Regulating Digital Technologies
A Declaration of the Independence of Cyberspace - John Perry Barlow
Hypernudge Big Data as a Mode of Regulation by Design - Yeung
Law and Borders - The Rise of Law in Cyberspace
Nodes and Gravity in Virtual Space - Andrew Murray
Nudge Improving Decisions About Health, Wealth, and Happiness - Thaler and Sunstein (Chapters 1-5)
Nudge and Manipulation of Choice - Hansen and Jespersen
Understanding Regulation: theory, strategy and practice (chapters 1-3, 7-8, 13)
What Larry Doesn’t Get Code, Law and Liberty in Cyberspace - David Post
Collection of class notes
By regulation, we mean regulation that tries to regulate behavior:
- It is an attempt to let persons behave in certain (desirable) ways or prevent them from behaving in certain (undesirable) ways
- Behavior of both natural persons and legal persons
- Regulation of behavior of robots and AI?
→ Narrow approach: a specific set of commands - command and control → Broader approach: deliberate state influence (all state actions designed to influence behavior) → Broadest approach: all forms of social or economic influence (all mechanisms that affect behavior, whether state-based or from other sources. Both intentional and unintentional effects)
Desirable behavior depends on perspective: legislators’ perspective, parliaments’ perspective, companies’ perspectives, users’ perspectives, etc.
Command and Control Regulation (CAC) The legal approach Laws backed by sanctions Direct regulation By legislation State what is permitted and what is illegal Focus on compliance, enforcement and consequences/sanctions
Command and Control Regulation (C&C) (narrow approach)
Command and Control Regulation is regulation through laws backed by sanctions.
- Direct regulation made through legislation
- States what is permitted and what is illegal
- Focus on compliance, enforcement and consequences/sanctions
“The strengths of C & C regulation (as compared to techniques based, say, on the use of economic incentives such as taxes or subsidies) are that the force of law can be used to impose fixed standards with immediacy and to prohibit activity not conforming to such standards.”
→ Strengths: Fixed standards Possibility of strong enforcement Possibility of quick responses The regulator looks to be acting quickly
→ Weaknesses of CAC regulation? Lobbies/revolving door (regulatory capture) Legalism Regulatees may focus on the black-letter law, rather than the intentions behind it Compliance in theory but still the same actions in practice Unintended consequences, standard-setting Stifling competition and entrepreneurship. Over-regulation. Inflexible and complicated rules, standards may be hard to comply with Enforcement Enforcement can be complicated and burdensome when there are more rules and more detailed rules
What is Regulation?
“The enterprise of subjecting human conduct to the governance of rules” L. Fuller (1964), The Morality of Law
Setting rules and making sure that people comply with the rules.
→ Narrow approach: a specific set of commands - command and control
→ Broader approach: deliberate state influence (all state actions designed to influence behavior)
→ Broadest approach: all forms of social or economic influence (all mechanisms that affect behavior, whether state-based or from other sources. Both intentional and unintentional effects)
Why regulate new technologies anyway? To defend people’s rights, to direct the technology for some intended direction, to create legal certainty. The rules are necessary to make the system function as desired.
According to Baldwin et al.:
- Information inadequacies
- Scarcity
- Human Rights
- Monopolies
- Public good
- Planning, etc.
What are positive aspects of regulation?
- Protect fundamental rights and freedoms
- Reflect social norms and values also online
- Increase trust, legal certainty
- Create an open, level playing field
What are the negative aspects of (over) regulation?
- Too many rules or too detailed rules
- Compliance burden
- Inflexible and complicated rules
- Limited/burdensome enforcement
- Legalism: focus on rules rather than underlying goals (innovation, protection of human rights, etc.)
Rules can be restrictive or facilitating Toolbox for regulation (Lessig): The object of regulation can be regulated through four modalities: Social norms Market forces Law and legislation Environment (architecture and code)
The markets, laws and norms are part of the Socially-mediated regulation modalities.
Design and architecture are environmentally-mediated regulation modalities.
Code is law. Code writers are increasingly lawmakers.
Speed Bumps are an example of environmentally-based regulation.
Contrast between east coast code and west coast code: Speed limit (command and control) vs. Speed bumps (architecture) Walls, fences, locks, bars are all examples of environmentally-mediated regulation.
A locked door is not a command. A locked door is a physical constraint of freedom. Techno-regulation: Online examples of techno-regulation: Encryption, firewalls Gender boxes Computing performance, maximum storage capacity Accepting terms and conditions Profile settings (pre-programmed)
Privacy by Design: Design technology in such a way that privacy is protected automatically Restricted queries, anonymization, blurring faces, etc.
