Formal Methods as a Link between Software Code and Legal Rules

The rapid evolution of the technological landscape and the impact of information technologies on our everyday life raise new challenges which cannot be tackled by a purely technological approach. Generally speaking, legal and technical means should complement each other to reduce risks for citizens and consumers: on one side, laws (or contracts) can provide assurances which are out of reach of technical means (or cope with situations where technical means would be defeated); on the other side, technology can help enforce legal and contractual commitments. This synergy should not be taken for granted, however, and if legal issues are not considered from the outset, technological decisions made during the design phase may very well hamper, or make impossible, the enforcement of legal rights. But the consideration of legal constraints in the design phase is a challenge in itself, not least because of the gap between the legal and technical communities and the difficulty of establishing a common understanding of the concepts at hand. In this paper, we advocate the use of formal methods to reduce this gap, taking examples from areas such as privacy, liability and compliance.
