Framework for Artificial Intelligence,” May 6, 2024.
• Adam Thierer, “California and Other States Threaten to Derail the AI Revolution,” R Street Analysis, May 2, 2024.
• Adam Thierer, “Artificial Intelligence Legislative Outlook: Spring 2024 Update,” R Street Analysis, April 24, 2024.
• Adam Thierer, “Artificial Intelligence, Section 230 & Looming Liability Threats,” Medium, April 2, 2024.
• Adam Thierer, “Policymakers Should Let Open Source Play a Role in the AI Revolution,” R Street Institute Analysis, March 28, 2024.
• Adam Thierer, Comments in NTIA’s “Openness in AI Request for Comment” proceeding, March 21, 2024.
• Adam Thierer, Testimony for House Oversight Committee hearing on “White House Overreach on AI,” March 21, 2023.
• Adam Thierer, “We Can’t Predict the Future of Work,” in Navigating the Future of Work: Perspectives on Automation, AI, and Economic Prosperity, American Enterprise Institute, March 20, 2024.
• Adam Thierer, “Every Lawmaker Gets Their Own Personal AI Bill!,” Medium, March 1, 2024.
• Adam Thierer, “Artificial Intelligence Task Force: 10 Principles to Guide AI Policy,” R Street blog, February 21, 2024.
• Adam Thierer, “More on the Realpolitik of Global AI Regulation & Computational Control,” Medium, February 14, 2024.
• Adam Thierer, “AI and Technologies of Freedom in the Age of “Weaponized” Government,” R Street blog, February 8, 2024.
• Adam Thierer, “Will California lawmakers give AI innovators a chance?” Orange County Register, January 31, 2024.
• Adam Thierer, “State and local meddling threatens to undermine the AI revolution,” The Hill, January 21, 2024.
• Adam Thierer, “My 2024 Tech Policy Prediction is Same as Always: No Legislative Action,” Medium, January 8, 2024.

2023

• PODCAST: “AI: DC Policymakers Face a Crossroads,” DC EKG podcast, December 11, 2023.
• Adam Thierer & Shoshana Weissmann, “Without Section 230 Protections, Generative AI Innovation Will Be Decimated,” R Street blog, December 6, 2023.
• Adam Thierer, “Is AI Policy Compromise Possible? A Look at the Thune-Klobuchar AI Bill,” R Street blog, December 4, 2023.
• Neil Chilson & Adam Thierer, “Overregulating AI Will Disrupt Markets and Discourage Competition,” Bloomberg Law, November 17, 2023.
• Adam Thierer, “White House Executive Order Threatens to Put AI in a Regulatory Cage,” R Street blog, October 30, 2023.
• Adam Thierer, “Artificial Intelligence Legislative Outlook: Fall 2023 Update,” R Street blog, October 17, 2023.
• Adam Thierer, “Artificial Intelligence, Medical Devices & Soft Law Governance,” unpublished manuscript prepared for an Arizona State law school symposium, (Fall 2023)
• Adam Thierer, “AI Concessions and Commitments in the Name of Democratic Accountability,” Medium, September 28, 2023.
• EVENT: Debating Frontier AI Regulation, Brookings, September 14, 2023. (My remarks begin at 51-minute mark of the video).
• Adam Thierer, “Blumenthal-Hawley AI Regulatory Framework Escalates the War on Computation,” Medium, September 13, 2023.
• Adam Thierer, Statement for the Record, Hearing on “The Need for Transparency in Artificial Intelligence,” September 12, 2023.
• EVENT: “Who’s Leading on AI Policy?” Cato Institute event, September 12, 2023.
• Neil Chilson & Adam Thierer, “Resolving to Defend AI Innovation in the States,” Now + Next, July 24, 2024.
• Adam Thierer, “Will AI Policy Became a War on Open Source Following Meta’s Launch of LLaMA 2?” Medium, July 19, 2023.
• Adam Thierer, “The FTC Looks to Become the Federal AI Commission,” Medium, July 15, 2023.
• Adam Thierer, “Is Telecom Licensing a Good Model for Artificial Intelligence?” Medium, July 8, 2023.
• SLIDES: “AI Worldviews: Similarities & Differences” (July 2023).
• Adam Thierer, “The Schumer AI Framework and the Future of Emerging Tech Policymaking,” R Street Institute Real Solutions, June 27, 2023.
• Adam Thierer, “Is AI Really an Unregulated Wild West?” Technology Liberation Front, June 22, 2023.
• Adam Thierer, “The Most Important Principle for AI Regulation,” R Street Institute Real Solutions, June 21, 2023.
• INTERVIEW: “5 Quick Questions for AI policy analyst Adam Thierer,” interview for the Faster Please! newsletter with James Pethokoukis, June 12, 2024.
• PODCAST: “Who’s Afraid of Artificial Intelligence?” Tech Freedom TechPolicyPodcast, June 12, 2023.
• Adam Thierer, “Existential Risks & Global Governance Issues around AI & Robotics,” R Street Institute Policy Study No. 291 (June 2023).
• FILING: Comments of Adam Thierer, R Street Institute to the National Telecommunications and Information Administration (NTIA) on “AI Accountability Policy,” June 12, 2023.
• PODCAST: Adam Thierer: “Artificial Intelligence For Dummies,” SheThinks (Independent Women’s Forum) podcast, June 9, 2023.
• EVENT: “Does the US Need a New AI Regulator?” Center for Data Innovation & R Street Institute, June 6, 2023.
• Neil Chilson & Adam Thierer, “The Problem with AI Licensing & an ‘FDA for Algorithms,’” Federalist Society Blog, June 5, 2023.
• Adam Thierer, “The Many Ways Government Already Regulates Artificial Intelligence,” Medium, June 2, 2023.
• Adam Thierer, “Microsoft’s New AI Regulatory Framework & the Coming Battle over Computational Control,” Medium, May 29, 2023.
• PODCAST: Neil Chilson & Adam Thierer, “The Future of AI Regulation: Examining Risks and Rewards,” Federalist Society Regulatory Transparency Project podcast, May 26, 2023.
• Adam Thierer, “Here Come the Code Cops: Senate Hearing Opens Door to FDA for Algorithms & AI Occupational Licensing,” Medium, May16, 2023.
• Adam Thierer, “What OpenAI’s Sam Altman Should Say at the Senate AI Hearing,” R Street Institute Blog, May 15, 2023.
• PODCAST: “Should we regulate AI?” Adam Thierer and Matthew Lesh discuss artificial intelligence policy on the Institute for Economic Affairs podcast, May 6, 2023.
• Adam Thierer, “The Biden Administration’s Plan to Regulate AI without Waiting for Congress,” Medium, May 4, 2023.
• Adam Thierer, “NEPA for Al? The Problem with Mandating Algorithmic Audits & Impact Assessments,” Medium, April 23, 2023.
• Adam Thierer, “Flexible, Pro-Innovation Governance Strategies for Artificial Intelligence,” R Street Institute Policy Study No. 283 (April 2023).
• Adam Thierer, “A balanced AI governance vision for America,” The Hill, April 16, 2023.
• Adam Thierer, Brent Orrell, & Chris Meserole, “Stop the AI Pause,” AEI Ideas, April 6, 2023.
• Adam Thierer, “Getting AI Innovation Culture Right,” R Street Institute Policy Study No. 281 (March 2023).
• Adam Thierer, “Can We Predict the Jobs and Skills Needed for the AI Era?,” R Street Institute Policy Study No. 278 (March 2023).
• Adam Thierer, “U.S. Chamber AI Commission Report Offers Constructive Path Forward,” R Street Blog, March 9, 2023.
• Adam Thierer, “Statement for the Record on ‘Artificial Intelligence: Risks and Opportunities,'” U.S. Senate Homeland Security and Governmental Affairs Committee, March 8, 2023.
• Adam Thierer, “What If Everything You’ve Heard about AI Policy is Wrong?” Medium, February 20, 2023.
• Adam Thierer, “Policy Ramifications of the ChatGPT Moment: AI Ethics Meets Evasive Entrepreneurialism,” Medium, February 14, 2023.
• Adam Thierer, “Mapping the AI Policy Landscape Circa 2023: Seven Major Fault Lines,” R Street Blog, February 9, 2023.

2022

• Adam Thierer, “Artificial Intelligence Primer: Definitions, Benefits & Policy Challenges,” Medium, December 2, 2022.
• Neil Chilson & Adam Thierer, “The Coming Onslaught of ‘Algorithmic Fairness’ Regulations,” Regulatory Transparency Project of the Federalist Society, November 2, 2022.
• Adam Thierer, “We Really Need To ‘Have a Conversation’ About AI … or Do We?” Discourse, October 6, 2022.
• Adam Thierer, “How the Embedding of AI Ethics Works in Practice & How It Can Be Improved,” Medium, September 22, 2022.
• Adam Thierer, “No Goldilocks Formula for Content Moderation in Social Media or the Metaverse, But Algorithms Still Help,” Medium, September 13, 2022.
• Adam Thierer, “AI Eats the World: Preparing for the Computational Revolution and the Policy Debates Ahead,” Medium, September 10, 2022.
• Adam Thierer, “‘Running Code and Rough Consensus’ for AI: Polycentric Governance in the Algorithmic Age,” Medium, September 1, 2022.
• Adam Thierer, “AI Governance ‘on the Ground’ vs ‘on the Books,’” Medium, August 19, 2022.
• Adam Thierer, “Why the Future of AI Will Not Be Invented in Europe,” Technology Liberation Front, August 1, 2022.
• Adam Thierer, “How Science Fiction Dystopianism Shapes the Debate over AI & Robotics,” Discourse, July 26, 2022.
• Adam Thierer, “Why is the US Following the EU’s Lead on Artificial Intelligence Regulation?” The Hill, July 21, 2022.
• Adam Thierer, “Algorithmic Auditing and AI Impact Assessments: The Need for Balance,” Medium, July 13, 2022.
• Adam Thierer, “The Proper Governance Default for AI,” Medium, May 26, 2022.
• Adam Thierer, “What I Learned about the Power of AI at the Cleveland Clinic,” Medium, May 6, 2022.
• Adam Thierer, Governing Emerging Technology in an Age of Policy Fragmentation and Disequilibrium, American Enterprise Institute (April 2022).

2021 (and earlier)

• Adam Thierer and John Croxton, “Elon Musk and the Coming Federal Showdown Over Driverless Vehicles,” Discourse, November 22, 2021.
• Adam Thierer, “A Global Clash of Visions: The Future of AI Policy,” The Hill, May 4, 2021.
• Adam Thierer, “A Brief History of Soft Law in ICT Sectors: Four Case Studies,” Jurimetrics, Vol. 61 (Fall 2021): 79-119.
• Adam Thierer, “U.S. Artificial Intelligence Governance in the Obama–Trump Years,” IEEE Transactions on Technology and Society, Vol, 2, Issue 4 (2021).
• Adam Thierer, “The Worst Regulation Ever Proposed,” The Bridge, September 2019.
• Ryan Hagemann, Jennifer Huddleston Skees & Adam Thierer, “Soft Law for Hard Problems: The Governance of Emerging Technologies in an Uncertain Future,” Colorado Technology Law Journal, Vol. 17 (2018).
• Adam Thierer & Trace Mitchell, “No New Tech Bureaucracy,” Real Clear Policy, September 10, 2020.
• Adam Thierer, “OMB’s AI Guidance Embodies Wise Tech Governance,” Mercatus Center Public Comment, March 13, 2020.
• Adam Thierer, “Europe’s New AI Industrial Policy,” Medium, February 20, 2020.
• Adam Thierer, “Trump’s AI Framework & the Future of Emerging Tech Governance,” Medium, January 8, 2020.
• Adam Thierer, “Soft Law: The Reconciliation of Permissionless & Responsible Innovation,” Chapter 7 in Adam Thierer, Evasive Entrepreneurs & the Future of Governance (Washington, DC: Cato Institute, 2020): 183-240.
• Andrea O’Sullivan & Adam Thierer, “Counterpoint: Regulators Should Allow the Greatest Space for AI Innovation,” Communications of the ACM, Volume 61, Issue 12, (December 2018): 33-35.
• Adam Thierer, Andrea O’Sullivan & Raymond Russell, “Artificial Intelligence and Public Policy,” Mercatus Research (2017).
• Adam Thierer, “Shouldn’t the Robots Have Eaten All the Jobs at Amazon By Now?” Technology Liberation Front, July 26, 2017.
• Adam Thierer, “Are ‘Permissionless Innovation’ and ‘Responsible Innovation’ Compatible?” Technology Liberation Front, July 12, 2017.
• Adam Thierer, “The Growing AI Technopanic,” Medium, April 27, 2017.
• Adam Thierer, “The Day the Machines Took Over,” Medium, May 11, 2017.
• Adam Thierer, “When the Trial Lawyers Come for the Robot Cars,” Slate, June 10, 2016.
• Adam Thierer, “Learning by Doing,” the Process of Innovation & the Future of Employment,” Technology Liberation Front, September 25, 2015.
• Adam Thierer, “Problems with Precautionary Principle-Minded Tech Regulation & a Federal Robotics Commission,” Medium, September 22, 2014.
• Adam Thierer, “On the Line between Technology Ethics vs. Technology Policy,” Technology Liberation Front, August 1, 2013.

Corbin Barthold invited me on Tech Freedom’s “Tech Policy Podcast” to discuss the history of antitrust and competition policy over the past half century. We covered a huge range of cases and controversies, including: the DOJ’s mega cases against IBM & AT&T, Blockbuster and Hollywood Video’s derailed merger, the Sirius-XM deal, the hysteria over the AOL-Time Warner merger, the evolution of competition in mobile markets, and how we finally ended that dreaded old MySpace monopoly!

What does the future hold for Google, Facebook, Amazon, and Netflix? Do antitrust regulators at the DOJ or FTC have enough to mount a case against these firms? Which case is most likely to have legs?

Corbin and I also talked about the of progress more generally and the troubling rise of more and more Luddite thinking on both the left and right. I encourage you to give it a listen:

The Federal Trade Commission (FTC) voted on July 1 to withdraw its pubic affirmation of consumer welfare as the guiding principle for antitrust enforcement. While this change is symbolic at this point, it weakens the agency’s public commitment to an objective consumer-based approach to antitrust. The result opens the door to politicized and unprincipled antitrust enforcement that will ultimately hurt rather than benefit consumers.

The FTC is the nation’s primary consumer protection agency, focused on ensuring a healthy market that avoids the dangers of monopolistic practices. The statement on the agency’s antitrust enforcement had been uncontroversial up to this point. A bipartisan group of commissioners passed the statement in 2015—during the Obama Administration—and the statement primarily clarified that the FTC’s antitrust enforcement under Section 5 of the FTC Act concerning the agency’s authority over unfair and deceptive trade practices was guided by consumer welfare. In other words, the FTC would focus on those acts that cause or are likely to cause harm to consumers, based on objective economic analysis rather than the effects of business moves on competition itself or other policy standards. The statement sought to provide clarity to consumers and businesses, and in fact, the sole vote against it was on the basis that the statement was too abbreviated to provide meaningful guidance.

Despite these uncontroversial origins, on Thursday at a hastily announced open meeting, the current FTC voted 3-2 to withdraw this statement. The withdrawal of the FTC’s statement is the latest signal that antitrust policy, particularly at the FTC, is shifting away from focusing on consumers and using the consumer welfare standard.  Instead, there are now real concerns the FTC will enforce antitrust policy in a way that promotes competitors or ideology at consumers’ expense.

Most specifically, rejecting the consumer welfare standard signals the FTC may apply its enforcement power in more subjective ways based in changing political motives and policy preference, as was seen in earlier eras of antitrust enforcement. For example, if not focused on the consumer welfare standard, the FTC could act against some of the largest tech companies to break them up or prevent mergers even though consumers were not harmed—or were even helped—by these changes in the market. This shift would have three specific, if related, implications.

First, it would undermine confidence among consumers in the FTC’s actions. It is far less clear now by what standards antitrust enforcement will be guided and if they are truly objective. As a result, it is unclear what the purpose behind enforcement is.

Second, such expansive enforcement could diminish the options available to consumers. Without the consumer welfare standard, aggressive antitrust enforcement could lead to regulatory interventions in competitive and dynamic markets apart from a data-based and consumer-focused analysis. The result of such unnecessary enforcement could be to raise costs or eliminate products, preventing consumers from having access to products they enjoy or face higher prices, not because of unfair or anti-competitive behavior but because of political animus against a particular industry.

Finally, this shift away from the consumer welfare standard is likely to result in inefficient markets. Unprincipled or politically motivated enforcement could result in some products and services never making it to consumers. In other cases, markets may find certain “competitors” kept alive past their value, or other markets could remain with few choices because companies fear that entrance would be considered anticompetitive. Without the consumer welfare standard, misguided notions of concentration or “bigness” could result in a less beneficial market and instead benefit competitors with inferior products that would not have otherwise survived—all to the detriment of consumers.

When regulators move away from an objective, consumer-focused approach to antitrust, it is ultimately the consumers who are harmed in the form of higher prices, inferior products, and less innovation. As Commissioner Christine Wilson stated prior to the vote, “If the Commission is no longer focused on consumer welfare then consumers will be harmed.”

Does anyone remember Blockbuster and Hollywood Video? I assume most of you do, but wow, doesn’t it seem like forever ago when we actually had to drive to stores to get movies to watch at home? What a drag that was!

Yet, just 15 years ago, that was the norm and those two firms were the titans of video distribution, so much so that federal regulators at the Federal Trade Commission looked to stop their hegemony through antitrust intervention. But then those firms and whatever “market power” they possessed quickly evaporated as a wave of Schumpeterian creative destruction swept through video distribution markets. Both those firms and antitrust regulators had completely failed to anticipate the tsunami of technological and marketplace changes about to hit in the form of alternative online video distribution platforms as well as the rise of smartphones and robust nationwide mobile networks.

Today, this serves as a cautionary tale of what happens when regulatory hubris triumphs over policy humility, as Trace Mitchell and I explain in this new essay for  National Review Online entitled, “The Crystal Ball of Antitrust Regulators Is Cracked.” As we note:

There is no discernable end point to the process of entrepreneurial-driven change. In fact, it seems to be proliferating rapidly. To survive, even the most successful companies must be willing to quickly dispense with yesterday’s successful business plans, lest they be steamrolled by the relentless pace of technological change and ever-shifting consumer demands. It is easy to understand why some people find it hard to imagine a time when Amazon, Apple, Facebook, and Google won’t be quite as dominant as they are today. But it was equally challenging 20 years ago to imagine that those same companies could disrupt the giants of that era.

Hopefully today’s policymakers will have a little more patience and trust competition and continued technological innovation to bring us still more wonderful video choices.

[OC] Blockbuster Video US store locations between 1986 and 2019 from r/dataisbeautiful

This week, the Trump Administration proposed a new policy framework for artificial intelligence (AI) technologies that attempts to balance the need for continued innovation with a set of principles to address concerns about new AI services and applications. This represents an important moment in the history of emerging technology governance as it creates a policy vision for AI that is generally consistent with earlier innovation governance frameworks established by previous administrations.

Generally speaking, the Trump governance vision for AI encourages regulatory humility and patience in the face of an uncertain technological future. However, the framework also endorses a combination of “hard” and “soft” law mechanisms to address policy concerns that have already been raised about developing or predicted AI innovations.

AI promises to revolutionize almost every sector of the economy and can potentially benefit our lives in numerous ways. But AI applications also raise a number of policy concerns, specifically regarding safety or fairness. On the safety front, for example, some are concerned about the AI systems that control drones, driverless cars, robots, and other autonomous systems. When it comes to fairness considerations, critics worry about “bias” in algorithmic systems that could deny people jobs, loans, or health care, among other things.

These concerns deserve serious consideration and some level of policy guidance or else the public may never come to trust AI systems, especially if the worst of those fears materialize as AI technologies spread. But how policy is formulated and imposed matters profoundly. A heavy-handed, top-down regulatory regime could undermine AI’s potential to improve lives and strengthen the economy. Accordingly, a flexible governance framework is needed and the administration’s new guidelines for AI regulation do a reasonably good job striking that balance.

Background

Last February, the White House issued Executive Order 13859, on “Maintaining American Leadership in Artificial Intelligence.” The Order announced the creation of the “American AI Initiative,” an effort to “focus the resources of the Federal government to develop AI.” It prioritized investments in AI-focused research and development (R&D), building a workforce ready for the AI era, international engagement on AI priorities, and the establishment governance standards for AI systems to “help Federal regulatory agencies develop and maintain approaches for the safe and trustworthy creation and adoption of new AI technologies.”

Regarding that last objective, Order 13589 required the Office of Management and Budget (OMB) and the Office of Science and Technology Policy (OSTP) to develop a framework and set of principles for federal agencies to follow when considering the development of regulatory and non‑regulatory approaches for AI. Importantly, the Order also specified that the framework should seek to “advance American innovation” and “reduce barriers to the use of AI technologies in order to promote their innovative application while protecting civil liberties, privacy, American values, and United States economic and national security.”

That resulted in the memorandum sent to heads of federal departments and agencies this week entitled, “Guidance for Regulation of Artificial Intelligence Applications” (hereinafter AI Guidance). The draft version of the AI Guidance specifies that “federal agencies must avoid regulatory or non-regulatory actions that needlessly hamper AI innovation and growth.” More specifically:

“Agencies must avoid a precautionary approach that holds AI systems to such an impossibly high standard that society cannot enjoy their benefits. Where AI entails risk, agencies should consider the potential benefits and costs of employing AI, when compared to the systems AI has been designed to complement or replace.”

But the AI Guidance is certainly not a call for comprehensive deregulation or the abandonment of all AI federal oversight. The memorandum’s very title reflects an understanding that existing laws and agency rules will continue to play a role in guiding the development of AI, machine-learning, and autonomous systems.

Accordingly, and consistent with past executive orders and OMB regulatory guidance documents for federal agencies, the AI Guidance establishes a set of ten principles that agencies must take into consideration when considering AI policy:

1. Public trust in AI: Requiring that “the government’s regulatory and non-regulatory approaches to AI promote reliable, robust, and trustworthy AI applications, which will contribute to public trust in AI.”
2. Public participation: Agencies must provide “ample opportunities for the public to provide information and participate in all stages of the rulemaking process.”
3. Scientific integrity and information quality: Agencies should “leverage scientific and technical information and processes” to build trust and ensure data quality and transparency.
4. Risk assessment and management: Acknowledging that “all activities involve tradeoffs,” the AI Guidance requires that “a risk-based approach should be used to determine which risks are acceptable and which risks present the possibility of unacceptable harm, or harm that has expected costs greater than expected benefits.”
5. Benefits and costs: As part of those risk assessments, agencies must “carefully consider the full societal costs, benefits, and distributional effects before considering regulations related to the development and deployment of AI applications. Such consideration will include the potential benefits and costs of employing AI, when compared to the systems AI has been designed to complement or replace, whether implementing AI will change the type of errors created by the system, as well as comparison to the degree of risk tolerated in other existing ones.”
6. Flexibility: OMB encourages agencies to “pursue performance-based and flexible approaches that can adapt to rapid changes and updates to AI applications.”
7. Fairness and non-discrimination: Acknowledging that “in some instances, introduce real-world bias that produces discriminatory outcomes or decisions that undermine public trust and confidence in AI,” the AI Guidance requires agencies to consider “issues of fairness and non-discrimination with respect to outcomes and decisions produced by the AI application at issue.”
8. Disclosure and transparency: Agencies are encouraged to consider how greater “transparency and disclosure can increase public trust and confidence in AI applications.”
9. Safety and security: Agencies are required to “promote the development of AI systems that are safe, secure, and operate as intended, and encourage the consideration of safety and security issues throughout the AI design, development, deployment, and operation process.”
10. Interagency coordination: The guidance makes it clear that a “coherent and whole-of-government approach to AI oversight requires interagency coordination.”

Soft Law Ascends

Importantly, the AI Guidance also encourages agencies to be open to “non-regulatory approaches to AI” governance and specifies three particular models:

• Sector-specific policy guidance or frameworks: OSTP writes that “agencies should consider using any existing statutory authority to issue non-regulatory policy statements, guidance, or testing and deployment frameworks, as a means of encouraging AI innovation in that sector.” The memorandum also notes that this can include “work done in collaboration with industry, such as development of playbooks and voluntary incentive frameworks.”
• Pilot programs and experiments: The document encourages the use of “pilot programs that provide safe harbors for specific AI applications” which “could produce useful data to inform future rulemaking and non-regulatory approaches.”
• Voluntary consensus standards: Before regulating, the AI Guidance encourages agencies to consider how voluntary consensus standards, assessment programs, and compliance programs might be used to address policy concerns.

These represent “soft law” approaches to technological governance and they are becoming all the rage in technology policy discussions today. Soft law mechanisms are informal, collaborative, and constantly evolving governance efforts. While not formerly binding like “hard law” rules and regulations, soft law efforts nonetheless create a set of expectations about sensible development and use of technologies. Soft law can include multistakeholder initiatives, best practices and standards, agency workshops and guidance documents, educational efforts, and much more.

Soft law has become the dominant governance approach for emerging technologies because it is often better able to address the “pacing problem,” which refers to the growing gap between the rate of technological innovation and policymakers’ ability to keep up with it. As I have previously noted, the pacing problem is “becoming the great equalizer in debates over technological governance because it forces governments to rethink their approach to the regulation of many sectors and technologies.”

Not only do traditional legislative and regulatory hard law systems struggle to keep up with fast-paced technological changes, but oftentimes those older mechanisms are just too rigid and unsuited for new sectors and developments. That is definitely the case for AI, which is multi-dimensional in nature and even defies easy definition. Soft law offers a more flexible, adaptive approach to learning on the fly and cobbling together principles and policies that can address new policy concerns as they develop in specific contexts, without derailing potentially important innovations.

Building on Past Governance Frameworks

In this sense, the Trump administration’s AI Guidance borrows from past policy frameworks by marrying up a desire to promote an exciting new set of emerging technologies alongside the need for reasonable but flexible oversight and governance mechanisms. At a high level, the AI Guidance builds on many of the same principles that motivated the Clinton administration’s Framework for Global Electronic Commerce, a statement of principles and policy objectives for the then-emerging Internet. The document, which was issued in July 1997, said that “governments should encourage industry self-regulation and private sector leadership where possible” and “avoid undue restrictions on electronic commerce.”

The Framework was a clean break from the top-down regulatory paradigm that had previously governed traditional communications and media technologies. Clinton’s Framework insisted that, to the extent government intervention was needed at all, “its aim should be to support and enforce a predictable, minimalist, consistent and simple legal environment for commerce.” The use of soft law and multistakeholder models was a key component of this vision, and those more flexible governance approaches were tapped by the subsequent administrations to address emerging tech policy concerns.

For example, the Obama administration considerably expanded the use of multistakeholder mechanisms and other soft law tools in response to the need of oversight of fast-moving technologies. The Obama administration had many different policy governance efforts underway for specific AI technologies and concerns, including workshops and multistakeholder efforts focused on the safety, security, and privacy-related issues surrounding “big data” systems, online advertising, connected cars, drones, and more.

Whereas the Obama administration was deeper in the weeds of the policy issues associated with specific AI and machine-learning applications, the Trump administration has sought to both build on those focused efforts while also stepping back to consider AI governance at the 30,000-foot level. In essence, the AI Guidance combines some of the aspirational elements found in the Clinton Framework alongside the Obama administration’s more targeted approach to consider specific policy concerns across many different sectors and technologies.

Trump’s AI Guidance adds an element of formality to this process regarding how federal agencies should address AI developments and formulate potential policy responses. It does so by counseling humility and even potential forbearance until all the facts are in. “Fostering innovation and growth through forbearing from new regulations may be appropriate,” the memorandum says. Agencies should consider new regulation only after they have reached the decision, in light of the foregoing section and other considerations, that Federal regulation is necessary.” Again, this is very much consistent with more general regulatory guidance issued by every administration since President Reagan was in office.

Flexible, Adaptive Governance is Key

The AI Guidance foreshadows the future of not only AI governance but the governance of many other emerging technologies. Hard law will continue to provide a backstop and have a role in guiding technological developments. Toward that end, efforts like the new AI Guidance are important because it represents an effort to “regulate the regulators” by placing some ground rules on how they go about applying old law to new developments.

But soft law governance is where the real action is at, both for AI and almost all emerging technologies today. The Trump AI Guidance reflects the extent to which soft law has become the dominant governance paradigm for modern tech sectors. As my colleagues Jennifer Huddleston and Trace Mitchell have noted, soft law is already effectively the law of the land for driverless cars, for example. After years of congressional wrangling over a federal autonomous vehicle regulatory framework—one that has widespread bipartisan support, no less—we still do not have a law on the books. Instead, the Department of Transportation has been cobbling together informal “rules of the road” through informal guidance documents that have been “versioned” as if they were computer software (i.e., Version 1.0, 2.0, 3.0). Version 4.0 of the DoT guidance for automated vehicles was just released this week.

That is the same approach that the National Institute of Standards and Technology (NIST) has taken with the privacy guidelines it developed. NIST’s Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management is also versioned like software. And many other federal agencies, especially the Federal Trade Commission, have tapped a wide variety of soft law tools—such as agency workshops and workshop reports that recommended privacy best practices for various technologies. Meanwhile, the National Telecommunications and Information Administration (NTIA) has used multistakeholder processes to address privacy concerns surrounding a wide range of technologies, including drones and facial recognition. NIST, FTC, and NTIA have undertaken these informal governance efforts because, despite over a decade of debate, Congress still has not advanced comprehensive federal privacy legislation. For better or worse, soft law has filled that governance gap.

