GDPR Isn’t Enough Protection In An Age Of Smart Algorithms

Europe’s new privacy law comes with teeth. Within hours of the General Data Protection Law (GDPR) coming into effect, an Austrian privacy campaigner used the new EU legislation to file a legal complaint against Facebook and Google. 

It’s too early to tell how the case will be resolved but companies that violate the law can be fined up to 4% of annual revenue. That means the two companies could be fined a total of €7.6 billion (£6.6 billion).

Yet, even as most Internet users were dealing with a deluge of GDPR-related emails from companies trying to follow the law, it suggests that what is possibly the most strident attempt by lawmakers to protect people’s privacy still won’t be enough. Not even nearly. 

The problem is that the law doesn’t protect the data that is most precious to tech firms, the inferred data produced by algorithms and used by advertisers.

The basic premise of GDPR is that consumers must give their consent before a company such as Facebook can start to collect personal data. The company must explain why data is collected and how it’s used. The firm also isn’t allowed to use the data for a different reason later on.

All these rules naturally translated into consent boxes that “popped up online or in applications, often combined with a threat, that the service can no longer be used if user(s) do not consent”, observed Max Schrems, the campaigner who has filed the complaint against this “take it or leave it” approach.

Still, any new cases against Facebook and Google could go the way of the current enquiries into the Cambridge Analytica scandal. Addressing EU representatives during a parliamentary hearing, a suited-up Mark Zuckerberg was recently seen rehashing a familiar narrative, that he’s sorry and hasn’t “done enough to prevent harm”. 

“Whether it’s fake news, foreign interference in elections or developers misusing people’s information, we didn’t take a broad enough view of our responsibilities,” he said.

In other words, a highly technical challenge concerning data security and consumer privacy has been reduced to a public spectacle of remorse and redemption. When the resolution comes in, just as with GDPR, it will arrive in the shape of email consent forms full of incomprehensible fine print and terms and conditions.

The greatest danger of this is that the public will be blinded from seeing what truly matters.

Where the social networking sites, search engines and big online retailers have truly succeeded so far is in defining the “personal data” that lawmakers say requires protection.  The data that GDPR covers includes credit card numbers, travel records, religious affiliations, web search results, biometric data from wearable fitness monitors and internet (IP) addresses. But when targeting consumers, such personal data, though useful, is not paramount.

For example, if TV network HBO wants to advertise the new season of Game of Thrones to anyone reading an article about the show on the New York Times website, then all HBO needs is an algorithm that understands the behavioural correlation, not a demographic profile. And those all-knowing algorithms, the under-the-hood machine learning tools that power everything from Facebook’s news feed to Google’s self-driving cars, remains opaque and unchallenged. In fact they have their own protections in the form of intellectual property rights, making them trade secrets much like the Coca-Cola recipe.

But the difference between Coca-Cola and Facebook is, of course, in their business models. Facebook, Google, Snapchat and YouTube all generate revenue through advertising. Consumers pay for their Coca-Cola but they get their digital services for “free”. 

That seemingly free service has introduced what economists call the “principal-agent” problem, meaning tech firms may not act in consumers’ best interest because they are the product not the customers. 

This is exactly why Sheryl Sandberg, Facebook’s chief operating officer, has said Facebook users can’t opt out of sharing their data with advertisers because that would require Facebook to be “a paid product”.

GDPR could open the way for a solution
But this is not unsolvable. Tech companies could be required to nominate independent reviewers, computer scientists and academic researchers to conduct algorithm audits to ensure any automatic decisions are unbiased and ethical. 
Data scientists working at tech companies could also be required to ensure that any smart algorithm follows the principle of “explainable artificial intelligence”. This is the idea that machine learning systems should be able to explain their decisions and actions to human users and “convey an understanding of how they will behave in the future”.

What is unique about the tech world today, and remains virtually incomprehensible to those who work outside the sector, is the minimal level of reassurance and regulation of the basics it has come to expect. Facebook’s shares have already recovered since the Cambridge Analytica scandal. 

This shows that the biggest potential payoff of GDPR is not so much immediate protection of consumers, but the chance to open up an arena for public debate. 

Imagine consumers could one-day voice their grievances over unfair targeting, or challenge the logic of a proprietary algorithm at a public tribunal, staffed by independent computer scientists. It is this kind of built-in scrutiny that will make a fairer and more useful Internet. GDPR is the first step in this direction.

The Conversation:

You Might Also Read: 

GDPR - More People Will Share Data:

Data Privacy: The Tide Turns in EU:
 

« Chinese Hackers Steal Naval Warfare Secrets
Deaths From Cyber Attacks »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Cyber Security Associates (CSA)

Cyber Security Associates (CSA)

Cyber Security Associates provides cyber consultancy and cyber managed services which help to detect, protect and educate against the ever-changing cyber threat.

ZDL Group

ZDL Group

At ZDL (formerly ZeroDayLab) we take a comprehensive view of our clients cyber security risks and provide quality services to address those risk

Niksun

Niksun

Niksun's forensics-based cyber security and network performance monitoring products provide customers with actionable insight into security threats, performance issues, and compliance risks.

MASS

MASS

MASS provides world-class capabilities in electronic warfare operational support, cyber security, information management, support to military operations and law enforcement.

Internet Infrastructure Investigation

Internet Infrastructure Investigation

Internet Infrastructure Investigation offers a bespoke Internet Governance Solution to your brands online infringement problems.

spiderSilk

spiderSilk

spiderSilk is a Dubai-based cybersecurity firm, specializing in simulating the most advanced cyber offenses on your technology so you can build your best security defenses.

Blackfoot Cybersecurity

Blackfoot Cybersecurity

At Blackfoot, we work in partnership with you to deliver on-demand cyber security expertise and assurance, keeping you one step ahead of threats & compliant with regulations.

boxxe

boxxe

boxxe create flexible IT infrastructures, collaborative global workspaces and data clarity, all underpinned by world-leading security.

Naq Cyber

Naq Cyber

Naq is the number one platform for SMEs looking to become legally compliant and protect against cybercrime and other data-related incidents.

NARIS

NARIS

NARIS is the leading provider of an integrated Governance, Risk and Compliance platform called NARIS GRC.

NI Cyber Security Centre

NI Cyber Security Centre

NI Cyber Security Centre works to make Northern Ireland cyber safe, secure and resilient for its citizens and businesses.

Canonic Security

Canonic Security

Canonic streamlines app review, continuously monitors apps, and reduces the risks involved in third-party access to your data.

Dazz

Dazz

Dazz is the cloud security remediation platform for smart security and development teams.

Astrix Security

Astrix Security

Astrix enables security teams to instantly see through the fog of connects and detect redundant, misconfigured and malicious third-party exposure to their critical systems.

SecurEnvoy

SecurEnvoy

SecurEnvoy are a leader in designing zero access trust solutions using the latest cutting-edge technologies, to protect your users, devices and data, whatever the location.

Cyber Dagger

Cyber Dagger

Cyber Dagger is a cybersecurity company driven by a mission to protect digital infrastructures and close the cybersecurity skills gap.