Privacy – Technology Liberation Front https://techliberation.com Keeping politicians' hands off the Net & everything else related to technology Mon, 08 May 2023 12:15:12 +0000 en-US hourly 1 6772528 Podcast: Should We Regulate AI? https://techliberation.com/2023/05/08/podcast-should-we-regulate-ai/ https://techliberation.com/2023/05/08/podcast-should-we-regulate-ai/#comments Mon, 08 May 2023 12:15:12 +0000 https://techliberation.com/?p=77120

It was my pleasure to recently join Matthew Lesh, Director of Public Policy and Communications for the London-based Institute of Economic Affairs (IEA), for the IEA podcast discussion, “Should We Regulate AI?” In our wide-ranging 30-minute conversation, we discuss how artificial intelligence policy is playing out across nations and I explained why I feel the UK has positioned itself smartly relative to the US & EU on AI policy. I argued that the UK approach encourages a better ‘innovation culture’ than the new US model being formulated by the Biden Administration.

We also went through some of the many concerns driving calls to regulate AI today, including: fears about job dislocations, privacy and security issues, national security and existential risks, and much more.

Additional reading:

]]> https://techliberation.com/2023/05/08/podcast-should-we-regulate-ai/feed/ 6 77120 7 AI Policy Issues to Watch in 2023 and Beyond https://techliberation.com/2023/02/10/7-ai-policy-issues-to-watch-in-2023-and-beyond/ https://techliberation.com/2023/02/10/7-ai-policy-issues-to-watch-in-2023-and-beyond/#respond Fri, 10 Feb 2023 13:33:58 +0000 https://techliberation.com/?p=77088

In my latest R Street Institute blog post, “Mapping the AI Policy Landscape Circa 2023: Seven Major Fault Lines,” I discuss the big issues confronting artificial intelligence and machine learning in the coming year and beyond. I note that the AI regulatory proposals are multiplying fast and coming in two general varieties: broad-based and targeted. Broad-based algorithmic regulation would address the use of these technologies in a holistic fashion across many sectors and concerns. By contrast, targeted algorithmic regulation looks to address specific AI applications or concerns. In the short-term, it is more likely that targeted or “sectoral” regulatory proposals have a chance of being implemented.

I go on to identify seven major issues of concern that will drive these policy proposals. They include:

1) Privacy and Data Collection

2) Bias and Discrimination

3) Free Speech and Disinformation

4) Kids’ Safety

5) Physical Safety and Cybersecurity

6) Industrial Policy and Workforce Issues

7) National Security and Law Enforcement Issues

Of course, each of these issues includes many sub-issues and nuanced concerns. But I also noted that “this list only scratches the surface in terms of the universe of AI policy issues.” Algorithmic policy considerations are now being discussed in many other fields, including educationinsurancefinancial servicesenergy marketsintellectual propertyretail and trade, and more. I’ll be rolling out a new series of essays examining all these issues throughout the year.

But, as I note in concluding my new essay, the danger of over-reach exists with early regulatory efforts:

AI risks deserve serious attention, but an equally serious risk exists that an avalanche of fear-driven regulatory proposals will suffocate different life-enriching algorithmic innovations. There is a compelling interest in ensuring that AI innovations are developed and made widely available to society. Policymakers should not assume that important algorithmic innovations will just magically come about; our nation must get its innovation culture right if we hope to create a better, more prosperous future.

America needs a flexible governance approach for algorithmic systems that avoids heavy-handed, top-down controls as a first-order solution. “There is no use worrying about the future if we cannot even invent it first,” I conclude.

Additional Reading

]]> https://techliberation.com/2023/02/10/7-ai-policy-issues-to-watch-in-2023-and-beyond/feed/ 0 77088 Studies Document Growing Cost of EU Privacy Regulations https://techliberation.com/2023/02/09/studies-document-growing-cost-of-eu-privacy-regulations/ https://techliberation.com/2023/02/09/studies-document-growing-cost-of-eu-privacy-regulations/#comments Thu, 09 Feb 2023 16:22:47 +0000 https://techliberation.com/?p=77086

[Originally published on Medium on 2/5/2022]

In an earlier essay, I explored “Why the Future of AI Will Not Be Invented in Europe” and argued that, “there is no doubt that European competitiveness is suffering today and that excessive regulation plays a fairly significant role in causing it.” This essay summarizes some of the major academic literature that leads to that conclusion.

Since the mid-1990s, the European Union has been layering on highly restrictive policies governing online data collection and use. The most significant of the E.U.’s recent mandates is the 2018 General Data Protection Regulation (GDPR). This regulation established even more stringent rules related to the protection of personal data, the movement thereof, and limits what organizations can do with data. Data minimization is the major priority of this system, but there are many different types of restrictions and reporting requirements involved in the regulatory scheme. This policy framework also has ramifications for the future of next-generation technologies, especially artificial intelligence and machine learning systems, which rely on high-quality data sets to improve their efficacy.

Whether or not the E.U.’s complicated regulatory regime has actually resulted in truly meaningful privacy protections for European citizens relative to people in other countries remains open to debate. It is very difficult to measure and compare highly subjective values like privacy across countries and cultures. This makes benefit-cost analysis for privacy regulation extremely challenging — especially on the benefits side of the equation.

What is no longer up for debate, however, is the cost side of the equation and the question of what sort of consequences the GDPR has had on business formation, competition, investment, and so on. On these matters, standardized metrics exist and the economic evidence is abundantly clear: the GDPR has been a disaster for Europe.

Summary of Major Studies on Impact of EU Data Regulation

Consider the impact of E.U. data controls on business startups and market structure. GDPR and other regulations greatly limit the flow of data to innovative upstarts who need it most to compete, leaving only the largest companies who can afford to comply to control most of the market. Benjamin Mueller of ITIF notes that it is already the case that just “two of the world’s 30 largest technology firms by market capitalization are from the EU,” and only “5 of the 100 most promising AI startups are based in Europe,” while private funding of AI startups in Europe for 2020 ($4 billion) was dwarfed by US ($36 billion) and China ($25 billion). These issues are even more pressing as the E.U. looks to advance a new AI Act, which would layer on still more regulatory restrictions.

In concrete terms, this has meant that the E.U. came away from the digital revolution with “the complete absence of superstar companies,” argue competition policy experts Nicolas Petit and David Teece. There are no European versions of Microsoft, Google, or Apple, even though Europeans clearly demand the sort of products and services those US-based companies provide. Entrepreneurialism scholar Zoltan Acs asks: “What has been the outcome of E.U. policy in limiting entrepreneurial activity over recent decades?” His conclusion:

It is immediately clear… that the United States and China dominate the platform landscape. Based on the market value of top companies, the United States alone represents 66% of the world’s platform economy with 41 of the top 100 companies. European platform-based companies play a marginal role, with only 3% of market value.

Several recent studies have documented the costs associated with the GDPR and the E.U.’s heavy-handed approach to data flows more generally. Here is a rundown of some of the academic evidence and a summary of the major findings from these studies.

“There is a growing body of economic literature and commentary showing that the costs of implementing the GDPR benefit large online platforms, and that consent-based data collection gives a competitive advantage to firms offering a range of consumer-facing products compared to smaller market actors. This in turn increases concentration in a number of digital markets where access to data is important, by creating barriers to entry or encouraging market exit.” (p. 2–3)

“this paper examines how privacy regulation shaped firm performance in a large sample of companies across 61 countries and 34 industries. Controlling for firm and country-industry-year unobserved characteristics, we compare the outcomes of firms at different levels of exposure to EU markets, before and after the enforcement of the GDPR in 2018. We find that enhanced data protection had the unintended consequence of reducing the financial performance of companies targeting European consumers. Across our full sample, firms exposed to the regulation experienced a 8% decline in profits, and a 2% reduction in sales. An exception is large technology companies, which were relatively unaffected by the regulation on both performance measures. Meanwhile, we find the negative impact on profits among small technology companies to be almost double the average effect across our full sample. Following several robustness tests and placebo regressions, we conclude that the GDPR has had significant negative impacts on firm performance in general, and on small companies in particular.” (p. 1)

“We show that websites’ vendor use falls after the European Union’s General Data Protection Regulation (GDPR), but that market concentration also increases among technology vendors that provide support services to websites. We collect panel data on the web technology vendors selected by more than 27,000 top websites internationally. The week after the GDPR’s enforcement, website use of web technology vendors falls by 15% for EU residents. Websites are more likely to drop smaller vendors, which increases the relative concentration of the vendor market by 17%. Increased concentration predominantly arises among vendors that use personal data such as cookies, and from the increased relative shares of Facebook and Google-owned vendors, but not from website consent requests. Though the aggregate changes in vendor use and vendor concentration dissipate by the end of 2018, we find that the GDPR impact persists in the advertising vendor category most scrutinized by regulators. Our findings shed light on potential explanations for the sudden drop and subsequent rebound in vendor usage.” (p. 1)

GDPR creates inherent tradeoffs between data protection and other dimensions of welfare, including competition and innovation. While some of these effects were acknowledged when constructing the legal data regime, many were disregarded. Furthermore, the magnitude and breadth of such effects may well constitute an unintended and unheeded welfare-reducing consequence. As this article shows, the GDPR limits competition and increases concentration in data and data-related markets, and potentially strengthens large data controllers. It also further reinforces the already existing barriers to data sharing in the EU, thereby potentially reducing data synergies that might result from combining different datasets controlled by separate entities.” (pp. 3–4)

“Using data on 4.1 million apps at the Google Play Store from 2016 to 2019, we document that GDPR induced the exit of about a third of available apps; and in the quarters following implementation, entry of new apps fell by half. We estimate a structural model of demand and entry in the app market. Comparing long-run equilibria with and without GDPR, we find that GDPR reduces consumer surplus and aggregate app usage by about a third. Whatever the privacy benefits of GDPR, they come at substantial costs in foregone innovation.”

“this paper empirically quantifies the effects of the enforcement of the EU’s General Data Protection Regulation (GDPR) on online user behavior over time, analyzing data from 6,286 websites spanning 24 industries during the 10 months before and 18 months after the GDPR’s enforcement in 2018. A panel differences estimator, with a synthetic control group approach, isolates the short- and long-term effects of the GDPR on user behavior. The results show that, on average, the GDPR’s effects on user quantity and usage intensity are negative; e.g., the numbers of total visits to a website decrease by 4.9% and 10% due to GDPR in respectively the short- and long-term. These effects could translate into average revenue losses of $7 million for e-commerce websites and almost $2.5 million for ad-based websites 18 months after GDPR. The GDPR’s effects vary across websites, with some industries even benefiting from it; moreover, more-popular websites suffer less, suggesting that the GDPR increased market concentration.”

“This paper investigates the impact of the General Data Protection Regulation (GDPR for short) on consumers’ online browsing and search behavior using consumer panels from four countries, United Kingdom, Spain, United States, and Brazil. We find that after GDPR, a panelist exposed to GDPR submits 21.6% more search terms to access information and browses 16.3% more pages to access consumer goods and services compared to a non-exposed panelist, indicating higher friction in online search. The implications of increased friction are heterogeneous across firms: Bigger e-commerce firms see an increase in consumer traffic and more online transactions. The increase in the number of transactions at large websites is about 6 times the increase experienced by smaller firms. Overall, the post-GDPR online environment may be less competitive for online retailers and may be more difficult for EU consumers to navigate through.”

“Privacy regulations should increase trust because they provide laws that increase transparency and allow for punishment in cases in which the trustee violates trust. […] We collected survey panel data in Germany around the implementation date and ran a survey experiment with a GDPR information treatment. Our observational and experimental evidence does not support the hypothesis that the GDPR has positively affected trust. This finding and our discussion of the underlying reasons are relevant for the wider research field of trust, privacy, and big data.”

“We follow more than 110,000 websites and their third-party HTTP requests for 12 months before and 6 months after the GDPR became effective and show that websites substantially reduced their interactions with web technology providers. Importantly, this also holds for websites not legally bound by the GDPR. These changes are especially pronounced among less popular websites and regarding the collection of personal data. We document an increase in market concentration in web technology services after the introduction of the GDPR: Although all firms suffer losses, the largest vendor — Google — loses relatively less and significantly increases market share in important markets such as advertising and analytics. Our findings contribute to the discussion on how regulating privacy, artificial intelligence and other areas of data governance relate to data minimization, regulatory competition, and market structure.”

William Rinehart of the Center for Growth and Opportunity has compiled and summarized many additional studies that document the costs associated with restrictions on data, including many state privacy laws imposed in the United States.

“The Biggest Loser”: Innovation Culture Gone Wrong

Taken together, this evidence makes it clear that, “Well-meaning privacy laws can have the unintended consequence of penalizing smaller companies within technology markets.” It can also have broader geopolitical ramifications for continental competitive advantage and engagement between countries. Some have argued that the United Kingdom’s so-called “Brexit” from the EU can be viewed as not only an effort to reclaim its sovereignty but more specifically “to escape its crippling regulatory structure.” The E.U.’s approach to emerging technology regulation likely had some bearing on this. Acs argues that Britain’s move was logical, “because E.U. regulations were holding back the U.K.’s strong DPE (digital platform economy).” “If the United Kingdom was to realize its economic potential,” he says, “it had to extricate itself from the European Union,” due to the growing “dysfunctional E.U. bureaucracy.”

Can Europe turn things around? Most market watchers do not believe that the E.U. will be willing to change its regulatory course in such a way that the continent would suddenly become more open to data-driven innovation. As part of a Spring 2022 journal symposium, The International Economy asked 11 experts from Europe and the U.S. to consider where the European Union currently stood in “the global tech race.” The responses were nearly unanimous and bluntly summarized in the symposium’s title: “The Biggest Loser.” Several respondents observed how “Europe is considered to be lagging behind in the global tech race,” and “is unlikely to become a global hub of innovation.” “The future will not be invented in Europe,” another respondent concluded. Europe’s risk-averse culture and preference for meticulously detailed and highly precautionary regulatory regimes were repeatedly cited as factors.

Europe has become the biggest loser on the digital technology front not because of their people but because of their policy. Europe is filled with some of the most important advanced education and engineering programs in the world, and countless brilliant minds there could be leading world-leading digital technology companies that could rival the U.S., China, and the rest of the world. But Europe’s current “innovation culture” simply will not allow it.

Innovation culture refers to “the various social and political attitudes and pronouncements towards innovation, technology, and entrepreneurial activities that, taken together, influence the innovative capacity of a culture or nation.” A positive innovation culture depends upon a dynamic, open economy that encourages new entry, entrepreneurialism, continuous investment, and the free movement of goods, ideas, and talent.

At this point in time, it is clear that — at least for data-driven sectors — the E.U. has created the equivalent of an anti-innovation culture, and the GDPR has clearly played a major rule in that outcome. This regulatory regime has also had devastating consequences for venture capital formation and investment more generally in Europe. “Public policy and attitudes explain the relative technological decline and lack of economic dynamism,” Petit and Teece argue, and it has resulted in, “weak venture capital markets, fragmented research capabilities, low worker mobility and frustrated entrepreneurs.”

Industrial Policy Won’t Save Europe

While the E.U. is aggressively regulating data-driven sectors, it is simultaneously trying to use industrial policy programs to advance new technological capabilities and innovations. European policymakers would obviously like to avoid a repeat of the past quarter century and the lack of digital technology competition and innovation they witnessed.

But past European industrial policy efforts on the digital technology front have largely failed, as Connor Haaland and I documented earlier. Zoltan Acs notes that, despite many state efforts to promote digital innovation across the continent in recent decades, the E.U.’s regulatory policies have resulted in the opposite. “The European Union protected traditional industries and hoped that existing firms would introduce new technologies. This was a policy designed to fail,” he argues. A major recent book, Questioning the Entrepreneurial State: Status-quo, Pitfalls, and the Need for Credible Innovation Policy (Springer, 2022), offers additional evidence of the failure of European industrial policy efforts. No amount of industrial policy planning and spending is going to be able to overcome a negative innovation culture that suffocates entrepreneurialism and investment out of the gates.

These findings have lessons for policymakers in the United States, too, especially with President Biden and even many Republicans now calling for heavy-handed top-down regulation of digital technology companies. Basically, “President Biden Wants America to Become Europe on Tech Regulation,” I argued in a recent R Street Institute blog post. In a letter to the Wall Street JournalI responded to recent opeds by both President Biden and former Trump Administration Attorney General William Barr in which they both advocated regulations that would take us down the disastrous path that the European Union has already charted.

“The only thing Europe exports now on the digital-technology front is regulation,” I noted in my response, and that makes it all the more mind-boggling that Biden and Barr want to go down that same path. “Overregulation by EU bureaucrats led Europe’s best entrepreneurs and investors to flee to the U.S. or elsewhere in search of the freedom to innovate.” This is the wrong innovation culture for the United States if we hope to be a leader in the Computational Revolution that is unfolding — and match expanding efforts by the Chinese to top us at it.

In closing, policymakers should never lose sight of the most fundamental lesson of innovation policy, which can be stated quite simply: You only get as much innovation as you allow to begin with. If the public policy defaults are all set to be maximally restrictive and limit entrepreneurialism and experimentation by design, then it should be no surprise when the country or continent fails to generate meaningful innovation, investment, new companies, and global competitive advantage. The European model is no model for America.

Additional reading:

]]> https://techliberation.com/2023/02/09/studies-document-growing-cost-of-eu-privacy-regulations/feed/ 2 77086 Event Video on Algorithmic Auditing and AI Impact Assessments https://techliberation.com/2022/07/13/event-video-on-algorithmic-auditing-and-ai-impact-assessments/ https://techliberation.com/2022/07/13/event-video-on-algorithmic-auditing-and-ai-impact-assessments/#comments Wed, 13 Jul 2022 18:10:03 +0000 https://techliberation.com/?p=77008

Upsides:

  • Audits and impact assessments can help ensure organizations live up their promises as it pertains to “baking in” ethical best practices (on issues like safety, security, privacy, and non-discrimination).
  • Audits and impact assessments are already utilized in other fields to address safety practices, financial accountability, labor practices and human rights issues, supply chain practices, and various environmental concerns.
  • Internal auditing / Institute of Internal Auditors (IIA) efforts could expand to include AI risks
  • Eventually, more and more organizations will expand their internal auditing efforts to incorporate AI risks because it makes good business sense to stay on top of these issues and avoid liability, negative publicity, or other customer backlash.
  • the International Association of Privacy Professionals (IAPP) trains and certifies privacy professionals through formal credentialing programs, supplemented by regular meetings, annual awards, and a variety of outreach and educational initiatives.
  • We should use similar model for AI and start by supplementing Chief Privacy Officers with Chief Ethical Officers.
  • This is how we formalize the ethical frameworks and best practices that have been formulated by various professional associations such as IEEE, ISO, ACM and others.
  • OECD — Framework for the Classification of AI Systems with the twin goals of helping “to develop a common framework for reporting about AI incidents that facilitates global consistency and interoperability in incident reporting,” and advancing “related work on mitigation, compliance and enforcement along the AI system lifecycle, including as it pertains to corporate governance.”
  • NIST — AI Risk Management Framework “to better manage risks to individuals, organizations, and society associated with artificial intelligence.”
  • These frameworks being developed through a consensus-driven, open, transparent, and collaborative process. Not through top-down regulation.
  • Many AI developers and business groups have endorsed the use of such audits and assessments. BSA|The Software Alliance has said that, “By establishing a process for personnel to document key design choices and their underlying rationale, impact assessments enable organizations that develop or deploy high-risk AI to identify and mitigate risks that can emerge throughout a system’s lifecycle.”
  • Developers can still be held accountable for violations of certain ethical norms and bast practices both through private and potentially even through formal sanctions by consumer protection agencies (Federal Trade Commission / comparable state offices / by state AGs).
  • EqualAI / WEF — “Badge Program for Responsible AI Governance”
  • field of algorithmic consulting continues to expand (ex: O’Neil Risk Consulting)

Downsides:

  • constitutes a harm or impact in any given context will often be a contentious matter.
  • Auditing algorithms is nothing like auditing an accounting ledger, where the numbers either add up or they don’t.
  • With algorithms there are no binary metrics that can quantify the correct amount of privacy, safety, or security in any given system.
  • E.U. AI act will be a disaster for AI innovation and investment
  • Proposed U.S. Algorithmic Accountability Act of 2022 would require that developers perform impact assessments and file them with the Federal Trade Commission. A new Bureau of Technology would be created inside the agency to oversee the process.
  • If enforced through a rigid regulatory regime and another federal bureaucracy, compliance with algorithmic auditing mandates would likely become a convoluted, time-consuming bureaucratic process. That would likely slow the pace of AI development significantly.
  • Academic literature on AI auditing / impact assessment ignores potential costs; Mandatory auditing and assessments are treated as a sort of frictionless nirvana when we already know that such a process would entire significant costs.
  • Some AI scholars suggest that NEPA should be model for AI impact assessments / audits.
  • NEPA assessments were initially quite short (sometimes less than 10 pages), but today the average length of these statements is more than 600 pages and include appendices that average over 1,000 pages on top of that.
  • NEPA assessments take an average of 4.5 years to complete and that, between 2010 and 2017, there were four assessments that took at least 17 years to complete.
  • Many important public projects never get done or take far too long to complete at considerably higher expenditure than originally predicted.
  • would create a number of veto points that opponents of AI could use to stop much progress in the field. This is the “vetocracy” problem.
  • We cannot wait years or even months for bureaucracies to eventually getting around to formally signing off on audits or assessments, many of which would be obsolete before they were even done.
  • “global innovation arbitrage” problem would kick in: Innovators and investors increasingly relocate to the jurisdictions where they are treated most hospitably.
  • Both parties already accuse digital technology companies of manipulating their algorithms to censor their views.
  • Whichever party is in power at any given time could use the process to politicize terms like “safety,” “security,” and “non-discrimination” to nudge or even force private AI developers to alter their algorithms to satisfy the desires of partisan politicians or bureaucrats.
  • FCC abused its ambiguous authority to regulate “in the public interest” and indirectly censor broadcasters through intimidation via jawboning tactics and other “agency threats.” or “regulation by raised eyebrow”
  • There are potentially profound First Amendment issues in play with the regulation of algorithms that have not been explored here but which could become a major part of AI regulatory efforts going forward.