Addressing Likely Objections from Left & Right

Many people of varying ideological dispositions will object to the growing role of soft law as the primary governance tool for emerging technology policy. Some conservatives will cringe at the sound of giving regulators greater leeway to address amorphous policy concerns, fearing that it will result in unconstrained exercises of unaccountable, extra-constitutional power.

Some of those concerns are valid, but they fail to account for the fact that the prospects for agency downsizing or deregulation they prefer are extremely limited. Practically speaking, the administrative state isn’t going anywhere. In some cases, agencies can actually do some real good by encouraging innovators to think about how to “bake-in” sensible best practices to preemptively address concerns about the privacy, safety, security, and fairness of various AI systems. Better those concerns be addressed in more flexible, adaptive fashion than by a heavy-handed, overly-rigid regulatory approach. Soft law offers that possibility, even if legitimate concerns remain about agency accountability and transparency.

Many to the left of center will be critical of this governance approach as well, but on very different grounds. As Associated Press reporter Matt O’Brien notes, “the vagueness of the principles announced by the White House is unlikely to satisfy AI watchdogs who have warned of a lack of accountability as computer systems are deployed to take on human roles in high-risk social settings, such as mortgage lending or job recruitment.”

These concerns actually are addressed in several of the OSTP’s ten principles, including those which stress the need for fairness and non-discrimination, information quality, public participation, disclosure and transparency, and safety and security. Yet many on the left will claim these principles merely pay lip service to these values and that what is really needed is a full-blown regulatory regime and some sort of corresponding new federal AI agency, which would preemptively determine which AI technologies would be allowed into the wild.

Already, an Algorithmic Accountability Act was introduced in Congress last year that would ask the FTC to take a more active role in policing “inaccurate, unfair, biased, or discriminatory decisions impacting consumers” that may have resulted from “automated decision systems.” Meanwhile, some academics have called for the creation of a Federal Robotics Commission or a National Algorithmic Technology Safety Administration to preemptively oversee new AI developments.

The problem with overly-precautionary regulation of that sort could potentially unduly limit AI innovation and the many benefits it entails. There may be some AI applications that pose serious and immediate risks to humanity and which require preemptive restraints on their development and use. Autonomous military and law enforcement applications are the most obvious examples. But most AI applications do not rise to that same level of regulatory concern, and other governance approaches are required to balance the use and misuse of them. This is why a more open and flexible governance approach is needed. Moreover, the old regulatory system just cannot keep up anymore, and it is ill-suited to address most policy concerns in a timely or efficient fashion.

Cristie Ford, and advocate of greater regulatory oversight for fintech, notes in her latest book that the problem with “old-style Welfare State regulation” is that it is “a clumsy, blunt instrument for achieving regulatory objectives” due to its reliance upon “one-size-fits-all mandates, prohibitions, and penalties.” Ford acknowledges what many other regulatory advocates are reluctant to admit:  public policies toward fast-paced technology sectors can no longer be governed effectively using the Analog Era’s top-down, command-and-control regulatory processes. Far too many federal agencies rely on a “build-and-freeze model” of regulation that puts rules in stone to deal with one sets of issues one day, but then either fails to eliminate them later when they become obsolete or to reform those rules to bring them in line with new social, economic, and technical realities.

If we hope to encourage continued innovation in sectors that could produce profoundly important, life-enriching technologies, America’s regulatory approach for AI and emerging technology needs to move away from “build-and-freeze” and toward “build-and-adapt.” Regulation is still needed, but the old regulatory toolkit is badly broken. For better or worse, soft law is going to fill the resulting governance gap, regardless of objections from some on the left or the right. Pragmatic policymaking is going to carry the day for emerging technology governance.

Conclusion

The Trump Administration AI Guidance represents a continuation and extension of this trend toward more flexible, adaptive governance approaches for emerging technologies. It offers a pragmatic vision that builds on the policies and paradigms of the past, while also encouraging fresh thinking about how best to balance the need for continued innovation alongside the various concerns about disruptive technological change.

There are many challenging issues that lie ahead and the new AI Guidance cannot provide bright-line answers to all the hypothetical questions that people want answered today. No one possesses a crystal ball that will allow them to forecast the technological future. Only ongoing trial-and-error experimentation and policy improvisation will allow us to find sensible solutions. A policy approach rooted in humility, flexibility, and forbearance will help ensure that America’s regulatory policies continue to promote both innovation and the public good.

I have been covering telecom and Internet policy for almost 30 years now. During much of that time – which included a nine year stint at the Heritage Foundation — I have interacted with conservatives on various policy issues and often worked very closely with them to advance certain reforms.

If I divided my time in Tech Policy Land into two big chunks of time, I’d say the biggest tech-related policy issue for conservatives during the first 15 years I was in the business (roughly 1990 – 2005) was preventing the resurrection of the so-called Fairness Doctrine. And the biggest issue during the second 15-year period (roughly 2005 – present) was stopping the imposition of “Net neutrality” mandates on the Internet. In both cases, conservatives vociferously blasted the notion that unelected government bureaucrats should sit in judgment of what constituted “fairness” in media or “neutrality” online.

Many conservatives are suddenly changing their tune, however. President Trump and Sen. Ted Cruz, for example, have been increasingly critical of both traditional media and new tech companies in various public statements and suggested an openness to increased regulation. The President has gone after old and new media outlets alike, while Sen. Cruz (along with others like Sen. Lindsay Graham) has suggested during congressional hearings that increased oversight of social media platforms is needed, including potential antitrust action.

Meanwhile, during his short time in office, Sen. Josh Hawley (R-Mo.) has become one of the most vocal Internet critics on the Right. In a shockingly-worded USA Today editorial in late May, Hawley said, “social media wastes our time and resources” and is “a field of little productive value” that have only “given us an addiction economy.” He even referred to these sites as “parasites” and blamed them for a long list of social problems, leading him to suggest that, “we’d be better off if Facebook disappeared” along with various other sites and services.

Hawley’s moral panic over social media has now bubbled over into a regulatory crusade that would unleash federal bureaucrats on the Internet in an attempt to dictate “fair” speech on the Internet. He has introduced an astonishing piece of legislation aimed at undoing the liability protections that Internet providers rely upon to provide open platforms for speech and commerce. If Hawley’s absurdly misnamed new “Ending Support for Internet Censorship Act” is implemented, it would essentially combine the core elements of the Fairness Doctrine and Net Neutrality to create a massive new regulatory regime for the Internet.

The bill would gut the immunities Internet companies enjoy under 47 USC 230 (“Section 230”) of the Communications Decency Act. Eric Goldman of the Santa Clara University School of Law has described Section 230 as the “best Internet law” and “a big part of the reason why the Internet has been such a massive success.” Indeed, as I pointed out in a Forbes column on the occasion of its 15^th anniversary, Section 230 is “the foundation of our Internet freedoms” because it gives online intermediaries generous leeway to determine what content and commerce travels over their systems without the fear that they will be overwhelmed by lawsuits if other parties object to some of that content.

The Hawley bill would overturn this important legal framework for Internet freedom and instead replace it with a new “permissioned” approach. In true “Mother-May-I” style, Internet companies would need to apply for an “immunity certification” from the FTC, which would undertake investigations to determine if the petitioning platform satisfied a “requirement of politically unbiased content moderation.”

The vague language of the measure is an open invitation to massive political abuse. The entirety of the bill hinges upon the ability of Federal Trade Commission officials to define and enforce “political neutrality” online. Let’s consider what this will mean in practice.

Under the bill, the FTC must evaluate whether platforms have engaged in “politically biased moderation,” which is defined as moderation practices that are supposedly, “designed to negatively affect” or “disproportionately restricts or promote access to … a political party, political candidate, or political viewpoint.” As Blake Reid of the University of Colorado Law School rightly asks, “How, exactly, is the FTC supposed to figure out what the baseline is for ‘disproportionately restricting or promoting’? How much access or availability to information about political parties, candidates, or viewpoints is enough, or not enough, or too much?”

There is no Goldilocks formula for getting things just right when it comes to content moderation. It’s a trial-and-error process that is nightmarishly difficult because of the endless eye-of-the-beholder problems associated with constructing acceptable use policies for large speech platforms. We struggled with the same issues in the broadcast and cable era, but they have been magnified a million-fold in the era of the global Internet with the endless tsunami of new content that hits our screens and devices every day. “Do we want less moderation?” asks Sec, 230 guru Jeff Kosseff. “I think we need to look at that question hard.  Because we’re seeing two competing criticisms of Section 230,” he notes. “Some argue that there is too much moderation, others argue that there is not enough.”

The Hawley bill seems to imagine that a handful of FTC officials will magically be able to strike the right balance through regulatory investigations. That’s a pipe dream, of course, but let’s imagine for a moment that regulators could somehow sort through all the content on message boards, tweets, video clips, live streams, gaming sites, and whatever else, and then somehow figure out what constituted a violation of “political neutrality” in any given context. That would actually be a horrible result because let’s be perfectly clear about what that would really be: It would be a censorship board. By empowering unelected bureaucrats to make decisions about what constitutes “neutral” or “fair” speech, the Hawley measure would, as Elizabeth Nolan Brown of Reason summarizes, “put Washington in charge of Internet speech.” Or, as Sen. Ron Wyden argues more bluntly, the bill “will turn the federal government into Speech Police.” “Perhaps a more accurate title for this bill would be ‘Creating Internet Censorship Act,'” Eric Goldman is forced to conclude.

The measure is creating other strange bedfellows. You won’t see Berin Szoka of TechFreedom and Harold Feld of Public Knowledge ever agreeing on much, but they both quickly and correctly labelled Hawley’s bill a “Fairness Doctrine for the Internet.” That is quite right, and much like the old Fairness Doctrine, Hawley’s new Internet speech control regime would be open to endless political shenanigans as parties, policymakers, companies, and the various complainants line up to have their various political beefs heard and acted upon. “That’s the kind of thing Republicans said was unconstitutional (and subject to FCC agency capture and political manipulation) for decades,” says Daphne Keller of the Stanford Center for Internet & Society. Moreover, during the Net Neutrality holy wars, GOP conservatives endlessly blasted the notion that bureaucrats should be determining what constitute “neutrality” online because it, too, would result in abuses of the regulatory process. Yet, Sen. Hawley’s bill would now mandate that exact same thing.

What is even worse is that, as law professor Josh Blackman observes, “the bill also makes it exceedingly difficult to obtain a certification” because applicants need a supermajority of 4 of the 5 FTC Commissioners. This is public choice fiasco waiting to happen. Anyone who has studied the long, sordid history of broadcast radio and television licensing understands the danger associated with politicizing certification processes. The lawyers and lobbyists in the DC “swamp” will benefit from all the petitioning and paperwork, but it is not clear how creating a regulatory certification regime for Internet speech really benefits the general public (or even conservatives, for that matter).

Former FTC Commissioner Josh Wright identifies another obvious problem with the Hawley Bill: it “offers the choice of death by bureaucratic board or the plaintiffs’ bar.” That’s because by weakening Sec. 230’s protections, Hawley’s bill could open the floodgates to waves of frivolous legal claims in the courts if companies can’t get (or lose) certification. The irony of that result, of course, is that this bill could become a massive gift to the tort bar that Republicans love to hate!

Of course, if the law ever gets to court, it might be ruled unconstitutional. “The terms ‘politically biased’ and ‘moderation’ would have vagueness and overbreadth problems, as they can chill protected speech,” Josh Blackman argues. So it could, perhaps, be thrown out like earlier online censorship efforts. But a lot of harm could be done—both to online speech and competition—in the years leading up to a final determination about the law’s constitutionality by higher courts.

What is most outrageous about all this is that the core rationale behind Hawley’s effort—the idea that conservatives are somehow uniquely disadvantaged by large social media platforms—is utterly preposterous. In May, the Trump Administration launched a “tech bias” portal which “asked Americans to share their stories of suspected political bias.” The portal is already closed and it is unclear what, if anything, will come out of this effort. But this move and Hawley’s proposal point to the broader trend of conservatives getting more comfortable asking Big Government to redress imaginary grievances about supposed “bias” or “exclusion.”

In reality, today’s social media tools and platforms have been the greatest thing that ever happened to conservatives. Mr. Trump owes his presidency to his unparalleled ability to directly reach his audience through Twitter and other platforms. As recently as June 12, President Trump tweeted, “The Fake News has never been more dishonest than it is today. Thank goodness we can fight back on Social Media.” Well, there you have it!

Beyond the President, one need only peruse any social media site for a few minutes to find an endless stream of conservative perspectives on display. This isn’t exclusion; it’s amplification on steroids. Conservatives have more soapboxes to stand on and preach than ever before in the history of this nation.

Finally, if they were true to their philosophical priors, then conservatives also would not be insisting that they have any sort of “right” to be on any platform. These are private platforms, after all, and it is outrageous to suggest that conservatives (or any other person or group) are entitled to have a spot on any other them.

Some conservatives are fond of ridiculing liberals for being “snowflakes” when it comes to other free speech matters, such as free speech on college campuses. Many times they are right. But one has to ask who the real snowflakes are when conservative lawmakers are calling on regulatory bureaucracies to reorder speech on private platform based on the mythical fear of not getting “fair” treatment. One also cannot help but wonder if those conservatives have thought through how this new Internet regulatory regime will play out once a more liberal administration takes back the reins of power. Conservatives will only have themselves to blame when the Speech Police come for them.

Addendum: Several folks have pointed out another irony associated with Hawley’s bill is that it would greatly expand the powers of the administrative state, which conservatives already (correctly) feel has too much broad, unaccountable power. I should have said more on that point, but here’s a nice comment from David French of National Review, which alludes to that problem and then ties it back to my closing argument above: i.e., that this proposal will come back to haunt conservatives in the long-run:

when coercion locks in — especially when that coercion is tied to constitutionally suspect broad and vague policies that delegate immense powers to the federal government — conservatives should sound the alarm. One of the best ways to evaluate the merits of legislation is to ask yourself whether the bill would still seem wise if the power you give the government were to end up in the hands of your political opponents. Is Hawley striking a blow for freedom if he ends up handing oversight of Facebook’s political content to Bernie Sanders? I think not.

Additional thoughts on the Hawley bill:

Josh Wright

Daphne Keller

Blake Reid

TechFreedom

Josh Blackman

Sen. Ron Wyden

Jeff Kosseff

Eric Goldman

CCIA

NetChoice

Internet Association

David French at National Review

John Samples

Over at the Mercatus Center Bridge blog, Trace Mitchell and I just posted an essay entitled, “A Non-Partisan Way to Help Workers and Consumers,” which discusses the new Federal Trade Commission’s (FTC) Economic Liberty Task Force report on occupational licensing.

We applaud the FTC’s calls for greater occupational licensing uniformity and portability, but regret the missed opportunity to address root problem of excessive licensing more generally. But while FTC is right to push for greater occupational licensing uniformity and portability, policymakers need to confront the sheer absurdity of licensing so many jobs that pose zero risk to public health & safety. Licensing has become completely detached from risk realities and actual public needs.

As the FTC notes, excessive licensing limits employment opportunities, worker mobility, and competition while also “resulting in higher prices, reduced quality, and less convenience for consumers.” These are unambiguous facts that are widely accepted by experts of all stripes. Both the Obama and Trump Administrations, for example, have been completely in league on the need for comprehensive  licensing reforms.

Trace and I argue that we need serious occupational reforms built on the idea of the “right to earn a living” that must pass this test: “All occupational regulations shall be limited to those demonstrably necessary and carefully tailored to fulfill legitimate public health, safety, or welfare objectives.”  Also, all licensing authorities should be put on the clock and be required, within one year, to reassess the wisdom of all existing licenses to ensure they meet that test. If not, they are repealed or reformed.

In recent testimony in Texas, our Mercatus Center colleague Matthew Mitchell has also discussed other reform options, including the “Occupational Board Reform Act,” which recently passed in Nebraska. The goal of the law is to “protect the fundamental right of an individual to pursue a lawful occupation;.” They key provision of the Act demands that state actors:

use the least restrictive regulation which is necessary to protect consumers from undue risk of present, significant, and substantiated harms that clearly threaten or endanger the health, safety, or welfare of the public when competition alone is not sufficient and which is consistent with the public interest;

That’s an excellent approach to reform and when combined with the Right to Earn a Living Act, policymakers can begin to reverse the protectionist, anti-competitive licensing schemes that encumber entrepreneurs and workers across the land.

In forthcoming work, I hope to more fully develop the connection between the right to earn a living, the need for comprehensive licensing reform, and the freedom to innovate more generally. In the meantime, hop over to The Bridge to read our new essay on how the FTC report helps advance this cause..

Unfortunately, the decision answers none of those important questions and makes a total hash of the FTC’s current unfairness law. While some critics of the FTC’s data security program may be pleased with the outcome of this decision, they ought to be concerned with its reasoning, which harkens back to the “public policy” test for unfairness that was greatly abused by the FTC in the 1970’s.

The most problematic parts of this decision are likely dicta, but it is still worth describing how sharply this decision conflicts with the FTC’s modern unfairness test.  The court’s reasoning could implicate not only the FTC’s data security authority but its overall authority to police unfair practices of any kind.

(I’m going to skip the facts and procedural background of the case because the key issues are matters of law unrelated to the facts of the case. The relevant facts and procedure are laid out in the decision’s first and most lucid section. I’m also going to limit this piece to the decision’s unfairness analysis. There’s more to say about the court’s conclusion that the FTC’s order is unenforceable, but this post is already long. Interesting takes here and here.)

In short, the court’s decision attempts to rewrite a quarter century of FTC unfairness law.  By doing so, it elevates a branch of unfairness analysis that, in the 1970s, landed the FTC in big trouble.  First, I’ll summarize the current unfairness test as stated in the FTC Act. Next, I’ll discuss the previous unfairness test, the trouble it caused, and how that resulted in the modern test. Finally, I’ll look at how the LabMD decision rejects the modern test and discuss some implications.

The Modern Unfairness Test

If you’ve read a FTC complaint with an unfairness count in the last two decades, you’re probably familiar with the modern unfairness test.  A practice is unfair if it causes substantial injury that the consumer cannot avoid, and which is not outweighed by benefits to consumers or competition.  In 1994, Congress codified this three-part test in Section 5(n) of the FTC Act, which reads in full:

The Commission shall have no authority under this section or section 57a of this title to declare unlawful an act or practice on the grounds that such act or practice is unfair unless the act or practice [1] causes or is likely to cause substantial injury to consumers which [2] is not reasonably avoidable by consumers themselves and [3] not outweighed by countervailing benefits to consumers or to competition. In determining whether an act or practice is unfair, the Commission may consider established public policies as evidence to be considered with all other evidence. Such public policy considerations may not serve as a primary basis for such determination. [Emphasis added]

The text of Section 5(n) makes two things clear: 1) a practice is not unfair unless it meets the three-part consumer injury test and 2) public policy considerations can be helpful evidence of unfairness but are not sufficient or even necessary to demonstrate it. Thus, the three-part consumer injury test is centrally important to the unfairness analysis. Indeed, the three-part consumer injury test set out in Section 5(n) has been synonymous with the unfairness test for decades.

The Previous, Problematic Test for Unfairness

But the unfairness test used to be quite different.  In outlining the test’s history, I am going to borrow heavily from Howard Beales’ excellent 2003 essay, “The FTC’s Use of Unfairness Authority: Its Rise, Fall, and Resurrection.” (Beales was the Director of the FTC’s Bureau of Consumer Protection under Republican FTC Chairman Timothy Muris.) Beales describes the previous test for unfairness:

In 1964 … the Commission set forth a test for determining whether an act or practice is “unfair”: 1) whether the practice “offends public policy” – as set forth in “statutes, the common law, or otherwise”; 2) “whether it is immoral, unethical, oppressive, or unscrupulous; 3) whether it causes substantial injury to consumers (or competitors or other businessmen).” …. [T]he Supreme Court, while reversing the Commission in Sperry & Hutchinson cited the Cigarette Rule unfairness criteria with apparent approval….

This three-part test – public policy, immorality, and/or substantial injury – gave the agency enormous discretion, and the FTC began to wield that discretion in a problematic manner. Beales describes the effect of the S&H dicta:

Emboldened by the Supreme Court’s dicta, the Commission set forth to test the limits of the unfairness doctrine. Unfortunately, the Court gave no guidance to the Commission on how to weigh the three prongs – even suggesting that the test could properly be read disjunctively.

The result was a series of rulemakings relying upon broad, newly found theories of unfairness that often had no empirical basis, could be based entirely upon the individual Commissioner’s personal values, and did not have to consider the ultimate costs to consumers of foregoing their ability to choose freely in the marketplace. Predictably, there were many absurd and harmful results.

According to Beales, “[t]he most problematic proposals relied heavily on ‘public policy’ with little or no consideration of consumer injury.”  This regulatory overreach triggered a major backlash from businesses, Congress, and the media. The Washington Post called the FTC the “National Nanny.” Congress even defunded the agency for a time.

The backlash prompted the agency to revisit the S&H criteria.  As Beales describes,

As the Commission struggled with the proper standard for unfairness, it moved away from public policy and towards consumer injury, and consumer sovereignty, as the appropriate focus…. On December 17, 1980, a unanimous Commission formally adopted the Unfairness Policy Statement, and declared that “[un]justified consumer injury is the primary focus of the FTC Act, and the most important of the three S&H criteria.”

This Unfairness Statement recast the relationship between the three S&H criteria, discarding the “immoral” prong entirely and elevating consumer injury above public policy: “Unjustified consumer injury is the primary focus of the FTC Act, and the most important of the three S&H criteria. By itself it can be sufficient to warrant a finding of unfairness.” [emphasis added]  It was this Statement that first established the three-part consumer injury test now codified in Section 5(n).

Most importantly for our purposes, the statement explained the optional nature of the S&H “public policy” factor. As Beales details,

[I]n most instances, the proper role of public policy is as evidence to be considered in determining the balance of costs and benefits”  although ”public policy can ‘independently support a Commission action . . . when the policy is so clear that it will entirely determine the question of consumer injury, so there is little need for separate analysis by the Commission.’” [emphasis added]

In a 1982 letter to Congress, the Commission reiterated that public policy “is not a necessary element of the definition of unfairness.”

As the 1980s progressed, the Unfairness Policy statement, specifically the three-part test for consumer injury, “became accepted as the appropriate test for determining unfairness…” But not all was settled.  Beales again:

The danger of unfettered “public policy” analysis as an independent basis for unfairness still existed, however [because] the Unfairness Policy Statement itself continued to hold out the possibility of public policy as the sole basis for a finding of unfairness. A less cautious Commission might ignore the lessons of history, and dust off public policy-based unfairness. … When Congress eventually reauthorized the FTC in 1994, it codified the three-part consumer injury unfairness test. It also codified the limited role of public policy. Under the statutory standard, the Commission may consider public policies, but it cannot use public policy as an independent basis for finding unfairness. The Commission’s long and dangerous flirtation with ill-defined public policy as a basis for independent action was over.

Flirting with Public Policy, Again

To sum up, chastened for overreaching its authority using the public policy prong of the S&H criteria, the FTC refocused its unfairness authority on consumer injury.  Congress ratified that refocus in Section 5(n) of the FTC Act, as I’ve discussed above. Today, under modern unfairness law, FTC complaints rarely make public policy arguments and only then to bolster evidence of consumer injury.

In last week’s LabMD decision, the 11 ^th Circuit rejects this long-standing approach to unfairness. Consider these excerpts from its decision:

“The Commission must find the standards of unfairness it enforces in ‘clear and well-established’ policies that are expressed in the Constitution, statutes, or the common law.” “An act or practice’s ‘unfairness’ must be grounded in statute, judicial decisions – i.e., the common law – or the Constitution. An act or practice that causes substantial injury but lacks such grounding is not unfair within Section 5(a)’s meaning.” “Thus, an ‘unfair’ act or practice is one which meets the consumer-injury factors listed above and is grounded in well-established legal policy.”

And consider this especially salty bite of pretzel logic based on a selective citation of the FTC Act:

“Section 5(n) now states, with regard to public policy, ‘In determining whether an act or practice is unfair, the Commission may consider established public policies as evidence to be considered with all other evidence. Such public policy considerations may not serve as a primary basis for such determination.’  We do not take this ambiguous statement to mean that the Commission may bring suit purely on the basis of substantial consumer injury. The act or practice alleged to have caused injury must still be unfair under a well-established legal standard, whether grounded in statute, the common law, or the Constitution.” [emphasis added]

Yet those two sentences in 5(n) are quite clear when read in context with the full paragraph, which requires the three-part consumer injury test but merely permits the FTC to consider public policies as evidence.  The court’s interpretation here is also undercut by the FTC’s historic misuse of public policy and Congress’s subsequent intent in Section 5(n) to limit the FTC overreach by restricting use of public policy evidence. Congress sought to restrict the FTC’s use of public policy; the 11^th Circuit’s decision seeks to require it.

To be fair, the court is not exactly returning to the wild pre-Unfairness Statement days when the FTC thought public policy alone was sufficient to find an act or practice unfair.  Instead, the court has developed a new, stricter test for unfairness that requires both consumer injury and offense to public policy.

After crafting this bespoke unfairness test by inserting a mandatory public policy element, the decision then criticizes the FTC complaint for “not explicitly” citing the public policy source for its “standard of unfairness.”  But it is obvious why the FTC didn’t include a public policy element in the complaint – no one has thought it necessary, for more than two decades.  (Note, however, that the Commission’s decision does cite numerous statutes and common law principles as public policy evidence of consumer injury in this case.)

The court supplies the missing public policy element for the FTC: “It is apparent to us, though, that the source is the common law of negligence.” The court then determines that “the Commission’s action implies” that common law negligence “is a source that provides standards for determining whether an act or practice is unfair….”

Having thus rewritten the Commission’s argument and decades of FTC law, the court again surprises. Rather than analyze LabMD’s liability under this new standard, the court “assumes arguendo that the Commission is correct and that LabMD’s negligent failure to design and maintain a reasonable data security program invaded consumers’ right of privacy and thus constituted an unfair act or practice.”

Thus, the court does not actually rely on the unfairness test it has set out, arguably rendering that entire analysis dicta.

Why Dicta?

What is going on here? I believe the court is suggesting how data security cases ought to be pled, even though it cannot require this standard under Section 5(n) – and perhaps would not want to, given the collateral effect on other types of unfairness cases.

The court clearly wanted to signal something through this exercise.  Otherwise, it would have been much easier to have assumed arguendo LabMD’s liability under the existing three prong consumer injury unfairness test contained in the FTC’s complaint.  Instead, the court constructs a new unfairness test, interprets the FTC’s complaint to match it, and then appears to render its unfairness analysis dicta.

So, what exactly is the court signaling? This new unfairness test is stricter than the Section 5(n) definition of unfairness, and thus any complaint that satisfies the LabMD test would also satisfy the statutory test.  Thus, perhaps the court seeks to encourage the FTC to plead data security complaints more strictly than legally necessary by including references to public policy.

Had the court applied its bespoke standard to find that LabMD was not liable, I think the FTC would have had no choice but to appeal the decision.  By upsetting 20+ years of unfairness law, the court’s analysis would have affected far more than just the FTC’s data security program.  The FTC brings many non-data security cases under its unfairness authority, including illegal bill cramming and unauthorized payment processing and other types of fraud where deception cannot adequately address the problem. The new  LabMD unfairness test would affect many such areas of FTC enforcement. But by assuming arguendo LabMD’s liability, the court may have avoided such effects and thus reduced the FTC’s incentive to appeal on these grounds.

Dicta or not, appeal or not, the LabMD decision has elevated unfairness’s “public policy” factor. Given the FTC’s misuse of that factor in the past, FTC watchers ought to keep an eye out.

—-

Last week’s LabMD decision will shape the constantly evolving data security policy environment.  At the Charles Koch Institute, we believe that a healthy data security policy environment will encourage permissionless innovation while addressing real consumer harms as they arise.  More broadly, we believe that innovation and technological progress are necessary to achieve widespread human flourishing.  And we seek to foster innovation-promoting environments through educational programs and academic grant-making.

“Responsible research and innovation,” or “RRI,” has become a major theme in academic writing and conferences about the governance of emerging technologies. RRI might be considered just another variant of corporate social responsibility (CSR), and it indeed borrows from that heritage. What makes RRI unique, however, is that it is more squarely focused on mitigating the potential risks that could be associated with various technologies or technological processes. RRI is particularly concerned with “baking-in” certain values and design choices into the product lifecycle before new technologies are released into the wild.

In this essay, I want to consider how RRI lines up with the opposing technological governance regimes of “permissionless innovation” and the “precautionary principle.” More specifically, I want to address the question of whether “permissionless innovation” and “responsible innovation” are even compatible. While participating in recent university seminars and other tech policy events, I have encountered a certain degree of skepticism—and sometimes outright hostility—after suggesting that, properly understood, “permissionless innovation” and “responsible innovation” are not warring concepts and that RRI can co-exist peacefully with a legal regime that adopts permissionless innovation as its general tech policy default. Indeed, the application of RRI lessons and recommendations can strengthen the case for adopting a more “permissionless” approach to innovation policy in the United States and elsewhere.

Definitional Ambiguities, Part 1: “Governance”

Before we can have a constructive conversation about these issues, however, we need to agree upon how narrowly or broadly we are defining some relevant terms, beginning with the word “governance.” When some hear the term “governance” their first reaction might be to think “government,” and formal legal and regulatory processes in particular. That is certainly one form of governance, but it is hardly the only one.

We often speak of the “governance” of corporations, schools, churches, other institutions, and even households. When we do, we usually do not mean government administration of these things; we are instead thinking of some other, more amorphous form of governance by a variety of individuals or groups. The “governance” of a company, for example, includes the interaction of shareholders, board members, corporate officials, workers, and so on. The “governance” of a church might involve clergy, the congregation, and sacred scriptures or traditions.  Household “governance” comes down to decisions made by parents and caretakers. And so on.

