Technology is never neutral. Depending on its use and context, every technology is capable of inflicting a variety of harms. At present, most laws and policies presume that technology is neutral and safe unless proven otherwise. Instead, policy interventions should presume harm and, in accordance with Principle 6 (below), compel caution. First and foremost, this means identifying and naming foreseeable risks and harms and anticipating unforeseeable ones. This also means placing the burden of proof on the owner, operator, or proponent of a technology to prove the absence, or effective mitigation, of specific kinds of risks and harms. Further, it may require imposing specific disclosure requirements about the risks and harms of a technology or practice, both to consumers (through warning labels or certification schemes) and to regulators (through certified corporate statements and mandatory reporting requirements).
- Data security proposals that only focus on ex-post breach notification miss the mark. A better proposal that presumes harm would impose ex-ante data security-related corporate disclosure requirements on tech companies, with potential criminal penalties for executives who falsify such disclosures (along the lines of the corporate fraud disclosures imposed by the Sarbanes-Oxley Act). Recognizing that all data-related activities present risks and have the potential to be harmful to consumers, the burden should be on companies to disclose these risks in advance and internalize the harms.