Software and Ethics - Cyberspace Law and Policy Centre

Legal and ethical perspectives
on IT development
Legal Liability,
Litigation risk,
‘Professional’ standards,
and Ethics
David Vaile
Co-convenor, Cyberspace Law and Policy Community
UNSW Faculty of Law
http://www.cyberlawcentre.org/it_ethics_and_law/
Outline
Strange bedfellows: IT/software dev., law and ethics
• Legal system
• Liability, ‘professional’ ethics
• Software development – immature?
‘It’s the risk, stupid’
• IT project mgt. central issue: risk, should drive everything
• ‘Spiral’ iterative disposable prototype for resolving risks
• Non-tech risks: human, data, political, regulatory, unknown
• Early rather than after disaster.
• But personal info. is not disposable prototype: error!
• Examples

Software, Law and Ethics
Strange bedfellows
How the law is made, and how it works
Differing principles and standards
Risks in software development
Examples:
◦ Consumer protection
◦ Product liability
◦ Professional liability
◦ Anti-trust: abuse of monopoly
◦ Intellectual property: copyright, patents
◦ Spam
◦ Privacy, ‘Uberveillance’
Features of the legal system
Main divide: Criminal v. the rest (Civil, Admin, etc.)
• Criminal
◦ Launched by state, trial, conviction or acquittal. Crimes/offences
• Civil
◦ Sued by other party, damages, restitution. Contracts, roles
• Sources
◦ Statutes (‘Laws’, Acts of Parl.) set rules; Cases interpret them
◦ Jurisdiction: which laws and courts – Location? Control?
◦ Appeals to higher court
◦ Precedent is critical in cases: follow higher/past authority
◦ Contracts: Making stuff up
• Obligations: from Statutes and Contracts
• Everything is arguable (if you lose, $$ costs)
• ‘Ignorance is no defence’: I click therefore I am Bound
What shapes the law?
Ongoing struggle between interests
• Evidence-based policy, Parliamentary process
• Commercial reality
• Technical reality
• Public standards
• International effects (indirect)
• Clueless bozos on Facebook
• ‘Moral panics’?

Different standards/questions

• Liability:
◦ Against the law? Breach, offence, infringe…
• Litigation (or enforcement) risk:
◦ Will I get caught (and sued or prosecuted)?
◦ Auditing, evidence, logging, investigation
• ‘Professional’ standards
◦ Will my peers/industry reject me? Insurable?
• Ethics
◦ Will my children and friends reject me?
Getting away with one may not suffice...
What matters?
• Breaking the law?
• Getting caught?
• Losing your job?
• Losing your reputation?
• Or just building crap?

Liability
Enforcement
Professional
Ethics
Self respect
Professional Liability
Nature of profession?
• Membership of professional body
• Registration required to work?
• Self-regulation
• Insurance
• Peer attitudes
• Reputation
• True professions discipline rotten apples by expulsion, prevent working

Development risk factors
Risk-centred methodology
20% coding and engineering – ignore?
80% analysis, communication, revision
User-Centred Design & Risk Management
Neglected but critical
Early vs. late error discovery
‘User sovereignty’: it’s their lives, arms, data
Remote effects – consequences are not local
Unethical software giants pretending to be cool when they are just treating people as suckers?
When development mistakes blow up
‘Too soon old, too late smart’
??? Too late!
Delivery
Revision
Testing
Coding
Design
User requirements, analysis, communication
Feasibility and conception
Development quandaries

Most (75%?) big software projects FAIL on 4 Project Management variables:
◦ Cost/Risk, Time, Scope, Quality (for user)
Many break various standards, but...
• You could do it accidentally...
• ... or be asked/tempted to deliberately
• Your own position
• Your employer’s position
• The victim’s position

How to navigate IT risk
‘Spiral’ iterative disposable prototype model to resolving risk in high risk proj.?
• Including non-technical risks: human, data, political, regulatory, unknown
• User requirements key, feedback every stage
• Early discovery, before not after disaster
• Value & reward mistakes, deprecate denial
• But is Personal Info as disposable as code?
• ‘Extreme’: part of problem? Facebook/ G

