As some of you know, I’m labouring away at what must be one of the longest part-time PhDs ever. My research is looking at how software code and law work or don’t work together. However, there is light at the end of the tunnel. In order to add a bit of empirical juice to what will be a rather dry theoretical legal tome, I’ve decided to do a survey.

I won’t bore you with the whole long story of the diss. here, but if you are interested in knowing more, please drop me a note and I can send you more details.

Whether it is ERP systems or toasters, software impacts much of our daily lives. We ask and demand that software do things on our behalf; software transacts, it searches, it assesses, and in some cases it judges us. Legal systems have evolved over centuries to codify rights and obligations in societies. Throughout history law and technology have interacted, modifying each other along the way. It is often an uneasy relationship.

Whether it is contract law, licensing, intellectual property, privacy laws, accessibility or liability, software and law interact significantly. There is a fairly large field of research looking at this relationship between code and law (Lessig being the most famous, but there are many others).

However, not much research has focused on the role of the software developer and software firm in this relationship. So I decided to spend part of my dissertation looking more closely at the role of the software firm and the software developer in the code as law relationship. I want to ask as many software people as possible about what they understand of the law that can impact software, and what their attitudes are towards a couple of legal concepts in a software context.

It is designed to gather information about the knowledge, education and attitude of software developers towards the law related to software, and how law is or isn’t built into software. My goal is not to just have a small survey of a couple of hundred developers, but to really survey lots of them.

To do this, I want to tap as many of my readers as I can to spread the news of the survey, and for as many of you to take the survey as possible. The more answers I can get from around the world, the richer the results will be. I will also be following up with telephone interviews with a much smaller sample group.

In this survey I have used the term software developer rather broadly. I define this to be anyone working professionally to design, build or maintain software (information technology). So if you are a product manager, solution manager, implementation consultant, systems architect, business analyst, or a systems tester, for instance, then we would be just as interested in your responses. The survey isn’t just aimed at those who code, but those who make a living from its construction and maintenance. Much of this group would fall under that definition. The Germans have a rather nice term, informatiker, but it doesn’t really translate very well.

While Gartner is supportive of my PhD, this research doesn’t form part of my formal Gartner research agenda. In other words, it isn’t a Gartner survey!

Several developer friends have been kind enough to test the survey and give me feedback, much of which I have incorporated in this final version. (If you tested the earlier versions, please take the test again.)

Blunders and errors remain my responsibility.

Here is the survey as it stands today.

Please take this link and spread it to your software friends, colleagues and families.

Facebook is indeed taking the world by storm. Apparently it is growing 6% a week in the UK, and now has 30 million users worldwide. I’m gradually finding myself using it more, not just to play with, but as a useful business tool.

But there are more implications to Facebook than meets the eye.

Denise Howell from ZDNET provides a good starting point to explore some of the legal implications of Facebook (and, in fairness, of other social media tools).

Firstly, from an employment law perspective I’d urge you to have a look at George’s series of posts.

Employers Using Facebook for Background Checking

More on using facebook et al. in recruiting and hiring (Part II)

Employers Using Facebook for Background Checking, Part III

Sobering stuff, both as an employee and employer. Any UK or German law bloggers fancy transposing that into something relevant for this side of the pond? Perhaps someone from Allen and Overy?

Secondly, one of the UK’s leading computer law academics has picked up on the privacy and data protection law implications that Facebook creates. Lilian writes:

My colleague Ian Brown of Blogzilla reports on an interesting post on why Facebook may be violating European privacy law.

The article reveals that creating an “exploit” in FaceBook – ie hacking the privacy of unsuspecting users – is trivially easy. All you have to do is use Advanced Search and you can search across controversial (and in European DP language, “sensitive”) pieces of data such as Religion and Sexuality in apparently unlimited numbers of profiles. This is true even if the user has taken steps to protect the privacy of their data (see below). As Ian comments this is a security failure on FB’s part, which should have been trivially easy to fix in their code.

She goes on

Do we need a legal solution? Is there a case for extension of DP law to cover the setting of defaults on social network sites? Should privacy not be the default, by law (perhaps with some exceptions to preserve functionality, such as name and network) and openness the opt-out, rather than the reverse? Maybe. Maybe all that is needed is an Industry Code of Practice combined with some upping of awareness of the issue. However with the number of people – especially young pre-employment proto-citizens – involved in web 2.0 sites rising by the minute, this really does seem an issue which is not merely knee jerk alarmism and should not be swept under the carpet. First year students may not care now about spilling their sexuality and contacts to the world: they may when they are older, wiser and looking for employment :)

It is good to see that Facebook is registered in the EU safe Harbour, but wonder if anyone from the DP authorities has looked at Facebook’s architecture, because as is noted above, the processing of sensitive data is likely to be in contravention of the Directive. I question the safety of the safe harbor model too, but that would be a long rant…

When the architects of Facebook began to code away in their Harvard dorm room they may not have even been aware of the EU Data Protection Directive and the nuances of its various national-level implementations, and even if they had, it would have been unlikely that they would have architected the legal principles into the application. There is little market pressure to do so. There are limited guidelines even if you wanted to, and it would have just added complexity to the application and slowed its adoption.

Yet sometimes the law exists to protect us from ourselves. Like seat belts and traffic regulations. As more and more of our lives and socialising move online, then those that build and run the applications need to take greater heed of the law. And the law will need to take greater heed of the online world.
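As an added example (not code from this post, from Lilian Edwards’s or Ian Brown’s write-ups, or from Facebook), here is a small Python model of the failure described in the quote above: a search that reads stored profile fields directly, so a user’s visibility settings never enter the decision, beside a search that filters through each user’s field-level visibility first, with privacy as the default and name and network as the functional exceptions the quote mentions. The Profile shape, the visibility level names and the sample profiles are assumptions made for illustration.

```python
"""Toy model of search versus per-field privacy settings.

Constructed example: not Facebook's code. It contrasts a search path that
ignores visibility settings with one that applies them, and shows why the
*default* level matters as much as honouring explicit settings.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Exceptions kept open "to preserve functionality" (assumed set).
ALWAYS_VISIBLE = {"name", "network"}
# Visibility levels (assumed names, not a real API).
PRIVATE, NETWORK, PUBLIC = "private", "network", "public"


@dataclass
class Profile:
    network: str
    attributes: Dict[str, str]                              # stored field -> value
    visibility: Dict[str, str] = field(default_factory=dict)  # field -> level set by the user


def search_unfiltered(profiles: List[Profile], key: str, value: str) -> List[str]:
    """Weak variant: matches against stored attributes directly, so a user
    who set a field to private is still found by anyone who can query."""
    return [p.attributes["name"] for p in profiles if p.attributes.get(key) == value]


def _allowed(level: str, profile: Profile, viewer_network: Optional[str]) -> bool:
    """Deny unless the level explicitly grants access to this viewer."""
    if level == PUBLIC:
        return True
    if level == NETWORK:
        return viewer_network is not None and viewer_network == profile.network
    return False


def visible_attributes(profile: Profile, viewer_network: Optional[str],
                       default_level: str = PRIVATE) -> Dict[str, str]:
    """Hardened variant: decide field by field what this viewer may see.
    Fields with no explicit setting fall back to default_level; PRIVATE
    gives 'privacy as the default, openness as the opt-out'."""
    out: Dict[str, str] = {}
    for key, value in profile.attributes.items():
        if key in ALWAYS_VISIBLE:
            out[key] = value
            continue
        if _allowed(profile.visibility.get(key, default_level), profile, viewer_network):
            out[key] = value
    return out


def search_filtered(profiles: List[Profile], key: str, value: str,
                    viewer_network: Optional[str],
                    default_level: str = PRIVATE) -> List[str]:
    """Search only over what the viewer is entitled to see, so a private
    or unset sensitive field cannot be matched, let alone listed."""
    return [p.attributes["name"] for p in profiles
            if visible_attributes(p, viewer_network, default_level).get(key) == value]


# Constructed sample data: three profiles sharing one sensitive value.
SAMPLE_PROFILES = [
    # Alice took steps to protect the field.
    Profile("edinburgh", {"name": "alice", "network": "edinburgh", "religion": "X"},
            {"religion": PRIVATE}),
    # Bob never touched his settings, so the site default decides.
    Profile("edinburgh", {"name": "bob", "network": "edinburgh", "religion": "X"}),
    # Carol explicitly opted in to publishing the field.
    Profile("london", {"name": "carol", "network": "london", "religion": "X"},
            {"religion": PUBLIC}),
]


def demo() -> Dict[str, List[str]]:
    """Run the same query under each policy; returns the matched names."""
    return {
        "unfiltered": search_unfiltered(SAMPLE_PROFILES, "religion", "X"),
        "filtered_privacy_default": search_filtered(SAMPLE_PROFILES, "religion", "X", "edinburgh"),
        "filtered_open_default": search_filtered(SAMPLE_PROFILES, "religion", "X", "edinburgh", PUBLIC),
        "filtered_logged_out": search_filtered(SAMPLE_PROFILES, "religion", "X", None),
    }


if __name__ == "__main__":
    for policy, names in demo().items():
        print(f"{policy:>26}: {names}")
```

The unfiltered search returns all three names, including Alice who explicitly closed the field. The filtered search with a private default returns only Carol, who opted in; switching the default to open brings Bob back even though he never chose anything, which is the defaults question the quoted post raises.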

BTW, Harvard is home to some of the best research on internet law; check out the Berkman Center. It led me to Rebecca’s blog and then to this video about Facebook. Make up your own mind…

I sense another chapter brewing.


Last week James Governor kindly bought me lunch and gave me a book. The curry was very good, but the book has had a profound impact on me. It is not often that I finish a book and then immediately read it again. Nassim Nicholas Taleb’s book, Fooled by Randomness, is such a book.

Throughout my business studies at university, I heard a lot about the rational man. Rationality became something assumed. At the centre of most economic, efficient-market and business theory is rational, self-interested behaviour. This book knocks that on the head.

Nassim has performed a format c: on a goodly portion of my naive assumptions about financial markets and life in general. He has validated lots of what Francis Antonie and Douglas Irvine taught me as a political philosophy student years ago and I’d forgotten. It is time to dust off Karl Popper, and start thinking again.

Who ya callin' bignose

Photo from Flickr by launceston_lad

Black swans are symbolically important because, until Australia was discovered, it was believed that all swans were white. This is a good example of a logical fallacy. There is a difference between “there is no evidence of black swans” and “there is evidence of no black swans”.

We humans tend to fall into the induction trap. I do it a lot.

In the airport on the way home I spotted his new book. It has the title, you guessed it, Black Swan. I was glad my flight was delayed: I could read more of it. He Americanises Bertrand Russell’s chicken, turning it into a turkey.

A little googling and I discovered Knackeredhack, who has a good review of the book here, as well as an excellent interview series.

Nassim’s motto is

“My major hobby is teasing people who take themselves & the quality of their knowledge too seriously & those who don’t have the guts to sometimes say: I don’t know.…” (You may not be able to change the world but can at least get some entertainment & make a living out of the epistemic arrogance of the human race).

Nassim writes very well; the prose is tight and buzzword-free. He doesn’t dumb things down and he explains without being condescending. He merges a fantastic knowledge of the classics with a profound grasp of probability. He is witty but serious.

So many new things to learn, and so much that I learned decades ago but need to rediscover: hindsight bias, Platonic folds, logical fallacy, epiphenomena, exquisite cadavers, induction, Mandelbrot, Hume, Wittgenstein’s ruler, negative skewness, Extremistan and Mediocristan. The list goes on.

My readers will have noticed I’ve been working on trying to understand risk recently, and Nassim’s work has made me realise that risk isn’t as simple as I thought it was. After spending most of my adult life avoiding statistics, I’m realising the folly of my ways.

I’d better build my antilibrary.

By coincidence I stumbled on this post from the O’Reilly Radar this morning on the beauty of statistics. Watch Professor Rosling’s video. Swivel also looks rather interesting. Just remember those black swans….

Vinnie, Dennis, James and I are having a rather long-winded discussion on Compliance, Governance and Risk, and in part the Sarbanes-Oxley Act of 2002. (We had a similar run-in last year.)

I don’t really like it when the broader compliance discussion ends up focusing on the costs of section 404 of SOX, but this is where the debate always seems to end up. (I’ll save that rant for another day, but there is more to SOX than audit, more to compliance than SOX, and more to GRC than compliance.) In this post I won’t discuss software. I’ll focus on SOX.

Vinnie, I don’t think I am glamourising compliance, but at the risk of being trite I’d suggest that you are looking at business through a set of rose-coloured specs. Options scandals, excessive executive pay, anyone?

I’m not arguing that SOX is perfect, just that it is working. Investor confidence is up, transparency is up, and costs are on the way down. Yes, audit costs are still way too high, but recent reforms may help to address this.

I was updating my reading list this morning. I wish I’d found this blog earlier. Lots of interesting, well-researched stuff on compliance. Well worth a long perusal. The site pretty much debunks the argument that SOX is a failure, and also points out that many business leaders are strong supporters of SOX.

The blog is maintained by Prof Brown from The University of Denver. Herewith an excerpt from a recent paper.

Sarbanes-Oxley (SOX) was adopted in a rush, political expediency necessitating that something be done before the 2002 election to minimize voter backlash from the collapse of Enron and WorldCom. Despite the rush, the Act contained a number of improvements on the current state of regulation, including a separation of accounting and consulting services, increase in the strength and independence of the audit committee, certification of financial statements by top officers, and assessment of internal controls by managers and auditors.


The blog led me to this piece written by Joel Seligman and Harvey J. Goldschmid. Seligman is president of the University of Rochester and has written several books about securities regulation; Goldschmid is Dwight Professor of Law at Columbia Law School and served as a commissioner of the SEC from 2002 to 2005, and as general counsel of the SEC in 1998 and 1999.

It is important to remember the context in which SOX was passed.

Go back about five years. This country was in the midst of the largest securities fraud wave in its history. Daily news stories highlighted the alleged misconduct of major corporations, including Enron Corp. and WorldCom Inc. As significant were several other lesser known trends. Financial restatements had grown linearly between 1997, when there were 116 restatements, and 2001, when there were 305. Not all of the restatements should be attributed to fraud, but a significant number fairly could be. The staff of the SEC had not grown by a single position between 1995 and 1998. Deterrence, as we entered the new century, had been grievously weakened. Significant areas of concern, such as research analysts, were largely unaddressed by the commission. In the months running up to the enactment of the Sarbanes-Oxley Act, aggregate stock market values declined by more than $7 trillion between selected dates in March 2000 and July 2002.
These developments led Congress (by a vote of 99-0 in the Senate and 423-3 in the House), the SEC, the New York Stock Exchange and the National Association of Securities Dealers to respond vigorously with the Sarbanes-Oxley Act and other important reforms. Conflicts of interest in the auditing profession and in corporate board practice have been systematically reduced. Internal auditing controls have been effectively strengthened through executive certification and the much-criticized § 404 of Sarbanes-Oxley. The SEC’s budget was dramatically increased, and the SEC and Justice Department devoted much greater resources to enforcement. And private securities class actions have played an important role in deterring corporate misconduct.

They go on to note:

Is the system perfect today? Of course not. It is nearly universally recognized that compliance costs with respect to § 404 of Sarbanes-Oxley have been too high, particularly for small and medium- sized firms. But the system is working. The Public Company Accounting Oversight Board has recently proposed revising its most expensive Audit Standard No. 2 (the basis for most complaints about § 404) and replacing it with a streamlined Audit Standard No. 5. The SEC itself has offered constructive guidance that should further reduce compliance costs.

See also what the Business Roundtable had to say in 2003. I’d argue they are more representative of the CEO than Fortune magazine is (given that it directly represents one third of listed companies, rather than the whims of an editor).

The following is submitted on behalf of The Business Roundtable, an association of chief executive officers of leading corporations with a combined workforce of more than 10 million employees in the United States and $3.7 trillion in revenues. …

The Business Roundtable strongly supported the enactment of the Sarbanes-Oxley Act of 2002 (the “Sarbanes-Oxley Act”), and we applaud the Commission’s efforts to implement the Sarbanes-Oxley Act.

Read the full submission here. And if you go to the Business Roundtable site you will see continued, consistent support for SOX.

Brown’s blog also led me to this Business Week article: not everyone hates SarbOx.

Lost amid all the boos over SarbOx, they say, are some major benefits. The biggest: SarbOx and related reforms have produced much more reliable corporate financial statements, which investors rely on when deciding whether to buy or sell shares. For them, SarbOx has been a godsend.

At the end of the day though, SOX is about the investors. Since the passage of SOX the Dow has almost doubled, and some of the credit for this should go to those who passed and implemented the law.

I’ll finish with a link to a bad couple of weeks for critics of SOX.



I sense a series of enterprise software and law-compliance posts brewing. I tried to explain some compliance stuff last night via email, but I failed. The signal-to-noise ratio was wonky. So I’ll post instead. Warning: if you find law, finance costs and software boring, stop reading now.

I’d rather pick up on other laws than the Sarbanes-Oxley Act of 2002, as it tends to crowd out discussion on other important laws, and paints a very US-centric picture of compliance. But given that the Act is undergoing a timely fine tuning, I figured it was worth a revisit.

Details here on the SEC site.

“Congress never intended that the 404 process should become inflexible, burdensome, and wasteful. The objective of Section 404 is to provide meaningful disclosure to investors about the effectiveness of a company’s internal controls systems, without creating unnecessary compliance burdens or wasting shareholder resources,” said SEC Chairman Christopher Cox. “With the Commission’s new interpretive guidance for management on the evaluation and assessment of its internal controls over financial reporting, companies of all sizes will be able to scale and tailor their evaluation procedures according to the facts and circumstances. And investors will benefit from reduced compliance costs.”

You can watch the SEC broadcast here. (Nice transparency!) I’ll explore the implications of these changes in another post, but it seems that the US is moving to a more principles-based control framework, which is more like the UK’s FSA model. SOX isn’t being scrapped or radically transformed, but after 3 years of year-ends the SEC is in a better position to improve the “protection-cost” ratio.

Vinnie has a regular go at SOX, SOX costs, and indeed those selling compliance tools. His recent post is no exception, commenting on Oxley saying he would have done things differently.

Wish he had said that 3 years ago – but sounds like we are back to “normal times” after pissing away billions on gun-to-the-head compliance spend.

In this post I’d like to explore SOX costs in a little more detail, because I’ve been privy to some interesting research. As part of my job I have access to the Hackett Group Research, and I’d really urge anyone who is interested in understanding technology and best-in-class performance to spend some time reading their stuff. It is thorough, independent, compelling and worth the money.

In 2005 Hackett commented:

This is the first time in Hackett’s 14-year history of benchmarking that finance costs have risen for typical companies.

2005 was the first year that Section 404 really hit home for most companies: they had to begin to comply with the requirement in their annual reports for their first fiscal year ending on or after April 15, 2005.

I hope Hackett don’t mind me linking the graph here.


Again in 2005 Hackett said:

Hackett’s research also found that world-class finance organizations now spend 42 percent less in the finance function than typical companies, and have 44 percent fewer finance staff. According to Hackett’s research, world-class finance organizations now spend 42 percent less than typical companies overall (0.73 percent of revenue versus 1.26 percent). Typical companies have seen an 18 percent increase in total finance costs since 2003, while world-class finance organizations have seen a 5 percent drop during the same period.

Compliance costs have risen significantly for both world-class and typical companies since 2003. World-class now spend 36 percent less on compliance than typical companies (.060 percent of revenue versus .094 percent). For instance we see that the typical company is spending an additional $340,000 per billion in revenues or a total of $940,000 per billion in revenues for additional internal finance and external resources to meet today’s compliance requirements.

There are a couple of things I’d like to pick up on here.

1. The impact of SOX is clear here. The big jump in costs can largely be linked to SOX-related projects, especially the panic projects that drove early spend. Interestingly, though, the world-class companies’ cost of compliance post-SOX is lower than that of the peer group pre-SOX. The impact of SOX is also smaller on world-class companies than on the peer group, the jump in absolute terms being significantly smaller.

2. Now, let’s move on to the more recent numbers from Hackett. (I don’t have a graph I can share publicly, but Book of Numbers owners can look it up.) The finance costs as a percentage of revenue for world-class companies have now dropped to below pre-SOX levels, whereas for typical companies the cost continues to climb. The delta is growing. For those companies that lurch from audit to audit and spreadsheet to spreadsheet the cost of compliance will spiral, as SOX is just one wave in the ebb and flow of compliance demands. For those that invest in compliance automation, strong foundation systems and smarter processes, the picture is a whole lot better. Hackett has the numbers to prove it.

The message here is clear. Moan about SOX all you like, but the best companies in the world have focused on putting in place the processes and the technologies to drive down the cost of compliance. Every year they will relentlessly improve their processes, further automate and drive out more costs. Yes, compliance costs, but how big that cost becomes is entirely up to you. SOX will not be the only law that causes compliance challenges.

I’m not sure where the shame comes into it. The finance folks that I talk to want a finance function that provides transparency, control and trust at the lowest possible cost. And that is just for starters.



As part of my pre-global-warming-glacier-pace academic efforts I read quite a lot of stuff on application security. I’m just about to send the final version of a paper to the Computer Law and Security Report. It has taken ages to write. How come blog posts can be churned out in minutes but papers take months?

Bruce Schneier, the CTO of Counterpane, is arguably the most famous security guy around. His blog is well worth reading, covering such topics as forging a boarding pass, airport security and surveillance as art. His books and heavier stuff are a must if you are interested in security, privacy and so on. If you are interested in this space, also read Jeff Jonas.

Bruce’s company, Counterpane, has announced a new solution:

Counterpane Introduces Integrated Application Monitoring & Security Auditing for SAP Platform, Empowers Enterprises to Defend Against Unauthorized Activity on SAP Applications
Technological innovations coupled with proven correlation logic and security expertise ensure customers improved compliance, enhanced security posture and prevention of financial loss

Mountain View, CA – October 2, 2006 – Counterpane Internet Security, Inc., The Managed Security Company and the authority on enterprise security, today unveiled Integrated Application Monitoring & Security Auditing for SAP Platform, a new data security solution that leverages its industry leading Managed Security Services.

I’ll be interested to see how this fits together or competes with the SAP GRC offering. But anyway, having the world’s top security experts helping customers avoid attacks is indeed goodness. I’ll have to ask Frank; he actually does SAP security as his day job.

I also read that they have been acquired by BT Global Services. Ovum provides comment here. Interesting that a UK telco firm is acquiring them. (Imagine the reaction if it had been a Chinese telco.)


I attended an academic law conference on Monday and Tuesday this week, called GIKII. Andres provides a brief review, and I’m sure other posts will ooze out this week. I wasn’t sure what to expect, as I had never presented to a legal academic sort of audience before. It turns out that legal academics have a sense of humour. There was one Latin maxim joke, and even that was funny. I will be spending some time on the BAILII site, as it is a great source of UK legal material, and it is free. (Interesting case here on what happens when an outsourcing agreement goes sour, but I digress.)

I reckon the topics weren’t representative of a typical technology law conference. The sun shone in Edinburgh, which was equally odd. (We ate at a restaurant called Howies. Go there if you are ever in Edinburgh. Good nosh indeed.)

The event was organised by Prof Lilian Edwards (who has a very good blog). She is moving from Edinburgh to sunny Southampton, where she will chair the IT tech law department. This is a strong department (top ranking of 5*). Tim Berners-Lee is on the Comp Sci faculty there too. (The website sucks, but between Lilian and Tim, they should be able to sort it out.)

I learnt lots, and it seems that my PhD thinking is not too shabby. I now need to write the damn thing. It may mean I need to blog less, but everything has its price.

I have been plodding away at my PhD for some time. In between work, family, the bicycle and this blog, I have been reading and thinking about compliance and enterprise applications for the past 3 years or so. That must change, as unless I start writing something soon, I will have forgotten all the stuff I have read and thought. I need to write it down so that I can inflict it on others….

In an attempt to kick-start this process, I’m presenting at the GikII Workshop, which is part of the VI World Computer Law Conference and is led by Lilian Edwards, a leading computer law academic. Lilian has an entertaining blog on computer law stuff, which is no mean feat. She links to the House of Lords discussion on pervasive computing at Kim Cameron’s identity blog, another good read.

Lord Campbell of Alloway: My Lords, will the Minister explain what pervasive computing is?

Lord Sainsbury of Turville: Yes, my Lords. This is an interesting subject. Some microprocessors now have in-built communication facilities. The most obvious example of that is radio identification. I do not suppose that the noble Lord ever goes to the back of his local supermarket, but if he did he would see that packages that are brought in have an identification code that can be read electronically without taking the goods off the pallet. That is done by radio communication and is an enormous step forward in efficiency. The same principle applies to smart keys; one can open a car door from a range of three feet with a smart key, using the same technology.

Note that it is Lord Sainsbury speaking; I wonder if he is any relation?

If you read the whole discussion though, you will see that despite the formal lingo and funky dress code, these Lords are bang on the money… compare that to Senator Stevens…

Back to the long and winding… My simple method for self-motivation is to set yourself up for ridicule. By the first week of September I need to articulate my thoughts into something vaguely coherent, or I will be pelted by the academic tomato. If you’d like to attend, the details are available here. The rest of the agenda looks really interesting, including a talk on open source killer robots.

If there are any privacy gurus out there, please drop me a note. You guys tend to be quite hard to find.

