Law Proofing the Future – Harvard Journal on Legislation

Gregory M. Dickinson[*]

Abstract

Lawmakers today face continuous calls to “future proof” the legal system against generative artificial intelligence, algorithmic decision-making, targeted advertising, and all manner of emerging technologies. This Article takes a contrarian stance: it is not the law that needs bolstering for the future, but the future that needs protection from the law. From the printing press and the elevator to ChatGPT and online deepfakes, the recurring historical pattern is familiar. Technological breakthroughs provoke wonder, then fear, then legislation. The resulting legal regimes entrench incumbents, suppress experimentation, and displace long-standing legal principles with bespoke but brittle rules. Drawing from history, economics, political science, and legal theory, this Article argues that the most powerful tools for governing technological change—the general-purpose tools of the common law—are in fact already on the books, long predating the technologies they are now called upon to govern, and ready also for whatever the future holds in store.

Rather than proposing any new statute or regulatory initiative, this Article offers something far rarer, a defense of doing less. It shows how the law’s virtues—generality, stability, and adaptability—are best preserved not through prophylactic regulation, but through accretional judicial decision-making. The epistemic limits that make technological forecasting so unreliable and the hidden costs of early legislative intervention, including biased governmental enforcement and regulatory capture, mean that however fast technology may move, the law must not chase it. The case for legal restraint is thus not a defense of the status quo, but a call to preserve the conditions of freedom and equal justice under which both law and technology can evolve.

I. Introduction

Daily we hear calls to “future proof the law”¹ against this or that coming danger.² The phrase strikes the mind as wise and responsible—an expression of fidelity to progress and foresight. Yet, on reflection, the phrase’s implication is curious: that the law must be braced to preserve it against the future’s onslaught. This framing places law above the future, as if it is our duty to protect the law and shelter it against the damage of societal change. In truth, the relationship runs in the other direction. It is not the law that must withstand the future, but the future that must be preserved from the threat of law.³

This Article challenges the conventional wisdom that rapid technological change demands fresh, similarly rapid lawmaking. That view—deeply intuitive, widely held, and often wrong—treats technological development as a problem to be solved through prescriptive legislation and regulation. In times of innovation, we look to lawmakers for reassurance and intervention against new dangers. We tell ourselves that new tools raise novel dangers and that law must evolve to meet them. And so, from the printing press to social media and generative AI, we have called reflexively for new statutes, new rules, and new agencies.⁴ Sometimes, this is sensible. But more often, the instinct to legislate outruns its justification.⁵

The larger danger lies not in what technology might do, but in what we might do in response. When we rush to govern the new, we may inadvertently discard legal virtues so longstanding that they are overlooked—the law’s durability and generality, its applicability across time and circumstances to all persons, politically favored or not.⁶ As this Article argues, general-purpose law—our long-standing principles providing tort redress for harms, freedom to contract, due process protections for person and property, and criminal sanctions for lawbreakers—stands as ready to govern today’s technological change as it was to govern yesterday’s.⁷ To make that point, the Article employs tools from a variety of disciplines, from history and legal theory to political science, economics, and sociology. The Article begins by placing the modern impulse toward legal intervention in a broader historical pattern: the social cycle that follows in the wake of transformative technologies. We marvel, then we fear, then we regulate. From Gutenberg’s press to Facebook’s newsfeed and ChatGPT’s hallucinatory utterances, we observe the same arc—an initial burst of optimism followed by a public backlash, often culminating in legal restrictions aimed at controlling the unpredictable. Stanley Cohen’s theory of moral panic offers one sociological account of this pattern,⁸ one for which the historical record—for example, novels, comic books, film, radio, cable, and video games—supplies abundant examples.⁹ Legal responses to technology often resemble reactions to vice: panicked, preachy, and prone to overreach.¹⁰

The Article then turns to explore the insights that public choice theory and Austrian economics can offer for technology governance. A key insight is that legislative and administrative processes that produce laws to govern fast-paced technology are themselves neither neutral nor nimble. They are slow-moving, interest-group-driven systems prone to capture¹¹ by their most organized constituencies—in this context, Big Tech. The concentrated benefits and diffuse costs of poorly designed technology restrictions distort policy toward industry incumbents.¹² In the tech context, this means that the Googles and Facebooks of the world are likely to shape the very rules meant to constrain them.¹³

Yet by acting prematurely, legislatures often commit themselves to failure. Legislatures and regulatory agencies cannot possibly gather the vast, localized, dynamic information needed to make fine-grained, welfare-maximizing decisions.¹⁴ That limitation is all the more acute in fast-moving technological domains such as AI systems.¹⁵ Regulators must guess at the pace and path of innovation, codifying answers before the questions have even stabilized.¹⁶

Next, the Article examines the danger of legal “ossification”—the tendency of administrative rulemaking to become so procedurally encumbered that agencies are unable or unwilling to update rules in light of new circumstances, and the law becomes outdated.¹⁷ The ossification challenge is especially difficult in the context of quickly evolving technologies. As rulemaking has over the years become procedurally complex, legally risky, and politically fraught, agencies increasingly avoid rulemaking altogether.¹⁸ This has led not to a more responsive legal order, but to one in which guidance documents and informal enforcement actions displace deliberative lawmaking—a result that reduces transparency, undermines legitimacy, and insulates regulators from democratic accountability.¹⁹ Ironically, ossifications means that efforts to tailor rules to technology can produce a legal environment that is both less adaptable and less coherent.

Finally, even after considering the many challenges to technology governance, the Article concludes on a note of optimism. The point is not that law should never respond to new technology, but that a well-designed, time-tested system like our own rarely needs to. Legal change in response to even the most innovative technologies should be rare, modest, and general.²⁰ Just as well-written computer code is reusable, good law will apply across cases, actors, and epochs. Over time, the best legal systems are those that resist the temptation to engineer against every contingency. The law draws strength from abstraction, stability, and resistance to fads.²¹

This Article thus takes the path less followed in adopting a skeptical view of techno-legal exceptionalism. It suggests that the core problems posed by artificial intelligence, digital platforms, biotechnology, and other frontier technologies are not so different from those that the law has long confronted as to require radical reengineering.²² Fraud is still fraud. Harm is still harm. Rights, duties, and remedies still do their quiet work. In the end, it is not the law that is unprepared for technology but current policy discourse that is unprepared to offer legal stability.²³

The stakes are high. As societies increasingly govern through statute and regulation, the costs of legal error—especially legal overreaction—grow larger.²⁴ Premature regulation may lock in early designs,²⁵ stifle experimentation,²⁶ and entrench incumbents.²⁷ Over time, this can channel innovation away from contested domains and into less regulated spaces,²⁸ not because those areas are more fruitful, but because they are more legally tolerable.

This Article proceeds in three Parts. Part II traces the historical pattern of legal overreaction to new technologies, showing how initial enthusiasm often gives way to social panic and legal suppression. It draws on examples from print, broadcasting, video games, and the internet, illustrating the cyclical nature of technological scares and the legal responses they generate. Part III offers a defense of general-purpose law as well suited to manage technological change, emphasizing the virtues of abstraction, neutrality, and organic legal development. Part IV analyzes the institutional pathologies that lead to poorly designed technology law, drawing on public choice theory, the Hayekian knowledge problem, and the phenomenon of legal ossification. The Article concludes with a call for legal restraint—not as a rejection of technology regulation but as a higher form of it.

II. The Human Tendency Toward Fresh Lawmaking

The natural, perhaps inevitable response to new technology is first to marvel, briefly to hope for what might come, and ever after to fear the loss that change may bring. That is, until what was the shiny new becomes the old familiar and the cycle starts afresh. As the fear sets in, we throw into gear the lawmaking process to regulate the unknown. It is virtually impossible to ignore the impulse; it is what one’s gut commands and exactly how one will proceed unless the conscious mind can persuade otherwise. With that, this Article aims to help.

A. Gutenberg and the Machine That Launched a Thousand Laws²⁹

History shows the pattern repeating again and again: new technologies elicit initial marvel, followed by apprehension regarding potential societal change or ideological shifts, which in turn galvanizes lawmaking bodies to restrict the new and unknown. The process is a natural, almost inevitable human impulse.

Consider the reception of the printing press in Europe. Initially, the Roman Catholic Church viewed the invention as a valuable instrument for propagating the faith, even hailing it as a “divine art.”³⁰ The Church’s stance quickly shifted, however, as the Protestant Reformation gained momentum during the fifteenth and sixteenth centuries, and it became clear that the press could be put to many purposes beyond spreading orthodox doctrine. Indeed, Martin Luther’s Ninety-five Theses, famously affixed to the church door in Wittenberg in 1517, would likely have remained a localized protest without the amplifying power of the printing press.³¹ Instead, the document was rapidly reproduced and widely distributed, igniting a theological debate that fundamentally challenged the Church’s authority. The press thus emerged as a potent tool for dissenting voices, enabling religious reformers to circumvent traditional channels of control and circulate their ideas, Bible translations, and critiques of the ecclesiastical order directly to a burgeoning reading public.³² Demonstrating the feared power of the printed book, the Church aimed to stop the presses, even coining the new sin of “bibliolatry”—improper reverence for books so excessive as to interfere with one’s worship of God.³³ The widespread dissemination of heterodox teachings that the printing press enabled, perceived as dangerous to both clerical power and to the spiritual welfare of the populace, prompted Church officials to impose numerous restrictions,³⁴ including a requirement of papal authorization for new publications.³⁵

One direct response to this perceived threat was the infamous Index Librorum Prohibitorum, the Index of Prohibited Books—a comprehensive catalogue of publications deemed heretical or morally perilous, the reading of which by Catholics was strictly forbidden.³⁶ Ostensibly aimed at preserving public welfare, these measures sought to control the intellectual foundations of human society. An invention with immense power and potential thus quickly became entangled in a web of restrictions designed to safeguard existing authorities and, purportedly, protect the populace from itself. The Church’s initial embrace morphed into fear, producing a heavy regulatory response to what it could no longer control.

