November 20, 2016

Law’s Great Leap Forward: How Law Found a Way to Keep Pace with Disruptive Technological Change

Randolph Kahn


The 21st century has been filled with a seemingly endless parade of disruptive technologies and emerging industries. Predicting how the law can and will respond is often speculative, to the detriment of clients and lawyers. When technological change limps slowly forward in a predictable manner, it is easier to anticipate how the law will react. When technological change leaps ahead, however, how will the law keep pace without being too reactive and/or restrictive? Until recently, it appeared as though the law was always playing catch-up, but this situation appears to be declining. The law in the United States is undergoing a transformation—one that will not inhibit the tail wagging the commerce dog into submission. These new legal paradigms offer a path toward technological adoption that augments society’s constantly morphing business landscape.

This article examines three current legal methods for dealing with modern technological innovation. Part I discusses how lawmakers have attempted to make new technology fit within a preexisting legal framework. Part II discusses how lawmakers have attempted to eliminate the need to continuously alter laws in the face of technological innovations through the use of “technologically neutral laws.” Finally, Part III examines how lawmakers have codified and planned for evolving the law as technologies mature by mandating the review and update of the regulation or law over time. Although admittedly there is no single skeleton key that will ensure the law keeps pace with modern technological changes, the three legal frameworks discussed in this article reveal how the law has begun to adapt to various types of disruptive technological change.

Part I: Borrowing from Existing Laws and Rounding Edges to Make New Technology Fit

One legal approach to dealing with new technologies is to make the existing legal frameworks work, even when new technologies are “disruptive” and do not fit neatly into old legal paradigms. Here, the laws of cyber warfare provide insight. Cyber warfare involves the use of technology by military personnel or other organizations to attack an adversary’s information, technology infrastructure, or systems for the organization’s advantage. The novelty and capability of emerging cyber warfare tools would seem to challenge the existing legal landscape pertaining, for instance, to an act of “aggression” under United Nations standards. In that regard, on May 9, 2016, U.S. Senator Mike Rounds introduced the Cyber Act of War Act of 2016, which seeks “[t]o require the President to develop a policy for determining when an action carried out in cyberspace constitutes an act of war against the United States, and for other purposes.”

Although there is a previously established 1,200-page Department of Defense Law of War Manual that deals with just about every conceivable war-related topic, it does not completely address the complex and nuanced issues around cyber warfare. What happens when a situation occurs that is not properly addressed within the manual?

For example, not long ago it was reported that someone hacked into the U.S. Office of Personnel Management and absconded with millions of records containing the identities of current and former U.S. government employees, including “secret” personnel. Reports made various claims about the perpetrator(s). A US News article by Tom Risen reported that, “[w]hat may be the largest breach of federal government data in history appears to have originated in China, according to reports citing US officials investigating the theft of employee records that affected up to 4 million current and former government workers.”

Before the United States can take action in response to the assault on its IT infrastructure, it must determine who the perpetrator was with some degree of certainty to validate the identity of the offender and satisfy national and international rules of engagement. Unlike kinetic warfare, however, knowing exactly who took action is not so simple. In cyber war, physical rockets are not being launched from a foreign nation, nor is anyone leaving any other visible “calling card” indicating who the aggressor is. To connect the Chinese cyber military unit with the theft of the personnel records likely will require sophisticated decoding and other computer sleuthing techniques. Understanding who, what, and why in the cyber warfare context usually is unclear on the face of the cyber action. Perhaps a more basic question is whether U.S. law or other international legal frameworks are sufficient and flexible enough to deal with cyber acts such as these? Answers to these increasingly complex questions will substantially impact if, how, and to whom the United States responds.

Although Senator Rounds and others take the perspective that existing U.S. laws are insufficient to deal with cyber warfare, global legal experts have attempted to make existing International Law fit in the context of cyber warfare. This work has culminated in the Tallinn Manual on the International Law Applicable to Cyber Warfare, written at the invitation of the NATO Cooperative Cyber Defense Centre of Excellence. After three years, the Tallinn Manual, an over 300-page tome, begins with a set of existing legal norms and principals and then applies these principles to cyber warfare. Tallinn 2.0, published in late 2016, is the next iteration. Both Tallinn Manuals make existing law answer the complex questions raised by a type of aggression that was not contemplated prior to the inception of the laws that provide the legal framework. Should such a method be the U.S. approach when addressing very real and dangerous threats to national security?

If the issues presented by new technologies (e.g., anonymity in the realm of cyber warfare) are not addressed in the preexisting legal framework, then attempting to make the old laws work may be more problematic than writing new ones. Additionally, such a method appears to continue the legal trend of “catching up” to technological changes. Finally, predictability of future legal changes is difficult, assuming technology is innovative to the point where the similarities of X, an act that falls under the preexisting legal framework, is discernably different than Y, an act that may or may not be perceived as falling within the preexisting legal framework. Thus, although borrowing from existing laws may work on some level and in some industries, it is a flawed solution to many 21st century technological advancements.

