How do and should model marketplaces hosting user-uploaded AI systems like @HuggingFace @GitHub & @HelloCivitai moderate models & answer takedown requests? In a new paper, @rgorwa & I provide case studies of tricky AI platform drama & chart a way forward.
I've analysed the data protection impact assessment for the NHSX Isle of Wight App trial. It indicates very significant legal flaws. The paper I have written on it can be found here: . I'll go through the main ones in this thread 1/n
When pushed with the GDPR, @spotify gives you a huge amount of telemetry data from their app (for me, 850mb of JSON files).
Includes your A/B testing history, anything you've ever drag-dropped, connected, so on. This is how software works today.
Google: we have used AI to discover 2.2 million new crystals, 384K are stable.
Chemists, actually examining results: we have yet to find any strikingly novel compounds in the [..] listings. (most could not exist or are so trivially different chemists wouldn’t consider them new)
Back in November, Google announced 2.2 million new materials.
Today, a paper in Chemistry of Materials from Ram Seshadri and Tony Cheetham dismantles that claim
Governments cannot be trusted w/ social network data from Bluetooth. So w/ colleagues from 7 unis, 5 countries, we've built & legally analysed a bluetooth COVID proximity tracing system that works at scale, where the server learns nothing about individuals
As countries deploy data-hungry contact tracing, we worry about what will happen with this data. Together with colleagues from 7 institutions, we designed a system that hides all personal information from the server. Please read and give comments!
Remember everyone quickly speculating whether Black Mirror: Bandersnatch was a data mining experiment. I used my GDPR right of access to find out more. (short thread)
#Bandersnatch
The Register has a very technically savvy long-read headlined simply: “UK finds itself almost alone with centralized virus contact-tracing app that probably won't work well, asks for your location, may be illegal”
How exactly can #DP3T privacy-preserving Bluetooth COVID-19 alerts work if identifiable personal data never leaves your device? It's actually not so complicated, and even less so now @ncasenmare has made a fantastic, public domain, comic explaining it: 1/
New 📰: There's more to the EU AI regulation than meets the eye: big loopholes, private rulemaking, powerful deregulatory effects. Analysis needs connection to broad—sometimes pretty arcane—EU law @fborgesius & I have done it so you don't have to: long 🧵
So, Facebook, I'm very suddenly seeing adverts for boutique Amsterdam hotels because I speak English (US) and am over 26? Not because I just booked a hotel for Amsterdam next week on a different site, even with a tracker blocker installed?
My staff log onto my computer on my desk with my login every day. Including interns on exchange programmes. For the officer on @BBCNews just now to claim that the computer on Green's desk was accessed and therefore it was Green is utterly preposterous !!
I did indeed pass my PhD ‘Governing Machine Learning That Matters’ today (w/ minor corrections)
This PhD relied deeply on so many people in the UK and around the world. Thank you for your friendship, support and inspiration. Tech policy rocks. Being collegiate rocks.
The comic explaining #DP3T Bluetooth contact tracing (also explains Apple-Google protocol) from @ncasenmare now available in 1) simplified one-pane v (img), 2) versions in French, German, Spanish, Thai & Finnish on the repo! Wanna translate it too?
Northern Ireland:
- will not encourage downloading of centralised NHSX contact app
- building a NI version to work w the Republic (decentralised)
- Deputy First Minister has human rights concerns about centralisation
Remember @Researchfish's @PhishResearch aggressive reporting of researchers criticising it on Twitter? The FOI request I made to UKRI shows pretty disturbing behaviour from both Interfolio (who owns RF) and UKRI egging them on. 1/ 🧵
Amazon seems to have turned the Koepelgevangnis in Haarlem, a literal 1901 Bentham panopticon-inspired penitentiary, into an AWS office. Can’t make it up.
A surprisingly significant part of my job as a lecturer in a law school is undoing the damage done by airheaded blockchain marketers & shockingly naive practitioners/academics to law students.
Blockchain is not a useful general purpose technology.
