From Law to Code: Translating Legal Principles into Digital Rules

17
From Law to Code: Translating Legal Principles into Digital Rules Michael Lang and Rónán Kennedy National University of Ireland, Galway [email protected] [email protected] Image: Karl-Ludwig Poggemann, https://www.flickr.com/photos/hinkelstone/

Transcript of From Law to Code: Translating Legal Principles into Digital Rules

Page 1: From Law to Code: Translating Legal Principles into Digital Rules

From Law to Code:Translating Legal Principles into Digital Rules

Michael Lang and Rónán KennedyNational University of Ireland, Galway

[email protected] [email protected]

Image: Karl-Ludwig Poggemann, https://www.flickr.com/photos/hinkelstone/

Page 2: From Law to Code: Translating Legal Principles into Digital Rules

Privacy: Gathering Insights from Lawyers and Technologists Maynooth University, July 1, 2015

Overview• Public perceptions of the ‘Right to be

Forgotten’• Implementation challenges• Privacy in security policy implementation• Privacy in requirements analysis and design

2

Page 3: From Law to Code: Translating Legal Principles into Digital Rules

Privacy: Gathering Insights from Lawyers and Technologists Maynooth University, July 1, 2015

Public Perceptions of the ‘Right to be Forgotten’

• Survey conducted by Clare Doherty & Michael Lang (NUIG), Autumn 2013 Objective: obtain a sense of how people feel

about the proposed right to be forgotten and how it might be implemented

• Respondent profile 260 respondents Ranged in age from 17 to 61, mean of 29 years 14 different counties (Ireland 82%, Others 18%) Employed persons 74%, Students 17%, Others 9%

3

Page 4: From Law to Code: Translating Legal Principles into Digital Rules

Privacy: Gathering Insights from Lawyers and Technologists Maynooth University, July 1, 2015

Do you know what your privacy rights are?

Page 5: From Law to Code: Translating Legal Principles into Digital Rules

Privacy: Gathering Insights from Lawyers and Technologists Maynooth University, July 1, 2015

Are existing controls effective against on-line reputational damage?

Page 6: From Law to Code: Translating Legal Principles into Digital Rules

Privacy: Gathering Insights from Lawyers and Technologists Maynooth University, July 1, 2015

Are you in favour of “right to be forgotten” becoming law?

Page 7: From Law to Code: Translating Legal Principles into Digital Rules

Privacy: Gathering Insights from Lawyers and Technologists Maynooth University, July 1, 2015

What type of information should you have right to erase?

Page 8: From Law to Code: Translating Legal Principles into Digital Rules

Privacy: Gathering Insights from Lawyers and Technologists Maynooth University, July 1, 2015

Implementation Challenges

• Legal rules:• Flexible, deliberately unclear, contested,

malleable• Digital:

• Rigid, clearly defined in advance, strictly operationalised, difficult to change

8

Page 9: From Law to Code: Translating Legal Principles into Digital Rules

Privacy: Gathering Insights from Lawyers and Technologists Maynooth University, July 1, 2015

ICT and Legal ProcessesLegal processes neither simple nor linearNot easily modelled by logic or expert systemsRisk of destructive feedback cycleICT as embedded and entrenched infrastructure

9

Page 10: From Law to Code: Translating Legal Principles into Digital Rules

Privacy: Gathering Insights from Lawyers and Technologists Maynooth University, July 1, 2015

Translating Legal Principles into Digital Rules

Dangers of digital decision-making Closed, inflexible, unaccountable systems Containing assumptions, biases, mistakes

Formalising practices and knowledge is difficult

Need to ‘Get It Right First Time’

10

Page 11: From Law to Code: Translating Legal Principles into Digital Rules

Privacy: Gathering Insights from Lawyers and Technologists Maynooth University, July 1, 2015

“Privacy” in IS Security Risk Management

• Information systems risk management strategies are based on rational process:

What is likelihood of something going wrong? What is the severity: loss of life? loss of

money? loss of reputation? Cost-benefit analysis

• So, … do organisations really care about safeguarding privacy? Or is it worth taking a risk?

11

Page 12: From Law to Code: Translating Legal Principles into Digital Rules

Privacy: Gathering Insights from Lawyers and Technologists Maynooth University, July 1, 2015

Information Systems Development:

The Importance of “Clear” Requirements• ISD Project Management: time / cost / quality challenge

(“software crisis” conundrum)

• “In nearly every software project that fails to meet performance and cost goals, requirements inadequacies play a major and expensive role in project failure” (Alford & Lawson, 1979)

• “The hardest single part of building a software system is deciding precisely what to build. No other part of the conceptual work is as difficult as establishing the detailed technical requirements ... No other part of the work so cripples the resulting system if done wrong.” (Brooks, 1987)

12

Page 13: From Law to Code: Translating Legal Principles into Digital Rules

Privacy: Gathering Insights from Lawyers and Technologists Maynooth University, July 1, 2015 13

Getting the Requirements “Right”

Page 14: From Law to Code: Translating Legal Principles into Digital Rules

Privacy: Gathering Insights from Lawyers and Technologists Maynooth University, July 1, 2015

Getting the Requirements Right:What Does “Privacy” Mean ?

14

Page 15: From Law to Code: Translating Legal Principles into Digital Rules

Privacy: Gathering Insights from Lawyers and Technologists Maynooth University, July 1, 2015

Privacy as a “Requirement”

• Information systems developers don’t deal with laws, principles, rights, etc.

• They deal with “requirements”: clear, complete, consistent specifications of the behaviour of a system

Requirements definition: procedural logic, data attributes

Requirements prioritisation: feasibility, cost, “must have” versus “nice-to-have”

15

Page 16: From Law to Code: Translating Legal Principles into Digital Rules

Privacy: Gathering Insights from Lawyers and Technologists Maynooth University, July 1, 2015

“Privacy by Design”• Privacy by Design: vague set of principles

No methodological guidance: how do systems developers build privacy into design process?

• Privacy by Re-Design: retro-fitting existing systems Very expensive Computers are designed to share, retain, index,

and analyse information … They are not designed to “forget”. Even “erasure” is not straightforward.

Page 17: From Law to Code: Translating Legal Principles into Digital Rules

Privacy: Gathering Insights from Lawyers and Technologists Maynooth University, July 1, 2015

Over to you …• Michael Lang1 & Rónán Kennedy2, NUI

Galway• 1. School of Business & Economics, NUI Galway

[email protected]

• 2. School of Law, NUI Galway [email protected]

17