A similar story played out within secular governments, especially in England,³⁷ where concerns gravitated less toward religious dogma and more towards criticism of the monarch. The Crown, much like the Church, initially recognized the press’s usefulness for disseminating laws, proclamations, and official news.³⁸ Yet, political dissent, mirroring religious reform, also found a powerful new amplifier in printed materials.³⁹ Critiques of royal policy, calls for political reform, and even arguments for outright sedition could now be replicated and distributed with a speed and breadth unimaginable in the era of handwritten manuscripts. This presented an immediate threat to the realm’s stability and the monarch’s absolute authority.

As with the Church, the danger of the printing press was, of course, not expressly framed to the public merely as a risk to the King’s power. Instead, restrictions on printing were rationalized as being for the public good, aimed at preventing unrest and preserving governmental stability. The prevailing argument posited that unbridled speech, especially printed matter, could incite rebellion, corrupt public morals, or disseminate misinformation leading to societal chaos. For instance, the English Crown routinely targeted seditious and libelous statements to suppress any printed material criticizing the government or promoting ideas contrary to royal authority.⁴⁰

“Extreme times” called for extreme measures, or so the argument went. The Crown’s traditional punitive tools (including burning at the stake) proved insufficient on their own, given the terrific quantities of information that the printing press enabled. The sheer volume of printed material rendered post-publication punishment insufficient as a deterrent; by the time a seditious pamphlet could be identified and its authors or printers apprehended, countless copies might already be in circulation, having already done their ostensible damage.⁴¹ Consequently, the government shifted its approach to proactive control.⁴²

Post-publication physical punishment for content deemed treasonous or heretical was augmented by a system of prior restraint, which criminalized publication without explicit Royal preapproval.⁴³ This system entailed licensing printers, requiring them to secure official permission to operate, and establishing censors responsible for reviewing material prior to its release.⁴⁴ During this time the Star Chamber, the infamous English royal court, became a formidable instrument of censorship, issuing decrees that controlled printing, limited the number of authorized printers, and mandated licensing for all books.⁴⁵ Violations could lead to severe penalties for printers and authors alike, including imprisonment, substantial fines, and physical mutilation.⁴⁶

Importantly, these measures were not merely extensions of existing laws designed to maintain order; they represented a profound shift to control thought and expression, in direct response to a new technology that had revolutionized the dissemination of ideas. The fear by those in power was palpable, as an unregulated press held the potential to dismantle the existing social and political order. Both Church and State, facing a rapidly evolving information landscape, reacted naturally by regulating the unknown, often framing restrictions as essential for public welfare, even if their underlying, sometimes subconscious, motivation was preservation of established power.

B. Magazines and Brain-Rot Contagion

Somewhat closer to the present, consider also the later alarm over disposable print media. One delightful example comes from an article titled “Lively Comment Upon Dewey, the Newest Fads in Publishing and English Mass Meetings: Brain-Rot Contagion” published in 1899 in the Brooklyn Daily Eagle, which warned of a “brain-rot contagion” induced by the widespread circulation of magazines:⁴⁷

The number of people who think like birds, in little broken thoughts, will be greatly enlarged. Millions upon millions of American boys and girls and men and women will be, like their English cousins, unable to learn anything, to know anything well and to concentrate their minds upon anything.

This fear sounds distant, yet familiar. Cyclical apprehension of whatever media is new in the moment is not coincidental; it can be explained as a recurring sociological phenomenon known as a “moral panic.”⁴⁸ The phrase, coined by Stanley Cohen, describes a period of intense public fear and anxiety over a perceived threat to societal values or norms, which is often amplified by media representations and leads to calls for stricter control and regulation.⁴⁹ These panics often target specific groups or cultural forms, portraying them as “folk devils” that embody the perceived threat.⁵⁰ The arguments asserted in support of societal counteractions predictably frame the new or unfamiliar as inherently dangerous before calling for its restriction.⁵¹

Beyond the “brain-rot” attributed to magazines, historical anxieties have repeatedly coalesced around other forms of popular print media, deemed detrimental to public morals, intellectual rigor, or social order. The novel, for instance, was a significant target of such cultural opprobrium, particularly in Britain during the late eighteenth and early nineteenth centuries.⁵² Critics condemned novels for fostering idleness, especially among women, who were perceived as susceptible to the genre’s seductive narratives, which could distract them from their domestic duties and lead to their moral corruption.⁵³ It was feared that novels were so immersive (like virtual-reality headsets) that they permitted a dangerous escapism that would promote unrealistic expectations of life and incite social unrest by exposing readers to subversive ideas.⁵⁴ The prevailing sentiment was that such “pestiferous reading” undermined the social fabric by promoting emotional indulgence over rational thought and duty.⁵⁵

The division between supposedly corrupting popular literature, such as the common novel, and intellectually uplifting, “highbrow” literature, continues today and has been a perennial feature of media moral panics. Mass-produced, “lowbrow” print materials are scrutinized and condemned because of their accessibility to a broad populace and their perceived lack of artistic or intellectual merit.⁵⁶ The driving fear, often unstated, is that such easily digestible content bypasses critical faculties, leading to a passive, unthinking consumption that renders the public susceptible to manipulation or moral decay.⁵⁷

A vivid twentieth-century manifestation of such anxiety occurred in the 1950s with the widespread condemnation of comic books. What began as a burgeoning and largely unregulated industry soon faced intense public and political pressure, fueled by sensationalized media reports and the influential critiques by figures such as psychiatrist Fredric Wertham.⁵⁸ Wertham’s seminal 1954 book, Seduction of the Innocent,⁵⁹ posited a direct causal link between reading comic books and juvenile delinquency, violence, and sexual perversion. He argued that comics desensitized children to violence, glamorized crime, and introduced them to inappropriate sexual themes, thereby corrupting their morals and inciting antisocial behavior.⁶⁰ The pervasive fear was that these colorful, seemingly innocuous publications were actively contributing to a national crisis of youth crime and moral decay.

The ensuing public outcry and congressional hearings, most notably the 1954 Senate Subcommittee on Juvenile Delinquency,⁶¹ mirrored the earlier anxieties surrounding the printing press and novels. Testimonies and media narratives amplified the perceived dangers, creating a moral panic that ultimately forced the comic book industry to self-regulate by establishing the Comics Code Authority.⁶² This self-censorship mechanism, while ostensibly voluntary, was agreed to only under threat of coercive governmental regulation.⁶³ It imposed strict content guidelines that stifled creative expression and dramatically altered the landscape of American comic books for decades.⁶⁴ The case of comic books perfectly illustrates the cyclical nature of societal reactions to new media:⁶⁵ initial apprehension morphs into a moral panic, which then galvanizes a regulatory response, ostensibly to protect the public from itself, but often with profound implications for freedom of expression and cultural and economic development.

There has been a consistent historical pattern⁶⁶ of anxiety about new media, from the early condemnation of novels and “magazine brain rot,” to 1950s comic books and television brain rot,⁶⁷ and now of Generation Z’s⁶⁸ even scarier sounding “bed rotting.”⁶⁹ Across diverse historical episodes, societies consistently react with fear to evolving trends in media consumption, often reaching for the tools of regulation. Restrictions are rationalized as essential for public welfare, even if, in retrospect, history often reveals an underlying motivation to preserve incumbent power and political structures from destabilizing effects of information dissemination.⁷⁰ The persistent fear is that readily accessible, popular media formats possess an insidious power to corrupt individuals and unravel the fabric of society, thereby justifying stringent oversight and control.

C. Purveyors of Elevator Terror

For another example, consider elevators. Imagine how scary they must have been to their first riders. Even today, with a decades-long safety record, elevators are still common triggers of claustrophobia, acrophobia, agoraphobia, and other fears.⁷¹ Their emergence in the nineteenth century thus quite naturally provoked an initial response of fear in society, followed closely by regulation.

Prior to the mid-nineteenth century, vertical movement within multistory structures was a laborious affair, largely confined to staircases or rudimentary hoisting mechanisms that lacked even basic safety features.⁷² The very concept of a machine that could safely transport humans vertically within a building was, at its inception, profoundly counterintuitive. The idea challenged deeply ingrained perceptions of gravity and stability.⁷³ Early contrivances, primarily utilitarian lifts for freight, were notoriously unreliable, often with catastrophic consequences, which fostered public distrust of any vertical conveyance other than the power of one’s own two feet.⁷⁴ It was against this backdrop of pervasive skepticism and genuine peril that Elisha Graves Otis introduced his revolutionary “safety hoist.”⁷⁵

Otis, originally a master mechanic in a bedstead factory in Yonkers, New York, conceived of a simple yet ingenious device: a spring-loaded ratchet system designed to automatically engage with notched guide rails should the hoisting rope fail, thereby preventing the car from plummeting.⁷⁶ His innovation was not the elevator itself, which had existed in various forms for millennia, but rather the assurance of its safety.⁷⁷

Yet, given humanity’s general apprehension of change, convincing a wary public that his contraption was not a death trap required more than mere engineering prowess; it demanded the sort of theatrical demonstration typical of the times. The pivotal moment arrived at the 1854 Exhibition of the Industry of All Nations at New York’s Crystal Palace.⁷⁸ In a spectacle orchestrated with the flair of a showman, Otis, standing confidently on an open elevator platform suspended high above a throng of anxious onlookers, dramatically ordered an assistant to sever the single hoisting rope.⁷⁹ Gasps surely rippled through the crowd as the platform began its uncontrolled descent, only for the safety brake to engage, bringing the car to an abrupt and secure halt after a fall of mere inches. “All safe, ladies and gentlemen! All safe!” Otis proclaimed.⁸⁰ This audacious display, repeated countless times over subsequent months, helped transform public perception.⁸¹

