I don’t know if you’ve ever had the experience of running for a train that’s just started to move? I’ve had to do it a few times. Yes, I was younger and more foolish then. But it was usually within seconds of the train moving that I was on it. It’s only in old movies that you see the protagonists dashing down the platform as the train picks up speed. Usually, you just have the platform length and the problem is that the train is accelerating. There is a finite window of opportunity after which you’re just going to be left on the platform. This is my very long-winded analogy for regulators and technology. As technology accelerates – it’s getting harder for regulators to keep pace and in fact, in many areas they are just like the proverbial train chasers, running desperately after an accelerating train – often in a futile bid to control a business or industry that is on the verge of leaving the station of regulatory comfort. You can pick from a range of visual metaphors – a man trying to control seven unruly horses, or grabbing a tiger by the tail, but you get the idea. Regulators are in a fix.
The sight (and sounds) of the congressional hearing of Mark Zuckerberg did not bode well for regulators. They should have had Zuckerberg dead to rights over it’s (willing or unwilling) culpability in the Cambridge Analytica imbroglio. Yet he came out with barely a scar to show for 2 days of grilling. Many of the people asking him questions came across as the stereotypical grandparent trying to figure out the internet from their grandchild, even if these are very exaggerated caricatures. There is arguably a 40 year age gap between the average lawmaker and the average entrepreneur. But the age challenge is just a minor problem. Here are some bigger ones.
Technology businesses are shape-shifting enterprises invariably redefining industries. Platforms cannot be regulated like their industrial counterparts. Uber is not a taxi company. Facebook is not a media business. Airbnb is not a hotel. No matter how convenient it might be to classify and govern, or how often someone points out that the world’s biggest taxi company doesn’t have taxis. No, these are data and services platforms, and they need an entirely new definition. You could argue that the trouble with Facebook has come about because they were being treated like a media organisation, rather than a data platform. And let’s not forget that the only reason Facebook was in the dock is because of the success of Cambridge Analytica in actually influencing an election. Not for the misuse of customer data on a daily basis which may have gone on for months and years by Cambridge Analytica as well as other similar firms. While governments’ focus on Uber stems largely from incumbent and licensed taxi services, nobody seems to be worried that Uber knows the names, credit card details and the home and office residences of a majority of its users.
Tech businesses, even startups, are globally amorphous from a very early age. Even a 20 person startup barely out of its garage can be founded in California, have it’s key customers in Britain, its servers in Russia, its developers in Estonia and pay taxes in Ireland. Laws and governments are intrinsically country bound and struggle to keep up with this spread of jurisdiction. Just think of the number of torrent services that have survived by being beyond the reach of regulation.
These are known problems and have existed for a while. Here’s the next challenge which is a more fundamental and even an existential one for lawmakers. With the emergence of machine learning and AI, the speed of technology change is increasing. Metaphorically speaking, the train is about to leave the station. If regulators struggle with the speed and agility of technology companies today, imagine their challenge in dealing with the fast-evolving and non-determinate outcomes engendered by AI! And as technology accelerates, so do business models, and this impacts people, taxes, assets, and infrastructure. Imagine that a gig-economy firm that delivers food home builds an AI engine that routes its drivers and finds a routing mechanism that is faster but established as being riskier for the driver. Is there a framework under which this company would make this decision? How transparent would it need to be about the guidance it provides to its algorithms?
I read somewhere this wonderful and pithy expression for the challenge of regulation. A law is made only when it’s being broken. You make a law to officially outlaw a specific act or behaviour. Therefore the law can only follow the behaviour. Moreover, for most countries with a democratic process, a new law involves initial discussion with the public and with experts, crafting of terms, due debate across a number of forums and ultimately a voting process. This means we’re talking in months, not days and weeks. And if technology is to be effectively regulated and governed, a key challenge to address is the speed of law-making. Is it possible to create an ‘agile’ regulatory process? How much of the delay in regulation is because the key people are also involved with hundreds of other discussions. Would lawmaking work if a small group of people was tasked to focus on just one area and be empowered to move the process faster in an ‘agile’ manner? We are not talking about bypassing democratic processes, just moving through the steps as quickly as possible. A number of options are outlined in this piece from Nesta website – including anticipatory regulation (in direct contravention of the starting point of this paragraph), or iterative rather than definitive regulation. All of these have unintended consequences so we need to tread cautiously. But as with most businesses, continuing as present is not an option.
Then there’s the data challenge. The big technology platforms have endless access to data which allows them to analyse them and make smarter decisions. Why isn’t the same true of regulators and governments? What would true data-driven regulation look like? We currently have a commitment to evidence-driven policymaking in the UK (which has sometimes been unkindly called policy driven evidence making!) but it involves a manual hunt for supporting or contradicting data, which is again time-consuming. What if a government could analyse data at the speed of Facebook, and then present that to the experts, the public, and legislators in a transparent manner? The airline industry shares all the data about every incident, accident and near miss, across its ecosystem, competitors, and regulators, and this is a significant contributor to overall airline safety. (Outlined in the book Black Box Thinking, by Matthew Syed.) Why isn’t the same true for cybersecurity? Why isn’t there a common repository for all the significant cyber attacks, which can be accessed by regulators armed with data science tools and skills, so that they can spot trends, model the impact of initiatives and move faster to counter cyber attacks? If attacks seem to originate from a specific territory or impact a specific vulnerability of a product, pressure can be brought to bear on the relevant authorities to address those.
These are non-trivial challenges and we need to be aware of risks and unintended consequences. But there is no doubt that the time has come for us to think of regulation that can keep pace with the accelerating pace of change, or governments and regulators will start to feel like the protagonists of movies where people run after trains.