Today at USV, we are hosting our 4th semiannual Trust, Safety and Security Summit. Brittany, who manages the USV portfolio network, runs about 60 events per year — each one a peer-driven, peer-learning experience, like a mini-unconference on topics like engineering, people, design, etc. The USV network is really incredible and the summits are a big part of it.
I always attend the Trust, Safety and Security summits as part of my policy-focused work. Pretty much every network we are investors in has a “trust and safety” team which deals with issues ranging from content policies (spam, harassment, etc.) to physical safety (on networks with a real-world component), to dealing with law enforcement. We also include security here (data security, physical security) — often managed by a different team but with many issues that overlap with T&S.
What’s amazing to witness when working with Trust, Safety and Security teams is that they are rapidly innovating on policy. We’ve long described web services as akin to governments, and it’s within this area where this is most apparent. Each community is developing its own practices and norms and rapidly iterating on the design of its policies based on lots and lots and lots of real-time data.
What’s notable is that across the wide variety in platforms (from messaging apps like Kik, to marketplaces like Etsy and Kickstarter, to real-world networks like Kitchensurfing and Sidecar, to security services like Cloudflare and Sift Science), the common element in terms of policy is the ability to handle the onboarding of millions of new users per day thanks to data-driven, peer-produced policy devices — which you could largely classify as “reputation systems”.
Note that this approach works for “centralized” networks like the ones listed above, as well as for decentralized systems (like email and bitcoin) and that governing in decentralized systems has its own set of challenges.
This is a fundamentally different regulatory model than what we have in the real world. On the internet, the model is “go ahead and do — but we’ll track it and your reputation will be affected if you’re a bad actor”, whereas with real-world government, the model is more “get our permission first, then go do”. I’ve described this before as “regulation 1.0” vs. “regulation 2.0”:
I recently wrote a white paper for the Data-Smart City Solutions program at the Harvard Kennedy School on this topic, which I have neglected to blog about here so far. It’s quite long, but the above is basically the TL;DR version.
I mention it today because we continue to be faced with the challenge of applying regulation 1.0 models to a regulation 2.0 world.
Here are two examples:
First, the NYC Taxi and Limousine Commission’s recently proposed rules for regulating on-demand ride applications. At least two aspects of the proposed rules are really problematic:
1. TLC wants to require their sign-off on any new on-demand ride apps, including all updates to existing apps.
2. TLC will limit any driver to having only one active device in their car.
On #1: apps ship updates nearly every day. Imagine adding a layer of regulatory approval to that step. And imagine that that approval needs to come from a government agency without deep expertise in application development. It’s bad enough that developers need Apple’s approval to ship iOS apps — we simply cannot allow for this kind of friction when bringing products to market.
On #2: the last thing we want to do is introduce artificial scarcity into the system. The beauty of regulation 2.0 is that we can welcome new entrants, welcome innovations, and welcome competition. We don’t need to impose barriers and limits. And we certainly don’t want new regulations to entrench incumbents (whether that’s the existing taxi/livery system or new incumbents like Uber).
Second, the NYS Dept of Financial Services this week released their final BitLicense, which will regulate bitcoin service providers. Coin Center has a detailed response to the BitLicense framework, which points out the following major flaws:
- Anti money laundering requirements are improved but vague.
- A requirement that new products be pre-approved by the NYDFS superintendent.
- Custody or control of consumer funds is not defined in a way that takes full account of the technology’s capabilities.
- Language which could prevent businesses from lawfully protecting customers from publicly revealing their transaction histories.
- The lack of a defined onramp for startups.
Without getting into all the details, I’ll note two big ones, which are DFS preapproval for all app updates (same as with TLC) and the “lack of a defined on-ramp for startups”.
This idea of an “on-ramp” is critical, and is the key thing that all the web platforms referenced at the top of this post get right, and is the core idea behind regulation 2.0. Because we collect so much data in real-time, we can vastly open up the “on-ramps” whether those are for new customers/users (in the case of web platforms) or for new startups (in the case of government regulations).
The challenge, here, is that we ultimately need to decide to make a pretty profound trade: trading up-front, permission-based systems, for open systems made accountable through data.
The challenge here is exacerbated by the fact that it will be resisted on both sides: governments will not want to relinquish the ability to grant permissions, and platforms will not want to relinquish data. So perhaps we will remain at a standoff, or perhaps we can find an opportunity to consciously make that trade — dropping permission requirements in exchange for opening up more data. This is the core idea behind my Regulation 2.0 white paper, and I suspect we’ll see the opportunity to do this play out again and again in the coming months and years.