‘Move Fast and Break Things’
(Zuckerberg’s naughty teenager model to exploit ‘dumb **cks’)
‘See what you can get away with’
• ‘See if you get caught’ / ‘Ask Forgiveness, Not Permission’
• ‘We haven’t been caught [yet]’
• Disposable prototyping, not Compliance
• What works for software does not work for personal or critical information
• Your secrets are not revocable, disposable
• Brutal ‘reality therapy’ from the law: Usmanov case: 6 months for FB GF photo

‘Ethical Hacking’
Essence of Cybercrime: ‘Unauthorised’
• Criminalisation of hacking, circumvention
• EH done with Good Intentions
• But uses methods of malware, crackers
• Morris Worm 1990s: Jail for bug exposé
• Personal Information Security is critical
• Yoof disbelieve contract & consequence?
• Drive it by transparent risk management
• The right answer may be: Don’t do it!

(See Road to Hell, paved with)
Ethical Hacking Example

Recent inquiry...
Plan for great ethical hack
• Potential cybercrime, reputation, professional, etc.
Solution: Get it out in the open to run the risk management paper prototype;
• If too dodgy to reveal, discuss: drop it!

Privacy
‘Right to be left alone’
• Defeat of Australia Card, Privacy Act 1988
• Limited rights of data subjects, few cases
• Restricts what technology can do
• Requires security
• Affects everyone
• But risk awareness is abysmal
• Facebook brain-washing re: over-sharing
• 2012 AGs Telecoms Data Retention plan

Privacy Hypothetical
See hypothetical example
Tort/ Negligence
Product liability
• Duty of Care, special relationship
• Act or omission
• Causation
• Foreseeability of harm
• Proximity

Consumer Protection
Based on consumer/vendor relation
• Assumes imbalance
• Statutory Warranties – fit purpose
• Contractual waiver?
• Misleading and deceptive conduct
• Unfair Contracts
• Can be Strict Liability – State Bank

Consumer protection hypothetical
See hypothetical example
Anti-trust: Abuse of Monopoly
Competition policy
• Monopoly
• Example: MS v DoJ re Netscape
• More recent: Google Books, Facebook Login
• Political involvement: companies seek help
• Practical significance

Anti-trust hypothetical
See hypothetical example
Intellectual Property
Purpose:
• Copyright Act: form, not substance
◦ No registration
◦ Digital Agenda
• Patents Act: the idea, not the form
• Circuit Designs
• Free Trade Agreement
• TPM, DRM, criminalisation

Copyright

• Copyright Act:
◦ Exclusive right to control exploitation
• No registration
• Actual text, code or implementation
• Licences with conditions and fees
• Technological Protection
◦ ‘Digital Rights Management’ tools
◦ DMCA and contracting away user rights
Copyright and Public Domain
Differences in Australia, US...
• Fierce battle: (C) maximalist v PD?
• ‘Public Domain’
• Open Source software: GPL, copyleft
• Open Content
◦ Creative Commons – US, global?
◦ Free for Education - Australian

Business models
Patents and software
Right to deny access
• Requires registration
• Expensive to fight
• Patentable material?
• E-business patents
◦ Amazon 1-Click web shopping cart
• Gene sequence patents
◦ Bioinformatics – human genome race
Current patent battles
Resistance to patentability of software
• EU Commission recommends, Parl. Rejects
• CSIRO v. US computer industry – wireless
• Linux?
• Why are software patents a danger?
◦ Locking up pure ideas? Mathematics? Stallman
◦ Not just open source
◦ Impossible to ascertain if infringing
◦ Patent Offices too lax and inexperienced? $$ motive
◦ Very expensive
◦ Only works if you have a huge portfolio
Spam
Spam Acts: Australia, USA, California
• Unsolicited commercial electronic message
• Single message
• Address harvesting
• Penalties
• Surveillance
• Workplace privacy bill NSW

Spam hypothetical
See hypothetical example
Questions?
Conclusion
David Vaile, Co-convener
Cyberspace Law and Policy Community
Faculty of Law, UNSW
http://www.cyberlawcentre.org/it_ethics_and_law/