Timesdelhi.com

December 15, 2018
Category archive

Tim-berners lee

Big tech must not reframe digital ethics in its image

in Advertising Tech/Apple/Artificial Intelligence/Brussels/california/China/civic tech/competition law/computing/data protection/data protection law/Delhi/digital advertising/digital media/DuckDuckGo/Elizabeth Denham/engineer/Europe/european parliament/European Union/Facebook/facial recognition/fundamental rights/Giovanni Buttarelli/Google/human rights/ICDPPC/India/Kent Walker/Mark Zuckerberg/New America Foundation/news media/Nick Clegg/Politics/privacy/San Francisco/search engine/Security/smartphone/Snapchat/Social/social network/Sundar Pichai/TC/terms of service/Tim Cook/Tim-berners lee/United States/Washington D.C./world wide web by

Facebook founder Mark Zuckerberg’s visage loomed large over the European parliament this week, both literally and figuratively, as global privacy regulators gathered in Brussels to interrogate the human impacts of technologies that derive their power and persuasiveness from our data.

The eponymous social network has been at the center of a privacy storm this year. And every fresh Facebook content concern — be it about discrimination or hate speech or cultural insensitivity — adds to a damaging flood.

The overarching discussion topic at the privacy and data protection confab, both in the public sessions and behind closed doors, was ethics: How to ensure engineers, technologists and companies operate with a sense of civic duty and build products that serve the good of humanity.

So, in other words, how to ensure people’s information is used ethically — not just in compliance with the law. Fundamental rights are increasingly seen by European regulators as a floor not the ceiling. Ethics are needed to fill the gaps where new uses of data keep pushing in.

As the EU’s data protection supervisor, Giovanni Buttarelli, told delegates at the start of the public portion of the International Conference of Data Protection and Privacy Commissioners: “Not everything that is legally compliant and technically feasible is morally sustainable.”

As if on cue Zuckerberg kicked off a pre-recorded video message to the conference with another apology. Albeit this was only for not being there to give an address in person. Which is not the kind of regret many in the room are now looking for, as fresh data breaches and privacy incursions keep being stacked on top of Facebook’s Cambridge Analytica data misuse scandal like an unpalatable layer cake that never stops being baked.

Evidence of a radical shift of mindset is what champions of civic tech are looking for — from Facebook in particular and adtech in general.

But there was no sign of that in Zuckerberg’s potted spiel. Rather he displayed the kind of masterfully slick PR manoeuvering that’s associated with politicians on the campaign trail. It’s the natural patter for certain big tech CEOs too, these days, in a sign of our sociotechnical political times.

(See also: Facebook hiring ex-UK deputy PM, Nick Clegg, to further expand its contacts database of European lawmakers.)

And so the Facebook founder seized on the conference’s discussion topic of big data ethics and tried to zoom right back out again. Backing away from talk of tangible harms and damaging platform defaults — aka the actual conversational substance of the conference (from talk of how dating apps are impacting how much sex people have and with whom they’re doing it; to shiny new biometric identity systems that have rebooted discriminatory caste systems) — to push the idea of a need to “strike a balance between speech, security, privacy and safety”.

This was Facebook trying reframe the idea of digital ethics — to make it so very big-picture-y that it could embrace his people-tracking ad-funded business model as a fuzzily wide public good, with a sort of ‘oh go on then’ shrug.

“Every day people around the world use our services to speak up for things they believe in. More than 80 million small businesses use our services, supporting millions of jobs and creating a lot of opportunity,” said Zuckerberg, arguing for a ‘both sides’ view of digital ethics. “We believe we have an ethical responsibility to support these positive uses too.”

Indeed, he went further, saying Facebook believes it has an “ethical obligation to protect good uses of technology”.

And from that self-serving perspective almost anything becomes possible — as if Facebook is arguing that breaking data protection law might really be the ‘ethical’ thing to do. (Or, as the existentialists might put it: ‘If god is dead, then everything is permitted’.)

It’s an argument that radically elides some very bad things, though. And glosses over problems that are systemic to Facebook’s ad platform.

A little later, Google’s CEO Sundar Pichai also dropped into the conference in video form, bringing much the same message.

“The conversation about ethics is important. And we are happy to be a part of it,” he began, before an instant hard pivot into referencing Google’s founding mission of “organizing the world’s information — for everyone” (emphasis his), before segwaying — via “knowledge is empowering” — to asserting that “a society with more information is better off than one with less”.

Is having access to more information of unknown and dubious or even malicious provenance better than having access to some verified information? Google seems to think so.

SAN FRANCISCO, CA – OCTOBER 04: Pichai Sundararajan, known as Sundar Pichai, CEO of Google Inc. speaks during an event to introduce Google Pixel phone and other Google products on October 4, 2016 in San Francisco, California. The Google Pixel is intended to challenge the Apple iPhone in the premium smartphone category. (Photo by Ramin Talaie/Getty Images)

The pre-recorded Pichai didn’t have to concern himself with all the mental ellipses bubbling up in the thoughts of the privacy and rights experts in the room.

“Today that mission still applies to everything we do at Google,” his digital image droned on, without mentioning what Google is thinking of doing in China. “It’s clear that technology can be a positive force in our lives. It has the potential to give us back time and extend opportunity to people all over the world.

