Law in the Internet Society

MichaelMacKayFirstEssay 6 - 11 Feb 2025 - Main.MichaelMacKay
Line: 1 to 1
 
META TOPICPARENT name="FirstEssay"
Line: 11 to 11
 

Fool’s Gold

Changed:
<
<
The first state to regulate recreational dispensaries is the first to dispense with unregulated AI. Commentators like EFF have called Colorado’s Artificial Intelligence Act (CAIA), enacted last summer, “comprehensive,” but Colorado’s law merely resembles the European Union’s AI Act. “The Revolution permanently put the major models of European governance off the table,”[1] but apparently, Denver has taken too little from Brussels and put too much out of reach of the state. “Today, most commercial software includes open source components,” and now with DeepSeek? , it is more doubtful than ever that developing “high-risk AI” will require proprietary ownership. Before the CAIA goes into effect February 6, 2026, its omission of open source software (OSS) is an open wound that Denver can still patch: (1) directly, by amending the CAIA to align more closely with the EU, or (2) indirectly, by amending the Colorado Privacy Act (CPA) to collaterally attack the issue as Sacramento did with the updated California Consumer Privacy Act (CCPA).
>
>
The first state to regulate recreational dispensaries is the first to dispense with unregulated AI. Commentators like EFF have called Colorado’s Artificial Intelligence Act (CAIA), enacted last summer, “comprehensive,” but Colorado’s law merely resembles the European Union’s AI Act. “The Revolution permanently put the major models of European governance off the table,”[1] but apparently, Denver has taken too little from Brussels and put too much out of reach of the state. “Today, most commercial software includes open source components,”[2] and last year, researchers at Harvard Business School estimated that, conservatively, OSS produced at least $4.5T in economic value. Now with DeepSeek? , it is more doubtful than ever that developing “high-risk AI” will require proprietary ownership. Before the CAIA goes into effect February 6, 2026, its omission of open source software (OSS) is an open wound that Denver can still patch: (1) directly, by amending the CAIA to align more closely with the EU, or (2) indirectly, by amending the Colorado Privacy Act (CPA) to collaterally attack the issue as Sacramento did with the updated California Consumer Privacy Act (CCPA).
 

Open-source Opening
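
Review bot: the $4.5T estimate attributed to "researchers at Harvard Business School" in the rewritten opening paragraph has no footnote marker, while the two quotations around it carry [1] and [2]. Add a numbered note citing the study so the figure can be checked. "Last summer" and "last year" in the same paragraph would also read better as explicit dates, since the revision is dated 11 Feb 2025 and the relative wording will go stale.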

Line: 33 to 33
 Put differently, the CAIA says nothing about OSS like DeepSeek? . OSS is often provided as is with broad disclaimers against warranty, indemnity, or other liability, but DeepSeek? , for example, is offered on an MIT license, which also raises another issue within that world of free software. Apache, BSD, and MIT licenses, for instance, do not require the disclosure of source code—as opposed to GNU or Mozilla—so the fact that DeepSeek? ’s GitHub? repo exposes some of its source code is not required. Currently, there are no enforcement actions by Brussels under the full EU AI Act (which only comes into effect, August 2, 2026), but state regulators could probably promulgate rules on licensing without further changing the law.[5] Thus, the CAIA might read:

(7) "DEVELOPER" MEANS A PERSON DOING BUSINESS IN THIS STATE, whether for payment or free of charge, THAT DEVELOPS OR INTENTIONALLY AND SUBSTANTIALLY MODIFIES AN ARTIFICIAL INTELLIGENCE SYSTEM.

Changed:
<
<
Such legislation and regulation would then cover companies like RedHat? (upselling their services, but not necessarily marketing their free AI), and again, by excluding OSS developers from sources of “high-risk AI,” the CAIA would tend to otherwise overlook industry-leading developers like DeepSeek? .[6]
>
>
Such legislation and regulation would then cover companies like RedHat? (upselling services, but not necessarily selling free AI), and again, by excluding OSS developers from sources of “high-risk AI,” the CAIA would tend to overlook industry-leading developers like DeepSeek? .[6]
 

California Dreaming
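
Review bot: "RedHat? " and "DeepSeek? " in the rewritten sentence, like "GitHub? " in the unchanged paragraph above it, still render with a trailing question mark, which is how TWiki marks a WikiWord that has no matching topic. Escape each name in the topic source (for example !DeepSeek, or a <nop> prefix) so the names display cleanly. Separately, the new parenthetical "not necessarily selling free AI" is harder to parse than the earlier "marketing their free AI", because something offered free is not sold; consider "offering" or restoring "marketing".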

Line: 42 to 43
 

Up the Mountain

Changed:
<
<
Ultimately, proponents of AI reform should continue to call out the CAIA's continental drift. The EU’s state actors are not disinterested aggregators of source code—just swipe off the tram in Amsterdam! But by inserting OSS into the “developer” definition (or "provider" per the EU AI Act), Colorado will at least operationalize the other mechanisms it has borrowed from European regulators. That said, there is still complexity in the CAIA's design, as the law mandates a "deployer" implement frameworks like NIST's AI Risk Management Framework or ISO/IEC 42001, which are governance structures perhaps better suited for traditional corporate environments than decentralized development communities. Still, absent federal legislation, this first salvo in regulating AI by the states will greatly shape the national conversation as a whole. Hence, unless “comprehensive” language truly reflects the reality of a vast OSS underground, the CAIA will tend to see friends around the campfire... and everybody’s high.
>
>
Ultimately, proponents of AI reform should continue to call out the CAIA's continental drift. EU member states are not disinterested aggregators of data—just swipe off the tram in Amsterdam! But by ensuring that OSS is included when seeking source code from any "developer" (or "provider" per the EU AI Act), Colorado will at least operationalize the other mechanisms that it has borrowed from Europe (e.g. currently, per 6-1-1703, compliance for a "deployer" is parasitic on cooperation from a "developer," so a "deployer" using open-source AI where not all of the source code is available would be unable to comply). That said, there are still other issues in the CAIA's design, including how the law mandates a "deployer" follow frameworks like NIST's AI Risk Management Framework or ISO/IEC 42001, which are governance structures probably better suited for traditional corporate environments than decentralized development communities. Still, absent federal legislation, this first salvo in the states regulating AI will greatly shape the national conversation as a whole. However, unless more “comprehensive” language truly reflects the fact that "open source is eating software faster than software is eating the world,” the CAIA will tend to see friends around the campfire... and everybody’s high.
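
Review bot: the new parenthetical cites "6-1-1703" as a bare section number, with no code title and no footnote, so a reader cannot tell which statute compilation it refers to; give the full citation once, preferably in a note. The parenthetical also carries the paragraph's main argument (a "deployer" cannot comply when the "developer" does not supply the source) and would be clearer as its own sentence. The closing quotation "open source is eating software faster than software is eating the world,” opens with a straight quote, closes with a curly one, and has no attribution; match the quote marks and add the source.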
 
Line: 52 to 53
 
  1. Karen Friar and Ines Ferré, DeepSeek? sell-off reminds investors of the biggest earnings story holding up the stock market, Yahoo Finance (January 27, 2025), https://finance.yahoo.com/news/live/stock-market-today-nasdaq-clobbered-nvidia-sinks-17-while-dow-stages-comeback-as-ai-fears-shake-markets-210101592.html.
  2. See also, “(10) ‘making available on the market’ means the supply of an AI system or a general-purpose AI model for distribution or use on the Union market in the course of a commercial activity, whether in return for payment or free of charge;”
  3. The state AG—already empowered under the CAIA to issue rules for enforcement—could further specify appropriate licenses (e.g. CDDL, EPL, GPL, MPL, etc.).
Changed:
<
<
  1. In February, DeepSeek? was the most downloaded app on the AppStore? and Google Play.
  2. Only 20 states have data privacy policies: thirteen have exemptions for data and entities under the Gramm-Leach-Bliley Act; four for just GLBA entities; and three (CO, OR, and MN) for GLBA data-only.
>
>
  1. In January, DeepSeek? was the most downloaded free app on the AppStore? and Google Play.
  2. Only 20 states have data privacy policies: thirteen have exemptions for data and entities under the Gramm-Leach-Bliley Act; four for just GLBA entities; and three (CO, OR, and MN) for GLBA data-only.
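
Review bot: the corrected note ("In January ... most downloaded free app") still gives neither a year nor a source for the ranking. Write the month with its year and cite the chart or report relied on, since the correction from "February" to "January" shows the claim is date-sensitive. The second note is unchanged between revisions and also lacks a source for the 20-state count and the GLBA breakdown.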
 



Revision 6r6 - 11 Feb 2025 - 20:51:43 - MichaelMacKay
Revision 5r5 - 11 Feb 2025 - 04:54:58 - MichaelMacKay
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.