What are digital products? (P1)

Share

So much product safety and liability thinking hinges on the acceptance of the idea of digital products. Here is my latest thinking on them. (this is a highly edited version of a section of this paper: https://www.hks.harvard.edu/centers/carr-ryan/publications/product-safety-playbook-digital-age) I look forward to your comments on this proposed definition.

In writing on this topic, I will distinguish between digital and non-digital products. I don’t use the term “physical products” as the complement to digital products, as physical embodiment is not a clear distinguishing line between digital and non-digital products. I will also sometimes reference “mechanical products” as a subclass of non-digital products; mechanical products include any mechanical product that was produced without a computer and connectivity.

Interlude: Cars as Mechanical and Digital Products
It is instructive to look at automobiles as an example. Computers were first used in automobiles in the late 1960s/early 70s for use in controlling fuel injection and ignition timing, but as I define digital products below, these early applications of computers in cars don’t qualify as digital products. In the late 1990s, vehicles began to have wireless networking/connectivity, and this is a better proxy for the period when cars evolved from mechanical products to digital products. So, when the 1960 Corvair product design was proven to be flawed , endangering drivers and passengers, it was a case of demanding product safety for a mechanical product (i.e. cars) (Nader, 1965).

Products are things made available for consumer use by product-makers. This definition makes no distinctions about the type of business entity or individual who made the product; it can be a for-profit entity, a non-profit entity, a government, or an individual in their garage. The definition also doesn’t distinguish between a free product versus a paid-for product.

A key difference between digital and non-digital products is the ease of commercial deployment of digital products. The maker of a digital product needs only to create a single working version of a product; she needs not to be concerned about mass production at all (unlike physical products). Her distribution concerns are also minimized in comparison to physical products: mobile apps are mainly only available through mobile app stores (from Google and Apple). And if she wants, she can make her digital product freely and openly available for use {and further modification) via open-source platforms such as Github (owned by Microsoft). There are additional differences between the commercialization of digital products versus non-digital products which will be discussed in a later publication.

Digital Product Characteristics

Digital products differ from non-digital products due to the presence of three capabilities: (1) software-driven, (2) internet-connected, and (3) human-device interaction.

1.      Digital products are software-driven, meaning that the product includes and is animated by software. This is a crucial difference that must be addressed by product safety for the digital age: digital products behave autonomously, due to the inclusion of software. Non-digital products move, and some have immutable mechanical behaviors (e.g. the self-crashing 1960 Corvair (Nader, 1965)). Software is the key ingredient that causes an inanimate product to be animated and to have a wide variety of independent behaviors.

  • Software needs a hardware platform: Software requires a substrate; there is always a hardware platform involved.
  • Some software is infrastructure: We might be inclined to think of software as a multi-component product built from third party “parts”, but is this a correct view? Because virtually all software today is connected (point number three below), it is more accurate to view some software as infrastructure. Indeed, large language models and their massive computing power and high development costs are more like infrastructure than just a software “component”, though still behave as a software component. Software infrastructure has a kind of persistent, independent existence, separate from the application developer, on which the product depends. Note that infrastructure isn’t exempt from product safety demands.

2.      Digital products are wirelessly internet-connected. Internet connectivity provides the capability for constant, near real-time, bi-directional information exchange. On the plus side, this enables products to be updated in the field with virtually no user interaction. On the downside, these products have the capacity for constant user surveillance, collecting and uploading location information and user behavior information to name just a couple of the types of personal information that are commonly stockpiled and monetized by manufacturers. Note that the prevalence of wireless routers and short-range wireless networking protocols (such as Bluetooth and Near-field Communication (NFC) protocols) is a crucial part of the adoption and riskiness of digital products. For those of us who remember the pain of early twisted pair [i.e. landline telephone] based modem connectivity. Imagine a world where wireless connectivity was never invented. Digital products would be a totally different ball game than what we experience today.

  • Internet connectivity requires infrastructure. The pervasive availability of internet connectivity required the buildout of infrastructure. So accustomed to the availability of internet connectivity, especially as provided wirelessly, it appears as common as air to us today, but there is a massive worldwide deployment of routers, undersea cables, radio towers, computers, and data centers. All of these are powered and sustained through mostly commercial—not public—entities with their own profit motives.

3.      Digital products interact with humans and/or are configurable by the human user of the technology. Digital products interact with the human user of the technology, through one or more built-in modes of communication (a screen, physical button(s), a speaker, a microphone, etc.). There are some products like sensors that require a separate device for configuration[1]. An analogy with non-digital tools might be the grips or handles on a physical product: human usage is designed into the product.

A product must exhibit all three of these capabilities to be regarded as a digital product. Increasingly, even “dumb” products are being enhanced to include these three capabilities. For instance, a Bluetooth-enabled home pregnancy test was available for purchase in 2016 (Mlot, 2016).