Thus, “governance” can certainly have the narrow connotation of being associated with formal regulatory enactments by governments, but it can also describe a much broader universe of norms and rules that are established and enforced by a wide variety of people (or groups of people) in a wide variety of ways.

When we consider questions of technological governance—and specifically the notion of “anticipatory governance,” which is prominent feature of RRI discussions—it helps to specify whether we are speaking of governance in a broad or narrow sense. Whether it is done consciously or not, in much of the literature, RRI scholars and advocates fail to make it clear what type of “governance” they are thinking of when proposing new forms of anticipatory technological governance.

Definitional Ambiguities, Part 2: “Precautionary Principle” & “Permissionless Innovation”

These distinctions are particularly important when we compare and contrast the “precautionary principle” and “permissionless innovation.” These concepts are most useful when viewed as governance dispositions or policy postures and they are usually—although not always—used in the narrow “governance” sense to describe one’s perspective on where legal and regulatory defaults should be set.

Even when applied narrowly, however, both terms are open to interpretation as applied in various policy contexts. For example, precaution could mean an outright prohibition on an innovative activity until such time as it had been proven safe (this is the way many FDA or FAA regulations work). But precaution might be imposed through somewhat less restrictive approaches, such as a set of government-established safety standards buttressed by a recall regime (think NHTSA or CPSC). Even less restrictive but still precautionary in orientation would be a mandatory labeling law or a government-led risk reduction educational campaign. In other words, there are probably as many flavors of the precautionary principle as there are flavors of ice cream.

For the longest time, both proponents and critics of the precautionary principle have failed to put a name on its opposing worldview or governance disposition. I have argued that, despite its uncertain origin and imprecise meaning, “permissionless innovation” provides a useful name for the antithesis of the precautionary principle.

As I noted in a recent speech at an Arizona State University law school conference on technological governance, critics of permissionless innovation sometimes like to imply that it is synonymous with anarchy. (In fact, a few people at that event leveled that accusation at me.) But I’ve written an entire book on this notion and surveyed countless essays and articles that cite the term, and I have never once seen any advocate of permissionless innovation going to such an extreme. In fact, those advocates often don’t even bother calling for the abolition of any laws, programs, or agencies. As I noted in my ASU talk, “most of those defenders of permissionless innovation are using the term as a sort of shorthand when what they really mean to say is something like: ‘give innovators a bit more breathing room,’ or, ‘don’t rush to regulate.’”

And so, as a policy posture, permissionless innovation really comes down to a preference for setting public policy defaults closer to green lights rather than red ones. In my own book on the subject, I defined the term as follows:

“Permissionless innovation refers to the notion that experimentation with new technologies and business models should generally be permitted by default. Unless a compelling case can be made that a new invention will bring serious harm to society, innovation should be allowed to continue unabated and problems, if any develop, can be addressed later.”

By contrast, the precautionary principle posture generally recommends keeping the light red until innovators can prove their new products and services are “safe,” however that is defined. But there are many points along the spectrum between these two policy postures. And if we can accept the idea that the “precautionary principle” and “permissionless innovation” act more as general governance dispositions instead of fixed and rigid edicts, then it is also easier to imagine how both of those dispositions can incorporate “responsible innovation” notions into their governance visions.

Definitional Ambiguities, Part 3: “Responsible Innovation”

But what exactly constitutes “responsible innovation”? Definitions of responsible research and innovation are still evolving, but a leading article on the subject by René von Schomberg from 2011 argues that it can be defined as:

“A transparent, interactive process by which societal actors and innovators become mutually responsive to each other with a view to the (ethical) acceptability, sustainability and societal desirability of the innovation process and its marketable products (in order to allow a proper embedding of scientific and technological advances in our society).”

A more streamlined definition was offered by Jack Stigloe, Richard Owen, and Phil Macnaghten in a 2013 article: “Responsible innovation means taking care of the future through collective stewardship of science and innovation in the present.” They also proposed four dimensions of responsible innovation—anticipation, reflexivity, inclusion and responsiveness—which they say “provide a framework for raising, discussing and responding to such questions.”

RRI Tools, a European consortium focused on promoting responsible innovation strategies, identifies the six core goals of RRI as: open access, gender equality in science, ethics, science education, governance, and public engagement. Other groups and individuals promoting RRI focus on privacy, safety, and security as crucial values that they hope to work into more product development processes early on.

As with “corporate social responsibility” before it, “responsible innovation” will remain a term that is open to varying interpretations and which can incorporate many distinct values that are context-dependent. What Milton Friedman said of CSR discussions in 1970—that they “are notable for their analytical looseness and lack of rigor”—continues to be somewhat true for both CSR and RRI circa 2017. Nonetheless, what both concepts hold in common is the belief that, whatever those “responsible” values are, they can be “baked in” to corporate decision-making and product design processes in an anticipatory fashion.

And while not everyone will agree on the contours of these concepts, practically speaking, I think we can expect both the CSR and RRI movement will continue to grow in coming years. That will be the case not only because of the pressures applied by various activists, stakeholders, and governments, but also because many companies and their consumers will demand more than just better products and greater profitability.

But Doesn’t RRI Necessitate the Precautionary Principle as a Policy Prerequisite?

But how precisely should RRI notions and recommendations influence policy deliberations over the future course of technological governance in the narrow sense of the term (i.e., more legalistic sense)? Here’s where things get more interesting.

The problem is that many of the advocates of RRI are seemingly more sympathetic to precautionary policy regimes and skeptical of the wisdom of permissionless innovation as a policy default. This is not always well-articulated in their writing. Instead, it is the attitude seemingly on display when I speak with RRI advocates or hear them deliver speeches.  Yet, most of these advocates just won’t ever let you nail them down on the point.

Some RRI advocates do come close to making that connection. In his seminal article, Rene von Schomberg argues that RRI, “can reduce the human cost of trial and error and make advantage of a societal learning process of stakeholders and technical innovators. It creates a possibility for anticipatory governance,” he says. “This should ultimately lead to products which are (more) societal robust.”

He then briefly raises the possibility of RRI informing the application of the precautionary principle in public policy debates:

“The precautionary principle works as an incentive to make safe and sustainable products and allow governmental bodies to intervene with Risk Management decisions (such as temporary licensing, case by case decision making etc) whenever necessary in order to avoid negative impacts.”

Yet, von Schomberg never really spells out the exact relationship between RRI and the precautionary principle as a matter of public policy .

Another leading article on the meaning of RRI by Grace Eden, Marina Jirotka, and Bernd Stahl, says that, “The RRI focus is more on mitigating wider societal long-term risks and so favors incremental rather than radical innovation.” That seems to suggest a closer connection between RRI and a formal application of the precautionary principle in policy deliberations about emerging technologies. They also speak of the “two very different approaches to problem solving (anticipatory vs. evidence-based),” which I have argued gets to the heart of the divergence between the precautionary principle and permissionless innovation policy paradigms. Yet, these authors do not dwell on this connection at length, and most of the rest of their article is focused on the ways in which RRI can (and already does) infuse product and service development processes outside of the realm of public policy.

In a 2015 Brookings Institution white paper about RRI, Walter D. Valdivia and David H. Guston offer a more concrete answer to this question when they insist that responsible innovation “is not a doctrine of regulation and much less an instantiation of the precautionary principle; the actions it recommends do not seek to slow down innovation because they do not constrain the set of options for researchers and businesses, they expand it.” They continue on to note that:

“[responsible innovation] considers innovation inherent to democratic life and recognizes the role of innovation in the social order and prosperity. It also recognizes that at any point in time, innovation and society can evolve down several paths and the path forward is to some extent open to collective choice. What RI pursues is a governance of innovation where that choice is more consonant with democratic principles.”

Here, finally, we have a better demarcation between the general notion of RRI and the formal application of the precautionary principle. But is that line really so bright? Do other RRI scholars agree with Valdivia and Guston about this separation between the “responsible innovation” movement and the formal application of the precautionary principle in the policy realm? And, finally, what is meant by “democratic life” and “democratic principles” in this context?

I suspect that many RRI advocates would read that last line from Valdivia and Guston above (“What RI pursues is a governance of innovation where that choice is more consonant with democratic principles.”) and suggest that it favors an embrace of the precautionary principle as the default position in emerging technology policy discussions. But, again, that remains open to debate because so much of the RRI literature lacks precision regarding the connection between these concepts.

How RRI Can be Compatible with Both Visions

Regardless, I would like to suggest that parties on both sides of this debate would be wise to divorce the concept of responsible innovation from their priors regarding optimal regulatory policy toward emerging technology. Properly understood, “responsible innovation” could be a feature of the “precautionary” vision, but it could also be compatible with the “permissionless” governance vision and resulting policy regimes. To reach that understanding, both sides will need to be open to learning from the other and willing to take their concerns seriously.

Advocates of RRI should understand that, just as CSR can do a great deal of good even in the absence of formal regulatory action, the same can be true of RRI, even in a policy regime in which permissionless innovation is the general default.

If, however, the first instinct among the RRI community is to consider advocates of permissionless innovation nothing more than a bunch of uncaring anarchists, they relinquish the opportunity to work with diverse parties to instill wise guidelines into technological development processes. This would be particularly misguided in an age when the so-called “Pacing Problem”—i.e., the growing gap between the introduction of new technologies and time it takes laws and regulations to adjust or be formulated in response—has become an ever-accelerating reality, making traditional “hard law” regulatory enactment increasingly difficult. If the RRI community wants to get any of the values that they care about incorporated into technological development processes, then they will need to be open to the idea that perhaps the only way to do so will be through less formal procedures precisely because law will likely lag so far behind marketplace developments.

Likewise, if the first instinct among the permissionless innovation advocates is to regard the RRI movement as little more than repackaged Ludditism, hell-bent on derailing all the great inventions of the future, then they are foolishly forgoing the chance to work with a diverse group of well-intentioned scholars and stakeholders who could ensure that new products and services gain more widespread acceptance and public trust. More practically, permissionless innovation advocates would be wise to accept the fact that, although technological innovation is generally outpacing the ability of government to keep up, that doesn’t mean most of the traditional regulatory regimes or agencies are going away any time soon. After all, can you name a technocratic law or regulatory body that has been liberalized or eliminated in recent memory? RRI offers a chance to forge a rough peace with agencies and officials who often just want to have a small say in how innovative processes are unfolding. Of course, if regulators seek to have a BIG say in those matters, then policy fights will no doubt ensue. But in my experience, this is less often the case than some defenders of permissionless innovation suggest.

Thus, advocates of permissionless innovation should understand that RRI is not synonymous with a formal precautionary principle-focused policy prescription and that “anticipatory governance” can mean something more generic and beneficial, so long as it does not come to mean the formal application of the precautionary principle as the public policy default.

We Are Already Going Down This Path

Perhaps I am being naïve to think this sort of common ground might exist. But the funny thing is that I know for a fact that it already does! RRI principles have been infusing various multistakeholder processes in the United States for many years now.

For example, here’s a paper I wrote back in 2009 about the various online safety task forces, blue ribbon commissions, and other collaborative efforts that were instilling “safety by design” principles into various online services and digital products. Meanwhile, “privacy by design” and “security by design” efforts are all the rage these days and a wide variety of best practices and codes of conduct have been established to make sure privacy and security values are baked-in to the product design process from the start.

Meanwhile, safety, security, and privacy best practices have increasingly been formulated by the U.S. Department of Commerce (the National Telecommunications and Information Administration in particular), the Federal Trade Commission, FDA, FCC, and the White House Office of Science and Technology Policy. These multistakeholder efforts and agency best practice reports have contained assorted “responsible innovation” principles for technologies as wide-ranging as: big data, artificial intelligence, the Internet of Things, facial recognition, online advertising, mobile phone privacy, mobile apps for kids, driverless cars, commercial drones, genetic testing, medical advertising on social media, 3D printed medical devices, medical device cybersecurity, nanotech, and much more. (I have a forthcoming paper in the works with Ryan Hagemann of the Niskanen Center in which we attempt to document many of these new “soft law” technological governance efforts. There have been so many of these efforts – many of which are still underway – that we are having a hard time cataloging them all!)

I am utterly perplexed why more RRI scholarship has not identified the many ways in which the principles they advocate already infuse multistakeholder processes such as these. Perhaps it is because those scholars feel that some of these multistakeholder processes fail to address the full range of issues or values that they feel are in play. But if you examine recent reports from these agencies and government bodies, I think you will come away quite impressed by the breadth of issues and concerns that they cover. Likewise, the values and best practices they discuss and/or recommend are exactly the sort of responsible innovation principles that the RRI movement cares about.

To some extent, therefore, RRI is already well-entrenched in the technology governance process, it’s just a bit messy. I think some RRI scholars probably fall prey to the old “Goldilocks myth” that we can get these principles just right with enough consideration and oversight. The reality on the ground is that instilling RRI values into the technological design process is a dynamic, iterative, and quite imprecise art.

In closing, there’s still more to the technological governance story that RRI advocates fail to incorporate into their work. To fully appreciate the many ways technological processes are constrained and corrected, they must take into account other governance forces and factors, including the role of:

• social norms and reputational effects (especially the growing importance of reputational feedback mechanisms);
• third-party accreditation and standards-setting bodies;
• courts and common law (including legal solutions like product liability, negligence, design defects law, failure to warn, breach of warranty, and other assorted torts and class action claims);
• insurance markets as risk calibrators and correctional mechanisms;
• federal and state consumer protection agencies (such as the FTC), which police “unfair and deceptive practices” and other harms; and
• media, academic institutions, non-profit advocacy groups, and the general public more generally, all of which can put pressure on technology developers.

Only by taking into account the full range of players and activities at work can we develop a more robust understanding of how technology is actually “governed” in our modern world. I suspect that many in the RRI community of scholars do appreciate these other factors, even though they don’t always account for all of them in their writing and advocacy. Then again, many of those advocates would perhaps decry the more remedial, ex post nature of these governance tools and insist that more ex ante anticipatory planning must be at the heart of technological design and development processes.

In reality, a mix of these two approaches is already at work today and will likely continue to dominate the governance process well into the future. So long as the anticipatory efforts don’t become formal regulatory proposals, there is no reason that this mix of “responsible innovation” governance tools and methods can’t be embraced by a diverse array of scholars and innovators.

Further Reading:

• Jack Stilgoe, Richard Owen, and Phil Macnaghten, “Developing a Framework for Responsible Innovation,” Research Policy, Vol. 42, No. 9 (2013): 1568–80.
• Rene Von Schomberg (ed.), Towards Responsible Research and Innovation in the Information and Communication Technologies and Security Technologies Fields, A Report from the European Commission Services, (Luxembourg: Publications Office of the European Union, 2011).
• Grace Eden, Marina Jirotka, and Bernd Stahl, “Responsible Research and Innovation,” (IEEE: 2013).
• Walter D. Valdivia and David H. Guston, “Responsible Innovation: A Primer for Policymakers,” Center for Technology Innovation at Brookings Institution, (May 2015),
• “Rethinking the Social Responsibility of Business,” A Reason debate featuring Milton Friedman, Whole Foods’ John Mackey, and Cypress Semiconductor’s T.J. Rodgers, Milton Friedman, John Mackey & T.J. Rodgers,Oct. 1, 2005.
• Milton Friedman, “The Social Responsibility of Business is to Increase its Profits,” The New York Times Magazine, September 13, 1970.
• Adam Thierer, “Wendell Wallach on the Challenge of Engineering Better Technology Ethics,” Technology Liberation Front, April 20, 2016.

Congress passed joint resolutions to rescind FCC online privacy regulations this week, which President Trump is expected to sign. Ignore the hyperbole. Lawmakers are simply attempting to maintain the state of Internet privacy law that’s existed for 20-plus years.

Since the Internet was commercialized in the 1990s, the Federal Trade Commission has used its authority to prevent “unfair or deceptive acts or practices” to prevent privacy abuses by Web companies and ISPs. In 2015, that changed. The Obama FCC classified “broadband Internet access service” as a common carrier service, thereby blocking the FTC’s authority to determine which ISP privacy policies and practices are acceptable.

Privacy advocates failed to convince the Obama FTC that de-identified browsing history is “sensitive” data. (The FTC has treated SSNs, medical information, financial information, precise location, etc. as “sensitive” for years and companies must handle these differently.) The FCC was the next best thing and in 2016 they convinced the FCC to say that browsing history is “sensitive data,” but it’s sensitive only when ISPs have it.

This has contributed to a regulatory mess for consumers and tech companies. Technological convergence is here. Regulatory convergence is not.

Consider a plausible scenario. I start watching an NFL game via Twitter on my tablet on Starbucks’ wifi. I head home at halftime and watch the game from my cable TV provider, Comcast. Then I climb into bed and watch overtime on my smartphone via NFL Mobile from Verizon.

One TV program, three privacy regimes. FTC guidelines cover me at Starbucks. Privacy rules from Title VI of the Communications Act cover my TV viewing. The brand-new FCC broadband privacy rules cover my NFL Mobile viewing and late-night browsing.

Other absurdities result from the FCC’s decision to regulate Internet privacy. For instance, if you bought your child a mobile plan with web filtering, she’s protected by FTC privacy standards, while your mobile plan is governed by FCC rules. Google Fiber customers are covered by FTC policies when they use Google Search but FCC policies when they use Yelp.

This Swiss-cheese approach to classifying services means that regulatory obligations fall haphazardly across services and technologies. It’s confusing to consumers and to companies, who need to write privacy policies based on artificial FCC distinctions that consumers disregard.

The House and Senate bills rescind the FCC “notice and choice” rules, which is the first step to restoring FTC authority. (In the meantime, the FCC will implement FTC-like policies.) 

Considering that these notice and choice rules have not even gone into effect, the rehearsed outrage from advocates demands explanation:  The theatrics this week are not really about congressional repeal of the (inoperative) privacy rules. Two years ago the FCC decided to regulate the Internet in order to shape Internet services and content. The leading advocates are outraged because FCC control of the Internet is slipping away. Hopefully Congress and the FCC will eliminate the rest of the Title II baggage this year.

The future of emerging technology policy will be influenced increasingly by the interplay of three interrelated trends: “innovation arbitrage,” “technological civil disobedience,” and “spontaneous private deregulation.” Those terms can be briefly defined as follows:

• “Innovation arbitrage” refers to the idea that innovators can, and will with increasingly regularity, move to those jurisdictions that provide a legal and regulatory environment more hospitable to entrepreneurial activity. Just as capital now fluidly moves around the globe seeking out more friendly regulatory treatment, the same is increasingly true for innovations. And this will also play out domestically as innovators seek to play state and local governments off each other in search of some sort of competitive advantage.
• “Technological civil disobedience” represents the refusal of innovators (individuals, groups, or even corporations) or consumers to obey technology-specific laws or regulations because they find them offensive, confusing, time-consuming, expensive, or perhaps just annoying and irrelevant. New technological devices and platforms are making it easier than ever for the public to openly defy (or perhaps just ignore) rules that limit their freedom to create or use modern technologies.
• “Spontaneous private deregulation” can be thought of as de facto rather than the de jure elimination of traditional laws and regulations owing to a combination of rapid technological change as well the potential threat of innovation arbitrage and technological civil disobedience. In other words, many laws and regulations aren’t being formally removed from the books, but they are being made largely irrelevant by some combination of those factors. “Benign or otherwise, spontaneous deregulation is happening increasingly rapidly and in ever more industries,” noted Benjamin Edelman and Damien Geradin in a Harvard Business Review article on the phenomenon.[1]

I have previously documented examples of these trends in action for technology sectors as varied as drones, driverless cars, genetic testing, Bitcoin, and the sharing economy. (For example, on the theme of global innovation arbitrage, see all these various essays. And on the growth of technological civil disobedience, see, “DOT’s Driverless Cars Guidance: Will ‘Agency Threats’ Rule the Future?” and “Quick Thoughts on FAA’s Proposed Drone Registration System.” I also discuss some of these issues in the second edition of my Permissionless Innovation book.)

In this essay, I want to briefly highlight how, over the course of just the past month, a single company has offered us a powerful example of how both global innovation arbitrage and technological civil disobedience— or at least the threat thereof—might become a more prevalent feature of discussions about the governance of emerging technologies. And, in the process, that could lead to at least the partial spontaneous deregulation of certain sectors or technologies. Finally, I will discuss how this might affect technological governance more generally and accelerate the movement toward so-called “soft law” governance mechanisms as an alternative to traditional regulatory approaches.

Comma.ai Case Study, Part 1: The Innovation Arbitrage Threat

The company I want to highlight is Comma.ai, a start-up that had hoped to sell a $999 after-market kit for vehicles called the “Comma One,” which “would give average, everyday cars autonomous functionality.”[2] Created by famed hacker George Hotz, who as a teenager gained notoriety for being the first person to unlock an iPhone in 2007, the Comma One represents an attempt to create autonomous vehicle tech “on the cheap” by using off-the-shelf cameras and GPS technology combined with a healthy dose of artificial intelligence technology.

But regulators at the National Highway Traffic Safety Administration (NHTSA), the federal agency responsible for road safety and automobile regulation, were none too happy to hear about Hotz’s plan to unleash his technology into the wild without first getting their blessing. On October 27, the agency fired off a nastygram to Hotz saying: “We are concerned that your product would put the safety of your customers and other road users at risk. We strongly encourage you to delay selling or deploying your product on the public roadways unless and until you can ensure it is safe.”

Hotz responded on Twitter promptly and angrily. After posting the full NHTSA letter, he said, “First time I hear from them and they open with threats. No attempt at a dialog.” In a follow-up tweet, he said, “Would much rather spend my life building amazing tech than dealing with regulators and lawyers. It isn’t worth it.” And then he announced that, “The comma one is cancelled. comma.ai will be exploring other products and markets. Hello from Shenzhen, China.” A flood of news articles followed about Hotz’s threat to engage in this sort of global innovation arbitrage by bolting US shores.[3]

Incidentally, what Hotz and Comma.ai were proposing to do with Comma One—i.e., deploy autonomous vehicle tech into the wild without prior regulatory approval—was recently done by Otto, a developer of autonomous trucking technology. As Mark Harris reported on Backchannel:

When Otto performed its test drive — the one shown in the May video — it did so despite a clear warning from Nevada’s Department of Motor Vehicles (DMV) that it would be violating the state’s autonomous vehicle regulations. When the DMV realized that Otto had gone ahead anyway, one official called the drive “illegal” and even threatened to shut down the agency’s autonomous vehicle program.”[4]

While Nevada regulators were busy firing off angry letters, Otto was busy doing even more testing in others states (like Ohio), which are eager to make their jurisdictions a testbed for autonomous vehicle innovation.[5] In fact, just recently, Ohio Gov. John Kasich announced the creation of the “Smart Mobility Corridor,” which, according to the Dayton Daily News, will be “a 35-mile stretch of U.S. 33 in central Ohio that runs through Logan County. Officials say that section of U.S. 33 will become a corridor where technologies can be safely tested in real-life traffic, aided by a fiber-optic cable network and sensor systems slated for installation next year.”[6]

This is an example of innovation arbitrage will increasingly take root here domestically as well as abroad, and some states (or countries) will use inducements in an effort to lure innovators to their jurisdictions.

Anyway, let’s get back to the Comma One case study. I don’t want to get too sidetracked regarding the merits of the concerns raised by NHTSA in its letter to Hotz and the implications of the agency’s threats for innovation in this space. But EFF board member Brad Templeton did a nice job addressing that issue in an essay about NHTSA’s letter that threatened Comma. As Templeton observed:

I will presume the regulators will say, “We only want to scare away dangerous innovation” but the hard truth is that is a very difficult thing to judge. All innovation in this space is going to be a bit dangerous. It’s all there trying to take the car — the 2nd most dangerous legal consumer product — and make it safer, but it starts from a place of danger. We are not going to get to safety without taking risks along the way.[7]

This gets to the very real trade-offs in play in the debate over driverless car technology and its regulation. In fact, my Mercatus Center colleague Caleb Watney and I recently filed comments [8] with NHTSA addressing the agency’s recently proposed “Federal Automated Vehicles Policy.”[9] We stressed the potentially deleterious implications of prior regulatory restraints on autonomous vehicle innovation by stressing the horrific real-world baseline we live with today, in which over 35,000 people dying on US roadways in 2015 (roughly 96 people per day) and 94 percent of all those crashes being attributable to human error.

Caleb and I noted that, by imposing new preemptive constraints on the coding of superior autonomous driving technology, “NHTSA’s proposed policy for automated vehicles may inadvertently increase the number of total automobile fatalities by delaying the rapid development and diffusion of this life-saving technology.” Needless to say, if that comes to pass, it would be a disaster because “automation on the roads could be the great public-health achievement of the 21st century.”[10]

In our filing, Caleb and I estimated that, “If NHTSA’s proposed premarket approval process slows the deployment of HAVs by 5 percent, we project an additional 15,500 fatalities over the course of the next 31 years. At 10 percent regulatory delay, we project an additional 34,600 fatalities over 33 years. And at 25 percent regulatory delay, we project an additional 112,400 fatalities over 40 years.[11]

So, needless to say, this is a very big deal.

But let’s ignore all those potential foregone benefits for the moment and just stick with the question of whether Hotz’s threat to engage in a bit of global innovation arbitrage (by moving to China or somewhere else) could work, or at least affect policy in some fashion. I think it absolutely could be an effective threat both because (a) policymakers really do want to do everything they can to achieve greater road safety, and (b) the auto sector remains a hugely important industry for the United States, and one that policymakers will want to do everything in their power to retain on our shores.

Moreover, as Templeton observes that “Comma is not the only company trying to build a system with pure neural networks doing the actual steering decisions.” Even if NHTSA succeeds in bringing Comma to heel, there will be others who will follow in its footsteps. It might be a firm like Otto, but there are many other players in this space today, including big dogs like Tesla and Google. If ever there was a truly global technology industry, it the automotive sector. Autonomous vehicle innovation could take root and blossom in almost any country in the world, and many countries will be waiting with open arms if America screws up its regulatory process.

As Templeton concludes:

The USA and California led the way in robocars in part because it was unregulated. In the USA, everything is permitted unless it was explicitly forbidden and nobody thought to write “no robots” in the laws. Progress in other countries where everything is forbidden unless it is permitted was much slower. The USA is moving in the wrong direction.[12]

Comma.ai Case Study, Part 2: The Technological Civil Disobedience Threat

But an interesting thing happened on the way to Comma’s threatened exodus. On November 30, the firm announced that it would now be open sourcing the code for its autonomous vehicle technology. Reporters at The Verge noted that, during a press conference:

Hotz said that Comma.ai decided to go open source in an effort to sidestep NHTSA as well as the California DMV, the latter of which he said showed up to his house on three separate occasions. “NHTSA only regulates physical products that are sold,” Hotz said. “They do not regulate open source software, which is a whole lot more like speech.” He went on to say that “if the US government doesn’t like this [project], I’m sure there are plenty of countries that will.”[13]

So here we see Hotz combining the threat of still potentially taking the project offshore (i.e., global innovation arbitrage) with the suggestion that by open-sourcing the code for Comma One he might be able to get around the law altogether. We might consider that an indirect form of technological civil disobedience.

Incidentally, Hotz may not be aware of the fact that NHTSA is in the process of making a power-play to become a driverless car code cop. While Hotz is technically correct that, under current law, NHTSA officials “do not regulate open source software, which is a whole lot more like speech,” NHTSA’s recent Federal Automated Vehicles Policy claimed that the agency “has authority to regulate the safety of software changes provided by manufacturers after a vehicle’s first sale to a consumer” while also suggesting that the agency “may need to develop additional regulatory tools and rules to regulate the certification and compliance verification of such post-sale software updates.”^[14]

Needless to say, this proposal has important ramifications for not only Comma, but all other firms in this sector. Consider the implications for Tesla’s “autopilot” mode, which is really little more than a string of constantly-evolving code it pushes out to offer greater and greater autonomous driving functionality.  How would that iterative process work if every time Tesla wanted to make a little tweak to its code it had to run to Washington and file paperwork with NHTSA petitioning for permission to experiment and improve their systems? And then think about all the smaller innovators out there who want to be the next Elon Musk or George Hotz but do not yet have the resources or political connections in Washington to even go through this complex and costly process.

In any event, I have no idea if Hotz or Comma.ai will follow through with any of these threats or be successful in doing so. It may be the case that he is just blowing off smoke and that he and his firm will end up staying in the U.S. and perhaps even later reversing course on the decision to open source the Comma code. But to the extent that innovators like Hotz even hint that they might split the country or open source their code to avoid burdensome regulatory regimes, it can have an influence on future policy decisions. Or at least it should.

New Tech Realities & Their Policy Implications

Indeed, the increasing prevalence of global innovation arbitrage and technological civil disobedience raise some interesting issues for the governance of emerging technologies going forward. The traditional regulatory stance toward many existing sectors and technologies will be challenged by these realities. That’s because most of those traditional regulatory systems are highly precautionary, preemptive, and prophylactic in character. They generally opt for policy solutions that are top-down, overly rigid, and bureaucratic.

Of course, in the past, many innovators (especially smaller scale entrepreneurs) really couldn’t do much to avoid similar regulatory systems where they existed. You either fell into line, or else! It wasn’t always clear what “or else!” would entail, but it could range from being denied a permit/license to operate, waiting months or years for rules to emerge, dealing with fines or other penalties, or some combination of all those things. Or perhaps you would just give up on your innovative idea altogether and exit the market.

