Gil on Cyber Checks and Balances

Elad Gil (Hebrew University of Jerusalem – Faculty of Law) has posted “Cyber Checks and Balances” (Cornell International Law Journal, Forthcoming) on SSRN. Here is the abstract:

How does the digital era affect the ability of governments to ‘govern’? On the one hand, global connectivity and data-driven technologies provide governments with powerful new ways to exercise coercion. Digital surveillance, content takedowns (i.e., censorship), forced data ‘localization’, and hacking, to take a few examples, have become widely adopted techniques in the toolkits of many democratic states. These techniques enable encroachments on liberty that only two decades ago would seem unthinkable. On the other hand, the exclusive status of the state as “the sovereign” is challenged in cyberspace more than in any other arena by a variety of non-state actors, as well as foreign states. Scholarly accounts accordingly split between two narratives: some scholars view the digital era as the beginning of an era of awesome state power, while others see signs of state decline.

This Article challenges both narratives, arguing that ‘government power’ in cyberspace cannot be theorized as a static concept. Rather, it is determined by a web of interactions with and pressures from forces and actors that, although operating outside the constitutional structure, are akin in their effect to constitutional checks and balances. Aiming to fill a gap in the literature, this Article conceptualizes the cyber checks and balances ecosystem, identifies and analyzes its four principal components—the private sector, the ‘architecture’ of cyberspace, international law, and international politics—and examines the interwoven effects. It demonstrates how cyber checks and balances constrain the government in some ways but empower it in others, sometimes even enabling the government to circumvent legal limitations on its own authority. After mapping this ecosystem, the Article assesses its normative implications. Viewing the balance of power between the state and other forces in cyberspace as a system of checks and balances affords a more accurate and nuanced analysis of governmental exercises of power in the digital domain. More importantly, this Article shows that understanding how this ecosystem is shaping state power can help the traditional forces within the constitutional system—lawmakers, judges, and executive gatekeepers—optimize their checking and balancing, ensuring that government power in cyberspace is exercised effectively yet responsibly.

Swire & Kennedy-Mayo on The Effects of Data Localization on Cybersecurity

Peter Swire (Georgia Institute of Technology) and DeBrae Kennedy-Mayo (same) have posted “The Effects of Data Localization on Cybersecurity” on SSRN. Here is the abstract:

This paper is the first systematic examination of the effects of data localization laws on cybersecurity. This paper focuses on the effects of “hard” data localization, where transfer of data is prohibited to other countries. Other “softer” versions of data localization also exist, such as where a country requires a copy of data to be stored or mirrored in the country, but transfer of the data remains lawful. The discussion includes both de jure and de facto effects, including China’s explicit laws, recent enforcement actions in the European Union, and proposed privacy legislation in India. The focus is on effects on cybersecurity defense, rather than offensive cyber measures.

Part I provides background. Part II examines privacy and non-privacy reasons driving localization laws, including examining ways that cybersecurity might either reinforce privacy or exist in tension with it. Part III addresses the research for this paper. In addition to a traditional literature review, we reviewed approximately 200 comments submitted to the European Data Protection Board in late 2020 concerning data transfers. Approximately 25% of the comments discussed data localization or a similar concept.

Part IV provides a new categorization of the effects of data localization on cybersecurity. First, our analysis shows that data localization would threaten an organization’s ability to achieve integrated management of cybersecurity risk. 13 of the 14 ISO 27002 controls, as well as multiple sub-controls, would be negatively affected by data localization. As a specific finding, required localization in two or more nations clearly restricts the ability to conduct integrated cybersecurity management.

Second, the analysis explains how data localization pervasively limits provision of cybersecurity-related services by third parties, a global market of roughly $200 billion currently. Notably, data localization laws supported in the name of cybersecurity often undermine cybersecurity – purchasers in the locality are deprived of best-in-breed cybersecurity services, thereby making them systematically easier targets for attackers. Third, data localization threatens non-fee cooperation on cybersecurity defense. Notably, localization undermines information sharing for cybersecurity purposes, which policy leaders have emphasized as vital to effective cybersecurity.

Finally, until and unless proponents of localization address these concerns, scholars, policymakers, and practitioners have strong reason to consider significant cybersecurity harms in any overall analysis of whether to require localization.

Gervais on AI Derivatives: the Application to the Derivative Work Right to Literary and Artistic Productions of AI Machines

Daniel J. Gervais (Vanderbilt Law) has posted “AI Derivatives: the Application to the Derivative Work Right to Literary and Artistic Productions of AI Machines” (Seton Hall Law Review, Vol. 53, 2022) on SSRN. Here is the abstract:

This Article predicts that there will be attempts to use courts to try to broaden the derivative work right in litigation either to prevent the use of, or claim protection for, literary and artistic productions made by Artificial Intelligence (AI) machines. The Article considers the normative valence and the (significant) doctrinal pitfalls associated with such attempts. It also considers a possible legislative alternative, namely attempts to introduce a new sui generis right in AI productions. Finally, the Article explains how, whether such attempts succeed or not, the debate on rights (if any) in productions made by AI machines is distinct from the debate on text and data mining exceptions.