There is a vital fourth characteristic of digital products that is inextricable from digitization itself and the presence of the first three characteristics and that is:

4.       “Packaged information” or “packaged content”.

If software is the brain and nervous system, interaction is sensory perception, and connectivity is communication or language, then information is the life’s blood of digital products, the digital product exists to manage the blood supply. [This might be too forced a metaphor, in retrospect.] A digital product is architected around a digitized representation of the world; it performs the capture, presentation, and two-way transmission of packaged information. One might be tempted to characterize this fourth property as emergent from the three necessary functionalities described above, but this is incorrect. It is, in fact, the original design objective of digital products and it is inseparable from the bundle of the three capabilities built to achieve the aim of information transmission. All digital products are information processing products.

As will be seen, each of these four characteristics of digital products usher in novel harms, distinct from the safety risks in non-digital products (examined in detail in a later publication).

Table 1 summarizes the four characteristics of digital products.

Table 1: The Marks of Digital Products

Function Name

Capabilities

Risks

Created & controlled by

Governed by

Software-driven

Operational logic & automated decision-making; data collection & derivation; data sharing;

·         Acts without human control.

·         Increasingly  complex, non-deterministic, unpredictable.

·         Innately opaque.

Manufacturer and all chosen third parties.

Privacy laws

Connectivity

Two-way communication between the digital product, the first party and all third-parties.

·         Facilitates consumer surveillance.

·         Facilitates sharing of packaged information with unintended, unexpected, and unwanted entities.

Manufacturer.

Privacy laws

Interactive

Increasingly multi-modal and human-like interaction between the digital product and the user.

·         Deliberately manipulative product design (incl user interface)

·         Prioritizes manufacturer’s objectives over human user’s needs; subverts user’s intentions

·         Deliberately addictive

 

Manufacturer.

Privacy laws (weirdly)

Packaged Information

Text, image, video, audio, source code, etc.

Created by: users, generative AI (synthetic content), commercial entities

 

·         Toxic content

·         Age-inappropriate content

·         Counterfeit/deep fakes

·         Disinformation

·         Misinformation

 

Manufacturer.
Generative AI.

Digital Product users.

·         Copyright laws,

·         Obscenity, CSAM, CDA Section 230, FOSTA-SESTA

·         State laws

·         State AADC laws re: adult subject matter

Digital Product Ingredients

In “The Laws of Thought: The Quest for a Mathematical Theory of the Mind” (Griffiths, 2026) cognitive scientist Tom Griffiths describes a thought experiment he gives to his students. They are to imagine a novel object [which is somehow obviously an information processing device] and articulate how they would figure out how the device works without destroying or disassembling the object. Griffiths proposes that there are three domains for assessing how the information processing device works:

  1. Physical structure of the device
  2. Internal processes within the device
  3. Functional behavior of the device

These are also the three facets of concern when it comes to understanding potential risks in digital products. Note that assessing internal processes within the object is referred to as white box testing (or clear or glass box testing). For digital products, the manufacturer is virtually the only entity situated to perform this kind of assessment. Assessing the functional behavior of a digital product is called black box testing.  The work at Internet Safety Labs (ISL) (and the labels at https://appmicroscope.org) utilize primarily black box testing methods to determine the “ingredients” of a digital product and the behavioral risks in a product.  

The “physical structure of the object” is the facet that needs the most work, especially since many digital products are not embodied in distinct physical packaging. From our work at ISL, I propose that, aside from any physical housing, digital products are comprised of three key “ingredients”: (1) 3rd party data processors, (2) personal information of users, and (3) packaged information.

Digital Product Ingredients

  1. Many 3rd party software components (aka data processors).
  2. Personal information of all users and potential users of the digital products. Personal information is obtained by the manufacturer from four sources:
  • Volunteered by the user [including communication in communication products]
  • Observed by the manufacturer; e.g. analytics collected while the user uses the digital product
  • Derived by the manufacturer and/or third parties
  • Purchased by the manufacturer and/or third parties.
  1. Packaged content: this is as described earlier and can be:
  • Content created by digital product users, such as on a social media platform, or
  • Commercially created content, such as in video streaming platforms, eBooks, marketing materials, etc.
  • An important subclass of commercially created content is synthetic content produced by so-called generative AI digital products.

Figure 1 depicts the three ingredient types and how they relate to well-known privacy and protected speech concerns.

Figure 1: Digital product ingredients

Digital Product Architecture

Another difference between digital and non-digital products is understanding where digital products begin and end.

