Lecturer in Technology Law

View my full research profile

  • Tel: +44 (0)131 650 7128
  • Email: lachlan.urquhart@ed.ac.uk
  • Office and Feedback Hours for current students:
    Tuesdays - 2pm-4pm


I am a Lecturer in Technology Law at the University of Edinburgh. I am also a visiting researcher at the Horizon Digital Economy Research Institute, where I was a Research Fellow in Information Technology Law from 2016-2018. I am a multidisciplinary, socio-legal researcher, having degrees in both law [ LL.B, Hons (Edin); LL.M IT & Telecoms Law, Distinction (Strath) ] & computer science [ Ph.D (Nott) ]. 

I primarily work at the boundaries of computer science (human-computer interaction), information technology law (mainly privacy & information security), and computer ethics. I focus extensively on the technical, socio-legal, sociological, and ethical implications of living with interactive computing (e.g. Ubicomp/Internet of Things, robotics, smart homes & cities, social media etc.). I often collaborate with researchers from different disciplines, ranging from architecture and criminology to art and media studies. My publications are available here, projects here and recent public speaking here.

I am currently working on a range of projects in 2018-9, including: 

- Co-I on the new £1m EPSRC funded ‘Defence Against Dark Artefacts’ project examining technical, sociological & legal requirements for effective management of smart home cybersecurity. This is a collaborative project with the Universities of Nottingham, Cambridge, Imperial College London and a range of industry partners.

- Co-I on a £50,000 ESRC Japan-UK Connections project on Emotional AI in commercial and security contexts with Bangor University and Ritsumeiken Asia Pacific University.

- Co-I on the £90,000 Horizon/EPSRC funded ‘Memory Machine’ project on co-designing a memory preserving IoT device with dementia sufferers. 

- Principle Investigator on the £16,000 Horizon/EPSRC funded ‘Moral-IT: Enabling Design of Ethical Systems’ on developing card-based tools for building ethical IT systems, which are now available here

- Co-I on £8,000 UoN Digital Research funded ‘Ethics of Internet of Things in Research’ on new strategies to manage risks of using IoT used in research. 

Prior to this, I was CI on a £30,000 UoN Research Priority Area funded project ‘About Algorithms & Beyond’ exploring aspects of algorithms and IoT, a £1,500 DEN funded project on 'Games & Human Values’ exploring how games can be medium of critique for wider societal concerns and a Horizon funded AGILE project on ‘Information Privacy by Design Cards’ with Microsoft Research, which was also funded for $175,000 in a US National Science Foundation partner project based at NYU.

My PhD, entitled Towards User-Centric Regulation: Exploring the Interface between Information Technology Law and Human Computer Interaction was completed at the Mixed Reality Laboratory and EPSRC/RCUK funded Horizon Centre for Doctoral Training, School of Computer Science, University of Nottingham.

During this 4-year multidisciplinary programme, I completed a quasi-MSc including courses on science and technology studies, computer science, human factors engineering, business studies, geospatial information services, programming. My PhD research explored the role of technology designers in regulation using a mixed methods approach that combined conceptual and regulatory perspectives with development of design tools (ideation cards) and empirical research (expert interviews, questionnaires, workshops etc). 

Main Areas of Interest for Project Collaboration and PhD supervision:

1) Multidisciplinary research drawing together human computer interaction, technology law (socio-legal), and computer ethics perspectives. Also, interested in Surveillance Studies, Science & Technology Studies,

2) Examining regulatory, design, sociological & ethical implications of living with the Internet of Things at different scales (from smart homes to cities).

3) Addressing practical challenges in Data Protection, Information Security & Cybercrime.