Part II: The Foresight of Technologically Neutral Laws

If one recent evolutionary change to U.S. law were responsible for improving predictability of law for new technologies, it would be the inception and implementation of “technologically neutral” laws. Laws that are technologically neutral do not stipulate the use of a particular technology, but rather prescribe the legal end-state and leave the technological method of reaching the legal end-state to the individuals and organizations involved. Such an approach assumes, of course, that there is more than one way to attain legal compliance. Some options to satisfy a given legal requirement may be more expensive, more labor intensive, or more dangerous, but in the end the consequences from the technological decision will inure to the decision-making parties. In some respects, the technologically neutral framework is the equivalent of the free market applied to the legal landscape. That said, although portions of the U.S. legal framework have evolved to become more technologically neutral, other jurisdictions take a more prescriptive legal approach when dealing with technology.

The American trend toward technologically neutral laws began with the passage of the Electronic Signatures in Global and National Commerce Act (ESIGN) in 2000. Although signatures and records have been necessary ingredients to business transactions for millennia, technological advancements in the past couple decades have dramatically changed the way business is transacted, especially in the digital domain. The way contracts are executed and ascent is manifested in the electronic context is obviously far from the manual wet signature and paper contracts of the past, and it was necessary to ensure that business would not be halted due to the lack of physical signatures or records. ESIGN is responsible for creating legal parity between electronic signatures/records and their paper counterparts.

Under ESIGN, an electronic signature is any “electronic sound, symbol or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record.” Such a definition allows for the use of typed names, digital signatures, clicking an “I agree” button, and using biometric processes, among other equivalent acts that can constitute a legally valid signature. In essence, the language of the law allows for the use of all kinds of new technologies or processes that satisfies the legal definition of “signature.” Some signatures are more secure, and others want for integrity, but that is the point of technological neutrality—the decision is left with the parties involved. Users are in the best position to choose the method that best protects their interests in a given transaction.

Without ESIGN, Internet transactions of all shapes and sizes would lack legal validity. Such a failure to rewrite a law as simple as what constitutes a “signature” would have substantially stymied e-business. ESIGN and its technological neutrality allows businesses to decide just what type of legal evidence they want to maintain for a given transaction without the government dictating the use of specific technology. Such an approach is logical as today’s state-of-the-art technology is tomorrow’s digital fossil. ESIGN is built with technological change in mind and leaves the flexibility for compliance in the hands of its users.

Although ESIGN exemplifies just how valuable technologically neutral laws can be for businesses, laws that are technologically neutral are, by necessity, open to interpretation. This in turn leads to questions regarding the validity of interpretation and intervention between the government and private entities. One recent debate that showcases this inherent conflict is the issue of how states and the federal government should deal with the use of strong encryption by cell phone manufacturers. The recent terror attack in San Bernardino and the government’s desire to investigate the contents of the killer’s cell phone alerted countless individuals to the implications that arise from judicial and statutory construction and interpretation based on a specific event. Whether a court may compel the creation of new software to circumvent a cell phone’s original encryption, whether encryption should be federally regulated, or whether technology companies should be required to install an encryption backdoor for law enforcement purposes are all specific legal questions that inherently conflict with the private sector’s desire to limit the government’s involvement in business decisions.

Nonetheless, over the past several years many laws and regulations that advance the idea of technological neutrality have and continue to be passed. Recently, the Burr-Feinstein Encryption Bill provides that “nothing in this Act may be construed to authorize any government officer to require or prohibit any specific design or operating system to be adopted by any covered entity.” Additionally, the bill does not prohibit encryption but merely requires that covered entities “are responsible only for the information or data that they (or another party on their behalf) have made unintelligible.”

Technologically neutral laws are favorable for businesses because the laws provide them with greater autonomy and legal predictability in the face of technological change. The success of such laws, however, depends on an upfront, in-depth evaluation of future advances in technology to ensure such technologies will satisfy the underlying laws. This means that business professionals who rely on technology professionals to make technology decisions will now have to also rely on legal professionals to assess how a particular law will be satisfied by a particular technology.

Part III: Building Future Changes in Technology into the Language of the Law

The previous section showed that one method of addressing rapid technological changes is by writing laws that are accommodating in the ways in which one can comply. Another innovative way that the law is changing is to allow an otherwise prescriptive legal framework to be more accommodating by building iteration and/or evolution into the language of the law. The Federal Aviation Administration’s (FAA) current regulation of drone use is one novel example of such a legal accommodation.

