[dynm]

I think the main content of this law (https://legiscan.com/MT/text/SB212/id/3212152) is just two paragraphs. I'd suggest reading them yourself rather than relying on secondary description:

"Government actions that restrict the ability to privately own or make use of computational resources for lawful purposes, which infringes on citizens' fundamental rights to property and free expression, must be limited to those demonstrably necessary and narrowly tailored to fulfill a compelling government interest."

"When critical infrastructure facilities are controlled in whole or in part by a critical artificial intelligence system, the deployer shall develop a risk management policy after deploying the system that is reasonable and considers guidance and standards in the latest version of the artificial intelligence risk management framework from the national institute of standards and technology, the ISO/IEC 4200 artificial intelligence standard from the international organization for standardization, or another nationally or internationally recognized risk management framework for artificial intelligence systems. A plan prepared under federal requirements constitutes compliance with this section."

In particular, I think the reporting is straight wrong that there's a shutdown requirement. That was in an earlier version (https://legiscan.com/MT/text/SB212/id/3078731) and remains in the title of this version, but seems to have been removed from the actual text.

[RobRivera]

So the government is afforded the opportunity to constrict compute if for a government interest.

This bill seems to expand powers, not restrict

[dynm]

Before the law, I think the state government or local governments could (by passing a law) restrict computing for any reason, even without a government interest. Now, they'd have to repeal this first.

[RobRivera]

How?

I know the whole 90s meme of 'I am a controlled munition' went around because cryptography was labeled an ordnance subject to export control laws, and therefore code that performed those kind of computations were forbidden to be sold abroad, liable to a felony.

What happens today? Government gets rights to source code, logs, and rubber stamps/rejects your code from executing in the cloud?

Government limits your access to commodity infrastructure?

[lokar]

djb had to (with the EFF) spend years in court to establish (on appeal) that writing crypto code was a speech issue:

https://www.eff.org/cases/bernstein-v-us-dept-justice

Laws like this make it much simpler for someone to challenge a law or regulation. They don't have to convince the judge (and possibly appeals court) that building or using a computer is a form of protected expression, this law says it is.

It may seem kind of flimsy or non-consequential, but while it's not a massive change, it is a really change and it's constructive.

[dynm]

How? By default, state governments can pass basically whatever laws they want. They don't have (theoretically) limited enumerated powers like the federal government.

[RobRivera]

Im not asking for policy mechanics, I'm asking for implementation detail clarification.

[torginus]

Ah, finally something that the common man wants. A mandatory risk management strategy compliant with ISO/IEC guidelines

[scuff3d]

When you contextualize the law with comments like this

"The initiative... contrasts with recent restrictive legislation efforts in states like California and Virginia. Zolnikov, a noted advocate for privacy, has been instrumental in pushing for tech-friendly policies that ensure individual liberties in an evolving digital landscape.

"'As governments around the world and in our own country try to crack down on individual freedom and gain state control over modern technologies,' Zolnikov said. 'Montana is doing the opposite by protecting freedom and restraining the government.'"

And it's the normal framing we always see with this crap. This is more an attempt to protect corporations from regulation then it is to protect individuals.

[toomanystraws]

"... the deployer shall develop a risk management policy after deploying the system...."

This is a complete sham. Anything really geared towards protecting people would have protections in place before deployment.

[tzs]

Hmmm. "[...] the deployer shall develop a risk management policy after deploying the system [...]".

I wonder why it is after rather than before?