Legal Challenges of Information Technology (Course Organiser)

Information Technology Law (Course Organiser) 

Law of e-Commerce (Course Organiser)

Electronic Commerce Law (Course organiser)

Data Protection and Information Privacy Law 

EU Data Protection Law 

Controversies in the Data Society (Edinburgh Futures Institute)

Research students

Natalie Leesakul - "Manufacturing Robots and the Law" (External: Horizon, University of Nottingham) 


LL.B (Hons), Edinburgh

LL.M Information Technology and Telecommunciations Law (Distinction), Strathclyde

Ph.D Computer Science, Nottingham


Rachel Jacobs, Frank Abbott, Lachlan Urquhart, Dominic Price, 'Performing the future: Risk, uncertainty & artistic process', (2019), Journal of risk research
Abstract: This paper follows a practice-led methodology to explore how the diverse participants in the 'Performing the Future' project - including scientists working with climate models and over-60s groups in Liverpool and Cambridge - mediated their sense of risk and uncertainty in response to environmental change. We explore the nature of their participation and the different strategies used by the artists leading the project, describing the opportunities that emerged for more nuanced and complex visions of the realities of anthropogenic environmental change, and how we might respond to the impacts of these changes.

Lachlan Urquhart, Holger Schnädelbach, Nils Jäger, 'Adaptive Architecture: Regulating human building interaction', (2019), International Review of Law, Computers and Technology
Abstract: In this paper we explore regulatory, technical and interactional implications of Adaptive Architecture, a novel trend emerging in the built environment. We provide a comprehensive description of the emergence and history of the term, with reference to the current state of the art and policy foundations supporting it e.g. smart city initiatives and building regulations. As Adaptive Architecture is underpinned by the Internet of Things (IoT), we are interested in how regulatory and surveillance issues posed by the IoT manifest in buildings too. To support our analysis, we utilise a prominent concept from architecture, Stuart Brand’s Shearing Layers model, which describes the different physical layers of a building and how they relate to temporal change. To ground our analysis, we use three cases of Adaptive Architecture, namely an IoT device (Nest Smart Cam IQ); an Adaptive Architecture research prototype, (ExoBuilding); and a commercial deployment (the Edge). In bringing together Shearing Layers, Adaptive Architecture and the challenges therein, we frame our analysis under 5 key themes. These are guided by emerging information privacy and security regulations. We explore the issues Adaptive Architecture needs to face for: A – ‘Physical & information security’; B – ‘Establishing responsibility’; C – ‘occupant rights over flows, collection, use & control of personal data’; D- ‘Visibility of Emotions and Bodies’; & E – ‘Surveillance of Everyday Routine Activities’. We conclude by summarising key challenges for Adaptive Architecture, regulation and the future of human building interaction.

Lachlan Urquhart, Dominic Reedman-Flint, Natalie Leesakul, 'Responsible domestic robotics: Exploring ethical implications of robots in the home', (2019), Journal of Information, Communication & Ethics in Society
Abstract: Purpose: The vision of robotics in the home promises increased convenience, comfort, companionship, and greater security for users. The robot industry risks causing harm to users, being rejected by society at large, or being regulated in overly prescriptive ways if robots are not developed in a socially responsible manner. The purpose of this paper is to explore some of the challenges and requirements for designing responsible domestic robots. Design/methodology/approach: The paper examines definitions of robotics and the cur-rent commercial state of the art. In particular it considers the emerging technological trends, such as smart homes, that are already embedding computational agents in the fabric of everyday life. The paper then explores the role of values in design, aligning with human computer interaction and considers the importance of the home as a deployment setting for robots. The paper examines what responsibility in robotics means and draws lessons from past home information technologies. An exploratory pilot survey was conducted to understand user concerns about different aspects of domestic robots such as form, privacy and trust. The paper provides these findings, married with literature analysis from across technology law, computer ethics and computer science. Findings: By drawing together both empirical observations and conceptual analysis, this paper concludes that user centric design is needed to create responsible domestic robotics in the future.Originality/value: This multidisciplinary paper provides conceptual and empirical research from different domains to unpack the challenges of designing responsible domestic robot-ics.