But the world has changed in some important ways in recent years. Many of the underlying drivers of the digital revolution—massive increases in processing power, exploding storage capacity, steady miniaturization of computing, ubiquitous communications and networking capabilities, the digitization of all data, and more—are beginning to have a profound impact beyond the confines of cyberspace.^[15] As venture capitalist Marc Andreessen explained in a widely read 2011 essay about how “software is eating the world”:

More and more major businesses and industries are being run on software and delivered as online services—from movies to agriculture to national defense. Many of the winners are Silicon Valley-style entrepreneurial technology companies that are invading and overturning established industry structures. Over the next 10 years, I expect many more industries to be disrupted by software, with new world-beating Silicon Valley companies doing the disruption in more cases than not. Why is this happening now? Six decades into the computer revolution, four decades since the invention of the microprocessor, and two decades into the rise of the modern Internet, all of the technology required to transform industries through software finally works and can be widely delivered at global scale.^[16]

We can add to this list of a new realities the more general problem of technology accelerating at an unprecedented pace. This is what philosophers of technology call the “pacing problem.”  In his new book,  A Dangerous Master: How to Keep Technology from Slipping beyond Our Control, Wendell Wallach concisely defined the pacing problem as “the gap between the introduction of a new technology and the establishment of laws, regulations, and oversight mechanisms for shaping its safe development.” “There has always been a pacing problem,” Wallach correctly observed, but like other philosophers, he believes that modern technological innovation is accelerating much faster than it was in the past.[17]

What are the ramifications of all this for policy? As technology lawyer and consultant Larry Downes has noted, lawmaking in the information age is now inexorably governed by the “law of disruption” or the fact that “technology changes exponentially, but social, economic, and legal systems change incrementally.”[18] This law is “a simple but unavoidable principle of modern life,” he said, and it will have profound implications for the way businesses, government, and culture evolve. “As the gap between the old world and the new gets wider,” he argues, “conflicts between social, economic, political, and legal systems” will intensify and “nothing can stop the chaos that will follow.”[19]

The end result of the “law or disruption” and a world relentlessly governed by the ever-accelerating “pacing problem” is that it will be harder than ever to effectively control emerging technologies using traditional legal and regulatory systems and mechanisms. And this makes it even more likely that the related threats of global innovation arbitrage and various forms of technological civil disobedience will become more regular fixtures in debates about many emerging technologies.

New Governance Models

How one reacts to these new realities will depend upon their philosophical disposition toward innovative activities more generally.

Consider first those adhering to a more “precautionary principle” mindset, which I have defined in my recent book as those who believe “that new innovations should be curtailed or disallowed until their developers can prove that they will not cause any harm to individuals, groups, specific entities, cultural norms, or various existing laws, norms, or traditions.”[20]

Needless to say, the precautionary principle crowd with be dismayed by these new trends and perhaps even decry them as “lawlessness.” Some of these folks seem to be in denial about these new realities and pretend that nothing much has changed. Yet, I have found that most precautionary principle-oriented advocates, and even many regulatory agencies themselves, tend to acknowledge these new realities. But they remain very uncertain about how best to respond to them, often just suggesting that we’ll all need to just try harder to impose new and better regulations on a more expedited or streamlined basis.

Of course, those of us who generally embrace the alternative policy vision for technological governance—“permissionless innovation”—are going to be more accepting of the new technological realities I have described, and we will perhaps even work to defend and encourage them. But while I count myself among this crowd, we cannot ignore the fact that many serious challenges will arise when innovation outpaces law or can easily evade it.

There is some middle ground here, although it is very messy middle ground.

The era of technocratic, top-down, one-size-fits-all regulatory regimes is fading, or at least being severely strained. We will instead need to craft flexible and adaptive policies going forward that are bottom-up, flexible, and evolutionary in character.

What that means in practice is that a lot more “soft law” and informal governance mechanisms will become the new norm. I wrote about this new policy environment in my recent essay, “DOT’s Driverless Cars Guidance: Will ‘Agency Threats’ Rule the Future?” as well as this lengthy review of Wendell Wallach’s latest book about technology ethics.  Along with Gary Marchant of the Arizona State University law school, Wallach recently published an excellent book chapter on “Governing the Governance of Emerging Technologies,” which discussed these soft law mechanisms, which include: “codes of conduct, statements of principles, partnership programs, voluntary programs and standards, certifications programs and private industry initiatives.”[21]

Their chapter appears in an important collection of essays that Gary Marchant edited with Kenneth W. Abbott and Braden Allenby entitled, Innovative Governance Models for Emerging Technologies.

What is interesting about the chapters in that book is that seemingly widespread consensus now exists among experts in this field that some combination of these soft law mechanisms are likely to become the primary mode of technological governance for the indefinite future.  This is because, as Marc A. Saner points out in a different chapter of that book, “the control paradigm is too limited to address all the issues that arise in the context of emerging technologies.”[22] By the control paradigm, he generally means traditional administrative regulatory agencies and processes. He and other contributors in the book all seem to agree that the control problem paradigm “has its limits when diffusion, pacing and ethical issues associated with emerging technologies become significant, as is often the case.”[23]

And so the traditional command-and-control ways will gradually give way to a new paradigm for emerging technology governance. In fact, as I noted in my recent essay on driverless cars, we see this happening quite a bit already. “Multistakeholder processes” are already all the rage in the world of emerging technologies and their governance. In recent years, we have seen the White House and various agencies (such as the FTC, NTIA, FDA, and others) craft multistakeholder agreements or best practice guidance documents for technologies as far ranging as:

• Drones & privacy
• Sharing economy
• Internet of Things
• Driverless cars
• Big data
• Artificial intelligence
• Cross-device tracking
• Native advertising
• Online data collection
• Mobile app transparency and security
• Mobile apps for kids
• Mobile medical apps
• Online health advertising
• 3D printing
• Facial recognition

And that list is not comprehensive. I know I am missing other multistakeholder efforts, best practices, or industry guidance documents that have been crafted in recent years.

Of course, many challenging issues need to be sorted out here, most notably: how transparent and accountable will these soft law systems be in practice? How will they be enforced? And what will happen to all those existing laws, regs, and agencies that will continue to exist? More generally, it is worth asking whether we can more closely study these various multistakeholder arrangements and soft law governance mechanisms and determine if there are certain principles or strategies that could be applicable across a wide class of technologies and sectors. In other words, can we a do a better job of “formalizing the informal,” without falling right back into the trap of trying to impose rules in a rigid, top-down, one-size-fits-all fashion?

Conclusion

Those are just a few of the hard questions we will need to consider going forward. For now, however, I think it is safe to conclude that we will no longer see much “law” being made for emerging technologies, at least not in the traditional sense of the term. Thanks to the new technological realities I have described here—and the relentless reality of the “pacing problem” more generally—I believe we are witnessing a wide-ranging and quite profound transformation in how technology is governed in our modern world. And I believe this movement away from traditional “hard law” and toward “soft law” governance mechanisms is likely to accelerate due to the increasing prevalence of innovation arbitrage, technological civil disobedience, and spontaneous private deregulation.

The ramifications of this transformation will be studied by philosophers, legal theorists, and political scientists for many decades to come. But we are still in the early years of this momentous transformation in technological governance and we will continue to struggle to figure out how to make it all work, as messy as it all may be.

[ Note: This essay is condensed from a manuscript I have been working on about The Rise of Technological Civil Disobedience. I’m not sure I will ever get around to finishing it, however, so I thought I would at least post this piece for now. In a subsequent essay, which is also part of that draft manuscript, I hope to discuss how this process might play out for technologies that are “born free” versus those that are “born in captivity.” That is, how likely is it that the trends I discuss here will take hold for technologies that have no pre-existing laws or agencies, while other technologies that are born into a regulatory environment are potentially doomed to be pigeonholed into those old regulatory regimes? What are the chances that the latter technologies can escape captivity and gain the freedom the other technologies already enjoy? How might technology-enabled “spontaneous private deregulation” be accelerated for those sectors? Is that always desirable? Again, I will leave these questions for another day. Scholars and students who are interested in these topics can feel free to contact me if they are interested in discussing them as well as potential paper ideas. Regardless of how you feel about these trends, these issues are ripe for intellectual exploration.]

[1]     Benjamin Edelman and Damien Geradin, “Spontaneous Deregulation,” Harvard Business Review, April 2016, https://hbr.org/2016/04/spontaneous-deregulation.

[2]     Megan Geuss, “After mothballing Comma One, George Hotz releases free autonomous car software,” Ars Technica, November 30, 2016, http://arstechnica.com/cars/2016/11/after-mothballing-comma-one-george-hotz-releases-free-autonomous-car-software.

[3]     See: “NHTSA Scared This Self-Driving Entrepreneur Off the Road,” Bloomberg Technology, October 28, 2016, https://www.bloomberg.com/news/articles/2016-10-28/nhtsa-scared-this-self-driving-entrepreneur-off-the-road; Sean O’Kane, “George Hotz cancels his self-driving car project after NHTSA expresses concern,” The Verge, October 28, 2016, http://www.theverge.com/2016/10/28/13453344/comma-ai-self-driving-car-comma-one-kit-canceled; Brad Templeton, “Comma.ai cancels comma-one add-on box after threats from NHTSA,” Robohub, October 31, 2016, http://robohub.org/comma-ai-cancels-comma-one-add-on-box-after-threats-from-nhtsa.

[4]     Mark Harris, “How Otto Defied Nevada and Scored a $680 Million Payout from Uber,” Backchannel, November 28, 2016,  https://backchannel.com/how-otto-defied-nevada-and-scored-a-680-million-payout-from-uber-496aa07f5ba2#.9rmtb29bl

[5]     Larry E. Hall, “Otto Self-Driving Truck Tests in Ohio; Violated Nevada Regulations,” Hybrid Cars, November 29, 2016, http://www.hybridcars.com/otto-self-driving-truck-tests-in-ohio-violated-nevada-regulations.

[6]     Kara Driscoll, “Ohio to create ‘smart’ road for driverless trucks,” Dayton Daily News, November 30, 2016, http://www.daytondailynews.com/business/ohio-create-smart-road-for-driverless-trucks/25qC7uYjz9rE96q6YFVUUK.

[7]     Brad Templeton, “Comma.ai cancels comma-one add-on box after threats from NHTSA,” Robohub, October 31, 2016, http://robohub.org/comma-ai-cancels-comma-one-add-on-box-after-threats-from-nhtsa/

[8]     Adam Thierer and Caleb Watney, “Comment on the Federal Automated Vehicles Policy,” November 22, 2016, https://www.researchgate.net/publication/311065194_Comment_on_the_Federal_Automated_Vehicles_Policy.

[9]     National Highway Traffic Safety Administration (NHTSA), Federal Automated Vehicles Policy, September 2016.

[10]   Adrienne LaFrance, “Self-Driving Cars Could Save 300,000 Lives per Decade in America,” Atlantic, September 29, 2015

[11]   Adam Thierer and Caleb Watney, “Comment on the Federal Automated Vehicles Policy,” November 22, 2016, https://www.researchgate.net/publication/311065194_Comment_on_the_Federal_Automated_Vehicles_Policy.

[12]   Templeton.

[13]   Sean O’Kane and Lauren Goode, “George Hotz is giving away the code behind his self-driving car project,” The Verge, November 30, 2016, http://www.theverge.com/2016/11/30/13779336/comma-ai-autopilot-canceled-autonomous-car-software-free.

^[14]   NHTSA, Federal Automated Vehicles Policy, 76.

[15]   Adam Thierer, Jerry Brito, and Eli Dourado, “Technology Policy: A Look Ahead,” Technology Liberation Front, May 12, 2014, http://techliberation.com/2014/05/12/technology-policy-a-look-ahead.

[16]   Marc Andreessen, “Why Software Is Eating the World,” Wall Street Journal, August 20, 2011, http://www.wsj.com/articles/SB10001424053111903480904576512250915629460.

[17]   Wendell Wallach, A Dangerous Master: How to Keep Technology from Slipping beyond Our Control (New York: Basic Books, 2015), 60.

[18]   Larry Downes, The Laws of Disruption: Harnessing the New Forces That Govern Life and Business in the Digital Age 2 (2009).

[19]   Id.

[20]   Thierer, Permissionless Innovation, at 1.

[21]   Gary E. Marchant and Wendell Wallach, “Governing the Governance of Emerging Technologies,” in Gary E. Marchant, Kenneth W. Abbott & Braden Allenby (eds.), Innovative Governance Models for Emerging Technologies (Cheltenham, UK: Edward Elgar, 2013), 136.

[22]   Marc A. Saner,  “The Role of Adaptation in the Governance of Emerging Technologies,” in Gary E. Marchant, Kenneth W. Abbott & Braden Allenby (eds.), Innovative Governance Models for Emerging Technologies (Cheltenham, UK: Edward Elgar, 2013), 106.

[23]   Ibid., at 94.

Wallach’s latest book is entitled, A Dangerous Master: How to Keep Technology from Slipping beyond Our Control. And, as I’ve noted here recently, the greatly expanded second edition of my latest book, Permissionless Innovation: The Continuing Case for Comprehensive Technological Freedom, has just been released.

Of all the books of technological criticism or skepticism that I’ve read in recent years—and I have read stacks of them!— A Dangerous Master is by far the most thoughtful and interesting. I have grown accustomed to major works of technological criticism being caustic, angry affairs. Most of them are just dripping with dystopian dread and a sense of utter exasperation and outright disgust at the pace of modern technological change.

Although he is certainly concerned about a wide variety of modern technologies—drones, robotics, nanotech, and more—Wallach isn’t a purveyor of the politics of panic. There are some moments in the book when he resorts to some hyperbolic rhetoric, such as when he frets about an impending “techstorm” and the potential, as the book’s title suggests, for technology to become a “dangerous master” of humanity. For the most part, however, his approach is deeper and more dispassionate than what is found in the leading tracts of other modern techno-critics.

Many Questions, Few Clear Answers

Wallach does a particularly good job framing the major questions about emerging technologies and their effect on society. “Navigating the future of technological possibilities is a hazardous venture,” he observes. “It begins with learning to ask the right questions—questions that reveal the pitfalls of inaction, and more importantly, the passageways available for plotting a course to a safe harbor.” (p. 7) Wallach then embarks on a 260+ page inquiry that bombards the reader with an astonishing litany of questions about the wisdom of various forms of technological innovation—both large and small. While I wasn’t about to start an exact count, I would say that the number of questions Wallach poses in the book runs well into the hundreds. In fact, many paragraphs of the book are nothing but an endless string of questions.

Thus, if there is a primary weakness with A Dangerous Master, it’s that Wallach spends so much time formulating such a long list of smart and nuanced questions that some readers may come away disappointed when they do not find equally satisfying answers. On the other hand, the lack of clear answers is also completely understandable because, as Wallach notes, there really are no simple answers to most of these questions.

Just Slow Down!

Moving on to substance, let me make clear where Wallach and I generally see eye-to-eye and where we part ways.

Generally speaking, we agree about the need to come up with better “soft governance” systems for emerging technologies, which might include multistakeholder process, developer codes of conduct, sectoral self-regulation, sensible liability rules, and so on. (More on those strategies in a moment.)

But while we both believe it is wise to consider how we might “bake-in” better ethics and norms into the process of technological development, Wallach seems much more inclined than me to expect that we will be able to pre-ordain (or potentially require?) all this happens before much of this experimentation and innovation actually moves forward. Wallach opens by asking:

Determining when to bow to the judgment of experts and whether to intervene in the deployment of a new technology is certainly not easy. How can government leaders or informed citizens effectively discern which fields of research are truly promising and which pose serious risks? Do we have the intelligence and means to mitigate the serious risks that can be anticipated? How should we prepare for unanticipated risks? (p. 6)

Again, many good questions here! But this really gets to the primary difference between Wallach’s preferred approach and my own: I tend to believe that many of these things can only be worked out through ongoing trial and error, the constant reformulation of the various norms that govern the process of innovation, and the development of sensible ex post solutions to some of the most difficult problems posed by turbulent technological change.

By contrast, Wallach’s generally attitude toward technological evolution is probably best summarized by the phrases: “Slow down!” and, “Let’s have a conversation about it first!” As he puts it in his own words: “Slowing down the accelerating adoption of technology should be done as a responsible means to ensure basic human safety and to support broadly shared values.” (p. 13)

But I tend to believe that it’s not always possible to preemptively determine which innovations to slow down, or even how to determine what those “shared values” are that will help us make this determination. More importantly, I worry that there are very serious potential risks and unintended consequences associated with slowing down many forms of technological innovation, which could improve human welfare in important ways. There can be no prosperity, after all, without a certain degree of risk-taking and disruption.

Getting Out Ahead of the Pacing Problem

Yet, what concerns Wallach most is the much-discussed issue from the field of the philosophy of technology, the so-called “pacing problem.” Wallach concisely defines the pacing problem as “the gap between the introduction of a new technology and the establishment of laws, regulations, and oversight mechanisms for shaping its safe development.” (p. 251) “There has always been a pacing problem,” he notes, but he is concerned that technological innovation—especially highly disruptive and potentially uncontrollable forms of innovation—is now accelerating at an absolutely unprecedented pace.

(Just as an aside for all the philosophy nerds out there…  Such a rigid belief in the “pacing problem” represents a techno-deterministic viewpoint that is, ironically, sometimes shared by technological skeptics like Wallach as well as technological optimists like Larry Downes and even many in the middle of this debate, like Vivek Wadhwa. See, for example, The Laws of Disruption by Downes and “Laws and Ethics Can’t Keep Pace with Technology” by Wadhwa. Although these scholars approach technology ethics and politics quite differently, they all seem to believe that the pace of modern technological change is so relentless as to almost be an unstoppable force of nature. I guess the moral of the story is that, to some extent, we’re all technological determinists now!)

Despite his repeated assertions that modern technologies are accelerating at such a potentially uncontrollable pace, Wallach nonetheless hopes we can achieve some semblance of control over emerging technologies before they reach a critical “inflection point.” In the study of history and science, an inflection point generally represents a moment when a situation and trend suddenly changes in a significant way and things begin moving rapidly in a new direction. These inflections points can sometimes develop quite abruptly, ushering in major changes by creating new social, economic, or political paradigms. As it relates to technology in particular, inflection points can refer to the moment with a particular technology achieves critical mass in terms of adoption or, more generally, to the time when that technology begins to profoundly transform the way individuals and institutions act.

Another related concept that Wallach discusses is the so-called “Collingridge dilemma,” which refers to the notion that it is difficult to put the genie back in the bottle once a given technology has reached a critical mass of public adoption or acceptance. The concept is named after David Collingridge, who wrote about this in his 1980 book, The Social Control of Technology. “The social consequences of a technology cannot be predicated early in the life of the technology,” Collingridge argued. “By the time undesirable consequences are discovered, however, the technology is often so much part of the whole economics and social fabric that its control is extremely difficult.”

On “Having a Discussion” & Coming Up with “a Broad Plan”

These related concepts of inflection points and the Collingridge dilemma constitute the operational baseline of Wallach’s worldview. “In weighing speedy development against long-term risks, speedy development wins,” he worries. “This is particularly true when the risks are uncertain and the perceived benefits great.” (p. 85)

Consequently, throughout his book, Wallach pleads with us to take what I will call Technological Time Outs. He says we need to pause at times so that we can have “a full public discussion” (p. 13) and make sure there is a “broad plan in place to manage our deployment of new technologies” (p. 19) to make sure that innovation happens only at “a humanly manageable pace” (p. 261) “to fortify the safety of people affected by unpredictable disruptions.” (p. 262) Wallach’s call for Technological Time Outs is rooted in his belief that “the accelerating pace [of modern technological innovation] undermines the quality of each of our lives.” (p. 263)

That is Wallach’s weakest assertion in the book and he doesn’t really offer much evidence to prove that the velocity of modern technological is hurting us rather than helping us, as many of us believe. Rather, he treats it as a widely accepted truism that necessitates some sort of collective effort to slow things down if the proverbial genie is about to exit the bottle, or to make sure those genies don’t get out of their bottles without a lot of preemptive planning regarding how they are to be released into the world. In the following passage on pg. 72, Wallach very succinctly summarizes his approach recommended throughout A Dangerous Master:

this book will champion the need for more upstream governance: more control over the way that potentially harmful technologies are developed or introduced into the larger society. Upstream management is certainly better than introducing regulations downstream, after a technology is deeply entrenched or something major has already gone wrong. Yet, even when we can access risks, there remain difficulties in recognizing when or determining how much control should be introduced. When does being precautionary make sense, and when is precaution an over-reaction to the risks? (p. 72)

Those who have read my Permissionless Innovation book will recall that I open by framing innovation policy debates in almost exactly the same way as Wallach suggests in that last line above. I argue in the first lines of my book that:

The central fault line in innovation policy debates today can be thought of as ‘the permission question.’  The permission question asks: Must the creators of new technologies seek the blessing of public officials before they develop and deploy their innovations? How that question is answered depends on the disposition one adopts toward new inventions and risk-taking, more generally.  Two conflicting attitudes are evident. One disposition is known as the ‘precautionary principle.’ Generally speaking, it refers to the belief that new innovations should be curtailed or disallowed until their developers can prove that they will not cause any harm to individuals, groups, specific entities, cultural norms, or various existing laws, norms, or traditions. The other vision can be labeled ‘permissionless innovation.’ It refers to the notion that experimentation with new technologies and business models should generally be permitted by default. Unless a compelling case can be made that a new invention will bring serious harm to society, innovation should be allowed to continue unabated and problems, if any develop, can be addressed later.

So, by contrasting these passages, you can see what I am setting up here is a clash of visions between what appears to be Wallach’s precautionary principle-based approach versus my own permissionless innovation-focused worldview.

How Much Formal Precaution?

But that would be a tad bit too simplistic because just a few paragraphs after Wallach makes the statement just above about “upstream management” being superior to ex post solutions formulated “after a technology is deeply entrenched,” Wallach begins slowly backing away from an overly-rigid approach to precautionary principle-based governance of technological processes and systems.

He admits, for example, that “precautionary measures in the form of regulations and governmental oversight can slow the development of research whose overall society impact will be beneficial,” (p. 26) and that can “be costly” and “slow innovation.” For countries, Wallach admits, this can have real consequences because “Countries with more stringent precautionary policies are at a competitive disadvantage to being the first to introduce a new tool or process.” (p. 74)

So, he’s willing to admit that what we might call a hard precautionary principle usually won’t be sensible or effective in practice, but he is far more open to soft precaution. But this is where real problems begin to develop with Wallach’s approach, and it presents us with a chance to turn the tables on him a bit and begin posing some serious questions about his vision for governing technology.

Much of what follows below are my miscellaneous ramblings about the current state of the intellectual dialogue about tech ethics and technological control efforts. I have discussed these issues at greater length in my new book as well as a series of essays here in past years, most notably: “On the Line between Technology Ethics vs. Technology Policy; “What Does It Mean to “Have a Conversation” about a New Technology?”; and, “Making Sure the “Trolley Problem” Doesn’t Derail Life-Saving Innovation.”

As I’ve argued in those and other essays, my biggest problem with modern technological criticism is that specifics are in scandalously short supply in this field! Indeed, I often find the lack of details in this arena to be utterly exasperating. Most modern technological criticism follows a simple formula:

TECHNOLOGY –>> POTENTIAL PROBLEMS –>> DO SOMETHING!

But almost all the details come in the discussion about the nature of the technology in question and the apparent many problems associated with it. Far, far less thought goes into the “DO SOMETHING!” part of the critics’ work. One reason for that is probably self-evident: There are no easy solutions. Wallach admits as much at many junctures throughout the book. But that doesn’t excuse the need for the critics to give us a more concrete blueprint for identifying and then potentially rectifying the supposed problems.

Of course, the other reason that many critics are short of specifics is because what they really mean when they quip how much we need to “have a conversation” about a new disruptive technology is that we need to have a conversation about stopping that technology.

Where Shall We Draw the Line between Hard and Soft Law?

But this is what I found most peculiar about Wallach’s book: He never really gives us a good standard by which to determine when we should look to hard governance (traditional top-down regulation) versus soft governance (more informal, bottom-up and non-regulatory approaches).

On one hand, he very much wants society to exercise greatly restraint and precaution when it comes to many of the technologies he and others worry about today. Again, he’s particularly concerned about the potential runaway development and use of drones, genetic editing, nanotech, robotics, and artificial intelligence. For at least one class of robotics—autonomous military robots—Wallach does call for immediate policy action in the form of an Executive Order to ban “killer” autonomous systems. (Incidentally, there’s also a major effort underway called the “Campaign to Stop Killer Robots” that aims to make such a ban part of international law through a multinational treaty.)

But Wallach also acknowledges the many trade-offs associated with efforts to preemptively controls on robotics and other technology. Perhaps for that reason, Wallach doesn’t develop a clear test for when the Precautionary Principle should be applied to new forms of innovation.

Clearly there are times when it is appropriate, although I believe it is only in an extremely narrow subset of cases. In the 2 ^nd Edition of my Permissionless Innovation book, I tried to offer a rough framework for when formal precautionary regulation (i.e., highly-restrictive policy defaults are necessary, such as operational restrictions, licensing requirements, research limitations, or even formal bans) might be necessary. I do not want to interrupt the flow of this review of Wallach’s book too much, so I have decided to just cut-and-paste that portion of Chapter 3 of my book (“When Does Precaution Make Sense?”) down below as an appendix to this essay.

The key takeaway of that passage from my book is that all of us who study innovation policy and the philosophy of technology—Wallach, myself, the whole darn movement—have done a remarkably poor job being specific about precisely when formal policy precaution is warranted. What is the test? All too often, we get lazy and apply what we might call an “I-Know-It-When-I-See-It” standard. Consider the possession of bazookas, tanks, and uranium. Almost all of us would agree that citizens should not be allowed to possess or use such things. Why? Well, it seems obvious, right? They just shouldn’t! But what is the exact standard we use to make that determination.

In coming years, I plan on spending a lot more time articulating a better test by which Precautionary Principle-based policies could be reasonably applied. Those who know me may be taken aback by what I just said. After all, I’ve spend many years explaining why Precautionary Principle-based thinking threatens human prosperity and should be rejected in the vast majority of cases. But that doesn’t excuse the lack of a serious and detailed exploration of the exact standard by which we determine when we should impose some limits on technological innovation.

Generally speaking, while I strongly believe that “permissionless innovation” should remain the policy default for most technologies, there certainly exists some scenarios where the threat of harm associated with a new innovation might be highly probable, tangible, immediate, irreversible, and catastrophic in nature. If so, that could qualify it for at least a light version of the Precautionary Principle. In a future paper or book chapter I’m just now starting to research, I hope to fuller develop those qualifiers and formulate a more robust test around them.

I would have very much liked to see Wallach articulate and defend a test of his own for when formal precaution would make sense. And, by extension, when should we default to soft precaution, or soft law and informal governance mechanisms for emerging technologies.

We turn to that issue next.

Toward Soft Governance & the Engineering of Better Technological Ethics

Even though Wallach doesn’t provide us with a test for determining when precaution makes sense or when we should instead default to soft governance, he does a much better job explaining the various models of soft law or informal governance that might help us deal with the potential negative ramifications of highly disruptive forms of technological change.

What Wallach proposes, in essence, is that we bake a dose of precautionary directly into the innovation process through a wide variety of informal governance/oversight mechanisms. “By embedding shared values in the very design of new tools and techniques, engineers improve the prospect of a positive outcome,” he claims. “The upstream embedding of shared values during the design process can ease the need for major course adjustments when it’s often too late.” (p. 261)

Wallach’s favored instrument of soft governance is what he refers to as “Governance Coordinating Committees” (GCCs). These Committees would coordinate “the separate initiatives by the various government agencies, advocacy groups, and representatives of industry” who would serve as “issue managers for the comprehensive oversight of each field of research.” (p. 250) He elaborates and details the function of GCCs as follows:

These committees, led by accomplished elders who have already achieved wide respect, are meant to work together with all the interested stakeholders to monitor technological development and formulate solutions to perceived problems. Rather than overlap with or function as a regulatory body, the committee would work together with existing institutions. (p. 250-51)

Wallach discussed the GCC idea in much greater detail in a 2013 book chapter he penned with Gary E. Marchant for a collected volume of essays on Innovative Governance Models for Emerging Technologies. (I highly recommend you pick up that book if you can afford it! Many terrific essays in that book on these issues.) In their chapter, Marchant and Wallach specify some of the soft law mechanisms we might use to instill a bit of precaution preemptively. These mechanisms include: “codes of conduct, statements of principles, partnership programs, voluntary programs and standards, certification programs and private industry initiatives.”

If done properly, GCCs could provide exactly the sort of wise counsel and smart recommendations that Wallach desires. In my book and many law review articles on various disruptive technologies, I have endorsed many of the ideas and strategies Wallach identifies. I’ve also stressed the importance of many other mechanisms, such as education and empowerment-based strategies that could help the public learn to cope with new innovations or use them appropriately. In addition, I’ve highlighted the many flexible, adaptive ex post remedies that can help when things go wrong. Those mechanisms include common law remedies such as product defects law, various torts, contract law, property law, and even class action lawsuits. Finally, I have written extensively about the very active role played by the Federal Trade Commission (FTC) and other consumer protection agencies, which have broad discretion to police “unfair and deceptive practices” by innovators.

Moreover, we already have a quasi-GCC model developing today with the so-called “multistakeholder governance” model that is often used in both informal and formal ways to handle many emerging technology policy issues.  The Department of Commerce (the National Telecommunications and Information Administration in particular) and the FTC have already developed many industry codes of conduct and best practices for technologies such as biometrics, big data, the Internet of Things, online advertising, and much more. Those agencies and others (such as the FDA and FAA) are continuing to investigate other codes or guidelines for things like advanced medical devices and drones, respectively. Meanwhile, I’ve heard other policymakers and academics float the idea of “digital ombudsmen,” “data ethicists,” and “private IRBs” (institutional review boards) as other potential soft law solutions that technology companies might consider. Perhaps going forward, many tech firms will have Chief Ethical Officers just as many of them today have Chief Privacy Officers or Chief Security Officers.