Still, the elevator took time to earn the public’s trust. In 1857, the Haughwout department store in New York was the first to install a passenger elevator, which it envisioned its customers would use to travel between the levels of its five-story building.⁸² The plan was scrapped, however, and the elevator removed because customers refused to use it.⁸³ Slowly, however, utility overcame fear, and elevators became widely accepted. Hotels, for example, found their patrons to be somewhat more receptive to the new machines. With the help of elevators, guests found it much easier to transport luggage to their rooms, a benefit that perhaps helped to make them more willing to brave the perceived danger.⁸⁴

Public apprehension remained, however, and efforts came quickly to restrict and regulate elevator use.⁸⁵ Despite Otis’s compelling demonstration and Haughwout’s subsequent installation of the first passenger safety elevator, deep-seated anxieties persisted. The notion of enclosed elevator cars rapidly ascending and descending must have remained unsettling to many, giving rise to popular fears and calls for elevator-specific lawmaking.⁸⁶

The legal response to this nascent technology was swift and, as is typical with disruptive technologies, reactive and somewhat fragmented.⁸⁷ Early court decisions regarding elevators grappled with how to fit the new passenger elevator into existing doctrinal frameworks, especially those governing master-servant liability, negligence, and premises liability.⁸⁸ James Avery Webb’s treatise, The Law of Passenger and Freight Elevators, went through two editions between 1896 and 1905,⁸⁹ carefully documenting and systematizing the judiciary’s efforts to integrate the invention into the existing legal structure.⁹⁰ Elevator construction, it was explained, was to be undertaken with adequate care, by using “materials and workmanship . . . such as will stand the work for which it is intended” and “exercis[ing] due diligence in making the elevator reasonably safe.”⁹¹ Industry custom regarding elevator construction would be relevant to that determination, but “the usage of others is not the sole criterion,” and compliance with industry custom would not support a conclusion as a matter of law that a defendant acted with due diligence.⁹²

To any lawyer or student of the law, these principles are eminently familiar: a party must act with reasonable care to avoid causing physical harm to foreseeable victims of her carelessness.⁹³ That is true whether it is piles of hay,⁹⁴ schoolhouse kicks in the shin,⁹⁵ or newfangled elevators at issue. Thus, it was largely the general principles of the common law, as elaborated by the courts, that governed the early use of elevators. And yet the very existence of Webb’s specialized legal treatise at such an early stage underscores the public’s uneasiness with the new technology and the perceived necessity for specially tailored rules.⁹⁶

As is so often the case, generally applicable principles of law did not assuage public concern, and legislatures soon advanced more particular lawmaking to restrict the new devices. An avalanche of legislation followed. Early laws often focused on highly granular operational details, such as rope tensile strength, brake mechanisms, and the qualifications of elevator operators, reflecting a preoccupation with the visible mechanical aspects of safety.⁹⁷ Even elevator operators were deemed at risk. In many states, it was made illegal for someone under the age of eighteen to operate an elevator that traveled faster than 200 feet per minute (just over 2.2 miles per hour).⁹⁸ New York state law prohibited women from working as elevator operators before 7:00 AM and required they be provided seats, apparently to protect the delicate sex⁹⁹ from the dangers of early-morning labor.¹⁰⁰ And Minnesota adopted a (slightly) more nuanced statute, which required that elevators be operated by licensed attendants, but only in cities with populations over 50,000—a law surely satisfying to the Elevator Operators’ union,¹⁰¹ but which apparently conceded that rural folk were hardy enough to look after themselves.¹⁰²

Initial public apprehension, fueled by a combination of genuine risk and an understandable fear of the unknown, compelled legislative bodies to create specific, detailed laws. The tendency towards overly prescriptive and fragmented legislation, often based on an incomplete or shortsighted understanding of the technology or an overreaction to perceived dangers, resulted in cumbersome, rapidly outdated, and sometimes comically misguided legal requirements. The story of the elevator thus serves as a cautionary tale to those who would contemplate particularized enactments to govern today’s rapidly evolving technologies.

III. AI Technologies and the Law’s Static Ideal

None of this means that new technology does not sometimes require legal innovation. Very often it does.¹⁰³ Typically, however, there will be no need to change substantive law, merely to clarify, where it is not already obvious, how the new technology fits within the existing legal framework. Think, for example, of the torts of conversion and assault. Whether a tortfeasor takes a plaintiff’s property by sword or by 3D-printed ghost gun matters not in the least, for the wrongfulness of assault and conversion lies in putting the plaintiff in fear of her safety and depriving her of her property and liberty, not the employment of any particular tool in doing so.¹⁰⁴

A. Large Language Models and Defamation

To take on what may seem like a trickier case, consider the emergence of large language models that can engage in human conversation, produce written content indistinguishable from human-authored material,¹⁰⁵ and even pass the bar exam.¹⁰⁶ They also sometimes err and make false and disparaging statements that can cause significant reputational harm. Two leading examples are the mistaken assertion by OpenAI’s ChatGPT that Brian Hood, a mayor in Australia, had been imprisoned for bribery,¹⁰⁷ and by Meta’s Llama that political activist Robby Starbuck participated in the January 6, 2021, riot in Washington, D.C.¹⁰⁸

It may seem at first that such a technological advance would require a correspondingly significant legal innovation. Who, before now, ever heard of defamation by machine? Yet, as Eugene Volokh has discussed in a pair of recent articles, even here the long-standing law of defamation provides the necessary tools for analysis.¹⁰⁹ No new legal rights or categories (and no legislation or regulation) are required.¹¹⁰ That is so because common-law liability for defamation has never required that the defendant have penned or typewritten the defamatory words herself or even that she have spoken or written any words at all.¹¹¹ Rather, liability arises when a defendant publishes or continues to publish a defamatory statement about the plaintiff while possessing the required mental state¹¹² (typically at least negligence under modern law).¹¹³ It does not matter whether the mistake is the result of a human mental slip or the careless operation or design of a machine subject to her control.¹¹⁴ Either will suffice because it is culpability and publication, not human authorship, that ground the tort.¹¹⁵

Applying these principles to LLMs in particular, defamation law will impose liability on an LLM creator if publication of the defamatory content was the result of a defective product design.¹¹⁶ Similarly, liability will arise where the LLM’s design is not defective (that is, no superior product design was available at the time of the product’s design), but where the LLM creator is made aware of the defamatory content but nonetheless continues to publish it despite an opportunity to correct the error.¹¹⁷ Existing defamation principles already govern even the novel case of LLM defamation because the law does not depend on the origin of the statement—whether composed by a person, copied from a wire service,¹¹⁸ or generated by code—but on the human actor’s design error or knowledge and continued publication. The facts may be unfamiliar, but the legal inquiry is not. The common law of defamation is already structured to do the work.

B. Liability for AI Systems

The same is true in tort law more broadly. Questions about accountability for AI systems—whether in cars, hospitals, or homes—are not categorically different from questions courts have answered for centuries. They require adaptation, not fresh lawmaking. Consider harms caused by AI-driven products, such as self-driving cars, virtual assistants, automated medical equipment, for which negligence and products liability law, as discussed below, already offer the basic legal tools.

To take one prominent example, when an autonomous vehicle causes an accident, courts need not depart from long-standing doctrine to assign responsibility. If the incident can be traced to flawed design, programming, or inadequate instructions, standard products liability rules suffice.¹¹⁹ Similarly, accidents traceable to error by human drivers of semiautonomous vehicles are well-governed under standard negligence law.¹²⁰ In both contexts, the underlying principles remain consistent with existing law: manufacturers bear responsibility for defects,¹²¹ users for harms caused by negligent use,¹²² and courts and juries for evaluating reasonableness under the circumstances.¹²³ That framework functions effectively wherever harm can “fairly be attributed to some act or omission by a human that can be said to have ‘caused’ the accident.”¹²⁴

At the same time, AI does introduce new challenges that require careful development of our system’s legal principles. For example, some machine behaviors, including those of autonomous vehicles, may defy easy attribution of fault either to operator or manufacturer, particularly where no single design flaw or programming misstep can be pinpointed.¹²⁵ Consider a self-driving car that abruptly swerves to avoid a phantom obstacle detected by its sensors, colliding with another vehicle. Was the harm caused by a coding choice, by imperfect training data, or by an unforeseeable interaction of multiple subsystems? Likewise, an autonomous truck might continue accelerating into a traffic jam because its deep-learning navigation system misclassified stopped cars as background scenery—an error traceable only to the inscrutable weightings of a neural network rather than to any discrete programming decision. Other scenarios extend beyond the roadway: an automated rideshare fleet could collectively reroute into a dangerous area due to flawed real-time mapping data, or a robotic delivery vehicle might fail to recognize a pedestrian in low light until too late. Each case involves a black-box chain of perception and action where traditional fault-finding tools falter.