Summary:

  • Auditing and impact assessments can be a part of a more decentralized, polycentric governance framework.
  • Even in the absence of any sort of hard law mandates, algorithmic auditing and impact reviews represent an important way to encourage responsible AI development.
  • But we should be careful about mandating such things due to the many unanticipated cost and consequences of converting this into a top-down, bureaucratic regulatory regime.
  • The process should evolve gradually and organically, as it has in many other fields and sectors.
]]> https://techliberation.com/2022/07/13/event-video-on-algorithmic-auditing-and-ai-impact-assessments/feed/ 3 77008 New Jurimetrics Article: “Soft Law in U.S. ICT Sectors: Four Case Studies” https://techliberation.com/2021/02/01/new-jurimetrics-article-soft-law-in-u-s-ict-sectors-four-case-studies/ https://techliberation.com/2021/02/01/new-jurimetrics-article-soft-law-in-u-s-ict-sectors-four-case-studies/#comments Mon, 01 Feb 2021 21:02:45 +0000 https://techliberation.com/?p=76836

After a slight delay, Jurimetrics has finally published my latest law review article, “Soft Law in U.S. ICT Sectors: Four Case Studies.” It is part of a major symposium that Arizona State University (ASU) Law School put together on “Governing Emerging Technologies Through Soft Law: Lessons For Artificial Intelligence” for the journal. I was 1 of 4 scholars invited to pen foundational essays for this symposium. Jurimetrics is a official publication of the American Bar Association’s Section of Science & Technology Law.

This report was a major undertaking that involved dozens of interviews, extensive historic research, several events and presentations, and then numerous revisions before the final product was released. The final PDF version of the journal article is attached.

Here is the abstract:

Traditional hard law tools and processes are struggling to keep up with the rapid pace of innovation in many emerging technologies sectors. As a result, policy­makers in the United States rely increasingly on less formal “soft law” governance mech­anisms to address concerns surrounding many newer technologies. This Article explores four case studies from different information technology areas where soft law mechanisms have already been utilized to address governance concerns. These four sectoral case stud­ies include domain name management, content oversight, privacy policy, and cyberse­curity matters. After considering the various soft law mechanisms used to address those issues, the Article concludes with some general thoughts about the effectiveness of those approaches and what lessons those case studies might hold for the use of soft law in other emerging technology sectors and contexts.

]]> https://techliberation.com/2021/02/01/new-jurimetrics-article-soft-law-in-u-s-ict-sectors-four-case-studies/feed/ 6 76836 Video: Launch Event for “Evasive Entrepreneurs” Book https://techliberation.com/2020/04/29/video-launch-event-for-evasive-entrepreneurs-book/ https://techliberation.com/2020/04/29/video-launch-event-for-evasive-entrepreneurs-book/#respond Wed, 29 Apr 2020 15:22:06 +0000 https://techliberation.com/?p=76706

Here’s yesterday’s full launch event video for the release of my new book, Evasive Entrepreneurs and the Future of Governance: How Innovation Improves Economies and Governments. My thanks to Matthew Feeney, Director of the Project on Emerging Technologies at the Cato Institute, for hosting the discussion and sorting through audience questions. The video is below and some of the topics we discussed are listed down below:

* innovation culture
* charter cities, innovation hubs & competitive federalism
* the pacing problem
* technological determinism
* innovation arbitrage
* existential risk
* the Precautionary Principle vs. Permissionless Innovation
* responsible innovation
* drones, facial recognition & surveillance tech
* why privacy & cybersecurity bills never pass
* regulatory accumulation
* applying Moore’s Law to government
* technological civil disobedience
* 3D printing
* biohacking & the “Right to Try” movement
* technologies of resistance
* “born free” technologies vs. “born in captivity” tech
* regulatory capture
* agency threats & “regulation by raised eyebrow”
* soft law vs. hard law
* autonomous systems & “killer robots”!
]]> https://techliberation.com/2020/04/29/video-launch-event-for-evasive-entrepreneurs-book/feed/ 0 76706 The use of technology in COVID-19 public health surveillance https://techliberation.com/2020/04/21/the-use-of-technology-in-covid-19-public-health-surveillance/ https://techliberation.com/2020/04/21/the-use-of-technology-in-covid-19-public-health-surveillance/#comments Tue, 21 Apr 2020 16:29:33 +0000 https://techliberation.com/?p=76689

The recently-passed CARES Act included $500 million for the CDC to develop a new “surveillance and data-collection system” to monitor the spread of COVID-19.

There’s a fierce debate about how to use technology for health surveillance for the COVID-19 crisis. Unfortunately this debate is happening in realtime as governments and tech companies try to reduce infection and death while complying with national laws and norms related to privacy.

Technology has helped during the crisis and saved lives. Social media, chat apps, and online forums allow doctors, public health officials, manufacturers, entrepreneurs, and regulators around the world to compare notes and share best practices. Broadband networks, Zoom, streaming media, and gaming make stay-at-home order much more pleasant and keeps millions of Americans at work, remotely. Telehealth apps allow doctors to safely view patients with symptoms. Finally, grocery and parcel delivery from Amazon, Grubhub, and other app companies keep pantries full and serve as a lifeline to many restaurants.

The great tech successes here, however, will be harder to replicate for contact tracing and public health surveillance. Even the countries that had the tech infrastructure somewhat in place for contact tracing and public health surveillance are finding it hard to scale. Privacy issues are also significant obstacles. (On the Truth on the Market blog, FTC Commissioner Christine Wilson provides a great survey of how other countries are using technology for public health and analysis of privacy considerations. Bronwyn Howell also has a good post on the topic.) Let’s examine some of the strengths and weaknesses of the technologies.

Cell tower location information

Personal smartphones typically connect to the nearest cell tower, so a cell networks record (roughly) where a smartphone is at a particular time. Mobile carriers are sharing aggregated cell tower data with public health officials in Austria, Germany, and Italy for mobility information.

This data is better than nothing for estimating district- or region-wide stay-at-home compliance but the geolocation is imprecise (to the half-mile or so). 

Cell tower data could be used to enforce a virtual geofence on quarantined people. This data is, for instance, used in Taiwan to enforce quarantines. If you leave a geofenced area, public health officials receive an automated notification of your leaving home.

Assessment: Ubiquitous, scalable. But: rarely useful and virtually useless for contact tracing.

GPS-based apps and bracelets

Many smartphone apps passively transmit precise GPS location to app companies at all hours of the day. Google and Apple have anonymized and aggregated this kind of information in order to assess stay-at-home order effects on mobility. Facebook reportedly is also sharing similar location data with public health officials.

As Trace Mitchell and I pointed out in Mercatus and National Review publications, this information is imperfect but could be combined with infection data to categorize neighborhoods or counties as high-risk or low-risk. 

GPS data, before it’s aggregated by the app companies for public view, reveals precisely where people are (within meters). Individual data is a goldmine for governments, but public health officials will have a hard time convincing Americans, tech companies, and judges they can be trusted with the data.

It’s an easier lift in other countries where trust in government is higher and central governments are more powerful. Precise geolocation could be used to enforce quarantines.

Hong Kong, for instance, has used GPS wristbands to enforce some quarantines. Tens of thousands of Polish residents in quarantines must download a geolocation-based app and check in, which allows authorities to enforce quarantine restrictions. It appears the most people support the initiative.

Finally, in Iceland, one third of citizens have voluntarily downloaded a geolocation app to assist public officials in contact tracing. Public health officials call or message people when geolocation records indicate previous proximity with an infected person. WSJ journalists reported on April 9 that:

If there is no response, they send a police squad car to the person’s house. The potentially infected person must remain in quarantine for 14 days and risk a fine of up to 250,000 Icelandic kronur ($1,750) if they break it.

That said, there are probably scattered examples of US officials using GPS for quarantines. Local officials in Louisville, Kentucky, for example, are requiring some COVID-19-positive or exposed people to wear GPS ankle monitors to enforce quarantine.

Assessment: Aggregated geolocation information is possibly useful for assessing regional stay-at-home norms. Individual geolocation information is not precise enough for effective contact tracing. It’s probably precise and effective for quarantine enforcement. But: individual geolocation is invasive and, if not volunteered by app companies or users, raises significant constitutional issues in the US.

Bluetooth apps

Many researchers and nations are working on or have released some type of Bluetooth app for contact tracing. This includes Singapore, the Czech Republic, Britain, Germany, Italy and New Zealand.  

For people who use these apps, Bluetooth runs in the background, recording other Bluetooth users nearby. Since Bluetooth is a low-power wireless technology, it really only can “see” other users within a few meters. If you use the app for awhile and later test positive for infection, you can register your diagnosis. The app will then notify (anonymously) everyone else using the app, and public health officials in some countries, who you came in contact with in the past several days. My colleague Andrea O’Sullivan wrote a great piece in Reason about contact tracing using Bluetooth.

These apps have benefits over other forms of public health tech surveillance: they are more precise than geolocation information and they are voluntary.

The problem is that, unlike geolocation apps, which have nearly 100% penetration with smartphone users, Bluetooth contact tracing apps have about 0% penetration in the US today. Further, these app creators, even governments, don’t seem to have the PR machine to gain meaningful public adoption. In Singapore, for instance, adoption is reportedly only 12% of the population, which is way too low to be very helpful.

A handful of institutions in the world could get appreciable use of Bluetooth contact tracing: telecom and tech companies have big ad budgets and they own the digital real estate on our smartphones.

Which is why the news that Google and Apple are working on a contact tracing app is noteworthy. They have the budget and ability to make their hundreds of millions of Android and iOS users aware of the contact tracing app. They could even go so far as push a notification to the home screen to all users encouraging them to use it.

However, I suspect they won’t push it hard. It would raise alarm bells with many users. Further, as Dan Grover stated a few weeks ago about why US tech companies haven’t been as active as Chinese tech companies in using apps to improve public education and norms related to COVID-19:

Since the post-2016 “techlash”, tech companies in Silicon Valley have acted with a sometimes suffocating sense of caution and unease about their power in the world. They are extremely careful to not do anything that would set off either party or anyone with ideas about regulation. And they seldom use their pixel real estate towards affecting political change.

[Ed.: their puzzling advocacy of Title II “net neutrality” regulation a big exception].

Techlash aside, presumably US companies also aren’t receiving the government pressure Chinese companies are receiving to push public health surveillance apps and information. [Ed.: Bloomberg reports that France and EU officials want the Google-Apple app to relay contact tracing notices to public health officials, not merely to affected users. HT Eli Dourado]

Like most people, I have mixed feelings about how coercive the state and how pushy tech companies should be during this pandemic. A big problem is that we still have only an inkling about how deadly COVID-19 is, how quickly it spreads, and how damaging stay-at-home rules and norms are for the economy. Further, contact-tracing apps still need extensive, laborious home visits and follow-up from public health officials to be effective–something the US has shown little ability to do.

There are other social costs to widespread tech-enabled tracing. Tyler Cowen points out in Bloomberg that contact tracing tech is likely inevitable, but that would leave behind those without smartphones. That’s true, and a major problem for the over-70 crowd, who lack smartphones as a group and are most vulnerable to COVID-19.

Because I predict that Apple and Google won’t push the app hard and I doubt there will be mandates from federal or state officials, I think there’s only a small chance (less than 15%) a contact tracing wireless technology will gain ubiquitous adoption this year (60% penetration, more than 200 million US smartphone users). 

Assessment: A Bluetooth app could protect privacy while, if volunteered, giving public health officials useful information for contact tracing. However, absent aggressive pushes from governments or tech companies, it’s unlikely there will be enough users to significantly help.

Health Passport

The chances of mass Bluetooth app use would increase if the underlying tech or API is used to create a “health passport” or “immunity passport”–a near-realtime medical certification that someone will not infect others. Politico reported on April 10 that Dr. Anthony Fauci, the White House point man on the pandemic, said the immunity passport idea “has merit.”

It’s not clear what limits Apple and Google will put on their API but most APIs can be customized by other businesses and users. The Bluetooth app and API could feed into a health passport app, showing at a glance whether you are infected or you’d been near someone infected recently.

For the venues like churches and gyms and operators like airlines and cruise ships that need high trust from participants and customers, on the spot testing via blood test or temperature taking or Bluetooth app will likely gain traction. 

There are the beginnings of a health passport in China with QR codes and individual risk classifications from public health officials. Particularly for airlines, which is a favored industry in most nations, there could be public pressure and widespread adoption of a digital health passport. Emirates Airlines and the Dubai Health Authority, for instance, last week required all passengers on a flight to Tunisia to take a COVID-19 blood test before boarding. Results came in 10 minutes.

Assessment: A health passport integrates several types of data into a single interface. The complexity makes widespread use unlikely but it could gain voluntary adoption by certain industries and populations (business travelers, tourists, nursing home residents).

Conclusion

In short, tech could help with quarantine enforcement and contact tracing, but there are thorny questions of privacy norms and it’s not clear US health officials have the ability to do the home visits and phone calls to detect spread and enforce quarantines. All of these technologies have issues (privacy or penetration or testing) and there are many unknowns about transmission and risk. The question is how far tech companies, federal and state law officials, the American public, and judges are prepared to go.

]]> https://techliberation.com/2020/04/21/the-use-of-technology-in-covid-19-public-health-surveillance/feed/ 4 76689 Congress as a Non-Actor in Tech Policy https://techliberation.com/2020/02/04/congress-as-a-non-actor-in-tech-policy/ https://techliberation.com/2020/02/04/congress-as-a-non-actor-in-tech-policy/#comments Tue, 04 Feb 2020 19:28:42 +0000 https://techliberation.com/?p=76658

ImageCongress has become a less important player in the field of technology policy. Why did that happen, and what are the ramifications for technological governance efforts going forward?

I’ve spent almost 30 years covering technology policy. There was a time in my life when I spent almost all my time as a policy analyst preoccupied with developments in the federal legislative arena. I lived in the trenches of Capitol Hill and interacted with lawmakers and their staff morning, noon, and night.

In recent years, however, I have spent very little time focused on the Legislative Branch because it has effectively become a non-actor on technology policy. It is not that congressional lawmakers stopped caring about tech policy. Interest actually remains quite high—perhaps higher than ever before. Congress also continues to introduce lots of bills, host plenty of hearings, and issue mountains of press releases related to tech policy issues.

Nonetheless, all that interest and activity has not really translated into much important legislation. While it is hard to track tech-oriented legislative trends statistically because of the complication of defining “technology policy” over time, judged by substantive output, Congress has largely checked out of technological policymaking.

Think about digital privacy. How many years now have people been predicting a comprehensive “baseline” privacy bill would pass in each legislative session? It never happens. Perhaps it will this year, but if you would like to place a wager on it, I will take that bet.

Speaking of bets, for several years now, I have been wagering with friends that Congress will not pass federal legislation creating a national autonomous vehicles framework. Each session I win that bet. Keep in mind, a framework for driverless cars is far less controversial than privacy policy. Still, nothing substantive ever gets done in Congress.

Same goes for cybersecurity with lots of calls for big measures, but no final action. Folks are now also telling me to expect a big artificial intelligence bill one day soon. I sincerely doubt it. Again, I’ll bet on it if you’d like to lose some money!

Let me be clear, there may actually be some very good reasons why Congress should implement a national framework for privacy, driverless cars, and some AI policy issues. But all the wishful thinking in the world will not magically make it happen.

We need to entertain the possibility that Congress has largely checked out of the world of substantive tech policymaking and isn’t coming back. We may get a few big surprise measures here and there, as we did with clumsily-drafted FOSTA-SESTA. If anything, it is more likely that we instead see misguided legislative riders attached to non-germane measures during late night negotiations. But even haphazard efforts like those will be extremely rare. The days of Congress passing big bills like the Telecom Act of 1996 or the Cable Act of 1992 appear mostly over.

Why Congress Is No Longer the Major Player It Once Was

I think there are probably many obvious explanations for why Congress has checked out of tech policymaking, but let me try to boil it down to a couple of interrelated trends:

The “pacing problem” has intensified: The pacing problem refers to the inability of legal or regulatory regimes to keep adjust to the intensifying pace of technological change. There are just more emerging technologies than ever, and they are evolving faster than ever, too. “New technologies that used to have two-year cycle times now can become obsolete in six months, and the pace of change is not slowing,” says consulting firm Deloitte.

A growing multiplicity of technologies means more tech policy issues to cover. And those issues grow more complicated each year. As soon as lawmakers wrap their heads around one technology (if they do at all), another innovation pops up that complicates things further or crowds out their attention.

Technological convergence and blurring governance boundaries: Technology policymaking increasingly involves metaphysical questions about the underlying nature of things. For example, what is a “phone,” a “medical device,” or an “aerial vehicle”? These things used to be relatively easy to define and had well-understood meanings in federal statutes and regulations. But those concepts evolved rapidly in an age of widespread technological convergence and rapid-fire “combinatorial innovation,” with new technologies multiplying and building on top of one another in the symbiotic fashion. Basically, almost as soon as new tech laws or regulations are enacted, they are confronted with new marketplace realities and technological changes that call into question legal classifications or regulatory distinctions.

For example, today’s smartphones combine dozens of different functions that were previously quite distinct, including health tracking capabilities, mobile payment systems, and video distribution, all of which remain heavily regulated by an assortment of federal laws and agencies. But the convergence of all these capabilities in a single device that we can carry in our pockets creates massive governance challenges, not only for archaic legislative frameworks, but even for newer semantic distinctions that may seem current one moment only to be obliterated the next. These factors also make it harder to figure out who in Congress should be driving policy because technological convergence blurs previously distinct governance categories among legislative committees and the laws they have crafted.

Legislative dysfunctionalism: Policymaking processes move slowly by design. Constitutional constraints and other legal requirements demand it. But things move even slower today because of what Jonathan Rauch calls “demosclerosis,” or the “government’s progressive loss of the ability to adapt.” “[A]s layer is dropped upon layer,” he argued, “the accumulated mass becomes gradually less rational and less flexible.”

Inadequate resources are also part of the problem with Congress facing a complex, rapidly-evolving set of issues but devoting only limited resources to technical staff or studies to better understand these developments. This combined with the factors cited above has led to a never-ending “competency trap,” with lawmakers and their staffs seemingly always one step behind technological developments and societal demands or expectations.

Meanwhile, partisanship increases and the work load on many other fronts grows alongside it. There’s just a lot more on Congress’s plate than ever before. Plus, tech policy matters seemingly always take a back seat to tax, budget, entitlements, defense, and other issues.

Many people hope that boosting technology assessment efforts might help correct these problems. Perhaps better technical advice could help lawmakers ask less ignorant questions at tech-oriented congressional hearings, which have become showcases for the staggering lack of congressional understanding of modern technologies. But just adding new technology assessment capacity, such as in the form of a revived Office of Technology Assessment, won’t likely move the needle much in terms of actual legislative output. More serious structural reforms will be required.

Globalization: Many modern technologies “are truly global and call out for policy approaches that do not respect traditional national borders,” note former NITA officials Lawrence E. Strickling and Jonah Force Hill. Congress only has so much control over technologies that defy national boundaries, further complicating tech governance questions.

Yet, one would think that when America’s global competitive advantage was on the line, Congress would have greater reason to assert itself and craft frameworks to ensure US firms are not disadvantaged by a lack of policy clarity. That has not proven to be the case, however. Congressional lawmakers do plenty of huffing and puffing about the tech governance choices made by Europe, China, and other governments, but they then leave the field wide open to them (as well as lower levels of government) to craft policies that govern national markets throughout the United States.

Endless delegation: Speaking of passing the buck, Congress has been doing it for decades on tech policy by delegating massive and quite amorphous authority to technocratic administrative agencies. Over the past half century, scholars from various disciplines—economics, law, political science, history, and others—have explored the growth of what has been alternatively called the “interest group society,”  “receivership by regulation,”  “iron triangles,” and “client politics.” This literature identifies the way Congress has increasingly abdicated its constitutional role as lawmaker by shifting hard policy questions to regulatory agencies and then hoping that bureaucrats could figure out all the answers.

Delegation is even more common for the most technical policy matters, and that trend has only accelerated in recent years as the complexity increases and overwhelms lawmakers and their staff.

Ramifications for Tech Governance Going Forward

If Congress remains largely incapable of ever getting the ball over the goal line on important tech policy matters, what are some of the ramifications? There are many, but I will identify just a few of the most obvious ones:

  • More tech-oriented legislative activity will shift to the states: In fact, it already has. For each of the tech policy issues I identified earlier (privacy, driverless cars, cybersecurity, and even some AI-related issues like facial recognition), states are—for better or worse—picking up the slack. We should expect that trend to accelerate. This will create an increasingly confusing patchwork of policies that will potentially raise serious barriers to entry and innovation. Nonetheless, I can’t see this trend reversing anytime soon. Perhaps Congress will finally act on privacy or driverless cars legislation if for no other reason than to preempt a crazy-quilt of contradictory policies. Of course, that’s what people have been predicting for years, and it never happens.
  • “Soft law” becomes the dominate governance force for tech: Again, it already has. Soft law refers to informal, collaborative, and constantly evolving governance mechanisms that differ from hard law in that they lack the same degree of enforceability. Soft law can include things like multi-stakeholder processes, industry best practices and standards, agency workshops and guidance documents, and educational efforts. But that just scratches the surface of soft law mechanisms. For better or worse, soft law is becoming the dominant modus operandi for most modern technological governance. We can expect that trend to accelerate to fill the governance gap left by Congressional inaction. For example, we don’t have any formal “rules of the road” for driverless cars, but we do now have four iterations of Department of Transportation guidance on driverless cars. Version 4.0of the DoT guidance for automated vehicles was just released this month. Expect the “soft law-ization” of technological governance to expand considerably in coming years because it is really the only way for agencies to cope with the pacing problem and those metaphysical issues identified earlier. Because soft law is not boxed in by rigid preconceptions of what a particular technology or technological process is or entails, it is often better able to address new marketplace realities. Soft law can adapt as technologies do. With Congress out of the picture, it will have to.
  • The congressional tech policy death spiral accelerates. Some may think (or at least hope) that the situation described here can’t get any worse. To the contrary, it can get radically worse. With our politics increasingly infected with bitter partisanship and rancor, what are the chances that lawmakers can work together to craft comprehensive tech policy measures? I’d say the odds are approaching zero. The Cable Act, the Telecom Act (and Sec. 230), and the Internet Tax Freedom Act all enjoyed broad, bipartisan support when they passed in the 1990s. People reached across the aisle to get things done. It didn’t always work, and sometimes it resulted in misguided policies (like the Communications Decency Act’s provisions trying to censor internet “indecency”). But bipartisan lawmaking scenarios like those seem almost unthinkable now. To the extent many lawmakers even show up at tech-oriented congressional hearings anymore, it is mostly to score points in front of the cameras for Team Red or Team Blue back home. Serious legislative oversight and policymaking is dead; it’s mostly just show-trials and media circuses at this point.