“But it’s equally clear that we need to be responsible in how we use technology. We want to make sound choices and build products that benefit society that’s why earlier this year we worked with our employees to develop a set of AI principles that clearly state what types of technology applications we will pursue.”

Of course it sounds fine. Yet Pichai made no mention of the staff who’ve actually left Google because of ethical misgivings. Nor the employees still there and still protesting its ‘ethical’ choices.

It’s not almost as if the Internet’s adtech duopoly is singing from the same ‘ads for greater good trumping the bad’ hymn sheet; the Internet’s adtech’s duopoly is doing exactly that.

The ‘we’re not perfect and have lots more to learn’ line that also came from both CEOs seems mostly intended to manage regulatory expectation vis-a-vis data protection — and indeed on the wider ethics front.

They’re not promising to do no harm. Nor to always protect people’s data. They’re literally saying they can’t promise that. Ouch.

Meanwhile, another common FaceGoog message — an intent to introduce ‘more granular user controls’ — just means they’re piling even more responsibility onto individuals to proactively check (and keep checking) that their information is not being horribly abused.

This is a burden neither company can speak to in any other fashion. Because the solution is that their platforms not hoard people’s data in the first place.

The other ginormous elephant in the room is big tech’s massive size; which is itself skewing the market and far more besides.

Neither Zuckerberg nor Pichai directly addressed the notion of overly powerful platforms themselves causing structural societal harms, such as by eroding the civically minded institutions that are essential to defend free societies and indeed uphold the rule of law.

Of course it’s an awkward conversation topic for tech giants if vital institutions and societal norms are being undermined because of your cut-throat profiteering on the unregulated cyber seas.

A great tech fix to avoid answering awkward questions is to send a video message in your CEO’s stead. And/or a few minions. Facebook VP and chief privacy officer, Erin Egan, and Google’s SVP of global affairs Kent Walker, were duly dispatched and gave speeches in person.

They also had a handful of audience questions put to them by an on stage moderator. So it fell to Walker, not Pichai, to speak to Google’s contradictory involvement in China in light of its foundational claim to be a champion of the free flow of information.

“We absolutely believe in the maximum amount of information available to people around the world,” Walker said on that topic, after being allowed to intone on Google’s goodness for almost half an hour. “We have said that we are exploring the possibility of ways of engaging in China to see if there are ways to follow that mission while complying with laws in China.

“That’s an exploratory project — and we are not in a position at this point to have an answer to the question yet. But we continue to work.”

Egan, meanwhile, batted away her trio of audience concerns — about Facebook’s lack of privacy by design/default; and how the company could ever address ethical concerns without dramatically changing its business model — by saying it has a new privacy and data use team sitting horizontally across the business, as well as a data protection officer (an oversight role mandated by the EU’s GDPR; into which Facebook plugged its former global deputy chief privacy officer, Stephen Deadman, earlier this year).

She also said the company continues to invest in AI for content moderation purposes. So, essentially, more trust us. And trust our tech.

She also replied in the affirmative when asked whether Facebook will “unequivocally” support a strong federal privacy law in the US — with protections “equivalent” to those in Europe’s data protection framework.

But of course Zuckerberg has said much the same thing before — while simultaneously advocating for weaker privacy standards domestically. So who now really wants to take Facebook at its word on that? Or indeed on anything of human substance.

Not the EU parliament, for one. MEPs sitting in the parliament’s other building, in Strasbourg, this week adopted a resolution calling for Facebook to agree to an external audit by regional oversight bodies.

But of course Facebook prefers to run its own audit. And in a response statement the company claims it’s “working relentlessly to ensure the transparency, safety and security” of people who use its service (so bad luck if you’re one of those non-users it also tracks then). Which is a very long-winded way of saying ‘no, we’re not going to voluntarily let the inspectors in’.

Facebook’s problem now is that trust, once burnt, takes years and mountains’ worth of effort to restore.

This is the flip side of ‘move fast and break things’. (Indeed, one of the conference panels was entitled ‘move fast and fix things’.) It’s also the hard-to-shift legacy of an unapologetically blind ~decade-long dash for growth regardless of societal cost.

Given the, it looks unlikely that Zuckerberg’s attempt to paint a portrait of digital ethics in his company’s image will do much to restore trust in Facebook.

Not so long as the platform retains the power to cause damage at scale.

It was left to everyone else at the conference to discuss the hollowing out of democratic institutions, societal norms, humans interactions and so on — as a consequence of data (and market capital) being concentrated in the hands of the ridiculously powerful few.

“Today we face the gravest threat to our democracy, to our individual liberty in Europe since the war and the United States perhaps since the civil war,” said Barry Lynn, a former journalist and senior fellow at the Google-backed New America Foundation think tank in Washington, D.C., where he had directed the Open Markets Program — until it was shut down after he wrote critically about, er, Google.

“This threat is the consolidation of power — mainly by Google, Facebook and Amazon — over how we speak to one another, over how we do business with one another.”

Meanwhile the original architect of the World Wide Web, Tim Berners-Lee, who has been warning about the crushing impact of platform power for years now is working on trying to decentralize the net’s data hoarders via new technologies intended to give users greater agency over their data.

