Code’s New Regulator?

What Amazon Inspector has to do with improving regulatory oversight

“Code,” Larry Lessig famously argued, “is law.” The idea is that code, like law, can be a tool of governance and regulation. It sets the terms of the experience. For example, Apple regulates ads in Safari by choosing whether or not to support third-party content blockers in iOS. By supporting content blockers, or not, iOS expands or contracts the options available to developers and users. We can argue over whether the terms “law”, “governance” or “regulation” rightly apply here, but the point is clear enough: code can facilitate or constrain behavior, and make behaviors more or less costly. In this way, code is at least like law.

Code and law are not alone in their ability to facilitate or constrain behavior. Norms, the physical environment, and information each possess the capacity to constrain and facilitate behavior, too. Each is different, but they all can “set terms.” And they can be deployed in combination. One might see apps, web platforms, and mobile ecosystems as governments, using these tools to achieve (policy) aims and reduce undesirable side effects of those aims.

Sometimes, however, efforts to reduce side effects produce side effects themselves. As Wiener and Alemanno write, “wherever states deploy regulation, demand arises for oversight of the regulatory system” to reduce compliance costs, ancillary risks, rent-seeking, and so forth. We might think of this set of regulators as the guardians who oversee the guardians.

Last week Amazon announced Inspector, which automatically assesses apps for deviations from common security compliance standards. For example, if an app isn’t PCI DSS compliant, Inspector will flag the issue and provide a roadmap for remediating the deficiency. If code is law, then AWS Inspector might be its new regulator. Inspector is the guardian overseeing the guardian.


As regulation strives to be more efficient, more innovation friendly, and less subject to rent-seeking, regulators have increasingly looked to improve the quality of oversight. One approach has been the creation of new regulatory oversight boards. The EU’s new Regulatory Scrutiny Board, for example, purports to perform “fitness checks” on legislation.

Another approach is to continue to create and improve new tools for monitoring the fitness of existing or proposed rules. From a certain perspective, we can see Inspector as a sort of regulatory oversight tool. If there’s any merit to this perspective (an open question!), then it might offer opportunities to learn as we go about constructing new oversight tools to be applied not just to code, but to law.

Clapping shows how much you appreciated Adam Hill’s story.