This past week in #LegalTech press: "Gartner analysts recommend Data & Analytics leaders pilot blockchain smart contracts now." Whilst over at the BBC: "Blockchain has struggled to find a purpose, beyond powering cryptocurrencies like Bitcoin." #blockchain
The global governance of AI is getting more salient and more confusing. Don't worry, this isn't another open letter. With @Kira_UCL @rgorwa, we have a new paper, forthcoming in Annual Review of Law & Social Science to help you navigate.
Time to share that in autumn I’m joining @UCLLaws as Lecturer (UK Asst Prof) in Digital Rights and Regulation! SO excited to ask, research and teach the most inconvenient and interdisciplinary questions about tech law, data & power. Let’s make data rights real. </personalnews>
Minnesota Public Safety Commissioner John Harrington says they've begun contact tracing arrestees.
"Who are they associated with? What platforms are they advocating for? ... Is this organized crime? ... We are in the process right now of building that information network."
professional news ✉️ — thanks @ucl!
(fun UK fact: ‘tenure’ was abolished here in 1988, academic unions play a key role in ensuring the remaining unis w/ strong governance protections against redundancy retain them )
A reminder that Facebook is currently engaging in legal threats and the shadow of a vicious litigation against NYU and specific PhD candidates there to try to silence researchers studying its advertising targeting system beyond the questions and parameters it wants to control.
NEW: Facebook’s attempt to shutter research at NYU on political ads is just the most extreme example of the increasingly fraught relationship between platforms and academics.
My #longreads on how tech giants both court and crush the people who study them
Remember this? PEPP-PT has (without notice) removed #DP3T's decentralised, privacy-preserving approach from its site. PEPP-PT stands now ONLY for an intransparent, unpublished centralised database of Bluetooth social graph data, prone to leakage and function creep.
Important on COVID BT proximity tracing
The 'PEPP-PT' protocol is not settled. Our decentralised privacy design (DP-3T) prevents co-optation, function creep. Centralised alternatives do not.
Do not support PEPP-PT w/o making support explicitly CONDITIONAL on decentralisation.
More #DP3T open-source code for truly privacy-preserving, decentralised Bluetooth contact tracing. Today, our i'national consortium releases alpha Android/iOS apps on GitHub for the world to test & improve. Please do!
Android:
iOS:
NHSX App code for iOS/Android (not backend) now online at , as well as a separate repo with a few short slide decks. Kudos to the tireless people inside who push the UK gov to not develop code in secrecy. Regardless of protocol disputes, you're doing great.
Data access requests in the GDPR remain more powerful on paper than in practice. I've created a new, comprehensive template letter to help everyone get the most of data rights against controllers large & small, mixing access, portability & more. It's here:
People often cite Lessig/Reidenberg for the origin claims related to 'code is law' — they certainly applied it to the Internet — but more people should also cite @langdonw, who in 1977 in 'Autonomous Technology' wrote specifically that 'technology in a true sense is legislation'.
In the last 24 hours, the Austrian health system and the Swiss health system have both announced that #DP3T will be their national Bluetooth contact tracing application.
🇦🇹
🇨🇭
The person appointed to run the group of UK regulators covering digital issues, supposed to link up competition law (CMA), data protection (ICO) and content moderation (OFCOM) has quite literally been working for Google for the last 5 years. Astounding.
Gill Whitehead has been appointed as the new Chief Executive of the Digital Regulation Cooperation Forum (DRCF).
Gill will lead the collective expertise of @ICOnews, @TheFCA, @CMAgovUK and Ofcom to oversee effective regulation of the digital landscape.
UCL now hosts Facebook’s PhD programme. Not an endowment or grant with guaranteed independence, but a business partnership where the company (as in this press release) describes the PhD programme, consistently as “ours”.
Today, Facebook AI Research London is announcing a new, strategic research partnership with @UCL as part of the expansion of our PhD program to the UK:
@uclcs
French court finds facial recognition for school entry was
- ultra vires (region not school did it)
- w/o lawful basis (consent not freely given)
- not proportionate (no evidence access cards and/or CCTV, wouldn’t have met need).