Indeed, courts have already begun to confront these difficulties. In Huang v. Tesla, Inc., litigation followed the death of a driver whose Tesla, operating on autopilot, steered into a highway barrier; while plaintiffs argued the crash reflected a design defect in Tesla’s semi-autonomous system, the company maintained that driver misuse and inattentiveness were to blame.¹²⁶ Similar issues surfaced in Nilsson v. General Motors LLC,¹²⁷ where a motorcyclist struck by a self-driving test vehicle alleged negligence, but the precise role of the human safety driver versus that of the autonomous system was hotly contested. Even detailed investigation, such as that which followed Uber’s fatal 2018 Arizona crash involving a self-driving test vehicle, may be insufficient to determine whether causation flowed from failures of human oversight, inadequate sensor programming, or systemic flaws in AI systems.¹²⁸ These disputes underscore how negligence and design-defect frameworks strain when the causal chain runs through opaque algorithmic processes rather than identifiable human error. How can negligence or design-defect products liability law govern where fault cannot be identified and assigned? Yet even in such cases, the law’s basic structure is resilient, offering a menu of possible approaches.¹²⁹ One option, of course, is to change nothing. Not every person who suffers an automobile accident is entitled to a compensatory legal award, only those who are injured by another’s wrongful conduct.¹³⁰ If an injured party has not been wronged or cannot prove that she has been wronged, there is no legal basis for recovery from a third party.¹³¹ However, that rule can produce harsh results where we intuit that the defendant must have made some mistake or should bear liability regardless, but AI’s complexity makes the factual details of any negligence murky, which precludes the plaintiff from satisfying her burden of proof.

For such cases, the common law offers other paths. Since the mid-twentieth century, for example, tort law has accommodated plaintiffs’ difficulty proving product manufacturers’ negligence by adopting a strict products liability regime that reduces or eliminates the burden to prove negligence where a plaintiff is injured by a defective product.¹³² Over time, “strict” products liability doctrine has drifted toward a negligence standard, at least when applied to design and warning defects, where the plaintiff must show a reasonable alternative design or failure to provide an adequate warning.¹³³ But a truly strict liability regime (like that applied to manufacturing defects) that imposes liability without proof of fault remains a viable path for AI systems that cause physical injuries to their users or bystanders and has the recommendation of some leading scholars in the field.¹³⁴

Another potential legal tool for analyzing liability for AI systems is the doctrine of res ipsa loquitur, which presumes the defendant’s carelessness and shifts the burden of proof to the defendant to show that she acted with adequate care if the accident is the sort of thing that ordinarily happens only as a result of negligence by someone in the defendant’s position.¹³⁵ The doctrine is not only for law-school hypotheticals and pedestrian barrel-hoisting injuries,¹³⁶ but serves a crucial burden-shifting role in many modern medical malpractice¹³⁷ and products liability¹³⁸ cases where direct evidence of negligence or causation is difficult to obtain. The res ipsa loquitur doctrine has proven useful in products liability cases involving vehicles’ automated driving features, most prominently in the massive litigation that followed numerous instances of automatic, sudden acceleration of Toyota vehicles in the 2010s.¹³⁹

Finally, it is even possible to carve a middle ground between strict liability and negligence-based fault that does not require inquiry into the sometimes-inscrutable workings of AI systems. Mihailis Diamantis has, for example, proposed a hybrid negligence standard that would gauge the reasonableness of AI performance in comparison to both humans and other algorithms.¹⁴⁰ Under his approach, “an AI engaged in some task is reasonable if it causes less harm than the weighted average of harm that all actors—both AI and human—cause while engaged in that task.”¹⁴¹ This formulation would preserve negligence law’s existing fault-based structure while updating the comparator class to reflect AI’s nonhuman character.

The point here is not to press for any particular solution. Many could work, and there may be a role for several schemes depending on context. The broader point is that despite the novelty of AI systems, the problems of protecting against unavoidable, but unpredictable losses, and of assigning legal liability under uncertain and difficult facts are not new ones. They do not require rethinking from the ground up. Existing law offers a bevy of options, all long studied, with well-understood tradeoffs, and in some instances centuries of judicial experience in application.¹⁴²

C. Dark Patterns, Deep Fakes, and Consumer Protection

A third frontier of digital technology that might initially seem to require a radical rethinking of the law is digital commerce, which today is saturated with what are sometimes called “dark patterns”—user interface designs that pressure or manipulate users into making choices they would not otherwise make.¹⁴³ These designs may obscure relevant information, exploit behavioral biases, or impede users’ ability to decline options disfavored by the app maker or website.¹⁴⁴ However, although the phrase is relatively new, the practice is not.¹⁴⁵ From a legal standpoint, these tactics fall squarely within long-standing consumer protection law, including common-law fraud, the FTC Act,¹⁴⁶ and state consumer protection statutes.¹⁴⁷

Dark patterns operate by shaping the “choice architecture” presented to users—how options are framed, which defaults are preselected, and which clicks or scrolls are required to make choices.¹⁴⁸ Their methods vary,¹⁴⁹ but their objective is consistent: to shift user behavior in ways that benefit the app maker or website, sometimes at the user’s expense.¹⁵⁰ For example, a website might present an interface that requires users to affirmatively decline an option by clicking “No, thanks. I don’t like saving money” while highlighting a preferred option in bright green.¹⁵¹ These techniques range from quite mild to aggressive or downright deceptive.

On the mild end of the spectrum are, for example, forms with the email opt-in box preselected as the default choice (as if that would be most users’ preference) and warnings during checkout that a purchase is “unprotected” alongside an offer to buy insurance, sometimes for products the full cost of which barely exceeds the cost of the insurance.¹⁵² These tactics are annoying, but safely navigable, and can be policed by consumers choosing to take their business elsewhere if the annoyance outweighs the benefit of the product or bargain.

On the other end of the spectrum are tactics that achieve their results by confusing, misleading, or outright lying. Such tactics include fake countdown timers (“Only 10 minutes left!”) when in reality there is no time limit to a sale; fabricated scarcity alerts (“5 left in stock”); hidden, prechecked boxes for recurring subscriptions; and intentionally confusing double negatives (“Do you not wish to opt out?”).¹⁵³ Like traditional, in-person sales strategies, these techniques often leverage information asymmetries, user search costs, and deceptive phrasing to influence user behavior.¹⁵⁴ The result is distorted and inefficient market outcomes: individuals subscribe to services they did not want, pay more than they intended, or consent to data sharing they did not realize was a requirement of the service.¹⁵⁵

None of these tactics, however, is beyond the reach of the law. To the contrary, the common law of fraud already prohibits commercial misrepresentations made with the intent to defraud.¹⁵⁶ The form of the deception—verbal, written, or visual—is immaterial. Modern state and federal consumer protection statutes reach the same result, even eliminating the requirement that the plaintiff prove fraudulent intent. Section 5 of the FTC Act and analogous state consumer protection laws¹⁵⁷ declare unlawful all “unfair or deceptive acts or practices” in or affecting commerce, which the FTC has long interpreted to prohibit any representation “likely to mislead the consumer acting reasonably in the circumstances.”¹⁵⁸ Misleading user interfaces fall comfortably within this framework and, indeed, have been a focus¹⁵⁹ of recent FTC actions regarding online sellers.¹⁶⁰

In short, although online fraud has proliferated in recent years, powered by advances in targeted advertising and a general shift to online shopping, lawmaking in this area is a mistake,¹⁶¹ for consumer law is well situated to address the problem. The law’s response to dark patterns, like their low-tech forebears, depends on the substance of the defendant’s conduct, not the method of deceptive communication. Consumer protection law is already equipped to do the work. Dark patterns are simply digital tools for the sorts of deception that have never been lawful.¹⁶²

* * *

This Part has shown how even in some of the fastest moving and innovative fields, existing law, while not yet settled in its precise application to those technologies, is well situated to accommodate the new factual scenarios these technologies bring, without fundamental change to substantive law. Far from limiting technological advancement, the law’s capacity to absorb new facts without rethinking and rebuilding its foundation is a virtue, for the law thereby continues to guarantee existing rights and freedoms while providing the legal predictability required to encourage investment and innovation.¹⁶³ Social change and “variations in individual tastes and conduct can all take place within a persistent set of legal rules.”¹⁶⁴

IV. Dangers of Technology-Specific Lawmaking

Even if, after reading Parts II and III, you are convinced that the law can evolve slowly and naturally, you might wonder whether we could speed up the process with small doses of technology-specific legislation. Part IV explains why technology-specific lawmaking is often a mistake.

A. Introduction: Particularization and Reconsideration of Generally Applicable Law

When technological change disrupts the familiar, lawmakers often feel compelled to respond. The elevator, the printing press, and now generative AI have all prompted calls for new legal controls. Yet, new technologies are not born into a legal vacuum; each is born into a full-fledged legal system already in operation. There are, for example, general rules of tort, contract, property, fraud, consumer protection, civil procedure, and due process—time-tested principles widely applied across all manner of contexts and waiting in the wings to govern whatever new technology arises. And so, when legislators act, they do not simply fill a void; they supplant or supplement what already exists. That is, they enact particularized law.

At first blush, particularization may seem prudent. Might statutes tailored to novel technologies govern them more effectively than general-purpose common law? Typically, the answer is no.¹⁶⁵ Particularized law often adds complexity without adding clarity. It raises compliance costs by layering new obligations atop existing ones.¹⁶⁶ It generates inconsistencies by regulating one technological path while leaving nearly identical conduct, accomplished some other way, untouched.¹⁶⁷ Worse, it opens the door to reconsideration of foundational legal principles, often at the behest of whatever special-interest group currently holds political sway.¹⁶⁸ Particularized statutes do not merely coexist with the common law; they place it on the table for negotiation, replacing settled norms with ad hoc compromises that, over time, erode the coherence and generality that make law predictable and just.¹⁶⁹

This phenomenon is not hypothetical. As discussed previously,¹⁷⁰ history is replete with examples of lawmakers enacting bespoke rules in the wake of technological panic. From printing presses to comic books to deep fakes, the pattern is consistent. A new tool is feared, then targeted with legislation, often in ways that reflect political alignments more than policy wisdom. These efforts rarely age well. Technologies evolve, use cases proliferate, and the bespoke statute, once cutting-edge, becomes a relic, poorly matched to modern practice but difficult to repeal.¹⁷¹ The resulting ossification of the legal system, which is stuck trying to regulate a world that no longer exists, reflects what Cass Sunstein calls a structural bias in lawmaking toward overreaction: “[E]lected officers ordinarily face strong incentives to respond to excessive fear, perhaps by enacting legislation that cannot be justified by any kind of rational accounting.”¹⁷²

Even worse, particularized lawmaking poses deeper, institutional risks. The political process that produces new statutes and regulations is not technocratic or dispassionate. It is shaped by interest-group lobbying, skewed incentives, and limited information. Lawmakers act under pressure, often with imperfect understanding, and the laws they produce tend to entrench incumbent interests, privilege visible harms over invisible costs, and congeal into legal regimes that frustrate rather than facilitate innovation.¹⁷³ Each new legislative enactment is a wager that our current understanding is sufficient to regulate the future. It rarely is.

