Lecturer in Technology Law


View my full research profile

  • Tel: +44 (0)131 650 7128
  • Email: lachlan.urquhart@ed.ac.uk
  • Office and Feedback Hours for current students:
    Tuesdays - 2pm-4pm

Biography

I am a Lecturer in Technology Law at the University of Edinburgh. I am also a visiting researcher at the Horizon Digital Economy Research Institute, where I was a Research Fellow in Information Technology Law from 2016-2018. I am a multidisciplinary researcher, having degrees in both law [ LL.B, Hons (Edin); LL.M IT & Telecoms Law, Distinction (Strath) ] & computer science [ Ph.D (Nott) ]. 

I primarily work at the boundaries of computer science (human-computer interaction), information technology law (mainly privacy & information security), and computer ethics. I focus extensively on the technical, legal, sociological, and ethical implications of living with interactive computing (e.g. Ubicomp/Internet of Things, robotics, smart homes & cities, social media etc.). I often collaborate with researchers from different disciplines, ranging from architecture and criminology to art and media studies. My publications are available here, projects here and recent public speaking here.

I am currently working on a range of projects in 2018. I am a Co Investigator on the new £1m EPSRC funded ‘Defence Against Dark Artefacts’ project examining technical, sociological & legal requirements for effective management of smart home cybersecurity. This is a collaborative project with the Universities of Nottingham, Cambridge, Imperial College London and a range of industry partners. I'm also a Co-I on the £90,000 Horizon/EPSRC funded ‘Memory Machine’ project on co-designing a memory preserving IoT device with dementia sufferers. I'm Principle Investigator on the £16,000 Horizon/EPSRC funded ‘Moral-IT: Enabling Design of Ethical Systems’ on developing card-based tools for building ethical IT systems, which are now available here. and also working on the £8,000 UoN Digital Research funded ‘Ethics of Internet of Things in Research’ on new strategies to manage risks of using IoT used in research. Prior to this, I was CI on a £30,000 UoN Research Priority Area funded project ‘About Algorithms & Beyond’ exploring aspects of algorithms and IoT, a £1500 DEN funded project on 'Games & Human Values’ exploring how games can be medium of critique for wider societal concerns and a Horizon funded AGILE project on ‘Information Privacy by Design Cards’ with Microsoft Research.

My PhD, entitled Towards User-Centric Regulation: Exploring the Interface between Information Technology Law and Human Computer Interaction was completed at the Mixed Reality Laboratory and EPSRC/RCUK funded Horizon Centre for Doctoral Training, School of Computer Science, University of Nottingham. During this 4-year multidisciplinary programme, I completed a quasi-MSc including courses on science and technology studies, computer science, human factors engineering, business studies, geospatial information services, programming. My PhD research explored the role of technology designers in regulation using a mixed methods approach that combined conceptual and regulatory perspectives with development of design tools (ideation cards) and empirical research (expert interviews, questionnaires, workshops etc). 

Main Areas of Interest for Collaboration and PhD supervision:

1) Multidisciplinary research, particularly at the intersection of Computer Science (especially Human Computer Interaction), Technology Law and Computer Ethics.

2) Examining Legal, Design, Sociological & Ethical implications of living with the Internet of Things at different scales (from smart homes to cities).

3) Practical Challenges in Data Protection, Information Security & Cybercrime.

4) Perspectvives from Surveillance Studies, Science & Technology Studies, Socio-Legal Methods.

Teaching

Legal Challenges of Information Technology (Course Organiser)

Information Technology Law (Course Organiser) 

Law of e-Commerce (Course Organiser)

Electronic Commerce Law (Course organiser)

Data Protection and Information Privacy Law 

EU Data Protection Law 

Research students

Natalie Leesakul - "Robots and the Law" (External: Horizon, University of Nottingham) 

Qualifications

LL.B (Hons), Edinburgh

LL.M Information Technology and Telecommunciations Law (Distinction), Strathclyde

