Lachlan's Research

ETHICOMP/CEPE 2017: Smart Cities

Time flies and it’s more than 18 months since the last ETHICOMP at De Montfort’s Centre for Computing and Social Responsibility in 2015. This time the conference moved further afield to the University of Torino, Italy, to be co-hosted with CEPE (Computer Ethics Philosophical Enquiry). From the 5-8th July I attended 4 days of panels, keynotes and plenaries at (what must be!) the biggest computer ethics conference in the world.


It was great to catch up with familiar faces, and I was pleased to be part of the ICT and the City session organised by Prof Michael Nagenborg from 4TU/Twente University.

The full paper has just been published in a new journal, Orbit, that has emerged from a big EPSRC RRI project. The paper has also been nominated to be published in the ACM SIGCAS publication, Computers and Society, so hopefully, I’ll be able to link to that in due course too.



Before the workshop, Michael conducted interviews with different panellists about our work and published these on his website: Urban Technologies. My discussion there with him is a bit more detailed, but to summarise, this paper mainly focused on unpacking ethical dimensions of the role of designers in regulation. Using mediation theory, it discusses how designers can address concerns of citizens posed by smart cities. In sustainably scaling up IoT technologies to the city level, HCI designers can both engage with the needs of citizens and respond to these through the design of urban IoT systems (eg using participatory/co-design, value sensitive design etc). I explored how concepts from HCI, like ‘seamful design’, could be useful for surfacing the regulatory uncertainties inherent in future urban IoT management.



As is common at many conferences I’ve attended this year (especially BILETA 2017 and TILTing 2017), AI and algorithms continue to be hot topics.  Below I’ve provided a list of some personal highlights from across the conference.

Day 1:

  • The Law track – I enjoyed Burri et al’s paper on using legal personhood  (e.g. LLPs) as a mechanism to attach legal responsibilities to autonomous systems. They compared legal possibilities for using this route in different jurisdictions, namely the UK, Germany, Switzerland and Delaware, US.
  • The Fiction track – Johnson et al discussed using Design Fictions to engage with ethical dimensions of new technologies; Vallejos et al presented findings from the CRUCIBLE funded project ‘AI Goes to War‘; Adams and Ben-Youssef  presented their work on the interplay between superheroes narratives and security/policy debates (e.g. through Daredevil & Superman vs Batman).

Day 2:

  • Ethics in Software Development Track – Wolf et al examined the case of Microsoft Tay; Breems proposed ways to support longitudinal reasoning by software engineers about responsibility for artificial agents, linking initial action with future impacts.
  • Video Games Track – Flick discussed the construction of a code of ethics for in-game archaeological practices in No Man’s Sky; Neely explored the ethical interplay/disconnect between real world identities of players and in-game avatars (for example in World of Warcraft); Klein and Lin deconstructed the arguments underpinning the widely discussed Ban on Sex Robots campaign.

Day 3:

  • Both ICT and the City Track Sessions, with talks from:
    • Nagenborg (chair) set the scene, highlighting the need for smart cities to emerge as sites of citizen participation and engagement, attending to risks of urban surveillance;
    • Gonzalez Woge proposed learning from post-phenomenology and how agency is increasingly embedded in our environment (through ambient intelligence) using the example of open living labs;
    • Dainow suggested using autopoietic theories to reframe definitions and ethical implications of smart cities;
    • Heimo discussed ethical dilemmas of constructing mixed reality experiences for cultural heritage where insufficient historical information requires designers to take creative liberties to create an immersive experience, but at the expense of historical accuracy;
    • Lastly, Fichtner explored how the logic of optimising flows of knowledge underpinning smart cities can reduce spaces for creativity and citizens may find themselves experiencing the city through spatial filter bubbles.
  • I really enjoyed the keynote from Herman Tavani who surveyed shifts in computer ethics and highlighted the need to return to formal logic and critical reasoning in deconstructing arguments within computer ethics.

