Lachlan Urquhart

Playing the Legal Card: Using Ideation Cards to Raise Data Protection Issues within the Design Process

The regulatory climate is in a process of change. Design, having been implicated for some time, is now explicitly linked to law. This paper recognises the heightened role of designers in the regulation of ambient interactive technologies. Taking account of incumbent legal requirements is difficult. Legal rules are convoluted, uncertain, and not geared towards operationalisable heuristics or development guidelines for system designers. Privacy and data protection are a particular moral, social and legal concern for technologies. This paper seeks to understand how to make emerging European data protection regulation more accessible to our community. Our approach develops and tests a series of data protection ideation cards with teams of designers. We find that, whilst wishing to protect users, regulation is viewed as a compliance issue. Subsequently we argue for the use of instruments, such as our cards, as a means to engage designers in leading a human-centered approach to regulation.

New directions in information technology law: learning from human–computer interaction

ABSTRACT Effectively regulating the domestic Internet of Things (IoT) requires a turn to technology design. However, the role of designers as regulators still needs to be situated. By drawing on a specific domain of technology design, human–computer interaction (HCI), we unpack what an HCI-led approach can offer IT law. By reframing the three prominent design concepts of provenance, affordances and trajectories, we offer new perspectives on the regulatory challenges of the domestic IoT. Our HCI concepts orientate us towards the social context of technology. We argue that novel regulatory strategies can emerge through a better understanding of the relationships and interactions between designers, end users and technology. Accordingly, closer future alignment of IT law and HCI approaches is necessary for effective regulation of emerging technologies.

Building accountability into the Internet of Things: the IoT Databox model

This paper outlines the IoT Databox model as a means of making the Internet of Things (IoT) accountable to individuals. Accountability is a key to building consumer trust and is mandated by the European Union’s general data protection regulation (GDPR). We focus here on the ‘external’ data subject accountability requirement specified by GDPR and how meeting this requirement turns on surfacing the invisible actions and interactions of connected devices and the social arrangements in which they are embedded. The IoT Databox model is proposed as an in principle means of enabling accountability and providing individuals with the mechanisms needed to build trust into the IoT.

Avoiding the internet of insecure industrial things

Security incidents such as targeted distributed denial of service (DDoS) attacks on power grids and hacking of factory industrial control systems (ICS) are on the increase. This paper unpacks where emerging security risks lie for the industrial internet of things, drawing on both technical and regulatory perspectives. Legal changes are being ushered by the European Union (EU) Network and Information Security (NIS) Directive 2016 and the General Data Protection Regulation 2016 (GDPR) (both to be enforced from May 2018). We use the case study of the emergent smart energy supply chain to frame, scope out and consolidate the breadth of security concerns at play, and the regulatory responses. We argue the industrial IoT brings four security concerns to the fore, namely: appreciating the shift from offline to online infrastructure; managing temporal dimensions of security; addressing the implementation gap for best practice; and engaging with infrastructural complexity. Our goal is to surface risks and foster dialogue to avoid the emergence of an Internet of Insecure Industrial Things

Bridging the gap between law & HCI: designing effective regulation of human autonomy in everyday ubicomp systems

Ubicomp technologies pose challenges to human agency, and legal rights reliant on individual autonomy, for example informed consent to data processing. Existing regulatory measures designed to address these issues are working less adequately, and increased dialogue between design and law communities is necessary to decide how best to ensure effective regulation of human autonomy. This thesis seeks to understand the various regulatory issues posed by ubicomp technologies, through specific case studies, with the overall aim of creating legal and technological solutions that work in practice.