The law’s strength lies in its generality. Common-law principles endure not because they are forever static, but because they are flexible.¹⁷⁴ They apply across contexts, technologies, and generations, adapting to new facts without requiring wholesale reinvention. Part III makes the case that this generality is a feature, not a flaw—and that technology-specific lawmaking, however well-intentioned, often trades that virtue for a mirage of relevance that quickly fades. In a world of rapid technological change, humility in lawmaking is not weakness, but wisdom.

B. AI’s Knowledge-Problem Paradox

It is tempting, when faced with technological disruption, to reach for the tools of legislation. A problem appears novel, the facts uncertain, and our instincts urge us toward control. The assumption is that new laws will preserve order. But this impulse, however natural, overlooks a profound limitation in human affairs: we do not, and cannot, know enough to legislate wisely, especially in fast-changing environments. This is the essence of the so-called “knowledge problem,” first articulated by Nobel-laureate economist Friedrich Hayek in 1937.¹⁷⁵ It is a challenge not of technology, but of epistemology, of the nature of knowledge itself, and nowhere is that challenge more salient today than in legislative efforts to regulate AI.

Hayek’s knowledge problem begins with a simple insight: “[T]he knowledge of the circumstances of which we must make use never exists in concentrated or integrated form, but solely as the dispersed bits of incomplete and frequently contradictory knowledge which all the separate individuals possess.”¹⁷⁶ More specific to the lawmaking context, to design a general welfare-maximizing statute or regulation, a lawmaking body would require access both to scientific information and also to information regarding individual circumstances and preferences. For example, to regulate autonomous vehicles, legislators would need scientific information about the current capabilities and limitations of visual, radar, and lidar sensors; real-time decision-making algorithms; and machine-learning systems.¹⁷⁷ That information would be hard enough to come by on its own, and acquiring and understanding it would risk regulatory capture.¹⁷⁸ But even if it could be acquired, lawmakers would also need granular, localized knowledge about how people in different communities interact with traffic norms, how much risk each individual is willing to tolerate, what tradeoffs each prefers between convenience and safety, and what infrastructural idiosyncrasies—such as local road quality or weather patterns—might affect implementation in each case.¹⁷⁹

Even when the required scientific knowledge could, in theory, be collected and acted upon, the knowledge of circumstances of time and place is unavailable, and unattainable even in principle. This is not merely a claim about information scale, but about kind. Much of the most valuable knowledge in society is tacit, contextual, and unarticulated.¹⁸⁰ It emerges only through individual trial, error, and adaptation. Even the individuals themselves whose interests are concerned do not know it until circumstances force them to decide. What specific combination of cloud computing resources at a given price point will minimize my company’s research costs while maintaining performance that I find acceptable under a fluctuating workload? Or, how much fire-insurance coverage is optimal given my specific home’s construction, my local fire department’s response times, and my personal risk aversion? Having recently purchased a new home, I now know the answer (or at least I have made a decision). But up until the moment of decision, neither I nor anyone else knew or could have known the answer to that question.

The paradox is that even as big data and the AI revolution have made it possible for policy makers to collect more and better information than ever before, central decision makers remain handcuffed by a fundamental inability to obtain the requisite information for optimized lawmaking. No legislature or any other central decision maker—however expert and however advanced its AI—can access, comprehend, and act upon the information that would be needed to guide society’s complex interactions. Centrally created rules will necessarily misfire, not out of malice, but out of epistemic impossibility. The relevant information simply cannot be collected and centralized for consideration.

This insight is not merely theoretical. Recent examples illustrate the cost and likelihood of legislating without the requisite knowledge. Public health guidance on alcohol consumption, for instance, has shifted markedly over time—from moderate drinking as heart-healthy, to a focus on cancer risk, to skepticism about benefits of any kind.¹⁸¹ Even with very comparatively robust econometric data and at least a century of interest in the question, we still do not know whether moderate drinking is good for us, bad for us, or neither.¹⁸² And that is just the scientific question! Truly informed lawmaking would also require information regarding the social benefits to humans of alcohol consumption, differing risk preferences and tolerances between individuals and across circumstances, likely substitute behaviors, and, of course, similarly detailed scientific and particularized information regarding those substitute behaviors.

If we cannot resolve these questions about a behavior as old and studied as drinking, what hope is there of writing wise laws today about generative AI tools? Of course we can guess at what the best answers might be. But there is significant danger in treating temporary guesses as the basis for coercive law. Legislative or regulatory restrictions, once enacted, ossify guesses into rules and punish deviation. Error becomes law.

That risk now looms in the domain of AI. In recent years, many states have enacted laws targeting everything from AI-generated media and deep fakes¹⁸³ to dark patterns,¹⁸⁴ algorithmic decision-making,¹⁸⁵ and data-sharing arrangements that make it all run.¹⁸⁶ These laws reflect well-intentioned concerns. But it is far from clear, to put it mildly, that lawmakers possess the knowledge to write such rules wisely—or that the benefits of intervention outweigh the costs of suppressing valuable experimentation. Does the value of reducing deep-fake political ads that deceive some voters outweigh the loss of some compelling AI-generated political parody that might have persuaded others, but never made it to the marketplace of ideas for fear of legal liability? No one knows. How about forgone experimentation with intuitive user-interface designs for fear of inadvertently creating a “dark pattern” (whatever that might mean to an aggressive enforcement agency). Or the loss of innovative, not-yet-known apps never created because they cannot be financed without the traditional data-sharing and targeted-advertising revenues that drive the market for online services?¹⁸⁷ Do the gains from dark-pattern and data-privacy legislation outweigh these losses? No one knows that either. But we now have legislation on the books that presumes such knowledge.¹⁸⁸

Hayek anticipated this danger. The problem with central planning, he argued, is not merely inefficiency, but ignorance.¹⁸⁹ Planners act on the assumption that the relevant knowledge is available to them. But the knowledge required to make wise decisions is not fixed or centralized. It is distributed, situational, and often inarticulable.¹⁹⁰ The proper role of law, then, is not to mandate behaviors based on intuitions and uncertain predictions, but to preserve the conditions under which decentralized discovery can occur.¹⁹¹ The common law’s generality is its virtue. Courts will adapt long-standing legal principles to new technologies without requiring the legislature to anticipate and regulate every innovation.

C. Big Tech and Regulatory Capture

In recent years, public anxiety over AI, algorithmic decision-making, and data privacy has fueled calls for legislative and regulatory intervention.¹⁹² Often these demands arise from an understandable concern about safety, fairness, and privacy. But in their haste to protect the public from perceived technological threats, lawmakers may unwittingly expose the public to the subtler and more enduring danger of regulatory capture. The very platforms and app makers whose companies make prompt calls for regulation often play a decisive role in shaping the statutes and rules designed to regulate them, thereby securing legal environments that entrench incumbents, suppress competition, and convert public fears into private moats.

Regulatory capture describes the process by which regulatory agencies or legislative bodies come to be dominated by the industries they are charged with overseeing.¹⁹³ In the words of George Stigler, who famously formalized the theory, “as a rule, regulation is acquired by the industry and is designed and operated primarily for its benefit.”¹⁹⁴ This does not mean that all regulation is futile or malign. It means rather that regulation will tend over time to reflect the preferences of concentrated industry groups rather than the interests of the general public. That is so because industry groups have both superior resources and greater interest in influencing legislation than the diffuse public.¹⁹⁵

The tendency toward regulatory capture is amplified in sectors characterized by rapid technological innovation, information asymmetry between industry and regulators, and a high degree of resource concentration, of which modern digital platforms and AI tools are prime examples.¹⁹⁶ Unlike conventional industries, Big Tech operates in spaces where the underlying technologies evolve at breakneck speed and where technical fluency is essential even to frame meaningful questions, let alone draft or implement sound legal rules.

