| |
| META TOPICPARENT | name="FirstEssay" |
|---|
| | | Fool’s Gold | |
<
< | The first state to regulate recreational dispensaries is the first to dispense with unregulated AI. Commentators like EFF have called Colorado’s Artificial Intelligence Act (CAIA), enacted last summer, “comprehensive,” but Colorado’s law merely resembles the European Union’s AI Act. “The Revolution permanently put the major models of European governance off the table,”[1] but apparently, Denver took too little from Brussels, which put too much out of reach of the state. “Today, most commercial software includes open source components,”[2] and last year, researchers at Harvard Business School estimated that open-source software (OSS) produced at least $4.5T in economic value. As demonstrated by DeepSeek? , it is now more doubtful than ever that developing “high-risk AI” requires proprietary ownership, so before the CAIA goes into effect February 6, 2026, the omission of OSS from the CAIA is an open wound that Denver can still patch: (1) directly, by amending the CAIA to align better with the EU, or (2) indirectly, by amending the Colorado Privacy Act (CPA) to collaterally attack the issue as Sacramento has with the California Consumer Privacy Act (CCPA). Here, the direct approach is favored. | >
> | The first state to regulate recreational dispensaries is the first to dispense with unregulated AI. Commentators like EFF have called Colorado’s Artificial Intelligence Act (CAIA), enacted last summer, “comprehensive,” but Colorado’s law merely resembles the European Union’s AI Act. “The Revolution permanently put the major models of European governance off the table,”[1] but apparently, Denver took too little from Brussels and put too much out of reach of the state. “Today, most commercial software includes open source components,”[2] and last year, researchers at Harvard Business School estimated that open-source software (OSS) produced at least $4.5T in economic value. Now, with DeepSeek? , it is more doubtful than ever that developing “high-risk AI” requires proprietary ownership, so before the CAIA goes into effect February 6, 2026, the CAIA's omission of OSS is an open wound that Denver should patch. | | |
Open-source Opening | |
<
< | When DeepSeek? was released, Nvidia, a chips manufacturer, lost $1T in value, as its share price tumbled 17%.[3] Once the world’s most valuable company, Nvidia was chastened by news that massive amounts of compute power would no longer be necessary for cutting-edge development in AI—compared to OpenAI? ’s leading model, O1, DeepSeek? performed at least as well against a battery of tests at comparatively negligible costs. Originally, OpenAI? was founded as a nonprofit to promote open-source AI (ergo, OpenAI? ), but somewhere along the way, that founding mythos was lost—apparently, when humans could no longer handle the gift of knowledge, Prometheus returned to reclaim that fire (Washington State may have a different Mount Olympus, but some suggest lighting money on fire can be traced to Redmond).
As for the CAIA, the arrival of DeepSeek? was not so much a “sputnik” moment, as much as a lesson from Silicon Valley’s recent history. In 1979, Oracle released its first commercial relational database management system, called “Oracle Version 2,” and in 1996, researchers from Berkeley launched PostgreSQL, which became a much-beloved OSS alternative. Today, some industry studies indicate that the latter has more market share than Oracle’s current suite of tools. Even AlphaFold 3 (the model behind the 2024 Nobel Prize in Chemistry) is OSS, so Denver’s myopic view of the “developer” behind major breakthroughs misses the scientific process that underlies progress in software. To that end, where there are replicability issues in many scientific journals, OSS virtually sits in a state of truth, insofar as pull requests are hypotheses (merged, if true, or else restored to previous builds, if false). Thus, superior code is shipped where collaboration and criticism are hallmarks of distributed production. | >
> | When DeepSeek? was released, U.S. stocks lost $1T in value.[3] Once the world’s most valuable company, Nvidia was chastened by news that its most advanced chips might not be as necessary for cutting-edge AI—compared to OpenAI? ’s leading model, O1, DeepSeek? performed at least as well at comparatively negligible costs (ironically, OpenAI? was founded as a nonprofit to promote open-source AI, ergo, "OpenAI").As for the CAIA, the arrival of DeepSeek? then was not so much a “sputnik” moment as much as a lesson from Silicon Valley's history. In 1979, for example, Oracle released its first commercial relational database management system, called “Oracle Version 2,” and in 1996, researchers from Berkeley launched PostgreSQL, a much-beloved OSS alternative. Today, some industry studies indicate that the latter has more market share than Oracle’s current suite of tools. Even AlphaFold 3 (behind the 2024 Nobel Prize in Chemistry) is OSS. To that end, where there are replicability issues in the sciences, OSS virtually sits in a state of truth, so apparently, Denver missed how developers tend to ship superior code wherever there is real collaboration and criticism as with free software. | | |