Day 4:

  • Social Media Track: Tuikka et al provided detailed insights on ethics of netnography as a research tool; Koene et al unpacked the nature of editorial responsibilities social media platforms may owe to users due to personalisation algorithms (e.g. Facebook news feed curating content for individuals); lastly, Koga and Yanagihara explored ethical aspects of social media marketing, focusing on prominent case studies (eg Target pregnancy case; BabyFoot online competitions).
  •  The keynote from James Moor, who received the Weizenbaum Award, examined the future of computer ethics with challenges stemming from AI.

TILTing Perspectives 2017

Last week I was back over in the Netherlands for TILTing Perspectives Conference 2017. Hosted by Tilburg University at their Institute for Law, Technology, and Society, this was a 3-day event with around 200 presenters, 8 parallel sessions, 6 keynotes etc. I was over there presenting a WiP paper with Derek McAuley on Cybersecurity Implications of the Industrial Internet of Things.

Security incidents like targeted distributed denial of service (DDoS) attacks on power grids and industrial control system (ICS) hacks in factories are set to increase as infrastructure becomes increasingly connected. The short paper looks at where emerging security threats might lie as the industrial IoT trend gathers pace, both from engineering and regulatory perspectives. Vulnerabilities and threats around the smart energy infrastructure are used to consider where risks might arise at different points in the energy supply chain, from exploration through to consumption.

‘The Digital Oilfield’ sees the integration of IoT into oil platforms, for example, to monitor integrity and performance of operational components. This opens new threat vectors for advanced persistent threats (APTs) and cyber espionage. The variety of organisations operating on a platform, sharing infrastructure but seeking confidentiality in their operations, adds to the complexity of securing this domain. Understanding how to make IoT components on rigs that are secure, but usable for workers, is an important element, to minimise risks to safety or security of infrastructure through avoidable human error. Similarly, in a future of autonomous logistics, with oil tankers navigating the seas, new opportunities can emerge for GPS jamming or spoofing to enable remote piracy or ransomware attacks where the consequences are environmental harm in addition to monetary loss. Perhaps most familiar are the challenges for IoT in the smart energy grid. Risks arise at many points in this supply chain such as in:

  • Energy generation with the hacking of industrial control systems in power plants.
  • Energy transmission/distribution across the power grid with DDoS attacks causing blackouts and knock-on effects for services relying on power (hospitals, transportation etc).
  • Energy consumption where insecure domestic IoT devices can become parts of cybercrime infrastructure, particularly botnets, and be used to leverage attacks against critical infrastructure (e.g. Mirai; Persirai; Hajime). The use of software agents to help manage dynamic energy tariffs on behalf of users (to enable peak levelling on the grid) is another emerging domain in which to consider threats to end users.

There are also regulatory changes afoot, with the EU Network and Information Security (NIS) Directive 2016 coming into effect at the same time as the GDPR in 2018. NIS brings in rules around securing critical infrastructure, including cloud platforms, and establishes notification and cooperation requirements for responding to cyber attacks (e.g. role of member state computer emergency response teams). GDPR establishes obligations around personal data breach notifications, most relevant for domestic IoT/household energy management devices caught up in attacks. Balancing the growth of Industrial-IoT against the security threats and regulatory requirements is going to be a tall order.

Overall, industrial IoT brings four security elements to the fore that need to be managed:

  • Anticipating risks from bringing infrastructure online when it is ordinarily offline.
  • Managing infrastructural complexity where critical systems interact and share dependencies in ways that make it difficult to anticipate both threats and knock-on effects of attacks.
  • Temporal dimensions of security, particularly how IoT risks are managed over the life cycle of systems, subject to organisational change, loss of IT support for platforms etc.
  • The implementation gap around best practice where standards for security in Industrial IoT are still emerging, and once settled, will still take some time to be actioned.

There is a working paper up on SSRN with more details, so any feedback on this is welcome!