CNIL vindicated
This is hugely important.
It's also complex and commonly misreported.
FB scared of GDPR's depth & reach, will REDUCE legally enforceable privacy protection based on what it is today for most the world.
Let me explain some of the BIG implications. 1/n
The new Tony Blair Institute report finds huge time savings for the public sector from the use of AI tools... by asking GPT-4 what tasks can or cannot be automated 😵💫
Over 300 top academics from over 25 countries warn that centralised approaches to Bluetooth contact tracing, such as PEPP-PT, are:
- unnecessary, given tools such as #DP3T
- intransparent
- hamper trust
- heavily prone to abuse and function creep
After a long, unnecessary saga, England/Wales launches a decentralised contact tracing app based on the DP-3T work led by @carmelatroncoso, following other regions of the UK.
On privacy and public health grounds, you should download and use it.
Apple & Google's announcement provides HUGE support for #DP3T against centralised solutions, which *no longer work* under it. The API they specify lets devices query list of IDs they have seen, but NOT access them to upload them to a central server.
New Belgian lockdown innovation: everyone can have a cuddle-partner (knuffelcontact), singles can have two (doubly cuddly), and you can only get a new one after two weeks. In England singles just get one (or a household) and you’re legally attached to them 4EVA.
The Council presidency compromise text on the draft EU AI Act has some improvements, some big steps back, ignores some huge residual problems and gives a *giant* handout to Google, Amazon, IBM, Microsoft and similar. Thread follows. 🧵
@nick_clegg hey nick FYI you seem to have forgotten the immense number of apps and websites that facebook has embedded hidden pixel trackers and tracking SDKs in which means it’s not just ‘primarily’ what you do on facebook, it’s what the firm watches you do whenever you are online.
1: The DPIA reads like a fight between PR folk wanting to say it is anonymous, and data protection folk needing to say legally, it is not. DPIAs are no place for PR. This data is not anonymous.
Meta relatedly revoke LLaMA 2 licenses for anyone making a copyright claim over inputs or outputs. Might not be a legally successful strategy but I think it symbolically says something about the industry.
This is spot on from the NYT. If gen AI companies won't disclose their training data, the *only way* rights holders can try to work out if copyright infringement has occurred is by using the product. To call this a 'hack' is intentionally misleading.
If OpenAI don't want people
The #DP3T Project has produced a 21 page guidebook and typology to the various privacy & security attacks on the whole spectrum of digital proximity tracing systems, to make the space clearer and to help guide everyone through the various claims being made
Sick of illegal cookie banners hiding a reject button? Reminder that the Consent-O-Matic plugin from @AarhusUni @MidasNouwens for Firefox, Safari (Mac/iOS) & Chromium auto-clicks reject for you, exercising your legal rights, and complements ad blockers.
Come do a fully-funded PhD (full Home/Overseas fees+stipend) w/ me @UCLLaws on future international regulation of platform computational and sensing infrastructures! How to govern protocols and power in legitimate, globally representative ways? (pls share)
The Data Protection and Digital Information Bill contains a lot of changes. Some were previewed in the June consultation response. Others weren't. Some observations: 🧵
Government-supported firm developing vaccine certificates for pubs has solution based on cloud based facial recognition at the door.
Usually as an academic I’d end a tweet with analysis but it’s pretty self explanatory this is a terrible, terrible idea.
Cynthia Rudin's frank about it. No black box should be deployed when there exists an interpretable model with the same level of performance
- interpretability v accuracy is a myth
- explanations are dishonest, incoherent, incomplete, unhelpful in practice
Significant news for the AI Act from the Commission as it proposes its new Standardisation Strategy, involving amending the 2012 Regulation. Remember: private bodies making standards (CEN/CENELEC/ETSI) are the key entities in the AI Act that determine the final rules. 🧵
Firefox now recommends you run Facebook in a separate browser container when you visit the website, to prevent/limit the tracking by like buttons, Facebook Pixel, etc across the Web,
On May 25, search your email for GDPR, take all the email addresses of all the organisations that have emailed you to opt-in, and send them a request for a copy of all your data, all purposes for which that data is processed, and the lawful basis they claim each is done for.