In such an environment, policymakers face two knowledge deficits. First, they may lack internal expertise.¹⁹⁷ Even well-resourced agencies (or Microsoft, for that matter!)¹⁹⁸ struggle to recruit and retain specialists with up-to-date knowledge of machine-learning systems or emerging targeted-advertising technologies.¹⁹⁹ Second, even if agency staff members possess the relevant technical expertise, they will lack contextual understanding of how it is being deployed in the industry.²⁰⁰ It is not simply that the government lacks technical knowledge, but that the most relevant information—how users behave, how algorithms are fine-tuned in deployment, and how firms weigh tradeoffs—is local, tacit, and not easily transferred from firm to state.²⁰¹

This knowledge imbalance creates a natural opportunity for the regulated to become the regulators. Policymakers, recognizing their own ignorance, seek expertise from those who have it.²⁰² But the very actors supplying this expertise—dominant tech companies—are not disinterested. They have powerful incentives to frame problems in ways that support rules they are best positioned to satisfy. Often, they promote regulatory standards that mirror their own internal practices, presenting these as “best practices” or “responsible tech,” knowing that competitors with different architectures or fewer resources will struggle to comply.²⁰³

Differing concentrations of economic interest between the public and regulated market participants further encourage regulatory capture. Regulated companies have a very large stake in the content of a new law governing their industry, whereas, although the effects in the aggregate may be large, each voter has comparatively little individual interest.²⁰⁴ As Sam Peltzman observed, regulation tends to arise when concentrated beneficiaries are able to mobilize for favorable outcomes and when the diffuse public is unlikely to perceive or resist the cost.²⁰⁵ Big Tech firms are ideally situated to mobilize and deploy resources to acquire beneficial legislation. They command vast lobbying budgets,²⁰⁶ maintain close relationships with key decisionmakers, and possess both the technical knowledge²⁰⁷ and legal talent necessary to shape draft language, comment on rules, and litigate the boundaries of interpretation.²⁰⁸

A recent episode that illustrates these dynamics involves California’s landmark privacy legislation, the California Consumer Privacy Act (CCPA).²⁰⁹ Initially passed in 2018, the CCPA was widely hailed as a step toward stronger privacy rights in the digital era.²¹⁰ But the statute’s path to enactment reveals a more complicated story. The legislative process was catalyzed not by deliberate policymaking, but by a threatened ballot initiative funded by a wealthy real estate developer.²¹¹ Lawmakers feared that robust individual privacy protections would be approved by California voters by ballot initiative.²¹² In response, legislators hurriedly passed the CCPA to forestall that initiative, relying in part on language and guidance drafted by lobbyists and industry insiders, which softened the law’s requirements.²¹³ The result was a law with vague definitions and exceptions that favored industry participants over voter preferences.²¹⁴

One key provision in early drafts defined “personal information” so broadly that it threatened the business models of many smaller ad tech firms—but left open pathways for dominant platforms to argue that their practices were outside the scope of regulation.²¹⁵ Moreover, while the statute imposed new compliance burdens across the board, large firms were better positioned to absorb the costs, which would lead smaller competitors to exit the market or forego certain services altogether.²¹⁶ Industry groups lobbied not to kill the bill, but to shape it—blunting its most aggressive provisions, embedding favorable definitions, and creating a regulatory framework that reinforced their existing advantages.²¹⁷

The same pattern played out in the implementation stage. As enforcement authority transitioned to the newly formed California Privacy Protection Agency, major tech firms actively engaged with regulators, commenting on proposed rules, funding white papers, and hiring former government officials to lead their compliance divisions.²¹⁸ At each stage, the process was influenced by a difficult information asymmetry: Regulators relied on the regulated to explain the law’s effects, the regulated offered interpretations that advanced their interests, and the resulting explanations hardened into law.²¹⁹

This is not to say that the CCPA was pointless or even that anyone acted in bad faith at any stage of the process. Businesses naturally pressed for lawmakers to craft the legislation in a way that would not undermine their business models. And legislators naturally relied on industry participants’ advice to avoid inadvertently crafting a disastrously over-restrictive bill. That is how the legislative process works. And despite business influence, the law did meaningfully expand user rights and even prompt other jurisdictions to consider similar legislation. But the CCPA also exemplifies the capture risks endemic to tech regulation. When lawmakers act without full understanding of the technologies at issue, as they must always do, and when they depend on incumbent firms for technical advice and political support, as, again, they must always do, the resulting laws are likely to bear the marks of their true authors.

The lesson is not that regulation is futile, nor that industry input should be shunned. Rather, the lesson is cautionary. In domains where technical complexity is high and policy knowledge is low, the likelihood of capture rises. Regulators may find themselves implementing the strategic preferences of dominant firms, mistaking them for neutral expertise. And legislation intended to constrain power may instead entrench it. In the end, the choice is not between the status quo and enlightened, welfare-enhancing policy, but between the status quo and whatever Google might wish the law to be.

D. The Nirvana Fallacy: Biased Enforcement and Other Principal-Agent Problems

Legislation enacted in response to novel technologies often proceeds as if omniscience exists. Policymakers frame statutes with seeming confidence, treating uncertainty as a problem that can be solved rather than a natural limitation to be respected.²²⁰ But in doing so, they may fall prey to what Harold Demsetz famously called the “Nirvana Fallacy”—the logical flaw of comparing the imperfect present not to a realistically achievable alternative, but to a hypothetical ideal.²²¹ The fallacy is not merely one of optimism, but of method. It discounts tradeoffs that are implicit within new legislative proposals and hides institutional constraints.²²² Regulatory capture, already discussed,²²³ is one such constraint. Others are the risks of biased and self-interested enforcement, discussed below.

1. Bias and Selective Governmental Enforcement

All enforcement regimes face a resource constraint. No agency can investigate or prosecute every technical violation of law.²²⁴ Enforcement is necessarily selective. But selectivity opens the door to bias. That bias may arise from political influence, institutional ideology, or individual discretion.²²⁵ In any case, it raises the risk that rules will be enforced not impartially, but strategically. As Justice Jackson observed decades ago, “[t]he most dangerous power of the prosecutor” is not the power to charge wrongdoing, but that “he will pick people he thinks he should get, rather than pick cases that need to be prosecuted.”²²⁶ With the vast, uncountable number of civil and criminal provisions on the books, enforcers can just “pick[] the man, and then search[] the law books . . . to pin some offense on him.”²²⁷

Public choice theory predicts and explains this result.²²⁸ Agencies, like other political actors, do not pursue pure, abstract goals of justice.²²⁹ They are influenced, sometimes decisively, by interest groups, congressional overseers, and shifting political coalitions.²³⁰ Enforcement decisions are no exception. A regulator’s decisions, including whether and whom to prosecute, often reflect personal concerns and powerful economic and political interests, rather than an impartial assessment of public harm.²³¹

Discretion in enforcement, in other words, may be a practical necessity, but it is also a deep structural vulnerability. Discretion can be used to protect allies, punish enemies, or advance ideological projects under the guise of neutral law enforcement. For example, Kent Barnett has shown how administrative adjudicators, many of whom are hired, paid, and promoted by the agencies whose actions they are charged with reviewing, can be structurally biased in favor of the government’s enforcement priorities.²³² In practice, this means the agency can take enforcement action against disfavored parties while shielding itself or its allies from meaningful review.

The problem is compounded by information asymmetries and the opacity of enforcement decision-making. Agencies often rely on internal guidelines or informal norms, making it difficult for the public to assess whether like cases are treated alike.²³³ As Keith Hawkins has observed, discretion in enforcement is not rule-free, but it is often structured by organizational routines and expectations that operate below the surface of formal law.²³⁴ These underlying constraints do not always track legal merit. They may reflect risk aversion, bureaucratic habit, or political calculation as much as they reflect justice.²³⁵ The result is a system that may appear neutral in form but is deeply selective in practice. And that selectivity, once normalized, undermines the rule-of-law ideal that government should proceed by publicly known, generally applicable, and consistently enforced rules.

One example is the IRS, which seems as if it ought to be the paragon of neutrality, yet has faced allegations of targeting politically disfavored groups, such as Tea Party–affiliated not-for-profit organizations under the Obama administration.²³⁶ Similarly, under the Trump administration, the Department of Education opened Title VI investigations into elite universities—including Harvard, Yale, and Columbia—in ways that critics charged were politically motivated.²³⁷ These are not anomalies. In areas where discretion is broad and stakes are high, enforcement becomes a means for the exercise of power. That concern is magnified in rapidly evolving technological domains, where factual uncertainties give regulators still more room to maneuver.

This dynamic calls into question the wisdom of granting new discretionary enforcement powers over technologies like artificial intelligence, user interfaces, or data-sharing contracts. Enforcement decisions, like regulations themselves, will be shaped by institutional pathologies. Legislation that assumes otherwise invites disappointment at best and injustice at worst.

2. Principal-Agent Problems in Bureaucracy

Even where outright bias and political motivations are absent, agencies and their staff suffer from internal misalignments of a more general sort. The classic principal-agent problem arises whenever the objectives of the agent (the agency or its employees) diverge from those of the principal (Congress or the public).²³⁸ These problems are endemic in bureaucratic structures. As William Niskanen explained, bureaucrats cannot be assumed to operate purely in the public interest.²³⁹ They are humans and, like employees of any other entity, will seek when possible to further their own interests, such as reduced workloads, career advancement, prestige, and job security, not just the public welfare. Because their performance is difficult to measure, and because external accountability is weak, bureaucrats may make enforcement decisions that serve personal goals over statutory objectives.²⁴⁰

One consequence is risk-averse over-enforcement. Agency staff who fear adverse headlines or individual blame have an incentive to interpret rules expansively and demand more than the law requires, to reduce the risk of a public backlash for which they may personally suffer career consequences.²⁴¹ The same logic drives corporate compliance officers, who may recommend to their superiors compliance beyond what the law requires.²⁴² Better to over-comply than take any risk of a negative outcome for which they personally may suffer consequences. Such cautiousness, however, although personally beneficial, imposes real costs on innovation, which may be hindered by rules that were never really intended by Congress.²⁴³

Similarly, careerism may affect not just the level of agency enforcement, but how companies are selected for targeting. Enforcement decisions may be shaped not by policy merits but by the publicity they generate.²⁴⁴ An ambitious regulator might pursue headline-making enforcement actions against popular targets, while neglecting more systemic but less visible harms. Worse, the so-called “revolving door” of employees leaving government service for industry and vice versa creates incentives to avoid taking action against firms where one hopes to land a job.²⁴⁵

A particularly vivid example is the U.S. Food and Drug Administration (FDA). The FDA is widely regarded as extraordinarily stringent in approving new drugs.²⁴⁶ This strictness is not necessarily a reflection of superior risk assessment, but could instead reflect asymmetrical reputational incentives.²⁴⁷ If the FDA approves a drug that later proves harmful, the agency is publicly blamed and its credibility damaged. But if the FDA delays or denies approval of a beneficial drug, the costs—measured in lost lives or prolonged suffering—are diffuse and largely invisible. Those denied a treatment they never received cannot be counted. The agency’s staff face little reputational or career risk from excessive caution, but considerable risk from a visible mistake. As a result, regulators often favor caution even where it may harm the public more than it protects them.