From Leeds to Braga to Leiden

The past month has involved a bit more travelling to various conferences and workshops. It started in Leeds at a workshop on electronic monitoring on 6th April. This is part of the Tracking People Seminar Series, with this one focusing on ethical and legal debates. Personal highlights for me were talks by Mike Nellis discussing both technical and criminological dimensions of electronic tagging, and Michael Nagenborg, giving a philosophical discussion of the ethical aspects of tracking. It was nice to catch up with Michael again, as I’ll be participating in the ICT and the City stream he co-chairs at ETHICOMP 2017 in Turin next month, presenting the paper called “Ethical Dimensions of User Centric Regulation” (more on this in due course).

After the Easter break, I went to the main UK IT law event, BILETA 2017, which had gone on a sunny excursion this year to Universidade do Minho, Braga, Portugal. I was presenting a paper written with CDT student Neelima Sailaja and Horizon Director Derek McAuley on legal, commercial and technical challenges around realising the new EU Right to Data Portability in practice. This involved discussion around the legal importance of personal information management systems, like the Databox project, in realising the right.

Hosted at the Escola de Direito, it was 2 packed days of parallel sessions on fake news, algorithmic governance, post-mortem privacy, IP, living in smart cities, biometric criminal identification, and cybercrime. There were very enjoyable keynotes from Burkhard Schafer (hello again, viva examiner!) on law and algorithms, former Spanish Data Protection commissioner Jose-Luis Pinar on GDPR and Joe Cannataci about his work as UN Special Rapporteur on Privacy. As an aside, the conference dinner had all the Portuguese ingredients of Bacalhau, Vinho Verde and Fado! Next year it will be in slightly colder Aberdeen, but will seek to combine the unusual mix of privacy, Haggis and a Ceilidh…

After BILETA I flew over to the Netherlands for a week-long interdisciplinary workshop called Privacy by Design Beyond the Screen hosted at the Lorentz Centre in Leiden. This was an intensive event bringing together invited specialists on Privacy by Design from many backgrounds to discuss all aspects of the concept from theoretical framings to practicalities of doing PbD in practice. Kindly organised by Bert-Jaap Koops, Tjerk Timan and Jaap-Henk Hoepman in the Lorentz’s hospitable space (they invite proposals to host and fund workshops if you’re interested), the workshop involved a mix of presentations, group discussions and break-out sessions. I presented my PhD research on the concept of user-centric regulation, and over the course of 5 days, we discussed the pros and cons of many different ways of conceptualising PbD from more legalistic discussions around what notion of privacy is appropriate to design frameworks like value sensitive design and requirements engineering.
We also had some interesting discussions about the differences between PbD as a process and a product, with insights from product design too. As part of group work, we looked in depth at privacy implications of augmented reality glasses used by police officers to attend domestic violence cases. We have a lot of material to sift through but hopefully, a few short papers should emerge in due course!

New Directions in IT law: learning from HCI

Yesterday, my new journal article with Tom Rodden “New Directions in Information Technology Law: Learning from Human-Computer Interaction” was published in the International Review of Law, Computers and Technology. It is part of a special edition on law and algorithms edited by Joseph Savirimuthu from Liverpool University. Other articles in the edition consider accountability in algorithms, algorithmic surveillance, deep learning, and health wearables. The abstract is provided below and there are allegedly 50 free copies available at this link, so help yourselves and snap one up before they all go (around 20 left at last count) 🙂


Abstract: Effectively regulating the domestic Internet of Things (IoT) requires a turn to technology design. However, the role of designers as regulators still needs to be situated. By drawing on a specific domain of technology design, human–computer interaction (HCI), we unpack what an HCI-led approach can offer IT law. By reframing the three prominent design concepts of provenance, affordances and trajectories, we offer new perspectives on the regulatory challenges of the domestic IoT. Our HCI concepts orientate us towards the social context of technology. We argue that novel regulatory strategies can emerge through a better understanding of the relationships and interactions between designers, end users and technology. Accordingly, closer future alignment of IT law and HCI approaches is necessary for effective regulation of emerging technologies.