Ferrandis & Lizarralde on Open Sourcing AI: Intellectual Property at the Service of Platform Leadership

Carlos Muñoz Ferrandis (Max Planck Institute for Innovation and Competition; Universidad de Alicante; Global Innovation, Policy & Law Research Group (GIPLaw-UA)) and Marta Duque Lizarralde (TUM School of Management,Technical University of Munich) have posted “Open Sourcing AI: Intellectual Property at the Service of Platform Leadership” on SSRN. Here is the abstract:

Artificial Intelligence – AI – is one of the most strategic technologies of our century. Consequently, tech companies are adopting intellectual property strategies to protect their investment in the field, which encompasses copyright, patents and trade secrets. While the number of AI-related patent applications is increasing, the number of open source AI projects sponsored by major AI patent holders is also on the rise. This article explores the strategic reasons behind the growing adoption of open source licensing in the AI space. More precisely, it assesses how IP rights are articulated around “openness” as a competitive factor in ecosystem competition, and how some players are using open source licensing successfully to attract a critical mass of users and build an ecosystem around their AI platforms. Moreover, this article integrates the debate on the protectability of AI features by IP rights to assess the potential implications for open source. Finally, it analyses the most used open source licences in AI projects and highlights existing and future challenges from an IP and contractual law perspective.

Meurer on Bilski and the Information Age a Decade Later

Michael J. Meurer (Boston University – School of Law) has posted “Bilski and the Information Age a Decade Later” on SSRN. Here is the abstract:

In the years from State Street in 1999 to Alice in 2014, legal scholars vigorously debated whether patents should be used to incentivize the invention of business methods. That attention has waned just as economists have produced important new research on the topic, and just as artificial intelligence and cloud computing are changing the nature of business method innovation. This chapter rejoins the debate and concludes that the case for patent protection of business methods is weaker now than it was a decade ago.

Hine & Floridi on A Comparative Analysis of American and Chinese Governmental AI Policies

Emmie Hine (Oxford Internet Institute) and Luciano Floridi (Oxford Internet Institute; U Bologna Law) have posted “Artificial Intelligence with American Values and Chinese Characteristics: A Comparative Analysis of American and Chinese Governmental AI Policies” on SSRN. Here is the abstract:

As China and the United States strive to be the primary global leader in AI, their visions are coming into conflict. This is frequently painted as a fundamental clash of civilisations, with evidence-based primarily around each country’s current political system and present geopolitical tensions. However, such a narrow view claims to extrapolate into the future from an analysis of a momentary situation, ignoring a wealth of historical factors that influence each country’s prevailing philosophy of technology and thus their overarching AI strategies. In this article, we build a philosophy-of-technology-grounded framework to analyse what differences in Chinese and American AI policies exist and, on a fundamental level, why they exist. We support this with Natural Language Processing methods to provide an evidentiary basis for our analysis of policy differences. By looking at documents from three different American presidential administrations––Barack Obama, Donald Trump, and Joe Biden––as well as both national and local policy documents (many available only in Chinese) from China, we provide a thorough comparative analysis of policy differences. This article fills a gap in US-China AI policy comparison and constructs a framework for understanding the origin and trajectory of policy differences. By investigating what factors are informing each country’s philosophy of technology and thus their overall approach to AI policy, we argue that while significant obstacles to cooperation remain, there is room for dialogue and mutual growth.

Yueh-Ping Yang on When Jurisdiction Rules Meet Blockchain

Alex Yueh-Ping Yang (National Taiwan University – College of Law) has posted “When Jurisdiction Rules Meet Blockchain: Can the Old Bottle Contain the New Wine?” on SSRN. Here is the abstract:

The distributed nature of blockchain poses challenges to the existing legal system, notably the jurisdiction rules addressing court jurisdiction and governing laws. The In re Tezos case, a securities law dispute brought in the District Court of Northern District of California of the United States, was the case facing this particular challenge. In this paper, I conduct a case study of the In re Tezos case to illustrate how the distributed nature of blockchain impacts the determination of court jurisdiction and governing law in the securities regulation context. I argue that while the internet has already complicated those effect-based jurisdiction rules, blockchain further complicated those conduct-based jurisdiction rules. With this understanding, I offer several principles for addressing the jurisdiction issues in cases involving blockchain-based securities. Specifically, I propose an effect-based jurisdiction rule limited by a de minimis exception to mitigate blockchain’s impact, enhance legal certainty, and promote international coordination.

