The missing pieces: teaching the legal side of web development

Estimated reading time: 12 minutes

In June I attended the Web Teaching Day unconference, an annual gathering of educators bringing up the next generation of web professionals, at MMU in Manchester. Run by Richard Eskins and Derren Wilson, the unconference is a day of exchanging perspectives, ideas, and opportunities about the ways that web design and development are taught. It’s a casual, convivial, and very sweary day in good company.

The conference was a sort of homecoming for me – my first proper conference talk was at MMU, and that set off an unlikely series of events which (amongst other things) resulted in that part of Manchester becoming my second home. The topic I brought has taken years of reflection to assemble into a presentable shape, so there could not have been a better place to bring it into the world.

Following the thought-provoking talks you’d expect from speakers like Andy Clarke on design, Chris Murphy on UX, and Michael Lorek on business skills, it was my turn to talk about teaching future professionals about the legal side of web development.

That, of course, is speaking hypothetically: we don’t teach that. Nobody does. That’s why I was there.

What follows is my slides expanded into a narrative and a call to action. It’s up to you to listen.

We don’t know what we don’t know

Web Teaching 2019

Yep, I’m definitely on a roll here. Photo by Prisca Schmarsow

See us, we designers and developers?

We’re the bad guys, and all of the problems with the web right now are our fault.

That, believe it or not, is what a lot of professionals from other fields – like law, politics, and privacy – think about us. Working in tech policy and privacy, it’s a refrain I hear a lot.

Privacy scandals, inaccessible web sites, data breaches, stalkerware apps, dark patterns – what the hell’s the matter with us, they ask? What’s it going to take for you people to get a grip?

They’re not right, those nasty critics. But they’re not all wrong either. They are looking at us from their perspectives, and they don’t necessarily understand ours. I can only explain what our perspective is – though by no means will I be an apologist for it.

Here’s what we all need to understand.

No common paths of entry

Web design and development are open to anyone. That’s the beauty of it. You can enter as a student; you can change careers in your thirties; you can start a new career in your forties or beyond. It’s all good. You can come into the field with some high school training; you can come into it through a university computer science course like MMU’s; you can come to it through a code academy like CodeClan; or, like me, you can be a self-taught veteran of the dialup era. We’re a big melting pot of diverse education and experience and it’s all good.

Except when it’s not.

With no common path of entry or educational curriculum, the knowledge we bring to the job beyond code and UX is all over the shop. What a developer learned in their formal education might be incredibly narrow. What a self-taught developer knows is contingent on their personal curiosity. What a college or university teaches might be bound up in internal politics and financial targets.

In other words, we don’t know what we don’t know.

What we do know is that the laws and policies which shape web design and development – topics like privacy, data protection, accessibility, and intermediary liability – are not taught as a standard part of any educational path.

The laws that shape web development are not taught in secondary schools. For example, the Scottish higher curriculum in computer science teaches only the Communications Act, RIPA, the Computer Misuse Act, and the Copyrights, Designs, and Patents Act – a sort of thou-shalt-not approach – and makes no call to the professional obligations that future practicioners will have to others.

The laws that shape web development are not taught in university computer science courses. MMU’s ICT and the Law and Media Law courses are a rare exception, but most future practicioners will receive no formal education during their studies. There are dozens of internet law courses, including the one I took for my postgraduate certification in it, but these are offered at a graduate level for students of law, not web development, who are most certainly not web practicioners. (Wise courses, like the one I took under Lilian Edwards’ leadership, welcome non-lawyers like me, but these are few and far between.)

The laws that shape web development are not taught in code academies; there’s no room for those topics in laser-focused curricula designed to turn around qualified developers in a matter of weeks and hit government funding targets. (At least that’s what I was told over a beer when I put out the idea of teaching at one.)

And if like me, your development knowledge was self-taught from the mid-90s with no formal education at all, what you know is what you know. I did, for what it’s worth, take a web design certification course at a local university after 10 years of being a hobbyist; it didn’t teach me anything I didn’t already know, much less anything legal, but it did teach Dreamweaver. Yay?

The openness of web development, and the lack of common paths of entry or educational requirements, also mean that there are no requirements for continuing professional development. I’ve given data protection and privacy seminars to a handful of enlightened agencies who knew they needed to keep up, but they are rare birds indeed. As a web professional, if you want refresher training on something like privacy law, it’s likely to be on your own time and out of your own pocket.

So we don’t know what we don’t know.

And only in web development is that seen as a good thing.

Move fast and break things

We fetishise some really dumb things in web development. You can file them under the “move fast and break things” mentality: the notion that you should do what you want, whenever you want, however you want, damn the consequences. There was even a mantra called “just effing ship”, a call to ship your code into the world every day come hell or high water – even if it was wrong – as if web development existed to provide its practicioners with a form of personal validation. It’s all about you, baby.

