On geofencing at Polymarket

Last week prediction/betting platform Polymarket was in the news for a Justice Department raid, arising out of Polymarket allegedly accepting trades from US-based traders.  Suppose we stipulate that Polymarket betting is illegal for US users, and Polymarket must keep US users out, to the very best of its ability, to avoid liability under US law.  How exactly would it do so?

This question is familiar for me because my first service as a litigation expert, in February 2000, covered a surprisingly similar subject.  There, Canadian video streamer iCraveTV wanted (or purported to want) its service to be available to Canadians but specifically not to Americans.  I say “purported” because iCraveTV didn’t try very hard, and Americans could access the video easily — as I showed in two declarations as well as oral testimony.  In a 2001 regulatory comment, I pointed out that when there’s something valuable on the Internet that motivated users want to access, users have multiple methods to get the desired access.  My bottom line was if some body of material is so sensitive that a significant country rightly and properly disallows it, by far the easiest approach is to keep that content off the Internet altogether — as, to be sure, an injunction did to iCraveTV.

For Polymarket, the situation is somewhat different.  It seems many people agree that Polymarket is properly allowed in other countries, yet properly disallowed in the US. Fine: reasonable people, and reasonable countries, can disagree.  So, the engineering requirement is a system that robustly separates US users from international users — a geofence.  Importantly, the geofence must be strong enough that even motivated US users can’t climb over.  “Bob the Builder” fans, rejoice: Can we build it?  Yes we can!

Here’s how I’d approach robust geofencing in a scenario like Polymarket, where users register and provide substantial information.

1. Block all users whose network connection indicates a location in the United States.  Check a user’s IP address via standard geolocation services.  Easy enough.

2. Block users based on their registered physical addresses.  In any registration form that requests a street address, or any correspondence or other procedure that requests a street address, a US address is a clear indication of a US affiliation.  Gold standard here is to check that the address is truthful — not just that it exists, but that a person can receive a one-time PIN sent by mail to this address.

3. Block users based on their phone number.  A US phone number similarly indicates a US affiliation.  Check that the user really has this number via a one-time PIN sent by voice or SMS.

4. Block users based on payment mechanisms linked to their account.  Some might expect all Polymarket users to pay with a privacy-protecting payment mechanism such as crypto.  But in fact Polymarket supports debit and credit cards as well as bank transfer.   A payment instrument associated with a US financial institution indicates a US affiliation.

5. Block users based on geolocation in a desktop web browser.  Web pages can request a user’s geolocation using the W3C geolocation API.  Most web browsers ask their users if they want to share location.  If a user does share, and if the location says US, proceed no further.  It may seem implausible that users would voluntarily disclose, but one mistaken click could reveal — and a diligent site should at least try.  Maybe a site should require a user to grant geolocation permission in order to proceed — everyone has to be somewhere, and Polymarket could demand that users reveal.  On this theory, a failed geolocation API request would itself prevent login.

6. Block users based on geolocation in a mobile app.  In a mobile app, it’s much easier to seek a user’s geolocation — a common permission that users are accustomed to granting.  It might seem illogical for a user on a desktop device to have to switch to mobile just to confirm geolocation, but many sites require a switch to mobile for some aspect of security such as a secure photo upload, so this isn’t out of the question.  As usual, users can override device geolocation, but this requires increasing technical skill.

7. Detect proxy servers and VPNs.  A savvy user can use a proxy sever or virtual private network to bounce traffic through a server in a different country, then browse “from” there, with the server relaying requests and responses back and forth.  At first this might seem unworkable for a service like Polymarket: How would they know which IP addresses are used by proxies and VPNs?  But actually they have multiple reasonable paths:

  • The natural starting point is to ask the largest proxy and VPN makers to share their lists of IP addresses.  They may refuse, but the mere act of asking shows an attempt.
  • Test the largest proxy networks and VPNs to find representative IP address ranges (or pay a specialist to do so).  Hands-on testing also creates an opportunity to check whether there’s something unusual about their traffic (such as reverse DNS or a distinctive protocol-level header) that actually gives them away.  (In my testing, this happens surprisingly often.)
  • Look for implausible patterns in user IP address logins.  If a user is purportedly in Frankfurt at 8:00 and Seoul at 8:30, maybe the user is actually in neither place — and is actually bouncing back and forth via proxy or VPN.
  • Use these learnings to find others.  If a user is logging in from an IP address widely used by other users who bounce back and forth, the user is probably on a proxy or VPN.

