Rocky Mountain High: Colorado’s AI Act and Hallucinating about Open-Source

-- By MichaelMacKay - 25 Oct 2024

Fool’s Gold

The first state to regulate recreational dispensaries is the first to dispense with unregulated AI. Commentators like EFF have called Colorado’s Artificial Intelligence Act (CAIA), enacted last summer, “comprehensive,” but Colorado’s law merely resembles the European Union’s AI Act. “The Revolution permanently put the major models of European governance off the table,” but apparently, Denver took too little from Brussels and put too much out of reach of the state. “Today, most commercial software includes open source components,”[1] and last year, researchers at Harvard Business School estimated that open-source software (OSS) produced at least $4.5T in economic value. Now, with DeepSeek? , it is more doubtful than ever that developing “high-risk AI” requires proprietary ownership, so the CAIA's omission of OSS is an open wound that should be patched before the law's effective date, February 6, 2026.

Open-source Opening

When DeepSeek? was released, U.S. stocks lost $1T in value, as Nvidia was chastened by news that its chips might not be as necessary for cutting-edge AI. Compared to OpenAI? ’s leading model, O1, DeepSeek? performed at least as well for relatively negligible overhead costs. As for the CAIA then, the arrival of DeepSeek? was not so much a “sputnik” moment as much as another lesson from recent history. In 1979, Oracle released its first commercial relational database management system, called “Oracle Version 2,” and in 1996, researchers from Berkeley launched PostgreSQL, a much-beloved OSS alternative. Today, some industry studies indicate the latter has more market share than Oracle’s current suite. Even AlphaFold 3 (behind the 2024 Nobel Prize in Chemistry) is OSS, and where replicability issues in the sciences abound, OSS virtually sits in a state of truth. Thus, Denver should acknowledge how the collaborative conditions of free software enable superior code.

Brussels' Boilerplate

Embracing Article 12(1) of the EU AI Act (“High-risk AI systems shall technically allow for the automatic recording of events (logs) over the lifetime of the system.”), Denver monitors the same range of “high-risk” activities outsourced to AI (e.g. deciding whom to hire, whom to give a home loan, etc.), but a wide chasm exists between the EU and Colorado per the CAIA's Section 1 (“Definitions”):

(7) "DEVELOPER" MEANS A PERSON DOING BUSINESS IN THIS STATE THAT DEVELOPS OR INTENTIONALLY AND SUBSTANTIALLY MODIFIES AN ARTIFICIAL INTELLIGENCE SYSTEM.

By contrast, the EU AI Act's Article 3 says:

(3) ‘provider’ means a natural or legal person, public authority, agency or other body that develops an AI system or a general-purpose AI model or that has an AI system or a general-purpose AI model developed and places it on the market or puts the AI system into service under its own name or trademark, whether for payment or free of charge [emphasis];[2]

Put differently, the CAIA does not countenance OSS. Typically, OSS is provided as-is for free with broad disclaimers against warranty, indemnity, or other liability, but where DeepSeek? is offered on an MIT license, there is also another issue. Specifically, Apache, BSD, and MIT licenses do not require the disclosure of source code—unlike GNU or Mozilla—so the fact that DeepSeek? ’s GitHub? repo reveals some source code is not required. Nevertheless, Colorado's AG can promulgate rules around proper licensing without further changing Europe's framework,[3] which should be adopted:

(7) "DEVELOPER" MEANS A PERSON DOING BUSINESS IN THIS STATE, whether for payment or free of charge..."

California Dreaming

Alternatively, Denver can regulate AI indirectly by looking to the California Privacy Rights Act (CPRA), but such a roundabout solution is arguably unwise. CPRA, which changed California’s CCPA in 2023, identified “automated decision-making” by AI, as a liability borne by the business. But CPRA only required compliance from businesses earning $25 million in annual gross revenue, betraying how dimly OSS must have been viewed by the state.[4] Of course, the CCPA is more robust than the CPA. For instance, if Wells Fargo were to use AI in mortgage servicing, it could still be found liable under California’s GLBA data-only exemption, whereas Colorado would exempt the bank at the GLBA entity-level.[5] Still, as a matter of public policy, Sacramento's for-profit focus probably does not warrant imitation, especially as bots' imitations are likely more pervasive when available for free (n.b. the commercial success of RedHat? ).

Up the Mountain

Ultimately, the current White House may view regulation skeptically, but Denver's proponents of AI reform should probably reconsider the CAIA's continental drift. EU member states are not disinterested actors—just swipe off the tram in Amsterdam! But by gathering and analyzing all relevant source code from any relevant "developer" (or "provider" per the EU), Colorado will at least ensure that what it has borrowed from Europe works (e.g. per 6-1-1703 of the CAIA, compliance for a "deployer" depends on cooperation from a "developer"). Surely, other issues remain relevant, particularly how the CAIA confers a rebuttable presumption of reasonable care where a "deployer" follows frameworks like ISO/IEC 42001 or NIST's AI Risk Management Framework that OSS projects may struggle to implement. Yet, absent federal legislation, this first salvo from the states will shape the national conversation as a whole, as evidenced by Texas imitating Colorado. However, so long as the CAIA fails to acknowledge that "open source is eating software faster than software is eating the world,” legislators will probably just see friends around the campfire and everybody’s high...

Endnotes:

  1. David Tollen, The Tech Contracts Handbook, Appendix 2 (ABA Publishing, 2021).
  2. See also, “(10) ‘making available on the market’ means the supply of an AI system or a general-purpose AI model... whether in return for payment or free of charge;”
  3. As Colorado's AG is empowered under the CAIA to issue rules for enforcement, Denver could also say which licenses satisfy required disclosure (e.g. CDDL, EPL, GPL, MPL, etc.).
  4. DeepSeek? was recently the most downloaded free app on Apple's App Store and Google Play.
  5. Only 20 states have data privacy policies: thirteen exempt Gramm-Leach-Bliley Act entities and data; four, GLBA entities only; and three, just GLBA data.

You are entitled to restrict access to your paper if you want to. But we all derive immense benefit from reading one another's work, and I hope you won't feel the need unless the subject matter is personal and its disclosure would be harmful or undesirable. To restrict access to your paper simply delete the "#" character on the next two lines:

Note: TWiki has strict formatting rules for preference declarations. Make sure you preserve the three spaces, asterisk, and extra space at the beginning of these lines. If you wish to give access to any other users simply add them to the comma separated ALLOWTOPICVIEW list.