I had a chance to catch two amazing presentation in the past two days - cyber-security expert Bruce Schneier and distinguished computer scientist Moshe Vardi. Both talks argued a similar point, that in order for things to really change in the technology space, we need public policy or regulation. However, that doesn't mean there isn't a role for ethics.
Collective action to drive change in technology
Bruce Schneier recently spoke at the Canadian Internet Registration Authority AGM. His take is that we need collective action, not a market solution, to fix the problems in tech. Governments are the entities we use to solve a collective action problem. He cites many other industries (cars, restaurants, aviation) that required regulatory oversight in order to become safe. I don't think Schneier is against ethics, he just feels its not sufficient, and that it's perhaps too easy for industry to "ethics wash" and not really make substantive change. This makes sense, and Schneier was speaking at a meeting hosted by regulators, so it was definitely on point given the audience.
His talk also covered how security breaches are not only breaches of confidentiality, such as stolen data. His acronym, CIA, which stands for Confidentiality, Integrity and Availability sums up the triad of ways in which technology can be compromised. An integrity breach looks like maliciously changing data, for example, changing someone's medical prescription so they get the wrong drug or the wrong dose of a drug. An availability breach means making the technology unavailable to use, like blocking the breaking system on an autonomous vehicle. Schneier thinks that increasingly, cyber-attacks might look like integrity or availability breaches. He also talked about Canada being a "technology taker" - that is to say, we use the tech that others make. We get Facebook, Twitter, Amazon, TikTok, it's made and governed by other countries.
"The law floats on a seas of ethics" - Chief Justice Earl Warren
We need ethics to support law, as Chief Justice Earl Warren said so poetically. There needs to be a foundation of ethical values in order for laws to be upheld. Moshe Vardi talked about the economic value of trust. In countries where there is high trust, the "cost" of getting things done decreases. We've watched as Sweden (a high trust society) took a different approach to COVID-19. In other countries where societal trust is lower, the cost of getting things done increases, as there is more need for enforcement. This is something Martin Sandbu writes about in The Economics of Belonging.
Vardi agrees with Schneier, that ultimately, it will be regulation that gets big tech to change its ways. He sums this up as ethics being individual and regulation being societal. He does, however, see the interplay between the two and has worked to advance ethics education in computer science at Rice University where he teaches. He sees an important role for computer scientists to individually embrace ethical practices, though he stops short of committing to the idea that computer science should be an accredited profession in the way that engineering, medicine or law itself has a formal professional governing body.
I appreciated hearing these perspectives from two individuals who have been working to change the technology industry for many years. I think they make excellent points about incentives and the role of corporations. The primary stakeholder that corporations aim to serve are shareholders, institutionalizing Milton Friedman's Chicago School of Economics ideology, promoting free market thinking as the solution to everything, devaluing the role of government and defining responsibility of corporations in the fairly limited context of driving shareholder value. Fictional 1980's anti-hero Gordon Gekko embodied this ethos...
"The point is, ladies and gentleman, that greed -- for lack of a better word -- is good.
Greed is right. Greed works. Greed clarifies, cuts through, and captures the essence of the evolutionary spirit. Greed, in all of its forms -- greed for life, for money, for love, knowledge -- has marked the upward surge of mankind." - Gordon Gekko, Wallstreet
Ethics and Regulation
Like Justice Warren, I think we need both ethics and regulation to work together. We need individuals, especially those building the technology, to understand ethical considerations and apply ethical practices in the context of their work. AND, we also need to educate citizens about how the technology works, how the choices we make to "share" our data for access to "free" products plays into the surveillance capitalism business model. AND, we need to educate policy makers so they can act on behalf of the best interests of society through thoughtful regulation. Lastly, I believe that there is room for companies to voluntarily change. It may be not be wholesale abandonment of their business model (I am not that naive!) but between "do nothing" and "abandon business model", there is a big gap and much room to move in positive directions.
Thanks to CIRA and the University of Waterloo Cheriton School of Computer Science for hosting these speakers!
Moshe Vardi is a professor at Rice University and his website has a long list of links to both academic and non-academic writing on this topic.
I'm a huge fan of Bruce Schneier's many books and his blog - Schneier on Security