The logical final step is to require affirmative proof of nexus with a country where Polymarket’s service is lawful.  When creating an account with Wise, I was impressed by their multiple methods of verification — photo ID, proof address, even uploading a picture showing face and ID together.  These must hinder users’ account creation — every step and every click cause users to drop off.  Despite that cost, such methods provide particularly strong proof of a user’s nationality.  And if Wise can do it in their highly-regulated sector (money transmission), it’s hard to see why Polymarket should have lower standards.

I take no position on the wisdom of laws disallowing Polymarket and kin.  And reasonable people may disagree about which of the tactics above should be required — how much a site like Polymarket can be required to inconvenience some of its users, in order to keep US users out.  Fair questions!  But to the basic adversarial question, I answer decidedly in the affirmative: A motivated site operator can keep out most US users, and can make sure that even those who sneak through end up feeling uncomfortable.

A separate challenge is the prospect of a site going through the motions rather than making a good-faith effort (not to mention investing in genuine innovation in this area).  Certainly sites have every reason to tread lightly: Every user means growth, and every user contributes positive expected profit.  So turning away more users means correspondingly weaker economic results.  These factors create a direct economic incentive to look the other way.  Meanwhile, a high-functioning compliance team would need real resources including talented engineers and data scientists.  If I were evaluating whether a site truly did everything possible, I’d want to see real resources invested, multiple methods tried and compared, and multiple imperfect methods used in combination in order to increase overall effectiveness.

Multinationals in the Digital Economy

The Brookings Institution‘s Global Goliaths: Multinational Corporations in the 21st Century Economy includes my chapter Multinationals in the Digital Economy. The lead paragraph:

Modern digital services largely come from multinational corporations (MNCs) whose size and scope are unprecedented.  It has not always been this way.  Just a few decades ago, users typically turned to local firms for most kinds of information technology (IT).  And, historically, software was known for its low barriers to entry and the quick rise of startups and small firms.  This chapter examines the forces contributing to the rise of digital MNCs, as well as the challenges they face. 

An Introduction to the Competition Law and Economics of “Free” with Damien Geradin

Benjamin Edelman and Damien Geradin. An Introduction to the Competition Law and Economics of ‘Free’.  Antitrust Chronicle, Competition Policy International.  August 2018.

Many of the largest and most successful businesses today rely on providing services at no charge to at least a portion of their users. Consider companies as diverse as Dropbox, Facebook, Google, LinkedIn, The Guardian, Wikipedia, and the Yellow Pages.

For consumers, it is easy to celebrate free service. At least in the short term, free services are often high quality, and users find a zero price virtually irresistible.

But long-term assessments could differ, particularly if the free service reduces quality and consumer choice. In this short paper, we examine these concerns.  Some highlights:

First, “free” service tends to be free only in terms of currency.  Consumers typically pay in other ways, such as seeing advertising and providing data, though these payments tend to be more difficult to measure.

Second, free service sometimes exacerbates market concentration.  Most notably, free service impedes a natural strategy for entrants: offer a similar product or service at a lower price.  Entrants usually can’t pay users to accept their service.  (That would tend to attract undesirable users who might even discard the product without trying it.)  As a result, prices are stuck at zero, entry may be more difficult, effectively shielding incumbents from entry.

In this short paper, we examine the competition economics of “free” — how competition works in affected markets, what role competition policy might have and what approach it should take, and finally how competitors and prospective competitors can compete with “free.” Our bottom line: While free service has undeniable appeal for consumers, it can also impede competition, and especially entry. Competition authorities should be correspondingly attuned to allegations arising out of “free” service and should, at least, enforce existing doctrines strictly in affected markets.

