Michael Veale @[email protected]
@mikarv
Followers
25,642
Following
1,890
Media
3,153
Statuses
44,218
assoc prof in tech law & vice-dean @UCLLaws , fellow @ivir_uva . not resigned to today's digital power structures (yet). 🦣
London
Joined February 2009
Don't wanna be here?
Send us removal request.
Explore trending content on Musk Viewer
Maggie Smith
• 785844 Tweets
Netanyahu
• 622037 Tweets
Beirut
• 486962 Tweets
القادسية
• 423643 Tweets
Nasrallah
• 306100 Tweets
Zelensky
• 262196 Tweets
Harry Potter
• 211815 Tweets
Lali
• 201017 Tweets
بيروت
• 163760 Tweets
الزمالك
• 120127 Tweets
Acapulco
• 95699 Tweets
#الضاحيه_الجنوبيه
• 79155 Tweets
I-40
• 73039 Tweets
マクゴナガル先生
• 54231 Tweets
حامد
• 35722 Tweets
Van Gogh
• 29508 Tweets
Willie
• 27821 Tweets
Asheville
• 26536 Tweets
FONDEN
• 25808 Tweets
#حسن_نصر_الشيطان
• 18311 Tweets
Dortmund
• 15527 Tweets
Barcola
• 15406 Tweets
#السوبر_الافريقي
• 13565 Tweets
Bane
• 12104 Tweets
Pinned Tweet
How do and should model marketplaces hosting user-uploaded AI systems like
@HuggingFace
@GitHub
&
@HelloCivitai
moderate models & answer takedown requests? In a new paper,
@rgorwa
& I provide case studies of tricky AI platform drama & chart a way forward.
8
57
201
I've analysed the data protection impact assessment for the NHSX Isle of Wight App trial. It indicates very significant legal flaws. The paper I have written on it can be found here: . I'll go through the main ones in this thread 1/n
64
1K
2K
When pushed with the GDPR,
@spotify
gives you a huge amount of telemetry data from their app (for me, 850mb of JSON files).
Includes your A/B testing history, anything you've ever drag-dropped, connected, so on. This is how software works today.
34
1K
2K
Google: we have used AI to discover 2.2 million new crystals, 384K are stable.
Chemists, actually examining results: we have yet to find any strikingly novel compounds in the [..] listings. (most could not exist or are so trivially different chemists wouldn’t consider them new)
Back in November, Google announced 2.2 milllion new materials.
Today, a paper in Chemistry of Materials from Ram Seshadri and Tony Cheetham dismantles that claim
18
361
1K
4
375
1K
Governments cannot be trusted w/ social network data from Bluetooth. So w/ colleagues from 7 unis, 5 countries, we've built & legally analysed a bluetooth COVID proximity tracing system that works at scale, where the server learns nothing about individuals
As countries deploy data-hungry contact tracing, we worry about what will happen with this data. Together with colleagues from 7 institutions, we designed a system that hides all personal information from the server. Please read and give comments!
24
382
717
35
587
1K
Remember everyone quickly speculating whether Black Mirror: Bandersnatch was a data mining experiment. I used my GDPR right of access to find out more. (short thread)
#Bandersnatch
20
606
971
The Register has a very technically savvy long-read headlined simply: “UK finds itself almost alone with centralized virus contact-tracing app that probably won't work well, asks for your location, may be illegal”
25
726
944
How exactly can
#DP3T
privacy-preserving Bluetooth COVID-19 alerts work if identifiable personal data never leaves your device? It's actually not so complicated, and even less so now
@ncasenmare
has made a fantastic, public domain, comic explaining it: 1/
28
742
940
New 📰: There's more to the EU AI regulation than meets the eye: big loopholes, private rulemaking, powerful deregulatory effects. Analysis needs connection to broad—sometimes pretty arcane—EU law
@fborgesius
& I have done it so you don't have to: long 🧵
21
370
835
So, Facebook, I'm very suddenly seeing adverts for boutique Amsterdam hotels because I speak English (US) and am over 26? Not because I just booked a hotel for Amsterdam next week on a different site, even with a tracker blocker installed?
19
333
782
New minister in charge of data protection in the United Kingdom.