Principal-agent dynamics ensure that such preferences will not always align with public interest. Sometimes, agency staff may be too cautious; sometimes, too aggressive. But they will not be neutral. That reality stands in contrast to the nirvana ideal often implicitly assumed by proponents of new tech regulation. When considering new laws to govern emergent technologies, it is not enough to ask what an ideal enforcement regime would do. One must ask who will do the enforcing, under what incentives, and with what information. Bias and misalignment are not unfortunate exceptions. They are features of real institutions. And any serious regulatory proposal must reckon with them.

3. Case Study: The Computer Fraud and Abuse Act

The Computer Fraud and Abuse Act (CFAA)²⁴⁸ stands as a cautionary example of what can go wrong when lawmakers respond to technological change with sweeping legislation. Enacted in 1986, the statute was originally conceived to address a narrow and novel threat: the rise of computer hacking.²⁴⁹ But over time, its ambiguous language and expanding reach allowed prosecutors and civil litigants to repurpose the law in ways far removed from its original aim.²⁵⁰ Only recently have courts restored a more limited interpretation to the Act.

Congress enacted the CFAA in 1986 as an amendment to earlier computer crime legislation in the Comprehensive Crime Control Act of 1984.²⁵¹ The 1986 Act was designed to target “the technologically sophisticated criminal who breaks into computerized data files,”²⁵² an archetype that would have brought to mind Cold War fears of Soviet espionage and sabotage. At the time, computers were unfamiliar and symbolically powerful. To access them without permission was to trespass on sensitive government or financial networks. The CFAA therefore criminalized “unauthorized access” to systems “operated for or on behalf of the Government of the United States”²⁵³ and prohibited users from “exceeding authorized access” to obtain data from such systems.²⁵⁴

But the statute’s limited scope did not last. In 1996, the Economic Espionage Act²⁵⁵ dramatically expanded the CFAA’s reach by extending its coverage to any “protected computer,”²⁵⁶ defined broadly to include any device used in or affecting interstate or foreign commerce—essentially any internet-connected machine.²⁵⁷ That same amendment also added to the CFAA’s criminal liability provisions a private right of action, meaning that any person who “intentionally accesses a computer without authorization or exceeds authorized access” could now be subject not only to imprisonment for up to ten years,²⁵⁸ but also to civil liability for any “damage or loss” caused.²⁵⁹ As amended, the CFAA in effect created a federal trespass to chattel action for unauthorized access to any internet-connected data or computer system.²⁶⁰

Since the amendment, the legal architecture of the CFAA has remained the same, but society has continued to change around it. By the late 1990s, and certainly by the early 2000s, computers were no longer the province of elite operators, government contractors, or Cold War spies. They were in every office, on every desk, and, with the advent of smartphones, in every pocket. Employees used them routinely to send emails, check calendars, and access company files. Being the property of corporate employers, and not the employees themselves, employees’ access to and use of those systems was often subject to usage policies, employment contracts, or terms-of-service agreements.²⁶¹ The problem was that the CFAA’s language, under which “exceed[ing] authorized access” constitutes a violation,²⁶² could plausibly be read to criminalize and create civil liability for deviation from employer usage policies. An employee might violate the CFAA by something as simple as checking her email or logging into a social media account from her workplace computer.²⁶³ Ordinary workplace conduct became grounds for civil or even criminal liability.

The CFAA’s breadth created two distinct problems when applied to modern society in which computers are such commonplace tools.²⁶⁴ First, the CFAA became a favored claim for private litigants to pursue business and workplace disputes under a federal anti-hacking statute designed for a different era.²⁶⁵ Second, the statute handed prosecutors expansive discretion. With broad statutory language regarding unauthorized access, and computer systems now a ubiquitous technology, nearly any undesirable conduct involving computers could plausibly be framed as a CFAA violation.²⁶⁶ This allowed enforcers to selectively invoke the statute against disfavored individuals and to attach significant criminal penalties to otherwise routine matters.²⁶⁷

The issue simmered for decades in the lower courts until, in 2021, the Supreme Court addressed the CFAA for the first time in Van Buren v. United States.²⁶⁸ In that case, the defendant, a police officer, had accessed a license plate database for personal reasons in violation of his department’s policy.²⁶⁹ He had permission from the department to access the system, but only when used for legitimate purposes.²⁷⁰ The government argued that although he was authorized to use the database, he had violated the CFAA by using the database in a manner contrary to his department’s policy.²⁷¹ A divided Supreme Court disagreed.²⁷² The Court held that a person “exceeds authorized access” only by accessing information that she is not entitled to obtain, not when using accessible information for an improper purpose.²⁷³

In support of its conclusion, the Van Buren Court emphasized that the government’s interpretation would “criminalize everything from embellishing an online-dating profile to using a pseudonym on Facebook,” all based on breaches of terms of use.²⁷⁴ That result, it concluded,²⁷⁵ would render the CFAA dangerously vague and overbroad—precisely the concerns that had animated academic and judicial criticism for years.²⁷⁶

Yet the case was not an easy decision. The basic question had split the federal circuit courts for decades²⁷⁷ and ultimately divided the Van Buren Court 6-3.²⁷⁸ The majority was partly seeking to avoid criminalizing such a broad swath of ordinary computer activity,²⁷⁹ and the dissenting Justices were concerned that by contemplating the CFAA’s consequences as applied to modern society’s routine computer usage, the majority improperly assumed that a Cold War-era Congress of the 1980s was aware of how computers would be used in 2021.²⁸⁰ The case thus illustrates another difficulty of lawmaking in the face of technological change: even a well-intentioned law designed to combat what at the time was a narrow problem may come to (poorly) govern a much broader range of human conduct than was ever intended as society’s use of that technology shifts.

E. Ossification and Technological Change

Legal ossification poses still another problem to lawmakers in an age of technological change. As discussed in the prior section,²⁸¹ even narrow, well-intentioned laws can outlive their usefulness and come to distort entire domains of conduct if the role the governed technology plays in society changes over time. That is a type of legal ossification, but the problem goes beyond merely allowing outdated rules to persist. It may even prevent legal systems from accomplishing lawmaking in the first place. Put differently, the problem is not only that legislative and regulatory law may be slow to catch up, but also that it may be structurally incapable of doing so. This section discusses the problems that legal ossification poses in the context of rapidly changing technology, especially for laws structured as rules rather than standards.

1. The Pacing Problem of Innovation and Regulation

In administrative law, ossification refers to the increasing procedural and institutional rigidity that impedes the timely development of new law.²⁸² As Thomas McGarity described in his foundational account, the rulemaking process has become “increasingly rigid and burdensome,” weighed down by layers of analytical mandates, judicial doctrines, and internal agency review that frustrate efforts to regulate even modest issues.²⁸³ These constraints can transform a process once envisioned as nimble and participatory into one marked by delay, overcautious drafting, and institutional inertia. The dominant view among administrative law scholars is that these delays are not incidental, but structural, and symptomatic of a process that has become “so heavily laden with additional procedures, analytical requirements, and external review mechanisms”²⁸⁴ that its comparative advantage over case-by-case adjudication has eroded.²⁸⁵ Even routine agency rules now require substantial time and legal resources, as officials prepare not only for public comment but for inevitable legal challenges from courts, overseers, and stakeholders alike.²⁸⁶

The causes of ossification are many. The cumulative layering of analytical mandates, cost-benefit requirements, environmental assessments, and executive oversight has made informal rulemaking functionally indistinct from formal adjudication in its complexity. Agency lawyers, operating in what Thomas McGarity has called the “team model,” play a central role in this process by working to ensure that proposed rules are not just substantively defensible but procedurally impeccable.²⁸⁷ In this context, lawyers are empowered to “veto aspects of proposed rules that they find to be unlawful” or even to reshape them “to fit their own policy preferences or what they deem to be the policy preferences of the reviewing judges.”²⁸⁸ The result is often paralysis by anticipation—rules written not just for public comment but for imagined litigation.

This phenomenon is troubling enough in stable domains. In dynamic domains, such as AI, digital commerce, or cybersecurity, it is catastrophic. In these contexts, technology changes not just the application of the law but the very contours of the problem to which law might respond. A regulation that was narrowly tailored to one form of digital deception, for example, may be useless or even counterproductive by the time it takes effect.²⁸⁹ Moreover, each law passed to curb some new undesirable practice may foreclose entirely different innovations before they are even born.²⁹⁰ The result is a legal landscape simultaneously rigid and misaligned—incapable of regulating the present and incapable of anticipating the future. Technological change thus exacerbates ossification’s most damaging effects. The problem is not merely that rulemaking is slow, but that it assumes a world that no longer exists by the time the rule arrives. The gap is visible in fields as diverse as biotechnology and copyright law. In biotechnology, legislative responses have struggled to keep pace with rapid technological advances in DNA processing capacity, leaving regulators either to apply outdated statutes or to improvise through guidance documents.²⁹¹ In copyright, Congress’s attempt at technology-neutral drafting in the 1976 Act was undermined as new communications technologies such as home video recorders and digital streaming produced disputes unforeseen by lawmakers.²⁹² This general obstacle to lawmaking is known as the “pacing problem,” in which law’s slowness collides with the velocity of innovation.²⁹³ The resulting bind is that lawmakers are forced to choose between “reckless action (regulation without sufficient facts)” or “paralysis (doing nothing at all).”²⁹⁴

2. Rules and Standards in Technology Regulation

Ossification is especially problematic when lawmakers adopt rule-based rather than standard-based statutes and regulations.²⁹⁵ Rules employ a highly definite test of applicability. Determining whether a rule applies requires resolution only of simple questions of fact²⁹⁶—for example, whether a defendant used a specified prohibited technology or dataset when evaluating applications for credit or home loans.²⁹⁷ Definite rules of this sort are often preferable to flexible standards because they make it possible for regulated parties to organize their affairs with greater certainty and at lower cost.²⁹⁸ For example, most drivers prefer posted speed limits to a prohibition on driving at an “unreasonable rate of speed.”²⁹⁹ Yet rules, as Louis Kaplow famously explains, “are more costly than standards to promulgate because rules involve advance determinations of the law’s content, whereas standards are more costly for legal advisors to predict or enforcement authorities to apply because they require later determinations of the law’s content.”³⁰⁰ Rules’ ex ante clarity is thus their greatest strength, but it becomes a liability in contexts of rapid change, where the costliness of the rulemaking process inhibits adaptation.