In other news, there are a couple of working papers up on SSRN looking for feedback if anyone feels so inclined 🙂 One is written with Neelima Sailaja and Derek McAuley on the new GDPR right to data portability, considering the legal, technical and business dimensions of realising the right in practice.  There is also a paper on artcodes and intellectual property law up there too, unpacking the copyright, trademark and design right dimensions (with a focus on creative commons licensing too). Lastly, but by no means least (!)  I passed my PhD viva with no corrections (just a few wee typos) with Burkhard Schafer (Edinburgh) and Derek McAuley at the start of March! So I’m feeling very pleased  🙂

New Paper: Ethical Dimensions of User Centric Regulation

A new working paper has been added to Social Science Research Network called Ethical Dimensions of User Centric Regulation. This paper is set to be presented at CEPE/ETHICOMP 2017 in Turin, Italy later in the year, in the stream ‘ICT and the City’.

We question the ethical role of information technology (IT) designers in IT regulation, unpacking the nature of their responsibilities. We illustrate our argument through the emerging technological setting of smart cities and use our concept of user centric regulation (UCR) to consider what a closer alignment of IT design and regulation could mean in practice.

We situate how IT designers can respond to their ethical and legal duties to end users. Our concept asserts that human computer interaction (HCI) designers are now regulators, but as they are not traditionally involved in the practice of regulation, the nature of their role is ill-defined. We believe designers need support in understanding what their new role entails, particularly managing ethical dimensions that go beyond law and compliance.

We use conceptual analysis to consolidate perspectives from across Human Computer Interaction, Information Technology Law and Regulation, Computer Ethics, Philosophy of Technology, and beyond. We focus particular attention on the implications of designers mediating interactions of users with technologies and consider the distinction between intended and actual use, where regulation needs to accommodate for both.


User Centric Regulation for the Domestic Internet of Things

At the end of last week I returned to bonny Edinburgh for a talk at the Law School called “User Centric Regulation for the Domestic Internet of Things“. It was nice to return as an alumnus presenting on my PhD research and I was kindly hosted by the University of Edinburgh’s IT, IP and Media Law Group. The enjoyable event involved detailed discussions on the interplay between designers and lawyers in addressing the regulatory challenges stemming from the  internet of things. I presented not just theoretical and legal perspectives but also a range of empirical and design perspectives to situate the role of technologists in regulation. The empirical data draws on interviews, questionnaires, workshops, focus groups and so forth, and this work is in forthcoming journal papers and book chapters, with working versions here, here and here.


User-Centric Regulation for the Domestic Internet of Things (Lachlan Urquhart, University of Nottingham)

Fri 2nd Dec, 2pm

“We are delighted to announce another discussion group event which will take place on Friday 2 December at 2pm in the Neil MacCormick Room (9.01) of David Hume Tower. Our speaker, Lachlan Urquhart, previously studied at Edinburgh and is now a Research Fellow in Information Technology Law at the Horizon Digital Economy Research Institute (University of Nottingham). He will present on the following topic:


Increasingly, technology designers are being called upon to address regulatory challenges posed by emerging technologies. However, their role in regulation is not settled and needs to be situated both conceptually and practically. We present a multidisciplinary response through examining what the field of human computer interaction (HCI) can offer. We do this by presenting a number of conceptual, empirical and design led perspectives from the interface between IT law and HCI. We ground these within the case study of doing information privacy by design for the domestic internet of things. HCI focuses on how users interact with technologies in practice. In designing user experiences, HCI practice draws on a range of approaches and concepts to develop a rich picture of the social context of technology use. By reframing these to consider regulatory and ethical dimensions, we argue the role of technology designers in regulation can be better understood. 

The talk will be followed by a Q&A section and refreshments will be provided. All students and staff are welcome and no registration is required.”


Two Forthcoming Papers

I’ve put working versions of two forthcoming papers up onto Social Science Research Network (SSRN).

The first, with Tom Rodden, is going to be in a special edition of the International Review of Law, Computers and Technology on algorithms and law being edited by Joseph Savirimuthu. It is titled “New Directions in Information Technology Law: Learning from Human Computer Interaction” and can be found here. The abstract is as follows:

Effective regulation of emerging technologies, like the domestic internet of things (IoT) and the underpinning algorithms, requires a range of approaches. In this paper we focus on the use of technology design as a regulatory tool.