My staff log onto my computer on my desk with my login everyday. Including interns on exchange programmes. For the officer on
@BBCNews
just now to claim that the computer on Greens desk was accessed and therefore it was Green is utterly preposterous !!
3K
754
1K
18
273
650
@Researchfish
@bedcatalysis
@seis_matters
I’ve asked
@UKRI_News
what they know about this in an FOI request.
17
49
643
I did indeed pass my PhD ‘Governing Machine Learning That Matters’ today (w/ minor corrections)
This PhD relied deeply on so many people in the UK and around the world. Thank you for your friendship, support and inspiration. Tech policy rocks. Being collegiate rocks.
Congrats to my brilliant friend and colleague Dr
@mikarv
on passing his viva - he's being uncharacteristically quiet I suspect as celebrating!!
4
3
42
92
21
614
Google Vision AI is so reliable it recognises a screenshot of its own product as being 90% certain as Azure.
19
76
610
The comic explaining
#DP3T
Bluetooth contact tracing (also explains Apple-Google protocol) from
@ncasenmare
now available in 1) simplified one-pane v (img), 2) versions in French, German, Spanish, Thai & Finnish on the repo! Wanna translate it too?
22
372
588
Northern Ireland:
- will not encourage downloading of centralised NHSX contact app
- building a NI version to work w the Republic (decentralised)
- Deputy First Minister has human rights concerns about centralisation
19
274
563
Remember
@Researchfish
's
@PhishResearch
aggressive reporting of researchers criticising it on Twitter? The FOI request I made to UKRI shows pretty disturbing behaviour from both Interfolio (who owns RF) and UKRI egging them on. 1/ 🧵
12
266
538
Lots of selected thoughts on the draft leaked EU AI regulation follow. Not a summary but hopefully useful. 🧵
7
205
531
Amazon seems to have turned the Koepelgevangnis in Haarlem, a literal 1901 Bentham panopticon-inspired penitentiary, into an AWS office. Can’t make it up.
14
151
524
German ministers announce official flip to decentralised, privacy-preserving Bluetooth contact tracing, joining 🇨🇭 🇪🇪 🇦🇹. Reuters:
#DP3T
13
317
510
A surprisingly significant part of my job as an lecturer in a law school is undoing the damage done by airheaded blockchain marketers & shockingly naive practitioners/academics to law students.
Blockchain is not a useful general purpose technology.
This past week in
#LegalTech
press: "Gartner analysts recommend Data & Analytics leaders pilot blockchain smart contracts now." Whilst over at the BBC: "Blockchain has struggled to find a purpose, beyond powering cryptocurrencies like Bitcoin."
#blockchain
2
11
23
31
130
498
Time to share that in autumn I’m joining
@UCLLaws
as Lecturer (UK Asst Prof) in Digital Rights and Regulation! SO excited to ask, research and teach the most inconvenient and interdisciplinary questions about tech law, data & power. Let’s make data rights real. </personalnews>
64
22
443
the potential dangers of centralised contact tracing apps already becoming scarily, explicitly apparent
Minnesota Public Safety Commissioner John Harrington says they've begun contact tracing arrestees.
"Who are they associated with? What platforms are they advocating for? ... Is this organized crime? ... We are in the process right now of building that information network."
590
2K
4K
19
296
431
professional news ✉️ — thanks
@ucl
!
(fun UK fact: ‘tenure’ was abolished here in 1988, academic unions play a key role in ensuring the remaining unis w/ strong governance protections against redundancy retain them )
87
4
423
A reminder that Facebook is currently engaging in legal threats and the shadow of a vicious litigation against NYU and specific PhD candidates there to try to silence researchers studying its advertising targeting system beyond the questions and parameters it wants to control.
NEW: Facebook’s attempt to shutter research at NYU on political ads is just the most extreme example of the increasingly fraught relationship between platforms and academics.
My
#longreads
on how tech giants both court and crush the people who study them
19
438
815
6
208
401
Remember this? PEPP-PT has (without notice) removed
#DP3T
's decentralised, privacy-preserving approach from its site. PEPP-PT stands now ONLY for an intransparent, unpublished centralised database of Bluetooth social graph data, prone to leakage and function creep.
