Regulating Freedom

Disclaimer: I am an active OSS advocate. I have even given training to investment funds on how to invest in OSS and to evaluate risks of OSS investments. I am also an active OSS contributor with my company’s core product driving a number of market proven OSS products. I am no stranger to liberty.

I’ve been hearing some random opinions that any form of regulation is evil and will stifle freedoms particularly the development of Open Source Software (OSS). I think that there is a gross misunderstanding of the role that strong regulation plays in regulating freedom.

OSS is particularly fussy about freedoms. In fact, we are so fussy about freedoms that we have split the world into two major camps – the Free Software and Open Source Software movement. Both look similar to the untrained eye but are particularly different in their individual philosophies.

However, I want to point out to all the techies out there who do not realise this – the entire FLOSS (Free Libre Open Source Software) movement can only thrive on strong regulation – particularly strong copyright laws. If strong copyright laws did not exist, none of the open-source licenses can be enforced.

This is something that we must note and remember.

Law is neither good nor evil. It is people who abuse the law. The genius in the whole FLOSS movement is how we managed to turn regulation that is typically used to restrict freedoms, into one that actually encourages and enforces freedoms. If someone tries to take our freedoms away, we get to sue them in court.

The question that I’m asking myself now is this – can we turn the CPB2011 into something that enforces freedoms instead of restricting it?

CPB2011 Restrictions

I’ve already mentioned some of this in my preliminary analysis. However, there are a few more things that I have missed out that I think need to be addressed.

Devil’s in the details.

Restrictions on Residence

18. (1) Except as otherwise provided under any other written law, no person or body, other than a Registered Computing Professional who is residing in Malaysia or a Registered Computing Services Provider providing Computing Services that are within the scope stipulated in section 2, shall be entitled to submit proposals, plans, designs, drawings, schemes, reports, studies or others to be determined by the Board to any person or authority in Malaysia.

Wow, this is protectionism ala Malaysia, reeling it’s ugly head again. Only RCP who are resident in Malaysia are allowed to submit documents. Companies acting as RCSP can only qualify if their staff are RCP who must be resident in Malaysia to qualify to submit documents. In other words, only RCP in Malaysia, period.

I don’t see how this could possibly benefit our country as a whole. If the CPB2011 is designed to control quality and to ensure standards, I don’t see why the issue of country of residence needs to be included. I can understand if certifications, training, etc are important but not country of residence.

It would also severely restrict our Malaysian experts. While they may very well qualify to be RCPs, they may not be normally resident in Malaysia due to the global nature of IT operations and they need to go where the work takes them. As a result, they will not be allowed to submit documents. This just punishes them for being successful.

This is just silly.

Restrictions on Employment

34. No CNII entities or person shall employ a person, sole proprietorship, partnership or body corporate, other than a Registered Computing Practitioner or Registered Computing Professional or Registered Computing Services Provider practice, to perform Computing Services.

While I can understand that you only want people who are RCP to take responsibility for submitting documents, I don’t understand why it is that non-RCP cannot even be employed to do the work. This is just going to bite the CNII entities in the ass.

I can imagine this problem biting someone like TM in the ass. One would imagine that being a GLC controlling most of the telecommunications infrastructure within Malaysia, TM would be clearly marked as a CNII entity. If TM is not even allowed to employ a non-RCP to provide Computing Services, I can imagine their HR having a huge headache very soon.

This is particularly true if you consider the meaning of “Computing Services” as defined in the S.3 of the CPB2011:

“Computing Services” means services within the domain of Computing rendered by the scope of this Act;
“Computing” is a goal-oriented activity to plan, architect, design, create, develop, implement, use and manage information technology or information technology systems.

And there you have it – a CNII entity cannot even employ a non-RCP person to use an IT system. I think that the drafters of the bill may not have considered this in its entirety. While this will only affect the CNII entities, they are arguably, the largest employers of IT staff in the country – from banks, to government, telcos to hospitals.

I can understand that you want fully qualified people to plan, architect, design, create, develop, implement and manage the systems but it’s crazy to demand that RCP be the only ones who can use the system as well. Most computing systems are designed to be used by non-IT personnel.

Amazing law.

PS: Just realised that the CPB2011 encourages CNII entities (e.g. the government) to employ non-RCP people to use IT systems aimlessly i.e. without a goal!

Computing Professionals Bill 2011 Preliminary Analysis

Disclaimer: I’m a registered engineer and a recent law student. I have been in the IT industry for 14+ years and been actively programming for 22 years.

TLDR: go straight to the conclusion at the bottom.

Someone has posted up the draft bill incorporating changes up to 22-Nov-2011. I’d like to put on my law school hat for a moment to read this draft bill and see whether it is screwed up in form and/or substance.

I remember from MLS class that a statute needs to be read in its entirety, including it’s long title:

An Act to provide for the establishment of the Board of Computing Professionals Malaysia and for the registration of computing practitioners, computing professionals, sole proprietorships, partnerships and bodies corporate providing Computing Services and for purposes connected therewith.

Sounds benign enough. No argument there.

