Yesterday, a fabulous new tool launched — HelloVote:
HelloVote makes it easy easy easy to register to vote. Sign up w your phone number and do the whole thing over text.
This is great for a lots of reasons — from its immediate practicality, to its more general lesson that it’s possible to build new, accessible interfaces on top of our existing systems (civic or otherwise).
If you want to embed HelloVote in your site, you can do that here. If you run a large platform and want to partner with HelloVote to reach your audience, contact [email protected].
Side note: HelloVote is built on top of Twilio, through the Twilio.org partnership program, where nonprofits receive a $500 credit and 25% off of ongoing services.
To better support small businesses operating in regulated sectors, we should develop “alternative compliance” mechanisms — parallel regulatory regimes that achieve the goals of existing regulations but take an alternative, data-oriented approach to achieving them. Such an approach would be especially friendly to the smallest of small businesses, and would take advantage of available connectivity and data, simultaneously achieving the public goals of access to economic opportunity and public safety / consumer protection.
Access to work and jobs
Digital platforms are enabling new ways of working. It’s easier than ever to start a small business, whether that’s cutting hair, giving rides, running errands, making food, providing professional services, or making products. Financing platforms like Kickstarter, Indiegogo and CircleUp make it easier to raise capital (when that’s necessary), and marketplace platforms like Lyft, Thumbtack, Upwork, Etsy and Josephine not only make it easier to reach customers, but also provide trust & safety systems necessary to secure commerce.
The result is that it’s never been easier to find, get, or make-your-own, work. Digital platforms make onboarding fast and convenient, and give workers / makers / sellers the ability to get into market and build their reputations & businesses from there.
This is by and large a good thing. We want access to jobs and work; we want a broad diversity of products and services; we want more competition in the marketplace; we want quality and convenience for customers. Digital platforms give us all these things. It is a profoundly pro-small-business and pro-consumer moment in time.
The traditional regulatory model: barriers to entry
But of course, there is a catch. The process of quickly on-boarding via a digital platform, getting yourself out into the market, and building a reputation over time (tracked by data in a digital platform) is often at odds with our traditional mechanisms for regulating commerce, which have always employed a licensing / permission based model, where the main tool is creating barriers to entry.
Regular readers will recognize this diagram and the following one:
The traditional approach makes sense in a time when the ability to monitor and track compliance is limited and enforcement is expensive. For a long time (really, until just the last few years), this has been the case.
However, by its nature, this model is exclusionary — it is hard to get started, because it takes time and money to fulfill typical regulatory requirements. This has the effect of advantaging larger businesses over smaller ones, incumbents over startups, and companies over individuals.
Further, the overall effectiveness of this style of regulation is limited — once actors are in the market, ensuring for public safety and consumer protection is difficult and expensive, leading to a standard regime of occasional spot checking (think restaurant inspections) and attention only to the most egregious violations.
The web model: fewer barriers to entry, but more accountability
Given the real-time data infrastructure of the web, an alternative model is possible, which focuses on accountability over permission / barriers to entry:
This is how every web platform works: by increasing the use of data to increase accountability, we are now able to lower the initial barriers to entry.
The result is a powerful democratizing effect, across every industry (ride sharing, home sharing, manufacturing, cooking, professional services, etc), making it easier for small businesses to get started and reach customers. Consumers have more choices, and more competition on the supply side makes the market healthier.
It also leads to many (realized and potential) improvements in public safety and consumer protection, as constant performance monitoring leads to an unprecedented level of accountability. This comes not only in the form of peer review (ratings on eBay, Lyft, etc.) but also in the form of vast volumes of data (coming from apps, phones, sensors, etc.) that give us a granular, real-time view of what’s happening. This is brand new and very powerful from a regulatory and public policy perspective.
Conflicts between the traditional model and the web model
And now, in every regulated sector, we are seeing a clash between the traditional, permission + barriers-to-entry model and the web’s data + accountability model.
Here, we see the tension between independent food entrepreneurs (people selling prepared food from their home kitchens) and the traditional food safety regulators. While health departments have always cracked down on DIY food sales, the issue is exacerbated now by the addition of digital platforms further opening these markets, and providing systems to reduce friction from these transactions.
