Summary: Regulations

This is a summary with links to my posts on regulations.

Regulations are supposed to make things better. Most of the time regulations make things worse by preventing innovation, increasing costs and failing to achieve the goals for which they were created. The negative impact of regulations, whether government or corporate, is greatly magnified in software and technology.

The reason why our ever-growing number of regulations fail to protect us is simple. In the vast majority of cases, they spell out, often in great detail, how to accomplish the goal, instead of plainly and simply defining the goal and leaving it up to the person or company regulated to figure out how to get it done.

Regulations that define a goal enable innovators to find new ways to accomplish it, whether that is a better medical device, stronger computer security, or anything else.

Another way to think about effective regulations is the criminal law, which regulates behavior. There aren’t ever-growing mountains of regulations telling you how to avoid murdering someone, just a simple statement that murder is something you must not do.

Regulations are front-and-center in the bureaucracy-driven battle to prevent innovation. Regulations are ever-growing mountains of words written by lawyers and bureaucrats. The current federal regulations contain more than 100 times as many words as the collected works of Shakespeare.

Regulations and standards can be good; without standard steering wheels and brake pedals, no one would be able to drive a rental car. Software is different. The misguided effort to impose standards and regulations on software development has played a key role in the nonstop cybersecurity disasters and software failures that most organizations try to minimize and ignore.

Medical device regulations increase costs and prevent innovation. The FDA device regulations provide an excellent example, declaring in massive detail exactly how to achieve quality, in the classic how-type style. The what-type version (the criminal-law model above) would simply declare that the device must perform its declared function, accurately and well.

A similar story plays out in the field of medical imaging. The essential devices could be vastly improved if the regulators got out of the way.

The bureaucrats who write regulations for software are ignorant of software. It’s literally invisible to them! Their understanding, such as it is, tends to be based on false metaphors and is wildly inappropriate. They end up requiring expensive, obsolete methods for building software that no sensible company would use.

The current mountains of regulations should be replaced by something like “We don’t care how you build your software, but it’s your responsibility to assure that the software performs its stated job without fail. If the software has errors that cause medical harm, you are responsible for the damage it causes, and you may be barred from supplying software to the medical market in the future.”

Regulation is also about important things like making trains safe so that, even when something goes wrong, you don’t have a crash that kills people. That’s one the government has been all over. They devised a system called PTC (positive train control) to prevent crashes. Implementing it cost tens of billions of dollars and took many years. Years after it was mandated, the 2015 Amtrak derailment in Philadelphia killed people and injured hundreds.

The crash in Philadelphia wasn't a one-off. The problem is that PTC is built on computing technology that belongs in a museum, not supposedly protecting our lives.

The technology exists to enable a more effective, inexpensive system to be built using modern technology. But of course the regulators ignore it.

Whenever the government wants to step in to improve a company’s software, beware. When has such a move ever had a positive impact on anything, much less the stated goal of the regulation?

There has been a recurring furor about the unfairness of the internet. According to the critics, regulators at the FCC should step in and impose “net neutrality” to make service fairer for everyone. In fact, what few problems there are have been caused by regulation. And where such regulation has been imposed elsewhere, severe government-mandated censorship has quickly followed.

It’s not just the government. Big bureaucracies to “control and improve” software emerge in giant companies of all kinds. Even in a software company, the in-house regulators can impose insanity. Here’s a case involving Microsoft and digital goods.

Regulations have an outsized role in causing the ongoing disaster of computer security. See these for examples and explanations:

For more about security and how regulations make things worse, here is the summary post.