Post on 15-Apr-2017
From Law to Code:Translating Legal Principles into Digital Rules
Michael Lang and Rónán KennedyNational University of Ireland, Galway
michael.lang@nuigalway.ie ronan.m.kennedy@nuigalway.ie
Image: Karl-Ludwig Poggemann, https://www.flickr.com/photos/hinkelstone/
Privacy: Gathering Insights from Lawyers and Technologists Maynooth University, July 1, 2015
Overview• Public perceptions of the ‘Right to be
Forgotten’• Implementation challenges• Privacy in security policy implementation• Privacy in requirements analysis and design
2
Privacy: Gathering Insights from Lawyers and Technologists Maynooth University, July 1, 2015
Public Perceptions of the ‘Right to be Forgotten’
• Survey conducted by Clare Doherty & Michael Lang (NUIG), Autumn 2013 Objective: obtain a sense of how people feel
about the proposed right to be forgotten and how it might be implemented
• Respondent profile 260 respondents Ranged in age from 17 to 61, mean of 29 years 14 different counties (Ireland 82%, Others 18%) Employed persons 74%, Students 17%, Others 9%
3
Privacy: Gathering Insights from Lawyers and Technologists Maynooth University, July 1, 2015
Do you know what your privacy rights are?
Privacy: Gathering Insights from Lawyers and Technologists Maynooth University, July 1, 2015
Are existing controls effective against on-line reputational damage?
Privacy: Gathering Insights from Lawyers and Technologists Maynooth University, July 1, 2015
Are you in favour of “right to be forgotten” becoming law?
Privacy: Gathering Insights from Lawyers and Technologists Maynooth University, July 1, 2015
What type of information should you have right to erase?
Privacy: Gathering Insights from Lawyers and Technologists Maynooth University, July 1, 2015
Implementation Challenges
• Legal rules:• Flexible, deliberately unclear, contested,
malleable• Digital:
• Rigid, clearly defined in advance, strictly operationalised, difficult to change
8
Privacy: Gathering Insights from Lawyers and Technologists Maynooth University, July 1, 2015
ICT and Legal ProcessesLegal processes neither simple nor linearNot easily modelled by logic or expert systemsRisk of destructive feedback cycleICT as embedded and entrenched infrastructure
9
Privacy: Gathering Insights from Lawyers and Technologists Maynooth University, July 1, 2015
Translating Legal Principles into Digital Rules
Dangers of digital decision-making Closed, inflexible, unaccountable systems Containing assumptions, biases, mistakes
Formalising practices and knowledge is difficult
Need to ‘Get It Right First Time’
10
Privacy: Gathering Insights from Lawyers and Technologists Maynooth University, July 1, 2015
“Privacy” in IS Security Risk Management
• Information systems risk management strategies are based on rational process:
What is likelihood of something going wrong? What is the severity: loss of life? loss of
money? loss of reputation? Cost-benefit analysis
• So, … do organisations really care about safeguarding privacy? Or is it worth taking a risk?
11
Privacy: Gathering Insights from Lawyers and Technologists Maynooth University, July 1, 2015
Information Systems Development:
The Importance of “Clear” Requirements• ISD Project Management: time / cost / quality challenge
(“software crisis” conundrum)
• “In nearly every software project that fails to meet performance and cost goals, requirements inadequacies play a major and expensive role in project failure” (Alford & Lawson, 1979)
• “The hardest single part of building a software system is deciding precisely what to build. No other part of the conceptual work is as difficult as establishing the detailed technical requirements ... No other part of the work so cripples the resulting system if done wrong.” (Brooks, 1987)
12
Privacy: Gathering Insights from Lawyers and Technologists Maynooth University, July 1, 2015 13
Getting the Requirements “Right”
Privacy: Gathering Insights from Lawyers and Technologists Maynooth University, July 1, 2015
Getting the Requirements Right:What Does “Privacy” Mean ?
14
Privacy: Gathering Insights from Lawyers and Technologists Maynooth University, July 1, 2015
Privacy as a “Requirement”
• Information systems developers don’t deal with laws, principles, rights, etc.
• They deal with “requirements”: clear, complete, consistent specifications of the behaviour of a system
Requirements definition: procedural logic, data attributes
Requirements prioritisation: feasibility, cost, “must have” versus “nice-to-have”
15
Privacy: Gathering Insights from Lawyers and Technologists Maynooth University, July 1, 2015
“Privacy by Design”• Privacy by Design: vague set of principles
No methodological guidance: how do systems developers build privacy into design process?
• Privacy by Re-Design: retro-fitting existing systems Very expensive Computers are designed to share, retain, index,
and analyse information … They are not designed to “forget”. Even “erasure” is not straightforward.
Privacy: Gathering Insights from Lawyers and Technologists Maynooth University, July 1, 2015
Over to you …• Michael Lang1 & Rónán Kennedy2, NUI
Galway• 1. School of Business & Economics, NUI Galway
Michael.Lang@nuigalway.ie
• 2. School of Law, NUI Galway Ronan.M.Kennedy@nuigalway.ie
17