Carnegie Mellon University's School of Computer Science (SCS) and Fordham Law School are collaborating on a new National Science Foundation program to study innovative ways to make software more accountable by bridging the gap between law and computing.
To date, law and software engineering have been largely siloed, and legal accountability is typically addressed late in the design process, after key decisions have been made and when the cost to change those decisions is high. Society places a great deal of trust in software-intensive computing systems and in those responsible for designing them, but designers often lack a blueprint for how to build legally compliant software and applications. Without that roadmap, lawyers and engineers struggle to anticipate when and how software could fail to comply with law, why it failed, and who was harmed as a result.
"Because lawyers and engineers come from different risk cultures, with two different bodies of knowledge and expertise, their communication can be fraught with a variety of problems," said Travis Breaux, an associate professor in SCS's Software and Societal Systems Department. "When we train the next generation of software engineers, we want them equipped to ask the right questions and even to help drive the discussion around how to build legal protections for consumers into software. This requires a new skill set to speak to lawyers about technical and legal risks, and to balance innovation and market leadership with protecting consumer rights."
The SCS-Fordham Law project aims to break down this barrier by discovering methods that align legal and engineering considerations from both disciplines, allowing design teams to make accountability decisions early in the software design process. Accountability is especially important in contexts where software helps make decisions about consumers.
"When you step on a plane, there are lots of rules governing the design, construction and operation of the plane to ensure your safety. But when you use online services that track your location or decide whether you qualify for a loan, there are fewer guarantees that those services will enforce the legal rules to protect consumers," said Tom Norton, the executive director of the Center on Law and Information Policy at Fordham Law School.
In the data privacy context, for example, recent surveys suggest that while 60% of companies surveyed are tracking data-protection legislation, 39% overall say they lack the available staff to address compliance with the law. This means that technology companies will increasingly need to do more with less to stay ahead of emerging internal and external compliance challenges.
The cost of innovation with weak legal accountability is high. In the past five years alone, regulators around the world have fined hundreds of companies billions of dollars over privacy violations, imposed strict multiyear compliance and reporting requirements, and even required the deletion of algorithms or models created from unlawfully collected data.
The cost to society is even higher. Because regulators are often overwhelmed and underresourced, many violations go unresolved. The U.S. Federal Trade Commission reported needing "millions of dollars to hire more experts" in product development; data privacy; and analytics, algorithms and software development. Similarly, European Union data protection authorities have noted that they lack resources and have faced criticism for the pace at which they process cases.
Breaux and Norton's project will examine how people trained in law and software engineering can work together in design teams. The two often come from different risk cultures — risk avoidance in the practice of law and risk-seeking in computing as part of innovation and market competition.
The project will study new ways to collect and represent legal and technical information, new ways to form and organize design teams, and new software requirements — all for the purpose of building accountability into software from the outset of the design process. In addition to advances in cross-functional teaming, the project will introduce new software-based tools to support collaboration between lawyers and engineers. This three-year project will include training new Ph.D. and law students and developing new course materials and applications for U.S. data processing and privacy law.
More information is available on the project's website.