Should I Care about Congress Anymore?

If you believe this miserable thesis is correct but continue to focus on the Legislative Branch for a living, you may be asking yourself: Am I wasting all my time here? Not necessarily. Congress is still actively interested in tech policy matters. For those who hope to limit that damage Congress might do by hastily passing ham-handed, crisis-driven policy measures, your efforts in the trenches will continue to be important in curbing the worst instincts of some lawmakers. In many instances, preserving a perpetual stalemate may go down as a tremendous victory.

For example, as the debate over Section 230 intensifies—with politicians of all stripes looking to gut the most important of all Internet freedom policies—it is vital that smart people work with lawmakers and their staff to beat back misguided and destructive measures. Hopefully this becomes another instance of legislative gridlock winning out! And I think it will.

More realistically, your role will not be to stop Congress from doing insanely destructive things, it will be to just stop them from saying those things. In fact, that seems to be what a lot of people who work with Congress already do today. When I chat with various inside-the-Beltway policy advocates and industry reps today, they usually acknowledge that the prospects for actual legislation on any given issue are quite slim. They will, of course, continue to try to work with lawmakers, their committees, and their staff to either advance or stop legislative measures. Yet, they all seem to accept the utter futility of it all.

Why do they persist? Most obviously, they want to at least preserve the legislative stalemate and not cede the ground to their enemies who might succeed in getting lawmakers to do something if only one side was communicating with Congress.

But the other thing these policy advocates are hoping to achieve is better messaging. Regulatory advocates want lawmakers to use the power of the bully pulpit to put pressure on various people or groups to change behavior, even in the absence of any legislative action. By contrast, many in industry want to make sure that their technologies are understood and not endlessly demonized. Bad press isn’t good for business, even if all the congressional threats never result in final legislation. Also, those defending innovation more generally will want to make sure that even if lawmakers aren’t making any actual laws, they still better understand and appreciate the importance of new technological capabilities for improving human welfare.

Those are all good reasons not to give up your legislative advocacy. For some of us, however, the personal cost-benefit analysis just doesn’t add up. Our focus has shifted to where the real action is at: federal administrative agencies, statehouses and state administrative agencies, the courts, and the growing world of multi-stakeholder governance and other soft law efforts. Congress has checked out, but technological governance lives on in many other forms and venues.

]]> https://techliberation.com/2020/02/04/congress-as-a-non-actor-in-tech-policy/feed/ 1 76658 Trump’s AI Framework & the Future of Emerging Tech Governance https://techliberation.com/2020/01/08/trumps-ai-framework-the-future-of-emerging-tech-governance/ https://techliberation.com/2020/01/08/trumps-ai-framework-the-future-of-emerging-tech-governance/#respond Wed, 08 Jan 2020 20:04:57 +0000 https://techliberation.com/?p=76648

This week, the Trump Administration proposed a new policy framework for artificial intelligence (AI) technologies that attempts to balance the need for continued innovation with a set of principles to address concerns about new AI services and applications. This represents an important moment in the history of emerging technology governance as it creates a policy vision for AI that is generally consistent with earlier innovation governance frameworks established by previous administrations.

Generally speaking, the Trump governance vision for AI encourages regulatory humility and patience in the face of an uncertain technological future. However, the framework also endorses a combination of “hard” and “soft” law mechanisms to address policy concerns that have already been raised about developing or predicted AI innovations.

AI promises to revolutionize almost every sector of the economy and can potentially benefit our lives in numerous ways. But AI applications also raise a number of policy concerns, specifically regarding safety or fairness. On the safety front, for example, some are concerned about the AI systems that control drones, driverless cars, robots, and other autonomous systems. When it comes to fairness considerations, critics worry about “bias” in algorithmic systems that could deny people jobs, loans, or health care, among other things.

These concerns deserve serious consideration and some level of policy guidance or else the public may never come to trust AI systems, especially if the worst of those fears materialize as AI technologies spread. But how policy is formulated and imposed matters profoundly. A heavy-handed, top-down regulatory regime could undermine AI’s potential to improve lives and strengthen the economy. Accordingly, a flexible governance framework is needed and the administration’s new guidelines for AI regulation do a reasonably good job striking that balance.

Background

Last February, the White House issued Executive Order 13859, on “Maintaining American Leadership in Artificial Intelligence.” The Order announced the creation of the “American AI Initiative,” an effort to “focus the resources of the Federal government to develop AI.” It prioritized investments in AI-focused research and development (R&D), building a workforce ready for the AI era, international engagement on AI priorities, and the establishment governance standards for AI systems to “help Federal regulatory agencies develop and maintain approaches for the safe and trustworthy creation and adoption of new AI technologies.”

Regarding that last objective, Order 13589 required the Office of Management and Budget (OMB) and the Office of Science and Technology Policy (OSTP) to develop a framework and set of principles for federal agencies to follow when considering the development of regulatory and non‑regulatory approaches for AI. Importantly, the Order also specified that the framework should seek to “advance American innovation” and “reduce barriers to the use of AI technologies in order to promote their innovative application while protecting civil liberties, privacy, American values, and United States economic and national security.”

That resulted in the memorandum sent to heads of federal departments and agencies this week entitled, “Guidance for Regulation of Artificial Intelligence Applications” (hereinafter AI Guidance). The draft version of the AI Guidance specifies that “federal agencies must avoid regulatory or non-regulatory actions that needlessly hamper AI innovation and growth.” More specifically:

“Agencies must avoid a precautionary approach that holds AI systems to such an impossibly high standard that society cannot enjoy their benefits. Where AI entails risk, agencies should consider the potential benefits and costs of employing AI, when compared to the systems AI has been designed to complement or replace.”

But the AI Guidance is certainly not a call for comprehensive deregulation or the abandonment of all AI federal oversight. The memorandum’s very title reflects an understanding that existing laws and agency rules will continue to play a role in guiding the development of AI, machine-learning, and autonomous systems.

Accordingly, and consistent with past executive orders and OMB regulatory guidance documents for federal agencies, the AI Guidance establishes a set of ten principles that agencies must take into consideration when considering AI policy:

  1. Public trust in AI: Requiring that “the government’s regulatory and non-regulatory approaches to AI promote reliable, robust, and trustworthy AI applications, which will contribute to public trust in AI.”
  2. Public participation: Agencies must provide “ample opportunities for the public to provide information and participate in all stages of the rulemaking process.”
  3. Scientific integrity and information quality: Agencies should “leverage scientific and technical information and processes” to build trust and ensure data quality and transparency.
  4. Risk assessment and management: Acknowledging that “all activities involve tradeoffs,” the AI Guidance requires that “a risk-based approach should be used to determine which risks are acceptable and which risks present the possibility of unacceptable harm, or harm that has expected costs greater than expected benefits.”
  5. Benefits and costs: As part of those risk assessments, agencies must “carefully consider the full societal costs, benefits, and distributional effects before considering regulations related to the development and deployment of AI applications. Such consideration will include the potential benefits and costs of employing AI, when compared to the systems AI has been designed to complement or replace, whether implementing AI will change the type of errors created by the system, as well as comparison to the degree of risk tolerated in other existing ones.”
  6. Flexibility: OMB encourages agencies to “pursue performance-based and flexible approaches that can adapt to rapid changes and updates to AI applications.”
  7. Fairness and non-discrimination: Acknowledging that “in some instances, introduce real-world bias that produces discriminatory outcomes or decisions that undermine public trust and confidence in AI,” the AI Guidance requires agencies to consider “issues of fairness and non-discrimination with respect to outcomes and decisions produced by the AI application at issue.”
  8. Disclosure and transparency: Agencies are encouraged to consider how greater “transparency and disclosure can increase public trust and confidence in AI applications.”
  9. Safety and security: Agencies are required to “promote the development of AI systems that are safe, secure, and operate as intended, and encourage the consideration of safety and security issues throughout the AI design, development, deployment, and operation process.”
  10. Interagency coordination: The guidance makes it clear that a “coherent and whole-of-government approach to AI oversight requires interagency coordination.”

Soft Law Ascends

Importantly, the AI Guidance also encourages agencies to be open to “non-regulatory approaches to AI” governance and specifies three particular models:

  • Sector-specific policy guidance or frameworks: OSTP writes that “agencies should consider using any existing statutory authority to issue non-regulatory policy statements, guidance, or testing and deployment frameworks, as a means of encouraging AI innovation in that sector.” The memorandum also notes that this can include “work done in collaboration with industry, such as development of playbooks and voluntary incentive frameworks.”
  • Pilot programs and experiments: The document encourages the use of “pilot programs that provide safe harbors for specific AI applications” which “could produce useful data to inform future rulemaking and non-regulatory approaches.”
  • Voluntary consensus standards: Before regulating, the AI Guidance encourages agencies to consider how voluntary consensus standards, assessment programs, and compliance programs might be used to address policy concerns.

These represent “soft law” approaches to technological governance and they are becoming all the rage in technology policy discussions today. Soft law mechanisms are informal, collaborative, and constantly evolving governance efforts. While not formerly binding like “hard law” rules and regulations, soft law efforts nonetheless create a set of expectations about sensible development and use of technologies. Soft law can include multistakeholder initiatives, best practices and standards, agency workshops and guidance documents, educational efforts, and much more.

Soft law has become the dominant governance approach for emerging technologies because it is often better able to address the “pacing problem,” which refers to the growing gap between the rate of technological innovation and policymakers’ ability to keep up with it. As I have previously noted, the pacing problem is “becoming the great equalizer in debates over technological governance because it forces governments to rethink their approach to the regulation of many sectors and technologies.”

Not only do traditional legislative and regulatory hard law systems struggle to keep up with fast-paced technological changes, but oftentimes those older mechanisms are just too rigid and unsuited for new sectors and developments. That is definitely the case for AI, which is multi-dimensional in nature and even defies easy definition. Soft law offers a more flexible, adaptive approach to learning on the fly and cobbling together principles and policies that can address new policy concerns as they develop in specific contexts, without derailing potentially important innovations.

Building on Past Governance Frameworks

In this sense, the Trump administration’s AI Guidance borrows from past policy frameworks by marrying up a desire to promote an exciting new set of emerging technologies alongside the need for reasonable but flexible oversight and governance mechanisms. At a high level, the AI Guidance builds on many of the same principles that motivated the Clinton administration’s Framework for Global Electronic Commerce, a statement of principles and policy objectives for the then-emerging Internet. The document, which was issued in July 1997, said that “governments should encourage industry self-regulation and private sector leadership where possible” and “avoid undue restrictions on electronic commerce.”

The Framework was a clean break from the top-down regulatory paradigm that had previously governed traditional communications and media technologies. Clinton’s Framework insisted that, to the extent government intervention was needed at all, “its aim should be to support and enforce a predictable, minimalist, consistent and simple legal environment for commerce.” The use of soft law and multistakeholder models was a key component of this vision, and those more flexible governance approaches were tapped by the subsequent administrations to address emerging tech policy concerns.

For example, the Obama administration considerably expanded the use of multistakeholder mechanisms and other soft law tools in response to the need of oversight of fast-moving technologies. The Obama administration had many different policy governance efforts underway for specific AI technologies and concerns, including workshops and multistakeholder efforts focused on the safety, security, and privacy-related issues surrounding “big data” systems, online advertising, connected cars, drones, and more.

Whereas the Obama administration was deeper in the weeds of the policy issues associated with specific AI and machine-learning applications, the Trump administration has sought to both build on those focused efforts while also stepping back to consider AI governance at the 30,000-foot level. In essence, the AI Guidance combines some of the aspirational elements found in the Clinton Framework alongside the Obama administration’s more targeted approach to consider specific policy concerns across many different sectors and technologies.

Trump’s AI Guidance adds an element of formality to this process regarding how federal agencies should address AI developments and formulate potential policy responses. It does so by counseling humility and even potential forbearance until all the facts are in. “Fostering innovation and growth through forbearing from new regulations may be appropriate,” the memorandum says. Agencies should consider new regulation only after they have reached the decision, in light of the foregoing section and other considerations, that Federal regulation is necessary.” Again, this is very much consistent with more general regulatory guidance issued by every administration since President Reagan was in office.

Flexible, Adaptive Governance is Key

The AI Guidance foreshadows the future of not only AI governance but the governance of many other emerging technologies. Hard law will continue to provide a backstop and have a role in guiding technological developments. Toward that end, efforts like the new AI Guidance are important because it represents an effort to “regulate the regulators” by placing some ground rules on how they go about applying old law to new developments.

But soft law governance is where the real action is at, both for AI and almost all emerging technologies today. The Trump AI Guidance reflects the extent to which soft law has become the dominant governance paradigm for modern tech sectors. As my colleagues Jennifer Huddleston and Trace Mitchell have noted, soft law is already effectively the law of the land for driverless cars, for example. After years of congressional wrangling over a federal autonomous vehicle regulatory framework—one that has widespread bipartisan support, no less—we still do not have a law on the books. Instead, the Department of Transportation has been cobbling together informal “rules of the road” through informal guidance documents that have been “versioned” as if they were computer software (i.e., Version 1.0, 2.0, 3.0). Version 4.0 of the DoT guidance for automated vehicles was just released this week.

That is the same approach that the National Institute of Standards and Technology (NIST) has taken with the privacy guidelines it developed. NIST’s Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management is also versioned like software. And many other federal agencies, especially the Federal Trade Commission, have tapped a wide variety of soft law tools—such as agency workshops and workshop reports that recommended privacy best practices for various technologies. Meanwhile, the National Telecommunications and Information Administration (NTIA) has used multistakeholder processes to address privacy concerns surrounding a wide range of technologies, including drones and facial recognition. NIST, FTC, and NTIA have undertaken these informal governance efforts because, despite over a decade of debate, Congress still has not advanced comprehensive federal privacy legislation. For better or worse, soft law has filled that governance gap.

Addressing Likely Objections from Left & Right

Many people of varying ideological dispositions will object to the growing role of soft law as the primary governance tool for emerging technology policy. Some conservatives will cringe at the sound of giving regulators greater leeway to address amorphous policy concerns, fearing that it will result in unconstrained exercises of unaccountable, extra-constitutional power.

Some of those concerns are valid, but they fail to account for the fact that the prospects for agency downsizing or deregulation they prefer are extremely limited. Practically speaking, the administrative state isn’t going anywhere. In some cases, agencies can actually do some real good by encouraging innovators to think about how to “bake-in” sensible best practices to preemptively address concerns about the privacy, safety, security, and fairness of various AI systems. Better those concerns be addressed in more flexible, adaptive fashion than by a heavy-handed, overly-rigid regulatory approach. Soft law offers that possibility, even if legitimate concerns remain about agency accountability and transparency.

Many to the left of center will be critical of this governance approach as well, but on very different grounds. As Associated Press reporter Matt O’Brien notes, “the vagueness of the principles announced by the White House is unlikely to satisfy AI watchdogs who have warned of a lack of accountability as computer systems are deployed to take on human roles in high-risk social settings, such as mortgage lending or job recruitment.”

These concerns actually are addressed in several of the OSTP’s ten principles, including those which stress the need for fairness and non-discrimination, information quality, public participation, disclosure and transparency, and safety and security. Yet many on the left will claim these principles merely pay lip service to these values and that what is really needed is a full-blown regulatory regime and some sort of corresponding new federal AI agency, which would preemptively determine which AI technologies would be allowed into the wild.

Already, an Algorithmic Accountability Act was introduced in Congress last year that would ask the FTC to take a more active role in policing “inaccurate, unfair, biased, or discriminatory decisions impacting consumers” that may have resulted from “automated decision systems.” Meanwhile, some academics have called for the creation of a Federal Robotics Commission or a National Algorithmic Technology Safety Administration to preemptively oversee new AI developments.

The problem with overly-precautionary regulation of that sort could potentially unduly limit AI innovation and the many benefits it entails. There may be some AI applications that pose serious and immediate risks to humanity and which require preemptive restraints on their development and use. Autonomous military and law enforcement applications are the most obvious examples. But most AI applications do not rise to that same level of regulatory concern, and other governance approaches are required to balance the use and misuse of them. This is why a more open and flexible governance approach is needed. Moreover, the old regulatory system just cannot keep up anymore, and it is ill-suited to address most policy concerns in a timely or efficient fashion.

Cristie Ford, and advocate of greater regulatory oversight for fintech, notes in her latest book that the problem with “old-style Welfare State regulation” is that it is “a clumsy, blunt instrument for achieving regulatory objectives” due to its reliance upon “one-size-fits-all mandates, prohibitions, and penalties.” Ford acknowledges what many other regulatory advocates are reluctant to admit:  public policies toward fast-paced technology sectors can no longer be governed effectively using the Analog Era’s top-down, command-and-control regulatory processes. Far too many federal agencies rely on a “build-and-freeze model” of regulation that puts rules in stone to deal with one sets of issues one day, but then either fails to eliminate them later when they become obsolete or to reform those rules to bring them in line with new social, economic, and technical realities.

If we hope to encourage continued innovation in sectors that could produce profoundly important, life-enriching technologies, America’s regulatory approach for AI and emerging technology needs to move away from “build-and-freeze” and toward “build-and-adapt.” Regulation is still needed, but the old regulatory toolkit is badly broken. For better or worse, soft law is going to fill the resulting governance gap, regardless of objections from some on the left or the right. Pragmatic policymaking is going to carry the day for emerging technology governance.

Conclusion

The Trump Administration AI Guidance represents a continuation and extension of this trend toward more flexible, adaptive governance approaches for emerging technologies. It offers a pragmatic vision that builds on the policies and paradigms of the past, while also encouraging fresh thinking about how best to balance the need for continued innovation alongside the various concerns about disruptive technological change.

There are many challenging issues that lie ahead and the new AI Guidance cannot provide bright-line answers to all the hypothetical questions that people want answered today. No one possesses a crystal ball that will allow them to forecast the technological future. Only ongoing trial-and-error experimentation and policy improvisation will allow us to find sensible solutions. A policy approach rooted in humility, flexibility, and forbearance will help ensure that America’s regulatory policies continue to promote both innovation and the public good.

]]> https://techliberation.com/2020/01/08/trumps-ai-framework-the-future-of-emerging-tech-governance/feed/ 0 76648 New Report: “Raising Rivals’ Costs Using the GDPR” (Just $1999!) https://techliberation.com/2019/10/10/new-report-raising-rivals-costs-using-the-gdrp-just-1999/ https://techliberation.com/2019/10/10/new-report-raising-rivals-costs-using-the-gdrp-just-1999/#comments Thu, 10 Oct 2019 19:19:12 +0000 https://techliberation.com/?p=76614

“Rent-Seeking Consultants, Inc.,” a subsidiary of the Strategies and Tactics to Annoy Neighbors (SATAN) Group, is pleased to announce its latest product for clients looking to exploit well-intentioned regulation to serve their own ends. Our new report, “Raising Rivals’ Costs Using the GDPR: A Strategic Guide to Thwarting Competition, Expanding Market Share & Enhancing Profits with Minimal Effort,” is available for immediate download for just $1,999 (discounted to just $999 for our loyal “Dante’s Ninth Circle” club members).

Over the last three decades, our experts at Rent-Seeking Consultants have dedicated themselves to the mission of advancing narrow interests at the expense of public welfare. We have done so by creatively exploiting laws and regulations that — while often implemented with the very best of intentions in mind — we recognized could be converted into a tool to advantage the few at the expense of the many.

Our motto: Where others see good intentions, we see good opportunities!

Our “Raising Rivals’ Costs Using the GDPR” report continues our latest line of new products, which aim to take Europe’s bold new privacy regulatory regime and convert it into a rent-seeker’s paradise. Our previous report outlined, “How to Pretend Compliance Costs Will Destroy Your Big Company, While Also Letting Your Shareholders Know It is Actually an Amazing Way to Crush the Competition.”

In our new report, we discuss how to weaponize the GDPR complaint process to your advantage. In this regard, some crowd-sourced efforts already exist, such as the “Ship Your Enemies GDPR” website. The site helps you take advantage of GDPR’s legal requirements by forcing rival firms to respond to as many frivolous claims as you can send their way. “We’ll help you send them a GDPR Data Access Request designed to waste as much of their time as possible,” the site notes.

More recently, angry gamers took to Reddit to devise a plan to use GDPR to harass gaming giant Blizzard. Fans were mad that Blizzard had kowtowed to the Chinese government by suspending a professional gamer who had voiced support for Hong Kong protestors. In essence, the Reddit protestors hope to use the GDPR to generate the equivalent of a DDOS attack on a company through massive, coordinated data requests. Brilliant!

We admire the spirit of these ingenious initiatives, but we aim to more fully capture the value associated with them for our clients using concerted manipulation of whatever political levers we can help you pull. How? Weaponizing complaint processes is a tactic that Rent-Seeking Consultants, Inc. has used effectively in the past. When a small handful of censorial-minded folks wanted to get the Federal Communications Commission to beef up fines and penalties for broadcast “indecency,” we helped them stuff the ballot box at the agency with form letters and fake complaints to make regulators believe the public was clamoring for greater censorship, when it reality it was just serving a very small group of people who wanted a heckler’s veto over broadcast programming. We tied those broadcasters up in courts for years with these tactics! Meanwhile, the new media operators we also represented were able to race ahead with whatever content they wanted to post on their platforms. Victory!

This led to the creation of our Scaring Consumers Really Effectively While Earning Money (SCREWEM™) initiative, which eventually won the prestigious Lobbying Award for Manipulating Effectively (LAME) Award in the “Creating Needless Panic” category. Our latest report highlights how we can use that same SCREWEM™ system to whip up serious privacy-related troubles for your rivals using the GDPR complaint process — all while pretending that this is all in the public interest.