Pair that with a hardcore Silicon Valley tech bro mentality which sees regulation as bad (have they heard of Section 230?), accessibility as a barrier to innovation (really), and privacy law as government interference with your god-given freedom as a developer (yep, this is a thing) and it’s a wonder we haven’t accidentally triggered global thermonuclear war out of a game of tic-tac-toe.

The thing about that, though, was Pogo was right: we have met the enemy, and he is us. Those sun-addled veterans of the 1990s vision of the internet as Cyberspace, the new home of Mind, never imagined that the practicioners who craft the web would proceed to make it every bit as hellish and dysfunctional as the offline world they thought it would replace. They saw a virtual home for unconstrained thought and expression. They got Nazis and Cambridge Analytica.

The web, as I said last week, is not an uncivilised Wild West. But it’s one where a lack of respect for the rule of law grew out of a lack of respect for each other. There’s no room for professionalism – and that includes consideration for the laws and regulations which shape a profession – when you’re moving fast, breaking things, and just effing shipping. By turning our nose up at the rule of law, we have fetishised unprofessionalism. Our users paid the price.

Unknown unknowns

Remember our irascible legal, political, and privacy professionals at the beginning of this article who can’t understand why developers don’t get a grip? It’s worth looking at what developers, businesses, and lawyers all assume about each other. It might suprise you.

Developers assume businesses know the law. And businesses are often very badly guided. In a world where we’re told anyone can start an online business anytime, due diligence and professional responsibility get left by the wayside. Let’s do some of what I call Waterstones research: seeing what information is available to everyday readers who might be thinking of starting up a business. Here was a book I spotted, which resulted in an unexpected and much appreciated response from someone I admire:

That book is a good example of how starting up a business, like shipping code, became fetishised over the years. Just do it, get it out there, roll with the punches, and celebrate your plucky entrepreneurial spirit. Taking some time to check that your business isn’t putting people at risk – or, for that matter, is even legal? Why do that when you can throw a tantrum about government getting in the way of innovation. After all, this book you got in the shop didn’t mention that stuff, so it can’t have been that important.

Let’s use an even more personal example than that. When I started up my web design business in 2007, I went to Business Gateway – the startup support agency in Scotland – to find out what I needed to know. They’re great for helping you on stuff like HR, VAT, and things like that. Legal stuff? They gave me some brochures on trademarks and branding. Data protection for my business, and online privacy for the sites I’d build? Not a word. Not one. It didn’t exist. And if the national startup agency doesn’t think those things are important, why would you? Fast forward to today, and Business Gateway now has a guide to GDPR for startups. They have it because I wrote it. I literally had to write the guidance that no one wrote for me. That’s cool and everything, but should it really have fallen to me to personally sort that on behalf of the nation?

Businesses assume developers know the law. If you hire someone to build an extension to your house, you’re going to assume they’re competent in your local and national building codes. The same goes for web development. Businesses hire agencies assuming they know that legal stuff. Not only is it unlikely that the agency knows any of it, but if the business itself is on the wrong side of the law, and the result is a privacy-slurping app or a data breach of personal details, the agency won’t have seen any of that as a problem.

Other professionals assume web development is an organised profession with a defined career path like theirs. It is very, very difficult for highly intelligent people working in law and academia, for whom their careers meant three or four years at university, a year or two at graduate school, a full-time position in a professionally structured company, and a clear path of career development, to understand that web development has none of that. They assume we learned certain things, in certain places, at certain times. They assume we receive certain things in the workplace. (They assume we have a workplace). They assume we receive refreshers, CPD, or ongoing training. They assume we are fed regular knowledge by a professional body. To professionals like those, the reality of being a web development practicioner, with no training, guidance, or support, is incomprehensible.

Schools assume developers will learn this stuff elsewhere. If schools and universities did not assume that legal education was someone else’s problem, they would teach it. Instead, they presume that future practicioners will study legal topics in their own time, or that perhaps those issues will be covered by students’ eventual employers. They would be wrong on both counts.

The law is an ivory tower. Let’s do some more Waterstones research. Before GDPR, I had a nosey through the legal section of a flagship Waterstones to see what information about data protection law was available to the everyday reader. This book pack was the only book at all: a massive hardcover tome written by lawyers, for lawyers, plus a shorter reference companion. The price? £388.00. You read that right: three hundred and eighty eight pounds. You could take a decent holiday for that.

This book is not actionable information for everyday readers with everyday budgets. This is for lawyers to buy, on the company expense account, to top up knowledge they already have. What self-employed developer would spend that much to read something written for barristers as their introduction to both theory and practice? The book written for them, in the language they need, doesn’t exist – nor will lawyers come down from the ivory tower to write one. (It falls to people like me to get the odd client commission to pave that ground, so if you’re looking for guidance on GDPR written for developers, fill your boots.)