@jburnmurdoch @natashaloder Palantir’s business is to make data linkage and transformation and querying proprietary. By putting a closed solution so deep into the stack, the NHS will be milked by them forever more. The costs of shifting will be too impossibly high.
Compare:
* US angrily claiming law should stop FaceApp sending data abroad (🇷🇺) to be pilfered by nat security
* US angrily claiming to CJEU (@maxschrems II) the EU has no authority to stop Facebook sending data abroad (🇺🇸) to be pilfered by nat security
Hey Microsoft Research people who think that constant facial emotion analysis might not be a great thing (among others), what do you think of this proposed Teams feature published at CHI to spotlight videos of audience members with high affective ‘scores’?
AffectiveSpotlight is a method that uses recent affect-sensing advances to show presenters select audience reactions, so that they can react in real-time to relevant feedback—including facial responses like confusion or boredom and body movements like head nods or raised hands.
Scholars! Your regular reminder not to use Mendeley to manage refs; this Elsevier product force encrypts your local database (lying that it’s for GDPR) so you can’t migrate to eg Zotero, leaving the only export via an online API they can kill whenever.
James Cleverly on #r4today is wrong to say that the London Assembly has no powers to compel Johnson to appear before them. Their power (under the GLA Act ‘99) extends to individuals who have been mayor within the last 8 years.
I recommend everyone following contact tracing/apps read and reflect on this very important letter posted to the #DP3T GitHub Issues page on expanding discussion beyond privileging the technical, by Miriyam Aouragh, @Helen_Pritchard, Femke Snelting
Official PEPP-PT severance notice from ETH Zürich, following PEPP-PT's failure to publish *any* documents or protocol, as they promised yesterday to governments and the press. Is this a Theranos moment? 1/n
ETH Zurich yesterday notified PEPP-PT that it is withdrawing from the PEPP-PT consortium with immediate effect. Our relentless focus from now on is #DP3T.
I have problems with the EU High-Level Expert Group on AI's Policy Recommendations, and have a paper on my views forthcoming in @EurJRR. The preprint is now up on @lawarxiv at . Here's a summary (short thread):
You can say it is protected.
You can say it takes effort to link to an individual person.
But databases of contact data connected to device IDs, such as that in the UK NHSX app, are *unambiguously* not anonymous data under UK law.
So you know where to find me on the off-chance you look up from Twitter, I'm now Digital Charter Fellow at @turinginst, researching evidence around and responses to contemporary digital challenges and emerging regulation in the UK and further afield.
The concern should not be about whether Palantir can ‘see’ your medical info, but whether, as a technological infrastructure, they shape and determine the ends to which it can and cannot be put. They don’t want to spy on you, but they do want to extract value by shaping data use.
Layer upon layer of b*llshit and misinformation here.
The operator of the NHS federated data platform (Palantir) does not have access to your health data.
Don't bother doing the "opt out" shown here--it just stops your data being used in medical research.
Lastly,
Netflix using dark patterns to preference some e-mail addresses over others. Why isn’t it suggesting ProtonMail, the privacy-friendly, encrypted, alternative to Gmail & co?
Chief AI Scientist at Meta and professor at NYU wilfully misrepresenting the law. Maybe do some interdisciplinary collaboration before you talk about requirements you haven’t parsed correctly.
EU: driving assistance systems are now mandatory for all vehicles (all based on deep learning).
Also EU: All safety-critical AI systems must be explainable (deep learning must be banned).
New piece from me in the Guardian: the Apple-Google contact tracing API (not app, headline not mine...) gives us all a preview into how even privacy enhancing technologies can be used to wield power, why they need governance, and how we might do it.
Here are three easy scenarios that show this data is really not anonymous (let alone the fact that it cannot be anonymous data in data protection law if there is a unique device identifier involved).
how do i opt out of the fact all websites are designed for chromium now? how do i opt out of doubleclick, google analytics, authorised buyers, google fonts? how do i opt out of google play services?