Minding the Gap | |
<
< | Under the CAIA, a “developer” or “deployer” of AI systems which interact with Coloradans may be subject to AG sanctions if, within 90 days of learning how the “high-risk AI” system caused algorithmic discrimination, but here, there is an open gap for OSS. Modeled after Article 12(1) of the EU AI Act (“High-risk AI systems shall technically allow for the automatic recording of events (logs) over the lifetime of the system.”), Denver appears to monitor the same range of “high-risk” activities outsourced to dice-rolling AI (e.g. deciding whom to hire, whom to give a home loan, etc.), but a closer read of one key provision in Section 1 (“Definitions”) betrays a chasm in Colorado: | >
> | Inspired by Article 12(1) of the EU AI Act (“High-risk AI systems shall technically allow for the automatic recording of events (logs) over the lifetime of the system.”), Denver monitors the same range of “high-risk” activities outsourced to AI (e.g. deciding whom to hire, whom to give a home loan, etc.), but there is a wide chasm between the EU AI Act and the CAIA's language per Section 1 (“Definitions”): | | | (7) "DEVELOPER" MEANS A PERSON DOING BUSINESS IN THIS STATE THAT DEVELOPS OR INTENTIONALLY AND SUBSTANTIALLY MODIFIES AN ARTIFICIAL INTELLIGENCE SYSTEM. | |
<
< | Whereas Article 3 of the EU AI Act says: | >
> | Whereas the EU AI Act's Article 3 says: | | | (3) ‘provider’ means a natural or legal person, public authority, agency or other body that develops an AI system or a general-purpose AI model or that has an AI system or a general-purpose AI model developed and places it on the market or puts the AI system into service under its own name or trademark, whether for payment or free of charge;[4] | |
<
< | Put differently, the CAIA cannot bind OSS like DeepSeek? . Typically, OSS is provided as-is with broad disclaimers against warranty, indemnity, or other liability, but where DeepSeek? is offered on an MIT license, there is a related issue. Apache, BSD, and MIT licenses, for instance, do not require the disclosure of source code—unlike GNU or Mozilla—so the fact that DeepSeek? ’s GitHub? repo exposes some of its source code is not a requirement. Still, Colorado's AG could promulgate rules on licensing without further changing the law beyond embracing OSS:[5] | >
> | Put differently, the CAIA does not countenance OSS like DeepSeek? . Typically, OSS is provided as-is for free with broad disclaimers against warranty, indemnity, or other liability, but where DeepSeek? is offered on an MIT license, there is also a related issue. Apache, BSD, and MIT licenses, for instance, do not require the disclosure of source code—unlike GNU or Mozilla—so the fact that DeepSeek? ’s GitHub? repo exposes some of its source code is unnecessary. Colorado's AG could promulgate rules on proper licensing without further changing the European framework:[5] | | | (7) "DEVELOPER" MEANS A PERSON DOING BUSINESS IN THIS STATE, whether for payment or free of charge..." | |
<
< | Still, until the full EU AI Act goes into effect August 2, 2026, there will inevitably be unknowns in enforcement. However, Denver can more fully fork the legal code to better address problems posed by even mature OSS developers like RedHat? (upselling services but not necessarily core products, which could be AI).[6] | >
> | However, until the full EU AI Act goes into effect August 2, 2026, there will be certain unknowns in enforcement. Nevertheless, forking the full legal code makes more sense for Colorado where there are known quantities like RedHat? (an OSS developer, upselling some services but not necessarily core products that could become industry leaders in AI).[6] | | |
California Dreaming | |
<
< | Alternatively, if regulators fear a deep sea of OSS, they may align the Colorado Privacy Act with the California Privacy Rights Act (CPRA), but such an roundabout approach to regulation is arguably unwise. CPRA, which amended California’s CCPA in 2023, identified “automated decision-making” by AI, as liability borne by the business. However, CPRA only required compliance from businesses earning $25 million in annual gross revenue, which belied how dimly OSS projects were viewed. Of course, Californians’ CCPA provides more protections than Coloradoans’ CPA. If Wells Fargo were to use AI in mortgage servicing, it could still found be found liable under California’s GLBA data-only exemption, but Colorado (like most states with privacy policies) would exempt that financial institution at the GLBA entity-level.[7] Still, as a matter of public policy, Sacramento's for-profit focus means it probably does not warrant imitation where bots can be even more problematic pretenders when offered for free. | >
