A viral paper sounds the alarm by abandoning nuance
A paper titled “How AI Destroys Institutions” by two Boston University Law professors, posted to SSRN and forthcoming in the UC Law Journal, has gone viral, with around 17,000 downloads. (The other day it was 9.) Papers in law do well if they get over a few hundred hits. This one was aided in part by Gary Marcus, a well-known gen AI skeptic, boosting it on social media, which is how I came across it.
After reading it, I don’t think it’s a cynical attempt to take an extreme position in the hope of going viral. But the paper is so sweeping, so feverish in its claims, that despite my reluctance to draw further attention to it, I feel compelled to comment.
Sometimes articulating a fear — facing it head on — helps us come to terms with it. The authors, Woodrow Hartzog and Jessica Silbey, point to real dangers here, across many fronts. But their certainty about the doom that lies ahead, about how serious a threat AI poses, comes at the expense of abandoning all nuance — of assuming that because something is possible in theory, it is likely to occur in practice.
Jan 14, 2026
If we want to reduce harm, we need to look upstream
In December, the federal government tabled the ‘Protecting Victims Act’ (Bill C-16) to fill a gap in Canada’s Criminal Code on the distribution of sexual deepfakes, and added a new offence of threatening to distribute an intimate image.
In this post, I ask: how prevalent is this conduct in Canada, and will these new offences make a difference? If not, what more should we do?
Briefly, the Criminal Code already makes it an offence to share an intimate image of an adult without consent, but it doesn’t capture deepfakes. Now it will. And while extortion is already an offence, it requires a threat made “with intent to obtain” something. The bill’s new offence of threatening to distribute an intimate image only requires that a threat be made.
The government has yet to release its Charter Statement, but David Fraser wonders whether the deepfake offence is too broad to survive a freedom of expression challenge. There’s a public interest defence, but does it protect satirical deepfakes of politicians? Should there be broader exceptions for this? Will the courts ‘read in’ these exceptions?
All good questions, but I want to address the conduct targeted here. How prevalent is it and will new law help? Short answer: the conduct is prevalent, but I doubt these new laws — or others on the way — will do much to curb it.
Dec 27, 2025
Critics of the bill are right to be concerned, so why the curious silence in the government’s Charter Statement?
Shortly after tabling bill C-2 in June, which I’ve written a few posts about, the government tabled Bill C-8, the Cyber Security Act. It too raises serious concerns about privacy but hasn’t attracted nearly as much attention.
In broad terms, the bill does two things. It amends telecommunications law to allow the Minister of Industry to order telcos like Shaw and Telus to make changes to their systems to bolster security and investigate breaches. It also creates a new framework for protecting “critical cyber systems” that support infrastructure like pipelines, banking networks, and commercial telecommunications.
With the bill now at second reading, digital rights advocates have argued before a standing committee that portions of the first part of the bill are especially concerning and likely violate section 8 of the Charter, which guarantees the right to be secure against unreasonable search or seizure.
The nub of the issue is the power in bill C-8 to order a telco like Shaw to do something that might involve the incidental collection of personal information or its disclosure to an agency like the Communications Security Establishment (CSE) investigating a cyberbreach.
To make this more vivid, consider the testimony of Simon Noël, Intelligence Commissioner of Canada, before the committee in October, where he said:
In my experience as IC—with over three years and 45 decisions rendered—for the CSE to analyze and understand a cyber-incident, it must have access to information about the incident. There may be situations where this information is only technical in nature and sharing it with the CSE raises no privacy concerns, as you were told when you met with other witnesses. However, to fully understand the cyber-incident, other situations may require the CSE to have access to information, including technical information, for which Canadians have a reasonable expectation of privacy. I’ve seen it. … I agree that it’s technical information, but I also know that if you want a positive result on an incident of such importance, they need to go into the content. I’ve seen it in every cyber-operation I’ve been involved in.
Critics of the bill point out important gaps in C-8 that fail to address the Commissioner’s concerns. They note features of the bill that might even make problems worse.
Dec 17, 2025
As it inches toward a majority in Parliament, the Liberal government is signaling its intention to move ahead with the controversial parts of the Strong Borders Act it chose to shelve back in October — in response to strong opposition from the other parties.
I’ve written about the various privacy-invasive powers in the bill briefly here, and in more detail here.
Last week I had the pleasure of attending a roundtable with the Honourable Minister of Public Safety, Gary Anandasangaree, who asked for ideas about how to improve the bill.
Here are five:
Oct 25, 2025
Earlier this month, when no other party would support the Liberals in passing Bill C-2—the ‘Strong Borders Act,’ with its controversial surveillance powers—the government shelved it.
More precisely, it split off the contentious parts of the bill from the customs and immigration provisions meant to appease our neighbours to the south and re-tabled those as Bill C-12.
But it didn’t withdraw C-2. The Minister of Public Safety insists that all of C-2 is still on the agenda.
Among the most concerning parts of C-2 that were temporarily shelved are the ‘lawful access’ provisions found in a new statute that the Bill would have brought about: the ‘Supporting Authorized Access to Information Act.’
As I’ve written earlier, this new law would have given the government the power to compel ‘electronic service providers’ like Shaw or Telus, or Apple and Google, to ‘install equipment’ or make technical modifications to give police and CSIS direct access to private data for real-time interception or seizure of stored communications. That’s your email, texts, and everything you have stored in iCloud, in case you were wondering.