Standards, by contrast, delay specificity. They articulate general principles (for example, reasonableness, good faith, or fairness) and leave their application to future decisionmakers who can consider the facts as they unfold.³⁰¹ This design makes standards better suited for environments of uncertainty, where context matters more than categorical prediction. In practice, this means that when the facts change faster than Congress or agencies can react, courts interpreting broadly worded statutes or common-law doctrines will typically prove more responsive than legislatures.³⁰²

* * *

This Part has detailed multiple pathologies³⁰³ that afflict statutory and regulatory lawmaking. The point of doing so is not to condemn positive lawmaking or legal change, both of which are necessary parts of our legal system, but to explain why the common law and similarly broad “common law statutes” are often better positioned to respond to technological change than are more particular enactments.

Legislators may feel compelled to “do something” to confront each new abuse of technology. Yet in doing so, they do not make the mistake merely of repetition—of “double banning” practices already prohibited by general law. The point of this Part has been to show how, by enacting law specific to new technologies, legislators are also likely to do positive harm. By even attempting prophylactically to prohibit or limit the use of certain technologies, lawmakers, who are necessarily acting on incomplete information, may succumb to regulatory capture, introduce opportunities for biased and self-serving enforcement by agency bureaucrats, and hinder the development of innovative technologies, all in pursuit of a nirvana that cannot exist.

V. Conclusion: Directions for a Law-Proof Future

The human impulse to legislate in response to technological change is entirely natural, but it is very often misguided. Through the lenses of history, economics, and political science, this Article has urged that the default response to innovation—new statutes, new agencies, and new prohibitions of limitless variety—should be resisted, not merely out of caution but out of principle. The history of technological progress is not a record of disasters narrowly averted by preemptive legislation. It is, instead, a chronicle of steady social change and legal adaptation—often slowly, sometimes in spurts, but effective. The challenge for lawmakers is to channel that adaptive capacity without undermining it in the name of precise control or Pyrrhic political victories. This Article thus concludes by stepping beyond critique to offer some direction for a law-proofed future. If particularized lawmaking is doomed to failure, how then should emerging technology be governed? Four principles offer a starting point.

Default to Generality—First, even in the highest of high-tech industries, lawmakers should default to generality. The genius of the common law lies in its resistance to specificity. Property, tort, and contract are not obsolete doctrines awaiting replacement by algorithmically applied chapters and subchapters of the U.S. Code. They are simple frameworks, yet capacious enough to accommodate all manner of change because they are designed around relationships, not technologies.

The desire for granularity—fresh statutes for social media, generative AI, and targeted advertising—is understandable but misplaced. The law can best provide stability, certainty, and fairness only if it is allowed to apply generally, to all persons, in all contexts,³⁰⁴ not piecemeal according to who can exert the greatest sway among lawmakers.³⁰⁵ This is not a defense of the status quo for its own sake. It is a recognition that specificity and durability are in balance. To hard code today’s concerns into tomorrow’s legal environment is to invite obsolescence and inflexibility at scale.

In a dynamic world, general rules endure. To allow them to operate, we must resist the allure of bespoke laws tailored to current technologies.³⁰⁶ If a new tool causes harm, the question is not “What new law shall we make?” but “What general principles apply here?” Often, the right answer will be found not in congressional novelty but in common-law continuity.

Institutional Humility—A second key principle is institutional humility—a recognition that legislatures, regulators, and experts alike operate under conditions of radical epistemic constraint. We do not know the full effects of new technologies. But more importantly, we cannot know them in advance. The knowledge problem, as articulated by Friedrick Hayek, is not merely about access to facts. It is about the structure of knowledge itself—dispersed, tacit, contextual, and emergent.³⁰⁷

Our lack of knowledge calls for restraint. The public law of the future must respect its own cognitive limits. When regulators act as if they can anticipate downstream consequences, they risk freezing innovation based on upstream fears. The history of moral panics around media technologies—printing, novels, radio, comic books, television, and social media—demonstrates a pattern of fear and a recurring failure of foresight.³⁰⁸ Policymakers imagined catastrophe; what followed was adaptation and social betterment not because of, but in spite of, their actions.³⁰⁹

Institutional humility requires understanding that attempts to engineer outcomes through top-down legislation often fail, not because legislators’ intentions are bad, but because the available information is insufficient. It requires recognizing that the costs of mistaken precaution can outweigh the risks of cautious permission.

Let Courts Do Their Work—Third, the legal system must be allowed the space and time to adapt to change incrementally, via the adaptive mechanism it already contains—the judiciary. Courts, which resolve actual disputes with known facts between opposing parties, each of whom has an interest in persuading the court of its position, are well-situated in contrast with forward-looking legislatures to gradually integrate new facts into existing law without reengineering the law’s fundamental architecture. They do so not by inventing new rules for each new technology, but by applying existing ones to novel contexts. The doctrines of trespass, negligence, products liability, fiduciary duty, misrepresentation, and fraudulent inducement of contract are not frozen. They are frameworks designed to accommodate change and all manner of social wrongs, both those known and those still unknown.

Richard Epstein has called this the “static conception” of the common law, and he is right to emphasize the law’s continuity both as a descriptive and prescriptive matter.³¹⁰ But the term can also be misleading. Static does not mean stagnant. It means stable enough to allow society to change without requiring the law to constantly remake itself.³¹¹ It is the legislature more often than the judiciary that imagines that each new tool demands a new rule. Indeed, the power of the judiciary lies precisely in its capacity to adjudicate the unknown without attempting to control it. Litigation is retrospective, fact-sensitive, and limited in scope. Judicial decision-making, not prescriptive legislation, should be the leading tool of governance in a world of experimentation.

Let Innovation Proceed by Default—Finally, we should resist the increasingly common view that innovation must earn its legality in advance. The better default is the opposite: that innovation proceeds unless and until it demonstrably causes harm. This is the foundational premise of what Adam Thierer has dubbed “permissionless innovation.”³¹² It is not an anti-law posture; it is a jurisprudential allocation of burdens. It says that new ideas and new technologies are presumptively allowed, that is, that the legal system will respond to real injuries when they occur but will not presume them into existence beforehand.

The permissionless approach does not imply regulatory abdication. It implies sequence. It allows society to discover the benefits of experimentation before moving to restrict it. The alternative is to require innovators to secure ex ante approval—a process that will inevitably entrench incumbents, delay entry, and suppress small-scale experimentation. This posture is especially important because the benefits of innovation are usually unorganized, distributed, and slow to surface, while the risks are often immediate, visible, and exaggerated. As Thierer has emphasized, the cost of regulatory precaution is not just foregone efficiency. It is also lost possibility.³¹³ “When public policy is shaped by precautionary principle reasoning,” he writes, “it poses a serious threat to technological progress, economic entrepreneurialism, social adaptation, and long-run prosperity.”³¹⁴

The lesson is not that innovation should go unregulated. It is that legal restrictions should follow innovation, not precede it. If injury occurs, the law can respond through remedies—through tort, through contract, through consumer protection, or through public enforcement. But those responses should come after the harm, not before the idea. The case for permissionless innovation is not that technology will never produce harm. It is that human judgment—legal, ethical, commercial, and social—is more effectively exercised once the shape of the problem is known. Governing the unknown through preemptive statutes requires speculative fear, and speculative fear is a poor substitute for reasoned response. The general rule should be simple: innovation is allowed. If some new technology violates a duty, deceives a consumer, invades a right, or causes some other compensable harm, the law will hold the innovator accountable. But the law should not require permission in advance.

* * *

Innovation, then, need not be lawless, and the law need not be hostile to innovation. A system committed to both liberty and progress must place its trust not in anticipatory design, but in adaptive response to human innovation. This is the genius of general law: it allows society to experiment boldly while preserving the stable principles needed to resolve conflict and protect rights. Our task is not to anticipate the future by code or statute, but to preserve the conditions under which law and society can meet that future—one case, one controversy, and one insight at a time, building over years a body of rules that is both durable and capable of growth. In that way, the law remains a steady companion to change rather than a brittle obstacle to it.

[*] Assistant Professor of Law and, by courtesy, Computer Science, University of Nebraska; Nonresident Fellow, Stanford Law School, Program in Law, Science & Technology; Murry & Polly Bowden Nonresident Fellow, University of Texas at Austin School of Law, Bech-Loughlin First Amendment Center; J.D., Harvard Law School. This Article expands on remarks prepared for the Regulation of Algorithms discussion at the 2025 AALS Annual Meeting on January 10, 2025, in San Francisco, California. Thanks for their comments to Dhruva Krishna, Christina Mulligan, Saurabh Vishnubhakat, Eugene Volokh and participants of the Central States Law Schools Association (CSLSA) Conference and the International Center for Law & Economics (ICLE) Law & Economics Fellows Meeting in October 2025. Thanks also to Linnea Jorgenson and Hannah-Kate Kinney for their research assistance.

View PDF Version