
Here are two tech policy issues that don't seem related but are: the FCC's current push to open up the set-top-box, and the lawsuits challenging Uber's and Lyft's classification of drivers as independent contractors rather than employees. The way to see the connection is through the lens of control vs. competition. More specifically, they are about breaking apart the service and the interface, and how that can benefit competition and innovation. In the case of the set top box, the FCC wants to require that cable providers allow any set top box or tv to connect directly to the cable wire and decrypt the schedule and content -- so that any box or TV of the user's choosing can build an interface around the TV/video listings and video content. Under the FCC's plan, Comcast and other cable providers would not have the exclusive right to the interface, and would instead be required to let customers use a box or TV or their choosing. The FCCs reasoning here is twofold: the first reason is cost -- consumers spend an average of $231 per year (or $20B total, annually) renting set-top boxes from cable companies; and the second is innovation: users of Comcast's cable service will recognize this interface, which has existed unchanged (until very recently with the introduction of the X1 box) for at least a decade:

Because Comcast and other cable/video providers control both the service and the interface, and there's no machine-readable API for accessing info through a third-party device, they're able to charge high fees for the boxes, and are under no pressure to innovate on the interface. So, how does that relate at all to what's going on with Lyft and Uber and the worker classification lawsuits? The focus of the ridesharing labor debate has been on classification of drivers as "independent contractors" or "employees", which, at its heart, is about control. The more control that's exerted, the more it looks like an employee relationship, the less that's exerted, the more it looks like an independent contractor relationship. What's so confusing is that in an app-mediated world, where platforms straddle the line between being "services" and "marketplaces", control looks different than it did in the industrial era. Alex Rosenblat from the Data & Society Institute has taken an interesting look at this. Her research examines the often subtle ways in which data-rich platforms exert control over their users/partners/workers. At the heart of it is the information asymmetry that exists between platforms and workers -- which platforms make use of to exert control in subtle ways that look and feel very different than in the traditional employer / employee relationship. The parallel, then, to the set-top box debate is that separating the service from the interface may be the most elegant regulatory intervention here, as opposed to the more traditional interventions proposed by labor advocates. My colleague Albert calls this the right to be represented by a bot. Imagine a "driver bot" that could interface with ridesharing services on behalf of the driver, much the way that an AppleTV or Roku would interface with Cable programming under the FCC's proposal. Such a bot would be able to ingest information from ridesharing services, including rides available, pricing information (surges, etc), ratings and transactional data, etc., and interact with the services on behalf of the driver. Over time, and deployed across the entire ridesharing fleet, such a bot service would be able to counterbalance the information asymmetry that Rosenblat describes, by analyzing and interpreting data collected across the entire network, and presenting it to drivers in a transparent and consistent way. Why would rideshare platforms want to go along with such a scheme? Because doing so would bolster their arguments that they really do have an arms-length, independent contractor relationship with their drivers -- one that truly delivers freedom, flexibility and choice. And, because the alternative -- using heavy-handed, outmoded labor law to force the square peg of platform workers into the round hole of W2 employees -- would be a much tougher proposition. I suspect that over time, more and more regulators outside of the telecom space will take this kind of information-centric approach, recognizing the power dynamics embedded in data-rich systems. It strikes me that such an approach will be necessary to move from a regulation 1.0 era to a regulation 2.0 era.
For the past few weeks, I've been following the FBI / Apple phone unlocking case, and digging deep into the debate around encryption, security and privacy. This debate is as old as the sun, and the exact same arguments we're going through now were fought through 20 years ago during the first crypto wars and the US government's effort to deploy the Clipper Chip as a way of sharing crypto keys between industry and government. The stance of the tech industry has always been "strong crypto or else, because Math" and the stance of the government has been "come on guys, let's figure something out here". At USV, we've been trying to look at this round of the fight with fresh eyes, to the extent possible. What we've been wondering is: is there something different this time around?[1] Has anything changed that might make us reconsider these dug-in, partisan-esque positions? Are there unintended consequences that the tech industry hasn't been considering? To paraphrase my colleague's arguments, Fred points out that trust, safety and security are serious issues within and around web platforms, and platform operators do have a civic duty to cooperate with law enforcement when it's necessary and lawful (on the surface this is not controversial -- it all depends on the whys and hows). Albert adds to that, and has also written extensively about the general concerns of crypto trench wars leading us down the path to a spy vs spy society where information and knowledge are locked up, rather than an open society that benefits from collective intelligence and open knowledge. The part I really want to dig into is an apparent parallel here between data security and DRM. With DRM, there's been a 30 year battle to lock down the entire software and hardware ecosystem in the name of controlling access to content. Internet / free culture advocates have long pointed out that the more enlightened approach is to understand that information wants to be free, and we can all be better off if adapt our culture, expectations, and business models to a world where remixing is allowed. Now, as we look at data security and privacy, I feel a lot of those same forces coming to bear: in the name of data security and privacy, we need to all get on board with a controlled software / hardware model where companies, rather than users themselves, control data flows. This is best exemplified by Apple's security model, which stores encryption keys in a separate "secure element" and only allows software to be installed that's signed by Apple -- conforming not only to their security policies but to their control policies. This, I think, is where some of us have gotten uncomfortable. What we don't want is the cause of security and privacy to lead us down the path to lockdown and the war against general purpose computing, the way that DRM has. A risk here seems that many of the folks who are