Software and Ethics - Cyberspace Law and Policy Community
Legal and ethical perspectives on IT development
Legal Liability, Litigation risk, ‘Professional’ standards, and Ethics
David Vaile
Co-convenor, Cyberspace Law and Policy Community
UNSW Faculty of Law
http://www.cyberlawcentre.org/seng4921/
Outline
Strange bedfellows: IT, Law & ethics
Legal system
Liability, ‘professional’ ethics
Software development – immature?
‘It’s the risk, stupid’
IT project mgt central issue: risk, should drive everything
‘Spiral’ iterative disposable prototype for resolving risks
Non-tech risks: human, data, political, regulatory, unknown
Early rather than after disaster.
Examples
Software, Law and Ethics
Strange bedfellows
How the law is made, and how it works
Differing principles and standards
Risks in software development
Examples:
◦ Consumer protection
◦ Product liability
◦ Professional liability
◦ Anti-trust: abuse of monopoly
◦ Intellectual property: copyright, patents
◦ Spam
◦ Privacy, Uberveillance
Features of the legal system
Main divide: Criminal v. the rest (Civil, Admin, etc.)
Criminal
◦ Launched by state, trial, conviction or acquittal. Crimes/offences
Civil
◦ Sued by other party, damages, restitution. Contracts, roles
Sources
◦ Statutes (‘Laws’) set rules, cases interpret them
◦ Jurisdiction: which laws and courts
◦ Appeals to higher court
◦ Precedent is critical in cases: follow higher/past authority
◦ Contracts: making stuff up
Obligations: from Statutes and Contracts
Everything is arguable (if you lose, $$ costs)
‘Ignorance is no defence’: I click therefore I am bound
What shapes the law?
Ongoing struggle between interests
Evidence-based policy,
Parliamentary process
Commercial reality
Technical reality
Public standards
International effects (indirect)
Clueless bozos on Facebook
‘Moral panics’?
Different standards/questions
Liability:
◦ Against the law? Breach, offence, infringe…
Litigation (or enforcement) risk:
◦ Will I get caught? (and sued or prosecuted)?
◦ Auditing, evidence, logging, investigation
‘Professional’ standards
◦ Will my peers/industry reject me? Insurable?
Ethics
◦ Will my children and friends reject me?
Getting away with one may not suffice...
What matters?
Breaking the law?
Getting caught?
Losing your job?
Losing your reputation?
Or just building crap?
Liability
Enforcement
Professional
Ethics
Self respect
Professional Liability
Nature of profession?
Membership of professional body
Registration required to work?
Self-regulation
Insurance
Peer attitudes
Reputation
True professions discipline rotten apples by expulsion, preventing them from working
Development risk factors
Risk-centred methodology
20% coding and engineering – ignore?
80% analysis, communication, revision
User-Centred Design & Risk Management
Neglected but critical
Early vs. late error discovery
‘User sovereignty’: it’s their lives, arms, data
Remote effects – consequences are not local
Unethical software giants pretending to be cool when they are just treating people as suckers?
When development mistakes blow up
‘Too soon old, too late smart’
??? Too late!
Delivery
Revision
Testing
Coding
Design
User requirements, analysis, communication
Feasibility and conception
Development quandaries
Most big software projects fail on the 4 Project Management variables:
◦ Cost/risk, Time, Scope, Quality (for user)
Many break various standards, but...
You could do it accidentally...
Or be asked/tempted to deliberately
Your own position
Your employer’s position
The victim’s position
How to navigate IT risk
‘Spiral’ iterative disposable prototype approach to resolving risks
Inc. non-technical risks: human, data, political, regulatory, unknown
User requirements central, get feedback at every stage
Early discovery, rather than after disaster
Value and reward mistakes, deprecate denial
But... part of the problem? Facebook, G
‘Move Fast and Break Things’
(Zuckerberg’s naughty teenager model to exploit ‘dumb **cks’)
‘See what you can get away with’
‘See if you get caught’ / Ask forgiveness, not permission
‘We haven’t been caught [yet]’
Disposable prototyping, not Compliance
What works for software does not work for personal or critical information
Your secrets are not revocable or disposable
Brutal ‘reality therapy’ from the law:
Usmanov case: 6 months for FB GF photo
‘Ethical Hacking’
Essence of Cybercrime: ‘Unauthorised’
Criminalisation of hacking, circumvention
EH done with good intentions
But uses the methods of malware and crackers
Morris Worm 1990s: Jail for bug exposé
Personal Information Security is critical
Yoof disbelieve contract & consequence?
Drive it by transparent risk management
The right answer may be: Don’t do it!
(See Road to Hell, paved with)
Ethical Hacking Example
Recent inquiry...
Plan for great ethical hack
Potential cybercrime, reputation, professional, etc.
Solution: Get it out in the open to run the risk management paper prototype;
If too dodgy to reveal, discuss: drop it!
Privacy
‘Right to be left alone’
Defeat of Australia Card, Privacy Act 1988
Limited rights of data subjects, few cases
Restricts what technology can do
Requires security
Affects everyone
But risk awareness is abysmal
Facebook brain-washing re: over-sharing
2012 AGs Telecoms Data Retention plan
Privacy Hypothetical
See hypothetical example
Tort/ Negligence
Product liability
Duty of Care, special relationship
Act or omission
Causation
Foreseeability of harm
Proximity
Consumer Protection
Based on consumer/vendor relation
Assumes imbalance
Statutory Warranties – fit purpose
Contractual waiver?
Misleading and deceptive conduct
Unfair Contracts
Can be Strict Liability – State Bank
Consumer protection hypothetical
See hypothetical example
Anti-trust: Abuse of Monopoly
Competition policy
Monopoly
Example: MS v DoJ re Netscape
More recent: Google Books, Facebook Login
Political involvement: companies seek help
Practical significance
Anti-trust hypothetical
See hypothetical example
Intellectual Property
Purpose:
Copyright Act: form, not substance
◦ No registration
◦ Digital Agenda
Patents Act: the idea, not the form
Circuit Designs
Free Trade Agreement
TPM, DRM, criminalisation
Copyright
Copyright Act:
◦ Exclusive right to control exploitation
No registration
Actual text, code or implementation
Licences with conditions and fees
Technological Protection
◦ ‘Digital Rights Management’ tools
◦ DMCA and contracting away user rights
Copyright and Public Domain
Differences in Australia, US...
Fierce battle: (C) maximalist v PD?
‘Public Domain’
Open Source software: GPL, copyleft
Open Content
◦ Creative Commons – US, global?
◦ Free for Education - Australian
Business models
Patents and software
Right to deny access
Requires registration
Expensive to fight
Patentable material?
E-business patents
◦ Amazon 1-Click web shopping cart
Gene sequence patents
◦ Bioinformatics – human genome race
Current patent battles
Resistance to patentability of software
EU Commission recommends, Parliament rejects
CSIRO v. US computer industry – wireless
Linux?
Why are software patents a danger?
◦ Locking up pure ideas? Mathematics? Stallman
◦ Not just open source
◦ Impossible to ascertain if infringing
◦ Patent Offices too lax and inexperienced? $$ motive
◦ Very expensive
◦ Only works if you have a huge portfolio
Spam
Spam Acts: Australia, USA, California
Unsolicited commercial electronic message
Single message
Address harvesting
Penalties
Surveillance
Workplace privacy bill NSW
Spam hypothetical
See hypothetical example
Questions?
Conclusion
David Vaile
Executive Director
Cyberspace Law and Policy Centre
Faculty of Law, University of NSW
http://www.cyberlawcentre.org/