Today’s lawsuit by the Department of Justice is deeply flawed. People use Google because they choose to -- not because they're forced to or because they can't find alternatives. We will have a full statement this morning.
UCL commits not to use film/audio recordings created for teaching in the past or coming academic year in the future without the originator's consent. Any other unis, UK or otherwise, done this yet?
Apple continues its confusion of privacy and confidentiality by getting deeper into the ID business, laying the pathway for people to be asked to prove any characteristic, to anyone, at any time, with limited to no friction. But it's in a secure enclave, so that's ok then!
The takeaway: Two people who have their iPhones locked in their pockets will not register as contacts with each other. A room of people with iPhones locked in their pockets will not register with each other unless someone with an Android is in the room.
I’ll be giving oral evidence to the @UKParliament’s Joint @HumanRightsCtte on the human rights implications of COVID-19 tracing apps on Monday, alongside @lynskeyo, the Information Commissioner (and @simcd), NHSX and NCSC/GCHQ. #DP3T
The European Parliament this week passed, by overwhelming majority of 395 against 171, a motion which demands decentralisation of COVID-19 tracking apps, publishing of code and revealing of all corporate interests.
New 📄: “Denied by Design? Data Access Rights in Encrypted Infrastructures”. Tension: Platforms are using more edge/privacy-enhancing tech to learn about the world, keeping data on user's devices — yet also hiding that data from those same users. 🧵
AI Act: *Do you HATE EU 4 column docs?* I've extracted and tidied the draft AI Act agreement so you can read it better. No accuracy guarantees, except that your eyes will infinitely thank you. Please do not use this as an excuse to stop hating PDFs.
#AIAct
This is also because the computer science field confuses privacy with confidentiality because it conceptualises legal and ethical concepts that cannot be mathematically formalised as errors. Does not have a view of power.
A thing I worry about in the (academic) privacy field is that our work isn’t really improving privacy globally. If anything it would be more accurate to say we’re finding ways to encourage the collection and synthesis of more data, by applying a thin veneer of local “privacy.”
@NandoDF imo the AI community can and should recognise its own irrelevance here and actively use its oversized platform to give way, giving other, much more important people, causes, disciplines and entities, air and airtime.
The sad thing with the Facebook leak (reported in 2019 already) is that straightforward data breaches are really the only GDPR infringement simple enough that data protection authorities feel confident to enforce.
Actual rights and freedoms continue to languish, ignored.
So, section 14 of the Data Protection Act 2018? (Art 22 of GDPR, for decisions authorised by law). Students could ask Ofqual to take a new decision not based solely on automated processing, as this one has been. It clearly produces both legal and significant effects.
might as well place on the public record that 11 April email which I sent to (and was responded to/read) NHSX, NCSC, CDEI/DCMS representatives stating the problems the NHSX approach that lay down the line (regardless of if you think centralisation/decentralisation better)
#dp3t
Northern Ireland minister confirms they will use a decentralised app for reasons of privacy and to interoperate with the Republic, rather than adopting the centralised NHSX contact tracing app.
Europe will never lead in AI — and nor should it. Economically, socially, legally it should seek to lead in the discovery and application of appropriate technology for human and societal challenges. By letting itself be led by the constrained AI framing, Europe has already lost.
It’s time to show how Europe can lead in #AI!
We know how & we are already pushing it forward.
Meet the European networks of excellence.
Join us at the #EuropeanVision4AI:
🗓️Thu 22 Apr 2021 11am.
Register at
Luca, the dodgy for-profit German QR infrastructure, living up to the predictions @annliffey @linnetelwin @sedyst & I made last yr in @EurJRR, wanting to merge identity authentication (eg ID docs) w Covid attribute attestation: that’s where the €€€ is
Fantasies of omnipotence at #LucaApp: "in addition to the vaccination or recovery certificate, also show the ID card or passport. We want to simply merge that in Luca as well."
Apple and Google confirm they will use App Store rules to forbid apps using their Exposure Notification API from using (or even asking for permission to use) GPS/location services too.