Strengths and Weaknesses of Techno-regulation:
Strengths:
- Efficient
- Cheap
- Foolproof
- Fair
Weaknesses:
- Not legitimate
- Not democratic
- Not transparent
- Not fair
- Architecture designed unfair
- Sometimes people should be treated differently rather than the same (affirmative action, special needs, etc.)
- Erosion of moral agency: Respond automatically
- It makes us stupid
Key Characteristics of Techno-regulation:
- Highly coercive
- People must comply/no way to disobey
- No room for maneuver
Nudging (Thaler & Sunstein):
- You can push behavior in the right direction by making desirable behavior more attractive, without limiting the freedom of choice of people
- The goal is to (slightly) readjust behavior via choice architecture
Examples of online nudging: Default settings Personalization Attractive offers Opt-in versus opt-out
Default settings in software are powerful (5-10% change)
Libertarian paternalism?
- Nudging can have illegitimate motives
- Nudge can act as a deception method
- There is a lack of transparency in nudging
→ Libertarian paternalism is the idea that it is both possible and legitimate (for private and public institutions) to influence behavior while also respecting freedom of choice.
Nudges can be more or less transparent and also invoke reflection and not invoke reflection
State regulation:
Advantages:
- Clear centralized process
- Setting uniform standards
- Nation-wide scope
- Transparency
- Based on democratic principles
- Checks and Balances
Disadvantages: Who is at the table? Bureaucracy Costly Transparency Regulation may be too general or over regulation
Self-regulation:
- Actors can regulate themselves
- Codes of conduct
- Certifications
- Etc.
Intersubjective reference framework: All the partners that will decide the rules have subjective perceptions and perspectives. The end of the intersubjective reference framework is to make a decision on regulation that reflects most of the subject’s principles and objectives.
Advantages: Good PR for industry No costs for external enforcement Avoid reputational damage Setting your own norms may lead to better compliance Disadvantages: Conflict of interest may lead to failure Enforcement may be weak Scope may be limited Focus may be on business interests rather than consumer/citizen interest
Why self-regulate: The subjects of self-regulation already have the expertise on the field It may also be more efficient than C&C Mandates Increased level of accountability Fairness of procedures
Technology-neutral legislation Legislation not formulated specifically for technologies, but for: Groups of technologies Applications of technologies Functionality of technologies How? Different phrasing Different, sometimes wider scope
Examples: EU data protection law regulating personal data and data processing, not computers or databases Stand-alone databases to (online) interconnected databases EU e-commerce directive regulates information society services, not online shops or buying online Online shops sometimes no longer have offline shops Some online services are for free Convention on Cybercrime: computer systems, not computer, desktop, or laptop Internet connection also via smartphones, for example
Advantages: Sustainable legislation Changes are not always immediately necessary Legislation is more general May include new technologies
Disadvantages:
- Limited legal certainty
- General norms, latent ambiguity
- Not all new technological developments are foreseeable/predictable
Technology-neutral legislation is NOT vague legislation. Vague legislation is simply flawed legislation. Technology-neutral legislation uses different phrasing and may have a broader (but still clear!) scope
→ Do laws directed at tech companies serve as examples of technology-neutral legislation? No, if it’s not directed at the technology it is not technology-neutral legislation.
Complicating factors for regulation: Dematerialization Shift to other layers of regulation Different angles of regulation, regulating not the devices but the data, for example Example: phones are even smaller The device doesn’t need to store information, it only needs to access data storage (cloud) Things getting smaller makes them less visible Technology is moved to the background Internationalisation Technologies developed in different countries Drafting new rules Enforcing rules Data Colonization Technological turbulence Technology development is exponential, so the “next step” is unpredictable New technologies New applications Privatisation Most of the technology is being created by private actors Different landscape for regulation compared to “classic” government control Balance between self-regulation and top-down regulation by the State Self-regulating
Where would you regulate: Prohibition of child pornography? Content layer → define what child pornography is and set rules accordingly Code/application layer → child pornography is usually in the “dark web”, so an option is to prohibit the software and applications that give access to the sites Physical layer → harder, but could be blocked based on country for example. → What is the option when the prohibition is in the ISP? Is it the link layer?
4 different issues/challenges:
Latent ambiguity
- Do written laws mentioning privacy of correspondence, telephone and telegraphs also apply to e-mail and video-calls without the law being updated?
- Literalism vs. teleological interpretation
- Grammatical (literal) interpretation: NO
- Teleological interpretation: YES
- In the Netherlands the interpretation was literal, so the constitution was updated in 2023: “Everyone has the right to privacy of correspondence and telecommunication” → technology-neutral phrasing
- Technology develops faster than law
- Initially, the regulation is clear, but in a later stage, interpretation issues emerge, for instance, due to new technologies.
