| | Fool’s Gold | |
< < | The first state to regulate recreational dispensaries is the first to dispense with unregulated AI. Commentators like EFF have called Colorado’s Artificial Intelligence Act (CAIA), enacted last summer, “comprehensive,” but Colorado’s law merely resembles the European Union’s AI Act. “The Revolution permanently put the major models of European governance off the table,”[1] but apparently, Denver took too little from Brussels and put too much out of reach of the state. “Today, most commercial software includes open source components,”[2] and last year, researchers at Harvard Business School estimated that open-source software (OSS) produced at least $4.5T in economic value. Now, with DeepSeek? , it is more doubtful than ever that developing “high-risk AI” requires proprietary ownership, so before the CAIA goes into effect February 6, 2026, the CAIA's omission of OSS is an open wound that Denver should patch. | > > | The first state to regulate recreational dispensaries is the first to dispense with unregulated AI. Commentators like EFF have called Colorado’s Artificial Intelligence Act (CAIA), enacted last summer, “comprehensive,” but Colorado’s law merely resembles the European Union’s AI Act. “The Revolution permanently put the major models of European governance off the table,” but apparently, Denver took too little from Brussels and put too much out of reach of the state. “Today, most commercial software includes open source components,”[1] and last year, researchers at Harvard Business School estimated that open-source software (OSS) produced at least $4.5T in economic value. Now, with DeepSeek? , it is more doubtful than ever that developing “high-risk AI” requires proprietary ownership, so the CAIA's omission of OSS is an open wound that should be patched before the law's effective date, February 6, 2026. | |
Open-source Opening | |
< < | When DeepSeek? was released, U.S. stocks lost $1T in value.[3] Once the world’s most valuable company, Nvidia was chastened by news that its most advanced chips might not be as necessary for cutting-edge AI—compared to OpenAI? ’s leading model, O1, DeepSeek? performed at least as well at comparatively negligible costs (ironically, OpenAI? was founded as a nonprofit to promote open-source AI, ergo, "OpenAI").As for the CAIA, the arrival of DeepSeek? then was not so much a “sputnik” moment as much as a lesson from Silicon Valley's history. In 1979, for example, Oracle released its first commercial relational database management system, called “Oracle Version 2,” and in 1996, researchers from Berkeley launched PostgreSQL, a much-beloved OSS alternative. Today, some industry studies indicate that the latter has more market share than Oracle’s current suite of tools. Even AlphaFold 3 (behind the 2024 Nobel Prize in Chemistry) is OSS. To that end, where there are replicability issues in the sciences, OSS virtually sits in a state of truth, so apparently, Denver missed how developers tend to ship superior code wherever there is real collaboration and criticism as with free software. | > > | When DeepSeek? was released, U.S. stocks lost $1T in value, as Nvidia was chastened by news that its chips might not be as necessary for developing AI. Compared to OpenAI? ’s leading model, O1, DeepSeek? performed at least as well for relatively negligible overhead costs. As for the CAIA then, the arrival of DeepSeek? was not so much a “sputnik” moment as much as another lesson from recent history. In 1979, Oracle released its first commercial relational database management system, called “Oracle Version 2,” and in 1996, researchers from Berkeley launched PostgreSQL, a much-beloved OSS alternative. Today, some industry studies indicate the latter has more market share than Oracle’s current suite. 
Even AlphaFold 3 (behind the 2024 Nobel Prize in Chemistry) is OSS, and where replicability issues in the sciences abound, OSS virtually sits in a state of truth. Thus, Denver should acknowledge how the collaborative conditions of free software enable superior code. | | | |
< < | Minding the Gap | > > | Brussels' Boilerplate | | | |
< < | Inspired by Article 12(1) of the EU AI Act (“High-risk AI systems shall technically allow for the automatic recording of events (logs) over the lifetime of the system.”), Denver monitors the same range of “high-risk” activities outsourced to AI (e.g. deciding whom to hire, whom to give a home loan, etc.), but there is a wide chasm between the EU AI Act and the CAIA's language per Section 1 (“Definitions”): | > > | Embracing Article 12(1) of the EU AI Act (“High-risk AI systems shall technically allow for the automatic recording of events (logs) over the lifetime of the system.”), Denver monitors the same range of “high-risk” activities outsourced to AI (e.g. deciding whom to hire, whom to give a home loan, etc.), but a wide chasm exists between the EU and Colarado per the CAIA's Section 1 (“Definitions”): | | (7) "DEVELOPER" MEANS A PERSON DOING BUSINESS IN THIS STATE THAT DEVELOPS OR INTENTIONALLY AND SUBSTANTIALLY MODIFIES AN ARTIFICIAL INTELLIGENCE SYSTEM. | |
< < | Whereas the EU AI Act's Article 3 says: | > > | By contrast, the EU AI Act's Article 3 says: | | | |
< < | (3) ‘provider’ means a natural or legal person, public authority, agency or other body that develops an AI system or a general-purpose AI model or that has an AI system or a general-purpose AI model developed and places it on the market or puts the AI system into service under its own name or trademark, whether for payment or free of charge;[4] | > > | (3) ‘provider’ means a natural or legal person, public authority, agency or other body that develops an AI system or a general-purpose AI model or that has an AI system or a general-purpose AI model developed and places it on the market or puts the AI system into service under its own name or trademark, whether for payment or free of charge [emphasis];[2] | | | |
< < | Put differently, the CAIA does not countenance OSS like DeepSeek? . Typically, OSS is provided as-is for free with broad disclaimers against warranty, indemnity, or other liability, but where DeepSeek? is offered on an MIT license, there is also a related issue. Apache, BSD, and MIT licenses, for instance, do not require the disclosure of source code—unlike GNU or Mozilla—so the fact that DeepSeek? ’s GitHub? repo exposes some of its source code is unnecessary. Colorado's AG could promulgate rules on proper licensing without further changing the European framework:[5] | > > | Put differently, the CAIA does not countenance OSS. Typically, OSS is provided as-is for free with broad disclaimers against warranty, indemnity, or other liability, but where DeepSeek? is offered on an MIT license, there is also another issue. Specifically, Apache, BSD, and MIT licenses do not require the disclosure of source code—unlike GNU or Mozilla—so the fact that DeepSeek? ’s GitHub? repo reveals some source code is not required. Nevertheless, Colorado's AG can promulgate rules around proper licensing without further changing Europe's framework, which should be adopted:[3] | | (7) "DEVELOPER" MEANS A PERSON DOING BUSINESS IN THIS STATE, whether for payment or free of charge..." | |
< < | However, until the full EU AI Act goes into effect August 2, 2026, there will be certain unknowns in enforcement. Nevertheless, forking the full legal code makes more sense for Colorado where there are known quantities like RedHat? (an OSS developer, upselling some services but not necessarily core products that could become industry leaders in AI).[6] | | California Dreaming | |
< < | Alternatively, Denver may attack the issue collaterally by looking to the California Privacy Rights Act (CPRA), but such a roundabout solution is arguably unwise. CPRA, which changed California’s CCPA in 2023, identified “automated decision-making” by AI, as a liability borne by the business. However, CPRA only required compliance from businesses earning $25 million in annual gross revenue, betraying how dimly OSS projects must have been viewed by the state. Of course, the CCPA is more robust than the CPA generally. If Wells Fargo were to use AI in mortgage servicing, for instance, it could be found liable under California’s GLBA data-only exemption, but Colorado (like most states with privacy policies) would exempt such a financial institution at the GLBA entity-level.[7] But as a matter of public policy, Sacramento's for-profit focus probably does not warrant imitation, as bots' imitations are probably more problematic when available for free. | > > | Alternatively, Denver can attack the issue collaterally by looking to the California Privacy Rights Act (CPRA), but such a roundabout solution is arguably unwise. CPRA, which changed California’s CCPA in 2023, identified “automated decision-making” by AI, as a liability borne by the business. But CPRA only required compliance from businesses earning $25 million in annual gross revenue, betraying how dimly OSS must have been viewed by the state.[4] Of course, the CCPA is more robust than the CPA. For instance, if Wells Fargo were to use AI in mortgage servicing, it could still be found liable under California’s GLBA data-only exemption, whereas Colorado would exempt it at the GLBA entity-level.[5] Still, as a matter of public policy, Sacramento's for-profit focus probably does not warrant imitation, especially as bots' imitations are probably most pernicious when available for free (n.b. the commercial success of RedHat? ). | | Up the Mountain | |
< < | Ultimately, there are drawbacks to any new regime, but Denver's proponents of AI reform should probably reconsider the CAIA's continental drift. EU member states are not disinterested aggregators of data—just swipe off the tram in Amsterdam! But by gathering and analyzing all relevant source code from any "developer" (or "provider" per the EU AI Act), Colorado would at least ensure what has been borrowed from Europe actually works (e.g. per 6-1-1703 of the CAIA, compliance for a "deployer" depends on cooperation from a "developer"). Surely, other issues remain like how the CAIA confers a rebuttable presumption of reasonable care on any "deployer" that follows frameworks like ISO/IEC 42001 or NIST's AI Risk Management Framework, which may be unrealistic for decentralized developer communities outside the US. Yet, absent federal legislation, this first salvo from the states will likely shape the national conversation as a whole, as shown recently by Texas looking to the CAIA for guidance. Still, unless new “comprehensive” language truly reflects the fact that "open source is eating software faster than software is eating the world,” legislators will tend to just see friends around the campfire and everybody’s high... | > > | Ultimately, the current White House may view any regulation skeptically, but Denver's proponents of AI reform should probably reconsider the CAIA's continental drift. EU member states are not disinterested actors—just swipe off the tram in Amsterdam! But by gathering and analyzing all relevant source code from any relevant "developer" (or "provider" per the EU), Colorado will at least ensure what it has borrowed from Europe works (e.g. per 6-1-1703 of the CAIA, compliance for a "deployer" depends on cooperation from a "developer"). 
Surely, other issues remain relevant, particularly how CAIA confers a rebuttable presumption of reasonable care where a "deployer" follows frameworks like ISO/IEC 42001 or NIST's AI Risk Management Framework that OSS projects may find hard to implement. Yet, absent federal legislation, this first salvo from the states will shape the national conversation as a whole, as evidenced by Texas imitating Colorado. However, so long as the law does not acknowledge that "open source is eating software faster than software is eating the world,” legislators will probably just see friends around the campfire and everybody’s high... | | | |
> > | Endnotes: | | | |
< < | Endnotes:
- Robert W. Gordon, The Citizen-Lawyer - A Brief Informal History of a Myth with Some Basis in Reality, 50 Wm. & Mary L. Rev. 1169 (2009), https://scholarship.law.wm.edu/wmlr/vol50/iss4/4, p. 1182.
| |
- David Tollen, The Tech Contracts Handbook, Appendix 2 (ABA Publishing, 2021).
| |
< < |
- Karen Friar and Ines Ferré, DeepSeek? sell-off reminds investors of the biggest earnings story holding up the stock market, Yahoo Finance (January 27, 2025), https://finance.yahoo.com/news/live/stock-market-today-nasdaq-clobbered-nvidia-sinks-17-while-dow-stages-comeback-as-ai-fears-shake-markets-210101592.html.
- See also, “(10) ‘making available on the market’ means the supply of an AI system or a general-purpose AI model for distribution or use on the Union market in the course of a commercial activity, whether in return for payment or free of charge;”
- The state AG—already empowered under the CAIA to issue rules for enforcement—could further specify appropriate licenses (e.g. CDDL, EPL, GPL, MPL, etc.).
- In January, DeepSeek? was the most downloaded free app on the AppStore? and Google Play.
- Only 20 states have data privacy policies: thirteen have exemptions for data and entities under the Gramm-Leach-Bliley Act; four for just GLBA entities; and three (CO, OR, and MN) for GLBA data-only.
| > > |
- See also, “(10) ‘making available on the market’ means the supply of an AI system or a general-purpose AI model... whether in return for payment or free of charge;”
- As Colorado's AG is empowered under the CAIA to issue rules for enforcement, Denver could also say which licenses satisfy required disclosure (e.g. CDDL, EPL, GPL, MPL, etc.).
- DeepSeek? was recently the most downloaded free app on Apple's App Store and Google Play.
- Only 20 states have data privacy policies: thirteen exempt Gramm-Leach-Bliley Act entities and data; four, GLBA entities only; and three, just GLBA data.
| |
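Review bot: The quotation in the opening paragraph, “The Revolution permanently put the major models of European governance off the table,” loses its source in the revised text: the [1] marker that followed it is gone and the Gordon entry is dropped from the endnotes, so the quote now stands unattributed. Restore the Gordon citation as an endnote on that sentence and renumber the later notes, or drop the quotation marks and paraphrase.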
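Review bot: "Colarado" in the revised lead-in to the Section 1 definitions ("a wide chasm exists between the EU and Colarado per the CAIA's Section 1") is a misspelling and should read "Colorado". The same sentence now sets "the EU" against a state, where the earlier wording compared the two statutes; "between the EU AI Act and the CAIA" would keep the comparison parallel.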