Important on COVID BT proximity tracing
The 'PEPP-PT' protocol is not settled. Our decentralised privacy design (DP-3T) prevents co-optation, function creep. Centralised alternatives do not.
Do not support PEPP-PT w/o making support explicitly CONDITIONAL on decentralisation.
11
68
141
13
306
404
More
#DP3T
open-source code for truly privacy-preserving, decentralised Bluetooth contact tracing. Today, our i'national consortium releases alpha Android/iOS apps on GitHub for the world to test & improve. Please do!
Android:
iOS:
14
251
380
is it just me or does it seem pretty clear that
@OpenAI
's DALLE-2 must have scraped a huge proportion of
@DeviantArt
?
22
32
350
NHSX App code for iOS/Android (not backend) now online at , as well as a separate repo with a few short slide decks. Kudos to the tireless people inside who push the UK gov to not develop code in secrecy. Regardless of protocol disputes, you're doing great.
14
121
347
Data access requests in the GDPR remain more powerful on paper than in practice. I've created a new, comprehensive template letter to help everyone get the most of data rights against controllers large & small, mixing access, portability & more. It's here:
17
142
351
People often cite Lessig/Reidenberg for the origin claims related to 'code is law' — they certainly applied it to the Internet — but more people should also cite
@langdonw
, who in 1977 in 'Autonomous Technology' wrote specifically that 'technology in a true sense is legislation'.
14
82
343
In the last 24 hours, the Austrian health system and the Swiss health system have both announced that
#DP3T
will be their national Bluetooth contact tracing application.
🇦🇹
🇨🇭
9
185
337
The person appointed to run the group of UK regulators covering digital issues, supposed to link up competition law (CMA), data protection (ICO) and content moderation (OFCOM) has quite literally been working for Google for the last 5 years. Astounding.
17
175
332
These are the glasses you’d need to slip Reese Witherspoon past a neural network disguised as Russell Crowe.
7
213
327
UCL now hosts Facebook’s PhD programme. Not an endowment or grant with guaranteed independence, but a business partnership where the company (as in this press release) describes the PhD programme, consistently as “ours”.
18
128
317
French court finds facial recognition for school entry was
- ultra vires (region not school did it)
- w/o lawful basis (consent not freely given)
- not proportionate (no evidence access cards and/or CCTV, wouldn’t have met need).
CNIL vindicated
7
218
313
This is hugely important.
It's also complex and commonly misreported.
FB scared of GDPR's depth & reach, will REDUCE legally enforceable privact protection based on what it is today for most the world.
Let me explain some of the the BIG implications. 1/n
Exclusive: Facebook to put 1.5 billion users out of reach of new EU privacy law
6
148
101
9
245
294
this methodology is a dismal new low, and any media outlet reporting on this report should in turn be humiliated if they do not ridicule it.
The new Tony Blair Institute report finds huge time savings for the public sector from the use of AI tools... by asking GPT-4 what tasks can or cannot be automated 😵💫
35
184
614
6
98
302
Over 300 top academics from over 25 countries warn that centralised approaches to Bluetooth contact tracing, such as PEPP-PT, are:
- unnecessary, given tools such as
#DP3T
- intransparent
- hamper trust
- heavily prone to abuse and function creep
7
192
293
After a long, unnecessary saga, England/Wales launches a decentralised contact tracing app based on the DP-3T work led by
@carmelatroncoso
, following other regions of the UK.
On privacy and public health grounds, you should download and use it.
25
183
277
i have a few jokes about positions on ai ethics boards but only the same handful of people ever get them
4
33
278
Apple & Google's annoucement provides HUGE support for
#DP3T
against centralised solutions, which *no longer work* under it. The API they specify lets devices to query list of IDs they have seen, but NOT access them to upload them to a central server.
15
169
268
New Belgian lockdown innovation: everyone can have a cuddle-partner (knuffelcontact), singles can have two (doubly cuddly), and you can only get a new one after two weeks. In England singles just get one (or a household) and you’re legally attached to them 4EVA.