Lachlan Urquhart, Tom Lodge, Andy Crabtree, 'Demonstrably doing accountability in the Internet of Things ', (2018), International Journal of Law and Information Technology, Vol 26
Abstract: This paper explores the importance of accountability to data protection, and how it can be built into the Internet of Things (IoT). The need to build accountability into the IoT is motivated by the opaque nature of distributed data flows, inadequate consent mechanisms, and lack of interfaces enabling end-user control over the behaviours of internet-enabled devices. The lack of accountability precludes meaningful engagement by end-users with their personal data and poses a key challenge to creating user trust in the IoT and the reciprocal development of the digital economy. The EU General Data Protection Regulation 2016 (GDPR) seeks to remedy this particular problem by mandating that a rapidly developing technological ecosystem be made accountable. In doing so it foregrounds new responsibilities for data controllers, including data protection by design and default, and new data subject rights such as the right to data portability. While GDPR is technologically neutral, it is nevertheless anticipated that realising the vision will turn upon effective technological development. Accordingly, this paper examines the notion of accountability, how it has been translated into systems design recommendations for the IoT, and how the IoT Databox puts key data protection principles into practice.

Lachlan Urquhart, 'Ethical dimensions of user centric regulation ', (2018), ACM SIGCAS Computers and Society, Vol 47, pp 81-95
Abstract: In this paper, we question the role of information technology (IT) designers in IT regulation. Through our concept of user centric regulation (UCR) we unpack what a closer alignment of IT design and regulation could mean. We also situate how they can respond to their ethical and legal duties to end users. Our concept asserts that human computer interaction (HCI) designers are now regulators and as designers are not traditionally involved in the practice of regulation hence the nature of their role is ill-defined. We believe designers need support in understanding what their new role entails, particularly managing ethical dimensions that go beyond law and compliance. We use conceptual analysis to consolidate perspectives from across Human Computer Interaction and Information Technology Law and Regulation, Computer Ethics, Philosophy of Technology, and beyond. We focus in this paper on the importance of mediation and responsibility and illustrate our argument by drawing on the emerging technological setting of smart cities.

Andy Crabtree, Tom Lodge, James Colley, Chris Greenhalgh, Kevin Glover, Hamed Haddadi, Yousef Amar, Richard Mortier, Qi Li, John Moore, Liang Wang, Poonam Yadav, Jianxin Zhao, Anthony Brown, Lachlan Urquhart, Derek McAuley, 'Building accountability into the Internet of Things: The IoT Databox model', (2018), Journal of Reliable Intelligent Environments, Vol 4, pp 39-55
Abstract: This paper outlines the IoT Databox model as a means of making the Internet of Things (IoT) accountable to individuals. Accountability is a key to building consumer trust and is mandated by the European Union’s general data protection regulation (GDPR). We focus here on the ‘external’ data subject accountability requirement specified by GDPR and how meeting this requirement turns on surfacing the invisible actions and interactions of connected devices and the social arrangements in which they are embedded. The IoT Databox model is proposed as an in principle means of enabling accountability and providing individuals with the mechanisms needed to build trust into the IoT.

Lachlan Urquhart, Derek McAuley, 'Avoiding the internet of insecure industrial things ', (2018), Computer Law & Security Review, Vol 34, pp 450-466
Abstract: Security incidents such as targeted distributed denial of service (DDoS) attacks on power grids and hacking of factory industrial control systems (ICS) are on the increase. This paper unpacks where emerging security risks lie for the industrial internet of things, drawing on both technical and regulatory perspectives. Legal changes are being ushered by the European Union (EU) Network and Information Security (NIS) Directive 2016 and the General Data Protection Regulation 2016 (GDPR) (both to be enforced from May 2018). We use the case study of the emergent smart energy supply chain to frame, scope out and consolidate the breadth of security concerns at play, and the regulatory responses. We argue the industrial IoT brings four security concerns to the fore, namely: appreciating the shift from offline to online infrastructure; managing temporal dimensions of security; addressing the implementation gap for best practice; and engaging with infrastructural complexity. Our goal is to surface risks and foster dialogue to avoid the emergence of an Internet of Insecure Industrial Things.

