This summer, the Supreme Court ruled in Carpenter v. United States that cell phone location information was subject to Fourth Amendment protections rather than the third party doctrine, which allows law enforcement to obtain such information with only a subpoena. In general, this ruling reflects contemporary norms about how we use today’s technology to share personal information with a third party without fully abolishing the third party doctrine.

By subjecting certain data to Fourth Amendment protections, the Court increased the standard that must be met for law enforcement to access such data as part of an investigation. Under the prior standard that only required a subpoena, it was easier for prosecutors and law enforcement to prove that such information was necessary to the investigation. For data protected by the Fourth Amendment, law enforcement must show probable cause and obtain a warrant from a judge before requesting such information. Ideally this will limit such requests to only the data actually relevant to the case and help provide a check on civil liberties.

The Court was quick to point out that the ruling should be considered narrow in its application, but many technologies provide the same or even more sensitive data than the cell phone location data at issue in Carpenter. Courts will likely be called to rule on these questions increasingly often in the future and will have to answer these often tricky legal questions.

Much like cell phones, wearable tracking technologies like FitBits and Apple Watches provide a good deal of information about a person’s location and activity at a specific time. Already, data from such wearable technologies have been used as evidence in a murder trial and to support a defendant’s alibi. Although not specifically mentioned, it is probably safe to assume that device location data collected would be subject to Fourth Amendment protections in the same way as the cell service location information at issue in Carpenter.

But many of these devices have the ability to collect more personal information than cell phones, such as pulse rates, that could also be used in investigations like the cases mentioned above. The Court based its decision in Carpenter on its previous findings that a person has a “reasonable expectation of privacy in the whole of their physical movements.” There are additional privacy requirements, such as HIPAA, regarding the sharing of medical information, but the narrow tailoring of such statutes often does not currently apply to a wearable device or an app creator when information is willingly shared. At what point one has or ceases to have a reasonable expectation of privacy in the data like heart rate and general activity uploaded via such devices will likely be an issue in coming years.

Questions surrounding the possible application of third party data to genetic databases created through products like 23andme or Ancestry DNA are also likely to arise in the coming years. Recently, the potential application of these DNA services to help solve cold cases has come to light with the Gold State Killer case. Law enforcement used an open source database, GEDMatch, and worked with genealogists to identify a suspect through existing DNA information and the information uploaded by potential relatives. Many would assume that genetic information such as genomic mapping should easily fall in the category of “reasonable expectation of privacy;” however, those individuals uploading the information to a searchable public database for genealogical purposes could reasonably be seen to have waived their rights to such privacy. In some cases the terms of service clearly indicate that such rights have been waived.

The use of such services raises unique questions not just of third party doctrine as with location data, but of fourth party consent. In cases of third party doctrine, one party knows or should know that they have given the information to someone not directly involved in the transaction and made that information public. But in these “fourth party” scenarios, the party whose information is discovered was not involved in the decision to give that personal information to someone else.

As R Street’s Lars Trautman and Nila Bala point out, “In these new fourth-party cases, we may not have given up the expectation of privacy.” By entering genetic information into an open source database, one is not only giving up his or her own genetic privacy, but at least some of the genetic privacy of all of his or her relatives. As such, it seems like a Carpenter-esque response protecting the genetic information of individuals who had not themselves been involved in providing information to such databases could be on the horizon. This could be grounded in the fact that, like cell phone location information, an individual is not knowingly providing access to their genetic information when an unknown second cousin chooses to waive such privacy.

As my colleague Jordan Reimchisel argued in his discussion of the Golden State Killer arrest, “The recent arrest of DeAngelo thanks to forensic genetics, and the reports of rapid increases in these techniques, make it clear that courts must rethink their application of the Fourth Amendment. Legislatures at all levels ought to also consider how they might implement new protections that go beyond current jurisprudence.” Carpenter shows that the Supreme Court is aware that our increasing willingness to share previously private data as part of our connected culture may shift our understanding of where the lines of public and private are.

It took the Supreme Court over 20 years to update its view of the Stored Communications Act and third party doctrine to cover cell phones. It is unlikely that clear answers on where and when information used with current disruptive technology like wearables, at-home genetic testing, and Internet of Things devices are coming soon. Still, while narrowly tailored, restricting Carpenter to only location data also seems unlikely.

These concerns also raise questions of how we should approach Fourth Amendment protections more generally. In some ways, they show just how difficult it is to determine what is and isn’t a reasonable expectation of privacy in our increasingly data-sharing world. But even a more traditional analysis of basic questions such as when there is a search and when there is a seizure become more complicated when the “real world” and cyberspace intersect.

Come Back with a Warrant: The Potential Impact of the Carpenter Decision Beyond Cell Phones was originally published in Plain Text on Medium, where people are continuing the conversation by highlighting and responding to this story.

Take note, San Francisco: Forward-thinking regulators have started to embrace soft law regulatory mechanisms to protect innovation and consumers.

By Trace Mitchell and Jennifer Huddleston Skees

Could the electric scooter movement be over before it has really had the chance to begin?

Dockless electric scooter rentals have been popping up in a variety of cities across the country and around the world, providing a cheap and convenient way to get around. These scooters could change daily transportation options in many densely populated areas. Yet this new industry has already faced a multitude of threats from local regulators. It’s a pattern we’ve seen before for disruptive technologies. If electric scooters are going to become part of the urban transportation market, regulators need to learn from past experiences and avoid unnecessarily harsh, preemptive regulation.

Electric scooters are one of the most recent parts of the “sharing economy” to emerge. Companies like LimeBike, Bird, and Spin offer apps that allow users to find a scooter and ride it to their desired location. The app then charges the user a price typically based on how long the scooter was used.

But these scooters are not just a novelty. This is a rapidly growing industry, and companies have raised more than a combined $255 million dollars from investors. Many cities are seeking new forms of transportation that won’t exacerbate congestion or environmental products. Much like bike shares, electric scooters provide an alternative, particularly in dense cities with wide sidewalks like Santa Monica. However, despite this excitement for electric scooters, regulatory threats are rapidly emerging that could make widespread implementation infeasible.