From the Digital to the Physical: Federal Limitations on Regulating Online Marketplaces with Abbey Stemler

Edelman, Benjamin, and Abbey Stemler. “From the Digital to the Physical: Federal Limitations on Regulating Online Marketplaces.” Harvard Journal on Legislation, Volume 56, Number 1, pp. 141-198.

Abstract:

Online marketplaces have transformed how we shop, travel, and interact with the world. Yet, their unique innovations also present a panoply of challenges for communities and states. Surprisingly, federal laws are chief among those challenges despite the fact that online marketplaces facilitate transactions traditionally regulated at the local level. In this paper, we survey the federal laws that frame the situation, especially §230 of the Communications Decency Act (CDA), a 1996 law largely meant to protect online platforms from defamation lawsuits. The CDA has been stretched beyond recognition to prevent all manner of prudent regulation. We offer specific suggestions to correct this misinterpretation to assure that state and local governments can appropriately respond to the digital activities that impact physical realities.

Informal introduction:

Perhaps the most beloved twenty-six words in tech law, §230 of the Communications Decency Act of 1996 has been heralded as a “masterpiece” and the “law that gave us the modern Internet.” It was originally designed to protect online companies from defamation claims for third-party speech (think message boards and AOL chat rooms), but over the years §230 has been used to protect online firms from all kinds of regulation—including civil rights and consumer protection laws. As a result, it is now the first line of defense for online marketplaces seeking to avoid state and local regulation.

In our new working paper, Abbey Stemler and I challenge existing interpretations of §230 and highlight how it and other federal laws interfere with state and local government’s ability to regulate online marketplaces—particularly those that dramatically shape our physical realties, such as Uber and Airbnb. §230 is sacred to many, but as Congress considers revising §230 and Courts continually reassess its interpretation, we hope our paper will encourage a richer discussion about the duties of online marketplaces.

Uber Can’t Be Fixed — It’s Time for Regulators to Shut It Down

Edelman, Benjamin G. “Uber Can’t Be Fixed — It’s Time for Regulators to Shut It Down.” Harvard Business Review (digital) (June 21, 2017). (Translations: Japanese, Russian.)

From many passengers’ perspective, Uber is a godsend — lower fares than taxis, clean vehicles, courteous drivers, easy electronic payments. Yet the company’s mounting scandals reveal something seriously amiss, culminating in last week’s stern report from former U.S. Attorney General Eric Holder.

Some people attribute the company’s missteps to the personal failings of founder-CEO Travis Kalanick. These have certainly contributed to the company’s problems, and his resignation is probably appropriate. Kalanick and other top executives signal by example what is and is not acceptable behavior, and they are clearly responsible for the company’s ethically and legally questionable decisions and practices.

But I suggest that the problem at Uber goes beyond a culture created by toxic leadership. The company’s cultural dysfunction, it seems to me, stems from the very nature of the company’s competitive advantage: Uber’s business model is predicated on lawbreaking. And having grown through intentional illegality, Uber can’t easily pivot toward following the rules.

Passenger Right to Record at Airports and on Airplanes? with Mike Borsetti

Passengers have every reason to record airline staff and onboard events–documenting onboard disputes (such as whether a passenger is in fact disruptive or a service animal disobedient), service deficiencies (perhaps a broken seat or inoperational screen), and controversial remarks from airline personnel (like statements of supposed rules, which not match actual contract provisions). For the largest five US airlines, no contract provision–general tariff, conditions of carriage, or fare rules–prohibits such recordings. Yet airline staff widely tell passengers that they may not record–citing “policies” passengers couldn’t reasonably know and certainly didn’t agree to in the usual contract sense. (For example, United’s policy is a web page not mentioned in the online purchase process. American puts its anti-recording policy in its inflight magazine, where passengers only learn it once onboard.) If passengers refuse to comply, airline staff have threatened all manner of sanctions including denial of transport and arrest. In one incident in July 2016, a Delta gate agent even assaulted a 12-year-old passenger who was recording her remarks.