> | Alternatively, Denver may attack the issue collaterally by looking to the California Privacy Rights Act (CPRA), but such a roundabout solution is arguably unwise. CPRA, which changed California’s CCPA in 2023, identified “automated decision-making” by AI, as a liability borne by the business. However, CPRA only required compliance from businesses earning $25 million in annual gross revenue, betraying how dimly OSS projects must have been viewed by the state. Of course, the CCPA is more robust than the CPA generally. If Wells Fargo were to use AI in mortgage servicing, for instance, it could be found liable under California’s GLBA data-only exemption, but Colorado (like most states with privacy policies) would exempt such a financial institution at the GLBA entity-level.[7] But as a matter of public policy, Sacramento's for-profit focus probably does not warrant imitation, as bots' imitations are probably more problematic when available for free. | | | Up the Mountain | |
<
< | Ultimately, proponents of AI reform should call out the CAIA's continental drift. EU member states are not disinterested actors—just swipe off the tram in Amsterdam! But by ensuring that open-source AI is envisaged when seeking out the source code from any "developer" (or "provider" per the EU AI Act), Colorado will better act on what it has already borrowed from Europe (e.g. per 6-1-1703, compliance for a "deployer" depends on cooperation from a "developer"). Of course, there are still other issues in the CAIA's design like how it mandates a "deployer" follow frameworks like NIST's AI Risk Management Framework or ISO/IEC 42001, which are governance structures maybe better suited for traditional corporate environments than decentralized communities. Absent federal legislation, though, first salvo from the states will shape national conversation as a whole, especially as Texas considers its own bill based on Colorado's. However, unless new “comprehensive” language truly reflects the fact "open source is eating software faster than software is eating the world,” the CAIA will tend to see friends around the campfire... and everybody’s high. | >
> | Ultimately, there are drawbacks to any new regime, but Denver's proponents of AI reform should probably reconsider the CAIA's continental drift. EU member states are not disinterested aggregators of data—just swipe off the tram in Amsterdam! But by gathering and analyzing all relevant source code from any "developer" (or "provider" per the EU AI Act), Colorado would at least ensure what has been borrowed from Europe actually works (e.g. per 6-1-1703 of the CAIA, compliance for a "deployer" depends on cooperation from a "developer"). Surely, other issues remain like how the CAIA confers a rebuttable presumption of reasonable care on any "deployer" that follows frameworks like ISO/IEC 42001 or NIST's AI Risk Management Framework, which may be unrealistic for decentralized developer communities outside the US. Yet, absent federal legislation, this first salvo from the states will likely shape the national conversation as a whole, as shown recently by Texas looking to the CAIA for guidance. Still, unless new “comprehensive” language truly reflects the fact that "open source is eating software faster than software is eating the world,” legislators will tend to just see friends around the campfire and everybody’s high... | | | | |
<
< | Endnotes
- Robert Gordon, The Citizen Lawyer, A Brief Informal History of Myth with Some Basis in Reality, p. 1182.
| >
> | Endnotes:
- Robert W. Gordon, The Citizen-Lawyer - A Brief Informal History of a Myth with Some Basis in Reality, 50 Wm. & Mary L. Rev. 1169 (2009), https://scholarship.law.wm.edu/wmlr/vol50/iss4/4, p. 1182.
| | |
- David Tollen, The Tech Contracts Handbook, Appendix 2 (ABA Publishing, 2021).
- Karen Friar and Ines Ferré, DeepSeek? sell-off reminds investors of the biggest earnings story holding up the stock market, Yahoo Finance (January 27, 2025), https://finance.yahoo.com/news/live/stock-market-today-nasdaq-clobbered-nvidia-sinks-17-while-dow-stages-comeback-as-ai-fears-shake-markets-210101592.html.
- See also, “(10) ‘making available on the market’ means the supply of an AI system or a general-purpose AI model for distribution or use on the Union market in the course of a commercial activity, whether in return for payment or free of charge;”
|
|