human rights

Privacy - GDPR for the US

You do not have the right to Privacy, at least not guaranteed by your constitution or by law. Years and years of application of the 4th amendment (unreasonable search and seizure) create a world of “reasonable expectation of privacy”. To give you an idea of how narrowly this is defined, in Smith v Maryland (1979) Supreme Court case, the dialing of digits on your telephone constituted consent to the telephone company to release your privacy. This decision is being applied over and over again in the digital age, but technology companies who use your data and information to enormous profit ($24 bil in Q2 2017 for Google alone). Recently the Amici Curiae, brief was prepared by 42 legal scholars to suggest that the times have changed and continued use of the Smith decision is problematic. I agree times 10. I have argued that we need to rebuild our right to privacy from the ground up with a constitutional amendment protecting privacy. The problem is two-fold, one that’s a hard thing to do. 2) James Comey speaking at a Boston Security conference on March 7th 2017 said “There is no such thing as privacy anymore in America”. Which indicates that the authorities (and the largest companies in the world) like their very long reach into your lives and your data.

Recently Europe has actually lead the way on privacy with GDPR (General Data Protection Regulation) which goes into effect in Europe on 25 May 2018. This new law effects any company around the world looking to do business with a European person. It is an excellent start to the rights of individuals in the digital age. I would advocate for something similar here in the US, but I expect the resistance to be substantial from the largest companies in the big data business, Amazon, Facebook, Google and now the ISPs. They have zero interest in your privacy, in fact if everyone went dark on these businesses, they would be hard pressed to exist. Here’s a summary of the key points that GDPR provides for the citizens of Europe:

The conditions for consent have been strengthened, and companies will no longer be able to use long illegible terms and conditions full of legalese, as the request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.

Data Subject Rights

Breach Notification

Under the GDPR, breach notification will become mandatory in all member states where a data breach is likely to “result in a risk for the rights and freedoms of individuals”. This must be done within 72 hours of first having become aware of the breach. Data processors will also be required to notify their customers, the controllers, “without undue delay” after first becoming aware of a data breach.

Right to Access
Part of the expanded rights of data subjects outlined by the GDPR is the right for data subjects to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. Further, the controller shall provide a copy of the personal data, free of charge, in an electronic fromat. This change is a dramatic shift to data transparency and empowerment of data subjects.

Right to be Forgotten
Also known as Data Erasure, the right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data. It should also be noted that this right requires controllers to compare the subjects’ rights to “the public interest in the availability of the data” when considering such requests. *personally I think this remains a weakness of the law as there is too much subjectivity

Data Portability
GDPR introduces data portability — the right for a data subject to receive the personal data concerning them, which they have previously provided in a ‘commonly use and machine readable format’ and have the right to transmit that data to another controller.

Privacy by Design
Privacy by design as a concept has existed for years now, but it is only just becoming part of a legal requirement with the GDPR. At it’s core, privacy by design calls for the inclusion of data protection from the onset of the designing of systems, rather than an addition. More specifically — ‘The controller shall..implement appropriate technical and organisational an effective way.. in order to meet the requirements of this Regulation and protect the rights of data subjects’. Article 23 calls for controllers to hold and process only the data absolutely necessary for the completion of its duties (data minimisation), as well as limiting the access to personal data to those needing to act out the processing.

Data Protection Officers
Currently, controllers are required to notify their data processing activities with local DPAs, which, for multinationals, can be a bureaucratic nightmare with most Member States having different notification requirements. Under GDPR it will not be necessary to submit notifications / registrations to each local DPA of data processing activities, nor will it be a requirement to notify / obtain approval for transfers based on the Model Contract Clauses (MCCs). Instead, there will be internal record keeping requirements, as further explained below, and DPO appointment will be mandatory only for those controllers and processors whose core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale or of special categories of data or data relating to criminal convictions and offences. Importantly, the DPO:

  • Must be appointed on the basis of professional qualities and, in particular, expert knowledge on data protection law and practices
  • May be a staff member or an external service provider
  • Contact details must be provided to the relevant DPA
  • Must be provided with appropriate resources to carry out their tasks and maintain their expert knowledge
  • Must report directly to the highest level of management
  • Must not carry out any other tasks that could results in a conflict of interest.

As you can see this is a game changer as it relates to your existing privacy relationships in the United States and many other countries. Since privacy is not explicitly guaranteed by the Constitution, the people, have fought to claw back that privacy time and again. The proverbial slippery slope has been tilted against the individual from the outset. Which is why I suggest we change the slope completely and ask for the constitutional amendment. Failing that, I would like to see law makers begin to implement the features above from GDPR with the added increase that it would be law enforcement and not controllers who could consider the public record versus the appropriate right to be forgotten.

Lastly, I call on the technology world to build a series of privacy tool.