Electric scooter companies have tended to follow the model of “act first, ask second” pioneered by many ride-sharing companies about a decade ago. They quietly begin in a new area, quickly establish a market demand, and then count on consumers to counter local regulators restrictive reactions. Kenneth Baer, a spokesman for Bird, said, “We enter markets where scooters aren’t prohibited, and we follow the laws on the books. But in most cities, the laws never anticipated this technology.”

Santa Monica, California was one of the first cities where Bird experimented with this concept. The company swooped in and placed hundreds of their electric scooters on the streets of Santa Monica overnight. They were met with an overwhelmingly positive response from most consumers, and the scooters were driven over 60,000 miles in only seventeen days. At the same time, other locals have complained that the scooters aren’t responsibly used and instead are blocking paths, disability access, and entrances.

In San Francisco, despite complaints about high costs of transportation and the need for more green options, some locals have been so annoyed by scooters that they have resorted to vandalism, including literally pooping on them. In many of these communities, there seems to be a classic “not in my backyard” problem emerging. NIMBYs love the abstract idea of having more green transportation options — so long as they don’t have to actually encounter them.

This unregulated state was short-lived. Regulators tried to impound the scooters and filed suit against the company for improper permits. Fortunately, the company was able to leverage its popularity to find a solution that would allow it to continue to operate.

A statement by the company explained: “Bird needed a mobile vending license — like a taco truck would have. We didn’t think that this was necessary as we are not selling tacos or hot dogs.” They went on to say, “This type of misunderstanding happens as old regulatory schemes need to adapt to new technologies.” Bird eventually settled the lawsuit with Santa Monica; however, they were forced to pay over $300,000 in fines and comply with a multitude of business licensing requirements and other laws subjecting riders to various licensing and safety requirements.

Some cities have embraced this technology as a potential solution to some of their transit issues, but unfortunately, many more have tried to prevent it. Miami, Nashville, and Denver have all issued cease-and-desist letters demanding that scooter companies stop their operations immediately. In the case of San Francisco, the authorities went as far as to impound the scooters.

However, scooter companies have established a large enough user base that they are often able to work with regulators after these initial tensions. For example, the San Francisco Municipal Transportation Agency (SFMTA) has since adopted a one-year pilot program for the scooters.

Imagine if these companies had to go through the process of getting shut down, fighting with regulators, and paying massive fines every time they wanted to open up shop in a new city. Such regulatory barriers yield major upfront costs that will drive up the price that users’ are charged. Scooter users like them as a cheap, efficient alternative and having to deal with such barriers is likely to make companies change the way the operate.

The problem of electric scooters is not unique. Often, technology and regulators face what is known as the “pacing problem,” which refers to the way technology evolves faster than regulators can develop appropriate regulations. This means that technologies like electric scooters may be disruptive before regulators can prevent them, but it can also mean that regulations don’t actually address the problems.

One solution has been to use “soft law” methods such as guidance and sandboxing, where regulators and innovators come to an agreement before deployment that allows operation with minimal regulatory interference — at least for a limited amount of time. These methods of regulation give both some certainty to innovators and flexibility for regulators. In general, this has emerged as a more pragmatic approach for technological regulation. In fact, this is very similar to the approach some cities have taken on scooters.

In Memphis, officials made sure that they were ahead of the game by introducing a 30-day operating agreement before Bird even offered services in the city. This allowed the company to transition smoothly into the area without incurring the risk that is associated with legal uncertainty. The chairman of the city council explained why they were so proactive when it came to this new technology: “This is just something that can prove to the world that Memphis is ready, that Memphis is open to business, and that Memphis makes accommodations for things we want.”

Approaches like this allow local administrators to maintain some level of control without placing undue burdens on emerging technologies. It also creates an incentive for other types of firms to conduct business in that area. An innovative company is far more likely to set up shop in a new city if it knows that the local officials tend to be supportive of innovation.

Regulators often cite safety issues as the justification for their concern about scooters. However, there are already formal mechanisms in place that would be much better suited to deal with those concerns. For example, there are laws on the books in all 50 states that govern the precautions an individual must take when riding a bike as well as what happens in the event of an accident. While it may be necessary to adapt some of these rules to better mesh with evolving technology, preemptive prohibitions are not the best solution. Local administrators should work towards finding more efficient remedies that are aimed at limiting the harm caused by these services while still encouraging innovation and keeping the barriers to entry relatively low.

We’ve seen all this play out before. As our Mercatus colleagues Chris Koopman and Adam Thierer discussed in 2014, some cities are taking the approach of “ban first and question second.” This cycle has repeated for many sharing economy disruptions including ride sharing, short-term home rentals, and even dog sitting. Unfortunately, it is often analogue industries — not consumers — asking policymakers to regulate these new young upstarts rather than seeking to deregulate themselves. As Thierer has argued, when policymakers look to promote innovation and its benefits, they should look to promote parity to a less-restrictive level of regulation, not the most burdensome.

If electric scooters are to be more than a fad, cities should look to promote them as an alternative rather than regulating away the option. While it may just be a few cities that are going after scooter companies right now, the impact of these regulations basically tells future innovators to look at something else to do. Cities should seek to develop a regulatory framework that says “new transportation innovation welcome here!” rather than “we’re fine with the status quo.”

Will the electric scooter movement lose its charge? It doesn't have to. was originally published in Plain Text on Medium, where people are continuing the conversation by highlighting and responding to this story.

By Jennifer Huddleston Skees and Trace Mitchell

What does it take to trespass on someone’s property? That’s the question courts are again starting to grapple with when considering the growth of augmented reality (AR) apps like “Pokémon Go.” These games can be a lot of fun, but they raise novel legal questions and may challenge centuries-old common law standards in some cases. The end goal should be a legal system that promotes new innovations without unnecessary legal burdens while also balancing the property rights of impacted individuals.

“Pokémon Go” is a mobile game created by Niantic that uses AR to superimpose Pokémon and Pokéstops at specified locations in the real world. A player tracks, views, and “catches” these Pokémon using their smartphone’s GPS and camera. Players can then go to one of the Pokéstops and battle other players with the Pokémon that they have previously caught. The game was exceptionally popular in the summer of 2016 and yet cases surrounding players’ actions are still making their way through courts. As a result, a “summer fad” has the potential to rewrite long-standing legal traditions.