- ‘Applying old rules to new situations’
- Not only applies to technology (for example same-sex marriage in Brazil)
Competing sovereigns Dematerialization + internationalization Sovereignty Establishing rules Enforcing rules
Example of competing sovereignty: The US government wants to have access to all personal data of passengers of planes coming into the US. This clashed with the EU’s regulation on personal data protection. What to do?
Example on enforcement: The Dutch public prosecution service wants to prosecute a Russian hacker for distributing ransomware in the Netherlands. Russia does not want to extradite. What to do?
Regulability/Anonymity Who is doing what and where? Regulation must be concrete, it is also an enforcement problem Attribution problems: Who is behind a particular IP-address? Who created a specific malware? To whom does an e-mail address belong?
Property/ownership Who owns the internet? Who owns the hardware and the software? Who owns the data in Cloud computing? → EULA and Terms of Use?
Exercise Gambling Company Explain to the Board of Directors that if the EU Commission wants to use a Lessigian approach for regulating gambling it will probably cover actions to nudge the market, the social norms, the architecture and legislation.
The possible actions could be: Market: Taxes on gambling profits, off-shore tax reform → money laundering Price ceiling Social norms: Campaigns against gambling Education Health campaign to try to help with gambling addiction Architecture: Demand ISP providers to block access to The River Flop Five website Promote use of VPN, change IP address and create different websites Demand the app is taken down from app store and Google Play store Create public commotion against this measure Enforce control over gambling age via identity requirements Claim this infringes on personal freedom and creates a burden on the end-to-end principle if used on the ISP layer Set timers and limits to the amount of money spent by user
Legislation: Ban the advertisement of gambling platforms in different media or completely → Hire advertisement in social media through influencers, covert advertising → Lobbying against the legislation based on free-market libertarian ideologies, campaign that the legislation is going to diminish freedom online and Demand the company to have legal representatives in the EU Legislation on taxes for the company and the user
Tax evasion, money laundering, create different companies
Critique on Lessig Cyberlibertarians vs. cyberpaternalists Key questions from previous lectures: Should you regulate? Can it be regulated? Which aspects should be regulated? Who should regulate? Where should regulation take place?
Cyberlibertarianism: Maximizing autonomy Freedom Freedom of expression Free trade Civil Rights Self-regulation (minimal state)
Key proponents: John Perry Barlow David Johnson and David Post
Key Thesis: Laws are constrained by borders, the internet is not Law could never be effective in cyberspace Cyberspace cannot be regulated
Cyberpaternalism: Put controls in place Create a safe environment Promote people’s own good More focus on well-being than on welfare
Key proponents: Jack Goldsmith Yochai Benkler Joel Reidenberg Lawrence Lessig
Key Thesis: Cyberspace is controlled by code used to create environment Regulation through code is always effective (control through design) Cyberspace is perfectly regulable
Defining regulation: Lessig: Broader approach; “regulability means the capacity of a government to regulate behavior within its proper reach” Murray (network communitarianism): Broadest approach; “All forms of social control, state and non-state, intended and unintended”
Examples of problems in Lessig’s model: Law: Regulated by sanctions The sanctions are always ex post, which may not prevent certain behaviours Social Norms: How one ought to behave Who decides? What if a community does not engage in feedback?
Lawmakers have had to resort to indirect regulation through mandated code designs: In the US: Communications Decency Act, The Child On-Line Protection Act, The Digital Millennium Copyright Act In Europe: Electronic Signatures Directive, Copyright & Related Rights in the Information Society Directive, etc.
→ This does not fit into Lessig’s model: is it regulation by law or by code? (Both)
Who determines the nature of cyber-regulatory settlements? Usually the company and developers Question of Legitimacy
Are architectural controls too unforgiving? No need for separate detectors and effectors? No way for the user to add to the design, you either accept it and use it or you don’t use it at all
Are code-makers too US-centric?
Murray & Scott
More focus on accountability:
- Maybe Lessig does not focus enough on the level of accountability
- Obligation to give account of one’s actions to someone else
- Often balanced with responsibilities of others
Lack of accountability is fatal to the concept of design controls as a regulatory modality
Lack of human interaction found in design control negates accountability
Network communitarianism
Examines the problems of online regulation from a different perspective to Lessig and the Digital Realist or Cyberpaternalist School. Check slides.