  1. Privacy App — designed to track your own data, who has it, what is it, where it goes. This app ought to plug into any aspect of your life and immediately change the privacy settings in an instant.
  2. Right to be Forgotten tool kit. An internet eraser that allows the individual to quickly and completely clean up their online life and their data footprint.

I suspect the both apps would be wildly successful, and thus are already in development. Personally I can’t wait to use them.

Living in the Age of Machines - Do we need a second Bill of Rights?

The initial Bill of Rights, written by James Madison in 1789, served to facilitate the passage, acceptance and ratification of the constitution by the 13 colonies as the United States was being formed. These individual rights were identified specifically to protect freedoms that the people of the United States already had. Citizens were concerned that the new Federal Government might infringe upon them. In other words, the Bill of Rights was devised to AVOID future possible infringement by the federal government. The Bill of Rights was PRE-EMPTIVE. It has served as the basis for considerable thought, legal scrutiny and precedence for nearly 250 years. The rights guaranteed in The Bill of Rights are VITAL to the lives we live today and to the legal framework of society in the United States.

Since then the world has changed and expanded considerably. We live in a global world and even the farthest points of that world can be reached in a matter of hours. Information flows abundantly and instantly via the internet. Today people can pick up and move cross country in a matter of hours. Alternatively they can travel thousands of miles with minimal danger and they can get to their destination on their own path and at their own pace. Robust currencies, guaranteed by central governments, have become electronic, exchangeable and pervasive. Everything is for sale and can be purchased with the click of a button. Today, with a single video recording, the entire world may know what we are doing, where we are and how we are behaving. We choose how our families will be structured. Some take a pass on children others have a dozen, but no longer is family size based on need or on abysmal survival rates, but on freedom of choice.

Technology gives us great power and improves our lives 9 times out of 10. But there is something unsettling about the way that technology seduces us as well, and I think that many of us feel it in our souls. We have slowly become accustomed to sacrificing our privacy in the name of convenience. Sacrificing freedoms and rights in the name of safety. Just like technological growth has accelerated, I am concerned that those sacrifices will accelerate more quickly as well. That is what ForHumanity wants to safeguard against, because as technology becomes more and more pervasive, we expect these sacrifices to increases and become second nature to many. ForHumanity believes that it is vital now to protect a few the things that make us human, because it is likely that technological progress will infringe upon those rights sooner rather than later.

With the advent of Artificial Intelligence (AI)and Robotics, ForHumanity has become concerned that some of these freedoms that are not explicitly covered by the constitution may become usurped in the name of technology. Furthermore, as I have begun to engage in the dialogue that AI experts are having around future society, I see ideas and concepts that are petrifying. Many casual followers of the expansion of AI might be astonished at the ideas some leading academics and practitioners in AI are putting forward. It is my hope that a robust dialogue on this subject may serve to safeguard humanity and the rights we enjoy today. ForHumanity believes it is smart to protect these rights NOW before AI, both narrow and general, dramatically change the world we are living in. Before AI can threaten these rights that we hold dear. Rights that we have held so sacred and sacrosanct that our founders didn’t even think to write them down.

One might argue, do we really need to protect these rights now? I would counter that it can no longer wait. The concern is great enough that there are regular conferences and discussions happening where ethics, standards, practices and policy are being crafted already. It’s as if we are ordering the pizza NOW, if you speak up, you have a decent chance of getting the toppings that you would like. If you do not, you will eat what arrives, like it or not.

Here is my list of a few of the rights that we enjoy today but I would like us to consider guaranteeing. This list is not exhaustive and each of these ideas will need discussion and refining however I am not willing to wait and believe that the discussion must be started and work needs to be done now:

  1. Right to mobility (Right to drive)
  2. Right to use Currency (prevent machines from controlling currency)
  3. Right to Privacy (right to unplug)
  4. Right to Procreate

I was about to explore each one of these individually and then I realized… that’s going to take some time, so I will do it in four individual blog posts. So instead I want to leave you with 4 questions to ponder…

  1. Would you be happy if the government told you when and where you could go?
  2. Would you be happy if a 100% automated company could buy and sell vital resources, unchecked by humans?
  3. Would you be happy to be told that you MUST have electronic health records for government provided health care?
  4. Would you be happy to be told that in your life you could only have 1 child?

If you answer “No” to any or all of those questions, then you are aligned with the thinking of ForHumanity and would probably like to safeguard your rights on those issues. If you answered “Yes”, I’m not sure why, to be honest as I am seeking a serious path of least resistance here, but I would love to know and understand your thinking as well. I am keen for dialogue on each of these subjects, so please respond. I will aim to post four more blog posts, one for each of these points over the coming week.

PrivacyHuman RightsArtificial IntelligenceMachine LearningAutomation