To celebrate the tracks on technology and the city at CEPE/ETHICOMP and SPT 2017, we will publish a series of interviews. The second interview is with Lachlan Urquhart. He will be presenting his paper titled ‘Ethical Dimensions of User Centric Regulation”’ as part of the ICT and the City track as ETHICOMP/CEPE 2017. The interview has been conducted in May 2017.
What should our readers know about Lachlan Urquhart?
I’m a Scottish researcher based in Nottingham, UK at a multidisciplinary research centre called Horizon Digital Economy Research Institute. My research sits at the interface of Information Technology Law (particularly privacy/data protection and information security law), Human Computer Interaction and Computer Ethics.
I did my undergraduate in law at Edinburgh, my masters in IT law at Strathclyde, and my PhD here at Nottingham in the Horizon Centre for Doctoral Training, School of Computer Science. It’s a great place for doing multidisciplinary research as I spent the first year of my PhD doing a quasi-MSc of modules from science and technology studies, human computer interaction and human factors engineering through to statistics, programming, mobile app building and geospatial information services. This really opened my eyes to how other disciplines work and got me thinking about new directions for research. I was also based in the Mixed Reality Lab (MRL) here at Nottingham, surrounded by sociologists, computer scientists, artists and musicians looking at what it means to live with ubiquitous computing. Being at the edge of what is going on technically makes for interesting legal research too!
What has brought you to the city (as a research topic)?
I got increasingly interested in smart cities during my PhD when I helped Lilian Edwards organise a major Smart Cities conference at Strathclyde University a couple of years ago. Following this I edited a special edition of a UK IT law society magazine, Computers and Law, dedicated to contributions from the conference. I find the work of people like Rob Kitchin particularly influential because it surfaces concerns of citizens in the wider narratives about how urban life is changing as computing is embedded into the built environment. It also links to my other research interests in surveillance studies eg following David Murakami Wood’s UbiCity project, design eg environmental criminology/situational crime prevention and even work I’d done a few years ago on privacy implications of domestic drones.
I also have colleagues at the MRL doing research on adaptive architecture, so we’ve had many discussions about the legal and ethical implications of this too! Most recently, as I’ve also been working in the area of privacy by design for the domestic internet of things for a while, I’ve recently started looking to issues around Industrial Internet of Things, particularly cybersecurity considerations, and that brings us back to the realm of critical infrastructure and, linked to that, smart cities.
In your paper, “Ethical Dimensions of User Centric Regulation,” you argue that it’s about time that designers need to be recognized and thought of as regulators. You seem to take “Code is law” quite literal, right?
Yeah, Lessig is a big influence in IT law, so a lot of my LL.M was spent reading all his work! During the PhD I started to question this notion of code is law more, thinking what a turn to the design community to help solve tough regulatory challenges might actually mean in practice. We see drive towards IT design in the law, for example in Article 25 of the new EU GDPR, but what this means in practice is more difficult to anticipate. This informed my PhD work where I looked at how to situate the role of IT designers in regulation from four perspectives, namely - conceptually, legally, empirically, and through a design intervention. At the conceptual level, as in the ETHICOMP paper, I argued the case for why designers are now regulators. I focus on the HCI community, unpacking how their proximity to end users as a route for establishing their regulatory legitimacy, for example through participatory/co-design approaches. I also wanted to look at this from another level using legal case studies. So, I focused on smart meters and domestic internet of things as two complicated cases for privacy by design thinking about how the legal rights and responsibilities of different actors, from end users to third party marketers, play out. I was particularly interested in frameworks regulating access and control around personal data flows. These case studies were useful for thinking about the legal challenges, but I also wanted to understand what privacy by design might mean in practice for the internet of things, so I did a range interviews with experts from IT law and design, to get a sense of the challenges these concepts face in practice (as they are both emergent, nebulous terms). Similarly, I was involved in developing a design tool, a set of ‘ideation cards’, that translates the new GDPR into a more accessible, physical playing card based format. These cards were developed, tested and evaluated with different settings, from start-ups/SMEs to larger organisations ! Cumulatively, this work gave significant practical and conceptual insight as to what it might mean for designers to be regulators, how concepts are negotiated around, where strengths and weaknesses lie, what motivations exist and so forth. In any case, I think as law increasingly turns to design to help deal with challenges of regulating emerging technologies, we need much more dialogue and support to bring these communities closer together.
Unlike design, the process of law-making is delegated to institutions under democratic control. If we take the idea of “designers as regulators” seriously, doesn’t that imply that we need more democratic control over the design process?
That is one of the key tensions here. As regulatory increasingly involves non-state actors, and the law is pushing IT designers to be involved in regulation, I think the challenge is how to understand the scope of that role and make it legitimate. Translating traditional metrics of public accountability, like due process, is one approach, but I’ve been focusing on understanding what new approaches IT designers can offer as regulators and how this may establish their legitimacy. By focusing on a particular IT design community, Human Computer Interaction, I’ve argued their proximity and focus on needs of end users is a route forward. They are in a position to understand user needs from IT through tools like participatory, co or value sensitive design. When repurposed to understanding regulatory needs, for example around user rights, the designers and their tools can go beyond top down understandings of legitimacy, to engage with practices, relationships and routines of users at a more situated level. This helps get a sense of how technologies impact users in different settings, going beyond top down approaches of traditional regulators, where specificities of different users are often neglected. Designers also have scope for action, as these findings can be reflected in design. How they respond is bounded up in how ethical or legitimate their actions may be deemed. They can inform regulatory interventions mediated by the technology, although there are still limits to this because of the disconnect between how a technology is used in practice vs how it is designed. Nevertheless, understanding how to build awareness, engagement and supporting reflection of IT designers on regulatory dimensions of their work is an important line of inquiry.
Besides your own work, what readings would you suggest for someone interested in your topic?
Where to begin… here are some books/papers I found particularly influential:
- L. Lessig Code v2.0 (2006)
- A. Murray Regulation of Cyberspace (2006)
- R. Leenes “Framing Techno-Regulation” (2011)
- J. Black Decentring Regulation: Understanding the Role of Regulation and Self-regulation in a Post-Regulatory World (2001)
- M. Hildebrandt & B.J. Koops The Challenges of Ambient Law and Legal Protection in the Profiling Era (2010)
In a nutshell, what would you recommend to municipalities with regards to smart city technologies?
Engage with citizens as users to get a situated understanding of their needs and respond to those. Avoid treating the city purely at a macro level, but instead engage with different settings of technology deployment and how these interventions might shape the practices of communities (for better or worse).