Skip to main content
Skip to main content
Microsoft Security

Future-proofing principles against technological change

  • Paul Nicholas Senior Director, Digital Trust

In recent years, governments’ concerns about cybersecurity, data protection, and other information and communications technology (ICT) related issues have led to new policies, legislation, and regulation. In response, the ICT industry has consistently called for laws and rules that focus on outcomes and on principles, rather than on processes and prescriptions. This call has become so ubiquitous, however, that there is a danger it has become a hollow form of words. A truly outcome-oriented approach would be revolutionary and perhaps government or even industry will shy away from it, having forgotten why we need this approach in the first place.

So, I’d like to take a moment to re-examine the why and the how of outcomes- and principles-led legislation and regulation.

Technology moves fast; in 2007 we had the first iPhone and now we’re rolling out cloud computing. As a result, laws designed for telephony or paper files are increasingly difficult to apply, if not wholly irrelevant. Governments are acting on this realization, but as they do so they are inevitably looking to enshrine certain unchangeable points of principle into their new laws – from European privacy to American freedom of speech. And this where the essential rationale for principles-led approaches is most obvious. Immovable principles could be laid down as particular behaviors within particular technologies but then they would live and die with that technology. Allowing unchangeable points of principle to become contingent on something we know will change, i.e. technology, won’t work for governments or societies. A different approach is needed, one that future-proofs our principles against technological change.

So how would that actually work? On the surface it seems simple enough: governments state the outcomes they expect or principles they demand, give whatever limited controls/incentives they think necessary, and allow ICT providers and regulators to get on with it. The reality is necessarily more complex. For one thing, even within a single nation there may be varied societal perspectives on what is wanted in principle. For another, the outcomes of today’s solutions can form tomorrow’s problems. In light of this, an effective “future-proofing” process may require new policy or regulatory bodies that are more flexible and more broad-based, because they can take account of divergent priorities and can also look more clearly at future consequences.

In the ferment of technological change, we can forget that society changes too, sometimes profoundly. Once concrete principles can shift over time and what was once acceptable or helpful can cease to be so. Amusingly, I know someone who is a Freeman of the City of London, with a right to drive sheep across a bridge over the Thames. This might have been very useful at one point but today most people would rather have free parking. More seriously, in the past women and minorities have been unfairly treated (and in places still are, even today). Applying this insight to the heart of law- and rule-making might seem odd, especially to the lawyers and technocrats that currently dominate the process. But if a principles-led approach is to have true meaning and longevity then the inclusiveness of the process must be genuine.

Equally, what seems like a good solution today can have unintended consequences. In the 1890s motorized vehicles solved horse-drawn vehicles’ endless manure and carcasses but eventually led to pollution and transport crises. In the 1920s lead in petrol solved “knocking” in automobile motors but paved the way for “a catastrophe for public health”. In the 1990s and 2000s diesel and biofuels answered petrol’s CO2-emissions but caused particulate air pollution and food supply problems. The chance of unintended consequences from government interventions in ICT are even more significant. Technology has spread throughout our lives, businesses, and governments. As a result, unexpectedly problematic outcomes are more likely and are potentially more damaging. Any structure process pushing an outcomes-led approach needs to have the breadth of insights and expertise to minimize this risk. This means, once again, expanding the participants in the new approach beyond the current roster of legal and regulatory experts.

In conclusion, in order to help formulate lasting policies, law and regulations with a genuine focus on outcomes and principles, governments will need advice from new bodies with diverse legal, technical, social, and even philosophical membership. The new, non-traditional membership of these bodies will likely have to go beyond current “public private partnerships” if they are to deal with the operational differences, varying priorities, and distinct needs of those affected by new rules – now and in the foreseeable future. This will be a revolution in policy-making, equal in its own way to the technological revolution that has sparked it.