1. Legal and ethical perspectives on IT development Legal Liability, Litigation risk, ‘Professional’ standards, and Ethics David Vaile Co-convenor, Cyberspace Law and Policy Community UNSW Faculty of Law http://www.cyberlawcentre.org/http://www.cyberlawcentre.org/seng4921/

2. Outline Strange bedfellows: IT, Law & ethics Legal system Liability, ‘professional’ ethics Software development – immature? ‘It’s the risk, stupid’ IT project mgt central issue: risk, should drive everything ‘Spiral’ iterative disposable prototype for resolving risks Non-tech risks: human, data, political, regulatory, unknown Early rather than after disaster. Examples

3. Software, Law and Ethics Strange bedfellows How the law is made, and how it works Differing principles and standards Risks in software development Examples: ◦ Consumer protection ◦ Product liability ◦ Professional liability ◦ Anti-trust: abuse of monopoly ◦ Intellectual property: copyright, patents ◦ Spam ◦ Privacy, Uberveillance

5. Features of the legal system Main divide: Criminal v. the rest (Civil, Admin, etc.) Criminal ◦ Launched by state, trial, conviction or acquittal. Crimes/offences Civil ◦ Sued by other party, damages, restitution. Contracts, roles Sources ◦ Statutes ('Laws") set rules, Cases interpret them ◦ Jurisidiction: which laws and courts ◦ Appeals to higher court ◦ Precedent is critical in cases: follow higher/past authority ◦ Contracts: Making stuff up Obligations: from Statutes and Contracts Everything is arguable (if you lose, $$ costs) ‘Ignorance is no defence’: I click therefore I am Bound

6. What shapes the law? Ongoing struggle between interests Evidence-based policy, Parliamentary process Commercial reality Technical reality Public standards International effects (indirect) Clueless bozos on Facebook ‘Moral panics’?

7. Different standards/questions Liability: ◦ Against the law? Breach, offence, infringe… Litigation (or enforcement) risk: ◦ Will I get caught? (and sued or prosecuted)? ◦ Auditing, evidence, logging, investigation ‘Professional’ standards ◦ Will my peers/industry reject me? Insurable? Ethics ◦ Will my children and friends reject me? Getting away with one may not suffice...

9. What matters? Breaking the law? Liability Getting caught? Enforcement Losing your job? Professional Losing your reputation?Ethics Or just building crap?Self respect

10. Professional Liability Nature of profession? Membership of professional body Registration required to work? Self-regulation Insurance Peer attitudes Reputation True professions discipline rotten apples by expulsion, prevent working

12. Development risk factors Risk-centred methodology 20% coding and engineering – ignore? 80% analysis, communication, revision User-Centred Design & Risk Management Neglected but critical Early vs. late error discovery ‘User sovereignty’: it’s their lives, arms, data Remote effects – consequences are not local Unethical software giants pretending to be cool when they are just treating people as suckers?

13. When development mistakes blow up ‘Too soon old, too late smart’ Coding Feasibility and conception User requirements, analysis, communication Design Testing Revision Delivery ??? Too late!

14. Development quandaries Most big software projects fail on the 4 Proj Management variables: ◦ Cost/risk, Time, Scope, Quality (for user) Many break various standards, but... You could do it accidentally... Or be asked/tempted to deliberately Your own position Your employer’s position The victim’s position

15. How to navigate IT risk ‘Spiral’ iterative disposable prototype approach to resolving risks Inc. non-technical risks: human, data, political, regulatory, unknown User requirements central, get feedback at every stage Early discovery, rather than after disaster Value & reward mistakes, deprecate denial But... part of the problem? Facebook, G

16. ‘Move Fast and Break Things’ (Zuckerberg’s naughty teenager model to exploit ‘dumb **cks’) ‘See what you can get away with’ ‘See if you get caught’/ Ask Forgiveness not permission ‘We haven’t been caught [yet]’ Disposable prototyping, not Compliance What works for software does not work for personal or critical information Your secrets are not revocable, disposable Brutal ‘reality therapy’ from the law: Usmanov case: 6 months for FB GF photo

18. ‘Ethical Hacking’ Essence of Cybercrime: ‘Unauthorised’ Criminalisation of hacking, circumvention EH done w Good Intentions (See Road to Hell, paved with) But uses methods of malware, crackers Morris Worm 1990s: Jail for bug exposé Personal Information Security is critical Yoof disbelieve contract & consequence? Drive it by transparent risk management The right answer may be: Don’t do it!

19. Ethical Hacking Example Recent inquiry... Plan for great ethical hack Potential cybercrime, reputation, professional, etc. Solution: Get it out in the open to run the risk management paper prototype; If too dodgy to reveal, discuss: drop it!

21. Privacy ‘Right to be left alone’ Defeat of Australia Card, Privacy Act 1988 Limited rights of data subjects, few cases Restricts what technology can do Requires security Affects everyone But risk awareness is abysmal Facebook brain-washing re: over-sharing 2012 AGs Telecoms Data Retention plan

22. Privacy Hypothetical See hypothetical exampleexample

23. Tort/ Negligence Product liability Duty of Care, special relationship Act or omission Causation Forseeability of harm Proximity

24. Consumer Protection Based on consumer/vendor relation Assumes imbalance Statutory Warranties – fit purpose Contractual waiver? Misleading and deceptive conduct Unfair Contracts Can be Strict Liability – State Bank

25. Consumer protection hypothetical See hypothetical exampleexample

26. Anti-trust: Abuse of Monopoly Competition policy Monopoly Example: MS v DoJ re Netscape More recent: Google Books, Facebook Login Political involvement: companies seek help Practical significance

27. Anti-trust hypothetical See hypothetical exampleexample

28. Intellectual Property Purpose: Copyright Act: form, not substance ◦ No registration ◦ Digital Agenda Patents Act: the idea, not the form Circuit Designs Free Trade Agreement TPM, DRM, criminalisation

29. Copyright Copyright Act: ◦ Exclusive right to control exploitation No registration Actual text, code or implementation Licences with conditions and fees Technological Protection ◦ ‘Digital Rights Management’ tools ◦ DMCA and contracting away user rights

30. Copyright and Public Domain Differences in Australia, US... Fierce battle: (C) maximalist v PD? ‘Public Domain’ Open Source software: GPL, copyleft Open Content ◦ Creative Commons – US, global? ◦ Free for Education - Australian Business models

31. Patents and software Patents and software Right to deny access Requires registration Expensive to fight Patentable material? E-business patents ◦ Amazon 1-Click web shopping cart Gene sequence patents ◦ Bioinformatics – human genome race

32. Current patent battles Resistance to patentability of software EU Commission recommends, Parl. Rejects CSIRO v. US computer industry – wireless Linux? Why are software patents a danger? ◦ Locking up pure ideas? Mathematics? Stallman ◦ Not just open source ◦ Impossible to ascertain if infringing ◦ Patent Offices too lax and inexperienced? $$ motive ◦ Very expensive ◦ Only works if you have a huge portfolio

33. Spam Spam Acts: Australia, USA, California Unsolicited commercial electronic message Single message Address harvesting Penalties Surveillance Workplace privacy bill NSW

34. Spam hypothetical See hypothetical exampleexample

35. Questions?

36. Conclusion David Vaile Executive Director Cyberspace Law and Policy Centre Faculty of Law, University of NSW http://www.cyberlawcentre.org/