Code is Law… But Law is Pretty Important Too

In our “There’s an app for that!” world, it seems hard to believe that you can’t just “code away” any privacy problems that might arise with the use of information technology. Shouldn’t it be possible to prevent the rogue government official from using law enforcement databases to stalk his ex-wife? Can’t we build a system that recognizes when someone is about to inadvertently electronically share information with another individual that should have been kept confidential? At the end of the day, however, protecting privacy in the IT world requires more than just ones and zeroes.

Over a decade ago, Harvard Law professor (and generally all-around smart guy) Lawrence Lessig articulated what he saw as the state of regulation of cyberspace:

The single most significant change in the politics of cyberspace is the coming of age of this simple idea: The code is law. The architectures of cyberspace are as important as the law in defining and defeating the liberties of the Net. Activists concerned with defending liberty, privacy or access must watch the code coming from the Valley—call it West Coast Code—as much as the code coming from Congress—call it East Coast Code.

We can probably safely extend Lessig’s maxim beyond merely the Internet and to most of the information technology world—the architecture of the many devices we now use in our everyday lives governs a significant part of how we engage with business, government, and each other. Indeed, given the ubiquity of these devices, even the most technophobic among us cannot avoid the influence of West Coast Code on our daily lives.

Thus, in a world increasingly dominated by technology, which code—if any—has proven to be an effective means of protecting our privacy and civil liberties?

Lessig predicted that “the future of Net regulation will be more West Coast Code,” and to a large extent he has been correct—again both for the Internet and the broader IT space. The reasons for government inaction are myriad. Technology is rapidly developed, often far outpacing the rate at which legislation and policy can be drafted and enacted, thus limiting its ultimate effectiveness. In addition, government leaders are sometimes hesitant to act out of fears that too much regulation might stifle innovation by dictating technological outcomes and preventing the development of potentially better solutions down the road. Even those willing to take on such legislation could easily be daunted by the technical complexity of the questions they must consider. As a result of these and other factors, critical “IT-heavy” legislation has not been updated to reflect changing technology. (See, for example, the Electronic Communications Privacy Act (ECPA), which determines the procedures by which federal law enforcement agencies can collect different types of electronic communications. ECPA has not been substantially updated since its original enactment in 1986, resulting in a disjointed legal regime that confuses law enforcement as much as it does the public.)

In the absence of East Coast Code, the limitations of West Coast Code when it comes to protecting privacy and civil liberties are clear. It’s difficult—if not impossible—to write code in a way that absolutely prohibits a certain activity. In many cases, the very nature of the application raises the privacy concern. Take for example one of the scenarios suggested above—the rogue user stalking his ex-wife. Data analysis platforms like the ones Palantir develops are designed to aggregate data and make it easily searchable for users. Remove this ability and you avoid the privacy risk of a “bad actor” misusing the data for nefarious ends, but you also take away the ability for law enforcement to effectively investigate crimes.

And so we return to Lessig, who has refined his “code is law” thinking and suggests that some might have missed the point a decade ago:

The lesson of “code is law” is not the lesson that we should be regulating code, the lesson of “code is law” is to find the right mix between these modalities of regulation to achieve whatever regulatory objective a government might be seeking.

In other words, East Coast Code and West Coast Code must complement each other. The architecture of the IT world should offer law and policymakers the tools they need to effectively protect privacy and civil liberties. And lawmakers need to develop law and policy that makes use of those tools—just because you have a hammer in your toolbox doesn’t mean you always use it when you should.

In order for both to work effectively together, the “East Coast” needs to understand technology and the “West Coast” needs to understand the law. This is why Palantir has civil liberties engineers, and it’s why we will frequently return to this subject in this blog.