Sokol on A Framework for Digital Platform Regulation

D. Daniel Sokol (USC Gould School of Law; USC Marshall School of Business) has posted “A Framework for Digital Platform Regulation” (Competition Law International Vol 17 2021) on SSRN. Here is the abstract:

In rapid succession, a number of jurisdictions have moved away from focusing on antitrust enforcement to the proposed regulation of digital platforms. Ostensibly, the regulatory focus is about competition and potential concerns that traditional ex post enforcement may be ill-equipped to address the power of digital platforms. This article focuses on the realities of what platform regulation might mean, and how to better frame and structure the nature of appropriate regulation. This article first identifies a number of the different approaches to regulation that various jurisdictions have put forward, and then lays out six basic principles for platform regulation to help address some of the potential harms that such approaches may unwittingly be pursuing. Without guiding principles, platform regulation will be counter-productive by destroying the value creating aspects of platforms – stifling innovation, increasing prices and potentially distorting non-price factors of competition such as quality.

Lee on Licenses for CryptoPunks NFTs

Edward Lee (Chicago-Kent College of Law) has posted “The Cryptic Case of the CryptoPunks Licenses: The Mystery Over the Licenses for CryptoPunks NFTs” on SSRN. Here is the abstract:

The CryptoPunks NFT collection, produced by Larva Labs, is the highest-grossing NFT collection to date. Sales have surpassed $1.6 billion. That figure is all the more astounding given that Larva Labs gave away all 10,000 CryptoPunks NFTs for free in 2017. Christie’s has described the CryptoPunks as “the alpha and omega of the CyptoArt movement.” Adding to their mystique is a legal mystery: What content license governs the use of the CryptoPunks artwork and characters? Shockingly, Larva Labs distributed the 10,000 CryptoPunks NFTs without any written content license in 2017. Apparently, one of the Larva Labs co-founders John Watkinson later adopted the open-source NFT License in 2019 to apply to the CryptoPunks NFTs. But that adoption was in a chat on Discord, a social media platform. Mysteriously, Larva Labs has not officially adopted the NFT License in the Terms and Conditions for the CryptoPunks NFTs on its website. This Article dissects the cryptic case of the CryptoPunks licenses.

Froomkin, Arencibia & Colangelo on Safety as Privacy

A. Michael Froomkin (University of Miami – School of Law; Yale ISP), Phillip J. Arencibia (Duane Morris LLP), and Zak Colangelo (Lewis Brisbois Bisgaard & Smith LLP) have posted “Safety as Privacy” on SSRN. Here is the abstract:

New technologies, such as internet-connected home devices we have come to call ‘the Internet of Things (IoT)’, connected cars, sensors, drones, internet-connected medical devices, and workplace monitoring of every sort, create privacy gaps that can cause danger to people. In Privacy as Safety, 95 Wash. L. Rev. 141 (2020), two of us sought to emphasize the deep connection between privacy and safety, in order to lay a foundation for arguing that U.S. administrative agencies with a safety mission can and should make privacy protection one of their goals. This article builds on that foundation with a detailed look at the safety missions of several agencies. In each case, we argue that the agency has the discretion, if not necessarily the duty, to demand enhanced privacy practices from those within its jurisdiction, and that the agency should make use of that discretion.

This is the first article in the legal literature to identify the substantial gains to personal privacy that several U.S. agencies tasked with protecting safety could achieve under their existing statutory authority. Examples of agencies with untapped potential include the Federal Trade Commission (FTC), the Consumer Product Safety Commission (CPSC), the Food and Drug Administration (FDA), the National Highway Traffic Safety Administration (NHTSA), the Federal Aviation Administration (FAA), and the Occupational Safety and Health Administration (OSHA). Five of these agencies have an explicit duty to protect the public against threats to safety (or against risk of injury) and thus – as we have argued previously – should protect the public’s privacy when the absence of privacy can create a danger. The FTC’s general authority to fight unfair practices in commerce enables it to regulate commercial practices threatening consumer privacy. The FAA’s duty to ensure air safety could extend beyond airworthiness to regulating spying via drones. The CPSC’s authority to protect against unsafe products authorizes it to regulate products putting consumers’ physical and financial privacy at risk, thus sweeping in many products associated with the IoT. NHTSA’s authority to regulate dangerous practices on the road encompasses authority to require smart car manufacturers include precautions protecting drivers from misuses of connected car data due to the car-maker’s intention and due to security lapses caused by its inattention. Lastly, OSHA’s authority to require safe work environments encompasses protecting workers from privacy risks that threaten their physical and financial safety on the job.

Arguably an omnibus, federal statute regulating data privacy would be preferable to doubling down on the U.S.’s notoriously sectoral approach to privacy regulation. Here, however, we say only that until the political stars align for some future omnibus proposal, there is value in exploring methods that are within our current means. It may be only second best, but it is also much easier to implement. Thus, we offer reasonable legal constructions of certain extant federal statutes that would justify more extensive privacy regulation in the name of providing enhanced safety, a regime that would we argue would be a substantial improvement over the status quo yet not require any new legislation, just a better understanding of certain agencies’ current powers and authorities. Agencies with suitably capacious safety missions should take the opportunity to regulate to protect relevant personal privacy without delay.