In a Petition for Rulemaking filed this week with the US Department of Transportation, Mike Borsetti and I ask DOT to affirm that passengers have the right to record what they lawfully see and hear on and around aircraft. We explain why such recordings are in the public interest, and we present the troubling experiences of passengers who have tried to record but have been punished for doing so. We conclude with specific proposed provisions to protect passenger rights.

One need not look far to see the impact of passenger recordings. United recently summoned security officers who assaulted passenger David Dao, who had done nothing worse than peacefully remain in the seat he had paid for.  The officers falsely claimed that Dao was “swinging his arms up and down with a closed fist,” then “started flailing and fighting” as he was removed.  United CEO Oscar Munoz’s falsely claimed that Dao was “disruptive and belligerent”.  Fortunately, five passenger recordings provided the crucial proof to rebut those claims.  Dao and the interested public are fortunate that video disproved these allegations. But imagine if United had demanded that other passengers onboard turn off their cameras before security officers boarded, or delete their recordings afterward and prove that they had done so — consistent with passenger experiences we report in our Petition for Rulemaking. Had United made such demands, the officers’ false allegations would have gone unchallenged and justice would not have been done. Hence our insistence that recordings are proper even–indeed, especially–without the permission of the airline staff, security officers, and others who are recorded.

Our filing:

Petition for Rulemaking: Passenger Right to Record

DOT docket with public comment submission form

English Translation of FAS Russia Decision in Yandex v. Google

In September 2015, the Russian Federal Antimonopoly Service announced its decision that Google had violated Russian law by tying its mobile apps to Google Play and setting additional restrictions on mobile device manufacturers, including limiting what other apps they install and how they configure those apps and devices. These topics are of great interest to me since I was the first to publicly distribute the Mobile Application Distribution Agreements, and because I explored related questions at length in my 2015 article Does Google Leverage Market Power Through Tying and Bundling? and more recently my working paper Android and Competition Law: Exploring and Assessing Google’s Practices in Mobile (with Damien Geradin).

For those who wish to understand the reasoning and conclusions of Russia’s FAS, one key limitation is that the September 2015 decision is available only in Russian. While the case document library summarizes key facts, allegations, and procedural developments, that’s no substitute for the full primary source documents.

In the course of expanding my Android and Competition Law paper, I recently obtained an English translation of the September 2015 decision. The decision is unofficial but, as best I can tell, accurate and reliable. It suffers redactions, but the original in Russian has the same limitation. I offer it here to anyone interested:

Yandex v. Google – Resolution on Case No. 1-14-21/00-11-15 – resolution of September 18, 2015 – unofficial English translation

EC Statement of Objections on Google’s Tactics in Mobile

Today the European Commission announced a Statement of Objections to Google’s approach to Android mobile licensing and applications. Broadly, the EC’s concerns arise from Google’s contractual restrictions on phone manufacturers — requiring them to install certain apps, in certain settings, if they want other apps; preventing customizations that manufacturers would prefer; requiring manufacturers to set Google Search as the sole and default search provider.

These questions are near and dear to me because, so far as I know, I broke the story of Google’s Mobile Application Distribution Agreement contracts, the previously-secret documents that embody most of the restrictions DG Comp challenges. I described these documents in a February 2014 post:

Google claims that its Android mobile operating system is “open” and “open source”–hence a benefit to competition. Little-known contract restrictions reveal otherwise: In order to obtain key mobile apps, including Google’s own Search, Maps, and YouTube, manufacturers must agree to install all the apps Google specifies, with the prominence Google requires, including setting these apps as default where Google instructs. It’s a classic tie and an instance of full line forcing: If a phone manufacturer wants any of the apps Google offers, it must take the others also.