We hope you will consider ordering our new report, and please let us know what we can do to help our trusted clients take advantage of well-intentioned regulation to undermine the public good on an ongoing basis. Finally, with California set to impose costly new privacy mandates extraterritorially on the entire nation, you can count on us being in touch again soon about exciting new opportunities for raising rivals’ costs using the machinery of the State.

Sincerely,

I.M. Prehensile Director of Strategic Political Exploits for S.A.T.A.N.

[This has been an act of satire, but the unintended consequences of GDPR are quite real. For some hard facts about what GDPR has meant in practice, see: Alec Stapp, “ GDPR after One Year: Costs and Unintended Consequences ,” and Eline Chivot and Daniel Castro, “ What the Evidence Shows About the Impact of the GDPR After One Year .” More generally, see: “Tech Policy, Unintended Consequences & the Failure of Good Intentions.”]

]]> https://techliberation.com/2019/10/10/new-report-raising-rivals-costs-using-the-gdrp-just-1999/feed/ 3 76614 Explaining the California Privacy Rights and Enforcement Act of 2020 https://techliberation.com/2019/10/02/explaining-the-california-privacy-rights-and-enforcement-act-of-2020/ https://techliberation.com/2019/10/02/explaining-the-california-privacy-rights-and-enforcement-act-of-2020/#comments Wed, 02 Oct 2019 16:41:26 +0000 https://techliberation.com/?p=76610

California’s recently enacted digital privacy legislation, the “California Consumer Privacy Act,” may be getting a sequel in the form of an initiative called the “California Privacy Rights and Enforcement Act of 2020.” While the fallout of CCPA has yet to be seen, since the Act does not go into effect until next year and the regulations governing its application have yet to be finalized, CPREA promises to double-down on its approach by creating yet more largely superfluous – and hugely expensive – digital “rights”.

How did we get here? Well, CCPA, the original, was the brainchild of a wealthy real estate investor named Alastair Mactaggart who, inspired by a cocktail party conversation, used California’s initiative process as a cudgel to get the full attention of the legislature in Sacramento. The body was given an ultimatum, negotiate and pass privacy legislation or Mactaggart would place his creation on the ballot.

Instead of running the risk of complicating a 2018 midterm ballot in which Democrats were slated to make huge gains, the Democratic super-majorities in Sacramento chose to pass comprehensive privacy legislation in a matter of days, thereby utterly transforming the way in which digital commerce occurs in the Golden State. Unsurprisingly, the result of doing so was that California became subject to a technically unworkable mess of regulation that necessitated an entire year of subsequent legislative work to it clean-up.

Now, in the wake of that saga, and in spite of a largely successful campaign in the state capital, Mactaggart has grown weary of the legislative process and crafted another initiative to expand and refine the vision of privacy that he would like to impose on America’s most populous state. Only, this time, it appears that he has no intention of working through the legislative process. This time, Mactaggart is going to be a one-man policy decider.

As released, the initiative is equal parts privacy extremism and cynical-politics. Substantively, some will find elements to applaud in the CPREA, between prohibitions on the use of behavioral advertising and reputational risk assessment (all of which are deserving of their own critiques), but the operational structure of the CPREA is nothing short of disastrous. Here are some of the worst bits:

  • Amendments (Section 24) – this section would effectively prevent California from changing its approach to privacy without another initiative, and may even prevent the sort of subsequent legislative clean-up that was necessary to make CCPA at all workable in the first place. A straightforward lesson in exactly what happens when such provisions are passed is available in the form of 1988’s Proposition 103, which has a similar provision that has effectively prevented innovation in California’s insurance market. Wonder why property insurance premiums are skyrocketing in the wake of the state’s fires and why there has been no appreciable development in the auto insurance sector? Look no further than this clause.

  • California Privacy Protection Agency (Section 23) – to enforce the Act, the CPREA creates a new government agency with the power to audit firm’s approaches to security and to fine them, in the amount of $2,500 per/unwitting-transgression, should they be found in violation. While pointless (why have an Attorney General anyway?), that’s not entirely  unusual. What is problematic is that the new agency’s entire existence would be funded directly by fines instead of the general fund, thereby creating an incentive to use broadly defined powers to search for violations to sustain its very existence. What’s more, the suggested statute of limitations in the Act is long, the right to cure is curtailed, and the agency is directed to fund – annually – consumer groups to “promote and protect consumer privacy”. All of this represents a devil’s cocktail of bad incentives for regulatory overreach.

  • Duties of Businesses that Collect Personal Information (Section 4) – new business-side duties in the CPREA will lead to compliance headaches without achieving clear benefits for consumers. For instance, the Act includes an obligation to maintain “reasonable security,” a standard without definition, but readily enforceable by a fine-inclined agency. Similarly troubling, the definition of “personal information” included in the Act likely encompasses a person’s likeness. Which, in consort with the Act’s other requirements, means that when a Californian walks into a brick-and-mortar retailer using security cameras, the Act would require firms to provide them with notice. In effect, this requirement will function as an enforcement trap. The only good to come of it will be the resulting boom in the state’s sign making industry as notices proliferate in a manner that makes Proposition 65’s utterly pointless chemical warnings appear reasonable.

Fortunately, there is time yet for the CPREA to be fought off. Californians, and industry within the state, could see to the direct electoral defeat of CPREA and/or the passage of another initiative designed to more directly remedy consumer harms. Doing so will require not only clear communication about the costs of CCPA and CPREA alike, but also a recognition that voters do want to see something, anything, done related to privacy. Give them a moderate alternative and a reason to choose it, and Mactaggart’s status as de facto state privacy administrator may come to an end.

]]> https://techliberation.com/2019/10/02/explaining-the-california-privacy-rights-and-enforcement-act-of-2020/feed/ 2 76610 Tech Policy, Unintended Consequences & the Failure of Good Intentions https://techliberation.com/2019/09/26/tech-policy-unintended-consequences-the-failure-of-good-intentions/ https://techliberation.com/2019/09/26/tech-policy-unintended-consequences-the-failure-of-good-intentions/#respond Thu, 26 Sep 2019 19:09:20 +0000 https://techliberation.com/?p=76601

by Andrea O’Sullivan & Adam Thierer

This essay originally appeared on The Bridge on September 25, 2019.

It is quickly becoming one of the iron laws of technology policy that by attempting to address one problem (like privacy, security, safety, or competition), policymakers often open up a different problem on another front. Trying to regulate to protect online safety, for example, might give rise to privacy concerns, or vice versa. Or taking steps to address online privacy through new regulations might create barriers to new entry, thus hurting online competition.

In a sense, this is simply a restatement of the law of unintended consequences. But it seems to be occurring with greater regularity in the technology policy today, and it serves as another good reminder why humility is essential when considering new regulations for fast-moving sectors.

Consider a few examples.

Privacy vs security & competition 

Many US states and the federal government are considering data privacy regulations in the vein of the European Union’s wide-reaching General Data Privacy Regulation (GDPR). But as early experiences with the GDPR and various state efforts can attest, regulations aimed at boosting consumer privacy can often butt against other security and competition concerns.

Consider how the GDPR can be abused to undermine user security—and ultimately (and ironically) privacy itself. At this year’s Black Hat computer security conference, one researcher recently explained how the GDPR’s “right of access” provision—which mandates that companies give users their personal data—can be exploited by malicious actors to steal personally identifiable information. If a hacker is convincing enough, he or she can use “social engineering” to pose as the target and coax companies to divulge the information. Without GDPR’s mandated reporting infrastructure, such an attack would be much harder.

Nor are malicious actors even necessary for the GDPR to undermine security. In 2018, a customer requested their Alexa voice recordings from Amazon. The company sent the data to the wrong person in an apparent case of human error. If mighty Amazon cannot rise to the challenge of error-free GDPR compliance, what hope do smaller outfits have?

Perhaps the biggest story about the GDPR, however, has been its malign effects on competition. After all, the law earned its nickname—the “Google Data Protection Regulation”—for a reason. Titans like Google and Facebook have dominated European ad tech market since the advent of the GDPR because they can shoulder compliance risks in a way that smaller vendors cannot. More ad money has flowed to Google’s coffers as a result.

But the GDPR applies to far more than just ad tech. Ventures as varied as publishing and virtual tabletop dice rollers have been forced to shutter their digital doors rather than risk the wrath of European data authorities.

Similar stories emanate from the US. Illinois’ biometric privacy law, which governs the use of technologies like facial recognition and fingerprint scanning, led to the prohibition of Google’s Arts and Culture app which matched user-submitted photos with a classical work of art. If Google can’t hack it in the Land of Lincoln, how could a potential Google-slayer be expected to do so?

These are just the stories we hear about. A prematurely thwarted venture is unlikely to have a platform to voice their compliance problems. What is clear is that the data privacy laws enacted so far have had predictable negative impacts on security and competition, and that ill-defined “privacy fundamentalism” too often drives ill-fitting policies.

Safety vs. free speech & competition

Content moderation at scale is extremely challenging, especially as it relates to efforts to address “hate speech” and extremist viewpoints. On the one hand, free speech activists argue that onerous private content moderation policies can limit debate and punish certain viewpoints, particularly if a platform is a public default for expression. On the other hand, social justice activists contend that lax private standards can fuel the proliferation of conspiracy theories, radicalization, and violent rhetoric.

Recently, President Trump and some conservative lawmakers have been clamoring for greater regulatory controls of social media platforms in the name of “fairness” and countering supposed anti-conservative bias. Sens. Josh Hawley (R-MO) and Ted Cruz (R-TX), for example, have introduced a bill that would require platforms to submit their content moderation policies to regular regulatory audits. If a platform is deemed to be not “politically neutral,” it will lose its liability protections under Section 230 of the Communications Decency Act.

This is reminiscent of the “fairness doctrine,” a long-standing Federal Communications Commission (FCC) policy that was a thinly-veiled attempt to influence the political content of broadcast programs. Conservatives rightly opposed such government involvement in content decisions in decades past, but with this new effort against technology platforms, many of them are repeating the mistakes of the past.

The history of the actual fairness doctrine serves as a cautionary tale here. Today the fairness doctrine is mostly remembered as an anti-conservative effort because of the attention paid to right-leaning talk radio. Former Kennedy administration official Bill Ruder admitted that their “massive strategy was to use the [fairness doctrine] to challenge and harass right-wing broadcasters, and hope that the challenges would be so costly to them that they would be inhibited and decide it was too costly to continue.”

But as testaments from previous broadcast leaders point out, the fairness doctrine was wielded against both “conservatives” and “liberals” depending on who was in power and what their objectives were. When the Nixon administration took office, they wielded the rule to muzzle broadcasters who criticized the White House. And the FCC also applied the doctrine against The Kingmen’s song “Louie Louie” for its suspiciously unintelligible lyrics.

The tension between policies to promote “safety” and government-protected rights to free speech can be literal, as well. Consider efforts to ban so-called “3-D printed guns.” Defense Distributed and other activists do not 3-D print and sell guns. Rather, they publish the schematics for others to print their own arms online. As with the encryption technologies we will discuss below, such code is probably First Amendment-protected speech, although the applications of the schematics may be considered “dual-use” (meaning with both civilian and military applications.) An outright ban on 3-D printed gun blueprints very clearly antagonizes the right to free speech in the US and could threaten innovation in other open source, peer-to-peer 3D-printed applications.

Safety vs. privacy & security

Efforts to promote “safety” can also too often backfire at the expense of privacy and security.

Perhaps the most dramatic and high-stakes illustration of this principle was the years-long legal drama that pitted law enforcement authorities against computer scientists in the so-called “Crypto Wars.” Although cryptographic technologies that conceal data for privacy or security have been around since the days of ancient Egypt—our own Founding Fathers are known to have communicated using ciphers—in the 20th century, they had mostly been limited to military and academic institutions.

The advent of public-key cryptography made these security techniques more accessible to the public for the first time. This was great news for information security: communications and devices could be made hardened to attacks, and people were given more privacy options. But law enforcement feared that criminals would use cryptography to cover their tracks. Thus, in the name of safety, law enforcement first tried banning cryptography as a dual use technology through munitions export controls. When that failed on First Amendment grounds, policymakers attempted to legislate “backdoors” into encryption protocols that would allow government access.

It is easy to see how outright bans or backdoors for encryption technologies could hurt privacy and security. Obviously, prohibiting the civilian use of a privacy and security technology limits privacy and security. But granting government access into encryption standards would ironically ultimately undermine safety as well. After all, if a government can get into an encryption standard, so might a malicious hacker. Although the “Crypto Wars” seemed settled in the 1990’s, these same debates have been cropping up again as more and more devices have default encryption technologies.

We can also think about mandated reporting requirements intended to promote public safety. Consider the “know your customer” rules imposed on financial institutions. To prevent ills like money laundering and financial fraud, banks and exchanges must keep detailed customer information on file. Yet this ostensibly “pro-safety” rule generates its own security and privacy risks. Banks must manage to responsibly store and protect this valuable customer data, lest their customers’ information get hacked and their identities stolen. This has sadly too often proven too tall an order, and third-party-managed personally identifiable information is exposed to outside parties all the time.

A similar problem arises with efforts to promote child safety online. Consider the debate over MySpace’s age verification efforts in the mid-2000s. Child safety advocates grew concerned over the risks facing children on new social media platforms. Young children lacking awareness of the dangers that could lurk online could unwittingly make friendships with predators posing as other children. So a movement grew to require these new platforms to verify age and identity with a government-provided identification card.

There were obvious technical problems. For starters, children that were young enough to fall under the age verification limit were unlikely to have a government-provided photo identification card. But beyond these simple administrative issues, there was the question of privacy and security. Could Myspace adequately protect the reams of sensitive data from outside breach? Might children actually be put more at danger should those items—which would likely include the children’s address—fall into the wrong hands? And should the government and social media platforms really be in the business of parenting to begin with? Might this actually create a “moral hazard” which leaves parents thinking that online spaces are safer than they actually are?

Tying it all together

In each of these instances, it probably seemed like there was no downside to newly proposed regulations. With time, however, the dynamic effects associated with those policies become evident, and often result in the opposite of what was intended, or the policies led to other problems that supporters did not originally envision.

The nineteenth-century French economic philosopher Frédéric Bastiat famously explained the importance of considering the many unforeseen, second-order effects of economic change and policy. Many pundits and policy analysts pay attention to only the first-order effects—what Bastiat called “the seen”—and ignore the subsequent and often “unseen” effects. Those unseen effects can have profound real-world consequences in the form of less technological innovation, diminished growth, fewer job opportunities, higher prices, diminished choices, and other costs.

Even when defenders of the failed interventions are forced to admit that their well-intentioned plans did not work out as planned, their response is typically of the  we-can-do-better variety. The result is usually just more regulation as one intervention begs another and another. As the Austrian economist Ludwig von Mises taught us 70 years ago in his masterwork, Human Action:

“All varieties of interference with the market phenomena not only fail to achieve the ends aimed at by their authors and supporters, but bring about a state of affairs which—from the point of view of their authors’ and advocates’ valuations—is less desirable than the previous state affairs which they were designed to alter. If one wants to correct their manifest unsuitableness and preposterousness by supplementing the first acts of intervention with more and more of such acts, one must go farther and farther…”

The lesson is clear: paternalistic public policies may sound sensible on the surface, but as Milton Friedman taught us long ago, “One of the great mistakes is to judge policies and programs by their intentions rather than their results. We all know a famous road that is paved with good intentions.”

]]> https://techliberation.com/2019/09/26/tech-policy-unintended-consequences-the-failure-of-good-intentions/feed/ 0 76601 Should the US Adopt the GDPR? https://techliberation.com/2018/10/01/should-the-us-adopt-the-gdpr/ https://techliberation.com/2018/10/01/should-the-us-adopt-the-gdpr/#comments Mon, 01 Oct 2018 16:50:16 +0000 https://techliberation.com/?p=76389

Last week, I had the honor of being a panelist at the  Information Technology and Innovation Foundation’s event on the future of privacy regulation. The debate question was simple enough: Should the US copy the EU’s new privacy law?

When we started planning the event, California’s Consumer Privacy Act (CCPA) wasn’t a done deal. But now that it has passed and presents a deadline of 2020 for implementation, the terms of the privacy conversation have changed. Next year, 2019, Congress will have the opportunity to pass a law that could supersede the CCPA and some are looking to the EU’s General Data Protection Regulation (GDPR) for guidance. Here are some reasons for not taking that path.

GDPR imposes three kinds of costs on firms. First, the regulation forces firms to retool data processes to realign with the new demands. This is generally one time fixed cost that raises the cost of all information using entities. Second, the regime adds risk compliance costs, causing companies to staff up to ensure compliance. Finally, the law will change the dynamics of the industry, as companies adapt to the new requirements.

Right now, the retooling costs and the risk compliance costs are going hand in hand, so it is difficult to suss out the costs of each. Still, they are substantial. A McDermott-Ponemon survey on GDPR preparedness found that almost two-thirds of all companies say the regulation will “significantly change” their informational workflows. For the just over 50 percent of companies expecting to be ready for the changes, the average budget for getting to compliance tops $13 million, by this estimate. Among all the new requirements, this survey found that companies were struggling with the data-breach notification the most. The inability to comply with the notification requirement was cited by 68 percent of companies as posing the greatest risk because of the size of levied fines.

The International Association of Privacy Professionals (IAPP) estimated the regulation will cost Fortune 500 companies around $7.8 billion to get up to speed with the law. And these won’t be one time costs since, “Global 500 companies will be hiring on average five full-time privacy employees and filling five other roles with staff members handling compliance rules.” A PwC survey on the rule change found that 88% of companies surveyed spent more than $1 million on GDPR preparations, and 40% more than $10 million.

It might take some time to truly understand the impact of GDPR, but the law will surely change the dynamics of countless industries. For example, when the EU adopted the e-Privacy Directive in 2002, Goldfarb and Tucker found that advertising became far less effective. The impact seems to have reverberated throughout the ecosystem as venture capital investment in online news, online advertising, and cloud computing dropped by between 58 to 75 percent . Information restrictions shift consumer choices. In Chile, for example, credit bureaus were forced to stop reporting defaults in 2012, which was found to reduce the costs for most of the poorer defaulters, but raised the costs for non-defaulters. Overall the law lead to a 3.5 percent decrease in lending and reduced aggregate welfare.  

As the Chilean example suggests, some might benefit from a GDPR-like privacy regime. But as Daniel Castro, my co-panelist pointed out, strong privacy laws haven’t done much to sway public opinion. As he wrote with Alan McQuinn ,

The biannual Eurobarometer survey, which interviews 100 individuals from each EU country on a variety of topics, has been tracking European trust in the Internet since 2009. Interestingly, European trust in the Internet remained flat from 2009 through 2017, despite the European Union strengthening its ePrivacy regulations in 2009 (implementation of which occurred over the subsequent few years) and significantly changing its privacy rules, such as the court decision that established the right to be forgotten in 2014. Similarly, European trust in social networks, which the Eurobarometer started measuring in 2014, has also remained flat, albeit low

In other words, it doesn’t seem as though strong regulations have done anything to make people feel as though they are getting a better deal with Internet companies.   

One of my top concerns with the GDPR that wasn’t really discussed relates to the consent requirement in the law. Now, people must affirmatively say that data processors can use their data. As I explained at the American Action Forum ,

Affirmative consent is also known as an opt-in privacy regime. Opt-in is frequently described as giving consumers more privacy protection, but opt-out regimes give an individual the same option to exit data processing without the added burdens. Indeed, most of the large companies already provide a method of opting out of certain data processing and collection. Setting the default by regulation simply biases consumer choices in a particular direction.

Overall, I think I think there was general agreement among the panelists that the US should not adopt the GDPR. But, both Amie Stepanovich of Access Now and Justin Brookman of Consumer’s Union were generally in favor of implementing a couple of the fundamental elements of the GDPR, assuming they were adopted to the US legal system. Indeed, Access Now released a paper on exactly this topic. 

The big question is whether the GDPR or something similar is a set of optimal rules. For countless reasons, I’m skeptical they will really improve consumer experience without imposing substantial costs. 

For more on this topic, check out:

]]> https://techliberation.com/2018/10/01/should-the-us-adopt-the-gdpr/feed/ 2 76389 The Problem of Patchwork Privacy https://techliberation.com/2018/08/15/the-problem-of-patchwork-privacy/ https://techliberation.com/2018/08/15/the-problem-of-patchwork-privacy/#comments Wed, 15 Aug 2018 15:43:18 +0000 https://techliberation.com/?p=76345

There are a growing number of voices raising concerns about privacy rights and data security in the wake of news of data breaches and potential influence. The European Union (EU) recently adopted the heavily restrictive General Data Privacy Rule (GDPR) that favors individual privacy over innovation or the right to speak. While there has been some discussion of potential federal legislation related to data privacy, none of these attempts has truly gained traction beyond existing special protections for vulnerable users (like children) or specific information (like that of healthcare and finances). Some states, notably including California, are attempting to solve this perceived problem of data privacy on their own, but often are creating bigger problems and passing potentially unconstitutional and often poorly drafted solutions.

All states have at least minimal data breach laws and the quality of such laws both in effectiveness and impact on innovation varies. Normally states work as “laboratories of democracy” and are able to test out different regulatory schemes for new technologies with less demosclerosis than the federal process. Similarly, they are better able to account for different preferences in tradeoffs, and in some cases, they are more able to remove barriers to entry by reforming existing areas of law like licensure or products liability to accommodate a new technology. In areas like autonomous vehicles, telemedicine, and drone policy states are often leading the way to embrace these new technologies. However, a new trend in some states to formally regulate the Internet through laws aimed at data privacy or net neutrality to achieve what they perceive as failures of the federal government to act ignores the potential damage to the permissionless federal policy that made the Internet what it is today.

California has passed the California Consumer Privacy Act (CCPA) and other states are likely to follow suit. Unfortunately, these type of statutes are likely to impact innovation in a misguided attempt to correct issues with data privacy. However, these statutes could reach far beyond state borders and illustrate the potential risks of a fifty-state privacy patchwork.

These laws will likely lead to a problem in identifying what entities are covered by the privacy legislation. California’s recent CCPA defines those who are required to comply so ambiguously that a reasonable interpretation would imply the law applies so long as a single user is a resident of California whether they are accessing the website from California or not and no matter if the website purposefully avails itself of California or not.