Within IT law, there has long been recognition that technology design can be used to shape and regulate individual behaviour (Lessig, 2006; Reidenberg, 1998). In this paper, we assert that regulation, as a concept, has broadened sufficiently that designers are now regulators. Accordingly, we need deeper understanding of their epistemological positions to better situate their role within technology regulation.

Accordingly, we look at a specific domain of design, human computer interaction (HCI), and three prominent concepts from this community. We present these concepts to reframe regulatory dimensions of domestic IoT showing what HCI designers can offer as regulators, and more broadly, highlighting channels for conceptual alignment of the HCI and IT law communities.

Understanding how technologies impact rights of users, and how designers can respond effectively, requires a turn to the context of use. The user centric focus of HCI can provide valuable perspectives on designing effective regulatory strategies. Furthermore, we argue current models of technology regulation in IT law do not give sufficient weight to the lived, contextual experiences of how users interact with technologies in situ.

To understand what an HCI led approach can offer IT law and technology regulation, we focus on three prominent concepts: trajectories (Benford et al, 2009), affordances (Norman, 2013) and provenance. We reframe these design concepts within the context of regulation.

The second is going to be a chapter for the book Future Law being edited by Lilian Edwards, Burkhard Schafer and Edina Harbinja. It is titled “White Noise from the White Goods? Conceptual & Empirical Perspectives on Ambient Domestic Computing” and can be found here. The abstract for this one is:

Within this chapter we consider the emergence of ambient domestic computing systems, both conceptually and empirically. We critically assess visions of post-desktop computing, paying particular attention to one contemporary trend: the internet of things (IoT). We examine the contested nature of this term, looking at the historical trajectory of similar technologies, and the regulatory issues they can pose, particularly in the home. We also look to the emerging regulatory solution of privacy by design, unpacking practical challenges it faces. The novelty of our contribution stems from a turn to practice through a set of empirical perspectives. We present findings that document the practical experiences and viewpoints of leading experts in technology law and design.



Towards User Centric Regulation

It’s been a busy few months since my last update on this blog! I submitted my PhD and I’ve now started a new job too!  A couple of weeks ago I moved desks from the MRL over to Horizon to start as a Research Fellow in Information Technology Law. This shiny new role will involve working between IT Law and HCI across a range of topics and projects within Horizon.

Given all the recent activity, the rest of this post is a bit of a round-up of things I didn’t manage to blog about over the last months…hence, at times, it reads a bit like a stream of consciousness!

In the end, my PhD was titled “Towards User Centric Regulation: Exploring the Interface between Information Technology Law and Human Computer Interaction” and was in on time on the 30 September. I’ve attached the abstract below for anyone interested in the work. I’m doing a talk at the Law School, University of Edinburgh (room/time TBC) on 2nd December called “User Centric Regulation for The Domestic Internet of Things” for anyone who wants to hear more about it.

I’ve also got a couple of articles I’ve been working on that are coming out soon.

The first, co authored with Tom Rodden, is called “New Directions in Information Technology Law: Learning from Human Computer Interaction” and is coming out in the International Review of Law, Computers and Technology as  part of a special edition on Algorithms and the Law (edited by Joseph Savirimuthu). The paper looks at ways to bring conceptual tools from HCI, like provenance, affordances and trajectories, into IT law by re-framing these as mechanisms to situate the role of technology designers in regulation.

The second is a chapter I’ve written for a new book called Future Law, edited by Lilian Edwards, Burkhard Schafer and Edina Harbinja. This will feature a range of contributors from the wonderful annual Gikii conference and should prove to be a brilliant edition. My chapter is called “White Noise from the White Goods: Conceptual and Empirical Perspectives on Ambient Domestic Computing“.

I’ll add more in depth blog posts on these papers in due course, including links to the working paper versions on SSRN.

