Regulating Freedom

Disclaimer: I am an active OSS advocate. I have even given training to investment funds on how to invest in OSS and to evaluate risks of OSS investments. I am also an active OSS contributor with my company’s core product driving a number of market-proven OSS products. I am no stranger to liberty.

I’ve been hearing some random opinions that any form of regulation is evil and will stifle freedoms, particularly the development of Open Source Software (OSS). I think that there is a gross misunderstanding of the role that strong regulation plays in regulating freedom.

OSS is particularly fussy about freedoms. In fact, we are so fussy about freedoms that we have split the world into two major camps – the Free Software and Open Source Software movements. Both look similar to the untrained eye but are particularly different in their individual philosophies.

However, I want to point out to all the techies out there who do not realise this – the entire FLOSS (Free Libre Open Source Software) movement can only thrive on strong regulation – particularly strong copyright laws. If strong copyright laws did not exist, none of the open-source licenses could be enforced.

This is something that we must note and remember.

Law is neither good nor evil. It is people who abuse the law. The genius in the whole FLOSS movement is how we managed to turn regulation that is typically used to restrict freedoms, into one that actually encourages and enforces freedoms. If someone tries to take our freedoms away, we get to sue them in court.

The question that I’m asking myself now is this – can we turn the CPB2011 into something that enforces freedoms instead of restricting them?

CPB2011 Restrictions

I’ve already mentioned some of this in my preliminary analysis. However, there are a few more things that I have missed out that I think need to be addressed.

Devil’s in the details.

Restrictions on Residence

18. (1) Except as otherwise provided under any other written law, no person or body, other than a Registered Computing Professional who is residing in Malaysia or a Registered Computing Services Provider providing Computing Services that are within the scope stipulated in section 2, shall be entitled to submit proposals, plans, designs, drawings, schemes, reports, studies or others to be determined by the Board to any person or authority in Malaysia.

Wow, this is protectionism à la Malaysia, rearing its ugly head again. Only RCPs who are resident in Malaysia are allowed to submit documents. Companies acting as RCSPs can only qualify if their staff are RCPs who must be resident in Malaysia to qualify to submit documents. In other words, only RCPs in Malaysia, period.

I don’t see how this could possibly benefit our country as a whole. If the CPB2011 is designed to control quality and to ensure standards, I don’t see why the issue of country of residence needs to be included. I can understand if certifications, training, etc. are important but not country of residence.

It would also severely restrict our Malaysian experts. While they may very well qualify to be RCPs, they may not be normally resident in Malaysia due to the global nature of IT operations and they need to go where the work takes them. As a result, they will not be allowed to submit documents. This just punishes them for being successful.

This is just silly.

Restrictions on Employment

34. No CNII entities or person shall employ a person, sole proprietorship, partnership or body corporate, other than a Registered Computing Practitioner or Registered Computing Professional or Registered Computing Services Provider practice, to perform Computing Services.

While I can understand that you only want people who are RCPs to take responsibility for submitting documents, I don’t understand why it is that non-RCPs cannot even be employed to do the work. This is just going to bite the CNII entities in the ass.

I can imagine this problem biting someone like TM in the ass. One would imagine that being a GLC controlling most of the telecommunications infrastructure within Malaysia, TM would be clearly marked as a CNII entity. If TM is not even allowed to employ a non-RCP to provide Computing Services, I can imagine their HR having a huge headache very soon.

This is particularly true if you consider the meaning of “Computing Services” as defined in S.3 of the CPB2011:

“Computing Services” means services within the domain of Computing rendered by the scope of this Act;
“Computing” is a goal-oriented activity to plan, architect, design, create, develop, implement, use and manage information technology or information technology systems.

And there you have it – a CNII entity cannot even employ a non-RCP person to use an IT system. I think that the drafters of the bill may not have considered this in its entirety. While this will only affect the CNII entities, they are, arguably, the largest employers of IT staff in the country – from banks, to government, telcos to hospitals.

I can understand that you want fully qualified people to plan, architect, design, create, develop, implement and manage the systems but it’s crazy to demand that RCP be the only ones who can use the system as well. Most computing systems are designed to be used by non-IT personnel.

Amazing law.

PS: Just realised that the CPB2011 encourages CNII entities (e.g. the government) to employ non-RCP people to use IT systems aimlessly i.e. without a goal!

CPB2011 and Tort

I think that there is room for me to do a little law school analysis on how the Computer Professionals Bill 2011 can affect tort/contract and vice-versa.

Some people think that if there are problems with the deployment of a computer system, you can already sue under existing law such as Contract Law. Unfortunately, it may not be so simple to sue someone for breach of contract as clearly illustrated in the Highlands Towers case.

As an illustration, imagine if someone was contracted to design and build a high-availability cluster managing the stock market. The system guy decided to only install one server instead of a dozen and that one server died from the overload. In this case, the breach of contract is clear as the contract was for the installation of a cluster, not a single server.

Unfortunately, Contract Law is quite clear about the remedies. If I remember correctly you cannot sue someone for an arbitrarily high value, and that value must be agreed upon in the contract. It would not be fair to hire someone to build the system for RM1mil and then sue them for RM100bil.

You can sue for specific performance, and they can re-install a high-availability cluster. You can sue for liquidated damages, which would need to be agreed upon at the signing of the contract and will not amount to anywhere near RM100bil as no company would open up themselves to a RM100bil suit for a RM1mil contract.

Furthermore, if that person installed a proper cluster and the stock market system still crashed due to overload, this is no longer an issue of a breach of contract – particularly if the contract was specific enough that the installer actually did everything as per contract. Good luck trying to sue them under Contract Law.

However, the stock market system still crashed and people lost a lot of money. Some may have lost their livelihoods and others, their lives. In order for justice to be served, someone must pay. The question is whom and how much.

This is where the law of Tort comes in. There is the whole concept of ‘duty of care’ due and the standards for ‘duty of care’ become much higher for professionals and experts. So, it might be arguable that there was a breach of duty if the installer built the system to spec even if the spec was sub-standard.

It could be then argued that any reasonable systems installer should be able to calculate a load and then advise their clients, Bursa, that the high-availability cluster would not be sufficient to cater to the expected and foreseeable load based on the transaction volume for the last few years. That data may not be publicly available but as the guys designing the system, they could have gotten it with reasonable diligence.

In this kind of scenario, it would be better to sue under a breach of duty or negligence as the facts of the matter are that the systems were not up to par to handle the expected load.

Now, even if the systems guys did a wonderful job and did everything humanly possible to build a high-availability cluster for the stock market system, it still crashed. Sometimes, shit just happens. In this case, there may still be room for some other tort. Depending on the scenario, maybe strict liability can apply.

So, the CPB2011 would help in terms of liability. It now becomes clear that whoever sells services to critical sectors must be a registered computing professional. This person would then be held liable in the event that shit happened. That is what it means to be a professional.

Having the CPB2011 elevates that position and raises the bar for ‘duty of care’ owed. That is why I am not against the CPB2011 on principle. However, the devil’s in the details and I’ve already looked at some of the other details in my earlier post.