Legal and ethical perspectives on IT development Liability, Litigation risk, ‘Professional'...

Legal and ethical perspectives on IT development Liability, Litigation risk, ‘Professional' standards, and Ethics Slides at http://cyberlawcentre.org/seng4921/ David Vaile Co-convenor Cyberspace Law and Policy Centre/Community Faculty of Law, University of NSW http://www.cyberlawcentre.org/

Legal and ethical perspectives on IT development

Liability, Litigation risk, ‘Professional' standards, and Ethics

Slides at http://cyberlawcentre.org/seng4921/

David Vaile
Co-convenor
Cyberspace Law and Policy Centre/Community
Faculty of Law, University of NSW
http://www.cyberlawcentre.org/

Outline
Strange bedfellows: IT, Law & ethics
Legal system
Liability, ‘professional’ ethics
Software development – immature?
‘It’s the risk, stupid’
IT project mgt central issue: risk, should drive everything
‘Spiral’ iterative disposable prototype for resolving risks
Non-tech risks: human, data, political, regulatory, unknown
Early rather than after disaster.
Examples

Software, Law and Ethics
Strange bedfellows
How the law is made, and works
Differing Principles and standards
Risks in software development
Examples:
◦ Consumer protection
◦ Product liability
◦ Professional liability
◦ Anti-trust: abuse of monopoly
◦ Intellectual property: copyright, patents
◦ Privacy
◦ Spam

Legal System

Features of the legal system
Main divide: Criminal <-> the rest
Criminal
◦ Launched by state, trial, conviction or acquittal. Crimes
Civil
◦ Sued by other party, damages, restitution. Contracts, roles
Sources
◦ Statutes (‘Laws’) set rules, Cases interpret them
◦ Jurisdiction: which laws and courts
◦ Appeals to higher court
◦ Precedent is critical in cases: follow higher/past authority
◦ Contracts: Making stuff up
Obligations: from Statutes and Contracts
Everything is arguable (if you lose, $$ costs)
‘Ignorance is no defence’: I click therefore I am Bound

What shapes the law?
Ongoing struggle between interests
Evidence based policy, Parliamentary process
Commercial reality
Technical reality
Public standards
International effects (indirect)
Clueless bozos on Facebook

Different standards
Liability
◦ Is it against the law?
Litigation risk
◦ Will you be caught, sued or prosecuted?
‘Professional’ standards
◦ Will your peers reject you?
Ethics
◦ Will your children & friends reject you?

Why do I care?

What matters?
Breaking the law? Liability
Getting caught? Enforcement
Losing your job? Professional
Losing your reputation? Ethics
Or just building crap? Self respect

Professional Liability
Nature of Profession?
Membership of Professional body
Registration required to work?
Self-regulation
Insurance
Peer attitudes
Reputation

IT Risk

Development risk factors

20% coding and engineering – ignore?
80% analysis, communication, revision
User-Centred Design & Risk Management
Neglected but critical
Early vs. late error discovery
‘User sovereignty’

When development mistakes blow
‘Too soon old, too late smart’
Coding
Feasibility and conception
User requirements, analysis, communication
Design
Testing
Revision
Delivery
??? Too late!

Development quandaries
Most software projects fail, 4 PM variables
◦ Cost, time, scope, quality (for User)
Many break various standards, but...
You could do it accidentally...
Or be asked/tempted to deliberately
Your own position
Your employer’s
The ‘victim’s position’

How to navigate IT risk
‘Spiral’ iterative disposable prototype approach to resolving risks
Inc non-technical risks: human, data, political, regulatory, unknown
User requirements central, get feedback at every stage
Early discovery rather than after disaster
Value & reward mistakes, deprecate denial
But...

‘Move Fast and Break Things’ (Zuckerberg’s naughty teenager model to exploit ‘dumb **cks’)
‘See what you can get away with’
‘See if you get caught’
‘We haven’t been caught [yet]’
Disposable prototyping, not compliance
What works for software does not work for personal or critical information
Your secrets are not revokable, disposable
Brutal ‘Reality Therapy’ from the law: Usmanov case: 6 months for FB GF photo

Examples: Legal and Ethical Impacts of IT Risk

‘Ethical Hacking’
Essence of Cybercrime: ‘Unauthorised’
Criminalisation of hacking, circumvention
EH done w Good Intentions (See Road to Hell, paved with)
But uses methods of malware, crackers
Morris Worm 1990s: Jail for bug exposé
Personal Information Security is critical
Yoof disbelieve contract & consequence?
Drive it by transparent risk management
The right answer may be: Don’t do it!

Ethical Hacking Example
Recent inquiry...
Plan for great ethical hack
Potential cybercrime, reputation, professional, etc.
Solution: Get it out in the open to run the risk management paper prototype;
If too dodgy to reveal, discuss: drop it!

Other Examples

Privacy
‘Right to be left alone’
Defeat of Australia Card, Privacy Act 1988
Limited rights of data subjects, few cases
Restricts what technology can do
Requires security
Affects everyone
But risk awareness is abysmal
Facebook brain-washing re: over-sharing
2012 AGs Telecoms Data Retention plan

Privacy Hypothetical

See hypothetical example

Tort/ Negligence
Product liability
Duty of Care, special relationship
Act or omission
Causation
Foreseeability of harm
Proximity

Consumer Protection
Based on consumer/vendor relation
Assumes imbalance
Statutory Warranties – fit purpose
Contractual waiver?
Misleading and deceptive conduct
Unfair Contracts
Can be Strict Liability – State Bank

Consumer protection hypothetical

See hypothetical example

Anti-trust: Abuse of Monopoly
Competition policy
Monopoly
Example: MS v DoJ re Netscape
Political involvement
Practical significance

Anti-trust hypothetical

See hypothetical example

Intellectual Property
Purpose:
Copyright Act: form, not substance
◦ No registration
◦ Digital Agenda
Patents Act: the idea, not the form
Circuit Designs
Free Trade Agreement

Copyright
Copyright Act:
◦ Exclusive right to control exploitation
No registration
Actual text, code or implementation
Licences with conditions and fees
Technological Protection
◦ ‘Digital Rights Management’ tools
◦ DMCA and contracting away user rights

Copyright and Public Domain
Differences in Australia, US...
Fierce battle: maximalist v PD?
‘Public Domain’
Open Source software: GPL, copyleft
Open Content
◦ Creative Commons – US, global?
◦ Free for Education - Australian
Business models

Patents and software
Right to deny access
Requires registration
Expensive to fight
Patentable material?
E-business patents
◦ Amazon 1-Click web shopping cart
Gene sequence patents
◦ Bioinformatics – human genome race

Current patent battles
Resistance to patentability of software
EU Commission recommends, Parl. Rejects
CSIRO v. US computer industry – wireless
Linux?
Why are software patents a danger?
◦ Locking up pure ideas? Mathematics? Stallman
◦ Not just open source
◦ Impossible to ascertain if infringing
◦ Patent Offices too lax and inexperienced? $$ motive
◦ Very expensive
◦ Only works if you have a huge portfolio

Spam
Spam Acts: Australia, USA, California
Unsolicited commercial electronic message
Single message
Address harvesting
Penalties
Surveillance
Workplace privacy bill NSW

Spam hypothetical

See hypothetical example

Questions?

Conclusion

David Vaile
Executive Director
Cyberspace Law and Policy Centre
Faculty of Law, University of NSW
http://www.cyberlawcentre.org/