“Pokémon Go” has become one of the most successful mobile games ever created, having been downloaded over 800 million times and grossing nearly 2 billion in revenue. But not everyone is happy about it.

Some claim that “Pokémon Go” encourages players to trespass on private property in order to catch the Pokémon. A community church in Renton, Washington says players come all day and night to catch the Pokémon, leading them to be more concerned about theft and other security risks. As one property owner stated, “We don’t have a way to discern whether or not the adults who are coming to play the game are just here to play or ‘casing’ our location.”

Others claim that using AR to place Pokémon “on” private property is a form of “virtual trespass.” A group of property owners has actually filed a class action lawsuit against the game’s parent company based, in part, on this concept.

Typically, in order to trespass, a party must physically enter property that belongs to another without the owner’s permission. What makes the “Pokémon Go” case unique is that, while players may enter the land of another without the owner’s permission, while the game’s creators choose where to place these virtual creatures and locations, no one from the development team actually enters the property in the real world.

A Ninth Circuit judge allowed the case to continue due to in large part to the novel nature of this issue. If the plaintiffs succeed, eliminating the physical element usually required for trespass could impact far more technology than just “Pokémon Go”.

Virtual trespass has been used in other contexts to express a different concept, but for the sake of this post, we will focus exclusively on the impact of amending the concept of trespass to include a non-physical entry onto private property by a party without permission of the owner by a technology.

Niantic may have led players to commit trespassing under the traditional concept, but the company never physically entered the property in development of the game. The locations were chosen based on crowd-sourcing of player data and GPS mapping. Clearly, other AR games could result in similar concerns; however, without the physical requirement, so could GPS directions, traffic apps, or drones. After all, who hasn’t ended up at the wrong place when using technology from time to time?

Even the Internet itself could be guilty of “virtual trespass” if the doctrine is construed too broadly. Due to some faulty mapping, after all, an old farm in Kansas has become a hot spot for all sorts of virtual misdirection and lost connections. Even analogue era traditions like geocaching and letterboxing might find themselves subject to potentially crushing liability if such a broad concept of trespass becomes accepted. Some might argue that there is a distinction between these cases and “Pokémon Go” because these creators are specifically enticing entry onto others’ property, but it’s important to remember that Niantic never set foot on private property, players using its game did.

If the goal is to find some legal grounds to combat the harm caused to property owners by the disruption of having unknown individuals show up at all hours of the day (and night, then the real issue isn’t that Niantic has virtually trespassed. Rather, they may have created a nuisance to the owner of the property in encouraging others to trespass as a result of their product.

Nuisance violations are torts arising from the common law idea that possessors (not just owners) of real property are entitled to the quiet enjoyment of that property. Quiet enjoyment does not refer only to noise, but also includes a variety of activities that might be harmful or annoying to a reasonable owner of such property like dumping sewage into a shared water supply or burning materials that create a noxious odor. Unlike trespassing, these activities do not require the perpetrator of the nuisance to actually intrude into the property, but only that these harmful activities disturb the possessor of the property’s quiet enjoyment. Courts generally react to such claims by issuing an injunction to prevent further harm if the behavior is found to be a nuisance.

Courts are often far quicker to react to new technology than legislators, and generally this is good. The common law is law as understood by tradition and norms and is far more adaptable to new technology than a top-down legislative approach. However, as the saying goes, “Hard cases make bad law,” and courts to can be susceptible to the idea “something must be done” rather than relying on their traditional common law principles. In fact, we should be cautious of what might happen when courts start rewriting common law principles to include new technology as in the case of “virtual trespass.”

We’ve already seen what can happen when the courts attempt to make law fit a technology without carefully examining the elements of the law. In the early 1990s, in Stratton-Oakmont v. Prodigy, a New York court ruled that an Internet intermediary, like a message board or payment processor, could be held liable for defamation for claims made by users of the service since the comments on the message board were moderated. This decision had the potential to severely damage the fledgling technology by imposing catastrophic liability risks onto anyone who moderated a user-generated Internet service. Luckily, sensing the risk to a hugely beneficial technology, Congress intervened and established Section 230 immunity which allows intermediaries to engage in reasonable moderation and the establishment of community standards and retain liability protection. Without such a statutory intervention, the Internet would be a far different place than it is today.

Establishing a theory of “virtual trespass” runs the risk of doing the same thing to AR and artificial intelligence that Stratton-Oakmont would have done to the Internet. Virtual trespass could rewrite the common law and change what the average innovator could expect to be liable for. While far from an ideal solution, using a nuisance approach would be more aligned with the standards that currently exists.

Nuisance law requires the proof of damages or harmed suffered while trespass merely requires proof that the violation occurred. As a result, individuals harmed by AR games would have to show more than just players were showing up on their property to hold a company accountable. They would have to show that the company’s actions actually caused them harm such as requiring extra security and that such harm could be remedied if the behavior ceased.

Nuisance law also tends to be specific to the location involved making it necessary for the courts to consider the specific facts of the case rather than an overly-broad class as “virtual trespass” might allow. In either case, the question remains whether a Section 230-style intervention would be needed to allow innovation in AR technology to continue if the courts begin to file creators liable for their players’ violations.

There is no question that “Pokémon Go”, and other applications of AR technology, raise novel legal questions that will need to be addressed. However, courts should be wary of rewriting traditional common law principles without considering the effect that it might have on innovation.

Can you trespass without setting foot on a piece of property? was originally published in Plain Text on Medium, where people are continuing the conversation by highlighting and responding to this story.

What do a Dyson Vacuum, a John Deere Tractor, and an iPhone have in common?

Believe it or not, you might not be able to repair them yourself whenever or wherever you want. That’s why both farmers and technophiles have started pushing for right to repair legislation. It’s often not until a problem has arisen that a consumer realizes they can’t find the parts needed to fix it without going through an expensive and burdensome process with the original manufacturer and that they might violating copyright or computer fraud laws if they try to fix it without this process.

The “Right to Repair” movement started with automobiles in the early 2000s, but recently has started to gain momentum in regards to a variety of other consumer devices. In fact, in the last year, 17 states have proposed some form of Right to Repair laws.