In other words, there’s already a lot of “soft law” activities going on in this space. And I haven’t even begun an inventory of the many other bodies or groups that already exist in each sector today that has set forth their own industry self-regulatory codes, but they exist in almost every field that Wallach worries about.

So, I’m not sure how much his GCC idea will add to this existing mix, but I would not be opposed to them playing the sort of coordinating “issue manager” role he describes. But I still have many questions about GCC’s, including:

• How many of them are needed and how we will know which one is the definitive GCC for each sector or technology?
• If they are overly formal in character and dominated by the most vociferous opponents of any particular technology, a real danger exists that a GCC could end up granting a small cabal a “heckler’s veto” over particular forms of innovation.
• Alternatively, the possibility of “regulatory capture” could be a problem for some GCCs if incumbent companies come to dominate their membership.
• Even if everything went fairly smoothly and the GCCs produced balanced reports and recommendations, future developers might wonder if and why they are to be bound by older guidelines.
• And if those future developers choose not to play by the same set of guidelines, what’s the penalty for non-compliance?
• And how are such guidelines enforced in a world where what I’ve called “global innovation arbitrage” is an increasing reality?

Challenging Questions for Both Hard and Soft Law

To summarize, whether we are speaking of “hard” or “soft” law approaches to technological governance, I am just not nearly as optimistic as Wallach seems to be that we will be able to find consensus on these three things:

(1) what constitutes “harm” in many of these circumstances;

(2) which “shared values” should prevail when “society” debates the shaping of ethics or guiding norms for emerging technologies but has highly contradictory opinions about those values (consider online privacy as a good example, where many people enjoy hyper-sharing while other demand hyper-privacy); and,

(3) that we can create a legitimate “governing body” (or bodies) that will be responsible for formulating these guidelines in a fair way without completely derailing the benefits of innovation in new fields and also remaining relevant for very long.

Nonetheless, as he and others have suggested, the benefit of adopting a soft law/informal governance approach to these issues is that it at least seeks to address these questions in more flexible and adaptive fashion. As I noted in my book, traditional regulatory systems “tend to be overly rigid, bureaucratic, inflexible, and slow to adapt to new realities. They focus on preemptive remedies that aim to predict the future, and future hypothetical problems that may not ever come about. Worse yet, administrative regulation generally preempts or prohibits the beneficial experiments that yield new and better ways of doing things.” ( Permissionless Innovation, p. 120)

So, despite the questions I have raised here, I welcome the more flexible soft law approach that Wallach sets forth in his book. I think it represents a far more constructive way forward when compared to the opposite “top-down” or “command-and-control” regulatory systems of the past. But I very much want to make sure that even these new and more flexible soft law approaches leave plenty of breathing room for ongoing trial-and-error experimentation with new technologies and systems.

Conclusion

In closing, I want to reiterate that not only did I appreciate the excellent questions raised by Wendell Wallach in A Dangerous Master, but I take them very seriously. When I sat down to revise and expand my Permissionless Innovation book last year, I decided to include this warning from Wallach in my revised preface: “The promoters of new technologies need to speak directly to the disquiet over the trajectory of emerging fields of research. They should not ignore, avoid, or superficially dampen criticism to protect scientific research.” (p. 28–9)

As I noted, in response to Wallach: “I take this charge seriously, as should others who herald the benefits of permissionless innovation as the optimal default for technology policy. We must be willing to take on the hard questions raised by critics and then also offer constructive strategies for dealing with a world of turbulent technological change.”

Serious questions deserve serious answers. Of course, sometimes those posing those questions fail to provide many answers of their own! Perhaps it is because they believe the questions answer themselves. Other times, it’s because they are willing to admit that easy answers to these questions typically prove quite elusive. In Wallach’s case, I believe it’s more the latter.

To wrap up, I’ll just reiterated that both Wallach and I share a common desire to find solutions to the hard questions about technological innovation. But the crucial question that probably separates his worldview and my own is this: Whether we are talking about hard or soft governance, how much faith should we place in preemptive planning vs. ongoing trial and error experimentation to solve technological challenges? Wallach is more inclined to believe we can divine these things with the sagacious foresight of “accomplished elders” and technocratic “issue managers,” who will help us slow things down until we figure out how to properly ease a new technology into society (if at all). But I believe that the only way we will find many of the answers we are searching for is by allowing still more experimentation with the very technologies that he and others seek to control the development of. We humans are outstanding problem-solvers and have the uncanny ability among all mammals to adapt to changing circumstances. We roll with the punches, learn from them, and become more resilient in the process. As I noted in my 2014 essay, “Muddling Through: How We Learn to Cope with Technological Change”:

we modern pragmatic optimists must continuously point to the unappreciated but unambiguous benefits of technological innovation and dynamic change. But we should also continue to remind the skeptics of the amazing adaptability of the human species in the face of adversity. [. . .] Humans have consistently responded to technological change in creative, and sometimes completely unexpected ways. There’s no reason to think we can’t get through modern technological disruptions using similar coping and adaptation strategies.

Will the technologies that Wallach fears bring about a “techstorm” that overwhelms our culture, our economy, and even our very humanity? It’s certainly possible, and we should continue to seriously discuss the issues that he and other skeptics raise about our expanding technological capabilities and the potential for many of them to do great harm. Because some of them truly could.

But it is equally plausible—in fact, some of us would say, highly probable—that instead of overwhelming us, we learn how to bend these new technological capabilities to our will and make them work for our collective benefit. Instead of technology becoming “a dangerous master,” we will instead make it our helpful servant, just as we have so many times before.

APPENDIX: When Does Precaution Make Sense?

[excerpt from chapter 3 of Permissionless Innovation: The Continuing Case for Comprehensive Technological Freedom. Footnotes omitted. See book for all references.]

But aren’t there times when a certain degree of precautionary policymaking makes good sense? Indeed, there are, and it is important to not dismiss every argument in favor of precautionary principle–based policymaking, even though it should not be the default policy rule in debates over technological innovation.

The challenge of determining when precautionary policies make sense comes down to weighing the (often limited) evidence about any given technology and its impact and then deciding whether the potential downsides of unrestricted use are so potentially catastrophic that trial-and-error experimentation simply cannot be allowed to continue. There certainly are some circumstances when such a precautionary rule might make sense. Governments restrict the possession of uranium and bazookas, to name just two obvious examples.

Generally speaking, permissionless innovation should remain the norm in the vast majority of cases, but there will be some scenarios where the threat of tangible, immediate, irreversible, catastrophic harm associated with new innovations could require at least a light version of the precautionary principle to be applied.  In these cases, we might be better suited to think about when an “anti-catastrophe principle” is needed, which narrows the scope of the precautionary principle and focuses it more appropriately on the most unambiguously worst-case scenarios that meet those criteria.

But most cases don’t fall into this category. Instead, we generally allow innovators and consumers to freely experiment with technologies, and even engage in risky behaviors, unless a compelling case can be made that precautionary regulation is absolutely necessary.  How is the determination made regarding when precaution makes sense? This is where the role of benefit-cost analysis (BCA) and regulatory impact analysis is essential to getting policy right.  BCA represents an effort to formally identify the tradeoffs associated with regulatory proposals and, to the maximum extent feasible, quantify those benefits and costs.  BCA generally cautions against preemptive, precautionary regulation unless all other options have been exhausted—thus allowing trial-and-error experimentation and “learning by doing” to continue. (The mechanics of BCA are discussed in more detail in section VII.)

This is not the end of the evaluation, however. Policymakers also need to consider the complexities associated with traditional regulatory remedies in a world where technological control is increasingly challenging and quite costly. It is not feasible to throw unlimited resources at every problem, because society’s resources are finite.  We must balance risk probabilities and carefully weigh the likelihood that any given intervention has a chance of creating positive change in a cost-effective fashion.  And it is also essential to take into account the potential unintended consequences and long-term costs of any given solution because, as Harvard law professor Cass Sunstein notes, “it makes no sense to take steps to avert catastrophe if those very steps would create catastrophic risks of their own.”  “The precautionary principle rests upon an illusion that actions have no consequences beyond their intended ends,” observes Frank B. Cross of the University of Texas. But “there is no such thing as a risk-free lunch. Efforts to eliminate any given risk will create some new risks,” he says.

Oftentimes, after working through all these considerations about whether to regulate new technologies or technological processes, the best solution will be to do nothing because, as noted throughout this book, we should never underestimate the amazing ingenuity and resiliency of humans to find creative solutions to the problems posed by technological change.  (Section V discusses the importance of individual and social adaptation and resiliency in greater detail.) Other times we might find that, while some solutions are needed to address the potential risks associated with new technologies, nonregulatory alternatives are also available and should be given a chance before top-down precautionary regulations are imposed. (Section VII considers those alternative solutions in more detail.)

Finally, it is again essential to reiterate that we are talking here about the dangers of precautionary thinking as a public policy prerogative—that is, precautionary regulations that are mandated and enforced by government officials. By contrast, precautionary steps may be far more wise when undertaken in a more decentralized manner by individuals, families, businesses, groups, and other organizations. In other words, as I have noted elsewhere in much longer articles on the topic, “there is a different choice architecture at work when risk is managed in a localized manner as opposed to a society-wide fashion,” and risk-mitigation strategies that might make a great deal of sense for individuals, households, or organizations, might not be nearly as effective if imposed on the entire population as a legal or regulatory directive.

Finally, at times, more morally significant issues may exist that demand an even more exhaustive exploration of the impact of technological change on humanity. Perhaps the most notable examples arise in the field of advance medical treatments and biotechnology. Genetic experimentation and human cloning, for example, raise profound questions about altering human nature or abilities as well as the relationship between generations.

The case for policy prudence in these matters is easier to make because we are quite literally talking about the future of what it means to be human.  Controversies have raged for decades over the question of when life begins and how it should end. But these debates will be greatly magnified and extended in coming years to include equally thorny philosophical questions.  Should parents be allowed to use advanced genetic technologies to select the specific attributes they desire in their children? Or should parents at least be able to take advantage of genetic screening and genome modification technologies that ensure their children won’t suffer from specific diseases or ailments once born?

Outside the realm of technologically enhanced procreation, profound questions are already being raised about the sort of technological enhancements adults might make to their own bodies. How much of the human body can be replaced with robotic or bionic technologies before we cease to be human and become cyborgs?  As another example, “biohacking”—efforts by average citizens working together to enhance various human capabilities, typically by experimenting on their own bodies —could become more prevalent in coming years.  Collaborative forums, such as Biohack.Me, already exist where individuals can share information and collaborate on various projects of this sort.  Advocates of such amateur biohacking sometimes refer to themselves as “grinders,” which Ben Popper of the Verge defines as “homebrew biohackers [who are] obsessed with the idea of human enhancement [and] who are looking for new ways to put machines into their bodies.”

These technologies and capabilities will raise thorny ethical and legal issues as they advance. Ethically, they will raise questions of what it means to be human and the limits of what people should be allowed to do to their own bodies. In the field of law, they will challenge existing health and safety regulations imposed by the FDA and other government bodies.

Again, most innovation policy debates—including most of the technologies discussed throughout this book—do not involve such morally weighty questions. In the abstract, of course, philosophers might argue that every debate about technological innovation has an impact on the future of humanity and “what it means to be human.” But few have much of a direct influence on that question, and even fewer involve the sort of potentially immediate, irreversible, or catastrophic outcomes that should concern policymakers.

In most cases, therefore, we should let trial-and-error experimentation continue because “experimentation is part and parcel of innovation” and the key to social learning and economic prosperity.  If we froze all forms of technological innovation in place while we sorted through every possible outcome, no progress would ever occur. “Experimentation matters,” notes Harvard Business School professor Stefan H. Thomke, “because it fuels the discovery and creation of knowledge and thereby leads to the development and improvement of products, processes, systems, and organizations.”

Of course, ongoing experimentation with new technologies always entails certain risks and potential downsides, but the central argument of this book is that (a) the upsides of technological innovation almost always outweigh those downsides and that (b) humans have proven remarkably resilient in the face of uncertain, ever-changing futures.

In sum, when it comes to managing or coping with the risks associated with technological change, flexibility and patience is essential. One size most certainly does not fit all. And one-size-fits-all approaches to regulating technological risk are particularly misguided when the benefits associated with technological change are so profound. Indeed, “[t]echnology is widely considered the main source of economic progress”; therefore, nothing could be more important for raising long-term living standards than creating a policy environment conducive to ongoing technological change and the freedom to innovate.

I wanted to draw your attention to this important address on online platform regulation by Alex Chisholm, the head of UK’s Competition and Markets Authority. That’s the non-ministerial department in the UK responsible for competition policy issues. Chisholm delivered the address on October 27th at the Bundesnetzagentur conference in Bonn. It’s a terrific speech that other policymakers would be wise to read and mimic to ensure that antitrust and competition policy decisions don’t derail the many benefits of the Information Revolution.

“Today, as regulators, we have the responsibility but also the great historical privilege of playing an influential role in the deployment throughout the economy of the latest of these defining technological eras,” Chisholm began. “As regulators, we must try to minimise the inevitable mismatch between how we’ve done things before and the opportunities and risks of the new,” he argued.

He continued on to specify three recommendations for those crafting policy on this front:

1. “First, blanket solutions should be avoided. Instead an evidence-based assessment of potential adverse effects of specific industry features or practices should be carried out before either ex ante regulatory or ex post enforcement tools are deployed. In either case this should be closely targeted to the specific harm identified, and every care given to avoid disproportionate actions and unwelcome side-effects. In that respect, online platforms and the digital economy do not differ from any other sector: there is no need to reinvent the regulatory wheel.
2. Secondly, the significant risks associated with premature, broad-brush ex ante legislation or rule-making point towards a need to shift away from sector-specific regulation to ex post antitrust enforcement, which is better adapted to the period we’re in, with its fast-changing technology and evolving market reactions.
3. Thirdly, as regulators, policymakers, businesses and consumers, we all need to adapt our practices to harvest the benefits of the new while containing its costs and risks.”

That’s an excellent framework that can and should guide future antitrust and competition policy decisions by policymakers across the globe. But Chisholm wasn’t done. Here are some of my other favorite highlights from his address:

• On avoiding “one-size-fits-all” regulation: “[T]here is no ‘digital one size fits all’. . .  [O]penness is not necessarily always good for competition, nor are closed systems always bad.”
• On dealing with the pace of change: “Leaving aside costs of compliance, protecting consumers by virtue of ex ante regulation is inherently difficult in digital markets where consumer preferences evolve fast and in a less predictable manner.”
• On the difficulty of forecasting: “Where ex ante regulation is introduced, it therefore risks harming innovation by locking in existing standards and discouraging or preventing more disruptive innovations. The evolution of digital markets has been particularly difficult to predict.”
• On how to level the playing field: “Finally, consider deregulation. If policymakers were to seek to avoid every hypothetical consumer harm through pre-emptive ex ante regulation, they would likely prevent many best-case scenarios entailing significant consumer benefits from ever coming about. Policymakers and regulators should be open to the idea that a review of existing regulation and its suitability in the context of online platforms may in certain cases actually result in a withdrawal of such regulation – creating a reasonably level playing field by ‘levelling down’ as opposed to ‘levelling up’.”

I really appreciate those last few points, and they are very much consistent with the recommendations set forth in my recent book on  Permissionless Innovation. In the book, I argued that, “Trying to preemptively plan for every hypothetical worst-case scenario means that many best-case scenarios will never come about.”

I was pleased to see the book cited in Chisholm’s speech, as well as some work that Mercatus scholars had done on how to level the proverbial playing field within sectors undergoing rapid technological and regulatory change. Chris Koopman, Matt Mitchell, and I have argue that, while regulatory asymmetries represent a legitimate policy problem,

the solution is not to punish new innovations by simply rolling old regulatory regimes onto new technologies and sectors. The better alternative is to level the playing field by “deregulating down” to put everyone on equal footing, not by “regulating up” to achieve parity. Policymakers should relax old rules on incumbents as new entrants and new technologies challenge the status quo. By extension, new entrants should only face minimal regulatory requirements as more onerous and unnecessary restrictions on incumbents are relaxed.

Anyway, make sure to read Alex Chisholm’s entire speech. It’s very much worth your time. Incidentally, I think his vision is very much consistent with that of  Maureen K. Ohlhausen, a Commissioner with the Federal Trade Commission (FTC). I have written extensively here and elsewhere about Commissioner Ohlhausen’s laudable vision for wise tech policy-making, most recently in this essay.

I wanted to draw your attention to yet another spectacular speech by Maureen K. Ohlhausen, a Commissioner with the Federal Trade Commission (FTC). I have written here before about Commissioner Ohlhausen’s outstanding speeches, but this latest one might be her best yet.

On Tuesday, Ohlhausen was speaking at U.S. Chamber of Commerce Foundation day-long event on “The Internet of Everything: Data, Networks and Opportunities.” The conference featured various keynote speakers and panels discussing, “the many ways that data and Internet connectiviting is changing the face of business and society.” (It was my honor to also be invited to deliver an address to the crowd that day.)

As with many of her other recent addresses, Commissioner Ohlhausen stressed why it is so important that policymakers “approach new technologies and new business models with regulatory humility.” Building on the work of the great Austrian economist F.A. Hayek, who won a Nobel prize in part for his work explaining the limits of our knowledge to plan societies and economies, Ohlhausen argues that:

regulators face a fundamental knowledge problem that limits the effective reach of regulation. A regulator must acquire knowledge about the present state and future trends of the industry being regulated. The more prescriptive the regulation, and the more complex the industry, the more detailed knowledge the regulator must collect. But, regulators simply cannot gather all the information relevant to every problem. Such information is widely distributed and therefore very expensive to collect. Even when a regulator manages to collect information, it quickly becomes out of date as a regulated industry continues to evolve. Obsolete data is a particular concern for regulators of fast-changing technological fields like the Internet of Things. This knowledge problem means that centralized problem solving cannot make full use of the available knowledge about a problem. Therefore, centralized regulation generally offers worse solutions when compared to distributed or emergent constraints such as social norms.

She continued on to explain the dangers of “precautionary principle” thinking as applied to new technologies, noting that, far too often, policymakers seek to impose preemptive, top-down controls on new sectors and technologies based on “concern over largely hypothetical future harms.” That’s a point I have stressed repeatedly in my own work on the importance of “permissionless innovation.” As I note in my book of the same title, living in constant fear of worst-case scenarios—and premising public policy upon them—means that best-case scenarios will never come about. When public policy is shaped by precautionary principle reasoning, it poses a serious threat to technological progress, economic entrepreneurialism, social adaptation, and long-run prosperity.

What’s the better alternative to precautionary controls to address potential risks? As Commissioner Ohlhausen noted in her speech to the Chamber of Commerce, regulators should “focus on identifying and addressing real, not speculative, consumer harm.” She explains how the FTC already has the tools to do so:

At the FTC, this focus is part of our statute. Congress charged us in Section 5 of the FTC Act with preventing deceptive or unfair acts and practices. Deceptive acts violate Section 5 only if they are material – that is, if they actually harm consumers. And practices are only unfair if there is a substantial harm that consumers cannot avoid and that outweighs any benefits to consumers or competition. In both cases, the law concerns itself with addressing actual consumer harms. Likewise the FTC carefully evaluates consumer welfare (or, its corollary, consumer harm) when it exercises its antitrust authority.

Importantly, she noted, the focus in this regard is on  ex post enforcement, not highly prescriptive ex ante regulation. “This incremental approach, which we have been using for nearly 100 years, has significant benefits,” Ohlhausen argued, and it is “consistent with Hayek’s thesis about the knowledge problem.” Namely, regulators should not be acting based on limited knowledge to address hypothetical future threats. Doing so derails opportunities for innovation and leads to myriad unintended consequences.

But the best part of Commissioner Ohlhausen’s speech was her embrace of what author Matt Ridley calls “rational optimism”:

Over the past two centuries, humankind has proven its ability to transform innovation into widespread prosperity. Fueled by supportive social attitudes and free market institutions, businesses have been the engines of this prosperity. Regulators who don’t want to stall these engines of innovation should remember the long history of beneficial innovation, remain humble about what they can know and accomplish, focus on addressing real consumer harm, and apply tools appropriate to the harms that do arise.

Critics will protest that innovation can just be too darn disruptive and that we have to preemptively legislate or regulate to counter those effects. But Ohlhausen has a powerful response to those critics:

innovation can, and will, be unnerving or unsettling. By its very nature, innovation changes things. Change is uncomfortable. That is why, as long as there has been innovation, there have been detractors and doomsayers. William Petty, the economist and doctor, said, “When a new invention is first propounded, in the beginning every man objects and the poor inventor runs the gauntloop of all petulant wits.” And he was talking in 1679! Pessimism about innovation sells newspapers and books. It also has a surprising intellectual caché. “The man who despairs when others hope is admired by a large class of persons as a sage,” said John Stuart Mill. But if the past 200 years of innovation have any lesson, it is this: society has repeatedly and quickly integrated and greatly benefited from innovation. The somber doomsday “sages” – from the Luddites in 19th century England to critics of credit card technology in the 1970s – have been wrong about the general effects of innovation. The many benefits have far outweighed the few costs. I am quite optimistic that the disruption of the Internet of Everything will continue the trend and greatly promote our prosperity.

Preach it, sister! That is exactly right.

Anyway, make sure to read Commissioner Ohlhausen’s entire speech. It is absolutely spectacular. I wish every regulatory approached their jobs with the same degree of humility, patience, and “rational optimism” that Commissioner Ohlhausen does.

On June 9th, the Federal Trade Commission hosted an excellent workshop on “The ‘Sharing’ Economy: Issues Facing Platforms, Participants, and Regulators,” which included 4 major panels and dozens of experts speaking about these important issues. It was my great pleasure to be part of the 4th panel of the day on the policy implications of the sharing economy. Along with my Mercatus colleagues Christopher Koopman and Matt Mitchell, I submitted a 20-page filing  to the Commission summarizing our research findings in this area. (We also released a major new working paper that same day on, “How the Internet, the Sharing Economy, and Reputational Feedback Mechanisms Solve the ‘Lemons Problem.’” (All Mercatus Center research on sharing economy issues can be found on this page and we plan on releasing additional papers in coming months.)

The FTC has now posted the videos from their workshop and down below I have embedded my particular panel. My remarks begin around the 5-minute mark of the video.

The Federal Trade Commission (FTC) is taking a more active interest in state and local barriers to entry and innovation that could threaten the continued growth of the digital economy in general and the sharing economy in particular. The agency recently announced it would be hosting a June 9th workshop “to examine competition, consumer protection, and economic issues raised by the proliferation of online and mobile peer-to peer business platforms in certain sectors of the [sharing] economy.” Filings are due to the agency in this matter by May 26th. (Along with my Mercatus Center colleagues, I will be submitting comments and also releasing a big paper on reputational feedback mechanisms that same week. We have already released this paper on the general topic.)

Relatedly, just yesterday, the FTC sent a letter to Michigan policymakers about restricting entry by Tesla and other direct-to-consumer sellers of vehicles. Michigan passed a law in October 2014 prohibiting such direct sales. The FTC’s strongly-worded letter decries the state’s law as “protectionism for independent franchised dealers” noting that “current provisions operate as a special protection for dealers—a protection that is likely harming both competition and consumers.” The agency argues that:

consumers are the ones best situated to choose for themselves both the vehicles they want to buy and how they want to buy them. Automobile manufacturers have an economic incentive to respond to consumer preferences by choosing the most effective distribution method for their vehicle brands. Absent supportable public policy considerations, the law should permit automobile manufacturers to choose their distribution method to be responsive to the desires of motor vehicle buyers.

The agency cites the “well-developed body of research on these issues strongly suggests that government restrictions on distribution are rarely desirable for consumers” and the staff letter continues on to utterly demolish the bogus arguments set forth by defenders of the blatantly self-serving, cronyist law. (For more discussion of just how anti-competitive and anti-consumer these laws are in practice, see this January 2015 Mercatus Center study, “State Franchise Law Carjacks Auto Buyers,” by Jerry Ellig and Jesse Martinez.)

The FTC’s letter is another example of how the agency can take steps using its advocacy tools to explain to state and local policymakers how their laws may be protectionist and anti-consumer in character. Needless to say, this also has ramifications for how the agency approaches parochial restraints on entry and innovation affecting the sharing economy.

In our forthcoming Mercatus Center comments to the FTC for its June 6th sharing economy workshop, Christopher Koopman, Matt Mitchell, and I will address many issues related to the sharing economy and its regulation. Beyond addressing all five of the specific questions asked in the Commission’s workshop notice, we also include a discussion about “Federal Responses to Local Anticompetitive Regulations.” Down below I have reproduced the current rough draft of that section of our filing in the hope of getting input from others. Needless to say, the idea of the FTC aggressively using its advocacy efforts or even federal antitrust laws to address state and local barriers to trade and innovation will make some folks uncomfortable–especially on federalism grounds. But we argue that a good case can be made for the agency using both its advocacy and antitrust tools to address these issues. Let us know what you think.

The Federal Trade Commission possesses two primary tools to address public restraints of trade created by state and local authorities: advocacy and antitrust.[1]

Through its advocacy program, the Commission can provide specific comments to state and local officials regarding the effects of both proposed and existing regulations.[2] Commissioner Joshua Wright has noted that, “For many years, the FTC has used its mantle to comment on legislation and regulation that may restrain competition in a way that harms consumers.”[3] Thus, at a minimum, the Commission can and should shine light on parochial governmental efforts to restrain trade and limit innovation throughout the sharing economy.[4] By shining more light on state or local anti-competitive rules, the Commission will hopefully make governments, or their surrogate bodies (such as licensing boards), more transparent about their practices and more accountable for laws or regulations that could harm consumer welfare. However, to be successful, the Commission’s advocacy efforts depend upon the willingness of state and local legislators and regulators to heed its advice.^[5]

The Commission has already used its advisory role in its recent guidance to state and local policymakers regarding the regulation of ridesharing services. The Commission noted then that “a regulatory framework should be responsive to new methods of competition,” and set forth the following vision regarding what it regards as the proper approach to parochial regulation of passenger transportation services:

Staff recommends that a regulatory framework for passenger vehicle transportation should allow for flexibility and adaptation in response to new and innovative methods of competition, while still maintaining appropriate consumer protections. [Regulators] also should proceed with caution in responding to calls for change that may have the effect of impairing new forms or methods of competition that are desirable to consumers. . . .  In general, competition should only be restricted when necessary to achieve some countervailing procompetitive virtue or other public benefit such as protecting the public from significant harm.[6]

This represents a reasonable framework for addressing concerns about parochial regulation of the sharing economy more generally.

Unfortunately, in areas relevant to the regulation of the sharing economy (e.g., taxicab regulations and rules governing home and apartment rentals) anticompetitive regulations have remained on the books—and in some instances have expanded—in spite of more than 30 years of Commission comment and advocacy.[7]  In fact, as Public Citizen noted in a recent Supreme Court filing:

[M]any more occupations are regulated than ever before, and most boards doing the regulating—in both traditional and new professions—are dominated by industry members who compete in the regulated market. Those board member-competitors, in turn, commonly engage in regulation that can be seen as anticompetitive self-protection. The particular forms anticompetitive regulations take are highly varied, the possibilities seemingly limited only by the imaginations of the board members.[8]

In these instances, the Commission’s antitrust enforcement authority may need to be utilized when its advocacy efforts fall short with regard to regulations that favor incumbents by limiting competition and entry.[9] Many academics have endorsed expanded antitrust oversight of public barriers to trade and innovation.[10] As Commissioner Wright has argued, “the FTC is in a good position to use its full arsenal of tools to ensure that state and local regulators do not thwart new entrants from using technology to disrupt existing marketplace.”[11] He notes specifically that he is “quite confident that a significant shift of agency resources away from enforcement efforts aimed at taming private restraints of trade and instead toward fighting public restraints would improve consumer welfare.”[12] We agree.

The Supreme Court’s recent decision in North Carolina State Board of Dental Examiners v. Federal Trade Commission made it clear that local authorities cannot claim broad immunity from federal antitrust laws.[13] This is particularly true, the Court noted, “where a State delegates control over a market to a nonsovereign actor,” such as a professional licensing board consisting primarily of members of the affected interest being regulated.[14] “Limits on state-action immunity are most essential when a State seeks to delegate its regulatory power to active market participants,” the Court held, “for dual allegiances are not always apparent to an actor and prohibitions against anticompetitive self-regulation by active market participants are an axiom of federal antitrust policy.”[15]

The touchstone of this case and the Court’s related jurisprudence in this area is political accountability.[16] State officials must (1) “clearly articulate” and (2) “actively supervise” licensing arrangements and regulatory bodies if they hope to withstand federal antitrust scrutiny.[17] The Court clarified this test in N.C. Dental holding that “the Sherman Act confers immunity only if the State accepts political accountability for the anticompetitive conduct it permits and controls.”[18] In other words, if state and local officials want to engage in protectionist activities that restrain trade in pursuit of some other countervailing objective, then they need to own up to it by being transparent about their anticompetitive intentions and then actively oversee the process after that to ensure it is not completely captured by affected interests.[19]

Some might argue that this does not go far enough to eradicate anti-competitive barriers to trade at the state or local level that could restrain the innovative potential of the sharing economy. While that may be true, some limits on the Commission’s federal antitrust discretion are necessary to avoid impinging upon legitimate state and local priorities.

