GDPR Isn’t Enough Protection In An Age Of Smart Algorithms

Europe’s new privacy law comes with teeth. Within hours of the General Data Protection Law (GDPR) coming into effect, an Austrian privacy campaigner used the new EU legislation to file a legal complaint against Facebook and Google. 

It’s too early to tell how the case will be resolved but companies that violate the law can be fined up to 4% of annual revenue. That means the two companies could be fined a total of €7.6 billion (£6.6 billion).

Yet, even as most Internet users were dealing with a deluge of GDPR-related emails from companies trying to follow the law, it suggests that what is possibly the most strident attempt by lawmakers to protect people’s privacy still won’t be enough. Not even nearly. 

The problem is that the law doesn’t protect the data that is most precious to tech firms, the inferred data produced by algorithms and used by advertisers.

The basic premise of GDPR is that consumers must give their consent before a company such as Facebook can start to collect personal data. The company must explain why data is collected and how it’s used. The firm also isn’t allowed to use the data for a different reason later on.

All these rules naturally translated into consent boxes that “popped up online or in applications, often combined with a threat, that the service can no longer be used if user(s) do not consent”, observed Max Schrems, the campaigner who has filed the complaint against this “take it or leave it” approach.

Still, any new cases against Facebook and Google could go the way of the current enquiries into the Cambridge Analytica scandal. Addressing EU representatives during a parliamentary hearing, a suited-up Mark Zuckerberg was recently seen rehashing a familiar narrative, that he’s sorry and hasn’t “done enough to prevent harm”. 

“Whether it’s fake news, foreign interference in elections or developers misusing people’s information, we didn’t take a broad enough view of our responsibilities,” he said.

In other words, a highly technical challenge concerning data security and consumer privacy has been reduced to a public spectacle of remorse and redemption. When the resolution comes in, just as with GDPR, it will arrive in the shape of email consent forms full of incomprehensible fine print and terms and conditions.

The greatest danger of this is that the public will be blinded from seeing what truly matters.

Where the social networking sites, search engines and big online retailers have truly succeeded so far is in defining the “personal data” that lawmakers say requires protection.  The data that GDPR covers includes credit card numbers, travel records, religious affiliations, web search results, biometric data from wearable fitness monitors and internet (IP) addresses. But when targeting consumers, such personal data, though useful, is not paramount.

For example, if TV network HBO wants to advertise the new season of Game of Thrones to anyone reading an article about the show on the New York Times website, then all HBO needs is an algorithm that understands the behavioural correlation, not a demographic profile. And those all-knowing algorithms, the under-the-hood machine learning tools that power everything from Facebook’s news feed to Google’s self-driving cars, remains opaque and unchallenged. In fact they have their own protections in the form of intellectual property rights, making them trade secrets much like the Coca-Cola recipe.

But the difference between Coca-Cola and Facebook is, of course, in their business models. Facebook, Google, Snapchat and YouTube all generate revenue through advertising. Consumers pay for their Coca-Cola but they get their digital services for “free”. 

That seemingly free service has introduced what economists call the “principal-agent” problem, meaning tech firms may not act in consumers’ best interest because they are the product not the customers. 

This is exactly why Sheryl Sandberg, Facebook’s chief operating officer, has said Facebook users can’t opt out of sharing their data with advertisers because that would require Facebook to be “a paid product”.

GDPR could open the way for a solution
But this is not unsolvable. Tech companies could be required to nominate independent reviewers, computer scientists and academic researchers to conduct algorithm audits to ensure any automatic decisions are unbiased and ethical. 
Data scientists working at tech companies could also be required to ensure that any smart algorithm follows the principle of “explainable artificial intelligence”. This is the idea that machine learning systems should be able to explain their decisions and actions to human users and “convey an understanding of how they will behave in the future”.

What is unique about the tech world today, and remains virtually incomprehensible to those who work outside the sector, is the minimal level of reassurance and regulation of the basics it has come to expect. Facebook’s shares have already recovered since the Cambridge Analytica scandal. 

This shows that the biggest potential payoff of GDPR is not so much immediate protection of consumers, but the chance to open up an arena for public debate. 

Imagine consumers could one-day voice their grievances over unfair targeting, or challenge the logic of a proprietary algorithm at a public tribunal, staffed by independent computer scientists. It is this kind of built-in scrutiny that will make a fairer and more useful Internet. GDPR is the first step in this direction.

The Conversation:

You Might Also Read: 

GDPR - More People Will Share Data:

Data Privacy: The Tide Turns in EU:
 

« Chinese Hackers Steal Naval Warfare Secrets
Deaths From Cyber Attacks »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Get Cyber Safe

Get Cyber Safe

Get Cyber Safe is a national public awareness campaign created to educate Canadians about Internet security and the simple steps they can take to protect themselves online.

Information Security Group (ISG) - Royal Holloway

Information Security Group (ISG) - Royal Holloway

The Information Security Group, Royal Holloway, University of London, is an Academic Centres of Excellence in Cyber Security Research.

Center for a New American Security (CNAS)

Center for a New American Security (CNAS)

CNAS is the nation's leading research institution focused on defense and national security policy. Cyber security issues are an intrinsic element of the national security debate.

Cybonet

Cybonet

Cybonet provides easy to deploy, flexible and scalable security solutions that empower organizations of all sizes to actively safeguard their networks in the face of today’s evolving threats.

Honeynet Project

Honeynet Project

The Honeynet Project is a leading international non-profit security research organization, dedicated to investigating the latest attacks and developing open source security tools.

SafeBreach

SafeBreach

SafeBreach's platform simulates hacker breach methods across the entire kill chain to identify breach scenarios in your environment before an attacker does.

PECB

PECB

PECB is a certification body for persons, management systems, and products on a wide range of international standards in a range of areas including Information Security and Risk Management.

Subgraph

Subgraph

Subgraph is an open source security company, committed to making secure and usable open source computing available to everyone.

netfiles

netfiles

netfiles offers highly secure data rooms for sensitive business processes and secure data exchange.

LATRO Services

LATRO Services

LATRO Services is a complete solution provider to discover, locate, and eliminate telecom fraud.

S4x Events

S4x Events

S4x are the most advanced and largest ICS cyber security events in the world.

Inspira Enterprise

Inspira Enterprise

Inspira Enterprise is a leading digital transformation company with expertise in Cyber Security, Internet of Things (IOT), Blockchain, Big Data & Analytics, Intelligent Automation and Cloud Computing.

RedHunt Labs

RedHunt Labs

RedHunt Labs is a premier Cybersecurity Solutions provider, offering Attack Surface Management solution 'NVADR' and Penetration Testing services.

Seraphic Security

Seraphic Security

Seraphic Security provides attack protection to enable safe browsing for employees or contractors, as well as advanced governance controls to enforce enterprise policies across devices.

DuckDuckGoose

DuckDuckGoose

DuckDuckGoose offer advanced solutions to protect against manipulated videos, images, voices and texts.

MergeBase

MergeBase

Reduce software supply chain risk with MergeBase proven Software Composition Analysis (SCA).

Soteria Communications

Soteria Communications

Soteria Communications supports clients to prepare for and manage crises, with a focus on cyber incidents.