State laws also unintentionally make it more difficult for small, local companies to compete with Internet giants. Large companies like Google and Facebook can afford the cost of additional compliance but it is more difficult for smaller and mid-size companies to cover such costs. As a result, if they are able to comply they often are more limited in their ability to fund future innovation as they instead invest resources in compliance. In a world of state based privacy laws, it’s inevitable that some would impose contradictory standards and as a result might actually make it worse rather than better as companies pick and choose which states to comply with. What is already playing out in Europe where small and mid-size companies are choosing to exit the market rather spend the cost in complying with new restrictions could play out for states with more restrictive data requirements. And it’s not just fledging startups that have difficulty, the L.A. Times and Chicago Tribune have been unavailable to Europeans since GDPR became effective as they had not completed compliance by the May deadline. In some cases companies have founded it easier to block or exclude effected users than to comply with onerous data restrictions.

In some cases, states making exceptions for companies below a certain number of user also may discourage investment at a certain point. For example the CCPA kicks in at 50,000 users. As a result there is a large marginal costs for gaining 50,001 st user as compliance with the standards are immediately required. This might lead to caps on certain newer platforms or encourage innovators to look for loopholes to avoid the high cost of compliance early on.

But even if states were able to create a sort of interstate compact that created an effectively uniform state level set of privacy laws, it would still be an inappropriate use of federalism for the state to govern data privacy due to its de facto impact on interstate commerce and the First Amendment.

The Internet by its very nature transcends states borders and any state laws aimed at impacting privacy are likely to have national and global impact. This is not what is intended by federalism and not just the case for states like California with a significant amount of tech companies. If there are 50 different state laws than new online intermediaries will have  develop 50 different compliance policies or the most restrictive state will become the de facto standard for everyone left in the industry. As Jeff Kosseff points out, a world of 50 variations of the same privacy law based on users would require out-of-state content creators would likely require significant changes to their existing systems and place an undue burden on content creators and users.

Additionally, there are legitimate concerns about the First Amendment rights to share information that may be in conflict with the way privacy rights are enforced under proposed laws. Requiring otherwise lawful content to be removed silences the speaker. For example, if a friend posts a picture from a party that includes you and you ask all your data be removed is that data yours or your friends. To remove the data would silence a speaker and value one individual’s right to privacy over another’s right to speak. In some cases it seems such tradeoffs could be reasonable such as speech that is not just merely offensive but causes clear harm to the person it is about such as revenge porn, but in many cases it is far less clear. Unfortunately when faced with the crippling potential sanctions of such laws, many companies take a remove first question second approach as has been seen with copyright under the Digital Millennium Copyright Act (DMCA).

While there is a growing voice for data privacy, there seems to be little willingness on the part of consumers or regulators to make such tradeoffs. The so called “privacy paradox” where people do not undertake the necessary actions to match with their stated desire for increased data privacy and many willingly admit they prefer the convenience they receive in exchange for their data. If action on data privacy is necessary, it should occur at a federal level to avoid the patchwork problems that would result from inconsistent state laws. Any law must be narrowly tailored to respect the First Amendment rights of both users and platforms. We also must be aware of the tradeoffs that we are making between innovation and privacy when we see calls for a US GDPR. At the same time we should be concerned that as a result of the heavy burden of compliance with GDPR, a more regulated Internet where only those who can afford to comply survive may replace the permissionless start-up American driven version.

While federal preemption may be needed to address a patchwork of state privacy laws, we should be cautious and seek to avoid the mistakes of GDPR type privacy laws that place a value on individual privacy above innovation and knowledge sharing. Simple steps in providing more transparent information and requirements for notification are more likely to allow individuals to make the privacy choices that best fit their needs.

A privacy patchwork of state based “solutions” is likely to create more problems than it solves. The real solutions to our current dilemmas will come from conversations about how we balance the rewards of innovation with individual preferences for privacy.

]]> https://techliberation.com/2018/08/15/the-problem-of-patchwork-privacy/feed/ 2 76345 How Should Privacy Be Defined? A Roadmap https://techliberation.com/2018/08/06/how-should-privacy-be-defined-a-roadmap/ https://techliberation.com/2018/08/06/how-should-privacy-be-defined-a-roadmap/#comments Mon, 06 Aug 2018 12:00:45 +0000 https://techliberation.com/?p=76335

Privacy is an essentially contested concept . It evades a clear definition and when it is defined , scholars do so inconsistently. So, what are we to do now with this fractured term? Ryan Hagemann suggests a bottom up approach. Instead of beginning from definitions, we should be building a folksonomy of privacy harms :

By recognizing those areas in which we have an interest in privacy, we can better formalize an understanding of when and how it should be prioritized in relation to other values. By differentiating the harms that can materialize when it is violated by government as opposed to private actors, we can more appropriately understand the costs and benefits in different situations.

Hagemann aims to route around definitional problems by exploring the spaces where our interests intersect with the concept of privacy, in our relations to government, to private firms, and to other people. It is a subtle but important shift in outlook that is worth exploring.

Hagemann’s colleague Will Wilkinson laid out the benefits of this kind of philosophical exercise, which comes to me via Paul Crider . Wilkinson traces it back to very beginnings of liberal thought, which takes a bit to wind up:

Thomas Reid, the Scottish Enlightenment philosopher, pointed out that there are two ways to construct an account of what it means to really know something, rather than just believing it to be true. The first way is to develop an abstract theory of knowledge—a general criterion that separates the wheat of knowledge from the chaff of mere opinion—and then see which of our opinions qualify as true knowledge. Reid noted that this method tends to lead to skepticism, because it’s hard, if not impossible, to definitively show that any of our opinions check off all the boxes these sort of general criteria tend to set out.

That’s why Descartes ends up in a pickle and Hume leaves us in a haze of uncertainty. It’s all a big mistake, Reid said, because the belief that I have hands, for example, is on much firmer ground than any abstract notions about the nature of true knowledge that I might dream up. If my theory implies that I don’t really know that I have hands, that’s a reason to reject the theory, not a reason to be skeptical about the existence of my appendages.

According to Reid, a better way to come up with a theory of knowledge is to make a list of the things we’re very sure that we really know. Then, we see if we can devise a coherent theory that explains how we know them.

The 20th century philosopher Roderick Chisholm called these two ways of theorizing about knowledge “methodism”—start with a general theory, apply it, and see what, if anything, counts as knowledge according to the theory—and “particularism”—start with an inventory of things that we’re sure we know and then build a theory of knowledge on top of it.

Hagemann is right to build privacy on the particularism of Wilkinson, Reid and Chisholm. Given the changing nature of technology, we should take a regular “inventory of things that we’re sure we know” about privacy and then build theories on top of it.

Indeed, privacy scholarship finds its genesis in this method. While many have gotten hung up on the rights talk in the “Right to Privacy”, Warren and Brandeis actually aim “to consider whether the existing law affords a principle which can properly be invoked to protect the privacy of the individual; and, if it does, what the nature and extent of such protection is.” The article looks to previous law to construct a principle for “recent inventions and business methods.” This is particularism applied to privacy.

Only a handful of court cases that are actually reviewed in the article, the most important of which is Marian Manola v. Stevens & Myers . Marian Manola was a classically trained comic opera prima donna that had a string of altercations with her company where Stevens was the manager. About a year before the case, the New York Times carried a story describing a dispute between Manola and another actor in the McCaull Opera Company. She refused to go on stage after the actor pushed her on stage and Benjamin Stevens, apparently “ignored her until she returned to her duty.” About a year later, Stevens set up the photographer Myers in a box, as a stunt to boost sales. Manola sued the both of them. Today, the case would be cited in the right to publicity literature.

Still, Warren and Brandeis were trying to survey the land of privacy harms and then build a principle on top of it.

Be it either particularism or methodism, these ways of constructing knowledge frame the moral ground, creating a field where privacy advocates and privacy scholars can converse. What unites these two groups, then, is their common rhetoric about the contours of  privacy harms. And so, what constitutes a harm is still the central question in privacy policy.

]]> https://techliberation.com/2018/08/06/how-should-privacy-be-defined-a-roadmap/feed/ 2 76335 Why Did The Facebook Stock Drop Last Week? Some Economics Of Decision-making https://techliberation.com/2018/07/31/why-did-the-facebook-stock-drop-last-week-some-economics-of-decision-making/ https://techliberation.com/2018/07/31/why-did-the-facebook-stock-drop-last-week-some-economics-of-decision-making/#comments Tue, 31 Jul 2018 22:15:44 +0000 https://techliberation.com/?p=76329

A curious thing happened last week. Facebook’s stock, which had seem to have weathered the 2018 controversies, took a beating.

In the Washington Post, Craig Timberg and Elizabeth Dwoskin explained that the stock market drop was representative of a larger wave:

The cost of years of privacy missteps finally caught up with Facebook this week, sending its market value down more than $100 billion Thursday in the largest single-day drop in value in Wall Street history.

Jeff Chester of the Center for Digital Democracy piled on, describing the drop as “a privacy wake-up call that the markets are delivering to Mark Zuckerberg.”

But the downward pressure was driven by more fundamental changes. Simply put, Facebook missed its earnings target. But it is important to peer into why the company didn’t meet those targets.

As Zuckerberg noted in the earning call ,

Now, perhaps one of the most important things we’ve done this year to bring people closer together is to shift News Feed to encourage connection with friends and family over passive consumption of content. We’ve launched multiple changes over the last half to News Feed that encourage more interaction and engagement between people, and we plan to keep launching more like this.

Later in the call, Facebook CFO David Wehner signaled total revenue growth rate would decelerate due to the choices made by Zuckerberg,  

We plan to grow and promote certain engaging experiences like Stories that currently have lower levels of monetization, and we are also giving people who use our services more choices around data privacy, which may have an impact on our revenue growth.

Moreover, the costs would continue to rise as they also embedded more privacy and security features into the platform:

Turning now to expenses; we continue to expect that full-year 2018 total expenses will grow in the range of 50% to 60% compared to last year. In addition to increases in core product development and infrastructure, this growth is driven by increasing investment in areas like safety and security, AR/VR, marketing, and content acquisition. Looking beyond 2018, we anticipate that total expense growth will exceed revenue growth in 2019.

So, Facebook got hammered because it invested more in privacy and security, while also transitioning to less revenue generating source of content. At first glance, this might seem to signal from the market to not invest in these sort of changes. Indeed, as Blake Reid noted ,

They got punished by the market for investing in less-monetized content and spending more on privacy and security. Doesn’t that send a signal to not do that?

Yes and no.

It has been widely accepted that corporations often adopt short term strategies that attempt to maximize earnings. As one well cited survey of financial executive explained, “Because of the severe market reaction to missing an earnings target, we find that firms are willing to sacrifice economic value in order to meet a short-run earnings target.”

This preference for the near term, especially for payoffs in the near term, seems to be a common feature among humans . People tend to prefer small rewards that occur now over much larger rewards that come later. This is known as hyperbolic discounting and it helps to explain why households under-save , why smokers find it tough to quit , and why firms prefer near term earnings.

Pulling together the insights from finance and behavioral psychology, two economists pointed out “that a firm exhibiting hyperbolic discounting preferences faces an underinvestment problem, i.e. there exists another feasible investment plan that improves all periods’ present values.” Conversely, a firm exhibiting time invariant preferences would invest, even if it meant a short term hit.   

Facebook is probably playing the long game. Zuckerberg has an overwhelming controlling stake in the company and wants to build value in the long term . And if these changes lead to more durability, that is, if users stay on the site longer in the next 5 or 10 years, then it makes sense to take the short term hit. It would be better to do this than have a massive exodus at some point down the road.

In the same kind of way, Amazon has been criticized for years for spending too much money on company investments to the detriment of returns. But, Amazon’s Q2 2018 numbers came in this week and they were double expectations . Bezos’ 1997 shareholder letter laid out the strategy, “We believe that a fundamental measure of our success will be the shareholder value we create over the long term.” Bezos is also more concerned with building for the long term.

I’m working on a more formal model of this, but I think there are reasons to believe that Facebook would be especially sensitive to privacy concerns. And Facebook’s missing earnings also point to a real concern about the long term viability of the platform.

]]> https://techliberation.com/2018/07/31/why-did-the-facebook-stock-drop-last-week-some-economics-of-decision-making/feed/ 1 76329 GDPR Compliance: The Price of Privacy Protections https://techliberation.com/2018/07/09/gdpr-compliance-the-price-of-privacy-protections/ https://techliberation.com/2018/07/09/gdpr-compliance-the-price-of-privacy-protections/#respond Tue, 10 Jul 2018 00:43:36 +0000 https://techliberation.com/?p=76312

In preparation for a Federalist Society teleforum call that I participated in today about the compliance costs of the EU’s General Data Protection Regulation (GDPR), I gathered together some helpful recent articles on the topic and put together some talking points. I thought I would post them here and try to update this list in coming months as I find new material. (My thanks to Andrea O’Sullivan for a major assist on coming up with all this.)

Key Points :

  • GDPR is no free lunch; compliance is very costly
      • All regulation entails trade-offs, no matter how well-intentioned rules are
      • $7.8 billion estimated compliance cost for U.S. firms already
      • Punitive fees can range from €20 million to 4 percent of global firm revenue
      • Vagueness of language leads to considerable regulatory uncertainty — no one knows what “compliance” looks like
      • Even EU member states do not know what compliance looks like: 17 of 24 regulatory bodies polled by Reuters said they were unprepared for GDPR
  • GDPR will hurt competition & innovation; favors big players over small
      • Google, Facebook & others beefing up compliance departments. (“ EU official, Vera Jourova: “They have the money, an army of lawyers, an army of technicians and so on.”)
      • Smaller firms exiting or dumping data that could be used to provide better, more tailored services
      • PwC survey found that 88% of companies surveyed spent more than $1 million on GDPR preparations, and 40% more than $10 million.
      • Before GDPR, half of all EU ad spend went to Google. The first day after it took effect, an astounding 95 percent went to Google.
      • In essence, with the GDPR, the EU is surrendering on the idea of competition being possible going forward
      • The law will actually benefit the same big companies that the EU has been going after on antitrust grounds. Meanwhile, the smaller innovators and innovations will suffer.

  • GDPR likely to raise costs to consumers, or diminish choice/quality
      • Consumers care about privacy, but they also care about choice, convenience, and low-cost services
      • The modern data-driven economy has given consumers access to an unparalleled cornucopia of information and services and it is remarkable how much of that content and how many of those services are offered to the public at no charge to them. That’s a real benefit.  
      • But if you take all the data out of the Data Economy, you won’t have much of an economy left
      • “Many organizations will pass these costs on to consumers either by erecting paywalls or forcing users to view more ads.”
      • Websites blacked out post GDPR: Instapaper, Los Angeles Times , Chicago Tribune (all Tronc- and Lee Enterprises-owned media platforms), A&E Networks websites.
      • “EU-only” web experience: stripped down websites without illustration or images. NPR and USA Today .
      • Washington Post is charging for a more expensive GDPR compliant subscription.
  • GDPR hurts global flow of information; worsens problem of data localization
    • Rules only allow data to move to jurisdictions that offer an adequate level of protection
    • Cloud computing? Cloud architects are building costly new infrastructure that can isolate and inspect EU data to ensure it is not “sent” to the wrong jurisdiction.
    • Another step toward a more “bordered” Internet
    • Likely to just create more walled gardens
    • Max Schrems: “Unfortunately data localization is probably the best solution right now. It’s not really a solution that appeals to me a lot, but I think we need data localization for other reasons anyways, like load times and so on.”
    • Roundabout way to impose tariffs? Data-based firms are largely external to EU.
  • GDPR doesn’t solve bigger problem of government access to data
    • EU Data Retention Directive: third parties must keep data for law enforcement for two years (passed after terrorist attacks).
    • EU member states often have no FISA-like body overseeing government wiretap requests. France and the UK have no court apparatus governing surveillance — instead issued directly by administrative bodies. In Germany, their FBI equivalent can install a “Federal Trojan” virus directly into third party platforms without their knowledge.
  • GDPR doesn’t really move the needle much in terms of real privacy protection
    • heavy-handed, top-down regulatory regimes don’t always accomplish their goals when it comes to privacy
    • what consumers need is new competitive options and privacy innovations
    • Unfortunately, the world won’t get the new choices we need if regulations like the GDPR essentially punish them with regulatory compliance costs that only the largest current incumbents can possibly absorb

Related Research & Articles :

]]> https://techliberation.com/2018/07/09/gdpr-compliance-the-price-of-privacy-protections/feed/ 0 76312 A Roundup of Commentary on the Supreme Court’s Carpenter v. United States Decision https://techliberation.com/2018/06/25/a-roundup-of-commentary-on-the-supreme-courts-carpenter-v-united-states-decision/ https://techliberation.com/2018/06/25/a-roundup-of-commentary-on-the-supreme-courts-carpenter-v-united-states-decision/#comments Mon, 25 Jun 2018 13:08:42 +0000 https://techliberation.com/?p=76289

On Friday, the Supreme Court ruled on Carpenter v. United States, a case involving the cell-site location information. In the 5 to 4 decision, the Court declared that “The Government’s acquisition of Carpenter’s cell-site records was a Fourth Amendment search.” What follows below is a roundup of reactions and comments to the decision. 

Ashkhen Kazaryan, Legal Fellow at TechFreedom, had this to say about the ruling:

This ruling recognizes the immensely sensitive nature of cell phone location data, and rightly requires a showing of probable cause before law enforcement can obtain location information from mobile carriers. Our country’s Founders would have expected no lesser safeguards to apply to non-stop surveillance. Indeed, the American Revolution was first instigated over surveillance that was far less invasive.

Ryan Radia at Competitive Enterprise Institute commended the decision:

Although the court’s opinion was narrowly crafted to address the particular facts in this case, its decision underscores the court’s willingness to apply rigorous scrutiny to governmental surveillance involving new technologies. In the United States, the Constitution protects people from unreasonable searches and seizures, and Fourth Amendment protection should apply to private information held on or collected through our personal devices.

Curt Levy, president of Committee for Justice, penned an op-ed in Fox News:

Rapid technological change inevitably outpaces the glacial evolution of the law and the Carpenter case is a perfect example. The location data in question was obtained under the Stored Communications Act (SCA), which did not require prosecutors to meet the “probable cause” standard of a warrant.

So Timothy Carpenter turned to the Constitution. But the Justice Department argued that the Fourth Amendment didn’t apply because of the Supreme Court’s Third-Party Doctrine. That doctrine holds that no search or seizure occurs when the government obtains data that the accused has voluntarily conveyed to a third party – in this case, one’s wireless provider.

The Third-Party Doctrine made some sense when it was invented 40 years ago. However, when applied to today’s modern technology, the doctrine results in a gaping hole in the Fourth Amendment…

The good news is that the Supreme Court took a big step towards repairing that hole Friday. In an opinion by Chief Justice John Roberts, the court acknowledged that Fourth Amendment doctrines must evolve to account for “seismic shifts in digital technology.”

Orin Kerr runs through nine questions you might have on the decision over at the Volokh Conspiracy:

(9) Does This Reasoning Apply Just For Physical Location Tracking, Or Does It Apply More Broadly?

That’s the big question. On one hand, the reasoning of the opinion is largely about tracking a person’s physical location. The opinion takes as a given that you have a reasonable expectation of privacy in the “whole” of your “physical movements.” The Court has never held that, so it’s sort of an unusual thing to just assume! But the Court seems to be getting it mostly from Justice Alito’s Jones concurrence, and the idea, as Alito wrote in Jones, that “society’s expectation has been that law enforcement agents and others would not— and indeed, in the main, simply could not—secretly monitor and catalogue every single movement of an individual’s car for a very long period.” …

On the other hand, there’s lots of language in the opinion that cuts the other way. Although the Court “decides no more than the case before us,” it also recasts a lot of doctrine in ways that could be used to argue for lots of other changes. Its use of equilibrium-adjustment will open the door to lots of new arguments about other records that are also protected. For example, what is the scope of this reasonable expectation of privacy in the “whole” of physical movements? Why is there? The Jones concurrences were really light on that, and Carpenter doesn’t do much beyond citing them for it: What is this doctrine and where did it come from? (And what other reasonable expectations of privacy in things do people have that we didn’t know about, and what will violate them?)

Cato’s Ilya Shapiro and Julian Sanchez comment on the Supreme Court’s decision in this Cato Daily podcast.

Columbia Law Professor Eben Moglen of the Software Freedom Law Center also opined on the decision:

The decision in Carpenter v. United States is a groundbreaking change in the application of the Fourth Amendment in digital society. By stating that the pervasive geographic location data assembled by cellular providers is not insulated from the warrant requirement even though it is information collected by third parties, the Court has fundamentally changed the principles underlying the application of the Amendment before today. The Court has stated that its present decision is narrow and factual, but a flood of further cases will seek to widen the meaning of today’s opinion.

]]> https://techliberation.com/2018/06/25/a-roundup-of-commentary-on-the-supreme-courts-carpenter-v-united-states-decision/feed/ 1 76289 How Well-Intentioned Privacy Regulation Could Boost Market Power of Facebook & Google https://techliberation.com/2018/04/25/how-well-intentioned-privacy-regulation-could-boost-market-power-of-facebook-google/ https://techliberation.com/2018/04/25/how-well-intentioned-privacy-regulation-could-boost-market-power-of-facebook-google/#respond Wed, 25 Apr 2018 14:25:08 +0000 https://techliberation.com/?p=76261

Image result for Zuckerberg Schmidt laughing

Two weeks ago, as Facebook CEO Mark Zuckerberg was getting grilled by Congress during a two-day media circus set of hearings, I wrote a counterintuitive essay about how it could end up being Facebook’s greatest moment. How could that be? As I argued in the piece, with an avalanche of new rules looming, “Facebook is potentially poised to score its greatest victory ever as it begins the transition to regulated monopoly status, solidifying its market power, and limiting threats from new rivals.”

With the exception of probably only Google, no firm other than Facebook likely has enough lawyers, lobbyists, and money to deal with layers of red tape and corresponding regulatory compliance headaches that lie ahead. That’s true both here and especially abroad in Europe, which continues to pile on new privacy and “data protection” regulations. While such rules come wrapped in the very best of intentions, there’s just no getting around the fact that  regulation has costs. In this case, the unintended consequence of well-intentioned data privacy rules is that the emerging regulatory regime will likely discourage (or potentially even destroy) the chances of getting the new types of innovation and competition that we so desperately need right now.