Over time, it is our hope that by empowering the public with more options, more information and better ways to shine light on bad actors, the sharing economy will continue to make many of those old regulations unnecessary. Thus, in line with Commissioner Maureen Ohlhausen’s wise advice, the Commission should encourage state and local officials to exercise patience and humility as they confront technological changes that disrupt traditional regulatory systems.[20]

But when parochial regulators engage in blatantly anti-competitive activities that restrain trade, foster cartelization, or harm consumer welfare in other ways, the Commission can act to counter the worst of those tendencies.[21] The Commission’s standard of review going forward was appropriately articulated by Commissioner Wright recently when he noted that, “in the context of potentially disruptive forms of competition through new technologies or new business models, we should generally be skeptical of regulatory efforts that have the effect of favoring incumbent industry participants.”[22]

Such parochial protectionist barriers to trade and innovation will become even more concerning as the potential reach of so many sharing economy businesses grows larger. The boundary between intrastate and interstate commerce is sometimes difficult to determine for many sharing economy platforms. Clearly, much of the commerce in question occurs within the boundaries of a state or municipality, but sharing economy services also rely upon Internet-enabled platforms with a broader reach. To the extent state or local restrictions on sharing economy operations create negative externalities in the form of “interstate spillovers,” the case for federal intervention is strengthened.[23] It would be preferable if Congress chose to deal with such spillovers using its Commerce Clause authority (Art. 1, Sec. 8 of the Constitution),[24] but the presence of such negative externalities might also bolster the case for the Commission’s use of antitrust to address parochial restraints on trade.

[1]     See Maureen K. Ohlhausen, Reflections on the Supreme Court’s North Carolina Dental Decision and the FTC’s Campaign to Rein in State Action Immunity, before the Heritage Foundation, Washington, DC, March 31, 2015, at 19-20.

[2]     Id., at 20. (“The primary goal of such advocacy is to convince policymakers to consider and then minimize any adverse effects on competition that may result from regulations aimed at preventing various consumer harms.”) Also see James C. Cooper and William E. Kovacic, “U.S. Convergence with International Competition Norms: Antitrust Law and Public Restraints on Competition,” Boston University Law Review, Vol. 90, No. 4, (August 2010): 1582, “Competition advocacy helps solve consumers’ collective action problem by acting within the regulatory process to advocate for regulations that do not restrict competition unless there is a compelling consumer protection rationale for imposing such costs on citizens.”).

[3]     Joshua D. Wright, “Regulation in High-Tech Markets:  Public Choice, Regulatory Capture, and the FTC,” Remarks of Joshua D. Wright Commissioner, Federal Trade Commission at the Big Ideas about Information Lecture Clemson University, Clemson, South Carolina, April 2, 2015, at 15, https://www.ftc.gov/public-statements/2015/04/regulation-high-tech-markets-public-choice-regulatory-capture-ftc.

[4]     Cooper and Kovacic, “U.S. Convergence with International Competition Norms,” at 1610, (“Competition agencies could devote greater resources to conduct research to measure the effects of public policies that restrict competition. A research program could accumulate and analyze empirical data that assesses the consumer welfare effects of specific restrictions. Such a program could also assess whether the stated public interest objectives of government restrictions are realized in practice.”)

[5]     Cooper and Kovacic, “U.S. Convergence with International Competition Norms,” at 1582, (“The value of competition advocacy should be measured by (1) the degree to which comments altered regulatory outcomes times (2) the value to consumers of those improved outcomes. For all practical purposes, however, both elements are difficult to measure with any degree of certainty.”).

[6]     Federal Trade Commission, Staff Comments Before the Colorado Public Utilities Commission In The Matter of The Proposed Rules Regulating Transportation By Motor Vehicle, 4 Code of Colorado Regulations, (March 6, 2013), http://ftc.gov/os/2013/03/130703coloradopublicutilities.pdf.

[7]     Marvin Ammori, “Can the FTC Save Uber,” Slate, March 12, 2013, http://www.slate.com/articles/technology/future_tense/2013/03/uber_lyft_sidecar_can_the_ftc_fight_local_taxi_commissions.html (noting that, “not only does the FTC have the authority to take these cities to impartial federal courts and end their anticompetitive actions; it also has deep expertise in taxi markets and antitrust doctrines.”) Also see, Edmund W. Kitch, “Taxi Reform—The FTC Can Hack It,” Regulation, May/June 1984, http://object.cato.org/sites/cato.org/files/serials/files/regulation/1984/5/v8n3-3.pdf.

[8]     Brief of Amici Curiae Public Citizen in Support of Respondent, North Carolina State Bd. of Dental Exam’rs v. FTC, (August 2014): 24.

[9]     Brief of Antitrust Scholars as Amici Curiae in Support of Respondent, North Carolina State Bd. of Dental Exam’rs v. FTC, (August 6, 2014): 24, (“Antitrust review is entirely appropriate for curbing the excesses of occupational licensing because the anticompetitive effect has a similar effect on the market—and in particular consumers—as does traditional cartel activity.”)

[10]   See Mark A. Perry, “Municipal Supervision and State Action Antitrust Immunity,” The University of Chicago Law Review, Vol. 57, (Fall 1990): 1413-1445; William J. Martin, “State Action Antitrust Immunity for Municipally Supervised Parties,” The University of Chicago Law Review, Vol. 72, (Summer, 2005): 1079-1102; Jarod M. Bona, “The Antitrust Implications of Licensed Occupations Choosing Their Own Exclusive Jurisdiction,” University of St. Thomas Journal of Law & Public Policy, Vol 5, (Spring 2011): 28-51; Ingram Weber “The Antitrust State Action Doctrine and State Licensing Boards,” The University of Chicago Law Review, Vol. 79, (2012); Aaron Edlin and Rebecca Haw, “Cartels by Another Name:  Should Licensed Occupations Face Antitrust Scrutiny?,” University of Pennsylvania Law Review, Vol. 162, (2014): 1093-1164.

[11]   Wright, “Regulation in High-Tech Markets,” at 28-9.

[12]   Wright, “Regulation in High-Tech Markets,” at 29.

[13]   North Carolina State Bd. of Dental Exam’rs v. FTC, 135 S. Ct. 1101 (2015).

[14]   Id.

[15]   Id. Also see Edlin & Haw, “Cartels by Another Name,” at 1143, (“Who could seriously argue that an unsupervised group of competitors appointed to regulate their own profession can be counted on to neglect their selfish interests in favor of the state’s?”); Brief Amicus of the Pacific Legal Foundation and Cato Institute, North Carolina State Bd. of Dental Exam’rs v. FTC, (August 2014): 3, (“Antitrust immunity for private parties who act under color of state law is especially problematic, given that anticompetitive conduct is most likely to occur when private parties are in a position to exploit government’s regulatory powers.”)

[16]   See Maureen K. Ohlhausen, Reflections on the Supreme Court’s North Carolina Dental Decision and the FTC’s Campaign to Rein in State Action Immunity, before the Heritage Foundation, Washington, DC, March 31, 2015, at 16, https://www.ftc.gov/public-statements/2015/03/reflections-supreme-courts-north-carolina-dental-decision-ftcs-campaign, (“states need to be politically accountable for whatever market distortions they impose on consumers.”); Edlin & Haw, “Cartels by Another Name,” at 1137, (“political accountability is the price a state must pay for antitrust immunity.)

[17]   See Federal Trade Commission, Office of Policy and Planning, Report of the State Action Task Force (2003): 54, (“clear articulation requires that a state enunciate an affirmative intent to displace competition and to replace it with a stated criterion. Active supervision requires the state to examine individual private conduct, pursuant to that regulatory regime, to ensure that it comports with that stated criterion. Only then can the underlying conduct accurately be deemed that of the state itself, and political responsibility for the conduct fairly placed with the state.”) This test has been developed and refined in a variety of cases over the past 35 years. See: California Retail Liquor Dealers Ass’n v. Midcal Aluminum, Inc., 445 U.S. 97 (1980); Cmty. Comm’ns Co., Inc. v. City of Boulder, 455 U.S. 40, 48-51 (1982); City of Columbia v. Omni Outdoor Advertising, Inc., 499 U.S. 365 (1991); FTC v. Ticor Title Ins. Co., 504 U.S. 621 (1992).

[18]   North Carolina State Bd. of Dental Exam’rs v. FTC, 135 S. Ct. 1101 (2015).

[19]   Edlin & Haw, “Cartels by Another Name,” at 1156. (“Requiring that the state place its imprimatur on regulation is at least better than the status quo, in which states too often delegate self-regulation to professionals and walk away.”) See also North Carolina State Bd. of Dental Exam’rs v. FTC, 135 S. Ct. 1101 (2015) (“[Federal antitrust] immunity requires that the anticompetitive conduct of nonsovereign actors, especially those authorized by the State to regulate their own profession, result from procedures that suffice to make it the State’s own.”).

[20]  Maureen K. Ohlhausen, Commissioner, Fed. Trade Commission, “Regulatory Humility in Practice,” Remarks of the American Enterprise Institute, Washington, D.C. (April 1, 2015).

[21]   Edlin & Haw, “Cartels by Another Name,” at 1094, (“state action doctrine should not prevent antitrust suits against state licensing boards that are comprised of private competitors deputized to regulate and to outright exclude their own competition, often with the threat of criminal sanction.”). See also Brief Amicus of the Pacific Legal Foundation and Cato Institute, North Carolina State Bd. of Dental Exam’rs v. FTC, (August 2014): 2, 21, http://www.americanbar.org/content/dam/aba/publications/supreme_court_preview/BriefsV4/13-534_resp_amcu_plf-cato.authcheckdam.pdf, (noting that courts “should presume strongly against granting state-action immunity in antitrust cases.  It makes little sense to impose powerful civil and criminal punishments on private parties who are deemed to have engaged in anti-competitive conduct, while exempting government entities—or, worse, private parties acting under the government’s aegis—when they engage in the exact same conduct. . . . “Whatever one’s opinion of antitrust law in general, there is no justification for allowing states broad latitude to disregard federal law and erect private cartels with only vague instructions and loose oversight.”)

[22]   Wright, “Regulation in High-Tech Markets,” at 7.

[23]   FTC, Report of the State Action Task Force, 44, (“an unfortunate gap has emerged between scholarship and case law. Although many of the leading commentators have expressed serious concern regarding problems posed by interstate spillovers, their thinking has yet to take root in the law. Such spillovers undermine both economic efficiency and some of the same political representation values thought to be protected by principles of federalism.”); Brief Amicus of the Pacific Legal Foundation and Cato Institute, North Carolina State Bd. of Dental Exam’rs v. FTC, (August 2014): 13, (“Allowing states expansive power to exempt private actors from antitrust laws would also disrupt national economic policy by encouraging a patchwork of state-established entities licensed to engage in cartel behavior. This would disrupt interstate investment and consumer expectations, and would have spillover effects across state lines.”) Cooper and Kovacic, “U.S. Convergence with International Competition Norms,” at 1598, (“When a state exports the costs attendant to its anticompetitive regulatory scheme to those who have not participated in the political process, however, there is no political backstop; arguments for immunity based on federalism concerns are severely weakened, if not wholly eviscerated, in these situations.”

[24]   See Adam Thierer, The Delicate Balance: Federalism, Interstate Commerce, and Economic Freedom in the Technological Age (Washington, DC: The Heritage Foundation, 1998): 81-118.

Yesterday, the Federal Trade Commission (FTC) released its long-awaited report on “The Internet of Things: Privacy and Security in a Connected World.” The 55-page report is the result of a lengthy staff exploration of the issue, which kicked off with an FTC workshop on the issue that was held on November 19, 2013.

I’m still digesting all the details in the report, but I thought I’d offer a few quick thoughts on some of the major findings and recommendations from it. As I’ve noted here before, I’ve made the Internet of Things my top priority over the past year and have penned several essays about it here, as well as in a big new white paper (“The Internet of Things and Wearable Technology: Addressing Privacy and Security Concerns without Derailing Innovation”) that will be published in the Richmond Journal of Law & Technology shortly. (Also, here’s a compendium of most of what I’ve done on the issue thus far.)

I’ll begin with a few general thoughts on the FTC’s report and its overall approach to the Internet of Things and then discuss a few specific issues that I believe deserve attention.

Big Picture, Part 1: Should Best Practices Be Voluntary or Mandatory?

Generally speaking, the FTC’s report contains a variety of “best practice” recommendations to get Internet of Things innovators to take steps to ensure greater privacy and security “by design” in their products. Most of those recommended best practices are sensible as general guidelines for innovators, but the really sticky question here continued to be this: When, if ever, should “best practices” become binding regulatory requirements?

The FTC does a bit of a dance when answering that question. Consider how, in the executive summary of the report, the Commission answers the question regarding the need for additional privacy and security regulation: “Commission staff agrees with those commenters who stated that there is great potential for innovation in this area, and that IoT-specific legislation at this stage would be premature.” But, just a few lines later, the agency (1) “reiterates the Commission’s previous recommendation for Congress to enact strong, flexible, and technology-neutral federal legislation to strengthen its existing data security enforcement tools and to provide notification to consumers when there is a security breach;” and (2) “recommends that Congress enact broad-based (as opposed to IoT-specific) privacy legislation.”

Here and elsewhere, the agency repeatedly stresses that it is not seeking IoT-specific regulation; merely “broad-based” digital privacy and security legislation. The problem is that once you understand what the IoT is all about you come to realize that this largely represents a distinction without a difference. The Internet of Things is simply the extension of the Net into everything we own or come into contact with. Thus, this idea that the agency is not seeking IoT-specific rule sounds terrific until you realize that it is actually seeking something far more sweeping: greater regulation of all online / digital interactions. And because “the Internet” and “the Internet of Things” will eventually (if they are not already) be considered synonymous, this notion that the agency is not proposing technology-specific regulation is really quite silly.

Now, it remains unclear whether there exists any appetite on Capitol Hill for “comprehensive” legislation of any variety – although perhaps we’ll learn more about that possibility when the Senate Commerce Committee hosts a hearing on these issues on February 11. But at least thus far, “comprehensive” or “baseline” digital privacy and security bills have been non-starters.

And that’s for good reason in my opinion: Such regulatory proposals could take us down the path that Europe charted in the late 1990s with onerous “data directives” and suffocating regulatory mandates for the IT / computing sector. The results of this experiment have been unambiguous, as I documented in congressional testimony in 2013. I noted there how America’s Internet sector came to be the envy of the world while it was hard to name any major Internet company from Europe. Whereas America embraced “permissionless innovation” and let creative minds develop one of the greatest success stories in modern history, the Europeans adopted a “Mother, May I” regulatory approach for the digital economy. America’s more flexible, light-touch regulatory regime leaves more room for competition and innovation compared to Europe’s top-down regime. Digital innovation suffered over there while it blossomed here.

That’s why we need to be careful about adopting the sort of “broad-based” regulatory regime that the FTC recommends in this and previous reports.

Big Picture, Part 2: Does the FTC Really Need More Authority?

Something else is going on in this report that has also been happening in all the FTC’s recent activity on digital privacy and security matters: The agency has been busy laying the groundwork for its own expansion.

In this latest report, for example, the FTC argues that

Although the Commission currently has authority to take action against some IoT-related practices, it cannot mandate certain basic privacy protections… The Commission has continued to recommend that Congress enact strong, flexible, and technology-neutral legislation to strengthen the Commission’s existing data security enforcement tools and require companies to notify consumers when there is a security breach.

In other words, this agency wants more authority. And we are talking about sweeping authority here that would transcend its already sweeping authority to police “unfair and deceptive practices” under Section 5 of the FTC Act. Let’s be clear: It would be hard to craft a law that grants an agency more comprehensive and open-ended consumer protection authority than Section 5. The meaning of those terms — “unfairness” and “deception” — has always been a contentious matter, and at times the agency has abused its discretion by exploiting that ambiguity.

Nonetheless, Sec. 5 remains a powerful enforcement tool for the agency and one that has been wielded aggressively in recently years to police digital economy giants and small operators alike. Generally speaking, I’m alright with most Sec. 5 enforcement, especially since that sort of retrospective policing of unfair and deceptive practices is far less likely to disrupt permissionless innovation in the digital economy. That’s because it does not subject digital innovators to the sort of “Mother, May I” regulatory system that European entrepreneurs face. But an expansion of the FTC’s authority via more “comprehensive, baseline” privacy and security regulatory policies threatens to convert America’s more sensible bottom-up and responsive regulatory system into the sort of innovation-killing regime we see on the other side of the Atlantic.

Here’s the other thing we can’t forget when it comes to the question of what additional authority to give the FTC over privacy and security matters: The FTC is not the end of the enforcement story in America. Other enforcement mechanism exist, including: privacy torts, class action litigation, property and contract law, state enforcement agencies, and other targeted privacy statutes. I’ve summarized all these additional enforcement mechanisms in my recent law review article referenced above. (See section VI of the paper.)

FIPPS, Part 1: Notice & Choice vs. Use-Based Restrictions

Next, let’s drill down a bit and examine some of the specific privacy and security best practices that the agency discusses in its new IoT report.

The FTC report highlights how the IoT creates serious tensions for many traditional Fair Information Practice Principles (FIPPs). The FIPPs generally include: (1) notice, (2) choice, (3) purpose specification, (4) use limitation, and (5) data minimization. But the report is mostly focused on notice and choice as well as data minimization.

When it comes to notice and choice, the agency wants to keep hope alive that it will still be applicable in an IoT world. I’m sympathetic to this effort because it is quite sensible for all digital innovators to do their best to provide consumers with adequate notice about data collection practices and then give them sensible choices about it. Yet, like the agency, I agree that “offering notice and choice is challenging in the IoT because of the ubiquity of data collection and the practical obstacles to providing information without a user interface.”

The agency has a nuanced discussion of how context matters in providing notice and choice for IoT, but one can’t help but think that even they must realize that the game is over, to some extent. The increasing miniaturization of IoT devices and the ease with which they suck up data means that traditional approaches to notice and choice just aren’t going to work all that well going forward. It is almost impossible to envision how a rigid application of traditional notice and choice procedures would work in practice for the IoT.

Relatedly, as I wrote here last week, the Future of Privacy Forum (FPF) recently released a new white paper entitled, “A Practical Privacy Paradigm for Wearables,” that notes how FIPPs “are a valuable set of high-level guidelines for promoting privacy, [but] given the nature of the technologies involved, traditional implementations of the FIPPs may not always be practical as the Internet of Things matures.” That’s particularly true of the notice and choice FIPPS.

But the FTC isn’t quite ready to throw in the towel and make the complete move toward “use-based restrictions,” as many academics have. (Note: I have lengthy discussion of this migration toward use-based restrictions in my law review article in section IV.D.). Use-based restrictions would focus on specific uses of data that are particularly sensitive and for which there is widespread agreement they should be limited or disallowed altogether. But use-based restrictions are, ironically, controversial from both the perspective of industry and privacy advocates (albeit for different reasons, obviously).

The FTC doesn’t really know where to go next with use-based restrictions. The agency says that, on one hand, “has incorporated certain elements of the use-based model into its approach” to enforcement in the past. On the other hand, the agency says it has concerns “about adopting a pure use-based model for the Internet of Things,” since it may not go far enough in addressing the growth of more widespread data collection, especially of more sensitive information.

In sum, the agency appears to be keeping the door open on this front and hoping that a best-of-all-worlds solution miraculously emerges that extends both notice and choice and use-based limitations as the IoT expands. But the agency’s new report doesn’t give us any sort of blueprint for how that might work, and that’s likely for good reason: because it probably won’t work at that well in practice and there will be serious costs in terms of lost innovation if they try to force unworkable solutions on this rapidly evolving marketplace.

FIPPS, Part 2: Data Minimization

The biggest policy fight that is likely to come out of this report involves the agency’s push for data minimization. The report recommends that, to minimize the risks associated with excessive data collection:

companies should examine their data practices and business needs and develop policies and practices that impose reasonable limits on the collection and retention of consumer data. However, recognizing the need to balance future, beneficial uses of data with privacy protection, staff’s recommendation on data minimization is a flexible one that gives companies many options. They can decide not to collect data at all; collect only the fields of data necessary to the product or service being offered; collect data that is less sensitive; or deidentify the data they collect. If a company determines that none of these options will fulfill its business goals, it can seek consumers’ consent for collecting additional, unexpected categories of data…

This is an unsurprising recommendation in light of the fact that, in previous major speeches on the issue, FTC Chairwoman Edith Ramirez argued that, “information that is not collected in the first place can’t be misused,” and that:

The indiscriminate collection of data violates the First Commandment of data hygiene: Thou shall not collect and hold onto personal information unnecessary to an identified purpose. Keeping data on the off chance that it might prove useful is not consistent with privacy best practices. And remember, not all data is created equally. Just as there is low quality iron ore and coal, there is low quality, unreliable data. And old data is of little value.

In my forthcoming law review article, I discussed the problem with such reasoning at length and note:

if Chairwoman Ramirez’s approach to a preemptive data use “commandment” were enshrined into a law that said, “Thou shall not collect and hold onto personal information unnecessary to an identified purpose.” Such a precautionary limitation would certainly satisfy her desire to avoid hypothetical worst-case outcomes because, as she noted, “information that is not collected in the first place can’t be misused,” but it is equally true that information that is never collected may never lead to serendipitous data discoveries or new products and services that could offer consumers concrete benefits. “The socially beneficial uses of data made possible by data analytics are often not immediately evident to data subjects at the time of data collection,” notes Ken Wasch, president of the Software & Information Industry Association. If academics and lawmakers succeed in imposing such precautionary rules on the development of IoT and wearable technologies, many important innovations may never see the light of day.

FTC Commissioner Josh Wright issued a dissenting statement to the report that lambasted the staff for not conducting more robust cost-benefit analysis of the new proposed restrictions, and specifically cited how problematic the agency’s approach to data minimization was. “[S]taff merely acknowledges it would potentially curtail innovative uses of data. . . [w]ithout providing any sense of the magnitude of the costs to consumers of foregoing this innovation or of the benefits to consumers of data minimization,” he says. Similarly, in her separate statement, FTC Commissioner Maureen K. Ohlhausen worried about the report’s overly precautionary approach on data minimization when noting that, “without examining costs or benefits, [the staff report] encourages companies to delete valuable data — primarily to avoid hypothetical future harms. Even though the report recognizes the need for flexibility for companies weighing whether and what data to retain, the recommendation remains overly prescriptive,” she concludes.

Regardless, the battle lines have been drawn by the FTC staff report as the agency has made it clear that it will be stepping up its efforts to get IoT innovators to significantly slow or scale back their data collection efforts. It will be very interesting to see how the agency enforces that vision going forward and how it impacts innovation in this space. All I know is that the agency has not conducted a serious evaluation here of the trade-offs associated with such restrictions. I penned another law review article last year offering “A Framework for Benefit-Cost Analysis in Digital Privacy Debates” that they could use to begin that process if they wanted to get serious about it.

The Problem with the “Regulation Builds Trust” Argument

One of the interesting things about this and previous FTC reports on privacy and security matters is how often the agency premises the case for expanded regulation on “building trust.” The argument goes something like this (as found on page 51 of the new IoT report): “Staff believes such legislation will help build trust in new technologies that rely on consumer data, such as the IoT. Consumers are more likely to buy connected devices if they feel that their information is adequately protected.”

This is one of those commonly-heard claims that sounds so straight-forward and intuitive that few dare question it. But there are problems with the logic of the “we-need-regulation-to-build-trust-and boost adoption” arguments we often hear in debates over digital privacy.

First, the agency bases its argument mostly on polling data. “Surveys also show that consumers are more likely to trust companies that provide them with transparency and choices,” the report says. Well, of course surveys say that! It’s only logical that consumers will say this, just as they will always say they value privacy and security more generally when asked. You might as well ask people if they love their mothers!

But what consumers claim to care about and what they actually do in the real-world are often two very different things. In the real-world, people balance privacy and security alongside many other values, including choice, convenience, cost, and more. This leads to the so-called “privacy paradox,” or the problem of many people saying one thing and doing quite another when it comes to privacy matters. Put simply, people take some risks — including some privacy and security risks — in order to reap other rewards or benefits. (See this essay for more on the problem with most privacy polls.)

Second, online activity and the Internet of Things are both growing like gangbusters despite the privacy and security concerns that the FTC raises. Virtually every metric I’ve looked at that track IoT activity show astonishing growth and product adoption, and projections by all the major consultancies that have studied this consistently predict the continued rapid growth of IoT activity. Now, how can this be the case if, as the FTC claims, we’ll only see the IoT really take off after we get more regulation aimed at bolstering consumer trust? Of course, the agency might argue that the IoT will grow at an even faster clip than it is right now, but there is no way to prove one way or the other. In any event, the agency cannot possible claim that the IoT isn’t already growing at a very healthy clip — indeed, a lot of the hand-wringing the staff engages in throughout the report is premised precisely on the fact that the IoT is exploding faster that our ability to keep up with it!! In reality, it seems far more likely that cost and complexity are the bigger impediments to faster IoT adoption, just as cost and complexity have always been the factors weighing most heavily on the adoption of other digital technologies.

Third, let’s say that the FTC is correct – and it is – when it says that a certain amount of trust is needed in terms of IoT privacy and security before consumers are willing to use more of these devices and services in their everyday lives. Does the agency imagine that IoT innovators don’t know that? Are markets and consumers completely irrational? The FTC says on page 44 of the report that, “If a company decides that a particular data use is beneficial and consumers disagree with that decision, this may erode consumer trust.” Well, if such a mismatch does exist, then the assumption should be that consumers can and will push back, or seek out new and better options. And other companies should be able to sense the market opportunity here to offer a more privacy-centric offering for those consumers who demand it in order to win their trust and business.

Finally, and perhaps most obviously, the problem with the argument that increased regulation will help IoT adoption is that it ignores how the regulations put in place to achieve greater “trust” might become so onerous or costly in practice that there won’t be as many innovations for us to adopt to begin with! Again, regulation — even very well-intentioned regulation — has costs and trade-offs.

In any event, if the agency is going to premise the case for expanded privacy regulation on this notion, they are going to have to do far more to make their case besides simply asserting it.

Once Again, No Appreciation of the Potential for Societal Adaptation

Let’s briefly shift to a subject that isn’t discussed in the FTC’s new IoT report at all.

Regular readers may get tired of me making this point, but I feel it is worth stressing again: Major reports and statements by public policymakers about rapidly-evolving emerging technologies are always initially prone to stress panic over patience. Rarely are public officials willing to step-back, take a deep breath, and consider how a resilient citizenry might adapt to new technologies as they gradually assimilate new tools into their lives.

That is really sad, when you think about it, since humans have again and again proven capable of responding to technological change in creative ways by adopting new personal and social norms. I won’t belabor the point because I’ve already written volumes on this issue elsewhere. I tried to condense all my work into a single essay entitled, “Muddling Through: How We Learn to Cope with Technological Change.” Here’s the key takeaway:

humans have exhibited the uncanny ability to adapt to changes in their environment, bounce back from adversity, and learn to be resilient over time. A great deal of wisdom is born of experience, including experiences that involve risk and the possibility of occasional mistakes and failures while both developing new technologies and learning how to live with them. I believe it wise to continue to be open to new forms of innovation and technological change, not only because it provides breathing space for future entrepreneurialism and invention, but also because it provides an opportunity to see how societal attitudes toward new technologies evolve — and to learn from it. More often than not, I argue, citizens have found ways to adapt to technological change by employing a variety of coping mechanisms, new norms, or other creative fixes.

Again, you almost never hear regulators or lawmakers discuss this process of individual and social adaptation even though they must know there is something to it. One explanation is that every generation has their own techno-boogeymen and lose faith in the ability of humanity to adapt to it.

To believe that we humans are resilient, adaptable creatures should not be read as being indifferent to the significant privacy and security challenges associated with any of the new technologies in our lives today, including IoT technologies. Overly-exuberant techno-optimists are often too quick to adopt a “Just-Get-Over-It!” attitude in response to the privacy and security concerns raised by others. But it is equally unforgivable for those who are worried about those same concerns to utterly ignore the reality of human adaptation to new technologies realities.

Why are Educational Approaches Merely an Afterthought?

One final thing that troubled me about the FTC report was the way consumer and business education is mostly an afterthought. This is one of the most important roles that the FTC can and should play in terms of explaining potential privacy and security vulnerabilities to the general public and product developers alike.

Alas, the agency devotes so much ink to the more legalistic questions about how to address these issues, that all we end up with in the report is this one paragraph on consumer and business education:

Consumers should understand how to get more information about the privacy of their IoT devices, how to secure their home networks that connect to IoT devices, and how to use any available privacy settings. Businesses, and in particular small businesses, would benefit from additional information about how to reasonably secure IoT devices. The Commission staff will develop new consumer and business education materials in this area.

I applaud that language, and I very much hope that the agency is serious about plowing more effort and resources into developing new consumer and business education materials in this area. But I’m a bit shocked that the FTC report didn’t even bother mentioning the excellent material already available on the “On Guard Online” website it helped created with a dozen other federal agencies. Worse yet, the agency failed to highlight the many other privacy education and “digital citizenship” efforts that are underway today to help on this front. I discuss those efforts in more detail in the closing section of my recent law review article.

I hope that the agency spends a little more time working on the development of new consumer and business education materials in this area instead of trying to figure out how to craft a quasi-regulatory regime for the Internet of Things. As I noted last year in this Maine Law Review article, that would be a far more productive use of the agency’s expertise and resources. I argued there that “policymakers can draw important lessons from the debate over how best to protect children from objectionable online content” and apply them to debates about digital privacy. Specifically, after a decade of searching for legalistic solutions to online safety concerns — and convening a half-dozen blue ribbon task forces to study the issue — we finally saw a rough consensus emerge that no single “silver-bullet” technological solutions or legal quick-fixes would work and that, ultimately, education and empowerment represented the better use of our time and resources. What was true for child safety is equally true for privacy and security for the Internet of Things.