fighting for copyright reform & device unlocking, may also be unwittingly undermining those same causes in the crypto/privacy/security fight. So what I've been trying to do is parse apart the issues of security and control. Can we have one without the other, and can we talk about them, and advocate for (or against) them separately? (And, for bonus points, can we find ways to have both security and access to knowledge -- for example as secure data processing projects such as Enigma, LeapYear and Inpher are exploring) Amazingly, as I've been chewing on this part specifically, I came across this announcement about the effort to assemble a secure, open, mobile OS + app + app store stack. What we've got here is a hardened operating system built on Android (Copperhead OS), a set of secure applications (from the Guardian Project), and a distributed app store (F-Droid) with no central gatekeeping. Why is this important? Because it shows that it's possible to have verifiable security without the anti-innovation control that comes from centralized app stores. For example: one of our portfolio companies recently realized that by shifting from an app-store model to an API-based model, they could increase their product iterations by 1000% -- shipping new code instantly, rather than waiting weeks for app store approval. This is the kind of innovation we want, and it's just not possible with the controlled app store model. It's also important for other kinds of security -- specifically, the ability for users to audit and inspect the devices and services they use. This was a key outcome of the VW emissions scandal, and will be increasingly important as more Internet of Things devices do more things with more data. If we move towards a world of DRM-style data lockdown, we'll have less knowledge of how products work and less control over our information. This has been a long post, so I'll just summarize by saying: I think it would do everyone good to keep looking at the encryption issue not simply through the lens of privacy and security, but also through the lens of openness and innovation, and make sure that whatever policies and technologies we support coming out of this strike the best possible balance. -- [1] the best resources from the academic community on the subject are Keys Under Doormats, an MIT publication pointing out the security risks of "key escrow" systems that the government prefers, and Don't Panic, a Berkman Center report pointing out the extent to which the "going dark" framing is misleading, since the overall surface area for digital surveillance has grown dramatically at the same time that strong encryption has made some data inaccessible.
Earlier this week, I was at SXSW for CTA's annual Innovation Policy Day. My session, on Labor and the Gig/Sharing Economy, was a lively discussion including Sarah Leberstein from the National Employment Law Project, Michael Hayes from CTA's policy group (which reps companies from their membership including Uber and Handy), and Arun Sundararajan from NYU, who recently wrote a book on the Sharing Economy. But, that's not the point of this post! The point of this post is to discuss an idea that came up and a subsequent session, on Security & Privacy and the Internet of Things. The idea that struck me the most from that session was the tension -- or depending on how you look at it, codependence -- between the "freedom to innovate" and the "freedom to investigate". Defending the Freedom to Innovate was the Mercatus Center's Adam Thierer. Adam is one of the most thoughtful folks looking at innovation from a libertarian perspective, and is the author of a book on the subject of permissionless innovation. The gist of permissionless innovation is that we -- as a society and as a market -- need the ability to experiment. To try new things freely, make mistakes, take risks, and -- most importantly -- learn from the entire process. Therefore, as a general rule, policy should bias towards allowing experimentation, rather than prescribing fixed rules. This is the foundation of what i call Regulation 2.0[1]. Repping the Freedom to Investigate was Keith Winstein from the Stanford CS department (who jokingly entered his twitter handle as @Stanford, which was reprinted in the conference materials and picked up in the IPD tweetstream). Keith has been exploring the idea of the "Freedom to Investigate", or, as he put it in this recent piece in Politico, "the right to eavesdrop on your things". In other words, if we are to trust the various devices and services we use, we must have a right to inspect them -- to "audit" what they are saying about us. In this case, specifically, a right to intercept and decrypt the messages sent between mobile / IoT devices and the web services behind them. Without this transparency, we as consumers and a society have no way of holding service providers accountable, or of having a truly open market. The question I asked was: are these two ideas in tension, or are they complimentary? Adam gave a good answer, which was essentially: They are complimentary -- we want to innovate, and we also need this kind of transparency to make the market work. But... there are limits to the forms of transparency we can force on private companies -- lots of information we may want to audit is sensitive for various reasons, including competitive issues, trade secrets, etc. And Kevin seemed to agree with that general sentiment. On the internet (within platforms like eBay, Airbnb and Uber), this kind of trade is the bedrock of making the platforms work (and the basis of what I wrote about in Regulation the Internet Way). Users are given the freedom to innovate (to sell, write, post, etc), and platforms hold them accountable by retaining the freedom to investigate. Everyone gladly makes this trade, understanding at the heart of things, that without the freedom to investigate, we cannot achieve the level of trust necessary to grant the freedom to innovate! So that leaves the question: how can we achieve the benefits of both of these things that we need: the freedom to experiment, and the freedom to investigate (and as a result, hold actors accountable and make market decisions)? Realistically speaking, we can't have the freedom to innovate without some form of the freedom to investigate. The tricky bit comes when we try to implement that in practice. How do we design such systems? What is the lightest-weight, least heavy-handed approach? Where can this be experimented with using technology and the market, rather than through a legal or policy lever? These are the questions. [1] Close readers / critics will observe an apparent tension between a "regulation 2.0" approach and policies such as Net eutrality, which I also favor. Happy to address this in more depth but long story short, Net Neutrality, like many other questions of regulations and rights, is a question of whose freedom are we talking about -- in this case, the freedom of telcos to operate their networks as they please, or the freedom of app developers, content providers and users to deliver and choose from the widest variety of services and programming. The net neutrality debate is about which of those freedoms to prioritize, in which case I side with app developers, content providers and users, and the broad & awesome innovation that such a choice results in.
