This week I’ve been reading the latest drafts of the UK’s Investigatory Powers Act, which attempts to give UK law enforcement the power to ban security fixes, amongst other things (here’s a summary), and thinking about other famous regulatory disasters, and in turn thinking about what it means when people in an industry say ‘no!’
Whenever anyone proposes new rules or regulations, the people affected always have reasons why this is a terrible idea that will cause huge damage. This applies to bankers, doctors, farmers, lawyers, academics… and indeed software engineers. They always say ‘no’ and policy-makers can’t take that at face value: they discount it by some percentage, as a form of bargaining. But when people say ‘no’, they might actually mean one of three different things, and it’s important to understand the difference.
First, and this is the default, they’re saying no because they just don’t like it. They have their own opinion of how this should be done and don’t want outsiders making them change it. Quite possibly they already considered your plan and decided against it. The new policy is probably awkward, annoying and inconvenient, and will cost money (even if it’s not explicitly aimed at profits). It’s a pain in the arse. However, it is also possible, and not actually a big deal, and in the end it won’t really damage the product or the company. They can do it - they just don’t like it.
A good current example might be the EU DSA’s requirement that if you run a marketplace and can ban people from using it, you need to have some due process and right of appeal: if Airbnb kicks someone off and that affects their income, that can’t be entirely arbitrary. Airbnb or Uber might think this is unnecessarily bureaucratic and that their existing processes are fine, but life will go on. Social networks will have to offer chronological feeds, though the theory of harm behind this rule is at best poorly-evidenced and most normal users don’t actually like them. It’s annoying to people at Meta or TikTok, in the abstract, but it doesn’t matter much either way. And the next iPhone will probably switch to USB-C because of a new EU rule that has little to no real engineering or environmental benefit. In the end, it doesn’t actually matter much, and life goes on. ‘No’ just means ‘that’s annoying’.
Second, though, the tech industry (or the doctors, or the farmers) might be saying no because this really will have very serious negative consequences that you haven’t understood.
My favourite example is California’s 2019 ‘AB5’ law. This aimed to classify ‘gig economy’ workers, especially (and deliberately) Uber drivers, as employees, with access to healthcare. This might or might not be a good policy objective (reasonable people can debate this), but the law itself was drafted so ineptly that it effectively made anyone who did any freelance work an employee, and hence in turn effectively banned freelance work. There followed a desperate scramble to exempt over 100 professions, from doctors to truck drivers to hairdressers, before the whole thing had to be abandoned. A lot of people told the politicians about the problem, but the politicians just said “everyone always says every law will be a disaster” and ignored them. Oops.
Tech has a lot of examples of this kind of thing. The Canadian government told Google and Meta that if a link to a newspaper story ever appears in search, or if a journalist ever posts a link to a story on Facebook, then they have to pay the newspaper for sending business to the newspaper. Most of the Canadian tech and indeed media industries pointed out how stupid this was, and Google and Meta said that given the choice, they’d stop letting news appear rather than pay a fee they could not control and that had no economic basis. The government thought this was the first kind of ‘no’ and a bluff, but actually, it was the second kind. Oops.
To give another EU example (because that’s where most of the laws are coming from right now) the initial drafts of the DMA required anyone running a messaging app to let ‘any’ third party interconnect and interoperate, and to give any such third party ‘all’ the same access to internal data as internal teams. That sounds sensible… until you realise that hundreds of groups are trying to connect to WhatsApp or iMessage to spam their users, and you’ve just told Meta and Apple to let them do that, and that dozens of intelligence agencies would love to have ‘all the data your internal teams have’. Fortunately, in this case, when the entire tech industry said ‘you’re out of your mind’ the EU did actually listen.
If the second kind of ‘no’ is ‘that’s a really bad idea’, the third kind is ‘we actually can’t do that’.
The perennial example here, of course, is encryption. For the last 25 years, engineers have said “we can make it secure, or we can let law enforcement have access, but that means the Chinese can get in too” and politicians reply “no, make it secure but not for people we like”.
My old boss Marc Andreessen, back when he was on the internet, liked to call this the ‘nerd harder’ argument. The engineer says not “I don’t want to” nor “that’s a bad idea” but “I genuinely have no idea how to do that even if I wanted to” and the policy-maker replies “you’re an engineer - work it out!” “Work it out” is generally a demand to invent new mathematics, but sadly, mathematics doesn’t work like that. Your MPs’ WhatsApp group can be secure, or it can be readable by law enforcement and the Chinese, but you cannot have encryption that can be broken only by our spies and not their spies. Pick one.
I think the structural problem here, across all three kinds of ‘no’, is that this is pretty new to most of us. I often compare regulation of tech to regulation of cars - we do regulate cars, but it’s complicated and there are many different kinds of question. ‘Should cars have different emissions requirements?’ is a different kind of question to ‘does the tax code favour too much low-density development?’ and both questions are complicated. It’s a lot easier to want less congestion in cities than to achieve it, and it’s a lot easier to worry about toxic content on social media than to solve it, or even agree what ‘solve’ would mean.
But we all grew up with cars. We have a pretty good idea of how roads work, and what gearboxes are, even if we’ve never seen one, and if someone proposed that cars should not come with seats or headlights because that’s unfair competition for third-party suppliers, we could all see the problem. When policy-makers ask for secure encryption with a back door, we do not always see that this would be like telling Ford and GM to stop their cars from crashing, and to make them run on gasoline that doesn’t burn. Well yes, that would be nice, but how? They say ‘no’? Easy - just threaten them with a fine of 25% of global revenue and they’ll build it!
A Californian optimist would say that we’ll age out of this. The policy class that got their staff to print their emails will age out and be replaced by the generation that grew up sending emojis, and understands that tech policy is just as nuanced, complex and full of trade-offs as healthcare, transport or housing policy. A European would ask how well California handles healthcare, transport or housing.