Others now appear to be coming around to this view. On April 23, both the  New York Times and The Wall Street Journal ran feature articles with remarkably similar titles and themes. The New York Times article by Daisuke Wakabayashi and Adam Satariano was titled, “How Looming Privacy Regulations May Strengthen Facebook and Google,” and The Wall Street Journal’s piece, “Google and Facebook Likely to Benefit From Europe’s Privacy Crackdown,” was penned by Sam Schechner and Nick Kostov. “In Europe and the United States, the conventional wisdom is that regulation is needed to force Silicon Valley’s digital giants to respect people’s online privacy. But new rules may instead serve to strengthen Facebook’s and Google’s hegemony and extend their lead on the internet,” note Wakabayashi and Satariano in the  NYT essay. They continue on to note how “past attempts at privacy regulation have done little to mitigate the power of tech firms.” This includes regulations like Europe’s “right to be forgotten” requirement, which has essentially put Google in a privileged position as the “chief arbiter of what information is kept online in Europe.” Meanwhile, the  WSJ article opens with this interesting story about the epiphany EU regulator Věra Jourová had upon visiting with the supposed victims of the EU’s new General Data Protection Regulation, or GDPR:
When the European Union’s justice commissioner traveled to California to meet with Google and Facebook last fall, she was expecting to get an earful from executives worried about the Continent’s sweeping new privacy law. Instead, she realized they already had the situation under control. “They were more relaxed, and I became more nervous,” said the EU official, Věra Jourová. “They have the money, an army of lawyers, an army of technicians and so on.”
Image result for Google Brin laughingIndeed they do. And that means that they are better positioned to absorb the significant costs of compliance that will be associated with the new GDPR rules, which are somewhat ambiguous and will require a great deal of ongoing interpretation and legal wrangling.  The Journal essay also cites an unnamed Brussels lobbyist for an media-measurement firm saying, “The politicians wanted to teach Google and Facebook a lesson. And yet they favor them.” Consider this paragraph from the WSJ essay about how the two firms worked diligently to come into compliance with the new GDPR regulations:
Once the law passed in spring 2016, Google and Facebook threw people at the problem. Google involved lawyers in the U.S., Ireland, Brussels and elsewhere to pore over contracts and procedures, said people close to the company. Facebook mobilized hundreds of people in what it describes as the largest interdepartmental team it has ever assembled. Facebook lawyers spent a year scrutinizing the law’s lengthy text. Designers and engineers then toiled over how to implement changes, according to Stephen Deadman, Facebook’s global deputy chief privacy officer. During the process, Facebook got frequent access to regulators across Europe. It met with Helen Dixon, the data protection commissioner in Ireland, where the company bases its European operations, and her staff to run through changes Facebook was planning. Ms. Dixon’s agency provided the firm with feedback on the wording of its consent requests, Facebook said.
Now ask yourself how many other smaller existing or new firms would be in a position to do the same thing. Answer: Not many. We’re already seeing the deleterious effects of the GDPR on market structure, the  Journal reports. “Some advertisers are planning to shift money away from smaller providers and toward Google and Facebook,” Schechner and Kostov note. And they end their essay with the telling thoughts of Bill Simmons, co-founder and chief technology officer of Dataxu, Boston-based company that helps buy targeted ads, who says, “It is paradoxical. The GDPR is actually consolidating the control of consumer data onto these tech giants.” The  NYT essay included a funny tidbit about how “Some privacy advocates also bristle at the idea that these new restrictions would help already powerful internet companies, noting that is a well-worn argument employed by tech giants to try to prevent future regulation.” That’s a highly unfortunate attitude. If privacy advocates really care about improving the situation on the ground, then the best way to do that is with more and better choices. Sadly, it seems that with each passing day the write off the idea of any new competition emerging to today’s tech giants. “Can Facebook be replaced?” asks Olivia Solon writing in The Guardian today. Some probably think not, but as Solon notes, “prominent Silicon Valley investor Jason Calacanis, who was an early investor in several high-profile tech companies including Uber certainly hopes so. He has launched a competition to find a ‘social network that is actually good for society,'” and his “Openbook Challenge will offer seven “purpose-driven teams” $100,000 in investment to build a billion-user social network that could replace the technology titan while protecting consumer privacy.” In a blog post announcing the Challenge, Calacanis wrote: “All community and social products on the internet have had their era, from AOL to MySpace, and typically they’re not shut down by the government — they’re slowly replaced by better products. So, let’s start the process of replacing Facebook.” I don’t have any idea whether this Openbook Challenge will succeed. It’s hard building big, scalable digital platforms that satisfy the diverse needs of a diverse world. But this is exactly the sort of innovation that we should be encouraging. Even the very threat of new competition will keep the big dogs on their toes. Alas, all the new regulations being consider will likely just leave us with fewer choices and regulations that probably won’t even do all that much to truly better protect our data or privacy. But hey, at least it was all well-intentioned!

Updates :

]]> https://techliberation.com/2018/04/25/how-well-intentioned-privacy-regulation-could-boost-market-power-of-facebook-google/feed/ 0 76261 The Week Facebook Became a Regulated Monopoly (and Achieved Its Greatest Victory in the Process) https://techliberation.com/2018/04/10/the-week-facebook-became-a-regulated-monopoly-and-achieved-its-greatest-victory-in-the-process/ https://techliberation.com/2018/04/10/the-week-facebook-became-a-regulated-monopoly-and-achieved-its-greatest-victory-in-the-process/#comments Tue, 10 Apr 2018 20:30:45 +0000 https://techliberation.com/?p=76253

With Facebook CEO Mark Zuckerberg in town this week for a political flogging, you might think that this is darkest hour for the social networking giant. Facebook stands at a regulatory crossroads, to be sure. But allow me to offer a cynical take, and one based on history: Facebook is potentially poised to score its greatest victory ever as it begins the transition to regulated monopoly status, solidifying its market power, and limiting threats from new rivals.

By slowly capitulating to critics (both here and abroad) who are thirsty for massive regulation of the data-driven economy, Facebook is setting itself up as a servant of the state. In the name of satisfying some amorphous political “public interest” standard and fulfilling a variety of corporate responsibility objectives, Facebook will gradually allow itself to be converted into a sort of digital public utility or electronic essential facility.

That sounds like trouble for the firm until you realize that Facebook is one of the few companies who will be able to sacrifice a pound of flesh like that and remain alive. As layers of new regulatory obligations are applied, barriers to new innovations will become formidable obstacles to the very competitors that the public so desperately needs right now to offer us better alternatives. Gradually, Facebook will recognize this and go along with the regulatory schemes. And then eventually they will become the biggest defender of all of it.

Welcome to Facebook’s broadcast industry moment. The firm is essentially in the same position the broadcast sector was about a century ago when it started cozying up to federal lawmakers. Over time, broadcasters would warmly embrace an expansive licensing regime that would allow all parties—regulatory advocates, academics, lawmakers, bureaucrats, and even the broadcasters themselves—to play out the fairy tale that broadcasters would be good “public stewards” of the “public airwaves” to serve the “public interest.”

Alas, the actual listening and viewing public got royally shafted in this deal. Broadcasters got billions of dollars’ worth of completely free beachfront spectrum along with protected geographic monopolies. Congressional lawmakers and the unelected bureaucrats at the FCC got power to tinker with broadcast content and received other special favors (like free airtime) from their cronies in the industry. People, money, and influence floated freely between the political and business realms until at some point there really wasn’t much distinction between them. Meanwhile, the public got stuck with bland fare and limited competition for their ears and eyes. The “public interest” ended up meaning many things during this time, but it rarely had much to do with what the public actually desired—namely, more and better options for a diverse citizenry.

Of course, much the same story played out in the U.S. telecommunications market a few decades prior to the broadcast industry making their deal with the devil. The early history of telecommunications in America was characterized by competition among a variety of local and regional rivals. But it was derailed by political shenanigans. Here are a few choice paragraphs about the cronyist origins of the Bell System monopoly from a law review article that Brent Skorup and I wrote back in 2013 [footnotes omitted]. As you read it, imagine how similar well-intentioned regulations might play out for Facebook:

… this intensely competitive, pro-consumer free-for-all would be derailed by AT&T’s brilliant strategy to use the government to accomplish what it could not in the free market: eliminate its rivals. In 1907, Theodore Newton Vail became AT&T’s president. He had a clear vision: achieving “universal service” (in the form of interconnected and fully integrated systems) by eliminating rivals and consolidating networks. Befriending lawmakers and regulators was a crucial component of this strategy. While many policymakers nominally supported the idea of competition, they were more preoccupied with achieving widespread, interconnected network coverage. Vail capitalized on that impulse. On December 19, 1913, the government and AT&T reached the “Kingsbury Commitment.” Named after AT&T vice president Nathan C. Kingsbury, who helped negotiate the terms, the agreement outlined a plan whereby AT&T agreed not to acquire any other independent companies while also allowing other competitors to interconnect with the Bell System. The Kingsbury Commitment was thought to be pro-competitive, yet it was hardly an altruistic agreement on AT&T’s part. Regulators did not interpret the agreement so as to restrict AT&T from acquiring any new telephone systems, but only to require that an equal number be sold to an independent buyer for each system AT&T purchased. Hence, the Kingsbury Commitment contained a built-in incentive for network swapping (trading systems and solidifying territorial monopolies) rather than continued competition.  “The government solution, in short, was not the steamy, unsettling cohabitation that marks competition but rather a sort of competitive apartheid, characterized by segregation and quarantine,” observe telecom legal experts Michael Kellogg, John Thorne, and Peter Huber.  Thus, the move toward interconnection, while appearing to assist independent operators, actually allowed AT&T to gain greater control over the industry. “Vail chose at this time to put AT&T squarely behind government regulation, as the quid pro quo for avoiding competition,” explains [Richard] Vietor.  “This was the only politically acceptable way for AT&T to monopolize telephony,” he notes.  AT&T’s 1917 annual report confirms this fact, stating, “[with a] combination of like activities under proper control and regulation, the service to the public would be better, more progressive, efficient, and economical than competitive systems.”

So much for “the public interest”! If the last century’s worth of communications and media regulation teaches us anything, it’s that good intentions only get you so far in this world. Many of the lawmakers and regulators who allowed themselves to be duped by big corporations asking for protection from competition probably thought they were doing the right thing. Those policymakers may even have believed that they were actually encouraging innovation and competition through some of their regulatory actions. Alas, things did not turn out that way. We the public were denied real, meaningful choices and innovations because of these misguided policies.

And so now it’s Facebook’s turn to become part of this sordid tale. Zuckerberg has already made it clear that he is open to regulation and that his firm would also start enforcing new European data rules globally. And after this week’s political circus in Congress, the floodgates will be wide open and everyone’s regulatory pet peeve will be up for political consideration, which is exactly what happened for broadcasters and communications in past decades.

Every crackpot idea under the sun will be on the table but the most extreme versions of those proposals will be beaten back just enough to ensure that Facebook can offer up its pound of sacrificial flesh each time without running the risk of killing the patient entirely. Again, this was always part of the broadcast and communications regulatory playbook as well. So long as they were guaranteed a fairly stable market return and protection from pesky new innovators, the firms were willing to go along with the deal.

The “deal” in this case between Facebook and regulators won’t be so explicitly cronyist as it was for broadcasters and communications companies, however. The days of price controls, rate-of-return regulation, and formal line of business restrictions are likely over. Everyone now recognizes that regulations creating formal barriers to innovation and entry are a bad idea and, as a result, they are usually rejected.

But laws and regulations can sometimes create informal or hidden barriers to innovation and entry, even when they are well-intentioned. And that’s what could happen here as this latest Facebook fiasco leads to calls for seeming innocuous things like transparency and disclosures requirements, restrictions on “bad speech,” advertising and data collection regulations, “fiduciary” responsibilities, “algorithmic accountability” efforts, and so on. Facebook hasn’t wanted to adopt some of these things in the past, but now they’ll be pushed aggressively to do so by policymakers and regulatory activists. As Zuckerberg and Facebook cozy up with policymakers and regulatory activists and begin talking about a “broader view of responsibility,” the transition to the firm’s next phase as a quasi-public utility will get underway.

The rich irony of all this is that the same regulatory advocates who are cheering on this week’s developments as well as the coming regulatory avalanche will be the ones howling the loudest if and when only Facebook is left standing in the social media universe. In fact, that’s already happened in Europe where policymakers and their burdensome top-down data protection regulations have driven most digital innovators and investors to other continents, leaving only Facebook, Google, and handful of other (mostly U.S.-based) companies left to regulate. And then European policymakers have the audacity to cry foul about the market power of these firms! It boggles the mind how European policymakers and regulatory advocates see zero connection between their heavy-handed approach to the Digital Economy and the corresponding lack of enough competitors in those sectors.

But none of that will make any difference to the regulatory advocates. They want that pound of flesh, and they are going to get it. And then in Facebook they will have a regulatory plaything to toy with for years to come.

What about the public? Will we really be any better off because of any of this? How many people will want to stick with Facebook if it becomes a digital public utility or a social media version of the Post Office? That sure doesn’t sound like much fun for us. But if the new regulations imposed on Facebook do end up hurting smaller rivals more and create barriers to new entry and innovation going forward, then it’s unclear whether it makes any difference what we want because the options just won’t be there for us.

With time, Facebook will not only become more comfortable with its new regulatory status for that reason but then in the name of ensuring a “level playing field,” the firm will simultaneously advocate that each and every new rule be applied to all its rivals. Again, this is how well-intentioned regulation ends up indirectly discouraging the very innovation and competitive options that we need. Broadcasters and communications companies played the “level playing field” card at every juncture to beat down new technologies and rivals.

Finally, at some point, don’t be surprised if all roads lead back to prices for digital services. Right now, social networking services like Facebook are free-of-charge to consumers and digital companies use advertising to support their services. Many regulatory advocates have suggested that this sort of business model is fundamentally incompatible with privacy and have wanted it strictly curtail if not ended altogether. Of course, if you ask the public how many of them would be willing to pay $19.95 a month for Facebook, you won’t get many takers.

I wrote a couple of law review articles talking about the “privacy paradox” and consumer “willingness to pay” for privacy more generally. All the evidence suggests that consumer willingness to pay for privacy is significantly lower than privacy advocates would prefer. But if in the name protecting privacy, prices get pushed or imposed as a matter of public policy, then we will have entered a truly surreal moment in the history of regulatory policy because we will have inverted the presumption that consumer welfare is better served by lower prices. Over the past century, the purpose of most public utility regulation was lower prices, higher quality, and more choice. The modern Digital Economy has largely achieved those goals without heavy-handed regulation. But now, with the emerging regulatory regime looming for Facebook and social media more generally, we might end up with a sort of bizarro policy world in which we make people pay more in the name of making them better off!

I hope I’m wrong about everything I’ve said here. It would be troubling if we enter an era of less competition, less innovation, and lower quality information services. But to borrow a quote from my favorite sci-fi show, “all of this has happened before, and all of this will happen again.” And regulatory history tends to repeat. We shouldn’t be surprised, therefore, when some forget the ugly history of public utility-style regulation or broadcast era “public interest” mandates and we find ourselves stuck right back in the hole that we’ve been trying to dig ourselves out of for so many decades.

]]> https://techliberation.com/2018/04/10/the-week-facebook-became-a-regulated-monopoly-and-achieved-its-greatest-victory-in-the-process/feed/ 4 76253 new Mercatus paper on “Public Policy for Virtual and Augmented Reality” https://techliberation.com/2017/09/25/new-mercatus-paper-on-public-policy-for-virtual-and-augmented-reality/ https://techliberation.com/2017/09/25/new-mercatus-paper-on-public-policy-for-virtual-and-augmented-reality/#comments Mon, 25 Sep 2017 17:26:15 +0000 https://techliberation.com/?p=76192

The Mercatus Center at George Mason University has just released a new paper on,”Permissionless Innovation and Immersive Technology: Public Policy for Virtual and Augmented Reality,” which I co-authored with Jonathan Camp. This 53-page paper can be downloaded via the Mercatus websiteSSRN or Research Gate.

Here is the abstract for the paper:

Immersive technologies such as augmented reality, virtual reality, and mixed reality are finally taking off. As these technologies become more widespread, concerns will likely develop about their disruptive social and economic effects. This paper addresses such policy concerns and contrasts two different visions for governing immersive tech going forward. The paper makes the case for permissionless innovation, or the general freedom to innovate without prior constraint, as the optimal policy default to maximize the benefits associated with immersive technologies. The alternative vision — the so-called precautionary principle — would be an inappropriate policy default because it would greatly limit the potential for beneficial applications and uses of these new technologies to emerge rapidly. Public policy for immersive technology should not be based on hypothetical worst-case scenarios. Rather, policymakers should wait to see which concerns or harms emerge and then devise ex post solutions as needed.

To better explain why precautionary controls on these emerging technologies would be such a mistake, Camp and I provide an inventory of the many VR, AR, and mixed reality applications that are already on the market–or soon could be–and which could provide society with profound benefits. A few examples include: 

  • Education and museums. Immersing users in virtual environments allows Google’s Expedition Pioneer Program to provide 360-degree video tours of famous landmarks and ruins, and museums are already using AR technology to provide interactive content.
  • Worker training and systems monitoring. VR industrial simulators such as ForgeFX are being used to train workers to master a variety of complex tasks, while AR systems can be leveraged to help farmers with crop management from afar.
  • Healthcare. CT scans and MRIs are being converted into 3-D models to perform surgery that was once thought impossible, and the world’s first VR medical training facility opened in London in November of 2016.
  • Engineering. Virtual modeling technology is being combined with VR to allow touring of unbuilt vehicles and buildings, lowering the costs of construction and design.
  • Military. The military has used VR for combat simulations, medic training, flight simulators, vehicle simulators, and even the treatment of PTSD.

And that just scratches the surface of some of the many exciting applications out there. The virtual sky is the limit with immersive tech — so long, that is, as we don’t derail these life-enriching technologies with misguided, fear-based public policy restrictions. Please read the paper for more details.

]]> https://techliberation.com/2017/09/25/new-mercatus-paper-on-public-policy-for-virtual-and-augmented-reality/feed/ 1 76192 new Mercatus paper on “Artificial Intelligence and Public Policy” https://techliberation.com/2017/08/23/new-mercatus-paper-on-artificial-intelligence-and-public-policy/ https://techliberation.com/2017/08/23/new-mercatus-paper-on-artificial-intelligence-and-public-policy/#comments Wed, 23 Aug 2017 15:03:10 +0000 https://techliberation.com/?p=76180

The Mercatus Center at George Mason University has just released a new paper on, “Artificial Intelligence and Public Policy,” which I co-authored with Andrea Castillo O’Sullivan and Raymond Russell. This 54-page paper can be downloaded via the Mercatus website, SSRN, or ResearchGate. Here is the abstract:

There is growing interest in the market potential of artificial intelligence (AI) technologies and applications as well as in the potential risks that these technologies might pose. As a result, questions are being raised about the legal and regulatory governance of AI, machine learning, “autonomous” systems, and related robotic and data technologies. Fearing concerns about labor market effects, social inequality, and even physical harm, some have called for precautionary regulations that could have the effect of limiting AI development and deployment. In this paper, we recommend a different policy framework for AI technologies. At this nascent stage of AI technology development, we think a better case can be made for prudence, patience, and a continuing embrace of “permissionless innovation” as it pertains to modern digital technologies. Unless a compelling case can be made that a new invention will bring serious harm to society, innovation should be allowed to continue unabated, and problems, if they develop at all, can be addressed later.

]]> https://techliberation.com/2017/08/23/new-mercatus-paper-on-artificial-intelligence-and-public-policy/feed/ 2 76180 DOT’s Driverless Cars Guidance: Will “Agency Threats” Rule the Future? https://techliberation.com/2016/09/20/dots-driverless-cars-guidance-will-agency-threats-rule-the-future/ https://techliberation.com/2016/09/20/dots-driverless-cars-guidance-will-agency-threats-rule-the-future/#comments Tue, 20 Sep 2016 21:12:15 +0000 https://techliberation.com/?p=76082

Today, the U.S. Department of Transportation released its eagerly-awaited “Federal Automated Vehicles Policy.” There’s a lot to like about the guidance document, beginning with the agency’s genuine embrace of the potential for highly automated vehicles (HAVs) to revolutionize this sector and save thousands of lives annually in the process.

It is important we get HAV policy right, the DOT notes, because, “35,092 people died on U.S. roadways in 2015 alone” and “94 percent of crashes can be tied to a human choice or error.” (p. 5) HAVs could help us reverse that trend and save thousands of lives and billions in economic costs annually. The agency also documents many other benefits associated with HAVs, such as increasing personal mobility, reducing traffic and pollution, and cutting infrastructure costs.

I will not attempt here to comment on every specific recommendation or guideline suggested in the new DOT guidance document. I could nit-pick about some of the specific recommended guidelines, but I think many of the guidelines are quite reasonable, whether they are related to safety, security, privacy, or state regulatory issues. Other issues need to be addressed and CEI’s Marc Scribner does a nice job documenting some of them is his response to the new guidelines.

Instead of discussing those specific issues today, I want to ask a more fundamental and far-reaching question which I have been writing about in recent papers and essays: Is this guidance or regulation? And what does the use of informal guidance mechanisms like these signal for the future of technological governance more generally?

When Is “Voluntary” Really Mandatory?

The surreal thing about DOT’s new driverless car guidance is how the agency repeatedly stresses it “is not mandatory” and that the guidelines are voluntary in nature but then — often in the same paragraph or sentence — the agency hints how it might convert those recommendations into regulations in the near future. Consider this paragraph on pg. 11 of the DOT’s new guidance document:

The Agency expects to pursue follow-on actions to this Guidance, such as performing additional research in areas such as benefits assessment, human factors, cybersecurity, performance metrics, objective testing, and others as they are identified in the future. As discussed, DOT further intends to hold public workshops and obtain public comment on this Guidance and the other elements of the Policy. This Guidance highlights important areas that manufacturers and other entities designing HAV systems should be considering and addressing as they design, test, and deploy HAVs. This Guidance is not mandatory. NHTSA may consider, in the future, proposing to make some elements of this Guidance mandatory and binding through future regulatory actions. This Guidance is not intended for States to codify as legal requirements for the development, design, manufacture, testing, and operation of automated vehicles. Additional next steps are outlined at the end of this Guidance. [emphasis added.]