On that note, the paper “A Legal Turn in HCI…” that I posted on SSRN earlier this year was picked up and given a great review in the online journal, Jotwell, by Daithí Mac Síthigh from Newcastle University. He provides a fantastic summary and some rather encouraging comments on this exploratory, multidisciplinary piece!

Less related to my PhD, and more in fact to my Masters (!), my longstanding paper with Lilian Edwards on legalities of social media policing and open source intelligence eventually came out in the International Journal of Law and Information Technology – it’s available here 🙂

Lastly (promise), here is the PhD abstract:

Towards User Centric Regulation: Exploring the Interface between Information Technology Law and Human Computer Interaction

This thesis investigates the role of technology designers in regulation. Emerging information technologies are complex to regulate. They require new strategies to support traditional approaches. We focus on the use of technology design as a regulatory tool. Whilst this solution has significant conceptual traction, what it means in practice is not clear. Deeper investigation of the role of the design community in regulation is necessary to move these strategies from theory into practice. We structure our analysis by asking: how can we understand the role of designers in regulation of emerging technologies?

We answer this question from four primary perspectives: conceptual, legal, practical and design. We situate our investigation within the context of the domestic internet of things and information privacy by design. We adopt an overtly multidisciplinary approach, critically assessing how to bring together the human computer interaction and information technology law communities. To do this, we utilise a range of qualitative methods, including case studies, documental and legal analysis, semi structured expert interviews, questionnaires, focus groups, workshops, and development, testing and evaluation of a design tool. Our contributions are as follows:

Conceptually, we provide a critical investigation of the role of technology designers in regulation by consolidating, evaluating and aligning a range of theoretical perspectives from human computer interaction (HCI) and information technology (IT) law. We draw these together through the concept of user centric regulation. This concept advocates a user focused, interaction led approach to position the role of designers in regulation. It draws on the turn to human values and societal issues in HCI, and the increasing reliance in IT law on design for regulation of emerging technologies.

Legally, we present two detailed case studies of emerging technologies (domestic internet of things and smart metering) mapping the emerging legal landscape and challenges therein. We situate the role of designers, as regulators, within this space, and show how they can respond accordingly through their user centric focus.

Practically, we analyse experiences from leading experts in technology design and regulation to understand the challenges of doing information privacy by design (PbD) for the IoT. We present our findings within the framing of technological, business and regulatory perspectives.

Lastly, we present a design tool, ‘information privacy by design cards’, to support designers in doing PbD. This tool has been designed, tested and refined, providing us with a practical approach to doing user centric regulation. Based on our findings from using the cards, we provide the concept of regulatory literacy to clearly conceptualise the role of designers in regulation.


User Centric Regulation; Information Technology Law; Human Computer Interaction; Privacy by Design; Internet of Things; Smart Metering


ESRC Data PSST! Seminar Series

A couple of weeks ago I ventured over to North Wales to Bangor University for the final seminar in the ESRC Data PSST! Seminar series. As a bit of background, the project has been running for the past couple of years, and has seen many different speakers and attendees meeting up for critique and discussion around the themes of surveillance, transparency, non-state actors and political communication.

Being rather late to the series, I was pleasantly surprised to be invited to come along as a speaker and participant for the final event by PI Vian Bakir. I had attended the previous session at Cardiff University after colleague and friend Gilad Rosner suggested I come along. The Cardiff event focused on the role of non-state actors in surveillance and the challenges posed for traditional notions of transparency. (I’ve put my position statements from both events at the bottom).

For this one, I had a few hours driving over to Bangor. It was a dreich Thursday evening from Ashbourne, but there were bonny sea views on the A55 and Gojira’s album l’Enfant Sauvage for company 🙂 Bangor is quite picturesque as it gazes out over nearby Welsh forests, estuaries, cliffs and mountains. The pre-workshop dinner over in Menai Bridge on Anglesey was at a rather charming fish restaurant too.