While the proposed legislation varies from state to state, in general, right to repair laws seek to protect owners’ property rights in their technology and provide equal access to information and parts for anyone seeking to repair a device without fear of violating the law. But as complex technology becomes more integrated into our lives, the pros and cons of such laws become less black and white.

Advocates for such laws champion the idea that if you own a device, you should be able to do with it what you want — including repair it. They argue that limiting the number of people who are able to repair a device by limiting access to information or replacement parts infringes on customer rights, decreases accessibility of repairs, and drives up prices.

It is far more difficult for consumers in certain rural areas to access authorized repairs. For example, there’s only one Apple store in Kansas and none in Vermont, which means consumers in need of repairs must travel hours to the nearest location, attempt to determine if an authorized shop is otherwise nearby, or ship the product to the manufacturer and manage without it for days or weeks.

For larger devices like tractors, shipping the product off is not an option. It may require a longer wait for consumers farther from an authorized repairperson to receive service or a replacement. While allowing “unauthorized” repairs would not completely solve the burdens on rural consumers, right to repair laws allow the option of DIY repairs by the consumer or local shop without concerns that it might void any continued protection on the product.

Additionally, such laws allow entrepreneurs to expand their businesses and aid the companies by limiting the requests for repairs for minor issues and reduce the burden on authorized repairmen to only handle the more complicated issues. Many companies already have ways for independent repairmen to become authorized; however, these often involve lengthy and expensive certification processes and the use of more expensive parts that continue increase cost and limit access to consumers.

Of course, right to repair laws affect far more than repairs. Such laws also enable (or empower) consumers to tinker with their own devices. DIY options like making a tractor more efficient or a phone work on a different network are often prohibited under the Digital Millennium Copyright Act (DMCA) or Computer Fraud and Abuse Act (CFAA).

Similarly, such hacks could be considered in violation of the intellectual property rights of the initial developers in some cases. As all devices become more technologically enabled, customers will desire the choice to self-repair or modify everything from Xboxes to lawnmowers without the fear that what they’re doing is illegal.

Several companies, including Apple, Dyson, and AT&T, object to right to repair laws. Their concerns are not merely attempts to prevent consumers from accessing cheaper options. Granted, some of the arguments about rogue unlicensed vacuum cleaner repairmen preying on innocent consumers seem far-fetched. But the companies are largely motivated by a desire to protect their own property rights and legitimate concerns about the consequences of shoddy repairs.

First, these companies argue that allowing unapproved modifications can create safety risks. For example, they point to the dangers in handling lithium batteries as an example of why consumers might not be adequately prepared for the risks involved in repairing their own devices.

However, it’s not just physical safety concerns. Those opposing right to repair laws also are concerned that poorly “jailbroken” devices may put the technological ecosystem at risk.

While this may seem like a stretch, with so many devices now connected to each other through the Internet, a bad line of code or unintended malware could unintentionally spread like wildfire to other devices. Indeed, many cybersecurity attacks have been carried through networked devices.

These concerns are also related to fears of liability if a consumer poorly tries to fix or modify his or her own device or if such a change affects other devices. In some cases, poor tinkering to a tractor or vehicle could result in catastrophic damage that could kill or maim the consumer or a third party. While in many cases arguments regarding substantial modification may provide legal protection, the cost of even having to settle such claims could be expensive in both financial and brand image costs.

Second, there are legitimate concerns about what unauthorized changes might do to a brand’s image. This is part of why intellectual property laws like the DMCA were created. Brands invest significant capital in the development of their systems and technology, including the diagnostic tools to fix it. The provision and control of these tools allows them to recoup some of the expenses related to their development and ensure brand integrity.

Particularly for brands that have incorporated certain quality standards into their brand’s image, like John Deere and Apple, there are legitimate concerns that poorly-repaired devices might diminish the overall view of the brand’s capabilities. At the same time, such laws have complicated common standards of consumer protection, contract law, and property rights. With the continued growth of software and its imbedding into a wider variety of products, courts will have to examine the impact of such legislative interventions into more traditional common law views of contract and ownership.

Finally, there are questions about when a warranty would be voided and an original creator would no longer be responsible for harm caused by a modified device under such laws. Companies also worry that a consumer whose product was ruined by a faulty third-party repair would have no recourse should the device fail.

In general, product liability law already protects the manufacturer from liability for devices that have be substantially modified, so it is unlikely a manufacturer would liable for a customer’s decision to use unauthorized repair. However, the risks a customer might not be able to recover for an unofficial repair are still present even without a right to repair law. If anything, a customer might be more likely to have recourse against an “unauthorized” repairperson under a right to repair law, then they would without one.

Technology has already changed many aspects of our lives. Right to repair laws show how, in some cases, technology can complicate longstanding legal questions over what rights are included in creation or ownership.

At the same time, given that only a small percentage of the population has the ability to actually tinker with the advanced technology in an iPhone or a John Deere tractor, it is unclear how much would actually change as a result of right to repair laws for the average consumer.

A right to repair doesn’t and shouldn’t guarantee a quick and easy fit for a new, advanced technology. A balance needs to be struck that enables creators to trust that their intellectual property rights are not at unnecessary risk from DIY consumers, while still allowing consumers to do as they wish with their own property. This balance should be focused more holistically on what will enable technology to improve the most rapidly and likely lies between the current situation and a total, unqualified right-to-repair or modify as the consume sees fit.

Should you be able to fix your own iPhone? was originally published in Plain Text on Medium, where people are continuing the conversation by highlighting and responding to this story.

A new National Academy of Sciences report concludes the agency needs to relax and learn to love drones

The FAA has identified the integration of drones into the American airspace as one of its top priorities, and its administrators have spoken regularly about the bold and radical rethinking that must be undertaken to allow the fledgling drone industry to thrive. However, a new report from the National Academy of Sciences (NAS) finds that the agency’s approach to drones has been more of the same overzealous precautionary thinking that has defined the agency for decades.

