Tech Geopolitics and Digital Regulation
With Joshua Levine @ The Foundation for American Innovation
Commonweal Ventures backs top entrepreneurs building companies that matter for America in sectors like clean energy, defense, fintech, manufacturing, and health. In these markets, partnership with government can be a critical unlock. Commonweal helps founders mobilize public sector commitments to build category-winning companies. We focus on pre-seed and seed stage investments.
We spoke with Joshua Levine, Manager of Tech Policy @ FAI, about the future of digital regulation and tech competition with China.
Highlights:
How can the US reduce risks from potentially-compromised Chinese hardware?
It helps to have friends that can build innovative products with lower geopolitical risks (here’s to you, Japan!) and groups like the Defense Innovation Unit are on the case as well.
Why do different regulatory regimes around data and competition affect startups?
Data is innovation rocket fuel, but consumers need privacy too. Protecting rights AND protecting innovation is a delicate balancing act. When rules get extra complicated, big players who can afford the legal fees can box out the little guy.
What’s going on with TikTok?
Read more to find out. :)
Views and opinions expressed do not necessarily reflect the official position of Commonweal Ventures or its investment team.
You've written quite a bit about the FTC, how digital commerce is being regulated, and the American Privacy Rights Act. Starting from the basics—why NOT a standalone internet regulatory agency? Why are you against that?
If there's one specific place where laws and regulations are crafted, the largest companies will have the first say. They'll be the first through the door. An economist I used to work with, James Broughel, talks about how over time, regulations can accumulate over time and slow the pace of economic growth under the weight. When you have a digital-focused regulator, you start to add and layer different laws and regulations on the Internet, which keeps new companies and innovators from squirming out or finding new pathways to success.
The folks who are going to be able to comply are the largest companies, the incumbents. Something that's made the US tech sector so successful is our ability to disrupt incumbency and bring new people into the fold while still having incredibly innovative and powerful hyperscale companies. We should be celebrating that. I think a lot of the digital regulation talk immediately gets like, "We need to build an institution to take on these companies!" I don't necessarily see that as a positive development.
It's always funny to me when people talk about digital regulation because at this point, what ISN'T digital? It's like when media people use the phrase "new media" to describe social media. The verbiage is out of date. I hear your point about one regulatory agency piling on itself, but what about separate agencies all nibbling around the edges but never quite getting things done because they only see a piece of the puzzle? That doesn't seem effective.
That's a reasonable point and well taken. My contention with that would be that the greater the centralization, the greater the incentive for rent-seeking. That doesn't mean we shouldn't have cross-agency collaboration, which we do. There are a number of agencies in the government that can specialize and apply laws and regulations to their expertise. I like that a lot. We can have the FDA and HHS dealing with healthcare, for instance. There are always ways we can improve how the federal regulatory apparatus works, but I think the potential costs are going to outweigh any efficiency benefits that we would have from consolidating.
Tell me more about rent-seeking and digital regulators. What do you mean?
It's the idea that large companies can use the regulatory state to raise barriers to entry rather than beating their competitors in the market with a better product or better service. You'll lobby for a certain kind of tariff or licensing requirements because you, as a larger company, can absorb the costs of compliance (lawyers, lobbyists, etc.) that a small startup company or foreign competitor simply cannot. Because you have that advantage, it creates an incentive to tell the government "Yeah, of course, we need this regulation to keep people safe or to defend national interest." Which are reasonable things to do! We should be considerate and weigh those types of issues on their merit. But, when you centralize, the traditional critique of large regulatory institutions is that they're infiltrated by interests that want to lock out competition. Then you see barriers go up and people can start collecting monopoly rents. This can contribute to stagnation and consolidation.
I think a good example right now would be some of the online safety regulations for kids. Some companies were very opposed at the start, and now they're starting to tiptoe around saying "Well, if it has to happen, we'll comply and figure it out." That's because they're able to marshal moderators and content specialists, plus their lawyers and lobbying arms to comply with these laws. Rent-seeking should be top of mind for anyone thinking about digital regulation.
Let's talk TikTok. I've been thinking about cui bono (who benefits). In the event of a ban, does Meta just clean up the profits? Walk me through how you're thinking about this.
For folks who are unfamiliar, a few months ago President Biden signed legislation that would require Bytedance to divest TikTok and sell their controlling stake of its US business to some entity that is not based in a country of concern (China, North Korea, Iran, Russia, Cuba, Venezuela).
If Cuba was running TikTok we might have bigger problems.
Exactly. The idea is that Bytedance's connections with the CCP, which have been well-documented, give Chinese military intelligence access to Americans' data. Back to the question of who benefits from a divesture,
I don't buy the idea that we couldn't find a buyer that would be able to satisfy the law. We know there are willing buyers. Frank McCourt came out and offered to buy them at a market rate. Bobby Kotek, the former founder of Activision, too.
This app is incredibly popular because the algorithm is great. The tech is just fantastic. It wouldn't be such a highly used social media app among that key, coveted 18-25-year-old demographic if it wasn't.
I think the concerns around empowering Meta or Google or someone else are fine. Sure.
But if Bytedance is a profit-seeking company and the goal is to turn a profit for shareholders, why wouldn't you sell? Clearly, people are interested in buying this. So, I would turn it back on Bytedance and ask why they won't.
Essentially, they doth protest too much.
Right.
Even if the IP for TikTok isn't owned by an adversarial country, I feel like there's another conversation to be had on the collection of data, privacy, and online safety. How are you thinking about these issues on social media platforms?
Good question. Data privacy is really tricky, specifically because it's a spectrum. Cookies serve you ads to buy sneakers because they saw you visited a sneaker site. For me, I think that's pretty cool! Ad-based targeting enables a ton of content and platforms. Generally, I think the demonization of ads is misplaced.