Cyberspace environment is not analogous with physical environment of real space People (companies, users) respond to regulation, to social norms, to architecture. Moving jurisdictions online VPNs Changing product or company Circumvent methods
Lessig’s pathetic dot becomes Murray’s active dot inside of a network, not alone
From control to community? Too many regulators see the community as ‘the problem’ Peer-to-peer DRM engineering Reselling Parallel Importation Attempts are made to control community Community seen as passive. Communitarians disagree, they want to introduce the opinion and suggestions of the community to the regulatory process Failure to force change = regulatory failure Active community Opportunity to harness community regulation
Symbiotic Regulation: Check slides
Laidlaw: proposed regulatory gravity Players are not equal, some of them have more gravity (gatekeepers such as ISP providers, the government, special interest groups, Platforms) Single individuals can make impact in numbers even without gravity
Gatekeeper theory Platforms on the Internet Powerful gatekeepers regarding the information that is provided Selection, filtering, editing, personalisation, blocking, content moderation, curation, ways of presentation Construction of the Algorithm Facilitating or hindering fundamental rights
Gatekeepers are a good starting point for regulation
Digital Services Act (DSA):
- VLOPs = Very Large Online Platform (17 in 2023)
- VLOSEs = Very Large Online Search Engines (2 in 2023)
Digital Markets Act (DMA):
- Gatekeeper = core platform
- Core platform services: search engines, social networks, etc.
Exercise
“Territorial laws are unable to effectively regulate Cyberspace”
Discuss this from the following perspectives:
Cyberlibertarian perspective
- Governments shouldn’t regulate. Governments have no moral right to rule cyberspace nor the methods of enforcement necessary to rule.
- Complete independence between territorial law and cyberspace regulation, which means the ‘real world States’ have no authority over cyberspace, no legitimacy and no consent.
- Internet design and architecture make regulation impossible
Cyberpaternalist perspective
- Cyberpaternalists believe that it is necessary to regulate in order to maintain values
- However, cyberpaternalists such as Lessig believe that other means of regulation are necessary or even more effective
Network Communitarianism
- Regulation is effective as long as it’s embraced by the community
- Regulation can be effective if it is directed at the gatekeepers, for example
- However, communitarians also consider the different means of regulation other than law
Rational actor model
- Homo economicus (Econs)
- The model takes into consideration the notion that human beings act rationally, through rational decision-making processes
- This doesn’t take into account the fact that our brains take shortcuts, use biases, etc.
People tend to make choices:
- Out of convenience
- Considerably more likely to accept pre-selected choice options
- Decisions are dependent on context
- Based on biases and misjudgement
‘Display Induced Decision Bias’
Studies show that the display of a screen can change the focus of the user. Adaptive technologies and A/B testing are examples of how the display induced decision bias is used by companies to nudge users/consumers
Challenges of Online environments:
Differences in structure and functionality Network size permanence personalization power of design Differences in perception and behavior Social cues and Communication Cues for epistemic quality Social Calibration Self-disclosure vs. privacy Norms of Civility Dissolution of Shared Perceptions
Attention Economy Challenge to attention and cognitive control The digital environments have been optimized to monopolize and commodify human attention and online behaviors Choice architectures Strategic design of online environments and user interfaces to affect people’s choices in order to steer behavior Persuasive and manipulative choice architectures that steer in service of commercial interests (privacy-intruding default settings) Algorithmic Curated Content AI-powered algorithmic tools that filter/mediate information online Dissolutions of shared perceptions Misinformation and Disinformation
Psychological insights behavioral economics our brains have two different systems System 1 - intuitive question (fast) System 2 - rational thinking (slow)
Heuristics Strategies for: Making judgements Making decisions Finding solutions We can use both parts of the brain, depending on the kinds of decisions we need to make
We have great brains, but prone to bias
2 Schools of Heuristics: Fast and Frugal: Optimistic in nature Modular heuristics Focus on when is it appropriate to leave information out Heuristic strategies Heuristics and Biases Humans have limited computational capacities Pessimistic in nature Susceptible to making poor judgments resulting in systematic biases and errors
Examples of biases:
Availability bias
- People tend to overestimate probabilities when they know a specific example of something
Representativeness bias
- If two objects or events are similar we assume their frequency is similar
- Representativeness bias in courts is problematic
Anchoring and Adjustment bias
- Start information
- The information with which you start a thinking pattern can change the results
New online specific errors and biases?
- Online we do not have enough information to make fully informed choices, which makes fully rational decisions online impossible
Network effect bias Visual preference heuristic People like seeing images over more complete text-based descriptions Data authenticity bias? Too much reliance on data from digital resources and digital tools Always over-value way data is presented in any decision-making process
Dark patterns: extremely manipulative online architecture shape and prompt user behavior benefit an online service by coercing, steering, or deceiving users into making unintended and potentially harmful decisions choosing lenient privacy settings to increase user engagement Misdirection, applying social pressure, inciting sense of urgency and scarcity