I offered the HTC MADA and Samsung MADA, both as they stood as of year-end 2010. So far as I know, these are the only MADA’s available on the web to this day; while Google now admits that MADAs exist (a fact unknown to the public before I posted these documents), no one has circulated any newer versions. Occasional news reports discuss new versions, most notably a September 2014 piece from The Information’s Amir Efrati reporting new and growing requirements embodied in “confidential documents viewed by The Information” but unfortunately not available to the public. So the documents I posted remain the best available evidence of the relevant restrictions.

While news reports and the EC SO offer some sense of MADA requirements, there’s no substitute for reading the plain language of the underlying contracts. I cited and quoted key sections in my 2014 piece:

“Devices may only be distributed if all Google Applications [listed elsewhere in the agreement] … are pre-installed on the Device.” See MADA section 2.1.

The phone manufacturer must “preload all Google Applications approved in the applicable Territory … on each device.” See MADA section 3.4(1).

The phone manufacturer must place “Google’s Search and the Android Market Client icon [Google Play] … at least on the panel immediately adjacent to the Default Home Screen,” with “all other Google Applications … no more than one level below the Phone Top.” See MADA Section 3.4(2)-(3).

The phone manufacturer must set “Google Search … as the default search provider for all Web search access points.” See MADA Section 3.4(4).

Google’s Network Location Provider service must be preloaded and the default. See MADA Section 3.8(c).

“Naked exclusion” and impeding competition

Competition lawyers offer the term “naked exclusion” for conduct unabashedly intended to exclude rivals, for which a dominant firm offers no efficiency justification. That diagnosis matches my understanding of these tactics, as the MADAs give no suggestion that Google is trying to help consumers or anyone else. Rather, the MADAs appear to be intended to push Google’s own businesses and prevent competitors from getting traction.

Consider the impact on competing firms. Suppose some competing app maker sought to increase use of one of its apps, say Yahoo seeking greater usage of Yahoo Maps. Yahoo might reasonably offer a bonus payment to, say, Samsung as an incentive for featuring the Yahoo Maps app on new phones sold via, say, AT&T. To encourage users to give Yahoo Maps a serious try, Yahoo would want its service to be the only preinstalled mapping app; otherwise, Yahoo would rightly anticipate that many users would discard Yahoo Maps and go straight to the familiar Google Maps. For $2 per phone, Samsung might be happy to remove Google Maps and preinstall Yahoo Maps, figuring any dissatisfied consumer could download Google Maps. And if some of that $2 was passed back to consumers via a lower price for purchasing the phone, consumers might be pleased too. Crucially, Google’s MADA prevents this effort and others like it. In particular, the MADA requirements prevent Samsung from removing any of the listed Google apps, Google Maps key among them. And if Samsung can only offer Yahoo the option to be a second preinstalled mapping app, it’s much less clear that Yahoo is willing to pay. In fact, based on Yahoo’s reasonable projections of user response, there may no longer be a price that Yahoo is willing to pay and Samsung is willing to accept.

The first key effect of the MADAs, then, is that they prevent new entrants and other competitors from paying to get exclusive placement. This impedes competition and entry, and streamlines Google’s dominance.

Meanwhile, the MADAs correspondingly reduce pressure on Google to provide market-leading functionality and quality. Some competing apps might be a little bit better than Google’s offerings, and a phone manufacturer might correctly assess that consumers would prefer those alternatives. But phone manufacturers can’t switch to those offerings because the MADA disallows those changes. This barrier to switching in turn discourages competing app makers from even trying to compete. After all, if they can’t get traction even when their apps are genuinely better, they won’t be able to raise capital and won’t develop the improvements in the first place.

Finally, the MADAs prevent Google from needing to pay to get and retain preferred placements and defaults. On desktop computers, search engines pay to be a browser’s default — giving additional revenue to a computer manufacturer, and reducing device cost. But MADAs allow Google to require that it be the default search provider, and require that its apps be preinstalled and prominent, all without payment to phone manufacturers.

Assessing Google’s responses

This week reporters conveyed to me Google’s responses to the EC’s SO. First, Google argued that it is merely requiring that its apps be preinstalled, not ruling out the possibility that other apps may be preinstalled too. That defense has three key weaknesses.