According to the NAS committee that produced the report, the FAA’s drone regulations as written and currently enforced will greatly curb the development of numerous beneficial services. Under the current Part 107 regulatory process, firms and entrepreneurs who wish to operate drones in proof-of-concept experiments that go against current FAA restrictions must receive a waiver. Flying a drone at night, having a single operator control multiple drones, and flying a drone beyond the operator’s line of sight are all use cases that require express permission from the FAA.

When considering waiver applications, the report says the agency often demands evidence that the drones won’t cause harm under any and all contingencies. This creates an obvious catch-22: Entrepreneurs need to run tests to produce data and improve their technologies and services, yet the regulatory agency that must green-light those tests expects air-tight evidence that those technologies and services cannot fail.

Further, the NAS writes that placing the burden on drone operators to show they are prepared for anything that might go wrong creates a “near-zero tolerance” regulatory environment that is built on subjective and “overly conservative” risk estimates that inflates costs and minimizes or flatly ignores benefits.

A 2015 Mercatus comment submitted to the FAA by Eli Dourado, Ryan Hagemann, and Adam Thierer pointed out this very problem when the FAA considered several prohibitions for sUAS activity. For instance, when making its case for a rule prohibiting sUAS from carrying external loads (e.g., packages), the FAA included no discussion or attempted calculation of the benefits that drones carrying external loads would have despite their obvious relevance to drone delivery, photography, and even lifeguard rescue.

Further, the NAS report points out that acceptable risk levels vary by activity. For instance, the FAA has long tolerated a higher risk level for general aviation than for commercial flight. A 2015 report produced by an FAA task force made a similar recommendation when it proposed the risk level associated with general aviation activity as an appropriate benchmark for evaluating sUAS risk. Using that benchmark in a 2016 Mercatus report, Dourado and Sam Hammond estimate that the collision risk posed by sUAS is acceptable, even in the most extreme case that all drone strikes result in fatalities.

Yet the FAA has not heeded the advice that it lower its expectations to be consistent with the appropriate risk tolerance for sUAS, nor has it followed through on its promises to lower regulatory barriers. Instead, the agency has recently considered tightening requirements for drone registration and manufacturing mandates that would enable drone tracking. Further, Pres. Trump signed into law requirements that extended registration requirements to noncommercial drones, which previously fell under exemptions for model aircraft operators that have been targeted by commercial drone trade groups. The version of the 2018 FAA Reauthorization that passed the House includes an amendment that would require even noncommercial drone operators to obtain a license.

The FAA’s precautionary attitude was summarized well in a recent statement by its Acting Director Dan Elwell: “We need assurances that any drone, any unmanned aircraft, operating in controlled airspace is identifiable and trackable.”

But as Dourado and Hammond argue in a 2016 comment to the FAA, the claim that drones operating illegally can only be identified by law enforcement if they prominently display their registration number is contradicted by the feedback the agency received from law enforcement.

[I]n the vast majority of instances, owners of downed sUASs are readily identified even without a registration system in place. The FAA requested information from various law enforcement agencies and notes: “We received feedback that the majority of incidents do not require extensive amounts of time to track down sUAS owners, as they are normally with the sUAS or self-identify if the device crashes.”

In sum, Dourado and Hammond conclude that a drone registry’s compliance costs and deterrence effects far outweigh its at best minimal benefits. In a separate comment to the FAA, the two offer a permissionless innovation framework that would “liberalize most small UASs” as an alternative that promotes drone adoption without posing tangible dangers. Almost three years later, this framework still stands in stark contrast to the FAA’s cautious approach to drones that is out of touch with any reasonable notion of acceptable risk and fails to weigh the vast benefits against only credible safety risks.

Though scathing of the status quo, the NAS report, which was requested by Congress and the FAA, is cause for optimism. As Adam Thierer writes in a detailed summary of the NAS report at Tech Liberation Front, the NAS proposes several promising FAA reforms that would help foster a regulatory environment of permissionless innovation.

H/T Jordan Reimschisel and Adam Thierer. Thanks to Adam and Andrea O’Sullivan for comments.

The FAA's Precautionary Approach to Drones Defies Reasonable Risk Tolerance was originally published in Plain Text on Medium, where people are continuing the conversation by highlighting and responding to this story.

By Alice Calder and Anne Hobson

Lately, the internet is awash with emails and pop-up messages about privacy, data policies or subscriptions. These emails herald the long-dreaded arrival of the expansive new regulations under the EU’s General Data Protection Regulation (GDPR) that go into effect today. The GDPR is a wolf in sheep’s clothing. The obligations to comply with the numerous and vague rules are harming innovation and experimentation and are disproportionately burdensome to smaller businesses, while providing only minimal gains in privacy and control over your data.

The GDPR defines and aims to protect the rights of individuals with regards to their data. As well as keeping data safe, companies that hold individual’s data are also obliged to keep data collection to a minimum and acquire clear affirmative consent to collect data. This last point is one of the trickiest parts of the GDPR and is why you may have received emails asking you to re-subscribe to certain mailing lists. The new regulations require valid, freely given, specific, informed and active consent which is hard to determine in practice. The GDPR also gives individuals the right to erasure, to remove themselves from certain search engine results, and the right to access data which has been collected concerning them.

Although it is an EU rule, the global nature of the Internet means that it will affect both companies and individuals worldwide. One survey suggested that 52 percent of US companies possess data on EU citizens which makes them liable for implementing the required privacy practices. It also applies to any company no matter the size or scope of their operation, including self-employed entrepreneurs, charities and research firms. Given that the fine for non-compliance is €20 million or 4% of global revenue, whichever is highest, businesses globally are scrambling to put plans in place that meet the guidelines.

Data protection is undeniably important, but the regulations introduced in the GDPR are so onerous, expansive and vague that the compliance costs far outweigh the potential gains to privacy. Those who are hardest hit are small businesses without the resources to ensure they meet the new rules. A recent PwC survey found that 88% of companies surveyed spent more than $1 million on GDPR preparations, and 40% more than $10 million. As well as the financial costs involved small businesses face a myriad of other problems bigger companies can avoid.

Without trained legal teams entrepreneurs struggle to even understand what they need to do to comply with GDPR, and must dedicate huge amounts of time to combing through the information available which is confusing and contradictory. So confusing that members of the government of the UK, who were able to attend training sessions on the issues, are unclear on their responsibilities. Add to this the fact that even the regulators in charge of ensuring compliance are not ready to fulfill their duties, and the task of understanding the new rules seems like an impossible task.

