compliance


Continuing my attempts to bring Shakespeare into as many posts as I can…

Let specialties be therefore drawn between us,
That covenants may be kept on either hand.

(Taming of the Shrew, II. i. 127-8)

A couple of weeks ago, I presented at the HR Technology Conference in Chicago, the topic being SaaS Contracts: how not to get ripped off. I made an animation to start the presentation, as talking about contracts can be a bit dry.


If the embedded version doesn’t behave, watch it here. My goal was to show the naivete of the typical buyer when dealing with a smooth salesperson. In the space of about 2 minutes, the buyer makes at least 9 major blunders. See if you can spot them. It is supposed to be funny, but I’ll let you be the judge of that.

A week or so after the event I did a podcast on the Bill Kutik Radio Show, where I go into a bit more detail. Have a listen here. I’m not a lawyer, so this doesn’t constitute legal advice, but I’m saddened by the ignorance on the side of the buyer, and the willingness of the seller to exploit that. That is business, I guess.

Or as Camillo said in The Winter’s Tale:

You pay a great deal too dear for what’s given freely.

Also, we have a lot of research on how to buy cloud/SaaS solutions. Gartner clients should definitely check out Alexa Bona’s research. Whether buying or selling, getting a fair contract is best in the long run.

(I’m very impressed with the Xtranormal tool for animation. I checked with their legal folks on usage, what a pleasure to deal with them).


From the CC flickrstream of sludgegulper. Thanks!

I have been watching and reading about the goings on with the UK parliamentarian expenses with a mixture of incredulousness, dismay, horror, and anger. This is a grave insult to the UK tax payers, and a blow to global democracy.  Corrupt politicians around the world can sleep easy. One man’s moat is another man’s Wabenzi.

Other than all the information about moat cleaners, tennis courts, duck shelters, large screen TVs, iPhones for husbands, 200 mile taxi rides, tax advisors, and mortgage payments on mortgages that no longer existed, I was struck by the absolute lack of process and systems to manage the expenses. The inefficiencies and the lack of control are astounding.

The problems are bigger than technology. The whole process needs a complete overhaul, but essentially we are talking about some basic compliance procedures: workflow approvals, automated routing of claims that fall outside policy, electronic receipt management, and SOD (separation of duties). Even a simple expense management system would go a long way to stopping this sort of abuse happening again. Rules can be easily automated and enforced, and with a bit of configuration even issues such as flipping and claiming for trivia could be managed.

Driven out of a good process system, the data could also be easily mashed up with consumer analytics tools such as Google maps, and a simple query tool, allowing concerned citizens the right to audit.
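To make the previous two paragraphs concrete, here is an added example (not from the original post) of how such rules can be automated: each claim is checked for separation of duties, a missing receipt, mortgage interest on a mortgage that no longer exists, and repeated changes of designated second home, and anything out of policy is routed to an audit queue with the reasons recorded rather than silently approved. The thresholds, member names and sample claims are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Hypothetical policy parameters, chosen for this example only.
RECEIPT_THRESHOLD = 25.00        # receipts are required above this amount
MAX_HOME_CHANGES_PER_YEAR = 1    # more changes than this looks like "flipping"


@dataclass
class Claim:
    claim_id: str
    member: str
    approver: str                 # who signed the claim off
    category: str
    amount: float
    claimed_on: date
    receipt_attached: bool = False
    mortgage_active_until: Optional[date] = None   # mortgage_interest claims only
    designated_home: Optional[str] = None          # second-home claims only


def check_claim(claim: Claim, history: list) -> list:
    """Return the policy violations for one claim (empty list = in policy).
    `history` is the member's earlier claims this year, in date order."""
    issues = []
    # Separation of duties: whoever files a claim must not approve it.
    if claim.approver == claim.member:
        issues.append("SOD: claimant approved own claim")
    # Receipt management: no receipt, no payment above the threshold.
    if claim.amount > RECEIPT_THRESHOLD and not claim.receipt_attached:
        issues.append("receipt missing for amount above threshold")
    # Mortgage interest is only claimable while the mortgage still exists.
    if claim.category == "mortgage_interest":
        if claim.mortgage_active_until is None or claim.mortgage_active_until < claim.claimed_on:
            issues.append("mortgage not active on claim date")
    # Flipping: count changes of the designated second home over the year.
    if claim.designated_home is not None:
        homes = [c.designated_home for c in history if c.designated_home]
        homes.append(claim.designated_home)
        changes = sum(1 for a, b in zip(homes, homes[1:]) if a != b)
        if changes > MAX_HOME_CHANGES_PER_YEAR:
            issues.append(f"designated home changed {changes} times this year")
    return issues


def route_claims(claims: list) -> dict:
    """Route each claim to the 'approval' or the 'audit' queue with its reasons.
    Returns {claim_id: (queue, issues)}; claims are processed per member in
    date order so the flipping rule sees the correct history."""
    routed, by_member = {}, {}
    for c in sorted(claims, key=lambda x: (x.member, x.claimed_on)):
        history = by_member.setdefault(c.member, [])
        issues = check_claim(c, history)
        routed[c.claim_id] = ("audit" if issues else "approval", issues)
        history.append(c)
    return routed


# Constructed sample claims (not real data); each exercises one rule.
SAMPLE_CLAIMS = [
    Claim("C1", "mp_a", "fees_office", "travel", 18.40, date(2009, 2, 3)),
    Claim("C2", "mp_a", "mp_a", "office", 640.00, date(2009, 3, 9), receipt_attached=True),
    Claim("C3", "mp_b", "fees_office", "mortgage_interest", 1200.00, date(2009, 4, 1),
          receipt_attached=True, mortgage_active_until=date(2008, 12, 31)),
    Claim("C4", "mp_c", "fees_office", "accommodation", 900.00, date(2009, 1, 5),
          receipt_attached=True, designated_home="flat_1"),
    Claim("C5", "mp_c", "fees_office", "accommodation", 900.00, date(2009, 5, 5),
          receipt_attached=True, designated_home="house_2"),
    Claim("C6", "mp_c", "fees_office", "accommodation", 900.00, date(2009, 9, 5),
          receipt_attached=True, designated_home="flat_1"),
    Claim("C7", "mp_d", "fees_office", "office", 89.99, date(2009, 6, 1)),
]

if __name__ == "__main__":
    for cid, (queue, issues) in route_claims(SAMPLE_CLAIMS).items():
        print(cid, queue, "; ".join(issues))
```

The routed result, with its recorded reasons, is exactly the kind of structured data that could be published for the citizen audit the post goes on to describe.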

Indeed, there has been a wave of excellent mashups and analytic reports based on the data that has been released and collated.


Charles Arthur over at the Guardian has a closer look. Tony Hirst’s blog gives an excellent account of the technical effort needed to do this, all with essentially free software. It is interesting to see how various technologies and techniques have been deployed; there is more here. It is a fascinating study for anyone interested in analytics and data visualization. It does make the analytics offerings of many of the software vendors I cover seem rather dowdy, but that story is for another day.

Shining a bit of sunshine on the issue by opening up the data is the best remedy. After all, when I last looked, parliamentarians work for the citizens.

As some of you know, I’m labouring away at what must be one of the longest part-time PhDs ever. My research is looking at how software code and law work or don’t work together. However, there is light at the end of the tunnel. In order to add a bit of empirical juice to what will be a rather dry theoretical legal tome, I’ve decided to do a survey.

I won’t bore you with the whole long story of the diss. here, but if you are interested in knowing more, please drop me a note and I can send you more details.

Whether it is ERP systems or toasters, software impacts much of our daily lives. We ask and demand software to do things on our behalf; software transacts, it searches, it assesses, and in some cases it judges us. Legal systems have evolved over centuries to codify rights and obligations in societies. Throughout history law and technology have interacted, modifying each other along the way. It is often an uneasy relationship.

Whether it is contract law, licensing, intellectual property, privacy laws, accessibility or liability, software and law interact significantly. There is a fairly large field of research looking at this relationship between code and law (Lessig being the most famous, but there are many others).

However, not much research has focused on the role of the software developer and software firm in this relationship. So I decided to spend part of my dissertation looking more closely at the role of the software firm and the software developer in the code as law relationship. I want to ask as many software people as possible about what they understand of the law that can impact software, and what their attitudes are towards a couple of legal concepts in a software context.

It is designed to gather information about the knowledge, education and attitude of software developers towards the law related to software, and how law is or isn’t built into software. My goal is not to just have a small survey of a couple of hundred developers, but to really survey lots of them.

To do this, I want to tap as many of my readers as I can to spread the news of the survey, and for as many of you to take the survey as possible. The more answers I can get from around the world, the richer the results will be. I will also be following up with telephone interviews with a much smaller sample group.

In this survey I have used the term software developer rather broadly. I define this to be anyone working professionally to design, build or maintain software (information technology). So if you are a product manager, solution manager, implementation consultant, systems architect, business analyst, or a systems tester, for instance, then we would be just as interested in your responses. The survey isn’t just aimed at those who code, but at those who make a living from its construction and maintenance. Much of this group would fall under that definition. The Germans have a rather nice term, Informatiker, but it doesn’t really translate very well.

While Gartner is supportive of my PhD, this research doesn’t form part of my formal Gartner research agenda. In other words, it isn’t a Gartner survey!

Several developer friends have been kind enough to test the survey and give me feedback, much of which I have incorporated in this final version. (If you tested the earlier versions, please take the survey again.)

Blunders and errors remain my responsibility.

Here is the survey as it stands today.

https://www.surveymonkey.com/s.aspx?sm=oxUTPWBBgFXHolONAGhAJg_3d_3d

Please take this link and spread it to your software friends, colleagues and families.

Thanks to the truly brilliant stream of Auntie P.

I’m very late to this, and originally I wasn’t planning to comment on the Scoble-Facebook thingy (see techmeme), but after seeing James Governor’s del.icio.us link comment about Nick Carr’s post, I figured I’d jump in.

James said…

my take: Che? No. Scoble the Mike Huckabee of the A-list. He thinks privacy is “just a theory” but runs awesome home and webspun campaigns… aw shucks

Spot on James. (thanks also to James for getting me into this CC flickr photo thingy)

Part of Robert’s defence is that he was “only” collecting

Names and email address and birthday.

But name, email address and birthday are personal data.

Here in ye old Europe we have a pretty clear legal definition of personal information.

Personal data are defined as “any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;” (art. 2 a of the EU Data Protection Directive)

I don’t want to go into a long history of European privacy law here, but the ancient runes (1980) of the OECD guidelines are a good starting place. The seven principles governing the OECD’s recommendations for protection of personal data were:

   1. Notice—data subjects should be given notice when their data is being collected;
   2. Purpose—data should only be used for the purpose stated and not for any other purposes;
   3. Consent—data should not be disclosed without the data subject’s consent;
   4. Security—collected data should be kept secure from any potential abuses;
   5. Disclosure—data subjects should be informed as to who is collecting their data;
   6. Access—data subjects should be allowed to access their data and make corrections to any inaccurate data; and
   7. Accountability—data subjects should have a method available to them to hold data collectors accountable for following the above principles.

These principles eventually wound up as the foundation of the Data Protection Directive, which in turn ended up in the national law of all EU countries. They would make a good start for anyone building a terms of service for an offering that consumes personal data too.

The principles in the UK Act are defined as follows.

Personal data:

  1. Shall be processed fairly and lawfully.
  2. Shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose(s).
  3. Shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
  4. Shall be accurate and, where necessary, kept up to date.
  5. Processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
  6. Personal data shall be processed in accordance with the rights of data subjects under this Act.
  7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
  8. Personal data shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection of the rights and freedoms of data subjects in relation to the processing of personal data.

Robert Scoble’s actions may be perceived as noble in some quarters, but they don’t impress me. He single-handedly bashed through most of the basic principles of privacy with his scraping exercise, never mind Facebook’s terms of service. Facebook was right to take Robert on here. Facebook is subject to the provisions of European Data Protection Law. Facebook is part of the safe harbor.

Carr nails it.

Facebook has an obligation to protect the data entrusted to it by its members. At the very least, members should have the right to decide whether or not their personal information can be scraped out of the Facebook database. Scoble did not give them that choice. That doesn’t mean that Facebook is the hero. It, like other social networks, happily scrapes information from members’ email accounts to identify possible new members. Facebook will scrape when it suits its commercial interest but will block scraping when it doesn’t. Still, in this particular case, Facebook did what it needed to do: protect the information and the interests of its members. Until controls are in place, unauthorized scraping of other members’ personal information shouldn’t be allowed.

What the Scoble affair reveals is that the issue of “data portability” is not a simple issue but a fraught one. Data scraping can make our lives easier, but it can also put us at risk.

So does Anne.

Even if Scoble’s Facebook friends agreed to let him view their data on Facebook, they didn’t agree to let him take that information wherever he wants to do with what he wants. He could use a screen scraping program to grab data that they consider just-among-friends and stick it out in public without any regard for their privacy settings. You might say, “Scoble wouldn’t do that” but it’s Facebook’s responsibility to see that it doesn’t happen.

Data portability could be designed into Facebook in such a way that it doesn’t compromise users’ privacy. At the very least, an opt-in to profile sharing outside Facebook would need to be provided. Allowing uncontrolled screen scraping is not the answer.

And Loren Feldman’s acerbic take is well worth a watch. See the comments too. This one from Patrica (who has a super golf blog):

Though evidently there are a number of geek wannabes out there just itching to join a data martyr movement.

Hat tip gapingvoid’s twitter

You may find this article on the position of Facebook in UK law interesting. Facebook could move at speed to suspend Robert, but seems awfully unwilling to let other people voluntarily remove themselves. I’ve rambled before about Facebook and data protection law.

Robert, no doubt, had good intentions, but he was breaking the law, both in terms of the Facebook terms and conditions and, for those Europeans lurking in his 5000 “Friends”, a good bit of data protection law too. Processing 5000 records moves one beyond the realms of Dunbar’s law into data controller mode.

I’m glad to see blawgs joining the discussion, for instance the Canadian Privacy Law Blog. Also I’m very pleased to see privacy manifestos emerging, such as this one over on gigaOM, but rather than inventing stuff from new, I’d propose that the web 2.0 gurus get talking with some folks who know privacy and its complexities. It is a lot harder than it looks.

The right to privacy is one of the most complex legal and technical issues, and not just since web 2.0. The Germans passed privacy laws in the 1970s and are still grappling with the balance between privacy, security and freedom of speech. One of the most famous cases in US law is mainly about privacy rights.

The more folks start thinking and talking about privacy, and the sooner privacy impacts buying decisions, the better.

Daniel Solove’s recent book is a damn good place to start, especially from a US perspective.

For the technical challenges, Jeff Jonas is a must read. I’d like all developers who touch personal data to read and understand Kim Cameron’s laws of Identity.

I’d love to see more from Pangloss or on this too, oh and a Geeklawyer rant would be nice too. I hope to be at this conference next year, the 8th Privacy Enhancing Technologies Symposium (PETS 2008). It would be even better if Facebook sent some folks along too.

Video here, if not visible. TEDtalks session.

I think I’ve read everything that Larry Lessig has published, and I saw him live a few years ago at the Oxford Union. This TED talk is one of his best. Restricting presenters to 20 minutes is a good discipline, at least in this format. Lessig is a master of using multimedia to delight and enhance his message, and his images leave an indelible residue in the back of your mind. Next time you hear a brass band, you will think of Lessig, and the need for copyright reform.

As adults we form opinions and take positions on issues such as war, abortion, death penalties, speed limits, drinking ages, the environment, human rights and so on. It is part of what defines us as human beings. It is time we did the same with copyright. Understanding copyright and intellectual property generally, and forming your own opinion about them is vital. I believe that as adults, we have a responsibility to understand copyright, its good bits and its problems, and have an informed opinion.

As politicians blog, and use YouTube, Twitter and the like, it is also time we heard from them about what they think of copyright. When you decide who to vote for, you assess their positions on a whole slew of factors; I’d ask you to add copyright to that list. I notice that John Edwards has come out in favour of net neutrality, but I’d love to know what his and the other candidates’ positions are on copyright and patents…

Some people have heard of the EFF, and indeed an EFF sticker on the MacBook is rather trendy in digerati circles.

from pixelm

It is worth spending some time over on the EFF site, and on Chilling Effects. The EFF is primarily focused on US issues, but these are important for the rest of us, as US law and lawlessness have global repercussions.

If I’d been to Berlin for web 2.0, I would have listened to Cory Doctorow’s presentation on copyright. Instead, I’ll have to rely on Stephanie Booth’s notes.

Support the Open Rights Group

It is timely that my favourite law blogger, Geeklawyer, mentioned ORG (the Open Rights Group). This is the UK equivalent of the EFF. According to the said Geeklawyer, who is sometimes reliable…

Jolly good job too. As its 2007 report shows it has more than lived up to its promise and done some magnificent work for such a new and minimally funded organisation. For example so far it has influenced the Gower report, helped shine an unwelcome spotlight on the farce of e-voting in the UK and counterbalanced the gross dissembling of the shadier parts of the copyright industry. It’s now a central media resource for journalists needing more balance in their reports – something desperately needed.

I’ll quote from the report here.

Further, digital technologies are affecting citizens’ ability to exercise their existing legal rights effectively, as some segments of the private sector have increasingly looked to government to extend their rights in an effort to prop up outdated business models. And digital technologies may also generate new possibilities for public (non personal) data, though the UK government has tended to corral public sector information, limiting its exploitation and thus creative and economic opportunities.

For too long, there has been little informed public debate in the UK about any of these issues. Media coverage and policy-making has largely been driven by agendas set in Whitehall and corporate board rooms and there was no organisation in the UK defending citizens’ digital rights.

For those more technically inclined, James Governor has this to say.

ORG is now looking for more money and more members as it further professionalises. So if you’re in the UK sign up. The EFF is nice and all, but the ORG is looking after local issues. In fact I am going to go make a donation right now!

(Actually I think James and Geeklawyer ought to meet!)

Check out the ORG wiki here. The board and advisory council of ORG have some serious heavy hitters on them, including the drummer of Blur, one of the Cluetrain authors and several top legal academics.

You may read the EFF and ORG stuff, and come to a view that you don’t agree with them, and that copyright is fine the way it is, or even that Disney etc need more rights. That is your democratic right. But I’d ask you to form an informed opinion.

“The civil rights battles of this century will be fought online – by groups of passionate, technologically keen, articulate volunteers like ORG.” — Cory Doctorow, author

There is more to the copyright question than copying music.

In between all the SAP Business Objects pontifications, I just noticed this morning that Oracle has bought LogicalApps. This seems to be a rather delayed response to SAP’s acquisition of Virsa nearly 2 years ago, and another catch-up attempt. In SAPspeak this would be a “tuck-in”, but it is also an admission from Oracle that SAP is winning in the GRC space. It is a defensive play, and won’t really strengthen Oracle’s position beyond its core Oracle Financials users. Nevertheless, it makes sense.

LogicalApps plays in the SOX 404 and financial closing space, and from my understanding mainly sells to Oracle customers, and does well at it. LogicalApps has itself grown by acquisition, having bought Applimation earlier this year. Interesting also to see the focus on OMB A-123, a US public sector regulation. The customer base seems to be overwhelmingly US based. I’d not heard of them in a European context.

Over the last 4 years or so, there has been an explosion of GRC related vendors. Despite a rapidly growing market, more consolidation is likely. Perhaps I’m misreading this, but the venture-funded, 150-odd-employee, 300-customer, IPO-unlikely-for-a-while company is a tough place to be. Chasm jumping and all that.

I look forward to reading the Approva Audit Trail blog take on this. Perhaps Mark Crofton could take a pause from winning GRC deals and do a post too?


I continue to be impressed by Sun Microsystems. Until I met James Governor and then started reading Jonathan’s blog, Sun wasn’t really on my radar. Now I follow Sun quite closely. It strikes me as a very innovative organisation. I saw this announcement today about Measuring Green. I’ve just been over to the openeco.org site. Goodness indeed.

According to research cited on Nick Carr’s blog, Rough Type, a considerable portion of the earth’s energy consumption is from computer usage.

On a global basis, Sarokin estimates that the computing grid consumes 868 billion kWh a year, or 5.3% of total consumption.

There are other estimates that put this higher.

It is not at a Moore’s law level of growth, but as we continue to consume more and more services, and buy more and more software, the world will require more and more hardware, and, unless things change, use more power.

About a year ago Carr wrote about Frugal Computing. He picked up this quote.

“The computers we love so dearly,” wrote Timothy Prickett Morgan in 2004, “are among the most inefficient devices ever invented”; most of the electricity that goes into them is released “as heat, noise, and light”:

The heat of computers comes from chips and mechanical components, the noise comes from fans and disks, and light comes in the form of blinking lights and monitors. Once any kind of computer makes its heat … the energy cycle doesn’t end there. That heat has to be removed so the computers and the people near them can continue functioning properly. This, ironically, takes more fans and air conditioners, and therefore more electricity … And while the electricity bills for running and cooling computers are generally not part of an IT budget, a company with lots of computers has to pay for all that juice

I think it is high time to add the role of the software vendor into this discussion. I believe the software industry ought to do three things.

1. Start designing software that has a lower energy consumption footprint. After all, people buy hardware to run software. The equation is a simple one. I like the concept of the Green API. (tip James)

2. Build software that helps others reduce and measure energy consumption. I’m thinking here of supply chain monitoring, for instance, enabling customers to make buying decisions based on green criteria. When I buy my next car, I’d be prepared to wait longer for delivery if my order was optimised for lower energy consumption in the production process. I’m probably not the only one.

3. Ditch the fallacy that software is a clean industry without externalities.

So when I read about Sun’s involvement with a community to help cut greenhouse emissions, I say brill and fab. There is a goodly dose of 2.0 community in this too. Making it open source also helps drive it out as a broader initiative:

“Our goal is to lower the barriers for companies to measure and report their environmental footprint,” says Sun’s vice president of eco-responsibility, Dave Douglas. “For a company like Sun, figuring out how much energy you’re burning is pretty complex. So we’re trying to use open-source software development ideas to take the tools we’ve developed internally and make them publicly available.”

Forbes nails the significance of this when it notes:

Innovators in the green information-technology movement reap good publicity from their ever-higher standards of energy efficiency. The real goody two-shoes, however, inflict those standards on their competitors.

Measuring the environmental impact of a business becomes an important factor in evaluating the risk profile of investments, so investment bankers and the like are demanding more transparency on environmental risk. This is already starting. Look at Ceres:

“The SEC exists to make sure that investors have the information that they need to make smart decisions,” said Mindy Lubber, president of Ceres, a group that promotes environmental standards among private companies. Ceres and the Calvert Group, an asset management firm, said in a January report that more than half of the companies in the Standard & Poor’s 500-stock index “are doing a poor job of disclosing climate change risk.”

SAP is getting its act together, but I think we should learn lots from what Sun is up to. Part of this is about beefing up the GRC strategy to include a stronger environmental element, especially in the areas of risk management and disclosure, but a bigger part of it involves looking closely at the broader social implications of software.