It’s a shame the FTC staff squandered the opportunity it had with this new report to highlight all the good that could be done by getting more serious about focusing first on those alternative, bottom-up, less costly, and less controversial solutions to these challenging problems. One day we’ll all wake up and realize that we spent a lost decade debating legalistic solutions that were either technically unworkable or politically impossible. Just imagine if all the smart people who were spending all their time and energy on those approaches right now were instead busy devising and pushing educational and empowerment-based solutions instead!

One day we’ll get there. Sadly, if the FTC report is any indication, that day is still a ways off.

The Mercatus Center at George Mason University has just released my latest working paper, “The Internet of Things and Wearable Technology: Addressing Privacy and Security Concerns without Derailing Innovation.” The “Internet of Things” (IoT) generally refers to “smart” devices that are connected to both the Internet and other devices. Wearable technologies are IoT devices that are worn somewhere on the body and which gather data about us for various purposes. These technologies promise to usher in the next wave of Internet-enabled services and data-driven innovation. Basically, the Internet will be “baked in” to almost everything that consumers own and come into contact with.

Some critics are worried about the privacy and security implications of the Internet of Things and wearable technology, however, and are proposing regulation to address these concerns. In my new 93-page article, I explain why preemptive, top-down regulation would derail the many life-enriching innovations that could come from these new IoT technologies. Building on a recent book of mine, I argue that “permissionless innovation,” which allows new technology to flourish and develop in a relatively unabated fashion, is the superior approach to the Internet of Things.

As I note in the paper and my earlier book, if we spend all our time living in fear of the worst-case scenarios — and basing public policies on them — then best-case scenarios can never come about. As the old saying goes: nothing ventured, nothing gained. Precautionary principle-based regulation paralyzes progress and must be avoided.  We instead need to find constructive, “bottom-up” solutions to the privacy and security risks accompanying these new IoT technologies instead of top-down controls that would limit the development of life-enriching IoT innovations.

The better alternative is to deal with concerns creatively as they develop, using a balanced, layered approach  involving many different solutions, including: educational efforts, technological empowerment tools, social norms, public and watchdog pressure, industry best practices and self-regulation, transparency, torts and products liability law, and targeted enforcement of existing legal standards as needed.

Generally speaking, patience, humility, and forbearance by policymakers is crucial to allowing greater innovation and consumer choice in this arena. Importantly, policymakers should not forget that societal and individual adaptation will play a role here, just as it has during so many other turbulent technological transformations.

This article can be downloaded on my Mercatus Center page, on SSRN, or at Research Gate. I am hoping to find a law or policy journal interested in publishing this paper soon. If you with a journal and are interested, please contact me. [UPDATE 12/3/14: This paper has been accepted for publication in the Richmond Journal of Law & Technology, Vol. 21, Issue 6 (2015).]

Finally, if you are interested in this topic, you might want to flip through these slides I prepared for a presentation on this topic that I made at the Federal Communications Commission in September:

On Thursday, it was my great pleasure to present a draft of my forthcoming paper, “The Internet of Things & Wearable Technology: Addressing Privacy & Security Concerns without Derailing Innovation,” at a conference that took place at the Federal Communications Commission on “Regulating the Evolving Broadband Ecosystem.” The 3-day event was co-sponsored by the American Enterprise Institute and the University of Nebraska College of Law.

The 65-page working paper I presented is still going through final peer review and copyediting, but I posted a very rough first draft on SSRN for conference participants. I expect the paper to be released as a Mercatus Center working paper in October and then I hope to find a home for it in a law review. I will post the final version once it is released. [UPDATE:The final version of this working paper was released on November 19, 2014.]

In the meantime, however, I thought I would post the 46 slides I presented at the conference, which offer an overview of the nature of the Internet of Things and wearable technology, the potential economic opportunities that exist in this space, and the various privacy and security challenges that could hold this technological revolution back. I also outlined some constructive solutions to those concerns. I plan to be very active on these issues in coming months.

Additional Reading

• “The Growing Conflict of Visions over the Internet of Things & Privacy,” January 14, 2012
• “Can We Adapt to the Internet of Things?” IAPP Privacy Perspectives, June 19, 2013
• My Filing to the FTC in its ‘Internet of Things’ Proceeding, May 31, 2013
• Permissionless Innovation: The Continuing Case for Comprehensive Technological Freedom (2014)
• [Video] Cap Hill Briefing on Emerging Tech Policy Issues (June 2014)

My latest law review article is entitled, “Privacy Law’s Precautionary Principle Problem,” and it appears in Vol. 66, No. 2 of the Maine Law Review. You can download the article on my Mercatus Center page, on the Maine Law Review website, or via SSRN. Here’s the abstract for the article:

Privacy law today faces two interrelated problems. The first is an information control problem. Like so many other fields of modern cyberlaw—intellectual property, online safety, cybersecurity, etc.—privacy law is being challenged by intractable Information Age realities. Specifically, it is easier than ever before for information to circulate freely and harder than ever to bottle it up once it is released.

This has not slowed efforts to fashion new rules aimed at bottling up those information flows. If anything, the pace of privacy-related regulatory proposals has been steadily increasing in recent years even as these information control challenges multiply.

This has led to privacy law’s second major problem: the precautionary principle problem. The precautionary principle generally holds that new innovations should be curbed or even forbidden until they are proven safe. Fashioning privacy rules based on precautionary principle reasoning necessitates prophylactic regulation that makes new forms of digital innovation guilty until proven innocent.

This puts privacy law on a collision course with the general freedom to innovate that has thus far powered the Internet revolution, and privacy law threatens to limit innovations consumers have come to expect or even raise prices for services consumers currently receive free of charge. As a result, even if new regulations are pursued or imposed, there will likely be formidable push-back not just from affected industries but also from their consumers.

In light of both these information control and precautionary principle problems, new approaches to privacy protection are necessary. We need to invert the process of how we go about protecting privacy by focusing more on practical “bottom-up” solutions—education, empowerment, public and media pressure, social norms and etiquette, industry self-regulation and best practices, and an enhanced role for privacy professionals within organizations—instead of “top-down” legalistic solutions and regulatory techno-fixes. Resources expended on top-down regulatory pursuits should instead be put into bottom-up efforts to help citizens better prepare for an uncertain future.

In this regard, policymakers can draw important lessons from the debate over how best to protect children from objectionable online content. In a sense, there is nothing new under the sun; the current debate over privacy protection has many parallels with earlier debates about how best to protect online child safety. Most notably, just as top-down regulatory constraints came to be viewed as constitutionally-suspect and economically inefficient, and also highly unlikely to even be workable in the long-run for protecting online child safety, the same will likely be true for most privacy related regulatory enactments.

This article sketches out some general lessons from those online safety debates and discusses their implications for privacy policy going forward.

Read the full article here [PDF].

Related Material:

• Book: Permissionless Innovation: The Continuing Case for Comprehensive Technological Freedom
• Law review article: “The Pursuit of Privacy in a World Where Information Control Is Failing,” Harvard Journal of Law & Public Policy, 36 (2013): 409–55.
• Law review article: “A Framework for Benefit-Cost Analysis in Digital Privacy Debates,” George Mason University Law Review, 20, no. 4 (Summer 2013): 1055–105.
• Law review article: “Technopanics, Threat Inflation, and the Danger of an Information Technology Precautionary Principle,” Minnesota Journal of Law, Science & Technology, 14 (2013): 309–86.

Adam Thierer – Privacy Law’s Precautionary Problem (Maine Law Review, 2014) by Adam Thierer

I am pleased to announce the release of my latest book, “Permissionless Innovation: The Continuing Case for Comprehensive Technological Freedom.” It’s a short manifesto (just under 100 pages) that condenses — and attempts to make more accessible — arguments that I have developed in various law review articles, working papers, and blog posts over the past few years. I have two goals with this book.

First, I attempt to show how the central fault line in almost all modern technology policy debates revolves around “the permission question,” which asks: Must the creators of new technologies seek the blessing of public officials before they develop and deploy their innovations? How that question is answered depends on the disposition one adopts toward new inventions. Two conflicting attitudes are evident.

One disposition is known as the “precautionary principle.” Generally speaking, it refers to the belief that new innovations should be curtailed or disallowed until their developers can prove that they will not cause any harms to individuals, groups, specific entities, cultural norms, or various existing laws, norms, or traditions.

The other vision can be labeled “permissionless innovation.” It refers to the notion that experimentation with new technologies and business models should generally be permitted by default. Unless a compelling case can be made that a new invention will bring serious harm to society, innovation should be allowed to continue unabated and problems, if they develop at all, can be addressed later.

I argue that we are witnessing a grand clash of visions between these two mindsets today in almost all major technology policy discussions today.

The second major objective of the book, as is made clear by the title, is to make a forceful case in favor of the latter disposition of “permissionless innovation.” I argue that policymakers should unapologetically embrace and defend the permissionless innovation ethos — not just for the Internet but also for all new classes of networked technologies and platforms. Some of the specific case studies discussed in the book include: the “Internet of Things” and wearable technologies, smart cars and autonomous vehicles, commercial drones, 3D printing, and various other new technologies that are just now emerging.

I explain how precautionary principle thinking is increasingly creeping into policy discussions about these technologies. The urge to regulate preemptively in these sectors is driven by a variety of safety, security, and privacy concerns, which are discussed throughout the book. Many of these concerns are valid and deserve serious consideration. However, I argue that if precautionary-minded regulatory solutions are adopted in a preemptive attempt to head-off these concerns, the consequences will be profoundly deleterious.

The central lesson of the booklet is this: Living in constant fear of hypothetical worst-case scenarios — and premising public policy upon them — means that best-case scenarios will never come about. When public policy is shaped by precautionary principle reasoning, it poses a serious threat to technological progress, economic entrepreneurialism, social adaptation, and long-run prosperity.

Again, that doesn’t mean we should ignore the various problems created by these highly disruptive technologies. But how we address these concerns matters greatly. If and when problems develop, there are many less burdensome ways to address them than through preemptive technological controls. The best solutions to complex social problems are almost always organic and “bottom-up” in nature. Luckily, there exists a wide variety of constructive approaches that can be tapped to address or alleviate concerns associated with new innovations. These include:

• education and empowerment efforts (including media literacy, digital citizenship efforts);
• social pressure from activists, academics, and the press and the public more generally.
• voluntary self-regulation and adoption of best practices (including privacy and security “by design” efforts); and,
• increased transparency and awareness-building efforts to enhance consumer knowledge about how new technologies work.

Such solutions are almost always superior to top-down, command-and-control regulatory edits and bureaucratic schemes of a “Mother, May I?” (i.e., permissioned) nature. The problem with “top-down” traditional regulatory systems is that they often tend to be overly-rigid, bureaucratic, inflexible, and slow to adapt to new realities. They focus on preemptive remedies that aim to predict the future, and future hypothetical problems that may not ever come about. Worse yet, administrative regulation generally preempts or prohibits the beneficial experiments that yield new and better ways of doing things. It raises the cost of starting or running a business or non-business venture, and generally discourages activities that benefit society.

To the extent that other public policies are needed to guide technological developments, simple legal principles are greatly preferable to technology-specific, micro-managed regulatory regimes. Again, ex ante (preemptive and precautionary) regulation is often highly inefficient, even dangerous. To the extent that any corrective legal action is needed to address harms, ex post measures, especially via the common law (torts, class actions, etc.), are typically superior. And the Federal Trade Commission will, of course, continue to play a backstop here by utilizing the broad consumer protection powers it possesses under Section 5 of the Federal Trade Commission Act, which prohibits “unfair or deceptive acts or practices in or affecting commerce.” In recent years, the FTC has already brought and settled many cases involving its Section 5 authority to address identity theft and data security matters. If still more is needed, enhanced disclosure and transparency requirements would certainly be superior to outright bans on new forms of experimentation or other forms of heavy-handed technological controls.

In the end, however, I argue that, to the maximum extent possible, our default position toward new forms of technological innovation must remain: “innovation allowed.” That is especially the case because, more often than not, citizens find ways to adapt to technological change by employing a variety of coping mechanisms, new norms, or other creative fixes. We should have a little more faith in the ability of humanity to adapt to the challenges new innovations create for our culture and economy. We have done it countless times before. We are creative, resilient creatures. That’s why I remain so optimistic about our collective ability to confront the challenges posed by these new technologies and prosper in the process.

If you’re interested in taking a look, you can find a free PDF of the book at the Mercatus Center website or you can find out how to order it from there as an eBook. Hardcopies are also available. I’ll be doing more blogging about the book in coming weeks and months. The debate between the “permissionless innovation” and “precautionary principle” worldviews is just getting started and it promises to touch every tech policy debate going forward.

Related Essays :

• “The Growing Conflict of Visions over the Internet of Things & Privacy,” Technology Liberation Front, January 14, 2014.
• “CES 2014 Report: The Internet of Things Arrives, but Will Washington Welcome It?” Technology Liberation Front, January 8, 2014.
• “Who Really Believes in ‘Permissionless Innovation’?” Technology Liberation Front, March 4, 2013.
• “What Does It Mean to ‘Have a Conversation’ about a New Technology?” Technology Liberation Front, May 23, 2013.
• “On the Line between Technology Ethics vs. Technology Policy,” Technology Liberation Front, August 1, 2013.
• “Planning for Hypothetical Horribles in Tech Policy Debates,” Technology Liberation Front, August 6, 2013.
• “Edith Ramirez’s ‘Big Data’ Speech: Privacy Concerns Prompt Precautionary Principle Thinking,” Technology Liberation Front, August 29, 2013.
• “When It Comes to Information Control, Everybody Has a Pet Issue & Everyone Will Be Disappointed,” Technology Liberation Front, April 29, 2011.
• “Copyright, Privacy, Property Rights & Information Control: Common Themes, Common Challenges,” Technology Liberation Front, April 10, 2012.
• “Can We Adapt to the Internet of Things?” IAPP Privacy Perspectives, June 19, 2013.
• “Why Do We Always Sell the Next Generation Short?” Forbes, January 8, 2012.
• “The Six Things That Drive ‘Technopanics,’” Forbes, March 4, 2012.

With each booth I pass and presentation I listen to at the 2014 International Consumer Electronics Show (CES), it becomes increasingly evident that the “Internet of Things” era has arrived. In just a few short years, the Internet of Things (IoT) has gone from industry buzzword to marketplace reality. Countless new IoT devices are on display throughout the halls of the Las Vegas Convention Center this week, including various wearable technologies, smart appliances, remote monitoring services, autonomous vehicles, and much more.

This isn’t vaporware; these are devices or services that are already on the market or will launch shortly. Some will fail, of course, just as many other earlier technologies on display at past CES shows didn’t pan out. But many of these IoT technologies will succeed, driven by growing consumer demand for highly personalized, ubiquitous, and instantaneous services.

But will policymakers let the Internet of Things revolution continue or will they stop it dead in its tracks? Interestingly, not too many people out here in Vegas at the CES seem all that worried about the latter outcome. Indeed, what I find most striking about the conversation out here at CES this week versus the one about IoT that has been taking place in Washington over the past year is that there is a large and growing disconnect between consumers and policymakers about what the Internet of Things means for the future.

When every device has a sensor, a chip, and some sort of networking capability, amazing opportunities become available to consumers. And that’s what has them so excited and ready to embrace these new technologies. But those same capabilities are exactly what raise the blood pressure of many policymakers and policy activists who fear the safety, security, or privacy-related problems that might creep up in a world filled with such technologies.

But at least so far, most consumers don’t seem to share the same worries. Instead, they are too busy shouting “More, More, More!” IoT technologies have generated enormous interest and every projection I’ve seen so far shows that explosive growth can be expected across all classes of devices. ABI Research estimates that there are more than ten billion wirelessly connected devices in the market today and more than thirty billion devices expected by 2020. Last year Cisco projected that by 2020 thirty-seven billion intelligent things will be connected and communicating but has now apparently revised that estimate upward to 40 or 50 billion. Thus, we are well on the way to a world where “everyone and everything will be connected to the network.”

Yet, it remains unclear what the IoT public policy landscape will look like in coming years and what disposition lawmakers and regulators will adopt toward these new amazing new technologies. Two distinct policy disposition are clashing over what approach should govern the future of innovation in this space.

I discussed this tension during a CES panel this morning on “The Internet of Things and the Home of the Future.” It featured outstanding opening remarks by FTC Commissioner Maureen K. Ohlhausen, who made the case for regulatory humility and focusing on how these new technologies can empower individuals in important new ways. “The Internet has evolved in one generation from a network of electronically interlinked research facilities in the United States to one of the most dynamic forces in the global economy, in the process reshaping entire industries and even changing the way we interact on a personal level,” she noted. “And the Internet of Things offers the promise of even greater progress ahead for consumers and competition.” I strongly encourage you to read Commissioner Ohlhausen’s entire speech. It is terrific and sets exactly the right tone for these discussions.

After Commissioner Ohlhausen spoke, we had a panel discussion that was expertly moderated by tech policy guru Larry Downes and which included remarks from Robert M. McDowell (Hudson Institute), Jeff  Hagins, (Smart Things), Robert Pepper (Cisco), Marc Rogers (Lookout), and me.

When I spoke, I described the future of the Internet of Things as a grand battle of two alternative worldviews: the “precautionary principle” and “permissionless innovation.” The “precautionary principle” refers to the belief that new innovations should be curtailed or disallowed until their developers can prove that they will not cause any harms to individuals, groups, specific entities, cultural norms, or various existing laws, norms, or traditions. The other worldview, “permissionless innovation,” refers to the notion that experimentation with new technologies and business models should generally be permitted by default. Unless a compelling case can be made that a new invention will bring serious harm to society, innovation should be allowed to continue unabated and problems, if they develop at all, can be addressed later.

I’ll soon be releasing a new eBook about this conflict of visions. The book will be called, “Permissionless Innovation: The Continuing Case for Comprehensive Technological Freedom” and it should be out in the next few weeks. In it, I will explain how precautionary principle thinking is increasingly creeping into modern information technology policy discussions, explain how that is dangerous and must be rejected, and argue that policymakers should instead unapologetically embrace and defend the permissionless innovation vision — not just for the Internet but also for all new classes of networked technologies and platforms.

This intellectual tension is already evident in debates over the Internet of Things. While we are still very early in this debate, we can expect rising calls for preemptive regulatory controls on IoT technologies based on various safety, security, and especially privacy rationales.  If the precautionary principle mentality wins out and trumps the permissionless innovation ethos that has already powered the first wave of the digital revolution, it will have profound ramifications.

As I’ll note in my forthcoming eBook, preserving and extending the permissionless innovation ethos to the Internet of Things is not about “protecting corporate profits” or assisting any particular technology, industry sector, or set of innovators. Rather, preserving an environment in which permissionless innovation can flourish is about ensuring that individuals as both citizens and consumers continue to enjoy the myriad benefits that accompany an open, innovative information ecosystem. More profoundly, this general freedom to innovate is essential for powering the next great wave of industrial innovation and rejuvenating our dynamic, high-growth economy. Even more profoundly, this is about preserving social and economic freedom more generally while rejecting the central-planning mentality and methods that throughout history have stifled human progress and prosperity.

Safety, security, and privacy problems will continue to persist, of course, and we should work to find practical, “bottom-up” solutions to them. As I detail in my eBook, education and empowerment, social pressure, societal norms, voluntary self-regulation, transparency efforts, and targeted enforcement of existing legal norms (especially through the common law) are almost always superior to “top-down,” command-and-control regulatory edits and bureaucratic schemes of a “Mother, May I” (i.e., permissioned) nature. Preemptive technological controls of that sort would limit new innovation in this space and sacrifice the many benefits that will flow to consumers from continued experimentation.

Those who advocate precautionary regulatory approaches to the Internet of Things should think through to consequences of preemptively prohibiting technological innovation and realize that not everyone shares their same values, especially pertaining to privacy, which is a highly subjective concept that is often difficult to legislate around. We should instead find ways work with together to seek out those practical, bottom-up solutions that will help individuals, institutions, and society learn how to better cope with technological change over time. Using this approach, we can embrace our dynamic future together without doing permanent damage to our innovative minds and economy.

Tomorrow, the Federal Trade Commission (FTC) will host an all-day workshop entitled, “Internet of Things: Privacy and Security in a Connected World.” [Detailed agenda here.] According to the FTC: “The workshop will focus on privacy and security issues related to increased connectivity for consumers, both in the home (including home automation, smart home appliances and connected devices), and when consumers are on the move (including health and fitness devices, personal devices, and cars).”

Where is the FTC heading on this front? This Politico story by Erin Mershon from last week offers some possible ideas. Yet, it still remains unclear whether this is just another inquiry into an exciting set of new technologies or if it is, as I worried in my recent comments to the FTC on this matter, “the beginning of a regulatory regime for a new set of information technologies that are still in their infancy.”

First, for those not familiar with the “Internet of Things,” this short new report from Daniel Castro & Jordan Misra of the Center for Data Innovation offers a good definition:

The “Internet of Things” refers to the concept that the Internet is no longer just a global network for people to communicate with one another using computers, but it is also a platform or devices to communicate electronically with the world around them. The result is a world that is alive with information as data flows from one device to another and is shared and reused for a multitude of purposes. Harnessing the potential of all of this data for economic and social good will be one of the primary challenges and opportunities of the coming decades.

The report continues on to offer a wide range of examples of new products and services that could fulfill this promise.

What I find somewhat worrying about the FTC’s sudden interest in the Internet of Things is that it opens to the door for some regulatory-minded critics to encourage preemptive controls on this exciting new wave of digital age innovation, based almost entirely on hypothetical worst-case scenarios they have conjured up. And plenty of those boogeyman scenarios are floating around already because the Internet of Things has created a potential perfect storm of four major information policy concerns: online safety, privacy, security, and even intellectual property issues. You can find concerned critics from each of those quarters already wringing their hands about what the Internet of Things means for their pet issues.

This is why in both my filing to the agency and in an upcoming eBook, I discuss the danger of letting “precautionary principle” reasoning trump the alternative paradigm of “permissionless innovation.” As I’ve explained here before as well in this longer law review article, the precautionary principle generally holds that, because a given new technology could pose some theoretical danger or risk in the future, public policies should control or limit the development of such innovations until their creators can prove that they won’t cause any harms.

The problem with letting such precautionary thinking guide policy is that it poses a serious threat to technological progress, economic entrepreneurialism, and human prosperity. Under an information policy regime guided at every turn by a precautionary principle, technological innovation would be impossible because of fear of the unknown; hypothetical worst-case scenarios would trump all other considerations. Social learning and economic opportunities become far less likely, perhaps even impossible, under such a regime. In practical terms, it means fewer services, lower quality goods, higher prices, diminished economic growth, and a decline in the overall standard of living.

For these reasons, to the maximum extent possible, the default position toward new forms of technological innovation should be innovation allowed. This policy norm is better captured in the well-known Internet ideal of “permissionless innovation,” or the general freedom to experiment and learn through trial-and-error experimentation.

Which leads back to the FTC workshop tomorrow. Which path will the agency head down? If the recent comments of FTC Chairwoman Edith Ramirez are any indication, there is certainly a healthy appetite for precautionary principle policymaking, at least as it pertains to “big data.” As I noted here in a critique of one of her recent speeches, Chairwoman Ramirez has offered “a rather succinct articulation of precautionary principle thinking as applied to modern data collection practices.”

She worried that “‘big data’ leads to the indiscriminate collection of personal information,” and that “the indiscriminate collection of data violates the First Commandment of data hygiene: Thou shall not collect and hold onto personal information unnecessary to an identified purpose. Keeping data on the offchance that it might prove useful is not consistent with privacy best practices,” she continued, and she went on to argue that “Information that is not collected in the first place can’t be misused” and then suggests a parade of horribles that will befall if such data collection is allowed at all.  So, it would not be surprising to see her extend that sort of precautionary reasoning to the Internet of Things since all those fears would apply equally to it.

A better approach can be found in some remarks delivered by Ramirez’s fellow FTC Commissioner Maureen K. Ohlhausen. In an important speech last month entitled, “The Internet of Things and the FTC: Does Innovation Require Intervention?” Ohlhausen noted that, “The success of the Internet has in large part been driven by the freedom to experiment with different business models, the best of which have survived and thrived, even in the face of initial unfamiliarity and unease about the impact on consumers and competitors.” This reflects Ohlhausen’s general embrace of permissionless innovation reasoning and a rejection of the precautionary principle mindset articulated by FTC Chairwoman Ramirez.

More importantly, in her speech, Commissioner Ohlhausen went on to highlight another crucial point about why the precautionary mindset is dangerous when enshrined into laws or regulations. Put simply, many elites and regulatory advocates ignore regulator irrationality or regulatory ignorance. That is, they spend so much time focused on the supposed irrationality of consumers and their openness to persuasion or “manipulation” that they ignore the more concerning problem of the  irrationality or ignorance of those who (incorrectly) believe they are always in the best position to solve every complex problem. Regulators simply do not possess the requisite knowledge to perfectly plan for every conceivable outcome. This is particularly true for information technology markets, which generally evolve much more rapidly than other sectors, and especially more rapidly that law itself.

That insight leads Ohlhausen to issue a wise word of caution to her fellow regulators:

It is [] vital that government officials, like myself, approach new technologies with a dose of regulatory humility, by working hard to educate ourselves and others about the innovation, understand its effects on consumers and the marketplace, identify benefits and likely harms, and, if harms do arise, consider whether existing laws and regulations are sufficient to address them, before assuming that new rules are required.

That is absolutely right and this again makes it clears how Commissioner Ohlhausen’s approach to technological innovation is consistent with the permissionless innovation approach while Chairwoman Ramirez’s is based on precautionary principle thinking. This conflict of visions dominates almost all policy debates over new technology today, even if it is not always on such vivid display as it is in this case.

This also makes it abundantly clear just what is at stake as the FTC embarks on its exploration of the Internet of Things. Will we continue to embrace and defend the philosophy that made America’s digital economy the envy of the world (i.e., “permissionless innovation”), or will we be paralyzed by fear of the unknown and hypothetical worst-case scenarios.  As I have said here many times before, living in constant fear of such worst-case scenarios — and premising public policy upon them — means that best-cast scenarios will never come about.

So, stay tuned. The fight over the Internet of Things promises to be one of the most important public policy battles in the technology policy arena for many years to come.

This issue will be the focus of my forthcoming eBook, “Permissionless Innovation: The Continuing Case for Comprehensive Technological Freedom,” but until that is released, here are a few other recommended readings on the topic:

Blog posts:

• “Who Really Believes in ‘Permissionless Innovation’?” Technology Liberation Front, March 4, 2013.
• “What Does It Mean to ‘Have a Conversation’ about a New Technology?” Technology Liberation Front, May 23, 2013.
• “Planning for Hypothetical Horribles in Tech Policy Debates,” Technology Liberation Front, August 6, 2013.
• “On the Line between Technology Ethics vs. Technology Policy,” Technology Liberation Front, August 1, 2013.
• “Edith Ramirez’s ‘Big Data’ Speech: Privacy Concerns Prompt Precautionary Principle Thinking,” Technology Liberation Front, August 29, 2013.
• “When It Comes to Information Control, Everybody Has a Pet Issue & Everyone Will Be Disappointed,” Technology Liberation Front, April 29, 2011.
• “Copyright, Privacy, Property Rights & Information Control: Common Themes, Common Challenges,” Technology Liberation Front, April 10, 2012.
• “Can We Adapt to the Internet of Things?” IAPP Privacy Perspectives, June 19, 2013.

Testimony / Filings:

• Senate Testimony on Privacy, Data Collection & Do Not Track, April 24, 2013
• Comments of the Mercatus Center to the FTC in Privacy & Security Implications of the Internet of Things, May 31, 2013.
• Comments of the Mercatus Center to FAA on commercial domestic drones (with Jerry Brito and Eli Dourado) , April 23, 2013.

Journal articles & book chapters:

• “Technopanics, Threat Inflation, and the Danger of an Information Technology Precautionary Principle,” Minnesota Journal of Law, Science & Technology, Vol. 14, (2013): 309-386.
• “The Pursuit of Privacy in a World Where Information Control Is Failing,” Harvard Journal of Law & Public Policy, Vol. 36, (2013): 409-455.
• “A Framework for Benefit-Cost Analysis in Digital Privacy Debates ,” George Mason University Law Review, Vol. 20, No. 4 (Summer 2013): 1055-1105.

Last week, the FTC proposed to use its Section 6(b) power to investigate patent trolls. Its clear from the agency’s comment request that what they’re really interested in examining is the practice of patent privateering.

For The Umlaut, I wrote an article explaining what patent privateering is and how it upsets the fragile state of affairs in the software industry.

Because patent trolls are non-practicing, they are not subject to threats of counter-suit and mutually assured destruction. Because they are not members of any SSOs, they do not have any obligation to license on a FRAND basis; standard-essential patents can be transferred to privateers and then asserted against all users of the standard. And because the transfer of patents to patent trolls is often done through various shell companies or other shadowy means, the defendant and the public often cannot know on which practicing software company’s behalf the privateer is working. This means the defendant cannot retaliate through countersuits or a public relations offensive.

I think that understanding how patent privateering actually works and how it disrupts companies’ attempts to innovate makes one much more sympathetic to simply abolishing software patents outright. Given that the practice is  not widely understood, the FTC could add value by simply disseminating information about it to a wider audience. I don’t think that the FTC has the authority to regulate patent enforcement, since patent rights are explicitly authorized by Congress, but they can and should send Congress the message that software patents are being used to stifle innovation, not promote it.