On the democratic damage front, Lynn pointed to how news media is being hobbled by an adtech duopoly now sucking hundreds of billion of ad dollars out of the market annually — by renting out what he dubbed their “manipulation machines”.

Not only do they sell access to these ad targeting tools to mainstream advertisers — to sell the usual products, like soap and diapers — they’re also, he pointed out, taking dollars from “autocrats and would be autocrats and other social disruptors to spread propaganda and fake news to a variety of ends, none of them good”.

The platforms’ unhealthy market power is the result of a theft of people’s attention, argued Lynn. “We cannot have democracy if we don’t have a free and robustly funded press,” he warned.

His solution to the society-deforming might of platform power? Not a newfangled decentralization tech but something much older: Market restructuring via competition law.

“The basic problem is how we structure or how we have failed to structure markets in the last generation. How we have licensed or failed to license monopoly corporations to behave.

“In this case what we see here is this great mass of data. The problem is the combination of this great mass of data with monopoly power in the form of control over essential pathways to the market combined with a license to discriminate in the pricing and terms of service. That is the problem.”

“The result is to centralize,” he continued. “To pick and choose winners and losers. In other words the power to reward those who heed the will of the master, and to punish those who defy or question the master — in the hands of Google, Facebook and Amazon… That is destroying the rule of law in our society and is replacing rule of law with rule by power.”

For an example of an entity that’s currently being punished by Facebook’s grip on the social digital sphere you need look no further than Snapchat.

Also on the stage in person: Apple’s CEO Tim Cook, who didn’t mince his words either — attacking what he dubbed a “data industrial complex” which he said is “weaponizing” people’s person data against them for private profit.

The adtech modeus operandi sums to “surveillance”, Cook asserted.

Cook called this a “crisis”, painting a picture of technologies being applied in an ethics-free vacuum to “magnify our worst human tendencies… deepen divisions, incite violence and even undermine our shared sense of what is true and what is false” — by “taking advantage of user trust”.

“This crisis is real… And those of us who believe in technology’s potential for good must not shrink from this moment,” he warned, telling the assembled regulators that Apple is aligned with their civic mission.

Of course Cook’s position also aligns with Apple’s hardware-dominated business model — in which the company makes most of its money by selling premium priced, robustly encrypted devices, rather than monopolizing people’s attention to sell their eyeballs to advertisers.

The growing public and political alarm over how big data platforms stoke addiction and exploit people’s trust and information — and the idea that an overarching framework of not just laws but digital ethics might be needed to control this stuff — dovetails neatly with the alternative track that Apple has been pounding for years.

So for Cupertino it’s easy to argue that the ‘collect it all’ approach of data-hungry platforms is both lazy thinking and irresponsible engineering, as Cook did this week.

“For artificial intelligence to be truly smart it must respect human values — including privacy,” he said. “If we get this wrong, the dangers are profound. We can achieve both great artificial intelligence and great privacy standards. It is not only a possibility — it is a responsibility.”

Yet Apple is not only a hardware business. In recent years the company has been expanding and growing its services business. It even involves itself in (a degree of) digital advertising. And it does business in China.

It is, after all, still a for-profit business — not a human rights regulator. So we shouldn’t be looking to Apple to spec out a digital ethical framework for us, either.

No profit making entity should be used as the model for where the ethical line should lie.

Apple sets a far higher standard than other tech giants, certainly, even as its grip on the market is far more partial because it doesn’t give its stuff away for free. But it’s hardly perfect where privacy is concerned.

One inconvenient example for Apple is that it takes money from Google to make the company’s search engine the default for iOS users — even as it offers iOS users a choice of alternatives (if they go looking to switch) which includes pro-privacy search engine DuckDuckGo.

DDG is a veritable minnow vs Google, and Apple builds products for the consumer mainstream, so it is supporting privacy by putting a niche search engine alongside a behemoth like Google — as one of just four choices it offers.

But defaults are hugely powerful. So Google search being the iOS default means most of Apple’s mobile users will have their queries fed straight into Google’s surveillance database, even as Apple works hard to keep its own servers clear of user data by not collecting their stuff in the first place.

There is a contradiction there. So there is a risk for Apple in amping up its rhetoric against a “data industrial complex” — and making its naturally pro-privacy preference sound like a conviction principle — because it invites people to dial up critical lenses and point out where its defence of personal data against manipulation and exploitation does not live up to its own rhetoric.

One thing is clear: In the current data-based ecosystem all players are conflicted and compromised.

Though only a handful of tech giants have built unchallengeably massive tracking empires via the systematic exploitation of other people’s data.

And as the apparatus of their power gets exposed, these attention-hogging adtech giants are making a dumb show of papering over the myriad ways their platforms pound on people and societies — offering paper-thin promises to ‘do better next time — when ‘better’ is not even close to being enough.

Call for collective action

Increasingly powerful data-mining technologies must be sensitive to human rights and human impacts, that much is crystal clear. Nor is it enough to be reactive to problems after or even at the moment they arise. No engineer or system designer should feel it’s their job to manipulate and trick their fellow humans.

Dark pattern designs should be repurposed into a guidebook of what not to do and how not to transact online. (If you want a mission statement for thinking about this it really is simple: Just don’t be a dick.)