The agency continues on to request that “manufacturers and other entities voluntarily provide reports regarding how the Guidance has been followed,” but then notes how “[t]his reporting process may be refined and made mandatory through a future rulemaking.” (p. 15)

And so it goes throughout the DOT’s new “guidance” document. With one breath the DOT suggests that everything is informal and voluntary; with the next it suggests that some form of regulation could be right around the proverbial corner.

Agency Threats Are the Future of Technological Governance

What’s going on here? In essence, DOT’s driverless car guidance is another example of how “soft law” and “agency threats” are becoming the dominant governance models for fast-paced emerging technology.

As noted by Tim Wu, a proponent of such regimes, these agency threats can include “warning letters, official speeches, interpretations, and private meetings with regulated parties.” “Soft law” simply refers to any sort of informal governance mechanism that agencies might seek to use to influence private decision-making or in this case the future course of technological innovation.

The problem with agency threats, as my former Mercatus Center colleague Jerry Brito pointed out in a 2014 law review article, is that they are fundamentally undemocratic and represent a betrayal of the rule of law. The use of “threat regimes,” Brito argued, “places undue power in the hands of regulators unconstrained by predictable procedures.” Such regimes breed uncertainty by leaving decisions up to the whim of regulators who will be unconstrained by administrative procedures, legal precedents, and strict timetables. “[B]ecause it has no limiting principle,” Brito concluded, the agency threats model “leaves the regulatory process without much meaning” and “would obviously be ripe for abuse.”

The danger exists that we are witnessing gradual mission creep as the DOT’s “guidance” process slowly moves from being a truly voluntary self-certification process to something more akin to a pre-market approval process. Every “informal” request that DOT makes — even when those requests are just presented in the form of vague questions — opens the door to greater technocratic meddling in the innovation process by federal bureaucrats.

Coping with the Pacing Problem

Why are agencies like the DOT adopting this new playbook? In a nutshell, it comes down to the realization on their part that the “pacing problem” is now an undeniable fact of life.

I discussed the pacing problem at length in my recent review of Wendell Wallach’s important new book, A Dangerous Master: How to Keep Technology from Slipping beyond Our Control. Wallach nicely defined the pacing problem as “the gap between the introduction of a new technology and the establishment of laws, regulations, and oversight mechanisms for shaping its safe development.” “There has always been a pacing problem,” Wallach noted, but like other philosophers, he believes that modern technological innovation is occurring at an unprecedented pace, making it harder than ever to “govern” it using traditional legal and regulatory mechanisms.

Which is exactly why the DOT and whole lot of other agencies are now defaulting to soft law and agencies threat models as their old regimes struggle to keep up with the pace of modern technological innovation. As the DOT put it in its new guidance document: “The speed with which HAVs are advancing, combined with the complexity and novelty of these innovations, threatens to outpace the Agency’s conventional regulatory processes and capabilities.” (p. 8)  More specifically, the agency notes that:

The remarkable speed with which increasingly complex HAVs are evolving challenges DOT to take new approaches that ensure these technologies are safely introduced (i.e., do not introduce significant new safety risks), provide safety benefits today, and achieve their full safety potential in the future. To meet this challenge, we must rapidly build our expertise and knowledge to keep pace with developments, expand our regulatory capability, and increase our speed of execution. (p. 6)

Rarely has any agency been quite so blunt about how it is racing to get ahead of the pacing problem before it completely loses control of the future course of technological innovation.

But the DOT is hardly alone in its increased reliance on soft law governance mechanisms. In fact, I’m in the early research stages of a new paper about what soft law and agency threat models mean for the future of emerging technology and its governance. In that paper, I hope to document how many different agencies (FAA, FDA, FTC, FCC, NTIA, & DOT among others) are using some variant of soft law model to informally regulate the growing universe of emerging technologies out there today (commercial drones, connected medical devices, the Internet of Things, 3D printing, immersive technology, the sharing economy, driverless cars, and more.)

If nothing else, I would like to devise a taxonomy of soft law/agency threat models and then discuss the upsides and downsides of those models. If anyone has recommendations for additional reading on this topic, please let me know. The best thing I have seen on the issue is a 2013 book of collected essays on Innovative Governance Models for Emerging Technologies, edited by Gary E. Marchant, Kenneth W. Abbott and Braden Allenby. I’m surprised more hasn’t been written about this in law reviews or political science journals.

What Does It Mean for Innovation? And Accountable Government?

So, what does all this mean for the future of driverless cars, autonomous systems, and other emerging technologies? I think it’s both good and bad news.

The good news — at least from the perspective of those of us who want to see innovators freed up to experiment more without prior restraint — is that the technological genie is increasingly out of the bottle. Technology regulators are at an impasse and they know it. Their old regulatory regimes are doomed to always be one step behind the action. Thus, a lot of technological innovation is going to be happening before any blessing has been given to engage in those experiments.

The bad news is that the regulatory regimes of the future will become almost hopelessly arbitrary in terms of their contours and enforcement ceiling. Basically, in our new world of soft law and agency threats, you can tear up the Administrative Procedures Act and throw it out the window.  When regulatory agencies act in the future, they will do so in a sort of extra-legal Twilight Zone, where things are not always as they seem. Agencies will increasingly act like nagging nannies, constantly pressuring innovators to behave themselves. And sometimes that nagging will work, and sometimes it will even improve consumer welfare at the margin! It will work sometimes precisely because government still wields a mighty big hammer and no innovator wants to be nailed to the ground in the courts, or the court of public opinion for that matter. Thus, many — not all, but many — of those innovators will go along with whatever agencies like DOT suggests as “best practices” even if those guidelines are horribly misguided or have no force of law whatsoever. And because agencies know that many (perhaps most) innovators will fall in line with whatever “best practices” or “codes of conduct” that they concoct, it will reinforce the legitimacy of this model and become the new method of imposing their will on current or emerging technology sectors.

Again, agency threats won’t always work because some innovators will continue to engage in rough forms of “technological civil disobedience” and just ignore a lot of these informal guidelines and agency threats. Agencies will push back and seek to make an example of specific innovators (especially the ones with deep pockets) in order to send a message to every other innovator out there that they better fall in line or else!

But what that “or else!” moment or action looks like remains completely unclear. The problem with soft law is that, by its very nature, it is completely open-ended and fundamentally arbitrary. It is really just “ non-law law.” That’s the “legal regime” that will “govern” the emerging technologies of the present and the future.

Isn’t Soft Law Better Than the Alternative?

Now, here’s the funny thing about this messy, arbitrary, unaccountable world of soft law and agency threats: It is probably a hell of lot better than the old world we used to live in!

The old analog era regulatory systems were very top-down and command-and-control in orientation. These traditional regimes were driven by the desire of regulators to enforce policy priorities by imposing prior restraints on innovation and then selectively passing out permission slips to get around those rules.

As I noted in my latest book, the problem with those traditional regulatory systems is that they “tend to be overly rigid, bureaucratic, inflexible, and slow to adapt to new realities. They focus on preemptive remedies that aim to predict the future, and future hypothetical problems that may not ever come about. Worse yet, administrative regulation generally preempts or prohibits the beneficial experiments that yield new and better ways of doing things.” (Permissionless Innovation, p. 120)

For all the reasons I outlined in my book and other papers on these topics, “permissionless innovation” remains the superior policy default compared to precautionary principle-based prior restraints. But I am not so naïve as to expect that permissionless innovation will prevail in the policy world all of the time. Moreover, I am not one of those technological determinists who goes around saying that technology is an unstoppable force that relentlessly drives history, regardless of what policymakers say. I am more of a soft determinist who believes that technology often can be a major driver of history, but not without a significant shaping from other social, cultural, economic, and political forces.

Thus, as much as I worry about the new “soft law/agency threats” regime being arbitrary, unaccountable, and innovation-threatening, I know that the ideal of permissionless innovation will only rarely be our default policy regime. But I also don’t think we are going back the old regulatory regimes of the past and we absolutely wouldn’t want to anyway in light of the deleterious impacts those regimes had on innovation in practice.

The best bet for those of us who care about the freedom to innovate is to make sure that these soft law governance mechanisms have some oversight from Congress (unlikely) and the Courts (more likely) when agencies push too far with informal agency threats. Better yet, we can hope that the pace of technological change continues to accelerate and pressures agencies to only intervene to address the most pressing problems and then largely leaves the rest of the field wide open for continued experimentation with new and better ways of doing things.

But make no doubt about it, as today’s DOT guidance document for driverless cars makes clear, “agency threats” will increasingly shape the future of emerging technologies whether we like it or not.

]]> https://techliberation.com/2016/09/20/dots-driverless-cars-guidance-will-agency-threats-rule-the-future/feed/ 2 76082 The 10 Most-Read Posts of 2015 https://techliberation.com/2015/12/30/the-10-most-read-posts-of-2015/ https://techliberation.com/2015/12/30/the-10-most-read-posts-of-2015/#comments Wed, 30 Dec 2015 19:08:33 +0000 http://techliberation.com/?p=75970

Another year in the books for the Technology Liberation Front. Many developments unfolded in 2015 in the technology world and we covered much of it (on TLF and in other outlets). The most popular posts this year revolved around the Internet of Things, privacy, unlicensed spectrum, and municipal and public broadband networks. Thanks for reading, and enjoy the year in review.

  1. What Cory Booker Gets About Innovation Policy, by Adam Thierer

In February, Adam appeared before the Senate Commerce Committee to testify about the Internet of Things and technology policy. During the hearing, Adam discovered a like-minded innovation advocate in Sen. Cory Booker (D-NJ). In his post, Adam recounts Sen. Booker’s statements during the hearing on the importance of promoting US leadership in technology, and rejecting policymaking based on techno-panics.

[P]erhaps most importantly, Sen. Booker stressed how essential it was that we reject a fear-based approach to public policymaking. As he noted at the hearing about these new information technologies, “there’s a lot of legitimate fears, but in the same way of every technological era, there must have been incredible fears.”
  1. Bipartisan Internet of Things Resolution Introduced in the Senate, by Adam Thierer

Adam commends a bipartisan Senate resolution in March that announced a strategy to incentivize the development of the Internet of Things in the US. Adam likens it to the light-touch Internet policy vision from the 1990s that made the US a leader in Internet-based technologies and media.

We got policy right once before in the United States, and we can get it right again with a policy vision like that found in this new Senate resolution for the Internet of Things.
  1. Unintended Consequences of the EU Safe Harbor Ruling, by Adam Thierer

In this post, Adam spells out some possible ill effects after the announcement that the European Court of Justice invalidated the 15-year old EU-US safe harbor agreement, which facilitated data transfers between the EU and US. Amongst the problems is that digital trade may suffer and the decision may accelerate the Balkanization of the Internet.

  1. New ITIF Study on Privacy Panics, by Adam Thierer

In September, Adam appeared at an Information Technology and Innovation Foundation event to discuss privacy panics as new technologies are deployed. In his post, Adam reviews ITIF’s report about the latest privacy scares and posts video of the event.

I think one of the most important takeaways from the study is that, as Castro and McQuinn note, “history has shown, many of the overinflated claims about loss of privacy have never materialized.”
  1. How the FCC Killed a Nationwide Wireless Broadband Network, by Brent Skorup

Clemson economist Thomas Hazlett and I published an article in the Duke Law & Technology Review about the bankruptcy of wireless carrier LightSquared and I summarized the piece in a blog post. We showed that FCC regulations regarding unlicensed spectrum often compel costly rent-seeking rather than parties’ reliance on market processes and Coasian bargaining.

The evaporation of billions of dollars of LightSquared funds was a non-market failure, not a market failure and not a technology failure. The economic loss to consumers was even greater than LightSquared’s. Different FCC rules could have permitted welfare-enhancing coordination between LightSquared and GPS. The FCC’s error was the nature of rights the agency assigned for GPS use. By authorizing the use of millions of unlicensed devices adjacent to LightSquared’s spectrum, the FCC virtually ensured that future attempts to reallocate spectrum in these bands would prove contentious.
  1. 5 Great Books on Innovation and Technology Policy, by Adam Thierer

In September, after inquiries from tech scholars and students after an event, Adam provided his top-5 list of books to read about the conflict of visions over the direction of technology policy.

  1. Don’t Hit the (Techno-) Panic Button on Connected Car Hacking and IoT Security, by Adam Thierer

Adam pushes back against the “panic-first” approach toward connected cars and the Internet of Things on display in a 60 Minutes segment and congressional hearings. Adam notes that most of the hype surrounding “car hacking” and malicious use of our connected devices are exaggerated. Further, market pressures and existing liability laws incentivize firms to act in ways that protect consumers and in these fast-moving industries, standards are rapidly improving as new IoT technologies enter the mainstream.

We are at the beginning of a long process. There is no final destination when it comes to security; it’s a never-ending process of devising and refining policies to address vulnerabilities on the fly. The complex problem of cybersecurity readiness requires dynamic solutions that properly align incentives, improve communication and collaboration, and encourage good personal and organizational stewardship of connected systems. Implementing the brittle bureaucratic standards that Markey and others propose could have the tragic unintended consequence of rendering our devices even lesssecure.
  1. Will LTE-U Mark the End of the Unlicensed Spectrum Commons?, by Brent Skorup

Technologies using unlicensed spectrum have come and gone over the years but 2015 marked the year when one unlicensed technology–LTE-U–received substantial attention from technologists and tech reporters. The testing and possible deployment of technologies like LTE-U and Globalstar’s TLPS received significant opposition because of concerns about interference to and competition with existing unlicensed spectrum technologies like Wifi and Bluetooth. Despite the coverage in 2015, many predicted this “spectrum NIMBYism” in unlicensed spectrum years ago. The FCC created these circumstances because it provides no interference protection to existing users but its open access policy makes interference conflicts likely. Whether and how the FCC gets involved in approving new technologies using unlicensed spectrum is increasingly an issue to watch. Will the FCC continue to allow permissionless innovation in unlicensed spectrum or will it declare the spectrum commons a failed experiment, rescind its existing rules, and require more from new entrants?

By law unlicensed spectrum users have no rights to their spectrum; unlicensed spectrum is a managed commons. In practice, however, existing users frequently act as if they own their spectrum and they can exclude others. By entertaining these complaints, the FCC simply encourages NIMBYism in unlicensed spectrum.
  1. Trouble Ahead for Municipal Broadband, by Brent Skorup

In early 2015, the Obama administration made publicly-funded broadband networks a major priority. I pushed back on the idea that public networks are good for consumers and taxpayers. I named several major operational and legal obstacles that municipal broadband operators can expect when they attempt to provide TV, Internet access, and telephone service.

If the federal government dropped over $100 million in a small city to build publicly-owned grocery stores with subsidized food, local grocery stores would, of course, strenuously object that this is patently unfair and harms private grocers. …The activists’ response to the carriers, who obviously complain about this “competition,” is essentially, “maybe now you’ll upgrade and compete harder.” It’s absurd on its face.
  1. My Writing on Internet of Things (Thus Far), by Adam Thierer

In the run-up to Adam’s Internet of Things talk at CES 2015, he outlined his thoughts about IoT policy issues to watch. He attached his popular presentation about IoT and wearable technologies, helping to make this the top-visited TLF post of 2015.

[T]he Internet of Things finds itself at the center of what we might think of a perfect storm of public policy concerns: Privacy, safety, security, intellectual property, economic / labor disruptions, automation concerns, wireless spectrum issues, technical standards, and more. …[W]hen a new technology potentially touches all of these issues, then it means innovators in that space can expect an avalanche of attention and a potential world of regulatory trouble. Moreover, it sets the stage for a grand “clash of visions” about the future of IoT technologies that will continue to intensify in coming months and years.
]]> https://techliberation.com/2015/12/30/the-10-most-read-posts-of-2015/feed/ 1 75970 Quick Thoughts on FAA’s Proposed Drone Registration System https://techliberation.com/2015/10/19/quick-thoughts-on-faas-proposed-drone-registration-system/ https://techliberation.com/2015/10/19/quick-thoughts-on-faas-proposed-drone-registration-system/#comments Mon, 19 Oct 2015 19:03:33 +0000 http://techliberation.com/?p=75907

DroneToday, the U.S. Department of Transportation and the Federal Aviation Administration (FAA) announced that it will soon require Unmanned Aircraft Systems (UAS) or private drones, used for both personal and commercial purposes, to be registered in a national database. To facilitate this process, the agencies announced the creation of a new federal task force that will develop recommendations for a UAS registration process. Rules are to be published by November 20th (presumably to cover new devices sold before Christmas).

Here are some quick initial reactions on the proposed registration rules:

  • The FAA is a creating a ‘show-us-your-papers’ regulatory regime for average Americans who own drones. Forcing all of us to register our devices with the authorities in a national drone owner’s database raises clear civil liberties concerns.
  • Americans are generally opposed to the idea of registering their technologies and a ‘DMV for Drones,’ which isn’t likely to be run any more efficiently than existing government registration systems.
  • Moreover, by demanding that all drones be registered, the FAA is opening the door to a potentially far greater regulatory threat since drones are, in essence, flying computers. We don’t have federal registration systems for computers or cameras, and we shouldn’t have such a regulatory regime for private drones.
  • It’s not unclear how the agency plans to enforce against existing users, but in response to a question at the press conference announcing the new rules, the head of the DOT said that the task force would determine how to enforce registration retroactively for existing drone owners. So apparently they will be brought under the new rules.
  • Mandatory registration of all drones also might raise some First Amendment-related issues for journalists, too, depending on how the FAA enforces its regulations. A government drone database could intimidate reporters (or potentially even private individuals and organizations) and make it harder for them to engage in whistle-blowing activities with the aid of drones.
  • Because of these problems, I would not be surprised if the FAA’s new drone registration regime leads to a rise in acts of technological civil disobedience among average Americans, many of whom will actively oppose such heavy-handed tactics and the creation of yet-another federal database of their private information.
  • Of course, it could be that the FAA handles objections by creating a long list of carve-outs and exemptions from the new database requirements. In fact, in the press release announcing the formation of the task force, the agency said that the task force “will advise the Department on which aircraft should be exempt from registration due to a low safety risk, including toys and certain other small UAS.” That could take some of the pressure off, but only by creating an even more convoluted regulatory regime.
  • Finally, as an administrative matter, the way the FAA to pushing hard to ram this all through before Christmas has led them to believe that they can just skirt the law in the process. As Marc Scribner of the Competitive Enterprise Institute notes, the agency “will likely be in violation of two different federal laws: the FAA Modernization and Reform Act of 2012 and the Administrative Procedure Act.” Read Marc’s full post for the details, but in a nutshell, the FAA cannot simply throw out standard operating procedures in terms of federal rule-making guidelines simply because they wish to suggest that there is some sort of imminent threat to public safety here. The real danger comes not from unregistered drones, but lawmakers and regulators who believe they can suspend the rule of law and ignore administrative accountability when it suits their desires.

The Mercatus Center at George Mason University has published several reports and agency filings discussing the problems associated with the regulation of private and commercial drones. Most recently, Mercatus filed comments with the FAA as part of it proceeding on “Operation and Certification of Small Unmanned Aircraft Systems.”

Additional Reading:

]]> https://techliberation.com/2015/10/19/quick-thoughts-on-faas-proposed-drone-registration-system/feed/ 3 75907 White House Support for Strong Encryption Could Discourage Digital Protectionism https://techliberation.com/2015/10/09/white-house-support-for-strong-encryption-could-discourage-digital-protectionism/ https://techliberation.com/2015/10/09/white-house-support-for-strong-encryption-could-discourage-digital-protectionism/#comments Fri, 09 Oct 2015 14:57:38 +0000 http://techliberation.com/?p=75859

This Wednesday, TechFreedom joined Niskanen Center and a coalition of free market groups in urging the White House to endorse the use of strong encryption and disavow efforts to intentionally weaken encryption, whether by installing “back doors,” “front doors,” or any security vulnerabilities into encryption products.

The coalition letter concludes:

We urge your Administration to consider the full ramifications of weakening or limiting encryption. There is no such thing as a backdoor that only the US government can access: any attempt to weaken encryption means making users more vulnerable to malicious hackers, identity thieves, and repressive governments. America must stand for the right to encryption — it is nothing less than the Second Amendment for the Internet.

The White House’s silence on encryption is deafening,” said Tom Struble, Policy Counsel at TechFreedom. “The President’s hitherto failure to endorse strong encryption has given ammunition to European regulators seeking to restrict cross-border data flows and require that data on EU citizens be stored in their own countries. Just yesterday, the European Court of Justice struck down a longstanding agreement that made it easier for Europeans to access American Internet services. If the White House continues to dawdle, it will only further embolden ‘digital protectionism’ across the pond.”

The letter’s signatories include: Niskanen Center, TechFreedom, FreedomWorks, R Street Institute, Students For Liberty, Citizen Outreach, Downsize DC, Institute for Policy Innovation, Less Government, Center for Financial Privacy and Human Rights, and American Commitment.

]]> https://techliberation.com/2015/10/09/white-house-support-for-strong-encryption-could-discourage-digital-protectionism/feed/ 2 75859 Unintended Consequences of the EU Safe Harbor Ruling https://techliberation.com/2015/10/06/unintended-consequenses-of-the-eu-safe-harbor-ruling/ https://techliberation.com/2015/10/06/unintended-consequenses-of-the-eu-safe-harbor-ruling/#comments Tue, 06 Oct 2015 15:12:58 +0000 http://techliberation.com/?p=75831

The big news out of Europe today is that the European Court of Justice (ECJ) has invalidated the 15-year old EU-US safe harbor agreement, which facilitated data transfers between the EU and US. American tech companies have relied on the safe harbor to do business in the European Union, which has more onerous data handling regulations than the US. [PDF summary of decision here.] Below I offer some quick thoughts about the decision and some of its potential unintended consequences.