Now, the critical part of the bill that everyone seems to have missed out in their over-zealousness to condemn the bill:

2.(1) This Act applies throughout Malaysia.
(2) This Act applies to the Critical National Information Infrastructure (CNII).
(3) Every Registered Computing Practitioner, Registered Computing Professional and Registered Computing Services Provider shall be subject to this Act.
(4) The Minister may, by notification in the Gazette, suspend the operation of this Act in any part of Malaysia or suspend the operation of any part of this Act

One hitch that I have with the bill is that it seems to empower the Minister with quite a bit of discretion in determining where the Act may or may not apply. But the important part is that the proposed bill seems to only apply to those sectors defined as CNII in the bill as:

“Critical National Information Infrastructure(CNII)” refers to those assets, systems and functions that are vital to the nation that their incapacity or destruction would have a devastating impact on national economic strength or National image or National defense and security or Government capability to function or Public health and safety;

According to the NITC, CNII would cover a range of services:

  • National Defence & Security
  • Banking & Finance
  • Information & Communications
  • Energy
  • Transportation
  • Water
  • Health Services
  • Government
  • Emergency Services
  • Food & Agriculture

Okay, this seems like a pretty wide ranging area but this seems fair enough to me. You don’t want to have any random IT guy write the code running your government do you? There’s still a lot of room to do business such as manufacturing, education, entertainment, multimedia, business services, etc.

Part II of the bill covers the composition and administration of the Board. This is quite mundane and boring. It even mentions remunerations. Arrgh! The next interesting part comes in Part III Section 14, registration of a Practicioner (kinda like a Graduate Engineer).

14.(1) (a) Subject to this Act, a person who holds –
(i) the qualifications required for Graduate Membership of a professional body or organisation recognized by the Board, and the qualifications are recognised by the Board; or
(ii) any qualification in Information Technology or Computing which is recognised by the Board; or
(iii) any other qualifications, certifications or relevant experiences recognised by the Board,
shall be entitled on application to be registered as a Registered Computing Practitioner.

Sounds very fair to me. It does not seem to be limited to only IT graduates but S.14(1)(a)(i) seems to open the way for Electronics Engineers registered with the Board of Engineers to be admitted also as Practitioners. S.14(1)(a)(iii) even allows those without formal academic training but possessing relevant experience to be registered.

Again, this seems fair enough to me as long as they actually implement it. Now, onto the main sticking part (as this is the determining factor on whether one can get the big money or not) – the registration of the Professional:

14. (2) Subject to this Act, the following persons shall be entitled on application to be registered as a Registered Computing Professional:
(a) any person who is a Computing Graduate or any person who has other qualifications recognized by the board
(i) who has obtained the practical experience as prescribed under subsection (1)(b); and
(ii) who has passed a professional assessment examination conducted by the Board, or is a Corporate Member of a professional body or organisation recognized by the Board; and
(iii) who has paid the prescribed fee and
(iv) who has complied with all the requirements of the Board;
(b) any person who, on the appointed date, was a Corporate Member of a professional body or organisation, or held a professional qualification which the Board considers to be equivalent thereto;
(c) any person who satisfies the Board that he was practicing or was carrying on business or was employed as a bonafide computing professional immediately before the appointed date and who applies for registration within twelve (12) months of that date;
(d) any person who, on the appointed date, had obtained a qualification which would have entitled him to be registered as a Registered Computing Practitioner by virtue of paragraph (1)(a) and who, after that date, has obtained outside Malaysia a professional qualification which the Board considers to be equivalent to that required for membership of a professional body or organisation recognized by the Board or has passed a professional assessment examination conducted by the Board.

Now, s.14(2)(c) seems to be the back door in for existing IT guys while s.14(2)(b) seems to be the back-door in for Corporate Members from other professional organisations. So, again, I wouldn’t break a sweat. Guys who are making a living as IT professionals at present, would be entitled to register as a computing professional after the act comes into being.

I hope that they do recognise the ICT Tech and CEng registration provided by the UK Engineering Council to ICT guys. Don’t be like the engineers who choose to become jaguh kampung and not recognising others. We’ve got to open up the service sectors soon anyway.

Computing Graduate is defined as:

“Computing Graduate” means a person who has completed a computer science or equivalent degree programme of study.

Now, this will cheese many people off but it applies largely to future applicants who’re not existing IT pros. It would make the degree a basic requisite of becoming a Registered Computing Professional. This is where there might be issues as there are lots of IT guys who do not have a degree especially since most of their role-models (Bill Gates, Steve Jobs, etc) dropped out of school and never finished.

This issue needs to be seriously addressed. I do not want to see a scenario like that of engineers where even 3-year degrees are not recognised and those who do not have degrees are virtually denied the opportunity to become a GE because the graduate exams seem to have gone on a holiday.

But the main sticking point to me seems to be the registration of companies under s.15 as service providers and the restriction of their services to only specific fields under s.15(4). In engineering, there is a clear demarcation between civil, mechanical, electrical etc. Can the same be said of IT?