Sociotechnical Internet technologies must always be designed with people and societies in mind — a key point that was hammered home in a keynote by Berners-Lee, the inventor of the World Wide Web, and the tech guy now trying to defang the Internet’s occupying corporate forces via decentralization.

“As we’re designing the system, we’re designing society,” he told the conference. “Ethical rules that we choose to put in that design [impact society]… Nothing is self evident. Everything has to be put out there as something that we think we will be a good idea as a component of our society.”

The penny looks to be dropping for privacy watchdogs in Europe. The idea that assessing fairness — not just legal compliance — must be a key component of their thinking, going forward, and so the direction of regulatory travel.

Watchdogs like the UK’s ICO — which just fined Facebook the maximum possible penalty for the Cambridge Analytica scandal — said so this week. “You have to do your homework as a company to think about fairness,” said Elizabeth Denham, when asked ‘who decides what’s fair’ in a data ethics context. “At the end of the day if you are working, providing services in Europe then the regulator’s going to have something to say about fairness — which we have in some cases.”

“Right now, we’re working with some Oxford academics on transparency and algorithmic decision making. We’re also working on our own tool as a regulator on how we are going to audit algorithms,” she added. “I think in Europe we’re leading the way — and I realize that’s not the legal requirement in the rest of the world but I believe that more and more companies are going to look to the high standard that is now in place with the GDPR.

“The answer to the question is ‘is this fair?’ It may be legal — but is this fair?”

So the short version is data controllers need to prepare themselves to consult widely — and examine their consciences closely.

Rising automation and AI makes ethical design choices even more imperative, as technologies become increasingly complex and intertwined, thanks to the massive amounts of data being captured, processed and used to model all sorts of human facets and functions.

The closed session of the conference produced a declaration on ethics and data in artificial intelligence — setting out a list of guiding principles to act as “core values to preserve human rights” in the developing AI era — which included concepts like fairness and responsible design.

Few would argue that a powerful AI-based technology such as facial recognition isn’t inherently in tension with a fundamental human right like privacy.

Nor that such powerful technologies aren’t at huge risk of being misused and abused to discriminate and/or suppress rights at vast and terrifying scale. (See, for example, China’s push to install a social credit system.)

Biometric ID systems might start out with claims of the very best intentions — only to shift function and impact later. The dangers to human rights of function creep on this front are very real indeed. And are already being felt in places like India — where the country’s Aadhaar biometric ID system has been accused of rebooting ancient prejudices by promoting a digital caste system, as the conference also heard.

The consensus from the event is it’s not only possible but vital to engineer ethics into system design from the start whenever you’re doing things with other people’s data. And that routes to market must be found that don’t require dispensing with a moral compass to get there.

The notion of data-processing platforms becoming information fiduciaries — i.e. having a legal duty of care towards their users, as a doctor or lawyer does — was floated several times during public discussions. Though such a step would likely require more legislation, not just adequately rigorous self examination.

In the meanwhile civic society must get to grips, and grapple proactively, with technologies like AI so that people and societies can come to collective agreement about a digital ethics framework. This is vital work to defend the things that matter to communities so that the anthropogenic platforms Berners-Lee referenced are shaped by collective human values, not the other way around.

It’s also essential that public debate about digital ethics does not get hijacked by corporate self interest.

Tech giants are not only inherently conflicted on the topic but — right across the board — they lack the internal diversity to offer a broad enough perspective.

People and civic society must teach them.

A vital closing contribution came from the French data watchdog’s Isabelle Falque-Pierrotin, who summed up discussions that had taken place behind closed doors as the community of global data protection commissioners met to plot next steps.

She explained that members had adopted a roadmap for the future of the conference to evolve beyond a mere talking shop and take on a more visible, open governance structure — to allow it to be a vehicle for collective, international decision-making on ethical standards, and so alight on and adopt common positions and principles that can push tech in a human direction.

The initial declaration document on ethics and AI is intended to be just the start, she said — warning that “if we can’t act we will not be able to collectively control our future”, and couching ethics as “no longer an option, it is an obligation”.

She also said it’s essential that regulators get with the program and enforce current privacy laws — to “pave the way towards a digital ethics” — echoing calls from many speakers at the event for regulators to get on with the job of enforcement.

This is vital work to defend values and rights against the overreach of the digital here and now.

“Without ethics, without an adequate enforcement of our values and rules our societal models are at risk,” Falque-Pierrotin also warned. “We must act… because if we fail, there won’t be any winners. Not the people, nor the companies. And certainly not human rights and democracy.”

If the conference had one short sharp message it was this: Society must wake up to technology — and fast.

“We’ve got a lot of work to do, and a lot of discussion — across the boundaries of individuals, companies and governments,” agreed Berners-Lee. “But very important work.

“We have to get commitments from companies to make their platforms constructive and we have to get commitments from governments to look at whenever they see that a new technology allows people to be taken advantage of, allows a new form of crime to get onto it by producing new forms of the law. And to make sure that the policies that they do are thought about in respect to every new technology as they come out.”

This work is also an opportunity for civic society to define and reaffirm what’s important. So it’s not only about mitigating risks.