Already, companies are responding negatively to the risk of operating under the guidelines, either because of the costs of compliance, or over fear that despite their best efforts they still might face the crippling fines. Many have chosen instead to shut down, withdraw from European markets, or block access to individuals in the EU. London-based website Streetlend, which permitted users to borrow and lend tools at no fee, shut down because of the added cost of GDPR compliance. For those sites that did not shut down, compliance costs are likely to come in the form of higher transaction fees for users.

Whilst small businesses are buckling under the pressure, large companies are able to mobalize company legal teams and come up with largescale solutions. Facebook changed their terms of service and transferred 1.5 billion users from the jurisdiction of their Irish HQ to the U.S. so as to avoid changing data practices in line with GDPR.

Businesses exiting the market and the billions of dollars spent on compliance are the visible costs of the new regulation, but just as important are the unseen consequences. GDPR makes experimentation costly, companies in the cybersecurity industry have already expressed concerns that the obligations will make exploring new technologies, such as cloud-based apps, too risky. Unseen outcomes of the GDPR include the reduced ability of small businesses to compete with large firms as well as potential innovations that are never realised because entrepreneurs are dissuaded from taking on the risk of compliance tasks and fines.

Data privacy comes at a price. The costs that the GDPR will bring upon both companies and individuals are substantial, and the regulatory environment it will generate will suppress innovation. For the internet, an industry characterized by growth and entrepreneurship, this is a bad omen.

Alice Calder is an MA Fellow and Anne Hobson is a Program Manager at the Mercatus Center at George Mason University

Data Privacy at a Price was originally published in Plain Text on Medium, where people are continuing the conversation by highlighting and responding to this story.

The website known for popularizing amateur food reviews has been a vocal critic of Google’s business practices

On Tuesday, Yelp announced that it filed a formal antitrust complaint against Google with the EU. In recent years, Yelp, the website known for its crowd-sourced business ratings, has joined the chorus of ad-driven businesses decrying Google’s business practices. Through the press and lobbying, Yelp has pushed lawmakers and regulators to take action against Google.

Yelp’s working of the press was on full display this past Sunday, when CBS’s 60 Minutes ran a story on Google’s market power. The report contrasts the EU’s aggressive enforcement actions against Google with American regulator’s findings that the firm’s search or advertising practices do not merit intervention. Steve Kroft, who reported the story, features an interview with Yelp co-founder and CEO Jeremy Stoppelman.

In a clumsy demonstration any viewer can recreate in his web browser, Stoppelman shows Kroft the behavior of Google’s search engine that is the subject of Yelp’s complaint to the EU. In particular, Google searches for businesses and restaurants display most prominently a Google Maps view indicating nearby locations that satisfy the query, say “thai food.” Below the map graphic is a list of those same businesses that includes a 5-star rating score sourced from Google users that have written reviews, much like how Yelp creates business ratings from its user reviews.

Stoppelman, as well as Yelp’s vice president of public policy Luther Lowe, believes Google’s prioritization of its Maps results over Yelp’s business ratings webpages is an abuse of its market position in search. Writing in the Wall Street Journal, Lowe argues that Google has created a “walled garden” that hurts competitors. By keeping Google search users within Google’s web services rather than serving results that drive traffic to third-parties like Yelp, Google harms Yelp by denying it the traffic needed to generate ad revenue. A 2017 financial disclosure reported that most of Yelp’s web traffic is generated by search results from Google, Bing, and the like.

Yelp never explicitly states that its webpages should be given priority in Google search, yet the implication is clear that Yelp wishes to regain top search result status for business-related Google searches, whether by a future update to Google’s page-ranking algorithm or by government fiat. With no control over the former, Yelp has opted to devote its time and energy pursuing the latter.

Yelp has had no victories against Google in the U.S. to date — a multi-year FTC investigation ended with no complaints being filed against the company. Yet Yelp has renewed optimism following a recent $2.7 billion fine issued against Google by the EU and growing interest in tech regulation in the U.S. When leveling the fine against Google in 2017, the EU antitrust regulator sided with arguments similar to Yelp’s made by other Google competitors, determining that Google had illegally prioritized its own comparison shopping service over similar competing services.

The EU’s example raises serious concerns that should be heeded by those who wish U.S. regulators would give Yelp a fair hearing. The EU has rewarded firms that have spent tireless energy lobbying for regulatory action against competitors rather than improving their own products. The investigation that led to the large Google fine in 2017 was kicked off by a complaint from European online search firm Foundem, written all the way back in 2009. In the intervening years, Foundem “temporarily” disabled its search services until “the level playing field required for competition and innovation to thrive has been restored.” Despite Google having taken steps to fall into compliance with the EU’s order, Foundem has not yet continued service but instead petitioned the EU competition chief in Feb. 2018 to take further steps to make Google comply with its order.

This shows that competitors will not settle for anything less than draconian measures against Google that either require the tech giant to prop up its competitors or discontinue key components of its web services. In order to ensure that Google gives competing services a “fair shake” in its search results, one or some combination of these rules would need to be enforced:

1. Algorithmic transparency, so that the neutrality of Google’s page-ranking algorithm can be monitored by competitors and regulators. Alleged “search bias” was at the heart of both the FTC’s closed investigation and the EU’s investigation that led to the momentous fine.
2. Interoperability mandate. In the Wall Street Journal article, Lowe suggest that under such a mandate, “Google could power its local searches with services like TripAdvisor, ZocDoc and Yelp.”

Yelp striking a deal with Google to serve online business ratings and reviews to its search results would be very lucrative, as the Yahoo-Bing search deal showed. But it’s unreasonable to expect that forcing Google to shut down its own web services and contract with a competitor is pro-competition (as opposed to pro-competitor).

Further, the full extent to which Google must make its search service interoperable will be almost impossible to parse. Besides crowd-sourced business ratings, would Google need to contract with Expedia to serve travel search results, with MapQuest to serve turn-by-turn navigation searches, or with eBay or Amazon to serve e-commerce results? Requiring Google to outsource its search services to dozens of search boutiques may sound hyperbolic, but the 19 signers of Feb. 2018 letter asking for greater EU enforcement against Google includes firms or trade groups representing firms in travel search, digital mapping, comparison shopping, and news publishing.