In the article, Sarah quotes me on an idea for “alternative compliance mechanisms” that could help bridge this divide, and that’s what I want to focus on here.
Bridging the gap: alternative compliance for web-enabled small businesses
Alternative compliance is a mechanism for achieving the goals of traditional consumer safety regulations, but using different tools & approaches. Same goals, alternative techniques.
I propose that in regulated sectors (housing, transportation, health, food, labor, etc), we seek to design, in parallel to existing regs, alternative compliance regimes that rely on data & accountability rather than up-front barriers to entry; in short: the ability to opt-out of existing regulations by opting-in to a data-sharing agreement.
Given any sector where such an alternative compliance mechanism exists, businesses could choose whether to be regulated under the traditional regime, or instead opt-into the alternative compliance regime. Doing so would relieve them of the traditional regulatory requirements, but would introduce new, data-oriented requirements. Note: this applies to existing businesses as well — so this is not just special treatment for small businesses or web companies, but rather an alternative regulatory paradigm that any company can opt-in to if they so choose.
For example, to build on the food safety example, here’s what traditional food safety regulation often looks like (emphasis mine):
“If you want to sell food in California, your kitchen needs to have a sink—at least 18 by 18 inches in length and width and 12 inches deep—exclusively for washing and preparing food. It needs another sink with at least three compartments (“with two integral metal drain boards”) for washing, rinsing, and sanitizing dishes. Countertops must be “nonabsorbent,” typically stainless steel, and the lightbulbs above where you prepare food should be “shielded, coated, or otherwise shatter-resistant.” Your can opener must have a “piercing part” that can be removed and cleaned. “It’s about a $50,000 effort,” says Peter Ruddock, the coordinator of the California Food Policy Council. “It would be a significant investment to turn your kitchen into something that you wouldn’t want [in your home].”
An alternative regime might look something like this:
Chefs must register with an online platform (Josephine, Homemade, or any other that complies with some basic standards — including possibly one run by a regulator) and create a profile.
All transactions must include a verified user review / rating.
Platforms must be transparent in disclosing data about cooks (level of experience, details of ratings, etc) to end customers.
Aggregate performance data must be shared by the platform with the health department. Specific inquiries can be facilitated based on evidence of specific harms. In return for providing this data, platforms receive immunity from intermediary liability. (Getting this right will be hard, but it is critical.)
Individual cooks must have access to their own data in downloadable/API form, thus limiting potential market power of any one online platform.
On an ongoing basis, adjustments to related policies can be made based on evidence gained from the data.
In addition to these general ideas, you could also include industry- or function-specific requirements, such as:
Require low-cost sensors (of some kind) in any active kitchens (for home cooked food)
Link OBD port for acceleration & other driving data (for on-demand drivers)
etc.
In alternate compliance mode, getting started as a home chef costs $100, vs $50,000 to build a traditional commercial kitchen. This is just a sketch, but it gets at the main point, which is that it’s possible to design a parallel system to support data-driven regulation where that’s possible.
In considering such an idea, we’d want to keep the following ideas in mind:
As good or better
Importantly, when we talk about “alternative” compliance, we should stress that doesn’t mean “worse” or “not at all”. In fact, the level of effectiveness that we should be shooting for is as good or better than existing regulations.
Exactly how “as good or better” is achieved depends on the context of the specific sector, but would be driven by the data (aggregate and individual, summary and real-time) collected by the various platforms and interpreted over time for policy development and enforcement.
Real-time response
One way in which data-driven regulatory systems can improve on traditional systems is the speed in which responses can be handled. When data is coming from many sources in real-time or near-real-time, responses (such as enforcement or policy adjustments) can happen much more quickly. In addition, trends can be noticed sooner, based on early signals from widespread data, giving regulators a chance to get further ahead of growing problematic situations.
Lower cost of operations & enforcement
Given the low marginal cost of additional data, alternative, data-driven regulatory regimes can be operated at a lower cost than traditional licensing-and-enforcement regimes. While there is significant up-front cost in designing and building such infrastructure (as is the case with building any web platform), the ongoing costs are exceedingly low. In the case of alternative compliance via partnership (with existing tech platforms) regulators can theoretically piggyback on platform investments made by companies already in market.