Elvira Perez Vallejos, Ansgar Koene, Christopher James Carter, Daniel Hunt, Christopher Woodard, Lachlan Urquhart, Aislinn Bergin, Ramona Statache, 'Accessing online data for youth mental health research: Meeting the ethical challenges', (2017), Philosophy & Technology, pp 1-24
Abstract: This article addresses the general ethical issues of accessing online personal data for research purposes. The authors discuss the practical aspects of online research with a specific case study that illustrates the ethical challenges encountered when accessing data from Kooth, an online youth web-counselling service. This paper firstly highlights the relevance of a process-based approach to ethics (Markham and Buchanan 2012) when accessing highly sensitive data and then discusses the ethical considerations and potential challenges regarding the accessing of public data from Digital Mental Health (DMH) services. It presents solutions that aim to protect young DMH service users as well as the DMH providers and researchers mining such data. Special consideration is given to service users’ expectations of what their data might be used for, as well as their perceptions of whether the data they post is public, private or open. We provide recommendations for planning and designing online research that includes vulnerable young people as research participants in an ethical manner. We emphasise the distinction between public, private and open data, which is crucial to comprehend the ethical challenges in accessing DMH data. Among our key recommendations, we foreground the need to consider a collaborative approach with the DMH providers while respecting service users’ control over personal data, and we propose the implementation of digital solutions embedded within the platform for explicit opt-out/opt-in recruitment strategies and ‘read more’ options (Bergin and Harding 2016).

Lachlan Urquhart, Neelima Sailaja, Derek McAuley, 'Realising the right to data portability for the domestic Internet of things ', (2017), Personal and Ubiquitous Computing, Vol 22, pp 317-332

Lachlan Urquhart, Tom Rodden, 'New directions in information technology law: Learning from human–computer interaction', (2017), International Review of Law, Computers and Technology, Vol 31, pp 150-169
Abstract: Effectively regulating the domestic Internet of Things (IoT) requires a turn to technology design. However, the role of designers as regulators still needs to be situated. By drawing on a specific domain of technology design, human?computer interaction (HCI), we unpack what an HCI-led approach can offer IT law. By reframing the three prominent design concepts of provenance, affordances and trajectories, we offer new perspectives on the regulatory challenges of the domestic IoT. Our HCI concepts orientate us towards the social context of technology. We argue that novel regulatory strategies can emerge through a better understanding of the relationships and interactions between designers, end users and technology. Accordingly, closer future alignment of IT law and HCI approaches is necessary for effective regulation of emerging technologies.

Lachlan Urquhart, 'Ethical dimensions of user centric regulation ', (2017), ORBIT Journal, Vol 1
Abstract: In this paper, we question the role of information technology (IT) designers in IT regulation. Through our concept of user centric regulation (UCR) we unpack what a closer alignment of IT design and regulation could mean. We also situate how they can respond to their ethical and legal duties to end users. Our concept asserts that human computer interaction (HCI) designers are now regulators and as designers are not traditionally involved in the practice of regulation hence the nature of their role is ill-defined. We believe designers need support in understanding what their new role entails, particularly managing ethical dimensions that go beyond law and compliance. We use conceptual analysis to consolidate perspectives from across Human Computer Interaction and Information Technology Law and Regulation, Computer Ethics, Philosophy of Technology, and beyond. We focus in this paper on the importance of mediation and responsibility and illustrate our argument by drawing on the emerging technological setting of smart cities.

Lilian Edwards, Lachlan Urquhart, 'Privacy in public spaces: What expectations of privacy do we have in social media intelligence?', (2016), International Journal of Law and Information Technology, Vol 24, pp 279-310
Abstract: In this paper we give a basic introduction to the transition in contemporary surveillance from top down traditional police surveillance to profiling and pre-crime methods. We then review in more detail the rise of open source (OSINT) and social media (SOCMINT) intelligence and its use by law enforcement and security authorities. Following this we consider what if any privacy protection is currently given in UK law to SOCMINT. Given the largely negative response to the above question, we analyse what reasonable expectations of privacy there may be for users of public social media, with reference to existing case law on Article 8 of the European Convention on Human Rights. Two factors are in particular argued to be supportive of a reasonable expectation of privacy in open public social media communications: first, the failure of many social network users to perceive the environment where they communicate as public; and secondly, the impact of search engines (and other automated analytics) on traditional conceptions of structured dossiers as most problematic for state surveillance. Lastly, we conclude that existing law does not provide adequate protection for open SOCMINT and that this will be increasingly significant as more and more personal data is disclosed and collected in public without well-defined expectations of privacy.