That being said, there's other data out there that is way more concerning, like geolocation and biometric data. Separating those in a thoughtful manner is really important.
Zac, you probably have a good appreciation for this as someone who's in VC working to find companies who are trying to challenge incumbents and provide a new product. GDPR set the global floor for data privacy regulation. It's become the model in other countries, even for places like California and Virginia. Frankly, if you look at the research around that, the folks who are hardest hit are startups + SMEs that are unable to get data. They're unable to transfer and process it in ways that would be beneficial for customers. The folks who already have access and are sitting on troves and troves of user data, they'll figure it out. They benefit once again because they can comply. They'll pay the fines occasionally because it's the cost of doing business.
When we think about what's next and how we can continue to keep a dynamic tech sector in the United States, access to data is critical. Especially with AI right now, that's one of the biggest tradeoffs. The kinds of really high-quality data we can get access to from around the world are the engines for all kinds of tech that people want to build. The opportunity of closing off access to that data is tremendous.
To quote Jen Huddleston at Cato, data privacy is the Groundhog Day of tech policy problems. Is this the year we get data privacy laws? At a certain point, people will have to compromise. What I'm most concerned about is how we ensure that restricting the flow of data doesn't just create positive effects for companies in a strong incumbency position.
I agree that being purely adversarial with Big Tech doesn't feel productive, but they have accumulated an insane amount of data. On one hand, there are monopolistic dynamics on who has data to train models, but you argue that the European approach might close off access to startups. This is a tricky circle, so let's talk about some places to start.
On the international front, the USTR recently revoked support for zero tariff barriers for digital trade at the WTO. For as long as this has been an issue, the US along with many other OECD countries have advocated for the free flow of data. You shouldn't unduly restrain the movement of information digitally around the world because the benefits are so vast and it creates so many opportunities for American innovation and dynamism. The United States is less engaged and less of a supporter of this than it was a few years ago. We should affirm that we are supporting the open Internet and flow of information.
Thinking about how to ensure that large companies provide access for startups to get in, I think API access and greater access to researchers can help. Post Cambridge Analytica, people got really nervous about giving companies access to their data. This company misused things and it exploded into a massive firestorm. And I think that's very reasonable to be upset about. When people do bad things, the FTC and DOJ can bring enforcement actions. I don't want to come across as someone who thinks government should be totally defanged. We need strong enforcers, which is why I personally support the staffing of the Office of Technology, the FTC, bringing more economists and experts who can help regulators understand how technologies change the way we do commerce.
I've been reading the book Exponential Age by Azim Azar. He talks about how we need to start thinking a little bit differently.
There isn't just one entry point, there are a lot of different ones that are constantly moving. There are a lot of nodes in this network. Making regulations so binary doesn't work and is kind of old-fashioned. We need to start thinking about data access problems in a more networked way.
Moving from data to tangible hardware; if I go to Walmart, most of the drones on the shelf are going to be Chinese-made. It's a fact of the market. If these all go away, I'm going to be pretty upset as a consumer. How should we think about products that the US simply isn't making when there are national security concerns about the countries that are making them?
For drones and other hardware, there needs to be a bit of a bifurcation. That's the problem of dual-use technology, right? A drone at Walmart is fantastic for taking pictures and racing around. But they can also take videos of critical infrastructure. That's really concerning.
The government shouldn't be buying Chinese drones, and it doesn't. FAI has done some work on this, helping prevent those purchases in the DOD. DARPA and the DIU act as internal VCs and give people money to build out these national interest techs in the United States. That's a pretty good solution for the public side of things.
Moving to the private side, that's where things get difficult. These drone companies like DJI and Autel have massive economies of scale. There's a reason they're a market leader—the tech is really good.
If we want to find specific areas in the supply chain where we can be aggressive and unlock American ingenuity, we absolutely should. But to build a viable market for it, we need to bring our friends with us, allies with big innovation industries like Japan and Singapore. There are some amazing companies doing things with 3D printing, chip fabs, etc., taking all that innovation we have in the world of bits and moving it back into the world of atoms.
Tell me a bit about the Routers Act and what you hope it accomplishes.
The ROUTERS Act would require the Department of Commerce to do a study on potential vulnerabilities in foreign-made routers. This is specifically in response to concerns around TP-Link, which is a China-affiliated company. They are one of the most popular providers of wireless internet routers and modems in the world. You can buy them on Amazon, at Best Buy.
I'm pretty sure mine is, now that you mention it.
For most people, it may not be a concern. The problem with TP-Link, as it's been documented in the press and the NIST National Vulnerability Database (a great resource for anyone interested in this stuff), is that there are hardware and software vulnerabilities that can be exploited. They have been in the EU—officials were targeted by Chinese cyber espionage teams looking to extract information and surveil people.
The ROUTERS Act would launch a study. How serious of a threat is this? Do we need to take a similar approach to what the government did with Huawei and ZTE and rip out that tech from our stack? If so, this is the first step to doing that.
A study like this helps create a robust record, which I think is really important. When you're making arguments about national security that some people will argue are protectionist, you need to have information and evidence behind that assertion. It can also provide the public with a better understanding of these subjects. Let's say you're working from home. You're dealing with proprietary information about an investment, or maybe you're dealing with personal financial or health data. If it's on a TP-Link router or something similar and your hardware is insecure, that poses a real threat you can't mitigate by yourself.
Also, it's not just a specific brand of insecure routers, it's about updating our technology and buying new stuff. Hackers have compromised water treatment plans and energy infrastructure. That wasn't because they were using TP-Link Routers, it was because they were using end-of-life Cisco and people hadn't pushed through firmware updates. If something sits out for long enough, hackers will find bugs. No tech is perfect, but we can take steps to mitigate and get as close as we can.