Further, certain accountability functions can be crowdsourced. For example, imagine visitors at airbnb venues reporting on the existence of smoke detectors & fire extinguishers, much the same way that users of Foursquare crowd-source data about restaurants (what are the hours, do they accept credit cards, etc). By building infrastructure for end-users to report data, the centralized burden on monitoring and enforcement can be further reduced.
Either / or, not both
It’s important that such a system would need to be “either / or” — meaning, businesses (chefs, drivers, etc) would be regulated either by the old system or by the new one — not both. This is important, because the whole point of reducing barriers to entry is to allow market participants who wouldn’t have made it before under the permission/licensing based system. So, if we were to use an alternative compliance mechanism, but the newly available data to simply enforce the all of existing rules, then we’re missing the whole point.
For example, if we allow home-cooked food sales if it’s tracked by an online platform, but then use the data in the platforms to enforce existing home-cooked food laws and put the chefs out of business, all we are doing is creating a better enforcement system for existing laws, not broadening the scope of what’s possible and safe in the world, and really opening up markets to new entrants.
The big opportunity here is to give ourselves the space to explore new ways of doing things, to innovate, to experiment, while still reserving the right to make adjustments if the situation warrants it.
We need to give ourselves room to change our norms, policies and laws, over time, as we become comfortable with new technologies and new ways of doing things. This is what innovation is — and this is why it’s so important to not simply enforce the current laws to their maximum extent, but rather to give ourselves the space to explore new ways of doing things, while closely tracking the outcomes so we can manage for trust & safety.
Thus, participating in a digitally-enabled alternative compliance scheme should give market participants the chance to prove themselves outside of the existing rules — it must give them immunity from the existing rules, and the chance to prove that their businesses can be operated safely and in a trusted way, and monitored through data access.
Put another way, an alternative, data-driven compliance regime says “we’ll let you do this, so we can learn from it”.
For regulation that learns, data is an asset.
The trick, then, is to enable regulation that learns; regulation that’s dynamic, not static, that evolves and improves over time.
Critical to that goal is the mindset that data is an asset. The more open we are to new kinds of business operating, the more we have the opportunity to see data that comes from activities, the more we can learn from the data, and then iterate on policy. Thinking about policy and regulation this way therefore biases us towards encouraging activity to happen, rather than stopping it from happening.
Building on existing regulations
One approach might be to build on top of an existing regulatory but hack to make it more useful. For instance, perhaps within the context of, say, taxi licensing, one could construct an alternative approach to a single part of the process (perhaps vehicle inspection, or background checks — using a tool like Checkr). Taking a partial or incremental approach can have the dual benefits of a smaller scope, and building off of systems that are already understood and trusted).
Possible approaches to implementation
An alternative compliance regime could be executed a number of different ways, for example:
By partnering with commercial platforms/marketplaces (as in the above example) — let any online platform become a compliance partner by meeting some basic, open standards.
By regulators building their own online infrastructure to manage registrations, transactions, and data (more difficult, but not impossible)
By using third-party platforms that broker data and transactions between commercial actors and regulators (such as Airmap for drones)
By establishing open standards for data reporting (similar to existing reporting requirements)
The point being, that what’s necessary to implement such an alternative compliance mechanism is a data platform. In some cases that can be an existing platform, but it could be also be a new platform developed by the government.
Identifying suitable sandboxes
Bringing this high level idea down to earth, it makes sense to try and identify targeted areas where it would be possible to construct such an alternative regulatory environment.
An ideal sandbox would be a relatively narrow sector, with relatively low stakes in terms of public safety & consumer protection, in a jurisdiction where there’s sufficient local control and autonomy to try something new without having to do lots of coordination and negotiation across city/county/state/federal jurisdictions.
One of the areas I’ve been focused on here is the need for “regulatory tech”. In other words, tools & services to help broker the individual / government & corporation / regulator relationship.
In a nutshell: we are entering the information age, and as such our fundamental models for accomplishing our goals are changing. In the case of regulation, that means a shift from the industrial, permission-based model to the internet-native, accountability based model. This is an issue I’ve written about many many times before.