10
79
267
The Council presidency compromise text on the draft EU AI Act has some improvements, some big steps back, ignores some huge residual problems and gives a *giant* handout to Google, Amazon, IBM, Microsoft and similar. Thread follows. 🧵
4
114
271
@nick_clegg
hey nick FYI you seem to have forgotten the immense number of apps and websites that facebook has embedded hidden pixel trackers and tracking SDKs in which means it’s not just ‘primarily’ what you do on facebook, it’s what the firm watches you do whenever you are online.
5
47
255
1: The DPIA reads like a fight between PR folk wanting to say it is anonymous, and data protection folk needing to say legally, it is not. DPIAs are no place for PR. This data is not anonymous.
4
135
257
Meta relatedly revoke LLaMA 2 licenses for anyone making a copyright claim over inputs or outputs. Might not be a legally successful strategy but I think it symbolically says something about the industry.
This is spot on from the NYT. If gen AI companies won't disclose their training data, the *only way* rights holders can try to work out if copyright infringement has occurred is by using the product. To call this a 'hack' is intentionally misleading.
If OpenAI don't want people
10
133
481
8
106
264
The
#DP3T
Project has produced a 21 page guidebook and typology to the various privacy & security attacks on the whole spectrum of digital proximity tracing systems, to make the space clearer and to help guide everyone through the various claims being made
6
177
258
Sick of illegal cookie banners hiding a reject button? Reminder that the Consent-O-Matic plugin from
@AarhusUni
@MidasNouwens
for Firefox, Safari (Mac/iOS) & Chromium auto-clicks reject for you, exercising your legal rights, and complements ad blockers.
5
86
254
Come do a fully-funded PhD (full Home/Overseas fees+stipend) w/ me
@UCLLaws
on future international regulation of platform computational and sensing infrastructures! How to govern protocols and power in legitimate, globally representative ways? (pls share)
11
189
258
The Data Protection and Digital Information Bill contains a lot of changes. Some were previewed in the June consultation response. Others weren't. Some observations: 🧵
5
116
253
Government-supported firm developing vaccine certificates for pubs has solution based on cloud based facial recognition at the door.
Usually as an academic I’d end a tweet with analysis but it’s pretty self explanatory this is a terrible, terrible idea.
14
139
250
Cynthia Rudin's frank about it. No black box should be deployed when there exists an interpretable model with the same level of performance
- interpretability v accuracy is a myth
- explanations are dishonest, incoherent, incomplete, unhelpful in practice
4
106
251
Significant news for the AI Act from the Commission as it proposes its new Standardisation Strategy, involving amending the 2012 Regulation. Remember: private bodies making standards (CEN/CENELEC/ETSI) are the key entities in the AI Act that determine the final rules. 🧵
4
89
253
Firefox now recommends you run Facebook in a separate browser container when you visit the website, to prevent/limit the tracking by like buttons, Facebook Pixel, etc across the Web,
7
126
248
On May 25, search your email for GDPR, take all the email addresses of all the organisations that have emailed you to opt-in, and send them a request for a copy of all your data, all purposes for which that data is processed, and the lawful basis they claim each is done for.
13
106
243
is it hot in here or is my laptop running microsoft teams
8
24
244
@jburnmurdoch
@natashaloder
Palantir’s business is to make data linkage and transformation and querying proprietary. By putting a closed solution so deep into the stack, the NHS will be milked by them forever more. The costs of shifting will be too impossibly high.
5
16
248
Compare:
* US angrily claiming law should stop FaceApp sending data abroad (🇷🇺) to be pilfered by nat security
* US angrily claiming to CJEU (
@maxschrems
II) the EU has no authority to stop Facebook sending data abroad (🇺🇸) to be pilfered by nat security
7
113
238
Hey Microsoft Research people who think that constant facial emotion analysis might not be a great thing (among others), what do you think of this proposed Teams feature published at CHI to spotlight videos of audience members with high affective ‘scores’?
AffectiveSpotlight is a method that uses recent affect-sensing advances to show presenters select audience reactions, so that they can react in real-time to relevant feedback—including facial responses like confusion or boredom and body movements like head nods or raised hands.
9
7
20
7
115
240
it’s almost like... skilfully using the law is more impactful than writing ai ethics principles ...