There are many markets and industries that would benefit from the use of drones; whether surveying storm damage for an insurer or delivering a package to an online purchaser, drones hold great promise for current and future businesses. However, there are numerous issues, such as public safety, privacy, the impact on navigable airspace, etc., that impact their commercial use.

Given that the FAA is responsible for aggressively regulating “navigable airspace” and manned flight above 500 feet, one would expect that the FAA would take a similar approach with drones. Instead, as discussed below, Congress and the FAA have built a new and flexible approach to regulating drones that may reduce the law’s stigma as something that is reactive and an impediment to new technology implementation. In passing the FAA Modernization and Reform Act of 2012 (2012 Act), Congress and the FAA advanced a new approach to technological advances, and specifically drone technology, by drafting into the regulation that the regulator must review the regulation against the advancement of drone technology at specific points in time according to a schedule delineated within law.

For example, section 332 of the 2012 Act provides that government officials and industry representatives “shall develop a comprehensive plan to safely accelerate the integration of civil unmanned aircraft systems into the national airspace system.” Likewise, section 5 provides that “[n]ot later than 1 year after the date of enactment of [the 2012 Act], the Secretary shall approve and make available . . . a 5-year roadmap for the introduction of civil unmanned aircraft systems into the national airspace system . . . .”

Rather than rushing to deny or even prescriptively manage the use of drones, the law provided built-in, time-sensitive mechanisms that ensured the legal framework’s evolution and review was both proactive and predictable. This deference thereby reduced the government’s obstruction to the rapid growth of the drone industry and any industries seeking to use drones in their business endeavors as drone technology becomes more advanced and presumably safer.

The deference present in the 2012 Act appeared to pay off earlier this year. On June 21, 2016, the FAA took another leap forward with the issuance of Part 107, which provides additional specific rules regarding small, unmanned aircraft use. The new rule is a major positive step toward the widespread commercial use of drones—in other words, another iterative step in the right direction. Although Part 107 provides certain definite restrictions, such as limiting the weight of commercial drones to 55 pounds, the time of drone flight to daytime, and the height of drone flights to 400 feet, the new rules are loosening the tethers in a nascent industry poised to, quite literally, take off. So while Amazon cannot deliver packages quite yet under this evolving regulatory regime, it is likely going to happen in the not too distant future.

On a broader level, such a forward-thinking construct bodes well for new technologies. If the government continues to fashion laws that provide deference for rapid technological changes, then later laws can better accommodate a more finalized technology, instead of early prototypes. Two similar “accommodating” approaches are currently playing out in the ride- and house-sharing industries of Uber and Airbnb.

On October 10, 2015, The Atlantic published an article by Brendan Sasso discussing the targeted regulation of Uber and Airbnb. The article references a speech at Fordham University Law School where FTC Chairwoman Edith Ramirez “warned that imposing ‘legacy regulations on new business models’ can stifle competition and ultimately leave consumers worse off . . . . Ramirez emphasized that “[w]e must allow competition and innovation in the form of these new peer-to-peer business models to flourish.” From the article, it is clear that the federal government recognizes the need to balance regulation with stymieing growth and stifling creativity.


Lawyers have long been accused of being impediments to change and technology laggards. Historically, regulations and laws have reacted and usually adapted, albeit slowly, to innovations and disruptive technologies. Given how fast and furious technological change is happening, however, new legal paradigms are evolving to meet and promote a new economy with innovations to drive change. There is no single solution ensuring that the law maintains pace with disruptive changes in technology. This article has shown, however, that a number of legal paradigms exist that may help to reduce the law’s burdening effect on growth and innovation in modern industries. From technologically neutral laws to statutory deference to legal evolution, technology may be better for and promoted by changes in the way the law deals with technology. What this change means for business could be profound, as the law may finally make way for change and not act to limit it. The more “user-friendly” approach to legal change in the face of technology also presents unique opportunities for the legal profession. Perhaps the profession is poised to shift its perceived role as an obstructionist to more of a strategic advisor and partner. For this to come to fruition, however, lawyers and lawmakers alike must evolve their own thinking about technological change.

Randolph Kahn

Randolph A. Kahn is a lawyer and advisor to global organizations on legal and governance issues related to information ( He teaches The Law of Electronic Information at Washington University School of Law in St. Louis and the Politics of Information at the University of Wisconsin-Madison. He is a two-time recipient of the Britt Literary Award and author of dozens of published works, including “Email Rules,” “Information Nation: Seven Keys to Information Management Compliance,” “Information Nation Warrior,” “Privacy Nation” and “Chucking Daisies.” Mr. Kahn has been an expert witness in major court cases on information-related issues.