In order for this transition to happen, we need some new foundational technologies: specifically, tools and services that broker the data sharing relationship between government and the private sector. These can be vertical services (such as Airmap for drones), or horizontal tools (such as Enigma).
You can see the video of the talk (10min) here:
And the slides are here:
The timing is apropos because here in New York State, the senate & assembly just passed a bill banning advertising for short-term apartment rentals. This is a very very coarse approach, that declines to regulate using an accountability-based model rather than a permission-based model. Now of course, this particular issue has been fraught for a long time, including claims that Airbnb manipulated the data it shared with NYS regulators. But that situation is in fact a perfect example of the need for better tools & techniques for brokering a data-based regulatory relationship.
Here are two tech policy issues that don’t seem related but are: the FCC’s current push to open up the set-top-box, and the lawsuits challenging Uber’s and Lyft’s classification of drivers as independent contractors rather than employees.
The way to see the connection is through the lens of control vs. competition. More specifically, they are about breaking apart the service and the interface, and how that can benefit competition and innovation.
In the case of the set top box, the FCC wants to require that cable providers allow any set top box or tv to connect directly to the cable wire and decrypt the schedule and content — so that any box or TV of the user’s choosing can build an interface around the TV/video listings and video content.
Under the FCC’s plan, Comcast and other cable providers would not have the exclusive right to the interface, and would instead be required to let customers use a box or TV or their choosing. The FCCs reasoning here is twofold: the first reason is cost — consumers spend an average of $231 per year (or $20B total, annually) renting set-top boxes from cable companies; and the second is innovation: users of Comcast’s cable service will recognize this interface, which has existed unchanged (until very recently with the introduction of the X1 box) for at least a decade:
Because Comcast and other cable/video providers control both the service and the interface, and there’s no machine-readable API for accessing info through a third-party device, they’re able to charge high fees for the boxes, and are under no pressure to innovate on the interface.
So, how does that relate at all to what’s going on with Lyft and Uber and the worker classification lawsuits?
The focus of the ridesharing labor debate has been on classification of drivers as “independent contractors” or “employees”, which, at its heart, is about control. The more control that’s exerted, the more it looks like an employee relationship, the less that’s exerted, the more it looks like an independent contractor relationship.
What’s so confusing is that in an app-mediated world, where platforms straddle the line between being “services” and “marketplaces”, control looks different than it did in the industrial era. Alex Rosenblat from the Data & Society Institute has taken an interesting look at this. Her research examines the often subtle ways in which data-rich platforms exert control over their users/partners/workers. At the heart of it is the information asymmetry that exists between platforms and workers — which platforms make use of to exert control in subtle ways that look and feel very different than in the traditional employer / employee relationship.
The parallel, then, to the set-top box debate is that separating the service from the interface may be the most elegant regulatory intervention here, as opposed to the more traditional interventions proposed by labor advocates. My colleague Albert calls this the right to be represented by a bot.
Imagine a “driver bot” that could interface with ridesharing services on behalf of the driver, much the way that an AppleTV or Roku would interface with Cable programming under the FCC’s proposal. Such a bot would be able to ingest information from ridesharing services, including rides available, pricing information (surges, etc), ratings and transactional data, etc., and interact with the services on behalf of the driver.
Over time, and deployed across the entire ridesharing fleet, such a bot service would be able to counterbalance the information asymmetry that Rosenblat describes, by analyzing and interpreting data collected across the entire network, and presenting it to drivers in a transparent and consistent way.
Why would rideshare platforms want to go along with such a scheme? Because doing so would bolster their arguments that they really do have an arms-length, independent contractor relationship with their drivers — one that truly delivers freedom, flexibility and choice. And, because the alternative — using heavy-handed, outmoded labor law to force the square peg of platform workers into the round hole of W2 employees — would be a much tougher proposition.
I suspect that over time, more and more regulators outside of the telecom space will take this kind of information-centric approach, recognizing the power dynamics embedded in data-rich systems. It strikes me that such an approach will be necessary to move from a regulation 1.0 era to a regulation 2.0 era.
