Software Regulations
Software regulations encompass a set of legal frameworks and standards that govern the development, distribution, and use of software, particularly concerning consumer privacy and data protection. In the absence of a single regulatory body, various laws have emerged to address different facets of online privacy, such as the Health Insurance Portability and Accountability Act (HIPAA), which mandates compliance for software handling personal health information. The evolution of copyright laws, notably following the landmark case of *Apple Computer, Inc. v. Franklin Computer Corp.* in 1983, has allowed software developers to protect their code, thus incentivizing innovation and standardization in the industry.
Different types of software licenses, including open-source, proprietary, freeware, and shareware, dictate how software can be used and modified. Open-source software allows users to access and alter source code, while proprietary software imposes restrictions through license agreements. Regulations also play a crucial role in maintaining software quality, reducing vulnerabilities, and safeguarding users’ personal data. Overall, software regulations strive to enhance accountability and improve user privacy as technology continues to advance. Understanding these regulations is essential for developers and organizations to ensure compliance and secure software usage.
- FIELDS OF STUDY: Software Engineering

ABSTRACT
Software developers must keep numerous legal and regulatory considerations in mind when creating software. Organizations that use the software should also be aware of these regulations in order to remain compliant, both in their record keeping and in their use of internal-use, proprietary, and open-source software.
Software Regulations and Legal Standards
Until 1983, computer programs could not be copyrighted in the United States. A software developer could copyright source code, but not the binary program produced when that code is compiled. This is because the compiled program was viewed as a "utilitarian good" generated from the code rather than a creative work. In order to assert a copyright, the developer had to make the source code available with the program. While publishing the source code gave a developer greater control, it also made it easier for others to copy and modify the program.
Copyright rules began to change with the US Court of Appeals' decision in Apple Computer, Inc. v. Franklin Computer Corp. (1983). It was the first appellate court ruling to state that machine-readable code is subject to copyright. Prior to this, developers had no reason to withhold source code. Computers were not standardized enough to make large-scale development profitable, and software often had to be modified to run on different computers. Introducing software copyright allowed for greater profit potential and provided new incentives for standardization. It also gave developers a reason to keep source code private: now they had a copyright to protect.
Since then, several laws have been passed to regulate both software development and its end use. Because computer technology is constantly evolving, new regulations are often needed. One such law is the Health Insurance Portability and Accountability Act (HIPAA). HIPAA includes provisions designed to protect patients' health information, particularly when using software developed for healthcare providers. Any software or application (app) that collects or stores personally identifiable health information or shares it with certain covered medical entities, such as doctors and hospitals, must be in compliance with HIPAA.
Another law, the 2002 Sarbanes-Oxley Act (SOX), covers information retention. It states that all organizations, regardless of size, must retain certain business records for at least five years. Emails and electronic records are included in this category.
In 2024, the US Department of Commerce increased its efforts to secure the Information and Communications Technology and Services (ICTS) supply chain. New regulations authorized the investigation and potential banning of ICTS transactions from countries deemed adversarial, such as China and Russia. This change also proposed bans on software and hardware from these nations in autonomous vehicles to protect national security and personal privacy. Also in 2024, to comply with the EU's Digital Markets Act, Apple announced changes allowing iPhone and iPad users in the EU to delete native apps like Safari and the App Store.
The EU implemented the Cyber Resilience Act in early 2025 to enhance cybersecurity. The act requires manufacturers to ensure their products are secure throughout their lifecycle through regular security updates and incident reporting. Some advocates have called for similar legislation to be implemented in the US.
Types of Software
There are several types of software, distinguished by which license governs their use. A software license is a legal instrument that states how copyrighted software can be used. Open-source software makes its source code available, with no restrictions on how it may be used. Its license gives users the right to modify the program, make copies, and distribute it to others. Open-source software is usually, but not always, free of charge.
Proprietary software is software on which the copyright holder has placed certain restrictions. It typically comes with a license agreement. This is an implied contract between the copyright holder and the end user. The license agreement spells out what the user can and cannot do with the software. It may also include a disclaimer of responsibility should the software damage the user's computer in some way. As a legal contract, a license agreement can, in theory, be enforced in court. In practice, enforceability may depend on the terms of the agreement, how and when the user consented to it, and even which court has jurisdiction.
Other types of software include freeware, shareware, and internal-use software. Freeware can be freely used, copied, and distributed but does not permit modification of source code. Shareware is a type of proprietary software that is initially provided for no cost and can be freely copied and distributed, but continued use under certain conditions requires the purchase of a license. Internal-use software, or private software, is developed for a company's own internal use but not made publicly available.
Mobile and Smartphone Software
In 2008, Google released the first version of Android, a smartphone operating system (OS) based on Linux. Android is open-source software, with source code available through the Android Open Source Project. As a result, a large community has formed in which developers modify and distribute their own versions of Android. These modified versions often provide updates and bug fixes ahead of official releases. Others are designed to support older devices or to run on devices designed for other OSs.
The Food and Drug Administration (FDA) has said it does not intend to regulate mobile medical apps and consumer devices to the same extent as other medical software. Official guidelines state that unless an app or device makes disease-specific claims, it will receive no or low-level oversight, depending on how much risk it poses to patients. Any app that shares health information with covered medical entities must be HIPAA compliant.
The Value of Software Regulation
Software regulations and standards provide numerous benefits, including limiting flaws in software and lessening users' exposure to viruses. They are also geared toward protecting users' privacy. Regulation is about ensuring the confidentiality, accessibility, availability, and integrity of information. It is a form of accountability that will allow both proprietary and open-source software to improve as technology moves forward.