But, equally, not doing the job is unthinkable — because there’s no putting the AI genii back in the bottle.

News Source = techcrunch.com

The Internet Bill of Rights is just one piece of our moral obligations

in Column/Delhi/digital media/digital rights/Facebook/India/Internet/internet access/internet service providers/isp/net neutrality/new media/open Internet/Politics/smartphones/Technology/Tim-berners lee/United States/Virtual Reality by

Congressman Ro Khanna’s proposed Internet Bill of Rights pushes individual rights on the Internet forward in a positive manner. It provides guidelines for critical elements where the United States’ and the world’s current legislation is lacking, and it packages it in a way that speaks to all parties. The devil, as always, is in the details—and Congressman Khanna’s Internet Bill of Rights still leaves quite a bit to subjective interpretation.

But what should not be neglected is that we as individuals have not just rights but also moral obligations to this public good—the Internet. The web positively impacts our lives in a meaningful fashion, and we have a collective responsibility to nurture and keep it that way.

Speaking to the specific rights listed in the Bill, we can likely all agree that citizens should have control over information collected about them, and that we should not be discriminated against based on that personal data. We probably all concur that Internet Service Providers should not be permitted to block, throttle, or engage in paid prioritization that would negatively impact our ability to access the world’s information. And I’m sure we all want access to numerous affordable internet providers with clear and transparent pricing.

These are all elements included in Congressman Khanna’s proposal; all things that I wholeheartedly support.

As we’ve seen of late with Facebook, Google, and other large corporations, there is an absolute need to bring proper legislation into the digital age. Technological advancements have progressed far faster than regulatory changes, and drastic improvements are needed to protect users.

What we must understand, however, is that corporations, governments, and individuals all rely on the same Internet to prosper. Each group should have its own set of rights as well as responsibilities. And it’s those responsibilities that need more focus.

Take, for example, littering. There may be regulations in place that prevent people from discarding their trash by the side of the road. But regardless of these laws, there’s also a moral obligation we have to protect our environment and the world in which we live. For the most part, people abide by these obligations because it’s the right thing to do and because of social pressure to keep the place they live beautiful—not because they have a fear of being fined for littering.

We should approach the protection of the Internet in the same way.

We should hold individuals, corporations, and governments to a higher standard and delineate their responsibilities to the Internet. All three groups should accept and fulfill those responsibilities, not because we create laws and fines, but because it is in their best interests.

For individuals, the Internet has given them powers beyond their wildest dreams and it continues to connect us in amazing ways. For corporations, it has granted access to massively lucrative markets far and wide that would never have been accessible before. For governments, it has allowed them to provide better services to their citizens and has created never before seen levels of tax revenue from the creation of businesses both between and outside their physical borders.

Everyone — and I mean everyone — has gained (and will continue to gain) from protecting an open Internet, and we as a society need to recognize that and start imposing strong pressure against those who do not live up to their responsibilities.

We as people of the world should feel tremendously grateful to all the parties that contributed to the Internet we have today. If a short-sighted government decides it wants to restrict the Internet within its physical borders, this should not be permitted. It will not only hurt us, but it will hurt that very government by decreasing international trade and thus tax revenue, as well as decreasing the trust that the citizens of that country place in their government. Governments often act against their long-term interests in pursuit of short-term thinking, thus we have 2 billion people living in places with heavy restrictions on access to online information.

When an Internet Service Provider seeks full control over what content it provides over its part of the Internet, this, again, should not be allowed. It will, in the end, hurt that very Internet Service Provider’s revenue; a weaker, less diverse Internet will inevitably create less demand for the very service they are providing along with a loss of trust and loyalty from their customers.

Without the Internet, our world would come grinding to a halt. Any limitations on the open Internet will simply slow our progress and prosperity as a human race. And, poignantly, the perpetrators of those limitations stand to lose just as much as any of us.

We have a moral responsibility, then, to ensure the Internet remains aligned with its original purpose. Sure, none of us could have predicted the vast impact the World Wide Web would have back in 1989—probably not even Sir Tim Berners-Lee himself—but in a nutshell, it exists to connect people, WHEREVER they may be, to a wealth of online information, to other people, and to empower individuals to make their lives better.

This is only possible with an open and free Internet.

Over the next five years, billions of devices—such as our garage door openers, refrigerators, thermostats, and mattresses—will be connected to the web via the Internet of Things. Further, five billion users living in developing markets will join the Internet for the first time, moving from feature phones to smartphones. These two major shifts will create incredible opportunities for good, but also for exploiting our data—making us increasingly vulnerable as Internet users.

Now is the time to adequately provide Americans and people around the world with basic online protections, and it is encouraging to see people like Congressman Khanna advancing the conversation. We can only hope this Internet Bill of Rights remains bipartisan and real change occurs.

Regardless of the outcome, we must not neglect our moral obligations—whether individual Internet users, large corporations, or governments. We all shoulder a responsibility to maintain an open Internet. After all, it is perhaps the most significant and impactful creation in modern society.

