From Law to Code:Translating Legal Principles into Digital Rules

Michael Lang and Rónán KennedyNational University of Ireland, Galway

michael.lang@nuigalway.ie ronan.m.kennedy@nuigalway.ie

Image: Karl-Ludwig Poggemann, https://www.flickr.com/photos/hinkelstone/

Privacy: Gathering Insights from Lawyers and Technologists Maynooth University, July 1, 2015

Overview• Public perceptions of the ‘Right to be

Forgotten’• Implementation challenges• Privacy in security policy implementation• Privacy in requirements analysis and design

2

Privacy: Gathering Insights from Lawyers and Technologists Maynooth University, July 1, 2015

Public Perceptions of the ‘Right to be Forgotten’

• Survey conducted by Clare Doherty & Michael Lang (NUIG), Autumn 2013 Objective: obtain a sense of how people feel

about the proposed right to be forgotten and how it might be implemented

• Respondent profile 260 respondents Ranged in age from 17 to 61, mean of 29 years 14 different counties (Ireland 82%, Others 18%) Employed persons 74%, Students 17%, Others 9%

3

Privacy: Gathering Insights from Lawyers and Technologists Maynooth University, July 1, 2015

Do you know what your privacy rights are?

Privacy: Gathering Insights from Lawyers and Technologists Maynooth University, July 1, 2015

Are existing controls effective against on-line reputational damage?

Privacy: Gathering Insights from Lawyers and Technologists Maynooth University, July 1, 2015

Are you in favour of “right to be forgotten” becoming law?

Privacy: Gathering Insights from Lawyers and Technologists Maynooth University, July 1, 2015

What type of information should you have right to erase?

Privacy: Gathering Insights from Lawyers and Technologists Maynooth University, July 1, 2015

Implementation Challenges

• Legal rules:• Flexible, deliberately unclear, contested,

malleable• Digital:

• Rigid, clearly defined in advance, strictly operationalised, difficult to change

8

Privacy: Gathering Insights from Lawyers and Technologists Maynooth University, July 1, 2015

ICT and Legal ProcessesLegal processes neither simple nor linearNot easily modelled by logic or expert systemsRisk of destructive feedback cycleICT as embedded and entrenched infrastructure

9

Privacy: Gathering Insights from Lawyers and Technologists Maynooth University, July 1, 2015

Translating Legal Principles into Digital Rules

Dangers of digital decision-making Closed, inflexible, unaccountable systems Containing assumptions, biases, mistakes

Formalising practices and knowledge is difficult

Need to ‘Get It Right First Time’

10

Privacy: Gathering Insights from Lawyers and Technologists Maynooth University, July 1, 2015

“Privacy” in IS Security Risk Management

• Information systems risk management strategies are based on rational process:

What is likelihood of something going wrong? What is the severity: loss of life? loss of

money? loss of reputation? Cost-benefit analysis

• So, … do organisations really care about safeguarding privacy? Or is it worth taking a risk?

11

Privacy: Gathering Insights from Lawyers and Technologists Maynooth University, July 1, 2015

Information Systems Development:

The Importance of “Clear” Requirements• ISD Project Management: time / cost / quality challenge

(“software crisis” conundrum)

• “In nearly every software project that fails to meet performance and cost goals, requirements inadequacies play a major and expensive role in project failure” (Alford & Lawson, 1979)

• “The hardest single part of building a software system is deciding precisely what to build. No other part of the conceptual work is as difficult as establishing the detailed technical requirements ... No other part of the work so cripples the resulting system if done wrong.” (Brooks, 1987)

12

Privacy: Gathering Insights from Lawyers and Technologists Maynooth University, July 1, 2015 13

Getting the Requirements “Right”

Privacy: Gathering Insights from Lawyers and Technologists Maynooth University, July 1, 2015

Getting the Requirements Right:What Does “Privacy” Mean ?

14

Privacy: Gathering Insights from Lawyers and Technologists Maynooth University, July 1, 2015

Privacy as a “Requirement”

• Information systems developers don’t deal with laws, principles, rights, etc.

• They deal with “requirements”: clear, complete, consistent specifications of the behaviour of a system

Requirements definition: procedural logic, data attributes

Requirements prioritisation: feasibility, cost, “must have” versus “nice-to-have”

15

Privacy: Gathering Insights from Lawyers and Technologists Maynooth University, July 1, 2015

“Privacy by Design”• Privacy by Design: vague set of principles

No methodological guidance: how do systems developers build privacy into design process?

• Privacy by Re-Design: retro-fitting existing systems Very expensive Computers are designed to share, retain, index,

and analyse information … They are not designed to “forget”. Even “erasure” is not straightforward.

Privacy: Gathering Insights from Lawyers and Technologists Maynooth University, July 1, 2015

Over to you …• Michael Lang1 & Rónán Kennedy2, NUI

Galway• 1. School of Business & Economics, NUI Galway

Michael.Lang@nuigalway.ie

• 2. School of Law, NUI Galway Ronan.M.Kennedy@nuigalway.ie

17