Realising the right to data portability for the domestic Internet of things

There is an increasing role for the IT design community to play in regulation of emerging IT. Article 25 of the EU General Data Protection Regulation (GDPR) 2016 puts this on a strict legal basis by establishing the need for information privacy by design and default (PbD) for personal data-driven technologies. Against this backdrop, we examine legal, commercial and technical perspectives around the newly created legal right to data portability (RTDP) in GDPR. We are motivated by a pressing need to address regulatory challenges stemming from the Internet of Things (IoT). We need to find channels to support the protection of these new legal rights for users in practice. In Part I we introduce the internet of things and information PbD in more detail. We briefly consider regulatory challenges posed by the IoT and the nature and practical challenges surrounding the regulatory response of information privacy by design. In Part II, we look in depth at the legal nature of the RTDP, determining what it requires from IT designers in practice but also limitations on the right and how it relates to IoT. In Part III we focus on technical approaches that can support the realisation of the right. We consider the state of the art in data management architectures, tools and platforms that can provide portability, increased transparency and user control over the data flows. In Part IV, we bring our perspectives together to reflect on the technical, legal and business barriers and opportunities that will shape the implementation of the RTDP in practice, and how the relationships may shape emerging IoT innovation and business models. We finish with brief conclusions about the future for the RTDP and PbD in the IoT.

White noise from the white goods?: conceptual & empirical perspectives on ambient domestic computing

Within this chapter we consider the emergence of ambient domestic computing systems, both conceptually and empirically. We critically assess visions of post-desktop computing, paying particular attention to one contemporary trend: the internet of things (IoT). We examine the contested nature of this term, looking at the historical trajectory of similar technologies, and the regulatory issues they can pose, particularly in the home. We also look to the emerging regulatory solution of privacy by design, unpacking practical challenges it faces. The novelty of our contribution stems from a turn to practice through a set of empirical perspectives. We present findings that document the practical experiences and viewpoints of 13 leading experts in technology law and design.

A Legal Turn in Human Computer Interaction? Towards ‘Regulation by Design’ for the Internet of Things

This discursive paper explores the role of law in HCI through the concept of ‘regulation by design’. Technology designers are increasingly being called upon by law and policy to act in a regulatory capacity, for example in ‘privacy by design’. This is problematic as technology designers are not traditionally involved in regulation and regulators may not fully appreciate what these designers do. We argue that to practically and conceptually achieve ‘regulation by design’ requires greater understanding of and interaction between the regulation and design communities. This paper consolidates and assimilates work from the fields of human-computer interaction and technology regulation. It is framed within the context of privacy by design and the Internet of Things. It lays out theoretical tools and conceptual frameworks available to each community and explores barriers and commonalities between them, proposing a route forward. It contends five main points: 1) regulation by design involves prospective, as opposed to just retrospective, application of law; 2) HCI methods need to be repurposed to engage with legal and regulatory aspects of a system; 3) the legal framing of regulation and design is still anchored in systems theory but human computer interaction has a range of rich approaches for understanding the social, and ‘regulation by design’ needs to use these; 4) designers are now regulators and this brings a range of responsibilities; and lastly, 5) design and human values perspectives in HCI need to be extended to legal values and participatory design is a strong candidate for doing this.Please get in touch with thoughts and feedback. Email address in paper.

Privacy in Public Spaces: What Expectations of Privacy Do We Have in Social Media Intelligence?

In this paper we give an introduction to the transition in contemporary surveillance from top down traditional police surveillance to profiling and “pre-crime” methods. We then review in more detail the rise of open source (OSINT) and social media (SOCMINT) intelligence and its use by law enforcement and security authorities. Following this we consider what if any privacy protection is currently given in UK law to SOCMINT. Given the largely negative response to the above question, we analyse what reasonable expectations of privacy there may be for users of public social media, with reference to existing case law on art 8 of the ECHR. Two factors are in particular argued to be supportive of a reasonable expectation of privacy in open public social media communications: first, the failure of many social network users to perceive the environment where they communicate as “public”; and secondly, the impact of search engines (and other automated analytics) on traditional conceptions of structured dossiers as most problematic for state surveillance. Lastly, we conclude that existing law does not provide adequate protection for open SOCMINT and that this will be increasingly significant as more and more personal data is disclosed and collected in public without well-defined expectations of privacy.

Interdisciplinary Reflections on Games and Human Values

We explore the interaction between digital games and human values. HCI as a field is increasingly focused on the importance of engaging with broader discussions around human values. Games are an ideal medium for reflecting on social, ethical and political questions. Accordingly, we propose a multidisciplinary workshop to discuss existing work, consider the future and bring together a range of different epistemological perspectives.