What's Wrong with Current Attempts at Governing Digital Products?
I am not a lawyer, nor do I play one on TV. Neither am I a policy expert. I am a digital product expert, however, and have thoughts on the current state of attempts at governing digital products. Starting with:
Problem #1: Current attempts don't actually govern digital products.
Most of the attempts at governing digital products spend more time "governing" [and I use the term loosely] the behavior of manufacturers of digital products and precious little time governing either digital product ingredients or behavior. Historically, laws govern the behavior of individuals and organizations, and that appears to be the "happy place" for policymakers. Product safety laws were the first to govern the behavior of products, and we see it in regulation of drugs, chemicals, and mechanical products.
Most of the regulations around digital products today govern the behavior of organizations that build digital products and not the behavior of the products themselves. We have found in our research at ISL (Internet Safety Labs) that corporate behavior isn't a guarantee of safe digital products. The example I use is that a company can claim to follow Privacy by Design principles and still deliver leaky by design digital products.
In the earliest days of ISL (circa 2019), our mission was to establish an organizational Code of Practice. We also started off assessing consumer risks by evaluating privacy policies. We did exactly two of these time-consuming and expensive assessments before we realized that the privacy policies were flawed: inaccurate and designed to protect the manufacturer not the consumer. We got about as far with the Code of Practice before we realized that we didn't want to be in the business of auditing corporations. As software experts, we wanted to focus on auditing digital products.
Because digital products can behave, they can harm.
So we quickly pivoted to focusing our energies on developing methods to assess the riskiness of digital products--both their ingredients and their behavior (see this post for more information on digital product behaviors and ingredients).
Problem #2: Laws aren't being written by people with deep technical understanding of digital products.
Late last year we started to map definitions across various AI laws, and recently I did the same with digital product safety laws in the EU. The terms simply don't match up. The AI definitions are more than just inconsistent though, they are also woefully imprecise, which in turn, hampers enforceability.
Problem #3: The laws don't include viable and meaningful enforcement.
Many legal experts have asserted that we don't need more or new laws to govern digital products, we just need to apply and enforce the laws we have. There's deep truth in this. We seem to be floundering on the enforcement side.
This problem relates to both previous problems. If the laws orient more around organizational behavior than digital product behavior (Problem #1), enforcement of corporate behavior is muddier and more slippery than empirical measurement of product behaviors. Laws that mandate digital product behavior (and ingredients) are starting to also mandate independent product audits. In the coming years, this will become the norm. But for now, lawmakers are struggling with the practicalities of the audits (cost, expertise, resources, content of audits, etc.), and since it's new territory, costs aren't well understood.
Relating to Problem #2, we should be bringing more independent technologists [i.e. not affiliated with manufacturers] to the policymaking tables because we should be figuring out how to apply technology to the problem of enforcement at scale. In a recent rant, I observed that privacy laws grant manufacturers a ridiculously generous amount of time to respond to consumer data requests. California law, for instance, allows the manufacturer 45 days to respond. I don't understand why we aren't mandating an instantaneous [technology-assisted] response. It's remarkable how manufacturers can, on one hand, claim that the wonders of "AI" can automate coding and replace workforce and then on the other hand, when it comes time for law-making, suddenly behave as if they've got human workers trundling paper files by wagon train across continents to respond to customer data requests. Policymakers are too easily convinced by the "hardships" presented by digital product manufacturers and their lobbyists and they rarely have technologists on staff to call BS.
If you've read anything in this blog, you already know that my thesis is: the adaptation and application of product safety demands to digital products will, from a technology governance perspective, be more effective and efficient in the long run. The more we play technology governance whack-a-mole with a proliferation of state chatbot laws, privacy laws, dark pattern laws, AI laws, and AADC laws the more it feels like policy theater: chalk up a seeming "W" with another law, never mind if it's redundant, weak, inconsistent [with other laws], unenforceable, insufficiently funded, or merely impractical.
I remain as staunchly consumer protection oriented as ever, but could digital product safety framing actually benefit both industry and consumers in the long haul?