Dagstuhl Seminar 24112

EU Cyber Resilience Act: Socio-Technical and Research Challenges

( Mar 10 – Mar 13, 2024 )

Permalink
Please use the following short url to reference this page: https://www.dagstuhl.de/24112

Organizers

Contact

Dagstuhl Reports

As part of the mandatory documentation, participants are asked to submit their talk abstracts, working group results, etc. for publication in our series Dagstuhl Reports via the Dagstuhl Reports Submission System.

Dagstuhl Seminar Wiki

Shared Documents

Schedule

Motivation

The growth of Consumer Connected Devices such as Smart TVs and Smart Speakers has introduced unprecedented challenges for preserving consumers’ security and privacy, and nations’ cyber-safety. The European Union has been at the regulatory forefront, developing strict regulatory frameworks to protect consumers and increase European cyber-resilience. However, the path towards compliance and enforcement is not straightforward.

In May 2018, the EU General Data Protection Regulation (GDPR) came into force to protect users’ privacy and digital rights. However, 5 years later, its success has been moderate due to developers’ inability (or lack of incentives) to comply with the regulation. This is aggravated by differences in rule interpretation across DPAs, which cause confusion among developers and lead to differing enforcement criteria. Now, the new EU Cyber Resilience Act aims to enforce security requirements for digital products like IoT devices by establishing a framework for secure development and empowering users to make security-aware decisions. This is complemented by a Europe-wide Cybersecurity Certification Framework (ECCS) and the new NIS 2 Directive, which puts in place cybersecurity requirements including supply chain measures. The combination of these regulations aims to ensure that digital products are vulnerability-free, transparent, and vendor-supported throughout their life cycle, while also being respectful of citizens’ digital rights and privacy. However, what will be the barriers and challenges for compliance and enforcement?

Device and software analysis methods (from formal methods to black-box testing) are essential for facilitating compliance at different stages of the product life cycle, but also for independent certification and enforcement as the ECCS mandates. However, the rapid evolution and increasing complexity of new technologies, together with other socio-technical factors, may add further challenges and barriers to compliance and enforcement. On the one hand, it is essential to understand whether regulatory requirements are realistic and unambiguous, and whether they are misaligned with technology trends, with manufacturers’ incentives and goals, and with users’ privacy and security awareness. For example, research evidence has shown that many developers do not fully comply with GDPR and COPPA requirements due to their dependency on obscure third-party components for development support and advertising, economic incentives, poor software engineering habits, or even lack of regulation awareness. On the other hand, we need to assess to what extent device and software analysis methods are fit for aiding developers and manufacturers in compliance, and also for independent certification and enforcement. Yet, current software and device analysis techniques (e.g., black-box testing) often over-simplify the complexity of digital products and have scalability and coverage limitations that prevent them from testing at scale whether observed software properties comply with regulatory requirements.

This Dagstuhl Seminar aims to bring together a multidisciplinary group of technical and legal academics, industry actors and policy experts to holistically explore the complex landscape of research and socio-technical challenges for regulatory adoption and enforcement. These challenges arise from developer practices and incentives, user awareness, and the feasibility of existing software analysis methods for certification and enforcement. By fostering multidisciplinary dialogue across communities that are often disconnected, this workshop aims to (1) shed light on pressing research challenges and barriers to the adoption and enforcement of new tech laws; (2) promote cross-disciplinary research networks and collaboration in developing innovative solutions to strengthen digital security and resilience while preserving users’ rights; and (3) produce reports to inform the regulatory debate and future research agendas at the intersection of tech and policy.

Copyright Mila Dalla Preda, Serge Egelman, Anna Maria Mandalari, and Narseo Vallina-Rodriguez

Participants

Classification
  • Computers and Society
  • Cryptography and Security
  • Software Engineering

Keywords
  • Digital Law and Policy
  • Usable security and transparency
  • Cybersecurity and Cyber-Resilience
  • Software Engineering and Secure Development
  • Software Analysis and Certification