9
65
240
Scholars! Your regular reminder not to use Mendeley to manage refs; this Elsevier product force encrypts your local database (lying that it’s for GDPR) so you can’t migrate to eg Zotero, leaving the only export via an online API they can kill whenever.
5
136
242
James Cleverly on
#r4today
is wrong to say that the London Assembly has no powers to compel Johnson to appear before them. Their power (under the GLA Act ‘99) extends to individuals who have been mayor within the last 8 years.
21
139
226
I recommend everyone following contact tracing/apps read and reflect on this very important letter posted to the
#DP3T
GitHub Issues page on expanding discussion beyond privileging the technical, by Miriyam Aouragh,
@Helen_Pritchard
, Femke Snelting
10
124
237
Official PEPP-PT severance notice from ETH Zürich, following PEPP-PT's failure to publish *any* documents or protocol, as they promised yesterday to governments and the press. Is this a Theranos moment? 1/n
6
163
234
European Union swiftly pivots from 'let's ban facial recognition' to 'let's create a pan-European database of facial data'.
8
183
232
You can say it is protected.
You can say it takes effort to link to an individual person.
But databases of contact data connected to device IDs, such as that in the UK NHSX app, are *unambiguously* not anonymous data under UK law.
4
170
231
So you know where to find me on the off-chance you look up from Twitter, I'm now Digital Charter Fellow at
@turinginst
, researching evidence around and responses to contemporary digital challenges and emerging regulation in the UK and further afield.
28
9
233
The concern should not be about whether Palantir can ‘see’ your medical info, but whether, as a technological infrastructure, they shape and determine the ends to which it can and cannot be put. They don’t want to spy on you, but they do want to extract value by shaping data use.
Layer upon layer of b*llshit and misinformation here.
The operator of the NHS federated data platform (Palantir) does not have access to your health data.
Don't bother doing the "opt out" shown here--it just stops your data being used in medical research.
Lastly,
61
100
545
5
72
230
stretching the definition of dark patterns to absolute breaking point now
Netflix using dark patterns to preference some e-mail addresses over others. Why isn’t it suggesting ProtonMail, the privacy-friendly, encrypted, alternative to Gmail & co?
6
0
18
4
9
229
Chief AI Scientist at Meta and professor at NYU wilfully misrepresenting the law. Maybe do some interdisciplinary collaboration before you talk about requirements you haven’t parsed correctly.
EU: driving assistance systems are now mandatory for all vehicles (all based on deep learning).
Also EU: All safety-critical AI systems must be explainable (deep learning must be banned).
66
197
1K
11
43
229
New piece from me in the Guardian: the Apple-Google contact tracing API (not app, headline not mine...) gives us all a preview into how even privacy enhancing technologies can be used to wield power, why they need governance, and how we might do it.
Big tech doesn’t need big personal datasets to control us: excellent piece from
@mikarv
.
3
49
72
12
144
223
no
The coronavirus pandemic has exposed how vulnerable international supply chains are to disruption. Blockchains could help.
19
33
67
3
42
218
The Pokémon Company issued a takedown request to Hugging Face for a dataset describing the characteristics of e.g. Bulbasaur. Let's see how this goes.
3
87
217
Here are three easy scenarios that show this data is really not anonymous (let alone the fact that it cannot be anonymous data in data protection law if there is a unique device identifier involved).
3
94
201
how do i opt out of the fact all websites are designed for chromium now? how do i opt out of doubleclick, google analytics, authorised buyers, google fonts? how do i opt out of google play services?
Today’s lawsuit by the Department of Justice is deeply flawed. People use Google because they choose to -- not because they're forced to or because they can't find alternatives. We will have a full statement this morning.
374
511
1K
7
52
205
UCL commits not to use film/audio recordings created for teaching in the past or coming academic year in the future without the originator's consent. Any other unis, UK or otherwise, done this yet?
4
103
203
Apple continues its confusion of privacy and confidentiality by getting deeper into the ID business, laying the pathway for people to be asked to prove any characteristic, to anyone, at any time, with limited to no friction. But it's in a secure enclave, so that's ok then!
5
83
203
The takeaway: Two people who have their iPhones locked in their pockets will not register as contacts with each other. A room of people with iPhones locked in their pockets will not register with each other unless someone with an Android is in the room.