News Source = techcrunch.com

Europe is drawing fresh battle lines around the ethics of big data

in Amazon/Artificial Intelligence/Brussels/competition law/data controller/data protection/Delhi/Europe/European Union/Facebook/General Data Protection Regulation/Giovanni Buttarelli/Google/India/law/Margrethe Vestager/Max Schrems/Politics/privacy/privacy policy/Security/social media/social networks/terms of service/Tim Cook/Tim-berners lee by

It’s been just over four months since Europe’s tough new privacy framework came into force. You might believe that little of substance has changed for big tech’s data-hungry smooth operators since then — beyond firing out a wave of privacy policy update spam, and putting up a fresh cluster of consent pop-ups that are just as aggressively keen for your data.

But don’t be fooled. This is the calm before the storm, according to the European Union’s data protection supervisor, Giovanni Buttarelli, who says the law is being systematically flouted on a number of fronts right now — and that enforcement is coming.

“I’m expecting, before the end of the year, concrete results,” he tells TechCrunch, sounding angry on every consumer’s behalf.

Though he chalks up some early wins for the General Data Protection Regulation (GDPR) too, suggesting its 72 hour breach notification requirement is already bearing fruit.

He also points to geopolitical pull, with privacy regulation rising up the political agenda outside Europe — describing, for example, California’s recently passed privacy law, which is not at all popular with tech giants, as having “a lot of similarities to GDPR”; as well as noting “a new appetite for a federal law” in the U.S.

Yet he’s also already looking beyond GDPR — to the wider question of how European regulation needs to keep evolving to respond to platform power and its impacts on people.

Next May, on the anniversary of GDPR coming into force, Buttarelli says he will publish a manifesto for a next-generation framework that envisages active collaboration between Europe’s privacy overseers and antitrust regulators. Which will probably send a shiver down the tech giant spine.

Notably, the Commission’s antitrust chief, Margrethe Vestager — who has shown an appetite to take on big tech, and has so far fined Google twice ($2.7BN for Google Shopping and staggering $5BN for Android), and who is continuing to probe its business on a number of fronts while simultaneously eyeing other platforms’ use of data — is scheduled to give a keynote at an annual privacy commissioners’ conference that Buttarelli is co-hosting in Brussels later this month.

Her presence hints at the potential of joint-working across historically separate regulatory silos that have nonetheless been showing increasingly overlapping concerns of late.

See, for example, Germany’s Federal Cartel Office accusing Facebook of using its size to strong-arm users into handing over data. And the French Competition Authority probing the online ad market — aka Facebook and Google — and identifying a raft of problematic behaviors. Last year the Italian Competition Authority also opened a sector inquiry into big data.

Traditional competition law theories of harm would need to be reworked to accommodate data-based anticompetitive conduct — essentially the idea that data holdings can bestow an unfair competitive advantage if they cannot be matched. Which clearly isn’t the easiest stinging jellyfish to nail to the wall. But Europe’s antitrust regulators are paying increasing mind to big data; looking actively at whether and even how data advantages are exclusionary or exploitative.

In recent years, Vestager has been very public with her concerns about dominant tech platforms and the big data they accrue as a consequence, saying, for example in 2016, that: “If a company’s use of data is so bad for competition that it outweighs the benefits, we may have to step in to restore a level playing field.”

Buttarelli’s belief is that EU privacy regulators will be co-opted into that wider antitrust fight by “supporting and feeding” competition investigations in the future. A future that can be glimpsed right now, with the EC’s antitrust lens swinging around to zoom in on what Amazon is doing with merchant data.

“Europe would like to speak with one voice, not only within data protection but by approaching this issue of digital dividend, monopolies in a better way — not per sectors,” Buttarelli tells TechCrunch. 

“Monopolies are quite recent. And therefore once again, as it was the case with social networks, we have been surprised,” he adds, when asked whether the law can hope to keep pace. “And therefore the legal framework has been implemented in a way to do our best but it’s not in my view robust enough to consider all the relevant implications… So there is space for different solutions. But first joint enforcement and better co-operation is key.”

From a regulatory point of view, competition law is hampered by the length of time investigations take. A characteristic of the careful work required to probe and prove out competitive harms that’s nonetheless especially problematic set against the blistering pace of technological innovation and disruption. The law here is very much the polar opposite of ‘move fast and break things’.

But on the privacy front at least, there will be no 12 year wait for the first GDPR enforcements, as Buttarelli notes was the case when Europe’s competition rules were originally set down in 1957’s Treaty of Rome.

He says the newly formed European Data Protection Board (EDPB), which is in charge of applying GDPR consistently across the bloc, is fixed on delivering results “much more quickly”. And so the first enforcements are penciled in for around half a year after GDPR ‘Day 1’.

“I think that people are right to feel more impassioned about enforcement,” he says. “We see awareness and major problems with how the data is treated — which are systemic. There is also a question with regard to the business model, not only compliance culture.

“I’m expecting concrete first results, in terms of implementation, before the end of this year.”

“No blackmailing”

Tens of thousands of consumers have already filed complaints under Europe’s new privacy regime. The GDPR updates the EU’s longstanding data protection rules, bringing proper enforcement for the first time in the form of much larger fines for violations — to prevent privacy being the bit of the law companies felt they could safely ignore.

The EDPB tells us that more than 42,230 complaints have been lodged across the bloc since the regulation began applying, on May 25. The board is made up of the heads of EU Member State’s national data protection agencies, with Buttarelli serving as its current secretariat.