While Yelp’s efforts to lobby for similar moves in the U.S. are an understandable move motivated by self-preservation, it’s a great shame that the American press continues to cast Yelp as a sympathetic underdog fighting for the American public rather than a self-serving, rent-seeking business. Its top employees continue to call for regulation despite the fact that anyone can find Yelp’s ratings on the first page of relevant Google searches, at the top of Google’s results by appending “yelp” to any search, or by directly using the search tool featured at the top of Yelp.com.

The idea that Yelp could ease its dependence on Google’s page rankings by focusing on improving its service and driving growth through direct web traffic and its mobile app is not beyond the pale. Consider that Amazon has made significant gains on Google in e-commerce search — studies from last year estimate that about half of online product searches now begin on Amazon. Google’s dominant share in search overall need not be destiny for search in travel or restaurant reviews, no matter what Google’s struggling competitors tell regulators.

Yelp: The Firm Who Cried "Monopoly" was originally published in Plain Text on Medium, where people are continuing the conversation by highlighting and responding to this story.

By Jennifer Huddleston Skees and Jordan Reimschisel

Each day seems to bring a new “data privacy scandal.” During his testimony before Congress, Facebook’s Mark Zuckerberg was repeatedly pressed on whether the United States should adopt the zealous privacy standards of the European Union’s General Data Protection Regulation (GDPR).

But these stringent privacy standards come with high trade-offs, particularly for emerging healthcare technologies. While most people probably believe that health information deserves the utmost protection, we should stop and ask whether such stringent privacy regulations pass the “do no harm” test.

The GDPR is set to go into effect next Friday, May 25, 2018. Many companies are struggling to comply in time. In fact, one survey found that 60% of companies are not expected to be able to reach the May 25 deadline. Even EU member regulators themselves say they aren’t truly ready for the law to go into effect as they realize the high cost of enforcement.

Then there’s the question of interpretation. As Allison Cool pointed out in the New York Times, “what the regulation really means is likely to be decided in European courts, which is sure to be a drawn-out and confusing process.” That kind of regulatory uncertainty is particularly burdensome for those involved in emerging, disruptive healthcare technologies such as genetics, smartphone apps, or wearable Internet of Things (IoT) devices.

There is a way to balance privacy with health innovation. In the United States, the Health Insurance Portability and Accountability Act (HIPAA) was designed to protect patient data in the digital age and allow patients more control over their records. However, it applies in limited circumstances that mostly focus on true medical records stored by healthcare professionals. This is a reasonable compromise between access to data and privacy in most circumstances. The GDPR, in contrast, employs health data definitions and requirements that are far broader and likely classify direct-to-consumer products like FitBits, MapMyRun, and 23andMe as having health information.

This may create two major downsides. First, existing health tech products may pull out of the EU market. Second, new innovations may never take off because of ill-worded privacy rules. For example, Facebook has been unable to roll out its suicide prevention alert in Europe, which many analysts link to GDPR restrictions. The GDPR may prevent or delay other new life-saving technology or applications.

Consider the GDPR’s effects on genetic services. Larger companies are preparing to comply, though many haven’t been clear exactly how. When asked about such efforts, 23andMe declined to explain until after the May 25 deadline had passed. It does seem one strategy is to hire more compliance officers to navigate GDPR’s vague and confusing rules, as a recent company job posting suggests. The description specifically asks for familiarity with GDPR. The rules have the potential to solidify the market power of these major industry players who have the ability to spend the money necessary to comply.

Smaller companies who do not have the same resources are also feeling pressure. Roberta Estes, the founder of a company that analyzes DNA sequencing results and genealogical inquiries, reports that several small projects and companies have chosen to close rather than try to navigate the uncertain regulatory waters of GDPR.

Beside closing altogether, small companies could choose to exclude customers in the areas covered by GDPR and take their services elsewhere. Our colleague Adam Thierer calls such regulatory considerations “innovation arbitrage.” Ironically, 23andMe itself engaged in this kind of arbitrage when it launched its personal health risks test in the U.K. after being barred from marketing the test in the U.S. by the Food and Drug Administration. The vague and burdensome rules of GDPR could have a similar chilling effect on firms that do not have the resources to hire knowledgeable compliance officers.

It is also possible that applications of existing genetic technologies may be frustrated by the GDPR. Take, for example, a service like GEDmatch, which provides free tools to enhance DNA and genealogy research. This service was recently used by law enforcement in California to apprehend the man they believe was the notorious Golden State Killer. Investigators were only able to apprehend the suspect thanks to the open nature of the GEDmatch database, along with the willingness and desire of its users to freely share their personal data. GDPR will likely restrict such extensive sharing even if users desire openness. Such restrictions, though ostensibly for public good, could actually make it harder to identify and apprehend criminals

Much of the focus on GDPR has been on its impact on social media platforms, but the Internet is much broader than a forum for sharing cat photos. It is a powerful tool generating live-saving health technologies. In its rush to dictate privacy practices, the EU is sacrificing access to knowledge that empowers people to make healthier, more evidence-based decisions about their well-being. While we should make informed decisions about with whom we share our valuable data, individuals must be allowed to make those choices themselves. Instead, GDPR forces “protection” on those who don’t want it and would rather have more information and resources available.

GDPR and Me: how the EU data rules could impact genetic testing was originally published in Plain Text on Medium, where people are continuing the conversation by highlighting and responding to this story.

The major problems with the Internet identified by the public, policy experts, and regulators appear to all be rooted in the fairly centralized nature of the network. In short, you don’t need to be a libertarian or cypherpunk to think that a more decentralized Internet protocol would be preferable.

The most pressing economic concern about the Internet economy is the problems of “data capitalism.” I’ve shared my skepticism about claims that big data prove too big an entry barrier for competition to thrive. Nonetheless, the idea that maybe our Internet experience shouldn’t be curated by only a handful of firms appeals to both conservatives and progressives.

