September 24, 2015

Reasons to Study Regulatory Compliance


Since I began work here at UMBC, I’ve been asked several times why a technically-oriented person should study regulatory compliance. Most people understand that it’s important, but can’t point to many specific examples of this. I thought I would highlight three recent events that demonstrate both the importance of regulation and why technologists should care.

The Right to Be Forgotten

France’s data protection authority, the CNIL, has told Google that it must remove search results globally, not just on its French and European sites, to be in compliance with the EU’s Right to Be Forgotten. Here’s Google’s response as reported by Ars Technica:

As you’ve probably gathered, Google disagrees with CNIL’s stance. In a July blog post regarding the case, the company’s global privacy chief, Peter Fleischer, wrote: “If the CNIL’s proposed approach were to be embraced as the standard for Internet regulation, we would find ourselves in a race to the bottom. In the end, the Internet would only be as free as the world’s least free place. We believe that no one country should have the authority to control what content someone in a second country can access.”

Clearly, this is an important development. I also find it historically interesting because France was also a major player in early regulation of the Internet. As told in the first chapter of Jack Goldsmith and Tim Wu’s book “Who Controls the Internet?”, a French court ruled against Yahoo! fifteen years ago on the question of whether Yahoo! was required to comply with French law regarding the sale of Nazi-related items. Yahoo!’s argument was, “Hey, this is the Internet. It’s global, so setting up regional differences would be both technically expensive and ultimately fruitless.” France’s argument was, “If you want to do business in France, you need to redirect visitors from France to a version of your site that complies with French law.” France won that case on that argument. Now the French regulator seems to have come around to Yahoo!’s position that regional segmentation is fruitless, but it still wants compliance with French (or really EU) law, which is why it is asking for global removal rather than removal on the French site alone.

Volkswagen and Emissions

Modern cars are basically a small network of computers. Here’s a summary from the New York Times:

The electronic systems in modern cars and trucks — under new scrutiny as regulators continue to raise concerns about Toyota vehicles — are packed with up to 100 million lines of computer code, more than in some jet fighters.

“It would be easy to say the modern car is a computer on wheels, but it’s more like 30 or more computers on wheels,” said Bruce Emaus, the chairman of SAE International’s embedded software standards committee.

Even basic vehicles have at least 30 of these microprocessor-controlled devices, known as electronic control units, and some luxury cars have as many as 100.

Oh yeah, and that piece was written over five years ago. Now we have companies like Tesla, and perhaps even Apple, getting into the automotive business.

But the regulatory compliance news here has been all about Volkswagen building software that detected whether a car was undergoing an emissions test and enabled the full emissions controls only then, so that the exhaust was far cleaner during the test than it was in typical road use.

What sort of failure is this? I would argue it is at least partly a failure of the test itself. A test with fixed, publicly known conditions (a prescribed speed profile on a dynamometer, no steering input, a climate-controlled lab) is easy for software to recognize, and a test that only observes the tailpipe cannot distinguish a car that is compliant from one that is compliant only while it believes it is being watched. The EPA has opposed rules that might have caught this much earlier; this year it argued against a proposed DMCA exemption that would let independent researchers examine vehicle software. Auditing software for regulatory compliance is not trivial and is often expensive, but cutting corners could mean that companies like Comcast or Verizon throttle bandwidth in violation of network neutrality regulations, or that healthcare providers skirt HIPAA wherever they find it convenient.
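To make the point about the test concrete, here is an added, deliberately simplified simulation. It is not Volkswagen’s code or any real controller, and the reference cycle, the sensor fields, the emission rates and the limit are all constructed for the example. It shows a toy engine controller that recognises a fixed test cycle, and two audits run against it: replaying the fixed cycle, which both the honest and the test-aware controller pass, and a randomised on-road measurement, which only the honest one passes.

```python
"""Added example (not from the original post and not any manufacturer's code):
a toy engine controller that can recognise a fixed emissions test cycle, and
two audit strategies run against it. REFERENCE_CYCLE, the Sample fields, the
emission rates and LIMIT_G_PER_KM are all constructed for this illustration."""
from __future__ import annotations

import random
from dataclasses import dataclass

# Constructed reference cycle: target wheel speed in km/h, one sample per second.
# Real test cycles are published, fixed and repeatable, which is what makes them
# recognisable from inside the car.
REFERENCE_CYCLE = [0, 0, 5, 10, 15, 15, 15, 10, 5, 0, 0, 20, 30, 35, 35, 30, 20, 10, 0, 0]

LIMIT_G_PER_KM = 0.08   # constructed regulatory limit for NOx
CLEAN_G_PER_KM = 0.05   # constructed: emissions with full controls active
DIRTY_G_PER_KM = 0.50   # constructed: emissions with controls throttled back


@dataclass
class Sample:
    """One second of sensor data as a controller would see it (constructed fields)."""
    speed_kmh: float      # wheel speed
    steering_deg: float   # steering wheel angle; on a dynamometer it never moves
    ambient_c: float      # ambient temperature; a test lab is climate-controlled


def looks_like_dyno_test(trace: list[Sample]) -> bool:
    """Heuristic a test-aware controller could use: the most recent window of
    speeds tracks the published cycle closely, the steering wheel has not moved
    and the temperature is lab-like. Each signal alone would be unreliable;
    together they are strong precisely because the test is so predictable."""
    n = len(REFERENCE_CYCLE)
    if len(trace) < n:
        return False
    window = trace[-n:]
    mean_speed_error = sum(abs(s.speed_kmh - ref) for s, ref in zip(window, REFERENCE_CYCLE)) / n
    no_steering = all(abs(s.steering_deg) < 1.0 for s in window)
    lab_temperature = all(20.0 <= s.ambient_c <= 30.0 for s in window)
    return mean_speed_error < 2.0 and no_steering and lab_temperature


def nox_g_per_km(trace: list[Sample], defeat_device: bool) -> float:
    """Emission rate the car produces over the trace. An honest controller always
    runs full emissions control; the defeat device runs it only when it believes
    it is being tested."""
    full_control = (not defeat_device) or looks_like_dyno_test(trace)
    return CLEAN_G_PER_KM if full_control else DIRTY_G_PER_KM


def lab_audit(defeat_device: bool) -> bool:
    """The fixed-cycle test: replay the reference cycle exactly, on a dynamometer,
    in a lab. Observing only the tailpipe, this cannot tell the two controllers apart."""
    trace = [Sample(speed_kmh=v, steering_deg=0.0, ambient_c=23.0) for v in REFERENCE_CYCLE]
    return nox_g_per_km(trace, defeat_device) <= LIMIT_G_PER_KM


def road_audit(defeat_device: bool, seed: int = 1) -> bool:
    """Randomised on-road measurement: speed, steering and temperature vary in ways
    the controller cannot predict, so the test-aware behaviour is exposed."""
    rng = random.Random(seed)
    trace = [
        Sample(speed_kmh=rng.uniform(0.0, 90.0),
               steering_deg=rng.uniform(-30.0, 30.0),
               ambient_c=rng.uniform(-5.0, 35.0))
        for _ in range(60)
    ]
    return nox_g_per_km(trace, defeat_device) <= LIMIT_G_PER_KM


def audit_summary(defeat_device: bool) -> dict[str, bool]:
    """Both audits for one controller; the defeat device passes in the lab only."""
    return {"lab": lab_audit(defeat_device), "road": road_audit(defeat_device)}


if __name__ == "__main__":
    for name, cheats in (("honest controller", False), ("test-aware controller", True)):
        print(name, audit_summary(cheats))
```

The lesson for an auditor is the same one that applies to any system that can observe its own test harness: a fixed, predictable observation measures behaviour under observation, not behaviour in general. Randomising the conditions (or, better, inspecting the software that decides when the controls are active) is what closes the gap.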

Unintended Consequences of Regulation

Regulation of technical domains has historically been rather poor at avoiding unintended consequences. There are numerous examples, but I would point to the Electronic Communications Privacy Act (ECPA) as the best one. The regulators were well-intentioned, and they got a lot of the law right at the time. But it has been nearly 30 years since the law was passed, which means it has needed updating for at least 25 of them. Yet it is still the law of the land for electronic communications. Emails receive different protections based on how long they have been on the server (the 180-day rule: a warrant is required for newer mail, while older mail can be obtained with a subpoena). Social network content and mobile location data are effectively not protected at all. I don’t believe the current state of regulation was the intention of those who wrote the ECPA, but here we are. We need to find a way to reform it. The Digital Due Process coalition has been arguing to update ECPA for years, and the Senate Judiciary Committee did recently meet to consider some reforms.

In addition to repairing unintended consequences, we need to get better at not creating regulations likely to produce them. The FCC just recently posted a notice of proposed rulemaking on the authorization of radio-frequency devices. If adopted as written, it could dramatically affect consumers’ ability to install their own firmware or operating systems on wireless devices such as home routers, since it would require manufacturers to prevent users from modifying the software that controls the radio. It raises questions like “What is the legal definition of a ‘device’?” and “Should software be considered part of the device?” These are questions that are broadly unanswered anywhere in US law and regulation.

Summary

A primary goal of my research is to address regulatory compliance issues in software engineering. I hope this post has provided you with an overview of what that means and why anyone would want to do it. Currently, I’m focusing on privacy and security concerns, particularly in the healthcare space. If you’re a student interested in working with me on these issues, please get in touch.