A very small group (9 or 10 of us) spent the day discussing how best to engage different stakeholders with concerns over transparency, state surveillance and data governance. I particularly enjoyed learning about the concept of translucency from Vian Bakir and Andrew McStay’s work on a typology of transparency. Interesting communication and engagement tools, from provocative short films to art projects, were discussed. An important point raised was how engaging the public and policymakers requires different approaches. The former may be more interested in educational or viral type material (like the recent Cassette Boy/Privacy International mashup on the IP Bill), whereas that won’t work for the latter, who may be more responsive to reports, white papers and policy recommendations.

My presentation for this session considered practical approaches to engaging internet of things designers with privacy regulation. The privacy by design cards are a good example, but importantly I looked at the broader shift towards bringing designers into regulation too. Finding the best forums to support designers in their new role is important. Professional bodies like the ACM or IEEE clearly have strong links with their members and can guide on ethics and to an extent regulation. Equally, state regulators like the Information Commissioner’s Office have a role in communicating and supporting designers on their compliance obligations. A particular challenge of this is the differing level of resources organisations have to deal with compliance, from startups and SMEs (with little) to multinationals (with more). The nature of support they may require will differ, and we need to better understand how compliance plays out in these different organisations.

It was an enjoyable workshop and thanks again to the organisers for having me along 🙂

I’ve put my position statements from Data PSST! Cardiff (March 2016) and Bangor (May 2016) below.

Seminar 5:

Transparency of Non-State Actors? The Case of Technology Designers and Privacy by Design

Lachlan Urquhart

Mixed Reality Laboratory & Horizon Digital Economy CDT, University of Nottingham

Cardiff (March 2016)


My position on transparency and non-state actors is framed in the context of European Data Protection (DP) Law. A key component of the upcoming EU DP reform package is the concept of data protection by design and default (DPbD). Designing privacy protections into a technology has long been considered best practice, and soon it will be mandated by law. It requires privacy concerns to be considered as early as possible in the design of a new technology, taking appropriate measures to address concerns. Such an approach recognises the regulatory power of technology which mediates behaviour of a user, and can instantiate regulatory norms.

Concurrently, regulation, as a concept, has been broadening and moving beyond notions of state centricity and increasingly incorporating actions of non-state actors. I’d argue privacy by design is a context where technology designers, as non-state actors, are now regulators. How they build systems needs to reflect their responsibilities of protecting their users’ rights and personal data, through technical and social safeguards.

However, the nature of their new role is not well defined, leaving open questions on their legitimacy as regulators. They are not normally subject to traditional metrics of good governance like public accountability, responsibility or transparency. Furthermore, the transnational nature of data flows, as we see with cloud computing for example, adds an extra layer of complication. The new DP law will apply to actors outside of the EU, e.g. in the US, if they are profiling or targeting products and services to EU citizens, meaning there are national, regional and international dimensions to consider. Overall, the fast pace of technological change, contrasted with the slowness of the law, has pushed designers to be involved in regulation, but without appropriate guidance on how to do so.

This is a practical problem that needs to be addressed. An important component is the role of nation states. State and non-state actors need to complement each other, with the state often ‘steering, not rowing’. The model of less centralised regulation cannot mean dispensing with traditional values of good governance. Instead, state regulators need to support and guide non-state actors on how to act in a regulatory capacity. How can transparency, legitimacy and accountability be reformulated for this new class of ‘regulator’: the technology designer? Much work needs to be done to understand how designers need support as regulators, and how the state can respond to this.

Seminar 6:

Making Privacy by Design a Reality?

Lachlan Urquhart

Mixed Reality Laboratory & Horizon Digital Economy CDT, University of Nottingham

Bangor (May 2016)

We have developed a tool that aims to take the principle of data protection by design from theory into practice. Article 23 of the General Data Protection (DP) Reform Package (GDPR) mandates data protection by design and default (DPbD). This requires system designers to be more involved in data protection regulation, early on in the innovation process. Whilst this idea makes sense, we need better tools to help designers actually meet their new regulatory obligations. [1]

Guidance on what DPbD actually requires in practice is sparse, although work from usable privacy and security or privacy engineering does provide some guidance [5, 6]. These may favour technical measures like anonymisation or tools to increase user control over their personal data [7]; or organisational approaches like privacy impact assessments. [2]

By calling on design to be part of regulation, it is calling upon the system design community, one that is not ordinarily trained or equipped to deal with regulatory issues. Law is not intuitive or accessible to non-lawyers, yet by calling for privacy by design, the law is mandating non-lawyers be involved in regulatory practices. We argue that there is a need to engage, sensitise and guide designers on data protection issues on their own terms.