“I did not appreciate the tsunami of legalistic notices landing on the account of millions of users, written in an obscure language, and many of them were entirely useless, and in a borderline even with spamming, to ask for unnecessary agreements with a new privacy policy,” he tells us. “Which, in a few cases, appear to be in full breach of the GDPR — not only in terms of spirit.”

He also professes himself “not surprised” about Facebook’s latest security debacle — describing the massive new data breach the company revealed on Friday as “business as usual” for the tech giant. And indeed for “all the tech giants” — none of whom he believes are making adequate investments in security.

“In terms of security there are much less investments than expected,” he also says of Facebook specifically. “Lot of investments about profiling people, about creating clusters, but much less in preserving the [security] of communications. GDPR is a driver for a change — even with regard to security.”

Asked what systematic violations of the framework he’s seen so far, from his pan-EU oversight position, Buttarelli highlights instances where service operators are relying on consent as their legal basis to collect user data — saying this must allow for a free choice.

Or “no blackmailing”, as he puts it.

Facebook, for example, does not offer any of its users, even its users in Europe, the option to opt out of targeted advertising. Yet it leans on user consent, gathered via dark pattern consent flows of its own design, to sanction its harvesting of personal data — claiming people can just stop using its service if they don’t agree to its ads.

It also claims to be GDPR compliant.

It’s pretty easy to see the disconnect between those two positions.

WASHINGTON, DC – APRIL 11: Facebook co-founder, Chairman and CEO Mark Zuckerberg prepares to testify before the House Energy and Commerce Committee in the Rayburn House Office Building on Capitol Hill April 11, 2018 in Washington, DC. This is the second day of testimony before Congress by Zuckerberg, 33, after it was reported that 87 million Facebook users had their personal information harvested by Cambridge Analytica, a British political consulting firm linked to the Trump campaign. (Photo by Chip Somodevilla/Getty Images)

“In cases in which it is indispensable to build on consent it should be much more than in the past based on exhaustive information; much more details, written in a comprehensive and simple language, accessible to an average user, and it should be really freely given — so no blackmailing,” says Buttarelli, not mentioning any specific tech firms by name as he reels off this list. “It should be really freely revoked, and without expecting that the contract is terminated because of this.

“This is not respectful of at least the spirit of the GDPR and, in a few cases, even of the legal framework.”

His remarks — which chime with what we’ve heard before from privacy experts — suggest the first wave of complaints filed by veteran European data protection campaigner and lawyer, Max Schrems, via his consumer focused data protection non-profit noyb, will bear fruit. And could force tech giants to offer a genuine opt-out of profiling.

The first noyb complaints target so-called ‘forced consent‘, arguing that Facebook; Facebook-owned Instagram; Facebook-owned WhatsApp; and Google’s Android are operating non-compliant consent flows in order to keep processing Europeans’ personal data because they do not offer the aforementioned ‘free choice’ opt-out of data collection.

Schrems also contends that this behavior is additionally problematic because dominant tech giants are gaining an unfair advantage over small businesses — which simply cannot throw their weight around in the same way to get what they want. So that’s another spark being thrown in on the competition front.

Discussing GDPR enforcement generally, Buttarelli confirms he expects to see financial penalties not just investigatory outcomes before the year is out — so once DPAs have worked through the first phase of implementation (and got on top of their rising case loads).

Of course it will be up to local data protection agencies to issue any fines. But the EDPB and Buttarelli are the glue between Europe’s (currently) 28 national data protection agencies — playing a highly influential co-ordinating and steering role to ensure the regulation gets consistently applied.

He doesn’t say exactly where be thinks the first penalties will fall but notes a smorgasbord of issues that are being commonly complained about, saying: “Now we have an obvious trend and even a peak, in terms of complaints; different violations focusing particularly, but not only, on social media; big data breaches; rights like right of access to information held; right to erasure.”

He illustrates his conviction of incoming fines by pointing to the recent example of the ICO’s interim report into Cambridge Analytica’s misuse of Facebook data, in July — when the UK agency said it intended to fine Facebook the maximum possible (just £500k, because the breach took place before GDPR).

A similarly concluded data misuse investigation under GDPR would almost certainly result in much larger fines because the regulation allows for penalties of up to 4% of a company’s annual global turnover. (So in Facebook’s case the maximum suddenly balloons into the billions.)

The GDPR’s article 83 sets out general conditions for calculating fines — saying penalties should be “effective, proportionate and dissuasive”; and they must take into account factors such as whether an infringement was intentional or negligent; the categories of personal data affected; and how co-operative the data controller is as the data supervisor investigates.

For the security breach Facebook disclosed last week the EU’s regulatory oversight process will involve an assessment of how negligent the company was; what response steps it took when it discovered the breach, including how it communicated with data protection authorities and users; and how comprehensively it co-operatives with the DPC’s investigation. (In a not-so-great sign for Facebook the Irish DPC has already criticized its breach notification for lacking detail).

As well as evaluating a data controller’s security measures against GDPR standards, EU regulators can “prescribe additional safeguards”, as Buttarelli puts it. Which means enforcement is much more than just a financial penalty; organizations can be required to change their processes and priorities too.

