Microsoft Security

Rules-making in technology: Examining the past and predicting the future

Paul Nicholas, Senior Director, Digital Trust

Are the rules and regulations being put in place today, from the Chinese cybersecurity law to the EU’s General Data Protection Regulation (GDPR), going to be appropriate for the world 10 years from now? And if not, should this be of concern? To answer these questions, we need to learn from the past.

The technology concerns of 10 years ago are still with us in some ways, e.g. worries about data being accessed by the wrong people and important systems becoming vulnerable to cyberattacks, but much has changed as the technology has continued to develop and spread through our businesses, communities, governments, and private lives. As a result, the regulations in place in 2006 have had to be replaced, e.g. the US-EU Safe Harbour with Privacy Shield, or have been wholly supplanted, e.g. the emergence of new approaches to cybersecurity and critical infrastructure. Now that I look at it, the world of 10 years ago seems more distant than I expected. Technology was far from ubiquitous and the services offered more limited, the rules familiar but sometimes at a tangent to today’s.

2006 was an important year in technology development: Facebook emerged from university campuses and Google bought YouTube. The policy agendas of governments and regulators were driven by concerns about child online safety, e-skills and lifelong learning, access to broadband, e-commerce and online banking, and, yes, market dominance. This is not to discount the importance of these issues at the time, but cybersecurity then was more often viewed as avoiding exotically named viruses rather than combating the organized cybercrime we now face, whilst privacy was seen as protecting the vulnerable from online exploitation rather than through today’s post-Snowden lens.

Could 2006’s policy-makers have prepared better for the issues we now face? That seems unlikely. For one thing, policy-makers would have been hard-pressed to have predicted the direction of technology; self-driving cars were a near-fringe idea (Google’s first major steps were in 2005), smartphones had not yet taken off (the iPhone was launched on January 9, 2007) and 3D printing was an industrial process (the first commercial printer came out in 2009). For another thing, these policy-makers were not operating in a vacuum; the rules they were putting in place had to deal with immediate challenges and had to be built on structures and laws that dated to the turn of the millennium.

This shortfall may actually have been a good thing for technology in 2016. Regulations and laws define and fix things, disallowing certain behaviors or requiring others. This can be hard enough to do successfully with well-understood issues, but for nascent technologies or business models it must be exceptionally difficult. Without undue constraints, technologies were able to develop “naturally”. They found business models and technical solutions that worked, then built up momentum to reach the stage where today they are robust enough to be more closely scrutinized and, perhaps, regulated.

So, following a similar pattern, should our 2016 efforts at rule-making focus on our immediate issues and leave the future to, in some sense, sort itself out? Perhaps. The emergence of advanced machine learning or of the Internet of Things means those technologies can’t really be legislated for right now because we don’t know what they will mean in practical terms for businesses and consumers, criminals and law enforcers, and so on. And yet, on the other hand, the technology of tomorrow is being shaped by the decisions of today. For example, rules currently being considered about data localization or cross-border data flows will shape the future of cloud computing, whilst concerns over privacy or intellectual property will shape big data and machine learning. The wrong choices now could undermine the potential of many technologies and tools.

The answer to whether or not today’s rules are going to be appropriate for 2026 is not, therefore, black and white. We need rules today that reflect technology today, because the old rules aren’t necessarily fit for purpose any more. Equally, we have to acknowledge that rules we create today aren’t always going to last long in the face of technological evolution. This could lead us to conclude we need to have a new way of regulating technology, one that might focus on outcomes for example (and that would be a separate blog), but it could also lead us to conclude that ingenuity and innovation can thrive in the gaps we leave and can even be encouraged by imperfect situations.

Whilst there can be no excuse for making rules that assume the world and technology won’t change over a decade, we also don’t have to constantly second-guess our future at the price of having useful rules today. In 2026 we might look back at today with a similar feeling to that we currently experience on looking back at 2006: familiarity, perhaps nostalgia, combined with a sense that things really have moved. This won’t necessarily be a bad thing.