In March 2024, the US Federal Communications Commission published a call for comments on proposed rulemaking for an IoT cybersecurity label (FCC, 2023). A substantial point of discussion concerned “eligible devices or products” and the scope of a device:

“For such purposes we could define an IoT product consistent with the NIST definition as follows: An IoT device and any additional product components (e.g., backend, gateway, mobile app, etc.) that are necessary to use the IoT device beyond basic operational features. We seek comment on this proposed definition of an IoT product eligible for an IoT label.” (FCC, 2023)

In other words, where did the IoT product begin and end? The scope of the digital product is not just the boundary of the IoT hardware device, it is everything involved in determining the behavior of the product. After processing the comments, the FCC determined to use the original baseline definitions from the NIST IR 8425, “Profile of the IoT Core Baseline for Consumer IoT Products” (NIST, 2022)

IoT device:  Devices that have at least one transducer (sensor or actuator) for interacting directly with the physical world and at least one network interface (e.g., Ethernet, Wi-Fi, Bluetooth) for interfacing with the digital world.
IoT product: An IoT device or IoT devices and any additional product components (e.g., backend, mobile app) that are necessary to use the IoT device beyond basic operational features.
IoT product component: An IoT device or other digital equipment or service (e.g., backend, mobile app) used to create IoT products.

In the early years of commercial software development, software was largely written strictly in-house. Software developers did not have access to vast open-source libraries, or hundreds of commercial software development kits (SDKs) and application programming interfaces (APIs) at the ready to be integrated into software. But in today’s world, digital products contain multitudes.

When it comes to digital products, the boundaries of the product can in fact have a global footprint. One study from 2019 found that on average, Android apps include 18.2 SDKs—that is 18.2 third-party software components (Gontovnikas, 2020). ISL found that the number of SDKs fails to accurately reflect how many third-party companies communicate with apps; some apps (namely, those with behavioral ads) communicated with an additional 33.7 third-party companies (ISL, 2024b).  Figure 2 below illustrates how a single digital product can include many third-party software “components”. Though not all depicted, hundreds of third parties are involved when a person uses a web page in the browser or an app on a mobile device.[2]

Figure 2: The elusive boundaries of digital products

Other Observations About Digital Products

It is worth underscoring that digital products require a hardware platform on which to run, because some digital products like apps and websites feel like there’s no physical platform, but of course, they run on personal computers and smart phones as apps or via the browser. This likely contributes to the feeling that they are not products.

As noted earlier, digital products also exhibit another peculiarity in that the adoption and penetration rate of certain categories of digital products is inexorably tied to the rate of hardware platform adoption, as is the case for mobile applications (“apps”) and websites. The former required sufficient adoption of smart phones, and the latter required widescale adoption of both personal computing devices and browsers.  The idea of an “application ecosystem” is an important product strategy in digital products. Ecosystems are a kind of holy grail to the owner or controller of the ecosystem (for instance Apple and Google and their app stores). Successful ecosystems provide large volumes of recurring revenue for the ecosystem controller at little incremental cost. Thus, their universal appeal.

One final noteworthy characteristic of digital products is that once there is sufficient penetration of hardware platforms, the market for applications can be lightning-fast and unbounded in a way that is not possible for physical products. Apps can gain substantial market penetration virtually overnight. TikTok, launched in 2016, went from zero subscribers to 2.1 billion users in nine years (Winter, 2024), with US subscriber growth rate of nearly 90% in 2019, only three years after initial product launch (Ceci, 2024) and ChatGPT 3.0 grew to 100M users just two months after launch (Hu, 2023).

Types of Digital Products

There is a wide and ever-growing variety of digital products. Table 2 provides a list of representative digital products, sorted by how integrable to humans they are, starting with the least to the most internalized. The products are organized in this way because product safety risks tend to be more impactful the more integrable the product.

Table 2 Digital Products

DIGITAL PRODUCTS

THINGS WE USE

Computers

Mobile Phones

Vehicles

Smart TVs

AV equipment

Household appliances

Smart home equipment

Apps

Video Games

Social Media

THINGS WE WEAR ON/IN OUR PERSON

Smart watch

Medical devices

Smart glasses

THINGS WE CONSUME

Digital Media

Digital News

Digital Education

Digital Conversations, Discussions

The Unbearable Reductivism of Digitalization

There is one final aspect of digital products that bears mentioning: the reduction of people, places, and things to digitized representations of themselves. All information borne by digital products are digital reproductions of real-world things, and digitization is by design lossy, meaning that it is a model or representation of something. It is the map and not the terrain.[3] Digital resolution depends on the capabilities of both the resolution of the digitization (the media) as well as the rendering capabilities of the media player hardware and software. A 4K resolution video will not render 4K quality media on a television incapable of playing 4K video, but if we are not aware that the limitation is in the device and not the digitized media, we misunderstand the nature of the situation. In general, digitization can be a poor facsimile of the real world and its inhabitants.

 

 


[1] Amazon Echo Dot is another popular example of a device that doesn’t have a screen and is configured via a separate mobile app.

[2] This number comes from: (1) all the third-party entities in the device’s firmware and native software, and (2) the third parties involved in the app or website.

[3] John Cheney-Lippold examines the many costs associated with the lossy, industry-defined reductions of information and people in his book, “We Are Data: Algorithms and the Making of Our Digital Selves” (Cheney-Lippold, 2017).

Read more