How requirements management is a first step to tackling the misuse of technology


I have been involved in ‘IT’ and computer programming since 1983. Back when I first wrote a program in BASIC to fill a screen with a simple GOTO loop, I never imagined the world I, and millions like me, were going to create, or the opportunities it would enable in entertainment, business, consumerism, management and ultimately laziness, bullying, crime, terrorism and cyber warfare. I never foresaw a world where we could “Netflix and chill” and afterwards Just Eat, HungryHouse or Deliveroo whatever style or ethnic origin food we could desire. I did not see how this would create so much “pizza dare” content off the back of it too. Nor did I imagine the abuse of individuals’ rights, if consent is not granted to post such content online in an act of ‘revenge porn’. IoT is opening up new opportunities in sloth, entertainment, education and crime. With any new technological advancement there are good and bad applications to be found. That is an inevitable consequence of the human condition.

Many years of experience have embedded the inexorable necessity of IT in all our lives. From my earliest days of networked computing, trying to force different ad-hoc computer systems to talk to each other, to my earlier days of web-development, I played my part in developing online shopping malls, which allowed the customer to purchase from many stores with the convenience of one shared shopping cart. I am currently kept busy by a software development company whose software has enabled global corporations to manage their requirements accurately and efficiently, right throughout their entire development project lifecycles on global projects, covering everything from space exploration to engine management systems in cars.

As we engage ever more with technology, to install more and more smart devices, to enable our laziness (Alexa turn the kettle on, OK Google, switch the bathroom light on… etc) we ‘old geeks’ have time to ponder how we can use our talents and experience to help make the systems and technology we collectively developed, much safer and better for all, and I believe we have a duty to communicate our expertise in the adoption of such solutions.

The first step in all of this is to analyse and identify the actual requirements of safety in how people use systems. How are people actually misusing these systems? How can such abuse be negated before it happens? If not, how do we identify who is abusing the system? What patterns are they developing which can be pattern matched, and how can we use AI to predict where abuse is going to happen next? Can we harness the power of predictive analytics to predict what crime will happen next? Or should we initiate systems which automatically identify those who commit such crimes as they are being committed?

Ad-hoc

Once those requirements are known, quantified and described in detail, then design and planning can proceed to develop and implement solutions which will work.  If we are not clear about the system’s requirements, we can never adequately satisfy those requirements. Requirements management is the critical key in implementing successful solutions, in ALL systems. Those requirements are the detailed descriptions of all the parts of the overall system goal.  Every stage of development must comply with those requirements, right through analysis, design, development, testing and implementation.  Without such careful requirements management, critical information will be lost in the development process, leading to ineffective or defective solutions with an ever increasing amount of repetitive changes being necessitated during development as flaws in the system present themselves.  All such flaws add cost and delays to implementing a good solution and they create opportunities for exploits which enable cyber crime.

It appears that today, combating computer misuse, cyber-crime, cyber-bullying, or simply “bad people” is being done afterwards in an ad-hoc fashion. As new abuse comes to light, then policies or legislation are introduced to tackle them. Bolting the stable-door after the horse has bolted has never been an adequate form of equine safety.

Possibly what is required is for the IT community to start with cyber-safety as an obligatory, legally enforceable requirement at the start of systems development at the top level and initiate solutions with such safety built in, ensuring that cyber security is included and tracked, and that compliance is ensured, at every stage of the development lifecycle. I know that the vast majority of companies and software developers and systems designers do this already. Security is a very high priority in systems development, yet we still often see headlines of the most terrifying nature about data misuse and systems failure.

All this begs the question, is what we are currently doing good enough? Clearly the answer is no. Do we need to identify who is responsible for every bit of information sent online? Do we want a world where we are always at risk; our identities being stolen; our information being leaked; our devices being hacked and misused? Is it even possible to create a safe, private space within cyberspace at all? Even if we trust corporations to be able to create foolproof technology to do that, do we continue to trust them with our data? How many headlines have already been generated by failures in cloud computing? Who is storing our data? What are their motivations?

This does force us to ask awkward and very disturbing questions. Should all technology which connects to the internet allow total identification of the user? Should we be required to consent to abandon our privacy as a condition of using such technology? Arguably, many people are genuinely ignorant of how much privacy they have abandoned already in their eagerness to embrace and connect with others on social networks online.

Wilful misuse of code 

Of course, in the incredibly unlikely event that total abandonment of our privacy were agreed, then only global state level control of servers could achieve this, as it would require such a high level of control, to abolish the dark-web. To venture forth down this route, a fanciful, dark and twisted route that it undoubtedly is, is arguing for a new world order, agreement between all governments under the auspices of a single global authority and totalitarian control of the web. The current state of global geopolitics renders this idea unworkable currently, as cyber-espionage has become a major tool in statecraft. Whilst states use online war against each other, the door is always open to all the other levels of cyber abuse. Is this merely argumentum ad absurdum? Or is society really willing to allow innocents to be abused, financially, emotionally, even sexually and physically, on a level never before known just so individuals can enjoy their own privacy, in order to privately view or share whatever niche forms of pornography they choose as consenting adults or share political views anonymously that, whilst legal, a majority of people, or the state itself, could find abhorrent?

Or should we trust individual users with securing their own privacy, along with the legal obligation of companies to comply with users' wishes, as is happening in the EU with GDPR? Thus leaving the less technologically advanced users, and those users who are ignorant of the law, open to abuse?

Or is it time to tell people that if they want privacy, then they can only have that offline? There are already those users who are making this decision. Those who are refusing to accept such technology in their homes and businesses today, as the fear of abuse of our privacy and our data increases. Alarming headlines about data loss, data misuse leaving innocent users vulnerable to identity theft, real theft, or worse, are leading increasing numbers of users to become "luddite" in their opinions of technology and refuse to have smart technology in their homes or businesses.

I know technology business owners, who are very IT literate and have been coding for decades, who will never allow an Alexa or Google assistant anywhere near their home. They would never have a “smart TV” and they will never subscribe to using the IoT, for they cannot trust the software running smart systems without reading the source code themselves. Those creating and selling Smart technology promise that security and privacy will be upheld, but like electronic voting, it requires substantial levels of trust on the part of users, who will never know what the underlying source code actually does. The VW emissions scandal is proof that even corporations can wilfully misuse code for their own ends. It is also possible that corporations which developed code do not know of secret back-doors which coders could have put in. Humans make shortcuts for themselves; it is basic human nature to save time, or make life a little bit easier for ourselves. Sometimes systems failure really is a case of “cock-up rather than conspiracy.” The best processes are not always followed. We are being asked to trust them to keep our data safe, when there are ever increasing examples of reasons not to trust them.

These are not questions for me to answer, thankfully, but we all should have our say in this on-going debate, and then we in the IT community will be tasked with implementing the solutions. If those solutions are implemented with the correct use of requirements management, it will ensure that, whichever solutions are agreed upon, they will actually work. With the prediction of all home and work appliances being “smart” by default within 20 years, the stakes could hardly be higher.

Ken Hall, 3SL Ltd