Much of my recent research and writing has been focused on the contrast between “permissionless innovation” (the notion that innovation should generally be allowed by default) versus its antithesis, the “precautionary principle” (the idea that new innovations should be discouraged or even disallowed until their developers can prove that they won’t cause any harms).  I have discussed this dichotomy in three recent law review articles, a couple of major agency filings, and several blog posts. Those essays are listed at the end of this post.

In this essay, I want to discuss a recent speech by Federal Trade Commission (FTC) Chairwoman Edith Ramirez and show how precautionary principle thinking is increasingly creeping into modern information technology policy discussions, prompted by the various privacy concerns surrounding “big data” and the “Internet of Things” among other information innovations and digital developments.

First, let me recap the core argument I make in my recent articles and filings. It can be summarized as follows:

• If public policy is guided at every turn by the precautionary mindset then innovation becomes impossible because of fear of the unknown. Hypothetical worst-case scenarios trump all other considerations under this mentality. Social learning and economic opportunities become far less likely under such a policy regime. In practical terms, it means fewer services, lower quality goods, higher prices, diminished economic growth, and a decline in the overall standard of living. (See this essay and this one.)
• Wisdom is born of experience, including experiences involving risk and the possibility of mistakes and accidents. Patience and a general openness to permissionless innovation represent the wise disposition toward new technologies not only because it provides breathing space for future entrepreneurialism, but also because it provides an opportunity to observe both the evolution of societal attitudes toward new technologies and how citizens adapt to them. (See this essay.)
• Not every wise ethical principle, social norm, or industry best practice automatically makes for wise public policy. If we hope to preserve a free and open society, we simply cannot convert every ethical directive or norm — no matter how sensible — into a legal directive or else the scope of human freedom and innovation will need to shrink precipitously. (See this essay.)
• The best solutions to complex social problems are organic and “bottom-up” in nature. User education and empowerment, informal household media rules, social pressure, societal norms, and targeted enforcement of existing legal norms (especially through the common law) are almost always superior to “top-down,” command-and-control regulatory edits and bureaucratic schemes of a “Mother, May I” nature. (See this essay).
• For the preceding reasons, when it comes to information technology policy, “permissionless innovation” should, as a general rule, trump “precautionary principle” thinking. To the maximum extent possible, the default position toward new forms of technological innovation should be “innovation allowed,” or what Paul Ohm has appropriately labeled the “anti-Precautionary Principle.” (See this essay.)

Again, we are today witnessing the clash of these conflicting worldviews in a fairly vivid way in many current debates about online commercial data collection, “big data,” and the so-called “Internet of Things.” For example, FTC Chairwoman Ramirez recently delivered a speech at the annual Technology Policy Institute Aspen Forum on the topic of “The Privacy Challenges of Big Data: A View from the Lifeguard’s Chair.” Ramirez made several provocative assertions and demands in the speech, but here’s the one “commandment” I really want to focus on. Claiming that “One risk is that the lure of ‘big data’ leads to the indiscriminate collection of personal information,” Chairwoman Ramirez went on to argue:

The indiscriminate collection of data violates the First Commandment of data hygiene: Thou shall not collect and hold onto personal information unnecessary to an identified purpose. Keeping data on the offchance that it might prove useful is not consistent with privacy best practices. And remember, not all data is created equally. Just as there is low quality iron ore and coal, there is low quality, unreliable data. And old data is of little value. (emphasis added)

And later in the speech she goes on to argue that “Information that is not collected in the first place can’t be misused” and then suggests a parade of horribles that will befall if such data collection is allowed at all.

The Problem with “Mother, May I”?

So here we have a rather succinct articulation of precautionary principle thinking as applied to modern data collection practices. Chairwoman Ramirez is essentially claiming that — because there are various privacy risks associated with data collection and aggregation — we must consider preemptive and potentially highly restrictive approaches to the initial collection and aggregation of data.

The problem with that logic should be fairly obvious and it was perfectly identified by the great political scientist Aaron Wildavsky in his seminal 1988 book Searching for Safety. Wildavsky warned of the dangers of the “trial without error” mentality — otherwise known as the precautionary principle approach — and he contrasted it with the trial-and-error method of evaluating risk and seeking wise solutions to it. Wildavsky argued that:

The direct implication of trial without error is obvious: If you can do nothing without knowing first how it will turn out, you cannot do anything at all. An indirect implication of trial without error is that if trying new things is made more costly, there will be fewer departures from past practice; this very lack of change may itself be dangerous in forgoing chances to reduce existing hazards. (emphasis added)

Let’s apply that lesson to Chairwoman Ramirez’s speech. When she argues that “Information that is not collected in the first place can’t be misused,” there is absolutely no doubt that her statement is true. But it is equally true that information that is not collected at all is information that might have been used to provide us with the next “killer app” or the great gadget or digital service that we cannot currently contemplate but that some innovative entrepreneur out there might be looking to develop.

Likewise, claiming that “old data is of little value” and issuing the commandment that “Thou shall not collect and hold onto personal information unnecessary to an identified purpose” reveals a rather stunning arrogance about the possibility of serendipitous data discovery: Either Chairwoman Ramirez doesn’t think it can happen or she doesn’t care if it does. But the reality is that the cornucopia of innovation information options and opportunities we have at our disposal today was driven in large part by data collection, including personal data collection. And often those innovations were not part of some initial grand design; instead they came about through the discovery of new and interesting things that could be done with data after the fact.

For example, many of the information services and digital technologies that we enjoy and take for granted today — language translation tools, mobile traffic services, digital mapping technologies, spam and fraud detection tools, instant spell-checkers, and so on — came about not necessarily because of some initial grand design but rather through innovative thinking after-the-fact about how preexisting data sets might be used in interesting new ways. As Viktor Mayer-Schonberger and Kenneth Cukier point out in their recent book, Big Data: A Revolution That Will Transform How We Live, Work, and Think, “data’s value needs to be considered in terms of all the possible ways it can be employed in the future, not simply how it is used in the present.” “In the big-data age,” they note, “data is like a magical diamond mine that keeps on giving long after its principle value has been tapped.” (p. 103-4)

In any event, if the new policy in the United States is to follow Chairwoman Ramirez’s pronouncement that “Keeping data on the offchance that it might prove useful is not consistent with privacy best practices,” then much of the information economy as we know it today will need to be shut down. At a minimum, entrepreneurs will need to start hiring a lot more lobbyists who can sit in Washington and petition the FTC or other policymakers for permission to innovate whenever they have an interesting new idea for how to use data in order to offer us a new service that was not initially collected for a previously stated purpose. Again, it’s “Mother, May I” regulation and we had better get used to a lot more of it if we go down the path that Chairwoman Ramirez is charting.

Alternative, Less-Restrictive Remedies

But here’s the biggest flaw in Chairwoman Ramirez’s reasoning: There is no need for preemptive, prophylactic, precautionary approaches when less-restrictive and potentially equally effective remedies exist.

The title of Ramirez’s speech was subtitled “A View from the Lifeguard’s Chair,” implying that her role is oversee online practices to ensure consumers are safe. That’s a noble intention, but based on some of her remarks, one is left wondering if her true intention is to just drain the information oceans instead.

But there are better ways to deal with dangerous digital waters. In my work on both online child safety and commercial data privacy, I have argued that the best answer to these complex social problems is a mix of technological controls, social pressure and, informal rules and norms, and, most importantly, education and digital literacy efforts.  And government can play an important role by helping educate and empower citizens to help prepare them for our new media environment.

That was the central finding of a blue-ribbon panel of experts convened in 2002 by the National Research Council of the National Academy of Sciences to study how best to protect children in the new, interactive, “always-on” multimedia world. Under the leadership of former U.S. Attorney General Richard Thornburgh, the group produced an amazing report entitled Youth, Pornography, and the Internet, which outlined a sweeping array of methods and technological controls for dealing with potentially objectionable media content or online dangers. Ultimately, however, the experts used a compelling metaphor to explain why education was the most important tool on which parents and policymakers should rely:

Technology—in the form of fences around pools, pool alarms, and locks—can help protect children from drowning in swimming pools. However, teaching a child to swim—and when to avoid pools—is a far safer approach than relying on locks, fences, and alarms to prevent him or her from drowning. Does this mean that parents should not buy fences, alarms, or locks? Of course not—because they do provide some benefit. But parents cannot rely exclusively on those devices to keep their children safe from drowning, and most parents recognize that a child who knows how to swim is less likely to be harmed than one who does not. Furthermore, teaching a child to swim and to exercise good judgment about bodies of water to avoid has applicability and relevance far beyond swimming pools—as any parent who takes a child to the beach can testify. (p. 224)

Regrettably, as I noted in my old book on online safety, we often fail to teach our children how to swim in the new media waters. Indeed, to extend the metaphor, it is as if we are generally adopting an approach that is more akin to just throwing kids in the deep water and waiting to see what happens. The same is true for digital privacy. We sometimes expect both kids and adults to figure out how to swim in these information currents without a little training first.

To rectify this situation, a serious media literacy and digital citizenship agenda is needed in America. Media literacy programs teach children and adults alike to think critically about media, and to better analyze and understand the messages that media providers are communicating.  I went on to argue in my old book that government should push media literacy efforts at every level of the education process. And those efforts should be accompanied by widespread public awareness campaigns to better inform parents about the parental control tools, rating systems, online safety tips, and other media control methods at their disposal.

In the three recent law review articles listed below, I extended this model to privacy and showed how this bottom-up, education and empowerment-based approach is equally applicable to all the debates we are having today about commercial data collection. And I also stressed to vital importance of personal responsibility and corporate responsibility as part of these digital citizenship efforts.

Conclusion

So, in sum, the key question going forward is: Are we going teach people how to swim, or are we going to drain the information oceans based on the fear that people could be harmed by the very existence of some deep data waters?

Chairwoman Ramirez concluded her speech by noting that, “Like the lifeguard at the beach, though, the FTC will remain vigilant to ensure that while innovation pushes forward, consumer privacy is not engulfed by that wave.” As well-intentioned as that sounds, the thrust of her remarks suggest that fear of the water is prompting this particular lifeguard to consider drastic precautionary steps to save us from the potential dangers of those waves. Needless to say, such a mentality and corresponding policy framework would have profound ramifications.

Indeed, let’s be clear about what’s at stake here. This is not about “protecting corporate profits” or Silicon Valley companies. This is about ensuring that individuals as both citizens and consumers continue to enjoy the myriad benefits that accompany an open, innovative information ecosystem. We can find better ways to address the dangers of deep data waters without draining the info-oceans. Let’s teach people how to swim in those waters and how to be responsible data stewards so that we can all continue to enjoy the many benefits of our modern data-driven economy.

 Additional Reading:

Law Review Articles:

• “The Pursuit of Privacy in a World Where Information Control is Failing” – Harvard Journal of Law & Public Policy
• “Technopanics, Threat Inflation, and the Danger of an Information Technology Precautionary Principle” – Minnesota Journal of Law, Science & Technology
• “A Framework for Benefit-Cost Analysis in Digital Privacy Debates” – George Mason University Law Review

Blog posts:

• “Who Really Believes in ‘Permissionless Innovation’?” – March 4, 2013
• “What Does It Mean to ‘Have a Conversation’ about a New Technology?”
• “Planning for Hypothetical Horribles in Tech Policy Debates,” August 6, 2013
• “On the Line between Technology Ethics vs. Technology Policy,” August 1, 2013
• “Can We Adapt to the Internet of Things?” – June 19, 2013 (IAPP Privacy perspectives blog)

Testimony / Filings:

• Senate Testimony on Privacy, Data Collection & Do Not Track – April 24, 2013
• Comments of the Mercatus Center to the FTC in Privacy & Security Implications of the Internet of Things
• Mercatus filing to FAA on commercial domestic drones

I’m pleased to announce the release of my latest law review article, “A Framework for Benefit-Cost Analysis in Digital Privacy Debates.” It appears in the new edition of the George Mason University Law Review. (Vol. 20, No. 4, Summer 2013)

This is the second of two complimentary law review articles I am releasing this year dealing with privacy policy. The first, “The Pursuit of Privacy in a World Where Information Control is Failing,” was published in Vol. 36 of the Harvard Journal of Law & Public Policy this Spring. (FYI: Both articles focus on privacy claims made against private actors — namely, efforts to limit private data collection — and not on privacy rights against governments.)

My new article on benefit-cost analysis in privacy debates makes a seemingly contradictory argument: benefit-cost analysis (“BCA”) is extremely challenging in online child safety and digital privacy debates, yet it remains essential that analysts and policymakers attempt to conduct such reviews. While we will never be able to perfectly determine either the benefits or costs of online safety or privacy controls, the very act of conducting a regulatory impact analysis (“RIA”) will help us to better understand the trade-offs associated with various regulatory proposals.

However, precisely because those benefits and costs remain so remarkably subjective and contentious, I argue that we should look to employ less-restrictive solutions — education and awareness efforts, empowerment tools, alternative enforcement mechanisms, etc. — before resorting to potentially costly and cumbersome legal and regulatory regimes that could disrupt the digital economy and the efficient provision of services that consumers desire. This model has worked fairly effectively in the online safety context and can be applied to digital privacy concerns as well.

The article is organized as follows. Part I examines the use of BCA by federal agencies to assess the utility of government regulations. Part II considers how BCA can be applied to online privacy regulation and the challenges federal officials face when determining the potential benefits of regulation. Part III then elaborates on the cost considerations and other trade-offs that regulators face when evaluating the impact of privacy-related regulations. Part IV discusses alternative measures that can be taken by government regulators when attempting to address online safety and privacy concerns. This article concludes that policymakers must consider BCA when proposing new rules but also recognize the utility of alternative remedies such as education and awareness campaigns, to address consumer concerns about online safety and privacy.

I’ve embedded the full article down below in a Scribd reader, but you can also download it from my SSRN page and my Mercatus author page.

A Framework for Benefit-Cost Analysis in Digital Privacy Debates by Adam Thierer

This afternoon, Berin Szoka asked me to participate in a TechFreedom conference on “COPPA: Past, Present & Future of Children’s Privacy & Media.” [CSPAN video is here.] It was a in-depth, 3-hour, 2-panel discussion of the Federal Trade Commission’s recent revisions to the rules issued under the 1998 Children’s Online Privacy Protection Act (COPPA).

While most of the other panelists were focused on the devilish details about how COPPA works in practice (or at least should work in practice), I decided to ask a more provocative question to really shake up the discussion: What are we going to do when COPPA fails?

My notes for the event follow down below. I didn’t have time to put them into a smooth narrative, so please pardon the bullet points.

COPPA will fail in the long-run for two reasons:

(1)    With COPPA, the FTC is engaged in a technological arms race that it cannot win.

• COPPA was formulated for a Web 1.0 world of static websites with limited interactivity. In that environment is worked reasonably well, although it certainly imposed costs on site developers and affected market structure.
• As we moved into a Web 2.0 world of interactive social media in the mid to late-2000s, however, the rule has been strained by marketplace new realities. COPPA’s drafters never really envisioned sites like Facebook, Twitter, etc.
• In our current environment—let’s call it the Web 2.5 world—we have added mobile geolocation and social discovery to the mix and that is straining COPPA to the breaking point.
• But we are about to enter the Web 3.0 world of the “Internet of Things;” a sensor-based world in which the communication technology will literally be woven into the clothes we wear and all the devices we use.
  • Cisco has estimated that by 2020, 37 billion devices will be linked together and communicating.
  • It will be almost impossible for COPPA to keep up with the explosion of these technologies because everything in our lives and our children’s lives will be interconnected, communicating, and collecting data.
  • Information will be ubiquitously collected simply by nature of the technology itself.
  • The entire Web 3.0 world will be one of comprehensive passive information collection.
  • So, notions like “collection”, “directed at children” and “personal information” will be become impossible to enforce absence a flat-out ban on the technologies themselves

(2)    COPPA will also fail because of the simple reality that the more complicated and costly this regulatory regime becomes, the more likely it is that that both kids and parents will ignore it or seek to actively evade it.

• The actual monetary cost of any online service may obviously be one thing parents and kids seek to avoid.
• But the bigger cost is the mental hassle associated with delayed gratification.
  • When people demand certain services, they want them now. And they will get them even when law gets in the way. And sometimes they value the utility / functionality that those services provide more than they value privacy.
  • A 2011 Harvard-Berkeley study pointed out the evasion is already rampant and that many parents are facilitating that result by encouraging their kids to lie about their ages online.
    • This problem will only increase in the Internet of Things era as kids and parents come to expect all their devices to be communicating at all times and retaining data for them.

So, what are we going to do about? How do we prepare for the post-COPPA world that’s coming?

• We shouldn’t just throw up our hands in defeat.
• But we must accept the technological and practical challenges associated with regulation and seek out alternative approaches.
• Best solution, therefore, is: Education, media literacy, and digital citizenship
  • We need to do a much better job educating both kids and adults about sensible online interactions.
  • We need to talk to our kids and each other about being more savvy, sensible, respectful, and resilient media consumers and digital citizens.
  • In encouraging our kids and fellow Netizens to be good “digital citizens,” we must stress smarter online hygiene (sensible personal data use) and better “Netiquette” (proper behavior toward others), which can further both online safety and digital privacy goals.
  • More generally, as part of these digital literacy and citizenship efforts, we must do more  to explain the potential perils of over-sharing information about ourselves and others while simultaneously encouraging consumers to delete unnecessary online information occasionally and cover their digital footprints in other ways.
  • These education and literacy efforts are also important because they help us adapt to new technological changes by employing a variety of coping mechanisms or new social norms. These efforts and lessons should start at a young age and continue on well into adulthood through other means, such as awareness campaigns and public service announcements.

Additional Reading:

• The Unintended Consequences of Well-Intentioned Privacy Regulation
• Thoughts on Latest FTC COPPA Rule Revisions & Online Child Safety / Privacy
• Joint CDT-PFF-EFF Comments on FTC’s COPPA Review & the Dangers of COPPA Expansion
• What We Didn’t Hear at Yesterday’s FTC COPPA Workshop
• COPPA 2.0: The New Battle over Privacy, Age Verification, Online Safety & Free Speech, by Berin Szoka & Adam Thierer

In mid-April, the Federal Trade Commission (FTC) requested comments regarding “the consumer privacy and security issues posed by the growing connectivity of consumer devices, such as cars, appliances, and medical devices” or the so-called “Internet of Things.” This is in anticipation of a November 21 public workshop that the FTC will be hosting on the same issue.

These issues are finally starting to catch the attention of the public and policymakers alike with the rise of wearable computing, remote home automation and monitoring technologies, smart grids, autonomous vehicles and intelligent traffic systems, and so on. The Internet of Things represents the next great wave of Internet innovation, but it also represents the next great battleground in the field of Internet policy.

I filed comments with the FTC today in this proceeding and made a few simple points about why they should proceed cautiously here. A summary of my filing follows.

Avoiding a Precautionary Principle for the Internet of Things

First, while it is unclear where the FTC is heading with this proceeding—or for that matter, whether this even a formal proceeding at all—the danger exists that it represents the beginning of a regulatory regime for a new set of information technologies that are still in their infancy. Fearing hypothetical worst-case scenarios about the misuse of some IoT technologies, some policy activists and policymakers could seek to curb or control their development.

Policymakers should avoid acting on those impulses. Simply put, the Internet of Things—like the Internet itself—should not be subjected to a precautionary principle, which would impose preemptive, prophylactic restrictions on this rapidly evolving sector to guard against every theoretical harm that could develop. Preemptive restrictions on the development of the Internet of Things could retard technological innovation and limit the benefits that flow to consumers.

In other words, to the maximum extent possible, the default position toward new forms of technological innovation such as the Internet of Things should be innovation allowed, or what Paul Ohm, who recently joined the FTC as a Senior Policy Advisor, refers to as an “anti-Precautionary Principle.” This policy norm is better captured in the well-known Internet ideal of “permissionless innovation,” or the general freedom to experiment and learn through trial-and-error experimentation. As I noted in a recent essay here:

Wisdom is born of experience, including experiences involving risk and the possibility of mistakes and accidents. Patience and openness to permissionless innovation represent the wise disposition toward new technologies not only because it provides breathing space for future entrepreneurialism, but also because it provides an opportunity to observe both the evolution of societal attitudes toward new technologies and how citizens adapt to them.

Adaptation Is Not Just Possible but Likely

Which leads to the next major point I make in my filing: Humans adapt! The more I study the history of various technological innovations the more I find the same story unfolding: again and again society has found ways to adapt to new technological changes by employing a variety of coping mechanisms or new social norms. In fact, we see a common cycle of initial resistance, gradual adaptation, and then eventual assimilation of new technologies into society. (I previously outlined this cycle in my law review article, “Technopanics, Threat Inflation, and the Danger of an Information Technology Precautionary Principle.”)

I offer several specific examples of this process in action—from the rise of the telephone and the camera to RFID and Gmail. I argue that these examples should give us hope that we will also find ways of adapting to the challenges presented by the rise of the Internet of Things.

Norms Evolve and “Regulate”

Third, my filing discusses how societal norms evolve in response to new technologies and even come to “regulate” acceptable use of those technologies. Law tends to regulate in sweeping ways and then get locked in. Social norms and technological etiquette, by contrast, flexibly evolve in unique ways over time.

Some of these norms or social constraints are more “top-down” and formal in nature in that they are imposed by establishments or organizations in the form of restrictions on technologies. In other cases, these norms or social constraints are purely bottom-up and group-driven. I offer examples of both types of norms in my filing.

Other Remedies Exist or Will Develop as Needed

Finally, I argue in my filing that policymakers should exercise restraint and humility in the face of uncertain change and address harms that develop—if they do at all—after careful benefit-cost analysis of various remedies. I note that many federal and state laws already exist that could address perceived harms associated with these technologies.

And let’s be clear: some misuses and harms will develop, just as they have for every other information technology ever invented. But, to reiterate, we have generally not preemptive applied precautionary regulation to each and every new information technology based on the potential threat of some misuses developing. Instead, we have allowed experimentation and innovation to take place largely unimpeded and then relied on a combination of education, user empowerment, various social norms and coping mechanisms, and then targeted laws as needed after serious harms were demonstrated. That same approach should govern the Internet of Things.

If we succumb to the opposite impulse and apply a “Mother May I?” permissioned approach to the Internet of Things—with innovation only being allowed after regulators deem those technologies “safe” or “acceptable”—then we risk derailing the next great wave of Internet-based innovation. The implications for America’s consumers and our global competitiveness could not be more profound. The result will be fewer services, lower quality goods, higher prices, diminished economic growth, and a decline in the overall standard of living.

Hopefully the FTC is not going down that path with this proceeding or its forthcoming workshop on the Internet of Things. But stay tuned. This set of issues is expanding rapidly and promises to produce heated privacy, security, and safety debates for many years to come.

Please read my filing for more details. I’ve also embedded it below.

Comments of Adam Thierer Mercatus Center in FTC Internet of Things Proceeding (June 2013)

My colleague Eli Dourado brought to my attention this XKCD comic and when tweeting it out yesterday he made the comment that “Half of tech policy is dealing with these people”:

The comic and Eli’s comment may be a bit snarky, but something about it rang true to me because while conducting research on the impact of new information technologies on society I often come across books, columns, blog posts, editorials, and tweets that can basically be summed up with the line from that comic: “we should stop to consider the consequences of [this new technology] before we …”  Or, equally common is the line: “we need to have a conversation about [this new technology] before we…”

But what does that really mean? Certainly “having a conversation” about the impact of a new technology on society is important. But what is the nature of that “conversation”? How is it conducted? How do we know when it is going on or when it is over?

Generally speaking, it is best to avoid guessing as to motive when addressing public policy arguments. It is better to just address the assertions or proposals set forth in someone’s work and not try to determine what motivates it or what other ulterior motives may be driving their reasoning.

Nonetheless, I can’t help but think that sometimes what the “we-need-to-have-a-conversation” crowd is really suggesting is that we need to have a conversation about how to slow or stop the technology in question, not merely talk about its ramifications.

I see this at work all the time in the field of privacy policy. Many policy wonks craft gloom-and-doom scenarios that suggest our privacy is all but dead. I’ve notice a lot more of this lately in essays about the “Internet of Things” and Google Glass in particular. (See these recent essays by Paul Bernal and Bruce Schneier for good examples). Dystopian dread drips from almost every line of these essays.

But, after conjuring up a long parade of horribles and suggesting “we need to have a conversation” about new technologies, authors of such essays almost never finish their thought. There’s no conclusion or clear alternative offered. I suppose that in some cases it is because there aren’t any easy answers. Other times, however, I get the feeling that they have an answer in mind — comprehensive regulation of new technologies in question — but that they don’t want to come out and say it because they think they’ll sound like Luddites. Hell, I don’t know and, again, I don’t want to guess as to motive. I just find it interesting that so much of the writing being done in this arena these days follows that exact model.

But here’s the other point I want to make: I don’t think we’ll ever be able to “have a conversation” about a new technology that yields satisfactory answers because real wisdom is born of experience. This is one of the many important lessons I learned from my intellectual hero Aaron Wildavsky and his pioneering work on risk and safety. In his seminal 1988 book Searching for Safety, Wildavsky warned of the dangers of the “trial without error” mentality — otherwise known as the precautionary principle approach — and he contrasted it with the trial-and-error method of evaluating risk and seeking wise solutions to it. Wildavsky argued that:

The direct implication of trial without error is obvious: If you can do nothing without knowing first how it will turn out, you cannot do anything at all. An indirect implication of trial without error is that if trying new things is made more costly, there will be fewer departures from past practice; this very lack of change may itself be dangerous in forgoing chances to reduce existing hazards … Existing hazards will continue to cause harm if we fail to reduce them by taking advantage of the opportunity to benefit from repeated trials.

This is a lesson too often overlooked not just in the field of health and safety regulation, but also in the world of information policy and this insight is the foundation of a filing I will be submitting to the FTC next week in its new proceeding on the “Privacy and Security Implications of the Internet of Things.” In that filing, I will note that, as was the case with many other new information and communications technologies, the initial impulse may be to curb or control the development of certain Internet of Things technologies to guard against theoretical future misuses or harms that might develop.

Again, when such fears take the form of public policy prescriptions, it is referred to as a “precautionary principle” and it generally holds that, because a given new technology could pose some theoretical danger or risk in the future, public policies should control or limit the development of such innovations until their creators can prove that they won’t cause any harms.

The problem with letting such precautionary thinking guide policy is that it poses a serious threat to technological progress, economic entrepreneurialism, and human prosperity. Under an information policy regime guided at every turn by a precautionary principle, technological innovation would be impossible because of fear of the unknown; hypothetical worst-case scenarios would trump all other considerations. Social learning and economic opportunities become far less likely, perhaps even impossible, under such a regime. In practical terms, it means fewer services, lower quality goods, higher prices, diminished economic growth, and a decline in the overall standard of living.

For these reasons, to the maximum extent possible, the default position toward new forms of technological innovation should be innovation allowed. This policy norm is better captured in the well-known Internet ideal of “permissionless innovation,” or the general freedom to experiment and learn through trial-and-error experimentation.

Stated differently, when it comes to new information technologies such as the Internet of Things, the default policy position should be an “ anti-Precautionary Principle.” Paul Ohm, who recently joined the FTC as a Senior Policy Advisor, outlined the concept in his 2008 article, “The Myth of the Superuser: Fear, Risk, and Harm Online.” “Fear of the powerful computer user, the ‘Superuser,’ dominates debates about online conflict,” Ohm argued, but this superuser is generally “a mythical figure” concocted by those who are typically quick to set forth worst-case scenarios about the impact of digital technology on society. Fear of such superusers and the hypothetical worst-case dystopian scenarios they might bring about prompts policy action, since “Policymakers, fearful of his power, too often overreact by passing overbroad, ambiguous laws intended to ensnare the Superuser but which are instead used against inculpable, ordinary users.” “This response is unwarranted,” Ohm says “because the Superuser is often a marginal figure whose power has been greatly exaggerated.”

Ohm gets it exactly right and he could have cited Wildavsky on the matter, who noted that, “’Worst case’ assumptions can convert otherwise quite ordinary conditions… into disasters, provided only that the right juxtaposition of unlikely factors occur.” In other words, creative minds can string together some random anecdotes or stories and concoct horrific-sounding scenarios for the future that leave us searching for preemptive to solutions to problems that haven’t even developed yet.

Unfortunately, fear of “superusers” and worst-case boogeyman scenarios are already driving much of the debate over the Internet of Things. Most of the fear and loathing involves privacy-related dystopian scenarios that envision a miserable panoptic future from which there is no escape. And that’s about the time the authors suggest “we need to have a conversation” about these new technologies — by which they really mean to suggest we need to find ways to put the genie back in the bottle or smash the bottle before the genie even gets out.

But how are we to know what the future holds? And even to the extent some critics believe they possess a techno-crystal ball that can forecast the future, why is it seemingly always the case that none of those possible futures involves humans gradually adapting and assimilating these new technologies into their lives the way they have countless times before? In my FTC filing next week, I will document examples of that process of initial resistance, gradual adaptation, and then eventual assimilation of various new information technologies into society. But I have already developed a model explaining this process and offering plenty of examples in my recent law review article, “Technopanics, Threat Inflation, and the Danger of an Information Technology Precautionary Principle,” as well as in this lengthy blog post, “Who Really Believes in ‘Permissionless Innovation’?”

In sum, the most important “conversations” we have about new technologies are the ones we have every day as we interact with those new technologies and with each other. Wisdom is born of experience, including experiences involving risk and the possibility of mistakes and accidents. Patience and an openness to permissionless innovation represent the wise disposition toward new technologies not only because it provides breathing space for future entrepreneurialism, but also because it provides an opportunity to observe both the evolution of societal attitudes toward new technologies and how citizens adapt to them.