Ph.D Computer Science, Nottingham

Articles

Lachlan Urquhart, Tom Lodge, Andy Crabtree, 'Demonstrably doing accountability in the Internet of Things ', (2018), International Journal of Law and Information Technology, Vol 26
Abstract: This paper explores the importance of accountability to data protection, and how it can be built into the Internet of Things (IoT). The need to build accountability into the IoT is motivated by the opaque nature of distributed data flows, inadequate consent mechanisms, and lack of interfaces enabling end-user control over the behaviours of internet-enabled devices. The lack of accountability precludes meaningful engagement by end-users with their personal data and poses a key challenge to creating user trust in the IoT and the reciprocal development of the digital economy. The EU General Data Protection Regulation 2016 (GDPR) seeks to remedy this particular problem by mandating that a rapidly developing technological ecosystem be made accountable. In doing so it foregrounds new responsibilities for data controllers, including data protection by design and default, and new data subject rights such as the right to data portability. While GDPR is technologically neutral, it is nevertheless anticipated that realising the vision will turn upon effective technological development. Accordingly, this paper examines the notion of accountability, how it has been translated into systems design recommendations for the IoT, and how the IoT Databox puts key data protection principles into practice.

Lachlan Urquhart, Holger Schnädelbach, Nils Jäger, 'Adaptive Architecture: Regulating human building interaction', (2018), International Review of Law, Computers and Technology
Abstract: In this paper we explore regulatory, technical and interactional implications of Adaptive Architecture, a novel trend emerging in the built environment. We provide a comprehensive description of the emergence and history of the term, with reference to the current state of the art and policy foundations supporting it e.g. smart city initiatives and building regulations. As Adaptive Architecture is underpinned by the Internet of Things (IoT), we are interested in how regulatory and surveillance issues posed by the IoT manifest in buildings too. To support our analysis, we utilise a prominent concept from architecture, Stuart Brand’s Shearing Layers model, which describes the different physical layers of a building and how they relate to temporal change. To ground our analysis, we use three cases of Adaptive Architecture, namely an IoT device (Nest Smart Cam IQ); an Adaptive Architecture research prototype, (ExoBuilding); and a commercial deployment (the Edge). In bringing together Shearing Layers, Adaptive Architecture and the challenges therein, we frame our analysis under 5 key themes. These are guided by emerging information privacy and security regulations. We explore the issues Adaptive Architecture needs to face for: A – ‘Physical & information security’; B – ‘Establishing responsibility’; C – ‘occupant rights over flows, collection, use & control of personal data’; D- ‘Visibility of Emotions and Bodies’; & E – ‘Surveillance of Everyday Routine Activities’. We conclude by summarising key challenges for Adaptive Architecture, regulation and the future of human building interaction.

Lachlan Urquhart, 'Ethical dimensions of user centric regulation ', (2018), ACM SIGCAS Computers and Society, Vol 47, pp 81-95
Abstract: In this paper, we question the role of information technology (IT) designers in IT regulation. Through our concept of user centric regulation (UCR) we unpack what a closer alignment of IT design and regulation could mean. We also situate how they can respond to their ethical and legal duties to end users. Our concept asserts that human computer interaction (HCI) designers are now regulators and as designers are not traditionally involved in the practice of regulation hence the nature of their role is ill-defined. We believe designers need support in understanding what their new role entails, particularly managing ethical dimensions that go beyond law and compliance. We use conceptual analysis to consolidate perspectives from across Human Computer Interaction and Information Technology Law and Regulation, Computer Ethics, Philosophy of Technology, and beyond. We focus in this paper on the importance of mediation and responsibility and illustrate our argument by drawing on the emerging technological setting of smart cities.

Andy Crabtree, Tom Lodge, James Colley, Chris Greenhalgh, Kevin Glover, Hamed Haddadi, Yousef Amar, Richard Mortier, Qi Li, John Moore, Liang Wang, Poonam Yadav, Jianxin Zhao, Anthony Brown, Lachlan Urquhart, Derek McAuley, 'Building accountability into the Internet of Things: The IoT Databox model', (2018), Journal of Reliable Intelligent Environments, Vol 4, pp 39-55
Abstract: This paper outlines the IoT Databox model as a means of making the Internet of Things (IoT) accountable to individuals. Accountability is a key to building consumer trust and is mandated by the European Union’s general data protection regulation (GDPR). We focus here on the ‘external’ data subject accountability requirement specified by GDPR and how meeting this requirement turns on surfacing the invisible actions and interactions of connected devices and the social arrangements in which they are embedded. The IoT Databox model is proposed as an in principle means of enabling accountability and providing individuals with the mechanisms needed to build trust into the IoT.

