Friday 17 January 2020

Part 2: Tech Ethics: The Law's The Floor


(Part 2 of the University of Hertfordshire Tech Ethics Course << Part 1 | Part 3 >>)

The 101 of ethical behaviour is: don't break the law. That might seem obvious; it's not sufficient, but it is necessary. The laws of each country codify a subset of its ethical rules, so if you're breaking them you're probably acting unethically too. The foundation of responsible tech development is therefore to obey the laws that apply to you.

In this post, we're going to cover some of the regulations you need to follow as a techie.

I'm not a lawyer and I'm not giving legal advice. I am commenting as a layman who has experienced most of these rules in my engineering career. If you need expert advice on any of this stuff, talk to an actual lawyer. You may have one in your firm, but if you don't, your insurer can often help.

Be Warned! I Haven't Covered Everything

Every country and sector has its own rules you need to stick to when building a new tech product or extending an existing one. That's a lot of laws. I couldn't list them even if I knew them all, which I don't (and I'm not in prison yet). The good news is, most of them will never apply to you. However, there are some that techies run across a lot and that you're likely to encounter too.

(Note: for every new project someone usually needs to do a bit of legal research: at least do some searching online and talk to veteran techies in that area).

1. Privacy, Transparency and Security (GDPR & Others)

Many countries have laws about digital privacy, but perhaps the most extensive is the European Union's General Data Protection Regulation (GDPR). It limits what a company or individual can do with the personal data of people in the EU (residents, not just citizens), and it applies to you wherever your company is based if you process that data. It also dictates how, and for how long, such data can be stored.

The US state of California has similar privacy rules (the California Consumer Privacy Act, CCPA), and there may also be regulations on specific industries or groups that apply to your application. One example is HIPAA, which covers health information held by US healthcare providers and insurers. Another is COPPA, the US rule on collecting data from children under 13.

As well as privacy, GDPR includes regulation around security. It requires "appropriate" technical and organisational measures for protecting personal data and explicitly names pseudonymisation and encryption as examples, so for sensitive personal data you should expect to encrypt it and to anonymise or pseudonymise it wherever you can. Again, other countries have their own rules; for example, the US government's FedRAMP programme sets the security baseline for cloud services used by federal agencies.

GDPR also imposes transparency requirements on uses of data, including a "right to explanation" for decisions made solely by automated processing, particularly where they have significant consequences for the individual, such as prison sentence recommendations or credit scores.

The transparency aspect of the GDPR is widely expected to cause legal wrangling in future because the reasoning of a deep neural network is hard to explain in terms a person can check. The UK government's current advice on handling this kind of decision-making is sensible:
  • give individuals information about the processing you do
  • introduce simple ways for them to request human intervention or challenge a decision
  • carry out regular checks to make sure that your systems are working as intended.

2. Patents, Trademarks, Copyright, & Licensing (IP Law)

IP law applies to everything that you didn't produce from scratch yourself. That might be code samples or libraries, written text, music, or images you downloaded from the internet.

Even if you did produce something yourself, you could break IP law by accidentally infringing a patent or trademark. Accidental infringement usually doesn't come with huge penalties but the IP owner could stop you using your materials from then on.

Whenever you use anything you didn't create from scratch yourself, you legally need to confirm your right to do so. That might mean licensing the patent or the copyright. A license tells you what you can and cannot do with the material, and trademark law restricts how you can use someone else's marks; you must comply with both. Even with a license you can't do anything you want: for example, you can't tell people you are the author if you aren't.

All open source code comes with a copyright license that tells you how you can use it. Some licenses, for example Apache 2, are permissive: you can use the code for almost any purpose as long as you keep the copyright notices and the license text with it. Others, e.g. the GPL, are copyleft and only let you legally use the code in certain ways; in particular, if you distribute software that incorporates GPL code you must release your own source under the GPL too.