  • Some MADA provisions explicitly do require that Google functions be the sole or default in their spheres. Consider the requirement that Google Search be the default search provider for all Web search access points (MADA Section 3.4(4)) and the requirement that Google’s Network Location Provider service must be preloaded and default (MADA Section 3.8(c)). One can hardly overstate the importance of these two functions. Search is the most natural way to monetize users’ activities and is the natural gateway to other functions and services. Meanwhile, location providers are the crucial translation between a phone’s sensors and its inferences about the user’s geographic location — collecting and aggregating location data with exceptional commercial value though of course also special privacy consequences. In these two crucial areas, Google does exactly what its defense claims it does not — requiring not only that its services be installed, but that they be installed as the sole and exclusive default. We are fortunate to be able to read the MADAs (HTC, Samsung) to see these requirements embodied in contract language.
  • The possibility of a more intrusive restriction does nothing to deny the harm from the approach Google chose. Google sketches a different restriction on competition that would cause even larger harm — requiring not just preinstallation of Google apps but explicit contractual exclusion of competitors. But the possibility of a worse alternative does not mean Google’s approach is permitted.
  • Google’s argument runs counter to settled European competition law. Consider experience from prior EC proceedings against Microsoft. Microsoft always allowed OEM’s to install other web browsers and other media players. Nonetheless Microsoft faced EC penalties for requiring that OEM’s include Microsoft’s browser and media player. The law of the land, for better or for worse, is that dominant firms may not invoke this approach.

Second, Google told reporters that its tactics are necessary to protect the health of the Android ecosystem and to build and retain consumer trust. But this argument strains credibility. Would the Android ecosystem truly be less reliable or trustworthy if some phones came with, say, Yahoo Maps? The better assessment is that Google imposes MADA restrictions to advance its business interests. To evaluate these alternative understandings of Google’s conduct, one might depose Google employees or better yet read contemporaneous documents. Beginning in 2010, Skyhook litigation revealed some of Google’s internal email discussions in this area, revealing reveal that their purpose is competitive — “using compatibility as a club to make them [phone makers] do things we want.” Further evidence against Google’s ecosystem/trust argument comes from Android’s other notable ecosystem weaknesses — from brazenly counterfeit apps to confusingly inconsistent user interfaces. Allowing those problems to fester for years, Google cannot plausibly claim significant consumer confusion or ecosystem harm from, say, a competing maps app clearly labeled as such.

Third, Google argued that dissatisfied phone manufacturers can always install core Android without any Google Mobile Services and hence without the MADA obligations. But this approach ignores commercial realities. In wealthy markets such as the EC and the US, few customers would accept an Android phone without Google Play, the app store necessary to install other apps. Without Google Play, consumers cannot get the Facebook app, the Pandora, Uber, and so on. Such a limited phone would be a nonstarter for mainstream users. Amazon’s Fire flop reveals that even Amazon, with a trusted name and distinctive positioning, could not offer a viable phone without Google Play access to install other apps. Conversely, consider how much more attractive users would have found Fire had they been able to use Google Play to get the benefit of third-party apps alongside the distinctive features Amazon provided. But Google’s MADA exactly prohibited that approach — converting a promising potential competitor into a weakling that quickly collapsed.

Looking ahead

One crucial next step is discussion of remedies — what exactly Google must do in order to correct the distortions its MADAs have created. Bloomberg reports Google reducing the number of apps phone manufacturers are required to preinstall and feature — but dropping losers like Google Plus is just tinkering around the edges.

The obvious first step is that Google should withdraw the MADA restrictions. With no more MADA, phone manufacturers could take the distinct Google apps that they want, and not others. Google has no proper reason to prevent a phone manufacturer from combining Google Play with, say, Yahoo Maps and Bing Search. Indeed, with Google’s search dominance increasingly protected from competition as Yahoo stumbles and Microsoft withdraws, these combinations are the most promising way to increase competition in mobile.