Lachlan Urquhart, Murray Goulden, Martin Flintham, Dominic Price, 'Domesticating data Socio-legal perspectives on smart homes & good data design' in Angela Daly, S. Kate Devitt, Monique Mann (ed.) Good Data ( 2019)

Dimitrios Paris Darzentas, Raphael Velt, Richard Wetzel, Peter Craigon, Hanne Wagner, Lachlan Urquhart, Steve Benford, 'Card mapper Enabling data-driven reflections on ideation cards' in Proceedings of ACM SIG Computer Human Interaction (CHI) 2019 (ACM 2019)
Abstract: We explore how usage data captured from ideation cards can enable reflection on design. We deployed a deck of ideation cards on a Masters level module over two years, developing the means to capture the students’designs into a digital repository. We created two visualisations to reveal the relative co-occurrences of the cards as concept space and the relative proximity of designs (through cards used in common) as design space.We used these to elicit reflections from the perspectives of students, teachers and card designers. Our findings inspire ideas for extending the data-driven use of ideation cards throughout the design process; informing the redesign of cards, the rules for using them and their live connection to supporting materials and enabling stakeholders to reflect and recognise challenges and opportunities. We also identified the need, and potential ways, to capture a richer design rationale, including annotations, discarded cards and varying card interpretations.

Lachlan Urquhart, 'White noise from the white goods? Privacy by design for ambient domestic computing' in Burkhard Schafer, L Edwards, E Harbinja (ed.) Future Law (Edinburgh University Press 2019)

Lachlan Urquhart, 'Exploring cybersecurity and cybercrime Threats and legal responses' in Lilian Edwards (ed.) Law, Policy and the Internet (Hart Publishing 2018)

Lachlan Urquhart, 'Regulating privacy and Freedom of the Press from 2004-2018 From Campbell to fake news' in Lilian Edwards (ed.) Law, Policy and the Internet (Hart Publishing 2018)

Lachlan Urquhart, D Reedman Flint, N Leesakul, 'Responsible robotics Exploring ethical implications of robots in the home' in ETHICOMP 2018 Proceedings ( 2018)

Dimitrios Paris Darzentas, Lachlan Urquhart, 'Interdisciplinary reflections on games and human values ' in Proceedings of the 2015 Annual Symposium on Computer-Human Interaction in Play (ACM 2015) 805-810
Abstract: We explore the interaction between digital games and human values. HCI as a field is increasingly focused on the importance of engaging with broader discussions around human values. Games are an ideal medium for reflecting on social, ethical and political questions. Accordingly, we propose a multidisciplinary workshop to discuss existing work, consider the future and bring together a range of different epistemological perspectives.

Ewa Luger, Lachlan Urquhart, Tom Rodden, Michael Golembewski, 'Playing the legal card Using ideation cards to raise data protection issues within the design process' in Proceedings of the 33rd Annual ACM Conference on Human Factors in Computing Systems (ACM 2015) 457-466

Lachlan Urquhart, 'Bridging the gap between law & HCI ' in Proceedings of the 2014 ACM International Joint Conference on Pervasive and Ubiquitous Computing Adjunct Publication - UbiComp '14 Adjunct (ACM Press 2014) 355-360

Working Papers

Lachlan Urquhart, 'Assessing Information Security Regulations for Domestic and Industrial Cyber-Physical Systems ' 2017

Lachlan Urquhart, Tom Rodden, 'A Legal Turn in Human Computer Interaction: Towards Regulation by Design for the Internet of Things' 2016

Lachlan Urquhart, 'Briefing on Artcodes and Intellectual Property Law ' 2016