We’ve volunteered considerable amounts of information about ourselves that, in retrospect, we may take back had we known what we know today. I attribute this mea culpa for the data economy largely to scapegoating following unsavory election results, but the feelings in support of a need for change are relevant insofar as they initiate political intervention, which they already have done and will likely continue to do so.

When I consider the most pressing policy concern about the Internet, I’d likely say regional fragmentation. This could be reasonably attributed to each government’s means of coping with the economic concerns stated above. Though America and Europe won’t be at the level of China’s “Great Firewall” or strict data localization rules anytime soon, the patchwork of polity-specific tech regulations will essentially fragment the global network into a series of clusters defined by the boundaries of the nation-state, far short of any Internet luminaries vision of a global network truly free from government oversight.

A common refrain in tech policy circles is that the EU has become de facto global regulator of the world’s tech firms. It is true that Brussels has exerted influence from afar on the current global giants like Facebook, Google, Apple, and Amazon, but fledgling startups and other data-centric firms have shown a willingness to simply refuse service in the European Union in light of the forthcoming GDPR rules. Like Justice Potter Stewart, EU regulators won’t really know violations until they see it. Unclear enforcement paired with fines equalling 4 percent of global revenues are enough to make firms stop serving EU clients and wait to see how the EU’s bite compares to its bark.

Further, America’s crackdown on online “issue” speech, exemplified by the Honest Ads Act that would require anyone taking out digital “issue” ads to verify their American identity, sets a poor example for how governments should treat online speech that I think has been understated.

A decentralized Internet may be a cure for both problems. As my former colleague Eli Dourado wrote for this blog, a content-based Internet protocol like the InterPlanetary File System (IPFS) removes strict control of the Internet’s content from both the companies that host content and the governments that control the territory in which servers and data centers happen to reside.

A move away from the location/IP-address based Internet we have now may also clear up one of the most pressing security concerns about the Internet: botnets and memcached servers producing massive DDOS attacks that take down core Internet infrastructure.

While IPFS and other decentralized peer-to-peer networks are not silver bullets to all these problems, they are a step in the right direction in resolving these issues that may get a serious hearing sooner than we expect.

Do All Roads Lead to a Decentralized Internet? was originally published in Plain Text on Medium, where people are continuing the conversation by highlighting and responding to this story.

Yesterday, members of the Trump administration, industry leaders, and experts met at the White House for a summit on artificial intelligence. This marks the first time that any significant action on the subject has been undertaken by this administration.

At the event, Michael Kratsios, the deputy chief technology officer of the administration, announced the creation of a new task force called the Select Committee on Artificial Intelligence that will investigate how to unleash the full potential of AI technology for the American people.

This event came as a surprise when the Washington Post broke the news several days ago. Leading up to this point, President Trump rarely, if ever, spoke about AI. Many of his policy positions, like bringing back manufacturing jobs that have been automated, seem to be at odds with the technology. Additionally, Steven Mnuchin, a member of Trump’s cabinet, previously noted that AI and its effects on the future of work were not even on the administration’s “radar screen.”

Recently, there have been several big AI announcements from France, Germany, and the U.K. pledging huge investments into the technology and offering strategic plans to capitalize on the “Fourth Industrial Revolution.” European leaders have acknowledged the role that AI will play in the future of the global economy and are rushing to make sure they aren’t left behind by the U.S. and China. President Trump’s apparent indifference to AI and his lack of any action on the subject starkly contrast with the Asian and European obsession.

This event seems to be a delayed response to these announcements, as if only happening because of Trump’s fear of missing out and his aversion to being outdone. Trump himself was likely not heavily involved, if he was involved at all. He did not attend or talk about the event, nor were any of his cabinet officials in attendance. Most of the companies involved similarly chose not to send their CEOs to the event, instead opting for lower level deputies.

Based on the reporting, the general sense seems to be “too little, too late.” I would agree. Sure, it is positive that the administration had an AI event, but very little came out of the meeting beside another government task force. It still seems as though the executive branch is not taking AI seriously.

Part of the disappointment stems from the contrast between the focus on the future in European countries and the focus on the past in the Trump administration. While Emmanuel Macron of France and Angela Merkel of Germany advanced bold visions of their respective country’s place in the AI future, Kratsios celebrated the very small steps that the administration has already taken.

Some accomplishments touted by the administration at the event do not seem to be thanks to President Trump at all. The first bullet point in the fact sheet posted to the White House website in conjunction with the event talks about how the federal government’s investment in AI research has grown. Yet the starting date for the statistic is 2015, meaning that AI-related funding activity during the last two years of the Obama administration is being attributed to Trump. And Obama’s White House was quite active on AI in his last two years. One of the documents that the fact sheet links to is the FY 2017 budget request supplement that President Obama submitted in his final year in office. This establishes a brand new Program Component Area (PCA) dedicated to robotics and AI. Trump’s FY 2018 budget request supplement (which is also linked in the fact sheet) actually decreases the amounts requested in this PCA, especially for non-military research-granting agencies.

Again, the Trump administration has taken some small steps forward — the FDA’s work on AI and digital health is a bright spot — but its negative moves overshadow any gains.

Trump has repeatedly proposed deep cuts to the agencies that fund AI research like the National Science Foundation and the National Institutes of Health, only paring back the plan in the wake of Congress lifting spending caps. I understand needing to trim some spending, but there are several other prime candidates for cuts. For example, military spending does not need to keep growing every year. We already spend more on our military than the next seven countries combined. Trimming waste in the Department of Defense could allow for cost reduction and continued funding for AI research. Trump’s immigration policies similarly hurt AI by inhibiting America’s ability to attract the brightest talent from around the world.

To be fair, the administration has no specific goal to restrict AI. They have generally adopted a wait-and-see approach to regulating the technology, which can promote innovation. Even so, the negatives detract from such restraint.

Hopefully, this event was only a start. Ideally, the Council will have some serious discussions and recommendations that informs how the administration moves forward on AI.

The best thing the administration could do would be just that: to focus on the future. An explicit vision of an AI future and a commitment to fostering that would be a great start.

AI, Welcome to the White House was originally published in Plain Text on Medium, where people are continuing the conversation by highlighting and responding to this story.