Next, it goes nearly without saying that Google should pay a substantial penalty. Billion-dollar fines have become routine in Europe’s competition cases against American tech giants, including for conduct far less brazen and less obviously calculated to impede competition. Anything less at this point would seem to be a slap on the wrist undermining the importance of the EC’s effort.

Most of all, a full remedy requires affirmative efforts to undo the harm from Google’s years of improper conduct. After Microsoft’s browser tactics were deemed unlawful, the company was for five years obliged to present a “ballot box” in which consumers affirmatively chose among the five most popular browsers — presented in random order with no default. It’s easy to envision a similar approach in mobile: Upon first activating a new smartphone, a user would choose among the top five maps apps, top five search engines, top five geolocation services, and so forth. These obligations would most naturally track all the verticals that Google has targeted through its MADA restrictions. As users saw these options, competing app makers would get a prominent opportunity to attract users at modest expense — beginning to restore the competition that Google has improperly foreclosed.

Finally, a remedy should undo the secrecy Google has imposed. I wrote in 2014 about the remarkable steps required to obtain the MADAs — documents whose very existence was purportedly confidential, and whose terms contradicted the public statements (and sworn testimony) of Google’s leaders. This secrecy prevented app developers, competitors and the general public from knowing and debating Google’s tactics and raising concerns for a prompt regulatory response. Furthermore, secrecy emboldened Google to invoke methods that would have been less attractive had they been subject to public scrutiny from the outset. As part of competition proceedings, Google should be compelled to publish key contracts, facilitating analysis and discussion by the interested public. Meanwhile, as John Gapper writes in the FT, it’s ironic for Google to claim that EU officials “could be better informed” when Google itself limits distribution of the most important documents.

When Your Competitors Ignore the Law

Last fall I flagged the problem of transportation network companies (Uber and kin) claiming a cost advantage by ignoring legal requirements they considered ill-advised or inconvenient. But the problem stretches well beyond TNCs. Consider Airbnb declining to enforce (or, often, even tell hosts about) the insurance, permitting, tax, zoning, and other requirements they must satisfy in order to operate lawfully. Or Zenefits using selling insurance via staff not trained or certified to do so (and, infamously, helping some staff circumvent state-mandated training requirements). Or Theranos offering a novel form of blood tests without required certification, yielding results that federal regulators found “deficient” and worse. The applicable requirements may be clear — get commercial insurance before driving commercially; be zoned for commercial activities if you want to rent out a room; be trained and licensed to sell insurance if you intend to do so. Yet a growing crop of startups decline to do so, finding it faster and more expedient to seek forgiveness rather than permission. And the approach spreads through competition: once one firm in a sector embraces this method, others have to follow lest they be left behind.

A first question is how violations should be sanctioned. I’ve long thought that penalties could appropriately be severe. Consider the Pennsylvania Public Utility Commission’s $49 million civil penalty against Uber for its intentional operation in violation of a PUC order. The PUC discussed the purpose of this penalty: “not just to deter Uber, but also [to deter] other entities who may wish to launch … without Commission approval.” Their rationale is compelling: If the legal system requires a permit for Uber’s activity, and if we are to retain that requirement, sizable penalties are required to reestablish the expectation that following the law is indeed compulsory. Now suppose every state and municipality were to impose a penalty comparable in size. Despite Uber’s wealth, the numbers add up — 100 such penalties would take $4.9 billion from Uber’s investors, a sizable share of Uber’s valuation and plausibly more than the company’s cash on hand.

Meanwhile, competitors are compelled to respond. For a typical taxi fleet owner or driver, or anyone else trying to compete with a law-breaking entrant, it’s little answer to hope that regulators may some day impose penalties. (And indeed there’s scant evidence that Pennsylvania’s approach will prevail more broadly.) What to do? Damien Geradin and I offer a menu of suggestions in two recent articles:

Spontaneous Deregulation: How to compete with platforms that ignore the rules – Harvard Business Review

Competing with Platforms that Ignore the Law – HBR Online