For the past few weeks, I’ve been following the FBI / Apple phone unlocking case, and digging deep into the debate around encryption, security and privacy.
This debate is as old as the sun, and the exact same arguments we’re going through now were fought through 20 years ago during the first crypto wars and the US government’s effort to deploy the Clipper Chip as a way of sharing crypto keys between industry and government. The stance of the tech industry has always been “strong crypto or else, because Math” and the stance of the government has been “come on guys, let’s figure something out here“.
At USV, we’ve been trying to look at this round of the fight with fresh eyes, to the extent possible. What we’ve been wondering is: is there something different this time around?[1] Has anything changed that might make us reconsider these dug-in, partisan-esque positions? Are there unintended consequences that the tech industry hasn’t been considering?
To paraphrase my colleague’s arguments, Fred points out that trust, safety and security are serious issues within and around web platforms, and platform operators do have a civic duty to cooperate with law enforcement when it’s necessary and lawful (on the surface this is not controversial — it all depends on the whys and hows). Albert adds to that, and has also written extensively about the general concerns of crypto trench wars leading us down the path to a spy vs spy society where information and knowledge are locked up, rather than an open society that benefits from collective intelligence and open knowledge.
The part I really want to dig into is an apparent parallel here between data security and DRM. With DRM, there’s been a 30 year battle to lock down the entire software and hardware ecosystem in the name of controlling access to content. Internet / free culture advocates have long pointed out that the more enlightened approach is to understand that information wants to be free, and we can all be better off if adapt our culture, expectations, and business models to a world where remixing is allowed.
Now, as we look at data security and privacy, I feel a lot of those same forces coming to bear: in the name of data security and privacy, we need to all get on board with a controlled software / hardware model where companies, rather than users themselves, control data flows. This is best exemplified by Apple’s security model, which stores encryption keys in a separate “secure element” and only allows software to be installed that’s signed by Apple — conforming not only to their security policies but to their control policies.
This, I think, is where some of us have gotten uncomfortable. What we don’t want is the cause of security and privacy to lead us down the path to lockdown and the war against general purpose computing, the way that DRM has. A risk here seems that many of the folks who are fighting for copyright reform & device unlocking, may also be unwittingly undermining those same causes in the crypto/privacy/security fight.
So what I’ve been trying to do is parse apart the issues of security and control. Can we have one without the other, and can we talk about them, and advocate for (or against) them separately?
(And, for bonus points, can we find ways to have both security and access to knowledge — for example as secure data processing projects such as Enigma, LeapYear and Inpher are exploring)
Amazingly, as I’ve been chewing on this part specifically, I came across this announcement about the effort to assemble a secure, open, mobile OS + app + app store stack. What we’ve got here is a hardened operating system built on Android (Copperhead OS), a set of secure applications (from the Guardian Project), and a distributed app store (F-Droid) with no central gatekeeping.
Why is this important? Because it shows that it’s possible to have verifiable security without the anti-innovation control that comes from centralized app stores. For example: one of our portfolio companies recently realized that by shifting from an app-store model to an API-based model, they could increase their product iterations by 1000% — shipping new code instantly, rather than waiting weeks for app store approval. This is the kind of innovation we want, and it’s just not possible with the controlled app store model.
It’s also important for other kinds of security — specifically, the ability for users to audit and inspect the devices and services they use. This was a key outcome of the VW emissions scandal, and will be increasingly important as more Internet of Things devices do more things with more data. If we move towards a world of DRM-style data lockdown, we’ll have less knowledge of how products work and less control over our information.
This has been a long post, so I’ll just summarize by saying: I think it would do everyone good to keep looking at the encryption issue not simply through the lens of privacy and security, but also through the lens of openness and innovation, and make sure that whatever policies and technologies we support coming out of this strike the best possible balance.
—
[1] the best resources from the academic community on the subject are Keys Under Doormats, an MIT publication pointing out the security risks of “key escrow” systems that the government prefers, and Don’t Panic, a Berkman Center report pointing out the extent to which the “going dark” framing is misleading, since the overall surface area for digital surveillance has grown dramatically at the same time that strong encryption has made some data inaccessible.