Lachlan Urquhart, Derek McAuley, 'Avoiding the internet of insecure industrial things ', (2018), Computer Law & Security Review, Vol 34, pp 450-466
Abstract: Security incidents such as targeted distributed denial of service (DDoS) attacks on power grids and hacking of factory industrial control systems (ICS) are on the increase. This paper unpacks where emerging security risks lie for the industrial internet of things, drawing on both technical and regulatory perspectives. Legal changes are being ushered by the European Union (EU) Network and Information Security (NIS) Directive 2016 and the General Data Protection Regulation 2016 (GDPR) (both to be enforced from May 2018). We use the case study of the emergent smart energy supply chain to frame, scope out and consolidate the breadth of security concerns at play, and the regulatory responses. We argue the industrial IoT brings four security concerns to the fore, namely: appreciating the shift from offline to online infrastructure; managing temporal dimensions of security; addressing the implementation gap for best practice; and engaging with infrastructural complexity. Our goal is to surface risks and foster dialogue to avoid the emergence of an Internet of Insecure Industrial Things.

Elvira Perez Vallejos, Ansgar Koene, Christopher James Carter, Daniel Hunt, Christopher Woodard, Lachlan Urquhart, Aislinn Bergin, Ramona Statache, 'Accessing online data for youth mental health research: Meeting the ethical challenges', (2017), Philosophy & Technology, pp 1-24
Abstract: This article addresses the general ethical issues of accessing online personal data for research purposes. The authors discuss the practical aspects of online research with a specific case study that illustrates the ethical challenges encountered when accessing data from Kooth, an online youth web-counselling service. This paper firstly highlights the relevance of a process-based approach to ethics (Markham and Buchanan 2012) when accessing highly sensitive data and then discusses the ethical considerations and potential challenges regarding the accessing of public data from Digital Mental Health (DMH) services. It presents solutions that aim to protect young DMH service users as well as the DMH providers and researchers mining such data. Special consideration is given to service users’ expectations of what their data might be used for, as well as their perceptions of whether the data they post is public, private or open. We provide recommendations for planning and designing online research that includes vulnerable young people as research participants in an ethical manner. We emphasise the distinction between public, private and open data, which is crucial to comprehend the ethical challenges in accessing DMH data. Among our key recommendations, we foreground the need to consider a collaborative approach with the DMH providers while respecting service users’ control over personal data, and we propose the implementation of digital solutions embedded within the platform for explicit opt-out/opt-in recruitment strategies and ‘read more’ options (Bergin and Harding 2016).

Lachlan Urquhart, Neelima Sailaja, Derek McAuley, 'Realising the right to data portability for the domestic Internet of things ', (2017), Personal and Ubiquitous Computing, Vol 22, pp 317-332

Lachlan Urquhart, Tom Rodden, 'New directions in information technology law: Learning from human–computer interaction', (2017), International Review of Law, Computers and Technology, Vol 31, pp 150-169
Abstract: Effectively regulating the domestic Internet of Things (IoT) requires a turn to technology design. However, the role of designers as regulators still needs to be situated. By drawing on a specific domain of technology design, human?computer interaction (HCI), we unpack what an HCI-led approach can offer IT law. By reframing the three prominent design concepts of provenance, affordances and trajectories, we offer new perspectives on the regulatory challenges of the domestic IoT. Our HCI concepts orientate us towards the social context of technology. We argue that novel regulatory strategies can emerge through a better understanding of the relationships and interactions between designers, end users and technology. Accordingly, closer future alignment of IT law and HCI approaches is necessary for effective regulation of emerging technologies.