And that’s why Schrems’ forced consent complaints are so interesting.

Because a fine, even a large one, can be viewed by a company as revenue-heavy as Facebook as just another business cost to suck up as it keeps on truckin’. But GDPR’s follow on enforcement prescriptions could force privacy law breakers to actively reshape their business practices to continue doing business in Europe.

And if the privacy problem with Facebook is that it’s forcing people-tracking ads on everyone, the solution is surely a version of Facebook that does not require users to accept privacy intrusive advertising to use it. Other business models are available, such as subscription.

But ads don’t have to be hostile to privacy. For example it’s possible to display advertising without persistently profiling users — as, for example, pro-privacy search engine DuckDuckGo does. Other startups are exploring privacy-by-design on-device ad-targeting architectures for delivering targeted ads without needing to track users. Alternatives to Facebook’s targeted ads certainly exist — and innovating in lock-step with privacy is clearly possible. Just ask Apple.

So — at least in theory — GDPR could force the social network behemoth to revise its entire business model.

Which would make even a $1.63BN fine the company could face as a result of Friday’s security breach pale into insignificance.

Accelerating ethics

There’s a wrinkle here though. Buttarelli does not sound convinced that GDPR alone will be remedy enough to fix all privacy hostile business models that EU regulators are seeing. Hence his comment about a “question with regard to the business model”.

And also why he’s looking ahead and talking about the need to evolve the regulatory landscape — to enable joint working between traditionally discrete areas of law. 

“We need structural remedies to make the digital market fairer for people,” he says. “And therefore this is we’ve been successful in persuading our colleagues of the Board to adopt a position on the intersection of consumer protection, competition rules and data protection. None of the independent regulators’ three areas, not speaking about audio-visual deltas, can succeed in their sort of old fashioned approach.

“We need more interaction, we need more synergies, we need to look to the future of these sectoral legislations.”

People are targeted with content to make them behave in a certain way. To predict but also to react. This is not the kind of democracy we deserve. Giovanni Buttarelli, European Data Protection Supervisor

The challenge posed by the web’s currently dominant privacy-hostile business models is also why, in a parallel track, Europe’s data protection supervisor is actively pushing to accelerate innovation and debate around data ethics — to support efforts to steer markets and business models in, well, a more humanitarian direction.

When we talk he highlights that Sir Tim Berners-Lee will be keynoting at the same European privacy conference where Vestager will appear at — which has an overarching discussion frame of “Debating Ethics: Dignity and Respect in Data Driven Life” as its theme.

Accelerating innovation to support the development of more ethical business models is also clearly the Commission’s underlying hope and aim.

Berners-Lee, the creator of the World Wide Web, has been increasingly strident in his criticism of how commercial interests have come to dominate the Internet by exploiting people’s personal data, including warning earlier this year that platform power is crushing the web as a force for good.

He has also just left his academic day job to focus on commercializing the pro-privacy, decentralized web platform he’s been building at MIT for years — via a new startup, called Inrupt.

Doubtless he’ll be telling the conference all about that.

“We are focusing on the solutions for the future,” says Buttarelli on ethics. “There is a lot of discussion about people becoming owners of their data, and ‘personal data’, and we call that personal because there’s something to be respected, not traded. And on the contrary we see a lot of inequality in the tech world, and we believe that the legal framework can be of an help. But will not give all the relevant answers to identify what is legally and technically feasible but morally untenable.”

Also just announced as another keynote speaker at the same conference later this month: Apple’s CEO Tim Cook.

In a statement on Cook’s addition to the line-up, Buttarelli writes: “We are delighted that Tim has agreed to speak at the International Conference of Data Protection and Privacy Commissioners. Tim has been a strong voice in the debate around privacy, as the leader of a company which has taken a clear privacy position, we look forward to hearing his perspective. He joins an already superb line up of keynote speakers and panellists who want to be part of a discussion about technology serving humankind.”

So Europe’s big fight to rule the damaging impacts of big data just got another big gun behind it.

Apple CEO Tim Cook looks on during a visit of the shopfitting company Dula that delivers tables for Apple stores worldwide in Vreden, western Germany, on February 7, 2017. (Photo: BERND THISSEN/AFP/Getty Images)

 

“Question is [how do] we go beyond the simple requirements of confidentiality, security, of data,” Buttarelli continues. “Europe after such a successful step [with GDPR] is now going beyond the lawful and fair accumulation of personal data — we are identifying a new way of assessing market power when the services delivered to individuals are not mediated by a binary. And although competition law is still a powerful instrument for regulation — it was invented to stop companies getting so big — but I think together with our efforts on ethics we would like now Europe to talk about the future of the current dominant business models.

“I’m… concerned about how these companies, in compliance with GDPR in a few cases, may collect as much data as they can. In a few cases openly, in other secretly. They can constantly monitor what people are doing online. They categorize excessively people. They profile them in a way which cannot be contested. So we have in our democracies a lot of national laws in an anti-discrimination mode but now people are to be discriminated depending on how they behave online. So people are targeted with content to make them behave in a certain way. To predict but also to react. This is not the kind of democracy we deserve. This is not our idea.”

News Source = techcrunch.com

Go to Top