On the Intersection of Software and Regulation
Software has been the most magical ingredient in economic terms and clearly the biggest “economic revolution” to have taken place in history, yet has also been largely unregulated.
A twitter thread from March 21, 2018.
What is going on with Facebook and privacy is very challenging for not just FB but many — consumers most of all (more than FB), but of also makers, regulators, marketers, and those relying on platforms. This is not unsolvable. But status quo won’t work…
Software has been the most magical ingredient in economic terms and clearly the biggest “economic revolution” to have taken place in history. Compared to the industrial revolution there has been one key difference…
The industrial revolution was very dangerous, physically. As it progressed it created a world of regulations for safety, employment, and then for products and then using products. What would factories or cars and driving be like without those regulations?
Of course many resisted — many in government and most in the private sector. Activists from unions to engineering socieities to consumer advocacy contributed to changing social norms.
Even though many disagreed, 1965 book “Unsafe At Any Speed” by Ralph Nader had a profound impact on the public view of cars, driving, safety. You can trace many developments in both product and accountability to this work, which was very controversial.
Fast forward from my birth year to my first year as a professional engineer and my very first assignment was to learn about computer viruses. These were “low tech” viruses that spread by infected floppy disc. But the ability to abuse “INT 27h” (gik) was well known.
It would be more than 10 years of viruses and malware and the rise of the internet before there would be action from the platform to address this.
At the time this was a crazy disaster for Microsoft and yet we remained “stumped” because people were “just using the platform the way we designed it”. Lots of huddles. Lots of consternation. The result was “Trustworthy Computing”.
In this memo that Bill Gates sent to the company (and world) he put forth a bold step which would essentially be an “upending” of priorities for Microsoft. The company would now prioritize security and privacy ABOVE doing new features for customers (including developers).
Here is the key excerpt “So now, when we face a choice between adding features and resolving security issues, we need to choose security…If we discover a risk that a feature could compromise someone’s privacy, that problem gets solved first.”
So everyone gets the history, this was a big deal. There were tons of regulatory hearings around the world and a lot of “blame” and “lack of accountability” to go around.
In the end, the industry seems to have self-regulated and markets worked as seen from the results in the rise of new post-PC computing platforms that are more secure and private. But things are evolving differently in social networks and large databases. History only rhymes.
One of the more interesting aspects of software as an economic revolution was how it has escaped the “unsafe at any speed” moment. But as a professional “engineer” I always found that puzzling to some degree, as much as s/w benefited.
Going back to the 90s a bigger crisis loomed for software and that was “quality” and “reliability” but these never rose to a broad public debate or anger. In fact software sort of basically was viewed as “buggy”, “late”, and generally sloppy.
My biggest concern regarding quality as we were building Office was that sometime down the road we would be held to the same standards for quality that *our* customers in Detroit, Seattle, Frankfurt, Houston, Dallas and other engineering products would be held to.
I even wrote a memo, “Unsafe At Any Megahertz” outlining the ways that “Software Engineering” was not living up to “Engineering” the way that electrical, mechanical, civil do. No licensing, no apprenticeship, inspectors, standards, and more. Why?
I don’t know why. But I do know that the industry has done a phenomenal job of self-regulation. By and large quality has been on a constant march of improvement and projects are rarely “vaporware” any more or less than say construction. Yes I’m generalizing.
But along comes “data”…“breaches” (FB not a breach) and things seem different to me. In particular, damage is great and remediation mostly impossible — “identity theft” is almost benign expression for “our software engineering and processes failed” assigning away accountability.
The core challenge is privacy lacks “engineering” yet more importantly privacy/data already have an existing body of ad hoc regulations. Software flew “under the radar” because there were no regulations for makers just for their customers (just a tool used in process of making).
Today’s challenge is that there is a global patchwork of historic regulations around privacy that are impossible to navigate — imagine trying to build the exact same building in every major city of the world and meet code everywhere. Seems crazy complex.
If you look at airplanes or cars, the regulators in each place a) existed and b) worked together to develop agreements, reciprocity, and an understanding of the state of the art, standards, and how accountability should work.
That is what is missing today. That is what I would hope the large “collectors” of data would stand up and call for. I believe we are beyond the point of self-regulation only because we are already half-regulated. But hold on…don’t panic I know what I’m saying…
Regulation can be burdensome, awful, and even stifle innovation, create dysfunctional markets, advantage weak players, etc. The rule of regulation is unintended side effects. But also, planes almost never crash, electrical fires are rare, and buildings hardly fall.
With the advent of Europe’s GDPR it is clear that the state of no regulation is not going to happen with privacy and data as it relates to software. The worst case would be for the US to embark on both national and statewide regulation (and litigation) in dozens of silos.
Look past negatives, regulators are great at collaborating, working through jurisdiction, driving standards, and creating public dialog on good approaches. How can this time and place and challenge serve to create this alignment between regulation and industry? Discuss…
One aspect that was important about the “Trustworthy Computing” memo was that even though we knew there was much work to do around the ecosystem, we focused this communication on what we would be doing differently going forward.