Lachlan Urquhart, 'Ethical dimensions of user centric regulation ', (2017), ORBIT Journal, Vol 1
Abstract: In this paper, we question the role of information technology (IT) designers in IT regulation. Through our concept of user centric regulation (UCR) we unpack what a closer alignment of IT design and regulation could mean. We also situate how they can respond to their ethical and legal duties to end users. Our concept asserts that human computer interaction (HCI) designers are now regulators and as designers are not traditionally involved in the practice of regulation hence the nature of their role is ill-defined. We believe designers need support in understanding what their new role entails, particularly managing ethical dimensions that go beyond law and compliance. We use conceptual analysis to consolidate perspectives from across Human Computer Interaction and Information Technology Law and Regulation, Computer Ethics, Philosophy of Technology, and beyond. We focus in this paper on the importance of mediation and responsibility and illustrate our argument by drawing on the emerging technological setting of smart cities.

Lilian Edwards, Lachlan Urquhart, 'Privacy in public spaces: What expectations of privacy do we have in social media intelligence?', (2016), International Journal of Law and Information Technology, Vol 24, pp 279-310
Abstract: In this paper we give a basic introduction to the transition in contemporary surveillance from top down traditional police surveillance to profiling and pre-crime methods. We then review in more detail the rise of open source (OSINT) and social media (SOCMINT) intelligence and its use by law enforcement and security authorities. Following this we consider what if any privacy protection is currently given in UK law to SOCMINT. Given the largely negative response to the above question, we analyse what reasonable expectations of privacy there may be for users of public social media, with reference to existing case law on Article 8 of the European Convention on Human Rights. Two factors are in particular argued to be supportive of a reasonable expectation of privacy in open public social media communications: first, the failure of many social network users to perceive the environment where they communicate as public; and secondly, the impact of search engines (and other automated analytics) on traditional conceptions of structured dossiers as most problematic for state surveillance. Lastly, we conclude that existing law does not provide adequate protection for open SOCMINT and that this will be increasingly significant as more and more personal data is disclosed and collected in public without well-defined expectations of privacy.

Chapters

Lachlan Urquhart, 'Regulating privacy and Freedom of the Press from 2004-2018 From Campbell to fake news' in L Edwards (ed.) Law, Policy and the Internet (Hart Publishing 2018)

Lachlan Urquhart, Murray Goulden, Martin Flintham, Dominic Price, 'Domesticating data Socio-legal perspectives on smart homes & good data design' in A Daly (ed.) Good Data ( 2018)

Lachlan Urquhart, D Reedman Flint, N Leesakul, 'Responsible robotics Exploring ethical implications of robots in the home' in ETHICOMP 2018 Proceedings ( 2018)

Lachlan Urquhart, 'Exploring cybersecurity and cybercrime Threats and legal responses' in L Edwards (ed.) Law, Policy and the Internet (Hart Publishing 2017)

Ewa Luger, Lachlan Urquhart, Tom Rodden, Michael Golembewski, 'Playing the legal card Using ideation cards to raise data protection issues within the design process' in Proceedings of the 33rd Annual ACM Conference on Human Factors in Computing Systems (ACM 2015) 457-466

Dimitrios Paris Darzentas, Lachlan Urquhart, 'Interdisciplinary reflections on games and human values ' in Proceedings of the 2015 Annual Symposium on Computer-Human Interaction in Play (ACM 2015) 805-810
Abstract: We explore the interaction between digital games and human values. HCI as a field is increasingly focused on the importance of engaging with broader discussions around human values. Games are an ideal medium for reflecting on social, ethical and political questions. Accordingly, we propose a multidisciplinary workshop to discuss existing work, consider the future and bring together a range of different epistemological perspectives.

Lachlan Urquhart, 'Bridging the gap between law & HCI ' in Proceedings of the 2014 ACM International Joint Conference on Pervasive and Ubiquitous Computing Adjunct Publication - UbiComp '14 Adjunct (ACM Press 2014) 355-360

Working Papers

Lachlan Urquhart, 'Assessing Information Security Regulations for Domestic and Industrial Cyber-Physical Systems ' 2017

Lachlan Urquhart, Tom Rodden, 'A Legal Turn in Human Computer Interaction: Towards Regulation by Design for the Internet of Things' 2016

Lachlan Urquhart, 'Briefing on Artcodes and Intellectual Property Law ' 2016