Gun-toting androids are not what we need right now

The need to establish digital safeguards has never been greater. People today reveal unprecedented amounts of information online, and bad actors seek to take advantage.

In Massachusetts, the Office of Consumer Affairs and Business Regulation reports that data breaches affected personal information of 5.86 million residents in 2023 (a resident may have been affected by multiple breaches), including 2.1 million people who had personal and health data breached in a ransomware incident at Harvard Pilgrim Health Care, nearly 385,000 affected by hacking at pharmacy services company PharMerica, and more than 300,000 affected in each of two data breaches at gaming companies MGM Resorts and Caesars Entertainment. That represents a major increase from the 1.86 million residents affected by breaches in 2021 and 2.24 million in 2022.

Get The Primary Source

Globe Opinion’s weekly take on politics, delivered every Wednesday.

Massachusetts school districts have been shut down by ransomware attacks. Nationally, Iran-linked cybercriminals have attacked US water systems for using an Israeli-made computer system. Even among well-intentioned corporations, technology has been misused, like Rite Aid’s use of facial recognition technology to catch shoplifters, which falsely tagged customers, particularly people of color.

“From cybersecurity to AI, these are issues that are facing everyone and every aspect of everyone’s lives,” said state Senator Michael Moore, who chairs the Joint Committee on Advanced Information Technology, the Internet, and Cybersecurity with state Representative Tricia Farley-Bouvier. “Shouldn’t we as a society want to make sure we have an understanding of what’s being used, the protocols, the direction in which technologies are being utilized?”

This board has previously called for statewide standards and resources to help school districts and municipal governments improve cybersecurity.

This bill would move in that direction by creating a new cybersecurity control board tasked with crafting cybersecurity standards related to things like authentication, data management, training, and incident response. A separate commission would study the use of automated decision-making systems. A loan fund would provide money for government projects to modernize information technology. The bill would impose new reporting requirements for cybersecurity incidents for any entity operating “critical infrastructure,” like utilities or transportation, and insurers could not prevent clients from reporting breaches. It would codify a Critical Incident Response Team that maintains protocols for responding to cybersecurity attacks on government systems.

But lawmakers will have to work out difficult details surrounding these provisions. If new cybersecurity standards impose a mandate on local governments, under state law, the state would have to fund them. As the bill is drafted, the standards would apply to public entities and private companies, with a small-business exemption. Attempting to have states regulate private companies’ cybersecurity is not necessarily bad but could spark difficult questions about which businesses fall under state jurisdiction, how to avoid unnecessarily duplicating federal requirements, and whether rules will stifle the state’s competitiveness or the growth of the technology industry. For example, a publicly traded hospital that has a data breach already has to report to three federal government entities, so state officials may want to piggyback on existing requirements to avoid unnecessary burdens.

The bill would also mandate cybersecurity training for public employees. A fund would be established to help public colleges train cybersecurity workers. In another initiative this board has called for, data security laws would be updated to better protect personal information like health data, location data, and biometric data, which now exist digitally in ways not envisioned when the laws were written.

Massachusetts would also become the first state to prohibit the manufacture, sale, or use of a robotic device or drone mounted with a weapon and to prohibit the use of robotic devices to threaten or harass someone. (A few states ban weaponized drones but none ban weaponized ground robots.) There would be exemptions for the US Department of Defense, military contractors, and police bomb squads. The legislation would require the police to obtain a warrant to send a robot onto private property, except in emergencies.

Already, online videos suggest people are giving robots guns. One YouTube poster described his novice — but successful — efforts to mount a gun on a robot dog and have it shoot a target. The technology is being eyed by the US military.

Boston Dynamics led five other robotics companies in pledging to not weaponize their robots and to prohibit their clients from doing so, with exceptions for defense and law enforcement. Boston Dynamics vice president of policy and government relations Brendan Schulman has been lobbying Massachusetts lawmakers to prohibit weaponized robots, and he hopes other states will follow. “To have advanced, autonomous, remotely controlled robots walking around harming people is not what the robotics industry stands for and damages the reputation of these lifesaving, highly beneficial new kinds of robots,” Schulman said. He said it is clearly a public safety risk to have a robot that is not designed as a weapons system running around, remote controlled by amateurs, with a weapon.

While hammering out a final bill will be challenging, it makes sense to provide a structure through which technology can be regulated — before gun-toting robots begin roaming the streets.

Editorials represent the views of the Boston Globe Editorial Board. Follow us @GlobeOpinion.

Read More

Editorial Board