Euston, we have a problem

That’s been my overview of the points which cause a lack of knowledge on the legal side of web development: no common points of entry or educational path, “moving fast and breaking things”, and the misunderstandings that developers, lawyers, and policymakers all have about each other.

But what’s the consequence of all that? It’s very simple.

We are creating architects who have never heard of building codes, drivers who have never heard of the Highway Code, and doctors who have never heard of the Hippocratic oath.

Me. Looks very impressive in big quotes, doesn't it
We are turning out future professionals and new practicioners who will spend their careers with gaps in their knowledge, and missing pieces in their professional practices, which would be incomprehensible in any other field. Privacy scandals, reputational damage, and heavy-handed regulation are just some of the consequences.

As a result, the open web is beginning to close up. The abuses of rapacious tech giants are only partially at fault. Designers and developers who didn’t know what they didn’t know, didn’t check to verify if what they were doing was okay, and didn’t ask the questions they should have asked are equally to blame.

So what can we, as advocates and educators and trainers, do to turn that around?

I want to make three suggestions of projects, initiatives, and movements we can work on together.

Curricular materials

We need to look at what we teach, what we’re failing to teach, and how we teach it.

Developers – both present and future ones – need reference materials. This could take the form of a Github repo, an actual physical textbook, or perhaps both. Who wants to fund me to write them?

Educators and students alike need resources on internet law which were not written by lawyers wanting to show off how smart they are. They need resources on internet law not written by academics who don’t code or develop or hack. They need resources on internet law that aren’t about scaremongering, threatening, or drumming up business.

Everyone needs guidance written by their own people, for their own people, in actionable steps they can deploy on the code level.

Teaching and training

We need to look at where we teach the legal side of web development and when we teach it.

Secondary schools need to expand the curriculum from a heavy-handed, Home Office-influenced litany of thou-shalt-nots to a proactive and positive view of user protection.

Universities need to take a more holistic approach, and one in particular that knocks down the ivory tower between law and design schools. Internet law should not be a niche subject for mid-career legal professionals, and no web practicioner should have to go to postgraduate school to learn it.

Code academies need to concede that if teaching the legal side of web development adds a week or two to a curriculum, that’s a small price to pay for not turning out half-trained professionals into the world.

Software communities have a role to play here too, particularly as they may be the closest thing to a professional body that most developers will ever have. Practicing developers need continuing professional training. Talks, workshops, and refresher training on legal and regulatory issues need to become part of every development community’s conference cycle. I don’t know about you, but that’s what I want when I go to a conference. Sod yoga.

Moving towards professionalism

We don’t ever want to put in mandatory certifications, qualifications, or barriers to entry in front of the web profession. But we can’t go on fetishising the idea that anyone can show up with no knowledge or training and go straight to shipping. We need to move towards an understanding that if you come to this job with massive gaps in your knowledge, you have an obligation to fill them.

We need to help people fill those gaps.

As part of that journey, we need to expand the view of the web profession past code to one encompassing both ethics and the rule of law.

We need to check each other, and have the courage to call each other out when something is unethical or illegal. We need to stop worrying about being nice and start saying “that’s not good enough.” And when we see practicioners who came to this profession because they saw it as one where they would have no obligations to anyone but themselves, we need to call them out and ask them to find a different career.

That is what professionals do.

As I have said for years, we need to regulate ourselves – and that means showing respect for the rule of law, and the processes which create it – or we will be regulated with heavier legislation and a decisive closing of the open web. I fear that for many of us, it’s already too late. Maybe not for you, though.

Where do we start?

Here is what I need to help turn these ideas into a movement.

First, I need a publisher and funding sources. I am under no obligation to starve on behalf the open web. (Update: DONE)

Second, I need a brain trust of diverse professionals. I’m not doing this all myself.

Third, I need contrarians. Constructive challenges make good ideas better.

Fourth, I need a community of like-minded individuals. Does that include you?

How do we do this?

That bit’s easy:

First, we need to commit to understanding each other better.

Then, we need to commit to building bridges between policymakers, the legal sector, regulators, projects, academia, and developers.

Third, we need to commit to helping each other on good days and pulling each others’ socks up on bad ones.

And fourth, we need to commit to having a bloody good time along the way.

So now let’s begin.

The Author

I’m a UK tech policy wonk based in Glasgow. I work for an open web built around international standards of human rights, privacy, accessibility, and freedom of expression. The content and opinions on this site are mine alone and do not reflect the opinions of any current or previous team.

1 Comment

  1. Thank you Heather. I really enjoyed reading this and 100% agree with what you wrote. Unfortunately we only have been learning to code but paid not much attention to the law side of IT/design at all. Really important subject/module that must be added to all IT courses/degrees.

Comments are closed.