9
114
188
I’ll be giving oral evidence to the
@UKParliament
’s Joint
@HumanRightsCtte
on the human rights implications of COVID-19 tracing apps on Monday, alongside
@lynskeyo
, the Information Commissioner (and
@simcd
), NHSX and NCSC/GCHQ.
#DP3T
8
54
195
The European Parliament this week passed, by overwhelming majority of 395 against 171, a motion which demands decentralisation of COVID-19 tracking apps, publishing of code and revealing of all corporate interests.
4
88
189
New 📄: “Denied by Design? Data Access Rights in Encrypted Infrastructures”. Tension: Platforms are using more edge/privacy-enhancing tech to learn about the world, keeping data on user's devices — yet also hiding that data from those same users. 🧵
3
63
190
first day as lecturer at
@UCLLaws
! just need to move the books in... and perhaps some plants. And get some hats.
14
2
186
AI Act: *Do you HATE EU 4 column docs?* I've extracted and tidied the draft AI Act agreement so you can read it better. No accuracy guarantees, except that your eyes will infintely thank you. Please do not use this as an excuse to stop hating PDFs.
#AIAct
7
42
181
This is also because the computer science field confuses privacy with confidentiality because it conceptualises legal and ethical concepts that cannot be mathematically formalised as errors. Does not have a view of power.
A thing I worry about in the (academic) privacy field is that our work isn’t really improving privacy globally. If anything it would be more accurate to say we’re finding ways to encourage the collection and synthesis of more data, by applying a thin veneer of local “privacy.”
13
68
276
13
49
182
@NandoDF
imo the AI community can and should recognise its own irrelevance here and actively use its oversized platform to give way, giving other, much more important people, causes, disciplines and entities, air and airtime.
3
3
178
The sad thing with the Facebook leak (reported in 2019 already) is that straightforward data breaches are really the only GDPR infringement simple enough that data protection authorities feel confident to enforce.
Actual rights and freedoms continue to languish, ignored.
5
32
173
So, section 14 of the Data Protection Act 2018? (Art 22 of GDPR, for decisions authorised by law). Students could ask Ofqual to take a new decision not based solely on automated processsing, as this one has been. It clearly produces both legal and significant effects.
9
126
169
might as well place on the public record that 11 April email which I sent to (and was responded to/read) NHSX, NCSC, CDEI/DCMS representatives stating the problems the NHSX approach that lay down the line (regardless of if you think centralisation/decentralisation better)
#dp3t
5
86
173
Northern Ireland minister confirms they will use a decentralised app for reasons of privacy and to interoperate with the Republic, rather than adopting the centralised NHSX contact tracing app.
5
107
170
Estonia 🇪🇪 officially announces that the government contract tracing app will be decentralised, based on
#DP3T
, joining 🇦🇹 and 🇨🇭.
7
92
176
Europe will never lead in AI — and nor should it. Economically, socially, legally it should seek to lead in the discovery and application of appropriate technology for human and societal challenges. By letting itself be led by the constrained AI framing, Europe has already lost.
It’s time to show how Europe can lead in
#AI
!
We know how & we are already pushing it forward.
Meet the European networks of excellence.
Join us at the
#EuropeanVision4AI
:
🗓️Thu 22 Apr 2021 11am.
Register at
0
15
31
6
27
177
lol DCMS has outdone itself today; recruiting “Head of Big Tech Expertise” starting at 47K.
13
19
172
Luca, the dodgy for-profit German QR infrastructure, living up to the predictions
@annliffey
@linnetelwin
@sedyst
& I made last yr in
@EurJRR
, wanting to merge identity authentication (eg ID docs) w Covid attribute attestation: that’s where the €€€ is
Allmachtsfantasien bei
#LucaApp
:
"zusätzlich zum Impf- oder Genesenenausweis auch den Personalausweis oder Pass vorzeigen. Das wollen wir in Luca auch einfach zusammenführen."
56
126
494
5
67
158
Apple and Google confirm they will use App Store rules to forbid apps using their Exposure Notification API from using (or even asking for permission to use) GPS/location services too.
7
114
160