#1) Another blow to new entry / competition in the EU: While some pundits are claiming this is a huge blow to big US tech firms, in reality, the irony of the ruling is that it will bolster the market power of the biggest US tech firms, because they are the only ones that will be able to afford the formidable compliance costs associated with the resulting regulatory regime. In fact, with each EU privacy decision, Google, Facebook, and other big US tech firms just get more dominant. Small firms just can’t comply with the EU’s expanding regulatory thicket. “It will involve lots of contracts between lots of parties and it’s going to be a bit of a nightmare administratively,” said Nicola Fulford, head of data protection at the UK law firm Kemp Little when commenting on the ruling to the BBC. “It’s not that we’re going to be negotiating them individually, as the legal terms are mostly fixed, but it does mean a lot more paperwork and they have legal implications.” And by driving up regulatory compliance costs and causing constant delays in how online business is conducted, the ruling will (again, on top of all the others) greatly limits entry and innovation by new, smaller players in the digital world. In essence, EU data regulations have already wiped out much of the digital competition in Europe and now this ruling finishes off any global new entrants who might have hoped of breaking in and offering competitive alternatives. These are the sorts of stories never told in antitrust circles: costly government rulings often solidify and extend the market dominance of existing companies. Dynamic effects matter. That is certainly going to be the case here.

#2) Cross-border digital trade suffers: This conclusion follows from point #1, of course. Writing just before the decision was announced, lawyers as Norton Rose Fulbright’s Data Compliance Report blog noted that if the safe harbor was invalidated, “the impact on the world economy would be immense.” Well, here we are.  Dan Castro of ITIF hopes that EU and US officials can pull back from the brink of this impending disaster and “finish the process of creating a Safe Harbor 2.0 with terms that give comfort to all parties.” I suspect that many tech companies are hoping for the same miracle to occur. But don’t hold your breath. The Europeans have decided that this is the hill that they will die on. They haven’t shown too much interest in preserving an innovative tech market or enhancing global digital trade flows in the past due to heightened concerns about privacy, and there’s no reason to think they will back down now with a more measured approach. Importantly, as I noted in my earlier essay, “How Attitudes about Risk & Failure Affect Innovation on Either Side of the Atlantic,” this trans-Atlantic clash of vision transcends the debate over privacy law. It’s about broader cultural and political attitudes toward risk-taking and disruption. Most leaders in Europe value stability–both economic and cultural stability–more than US officials and citizens. This tension was always bound to reach a breaking point and the Digital Economy and data handling policies is where the you-know-what is finally hitting the fan.

#3) Web Balkanization accelerates: This is just another blow to the idea of a seamless global Internet. But as tech lawyer Tiffany C. Li pointed out on Twitter this morning in response to the decision, while Web pundits decry balkanization in other contexts, many of them seem to be cheering it on in this case because this decision deals with privacy and data regulation, which they favor more regulation of. But you can’t have your cake and eat it to. Indeed, the great irony of so many “Internet freedom” debates today is that pundits absolutely hate the idea of Internet control and Web balkanization… right up until the point where they absolutely love it! Think of this as the tech policy world’s selective morality problem. (I elaborated on these themes in my essays “When It Comes to Information Control, Everybody Has a Pet Issue & Everyone Will Be Disappointed,” and “Copyright, Privacy, Property Rights & Information Control: Common Themes, Common Challenges.”)

//platform.twitter.com/widgets.js //platform.twitter.com/widgets.js //platform.twitter.com/widgets.js //platform.twitter.com/widgets.js

#4) But the big dogs won’t bolt out of Europe: But this should also be another reminder that there are no “John Galt moments” in the world of tech, as some tech libertarians hope. The biggest players won’t pack their bags and head home because there’s still too much money sitting on the table in Europe. Big firms will instead scramble to comply, just as they are trying to do with the so-called Right to Be Forgotten ruling. Of course, this just exacerbates problem #1 already discussed above: The big dogs stay and do their best to comply with the costly regulatory regime while smaller players get crushed by the rules and all the other potential new entrants just stay home.

#5) The decision ignores the real problem: widespread government surveillance: I don’t often find myself agreeing with Cory Doctorow on much, but he gets it exactly right when he notes that, “this doesn’t mean that Europeans won’t be subjected to mass surveillance, including mass surveillance by the NSA.” He elaborates:

If the European Court of Justice wants to end mass surveillance of Europeans, it can only do so by banning mass surveillance — by ruling that laws that treat foreigners’ data as fair game are unconstitutional. If US tech giants want to get loose from a farcical, expensive, and pointless exercise that continues to treat them as adjuncts to the world’s spy agencies, they need to lobby the US government to change the laws under which it treats foreigners as fair game.

Thus, it would certainly be nice if, as CDT suggested in response to the ruling, that the “EU Safe Harbour Ruling Should Reinvigorate Surveillance Reform Efforts.” Of course, that requires that tech companies muster the courage to stand up to public officials here in the States who always want them to (literally) hand over the keys to the kingdom. That’s why the current debate over crypto backdoors is so essential. It’s good to see a number of tech companies pushing back on that front and refusing to get rolled by law enforcement and national security agencies the way that far too many telecom and tech companies have been in the past. Following today’s ECJ ruling, tech companies are realizing just how serious this problem really is because now European officials are striking out against the safe harbor agreement as a surrogate for their general frustrations with US surveillance more generally. Indeed, in a press release following today’s ECJ ruling, the Internet Association, which represents major US tech firms, noted that, “The Internet industry has consistently supported surveillance reform” and the Association pushed for swift congressional action to clarify and limit existing surveillance powers. It remains to be seen whether the US tech sector and other related industries will be able to push back effectively against the growing surveillance state leviathan, but it’s more clear today than ever before why that’s a fight worth having.

]]> https://techliberation.com/2015/10/06/unintended-consequenses-of-the-eu-safe-harbor-ruling/feed/ 2 75831 Tech Policy Threat Matrix https://techliberation.com/2015/09/24/tech-policy-threat-matrix/ https://techliberation.com/2015/09/24/tech-policy-threat-matrix/#comments Thu, 24 Sep 2015 15:52:56 +0000 http://techliberation.com/?p=75757

On the whiteboard that hangs in my office, I have a giant matrix of technology policy issues and the various policy “threat vectors” that might end up driving regulation of particular technologies or sectors. Along with my colleagues at the Mercatus Center’s Technology Policy Program, we constantly revise this list of policy priorities and simultaneously make an (obviously quite subjective) attempt to put some weights on the potential policy severity associated with each threat of intervention. The matrix looks like this: [Sorry about the small fonts. You can click on the image to make it easier to see.]

 

Tech Policy Issue Matrix 2015

I use 5 general policy concerns when considering the likelihood of regulatory intervention in any given area. Those policy concerns are:

  1. privacy (reputation issues, fear of “profiling” & “discrimination,” amorphous psychological / cognitive harms);
  2. safety (health & physical safety or, alternatively, child safety and speech / cultural concerns);
  3. security (hacking, cybersecurity, law enforcement issues);
  4. economic disruption (automation, job dislocation, sectoral disruptions); and,
  5. intellectual property (copyright and patent issues).

I realize that some of these five categories could be sub-divided and refined. I also understand that these five groupings may not encapsulate the full range of potential policy issues out there, but I’ve tried to avoid having too many categories to keep this as conceptually tidy as is possible. However, I might need to add a separate category for civil rights and disabilities-related policy issues eventually. Likewise, “psychological considerations” might deserve its own category because they do not necessarily perfectly fit into either the privacy or safety buckets right now, even though that’s where I have them currently. For example, some privacy activists call for regulation of “big data” and large databases based on fears about how all that data collection makes people feel about themselves. I consider that a privacy-related concern now, but you could imagine that being in a separate category. Meanwhile, there’s long been calls to regulate various types of media content (music, movies, video games, online porn, etc) based on the psychological impact they have on children. Those “media effects” theories have always been considered a child safety issue, which is where I currently have them slotted, but they could probably be its own category that also included concerns about distraction and addiction (which could come to haunt VR technologies in the future).

Anyway, my colleagues and I use this current matrix to help us determine what we should be paying more attention to and what sort of scholarly outputs are needed to address regulatory threats on each front. Generally speaking, this is the portfolio of issues I try to stay on top of full-time at Mercatus as part of our ongoing “Permissionless Innovation” project.

Several people who have seen that matrix in my office tell me I should do something more with it, but I’m not really sure what that something would be. In any event, I thought it might make sense to post it here to give others a feel for the current set of emerging tech policy issues that interest us at Mercatus. I will try to upload new versions of the matrix as that giant whiteboard in my office morphs over time and the list of technologies and regulatory threats changes or grows.

Incidentally, I am often asked to explain the relative weights I’ve assigned to each potential regulatory threat, so I will try to justify some of those rankings here briefly. (Again, it’s all quite subjective and I’m always open to hearing the case for tweaking the rankings.)

  • Big Data / Online Marketing / the Internet of Things (IoT): Privacy is the #1 policy threat for these sectors. From a public policy perspective, what unifies these technologies is a growing concern about how expanding private sector data collection efforts could affect our privacy or reputations. We’ve already seen a flurry of legislative and regulatory activity here in the U.S. aimed at placing restrictions on data collection or use. And it goes without saying that other countries, especially in Europe, already impose a wide variety of controls on data collection in the name of privacy protection. There also exists a variety of closely-related security concerns here. But the rise of IoT technologies have introduced safety concerns into the mix in a major way, too. That’s especially true because of the large number of Big Data services and IoT devices that are health and medical related.  Taken together, this is the issue set I spend the majority of my time covering because the privacy and security implications of a data-driven economy already occupies the attention of countless regulatory activists and public policymakers across the globe. I think that will continue to be the case for many years to come.
  • Robotics: Safety concerns tend to be the biggest driver of calls for regulation of robotic and autonomous technology. For example, new laws and regulations are already being proposed for driverless cars based on fears about the hacking of connected vehicles. And commercial drones attract policy attention based on safety-related concerns such as whether a drone could strike an airplane, or even just fall on our heads. Proposals have been floated to mandate the equivalent of DRM for drones, which would force drone innovators to embed federally-approved technological controls into their systems designating where they are allowed to fly. Even if most of these concerns are overstated or are currently being dealt with, we can expect more safety-related policy proposals for robotic tech in coming years.  Economic concerns would be a close second here due to the increasing worry that robots will eat all our jobs. At least so far, however, that concern has tended to be more of an academic nature rather than a public policy consideration. And it remains unclear what the policy prescription would be in this regard without becoming a neo-Luddite, “smash-the-machines” sort of proposal. That could change in coming years, however. It all depends on the labor market situation over time. Meanwhile, academics are floating the idea of a Federal Robotics Commission to provide greater policy “expertise” in the form of yet another technocratic Beltway bureaucracy.
  • Additive manufacturing / 3D printingSafety is probably the #1 concern here, although depending on what type of 3D-printed object we are talking about, it could be the case that intellectual property concerns will be a bigger driver of calls for regulatory intervention. A lot of the policy-related concerns around 3D printing today are being driven by worries over things like 3D-printed guns. That’s mostly a safety concern, of course. But it we are talking about the replication of branded commercial objects (3D-printed toys or other things, for example), then IP tends to be the bigger concern. The question of product liability also looms large here and it remains unclear how claims might be sorted out when there are fewer large, deep-pocketed intermediaries to go after in a world of decentralized production. Hopefully, those liability norms will be left to the courts and common law to sort out over time, but I wouldn’t be surprised to see more calls for preemptive legislative interventions here in both directions: i.e., some will call legislators to impose greater liability on certain parties while others will push to immunize intermediaries from punishing forms of liability for the downstream actions of others (like a Sec. 230 norm for 3D printing).
  • Medical tech innovation: It goes without saying that traditional safety concerns will drive policy for advanced medical technologies, just as they have for earlier drugs, devices, and treatments. As software continues to “eat the world” and invade the world of health and medicine, regulators are increasingly going to be trying to figure out how to pigeonhole new technologies into old regulatory constructs. That’s why I have been watching how the FDA continues to deal with 3D-printed prosthetics and mobile medical apps on our smartphones. Eventually, the continuing decentralized democratization of 3D printing (driven by rapidly falling costs) will collide with old medical device regulatory realities and a century’s worth of FDA command-and-control style regulation. Oh my, what a fight that will be! And then chemical printers will become more widespread and this issue will get even more intense. The policy fight here is even more interesting because of all the thorny ethical issues pertaining to the rise of embeddable technology, biohacking, and genome innovation. I have a feeling that my policy portfolio will shift rapidly in this direction in coming years as the modern info-tech revolution spreads to the world of medicine and health. I already have two new papers coming out on these issues in the next few weeks.
  • Sharing economyEconomic disruption is clearly the big policy issue here. Specifically, many policymakers and incumbent industries aren’t very happy about new entrants coming into their sectors and offering consumers services without strictly complying with traditional regulations. But safety issues often pop up in these debates when regulators or advocates claim we can’t trust sharing economy operators. What’s particularly interesting about this space is how these policy battles are playing out at almost every level of government: federal, state, local, and international. At least thus far, sharing economy innovators tend to be winning most of those battles. But the fight continues.
  • Crypto & Bitcoin: I think safety would probably be the biggest issue here, in the sense that policymakers fear a world of unregulated crypto and decentralized blockchain applications are a world in which the “bad guys” will be able to use those technologies to harm the public in some fashion. We’ve heard this all before, of course, but (going all the way back to the Clipper Chip wars) you can always bank on law enforcement officials resorting to Chicken Little claims about terrorists and child predators thriving in a world of unregulated crypto. In many ways, this is the most important of all these policy fights because if the government can regulate crypto and blockchain technologies, it severely undermines the fabric of almost all the other technologies and platforms discussed herein. This is why the current debate over government-mandated “backdoors” is so important; it has profound ramifications for every other tech regulation debate that follows.
  • Immersive Tech (VR and augmented reality): This is an amorphous and evolving area that I am getting increasingly interested in, but the policy issues here have yet to come into clear focus. However, when Google Glass was launched, there was a brief technopanic of sorts over its privacy and security ramifications. Those concerns have subsided a bit as Google Glass has seemingly faded away (probably because of its high price point more than because of its privacy concerns), but I suspect that future iterations of augmented reality technologies will raise similar concerns. That will especially be true as more sophisticated biometric (and facial recognition) capabilities are integrated into them. Academics are already wondering how to enforce “notice and consent” privacy norms and rules in a world where everyone is wearing miniature body cams and heads-up displays in their sunglasses. I’m not sure it’s even possible, but that debate will continue and include all sorts of calls for technological controls. OK, that’s augmented reality, but what about virtual reality technologies? I think safety concerns could drive some policy proposals as critics grow concerned about the psychological implications of people (especially kids) spending more and more time in immersive virtual worlds. In that sense, we might see a replay of the earlier debate over violent video games and/or video game addition. But it remains to be seen.

Incidentally, I use this matrix and provide more context to it in my big presentation on “Permissionless Innovation & the Clash of Visions over Emerging Technologies.” [It’s embedded below.] And I discuss most of these issues in more detail in my book, Permissionless Innovation: The Continuing Case for Comprehensive Technological FreedomI am in the process of finishing up the second edition of that book and will be expanding the case studies about the issues discussed above. Finally, I discussed many of these policy threats during my recent appearance on the Andreessen Horowitz podcast.

Update 10/2/15: For another take on various new technology trends and the potential policy issues they raise, check out this report from the World Economic Forum, Deep Shift: Technology Tipping Points and Societal Impact. The WEF report identifies 21 technology “shifts” and then groups them into six “mega-trend” categories. Almost all these issues are on my matrix above, but the WEF report provides some nice additional context on why each technology trend will be so disruptive.

]]> https://techliberation.com/2015/09/24/tech-policy-threat-matrix/feed/ 2 75757 The Challenge of Defining Privacy Harm https://techliberation.com/2015/06/19/the-challenge-of-defining-privacy-harm/ https://techliberation.com/2015/06/19/the-challenge-of-defining-privacy-harm/#respond Fri, 19 Jun 2015 18:12:30 +0000 http://techliberation.com/?p=75593

On Thursday, it was my great pleasure to participate in a Washington Legal Foundation (WLF) event on “Online Privacy Regulation: The Challenge of Defining Harm.” The entire event video can be found on YouTube here, but down below I pasted the clip of just my remarks. Other speakers at the event included:  FTC Commissioner Maureen K. Ohlhausen, Commissioner; John B. Morris, Jr., the Associate Administrator and Director of Internet Policy athe U.S. Department of Commerce’s National Telecommunications and Information Administration; and Katherine Armstrong, Counsel at the law firm of Hogan Lovells. Glenn Lammi of the WLF moderated the session.

My remarks drew upon a few recent law review articles I have published relating digital privacy debates to previous debates over free speech and online child safety issues. (Here are those articles: 1, 2, 3).

]]> https://techliberation.com/2015/06/19/the-challenge-of-defining-privacy-harm/feed/ 0 75593 New Filing & Working Paper on the Regulation of the Sharing Economy https://techliberation.com/2015/05/26/new-filing-working-paper-on-the-regulation-of-the-sharing-economy/ https://techliberation.com/2015/05/26/new-filing-working-paper-on-the-regulation-of-the-sharing-economy/#comments Tue, 26 May 2015 17:41:04 +0000 http://techliberation.com/?p=75562

Along with colleagues at the Mercatus Center at George Mason University, I am releasing two major new reports today dealing with the regulation of the sharing economy. The first report is a 20-page filing to the Federal Trade Commission that we are submitting to the agency for its upcoming June 9th workshop on “The “Sharing” Economy: Issues Facing Platforms, Participants, and Regulators.” We have been invited to participate in that event and I will be speaking on the fourth panel of the workshop. The filing I am submitting today for that workshop was co-authored with my Mercatus colleagues Christopher Koopman and Matt Mitchell.

The second report we are releasing today is a new 47-page working paper entitled, “How the Internet, the Sharing Economy, and Reputational Feedback Mechanisms Solve the ‘Lemons Problem.'” This study was co-authored with my Mercatus colleagues Christopher Koopman, Anne Hobson, and Chris Kuiper.

I will summarize each report briefly here.

In our new filing to the FTC, we address the five questions the Commission set forth in its workshop annoucement. Those five questions are as follows:

  • How can state and local regulators meet legitimate regulatory goals (such as protecting consumers, and promoting public health and safety) in connection with their oversight of sharing economy platforms and business models, without also restraining competition or hindering innovation?
  • How have sharing economy platforms affected competition, innovation, consumer choice, and platform participants in the sectors in which they operate? How might they in the future?
  • What consumer protection issues—including privacy and data security, online reviews and disclosures, and claims about earnings and costs—do these platforms raise, and who is responsible for addressing these issues?
  • What particular concerns or issues do sharing economy transactions raise regarding the protection of platform participants? What responsibility does a sharing economy platform bear for consumer injury arising from transactions undertaken through the platform?
  • How effective are reputation systems and other trust mechanisms, such as the vetting of sellers, insurance coverage, or complaint procedures, in encouraging consumers and suppliers to do business on sharing economy platforms?

We provide detailed answers to each of these questions as well as one additional major question that was not posed by the Commission in its workshop notice but which is, no doubt, on the minds of many at the agency and outside it: What should the FTC do about state and local barriers to entry and innovation that might be thwarting the growth of the sharing economy? (I blogged about that issue here a couple of weeks ago and our filing includes that discussion.)

Please take a look at our filing for detailed answers to each of these questions. (Incidentally, our filing is an extension of an earlier working paper that Koopman, Mitchell, and I released late last year on “The Sharing Economy and Consumer Protection Regulation: The Case for Policy Change.”) But, to briefly highlight the thrust of our argument, here’s a passage from our new filing:

As the debate surrounding the sharing economy moves forward, policymakers must keep in mind that merely because regulations were once justified on the grounds of consumer protection does not mean they accomplished those goals or that they are still needed today. Even well-intentioned policies must be judged against real-world evidence. Unfortunately, the evidence shows that many traditional consumer protection regulations hurt consumers; in the words of New York Attorney General Eric Schneiderman, they are often “cumbersome, and some are just plain protectionist.” Markets, competition, reputational systems, and ongoing innovation often solve problems better than regulation when they are given a chance to do so. There are two reasons for this. First, market imperfections create powerful profit opportunities for entrepreneurs who are able to find ways to correct them. Second, regulatory solutions too often undermine competition and lock in inefficient business models.

We continue on to explain exactly why that is the case, while also offering some constructive solutions to other issues that are on the minds of regulators.

Meanwhile, the new working paper we are releasing today provides much greater detail on the fifth of the five questions the FTC posed in its workshop notice regarding reputation systems and other trust mechanisms. Here is the abstract from the paper:

This paper argues that the sharing economy—through the use of the Internet and real time reputational feedback mechanisms—is providing a solution to the lemons problem that many regulators have spent decades attempting to overcome. Section I provides an overview of the sharing economy and traces its rapid growth. Section II revisits the lemons theory as well as the various regulatory solutions proposed to deal with the problem of asymmetric information. Section III discusses the relationship between reputation and trust and analyzes how reputational incentives affect commercial interactions. Section IV discusses how information asymmetries were addressed in the pre-Internet era. It also discusses how the evolution of both the Internet and information systems (especially the reputational feedback mechanisms of the sharing economy) addresses the lemons problem. Section V explains how these new realities affect public policy and concludes that asymmetric information is not a legitimate rationale for policy intervention in light of technological changes. We also argue that continued use of this rationale to regulate in the name of consumer protection might, in fact, make consumers worse off. This has ramifications for the current debate over regulation of the sharing economy.

We believe that our research makes it clear “how the sharing economy relies upon—and has helped spur the growth of—sophisticated reputational feedback mechanisms that facilitate online trust and commerce, overcoming many of the information asymmetries that seemed intractable… just a generation ago. In combination with online review services and other information-sharing technologies enabled by the Internet,” we conclude, “these reputational tools can help create more effective, and largely self-regulating, markets that provide more information to more individuals than ever before.”

We look forward to continuing engagement with officials at the FTC and other policymakers at the federal, state, and even international level on these issues. We hope our research will help legislators and regulators find sensible ways to adjust policy for the sharing economy so as not to derail the sort of “permissionless innovation” that has thus far powered this exciting sector and produced the many pro-consumer benefits flowing from it. Check out our filing and new paper for more details.

]]> https://techliberation.com/2015/05/26/new-filing-working-paper-on-the-regulation-of-the-sharing-economy/feed/ 1 75562