Take the case of deploying a secure web-site – the systems administrator sets up the web-server with SSL, the network administrator sets up the firewall, the programmer writes the code for the site, the database admin sets up a secure database etc. Yes, it is possible to separate the roles but what about people who can do them all?

I can personally do them all. Would that mean that I’d need to register as a Computing Professional under different categories? Would that even be possible or allowed? Or would I need to hire half a dozen guys just to do the work that I can do solo?

This is a question that needs to be clearly answered. Otherwise, we end up with the same random problems as the engineers, where an Electrical Engineer can sign for Electronics but not the other way around. Supersets and subsets of fields, though tempting, are not the solution to this problem.

Another sticky part is Section 19:

19.(1) In relation to section 2 no person shall, unless he is a Registered Computing Professional—
(a) practice, carry on business or take up employment which requires him to carry out or perform the services of a Registered Computing Professional;
(b) be entitled to describe himself or hold himself out under any name, style or title—
(i) bearing the words “Registered Computing Professional”, or the equivalent thereto in any other language;
(ii) using abbreviation after his name or in any way in association with his name subject to the approval of the Board;
(c) use or display any sign, board, card or other device representing or implying that he is a Registered Computing Professional;
(d) be entitled to recover in any court any fee, charge, remuneration or other form of consideration for any professional technology services rendered.
(2) Notwithstanding subsection (1) –
(a) a Registered Computing Practitioner may take up employment which requires him to perform Computing Services subject to the
i. work is carried out under the supervision or instruction by a Registered Computing Professional, or
ii. similar work scope has been carried out by the Registered Computing Practitioner before.
(3) A Registered Computing Professional may only provide Computing Services in the disciplines or specialisations of Computing he is qualified to practise and as is shown in the Register under subsection 12(2).

Most of this section is pretty reasonable such as s.19(2) essentially covers supervision and s.19(b)-(c) that protects the use of the title to only those properly registered. This is merely to protect and distinguish those who are qualified versus those who are not.

Now, s.19(1)(a) and (d) seems to be the part that most people are screaming their lungs off about. However, it’s got to be read in with s.2, which limits the applicability of s.19 such that nobody who is not a registered Computing Professional can provide services and charge fees for only those services to the CNII industries.

But there’s a catch – they are not legally allowed to simply practice it! The trick lies in the definition of practice and according to my legal dictionary of what this means:

practice
1) n. custom or habit as shown by repeated action, as in “it is the practice in the industry to confirm orders before shipping.”
2) n. the legal business, as in “law practice,” or “the practice of the law.”
3) v. to repeat an activity in order to maintain or improve skills, as “he practices the violin every evening.”
4) v. to conduct a law business, as “she practices law in St. Louis.”

While this is specific to law, if we were to use it as an analogy and replace the words with computing, we get a scary meaning. This means that even working on free hobby open-source projects for the purpose of improving skills, may be construed to be breaking the law. This seems particularly onerous and as an OSS advocate, I cannot agree to it.

I can understand it if you want to protect these services if there is money involved but when there’s no money involved, one should be free to practice their own craft if they wish to, even if they are not certified as such. Otherwise, it would essentially limit their fundamental freedoms particularly since much of IT is developed through practice.

Part IV is administrative law – the disciplinary committee. Even more boring shit.

Uh-oh! I just spotted an ouster clause! S.39(1) and S.42 essentially protect the Board and anyone else involved in the administration this law from being sued while carrying out their duties. Does this mean that judicial review would only be limited to procedural aspects of the law?

Alright. It’s almost 2am and I’ve spent several hours reading law today. Tort is giving me a headache.

Conclusion

Some feel that the definition of CNII covers too broad an area, which it actually doesn’t. It is very clear that only critical areas where the destruction would endanger national interests, the keyword being destruction. So, not everything under the sun will fall under CNII. There is still plenty of room to make money.

Furthermore, it seems that there is a clause to allow existing computing professionals to be eligible for registration without much additional requirements. There also seems to be back-doors to allow registered professionals from other bodies to be transferred in. So, this seems a non-issue as well.

One sticky issue would be for future registrations, where one would presumably need to get a CS or equivalent degree. This wouldn’t be so much of a problem if all the IT role-models actually finished school. Most of them never did. This should be looked into.

However, the part that restricts a non-registered person’s practice of IT is particularly onerous. Since the development of IT is largely through practice, this clause would severely limit the development of the IT industry in Malaysia. This is the part where I think that the drafters failed to appreciate.

IT needs less restrictions to develop. I think that the best solution to this problem would be to ‘live and let live’. Allow non-registered person’s to practice whatever that they want particularly if they’re not going to charge any money for it. IT development needs the room for experimentation otherwise, it will die.

I’ve not yet looked into how this will affect FDI and whether the companies would need to be owned by a Registered Computing Professional, which might just have to be a Malaysian. I’m also not quite sure how companies like Intel would respond to this. Microsoft might lobby to get it’s MCSE recognised. Still lots more to consider for another blog.

Leave comments and let me know if there’s anything else that I missed out.