Even if you did write all your code yourself, you still need to be careful not to deliberately infringe someone else's IP because the penalties for that can be steep. Avoid casually discussing patents or trade secrets with anyone outside your company so you don't learn things you shouldn't know and might put in future products. If a conversation like that starts, subtly excuse yourself ASAP.

3. Contracts 

Contracts are two-sided commitments that describe the work one company or individual does for another. Contracts ensure the buyer gets what they want and the supplier gets paid for it. They might be between an individual user and the company behind a website, for example, or between a contractor building a custom application and the company who hired them.

A contract is legally binding: if either side fails to do what it agreed, the other can go to court to enforce it or claim damages. Before they sign a contract, most companies make sure they have insurance to cover the cost of suing the other party for a breach, or of being sued, which can happen even if you did nothing wrong. This is called liability insurance.

4. Confidentiality

Engineers are frequently asked to keep secret what they are working on or what they learn through work.

Many contracts contain confidentiality clauses, or you might be asked to sign a non-disclosure agreement (NDA). Confidentiality clauses and NDAs are enforced the same way as any contract: through the courts. If you blab, you can be sued.

5. Duty of Care

Duty of care legislation applies to products that may do foreseeable harm, meaning physical or psychological harm rather than "pure economic loss". Because a bug in a pure software product usually causes only economic loss, duty of care hasn't generally been applied to software in the past. However, where software is incorporated into a physical device (a robot, an IoT gadget, a car) liability may apply because it could physically hurt someone.

6. Accessibility

Many countries have laws about access to websites for disabled users. If your site or product is inaccessible there is a risk of being sued, particularly if you have users in the United States. Some government bids require compliance with accessibility standards such as Section 508 in the US or the EU's web accessibility rules, both of which are based on the WCAG guidelines. Being accessible also helps with Google's search ranking.

7. Other Stuff to Comply With

Although GDPR, IP law, and contracts are probably the rules you'll encounter most often in the tech industry, they aren't the only ones.
- In every country there are regulations on tax (VAT or other sales taxes, customs duties etc.). Those rules affect how you price, record and report what your product sells.
- Your product might come under export laws, for example the US rules on exporting so-called dual-use technology: items with potential military as well as civilian uses. Some of those laws apply to fairly innocuous-seeming things such as publicly available TLS libraries, because strong cryptography is classed as dual-use. For cryptographic libraries in particular, double-check the export rules before shipping them in your products. Don't panic: even if you do use dual-use tech in your application, it normally just means some extra paperwork.
- There are sectors where the software itself is additionally regulated, for example finance products, which must implement strict anti-money laundering (AML) rules.

Cybercrime or the Computer Misuse Act

I've talked about rules that affect how you write products, but there are also ones about how you use them. The laws around computer misuse are fairly draconian. For example, in the UK gaining unauthorised access to a computer is a criminal offence under the Computer Misuse Act 1990, even if you do no harm, and carries a penalty of up to 2 years in prison! The practical consequence for security work is that you need explicit written authorisation, with an agreed scope, before you probe or test a system you don't own.

Other forms of cybercrime include online trolling, bullying and stalking, which are quite common. You may spot them being committed using your company's computer equipment. It's often an inside job, by a current employee or someone who's leaving, so you might have to act to stop or report it.

Laws to Come?

The EU has plans to add new laws around AI and public surveillance, which will probably appear over the next few years. Or then again, perhaps not.

There are a Lot of Laws

You always need to do some reading around and checking in your field. What's legal and what's not changes all the time and it's not necessarily obvious. Research is your friend!

In the next post, we'll look at why complying with the law is not always enough - it's just the minimum.

<< Read Part 1 | Read Part 3 >>

About the Author

Anne Currie is a tech greybeard (ahem) who has been in the sector as an engineer, writer and speaker for 25 years. She runs and helps organise conferences in hard tech and in ethics, is a visiting lecturer at the University of Hertfordshire and, most importantly of all, is the author of the dystopian, hard scifi Panopticon series (Amazon US, Amazon UK). Contact her on Twitter @anne_e_currie or at www.annecurrie.com


Photo by King's Church International on Unsplash


