|
Law in the Internet Society
|
|
Rocky Mountain High: Colorado’s AI Act and Hallucinations about Open-Source-- By MichaelMacKay - 25 Oct 2024Fool’s GoldThe first state to regulate recreational dispensaries is the first to dispense with unregulated AI. Commentators like EFF have called Colorado’s Artificial Intelligence Act (CAIA), enacted last summer, “comprehensive,” but Colorado’s law merely resembles the European Union’s AI Act. “The Revolution permanently put the major models of European governance off the table,”[1] but apparently, Denver has taken too little from Brussels and put too much out of reach of the state. “Today, most commercial software includes open source components,” and now with DeepSeek? , it is more doubtful than ever that developing “high-risk AI” will require proprietary ownership. Before the CAIA goes into effect February 6, 2026, its omission of open source software (OSS) is an open wound that Denver can still patch: (1) directly, by amending the CAIA to align more closely with the EU, or (2) indirectly, by amending the Colorado Privacy Act (CPA) to collaterally attack the issue as Sacramento did with the updated California Consumer Privacy Act (CCPA).Open-source OpeningWhen DeepSeek? , an OSS project from China, was released, Nvidia, a chips manufacturer, lost $1T in value, as share price tumbled 17%.[3] One of the world’s most valuable companies, Nvidia was chastened by news that massive amounts of compute power would no longer be necessary for cutting-edge development in AI—compared to OpenAI? ’s leading model, O1, DeepSeek? performed at least as well across a battery of tests at comparatively negligible costs. Originally, OpenAI? was founded as a nonprofit to promote the open source development of AI (ergo, OpenAI? ), but that founding mythos was lost somewhere along the way—apparently, when humans could no longer handle the gift of knowledge, Prometheus also returned to reclaim fire (Washington State may have a different Mount Olympus, but the ashes of lighting money on fire may yet be traced to Redmond). Hence, as for the CAIA and other aspiring regulators, the arrival of DeepSeek? was not so much a “sputnik” moment, as much as a wake-up call from Silicon Valley’s recent economic history. In 1979, Oracle released its first commercial relational database management system, called “Oracle Version 2,” and in 1996, researchers from Berkeley launched PostgreSQL, which became a much-beloved OSS alternative. Today, some industry studies indicate that the latter has more market share than Oracle’s current suite of tools. Even AlphaFold? 2 (the model behind the 2024 Nobel Prize in Chemistry) is OSS, so Denver’s narrow view of the “developer” behind major breakthroughs appears to miss the scientific process that underlies progress in software. Notably, where there are replicability issues in journals, OSS projects virtually rest in a state of truth, where pull requests are functionally hypotheses, extending the state of knowledge (merged, if true, or else restored to previous builds). Generally, superior code is shipped where collaboration and criticism are the defaults of production.Minding the GapUnder the CAIA, a “developer” or “deployer” of AI systems which interact with Coloradans is subject to AG sanctions if, within 90 days of learning how the “high-risk AI” system caused algorithmic discrimination, there is no follow-up disclosure. Inspired by Article 12(1) of the EU AI Act (“High-risk AI systems shall technically allow for the automatic recording of events (logs) over the lifetime of the system.”), Denver monitors the same range of “high-risk” activities outsourced to AI (e.g. deciding whom to hire, whom to give a home loan, etc.), but a closer read of one key provision in Section 1 (“Definitions”) betrays a wide chasm, as Colorado says: (7) "DEVELOPER" MEANS A PERSON DOING BUSINESS IN THIS STATE THAT DEVELOPS OR INTENTIONALLY AND SUBSTANTIALLY MODIFIES AN ARTIFICIAL INTELLIGENCE SYSTEM. Whereas Article 3 of the EU AI Act says: (3) ‘provider’ means a natural or legal person, public authority, agency or other body that develops an AI system or a general-purpose AI model or that has an AI system or a general-purpose AI model developed and places it on the market or puts the AI system into service under its own name or trademark, whether for payment or free of charge;[4] Put differently, the CAIA says nothing about OSS like DeepSeek? . OSS is often provided as is with broad disclaimers against warranty, indemnity, or other liability, but DeepSeek? , for example, is offered on an MIT license, which also raises another issue within that world of free software. Apache, BSD, and MIT licenses, for instance, do not require the disclosure of source code—as opposed to GNU or Mozilla—so the fact that DeepSeek? ’s GitHub? repo exposes some of its source code is not required. Currently, there are no enforcement actions by Brussels under the full EU AI Act (which only comes into effect, August 2, 2026), but state regulators could probably promulgate rules on licensing without further changing the law.[5] Thus, the CAIA might read: (7) "DEVELOPER" MEANS A PERSON DOING BUSINESS IN THIS STATE, whether for payment or free of charge, THAT DEVELOPS OR INTENTIONALLY AND SUBSTANTIALLY MODIFIES AN ARTIFICIAL INTELLIGENCE SYSTEM. Such legislation and regulation would then cover companies like RedHat? (upselling their services, but not necessarily marketing their free AI), and again, by excluding OSS developers from sources of “high-risk AI,” the CAIA would tend to otherwise overlook industry-leading developers like DeepSeek? .[6]California DreamingAlternatively, if regulators are afraid of entering a deep sea of open-source development, they may try to align the Colorado Privacy Act with the California Privacy Rights Act (CPRA), but such an indirect approach to AI policy would likely fall short of the CAIA's goals. CPRA, which amended California’s CCPA in 2023, identified “automated decision-making” by AI, as a liability borne by the business. However, CPRA only required compliance from businesses earning $25 million in annual gross revenue, which belies how dimly OSS projects must have been viewed by the state. Of course, Californians’ amended CCPA is still stronger than Coloradoans’ CPA. For example, if a bank like Wells Fargo were to use AI in mortgage servicing, it could still found be found liable under California’s GLBA data-only exemption, but Colorado (like most states with privacy policies) would exempt the entire financial institution at the GLBA entity-level.[7] However, again, Sacramento's threshold of a for-profit business model likely warrants caution on taking an indirect approach to protecting data as opposed to "consequential decisions" from AI.Up the MountainUltimately, proponents of AI reform should continue to call out the CAIA's continental drift. The EU’s state actors are not disinterested in new technologies—just swipe off the tram in Amsterdam! But by inserting OSS into the “developer” definition (or "provider" definition like the EU), the state will at least help operationalize the other mechanisms borrowed from European regulators. That said, there is still complexity in the CAIA's administration, as the law mandates a "deployer" implement frameworks like NIST's AI Risk Management Framework or ISO/IEC 42001, which are governance structures better suited for traditional corporate environments than decentralized development communities. Still, absent federal legislation, this first salvo in the AI policy from the states will greatly shape the nation as a whole. Hence, unless “comprehensive” language truly reflects the reality of a vast OSS underground, the CAIA will tend to see friends around the campfire... and everybody’s high. Endnotes
You are entitled to restrict access to your paper if you want to. But we all derive immense benefit from reading one another's work, and I hope you won't feel the need unless the subject matter is personal and its disclosure would be harmful or undesirable. To restrict access to your paper simply delete the "#" character on the next two lines:
|
|