Presenting a non-legal community with legislation, case law or principles framed in complex, inaccessible legalese is not a good starting point. Instead, a truly multidisciplinary approach is required to translate legal principles from law to design. In our case, we bring together information technology law and human computer interaction. [4]

Our data protection by design cards are an ideation technique that helps designers explore the unfamiliar or challenging issues of EU DP law. [8] Our cards focus on the newly passed GDPR, which comes into effect in 2018. They are designed to be sufficiently lightweight for deployment in a range of design contexts eg connected home ecosystems or smart cars. We have been testing them through workshops with teams of designers in industry and education contexts: we are trying to understand the utility of the cards as a privacy by design tool. [9]

A further challenge for privacy by design goes beyond how to communicate regulatory requirements to communities unfamiliar with the law and policy landscape. Whilst finding mechanisms for delivering complex content in more accessible ways, like our cards, is one issue, finding the best forums for engagement with these concepts is another. Two examples could be the role of state regulators and industry/professional associations. State regulatory bodies, like the UK ICO or EU Article 29 Working Party, have a role to play in broadcasting compliance material and supporting technology designers’ understanding of law and regulation. The needs of each business will vary, and support has to adapt accordingly. One example could be the size and resources a business has at its disposal. It is highly likely these will dictate how much support they need to understand regulatory requirements, e.g. an under-resourced Small or Medium-sized Enterprise vs. a multinational with in-house legal services.

Industry and professional associations, like the British Computer Society, the Association for Computing Machinery or the Institute of Electrical and Electronics Engineers, may be suitable forums for raising awareness with members about the importance of regulation too. Sharing best practice is a key element of this, and these organisations are in a good position to feed their experience into codes of practice, like those suggested by Art 40 GDPR.

[1] – L Urquhart and E Luger “Smart Cities: Creative Compliance and the Rise of ‘Designers as Regulators’” (2015) Computers and Law 26(2)

[2] – D Wright and P De Hert Privacy Impact Assessment (2012 Springer)

[3] – A29 WP “Opinion 8/2014 on the recent Developments on the Internet of Things” WP 233

[4] – We are conducting a project in the EU and US involving researchers from: University of Nottingham (Tom Rodden, Neha Gupta, Lachlan Urquhart), Microsoft Research Cambridge (Ewa Luger, Mike Golembewski), Intel (Jonathan Fox), Microsoft (Janice Tsai), University of California Irvine (Hadar Ziv) and New York University (Lesley Fosh and Sameer Patil).

EU project page and cards are available at

[5] – J Hong “Usable Privacy and Security: A Grand Challenge for HCI” (2009) Human Computer Interaction Institute

[6] – Danezis et al “Privacy and Data Protection by Design – from policy to engineering” (2014) ENISA; M Dennedy, J Fox and T Finneran “Privacy Engineer’s Manifesto” (2014) Apress; S Spiekermann and LF Cranor “Engineering Privacy” (2009) IEEE Transactions on Software Engineering 35 (1)

[7] – H Haddadi et al “Personal Data: Thinking Inside the Box” (2015) 5th Decennial Aarhus Conferences; R Mortier et al “Human-Data Interaction: The Human Face of the Data Driven Society” (2014)

[8] – IDEO; M Golembewski and M Selby “Ideation Decks: A Card Based Ideation Tool” (2010) Proceedings of ACM DIS ’10, Aarhus, Denmark

[9] – E Luger, L Urquhart, T Rodden, M Golembewski “Playing the Legal Card” (2015) Proceedings of ACM CHI ’15, Seoul, S Korea

