11,357 research outputs found
An Analysis of the Consequences of the General Data Protection Regulation on Social Network Research
This article examines the principles outlined in the General Data Protection Regulation in the context of social network data. We provide both a practical guide to General Data Protection Regulation--compliant social network data processing, covering aspects such as data collection, consent, anonymization, and data analysis, and a broader discussion of the problems emerging when the general principles on which the regulation is based are instantiated for this research area
Counterfactual Explanations without Opening the Black Box: Automated Decisions and the GDPR
There has been much discussion of the right to explanation in the EU General
Data Protection Regulation, and its existence, merits, and disadvantages.
Implementing a right to explanation that opens the black box of algorithmic
decision-making faces major legal and technical barriers. Explaining the
functionality of complex algorithmic decision-making systems and their
rationale in specific cases is a technically challenging problem. Some
explanations may offer little meaningful information to data subjects, raising
questions around their value. Explanations of automated decisions need not
hinge on the general public understanding how algorithmic systems function.
Even though such interpretability is of great importance and should be pursued,
explanations can, in principle, be offered without opening the black box.
Looking at explanations as a means to help a data subject act rather than
merely understand, one could gauge the scope and content of explanations
according to the specific goal or action they are intended to support. From the
perspective of individuals affected by automated decision-making, we propose
three aims for explanations: (1) to inform and help the individual understand
why a particular decision was reached, (2) to provide grounds to contest the
decision if the outcome is undesired, and (3) to understand what would need to
change in order to receive a desired result in the future, based on the current
decision-making model. We assess how each of these goals finds support in the
GDPR. We suggest data controllers should offer a particular type of
explanation, unconditional counterfactual explanations, to support these three
aims. These counterfactual explanations describe the smallest change to the
world that can be made to obtain a desirable outcome, or to arrive at the
closest possible world, without needing to explain the internal logic of the
system
Algorithms that Remember: Model Inversion Attacks and Data Protection Law
Many individuals are concerned about the governance of machine learning
systems and the prevention of algorithmic harms. The EU's recent General Data
Protection Regulation (GDPR) has been seen as a core tool for achieving better
governance of this area. While the GDPR does apply to the use of models in some
limited situations, most of its provisions relate to the governance of personal
data, while models have traditionally been seen as intellectual property. We
present recent work from the information security literature around `model
inversion' and `membership inference' attacks, which indicate that the process
of turning training data into machine learned systems is not one-way, and
demonstrate how this could lead some models to be legally classified as
personal data. Taking this as a probing experiment, we explore the different
rights and obligations this would trigger and their utility, and posit future
directions for algorithmic governance and regulation.Comment: 15 pages, 1 figur
Cyber Babel: Finding the Lingua Franca in Cybersecurity Regulation
Cybersecurity regulations have proliferated over the past few years as the significance of the threat has drawn more attention. With breaches making headlines, the public and their representatives are imposing requirements on those that hold sensitive data with renewed vigor. As high-value targets that hold large amounts of sensitive data, financial institutions are among the most heavily regulated. Regulations are necessary. However, regulations also come with costs that impact both large and small companies, their customers, and local, national, and international economies. As the regulations have proliferated so have those costs. The regulations will inevitably and justifiably diverge where different governments view the needs of their citizens differently. However, that should not prevent regulators from recognizing areas of agreement. This Note examines the regulatory regimes governing the data and cybersecurity practices of financial institutions implemented by the Securities and Exchange Commission, the New York Department of Financial Services, and the General Data Protection Regulations of the European Union to identify areas where requirements overlap, with the goal of suggesting implementations that promote consistency, clarity, and cost reduction
Slave to the Algorithm? Why a \u27Right to an Explanation\u27 Is Probably Not the Remedy You Are Looking For
Algorithms, particularly machine learning (ML) algorithms, are increasingly important to individuals’ lives, but have caused a range of concerns revolving mainly around unfairness, discrimination and opacity. Transparency in the form of a “right to an explanation” has emerged as a compellingly attractive remedy since it intuitively promises to open the algorithmic “black box” to promote challenge, redress, and hopefully heightened accountability. Amidst the general furore over algorithmic bias we describe, any remedy in a storm has looked attractive. However, we argue that a right to an explanation in the EU General Data Protection Regulation (GDPR) is unlikely to present a complete remedy to algorithmic harms, particularly in some of the core “algorithmic war stories” that have shaped recent attitudes in this domain. Firstly, the law is restrictive, unclear, or even paradoxical concerning when any explanation-related right can be triggered. Secondly, even navigating this, the legal conception of explanations as “meaningful information about the logic of processing” may not be provided by the kind of ML “explanations” computer scientists have developed, partially in response. ML explanations are restricted both by the type of explanation sought, the dimensionality of the domain and the type of user seeking an explanation. However, “subject-centric explanations (SCEs) focussing on particular regions of a model around a query show promise for interactive exploration, as do explanation systems based on learning a model from outside rather than taking it apart (pedagogical versus decompositional explanations) in dodging developers\u27 worries of intellectual property or trade secrets disclosure. Based on our analysis, we fear that the search for a “right to an explanation” in the GDPR may be at best distracting, and at worst nurture a new kind of “transparency fallacy.” But all is not lost. We argue that other parts of the GDPR related (i) to the right to erasure ( right to be forgotten ) and the right to data portability; and (ii) to privacy by design, Data Protection Impact Assessments and certification and privacy seals, may have the seeds we can use to make algorithms more responsible, explicable, and human-centered
Building up the “Accountable Ulysses” model. The impact of GDPR and national implementations, ethics, and health-data research: Comparative remarks.
The paper illustrates obligations emerging under articles 9 and 89 of the EU Reg. 2016/679 (General Data Protection Regulation, hereinafter “GDPR”) within the health-related data pro- cessing for research purposes. Furthermore, through a comparative analysis of the national implementations of the GDPR on the topic, the paper highlights few practical issues that the researcher might deal with while accomplishing the GDPR obligations and the other ethical requirements. The result of the analyses allows to build up a model to achieve an acceptable standard of accountability in health-related data research. The legal remarks are framed within the myth of Ulysse
Governing autonomous vehicles: emerging responses for safety, liability, privacy, cybersecurity, and industry risks
The benefits of autonomous vehicles (AVs) are widely acknowledged, but there
are concerns about the extent of these benefits and AV risks and unintended
consequences. In this article, we first examine AVs and different categories of
the technological risks associated with them. We then explore strategies that
can be adopted to address these risks, and explore emerging responses by
governments for addressing AV risks. Our analyses reveal that, thus far,
governments have in most instances avoided stringent measures in order to
promote AV developments and the majority of responses are non-binding and focus
on creating councils or working groups to better explore AV implications. The
US has been active in introducing legislations to address issues related to
privacy and cybersecurity. The UK and Germany, in particular, have enacted laws
to address liability issues, other countries mostly acknowledge these issues,
but have yet to implement specific strategies. To address privacy and
cybersecurity risks strategies ranging from introduction or amendment of non-AV
specific legislation to creating working groups have been adopted. Much less
attention has been paid to issues such as environmental and employment risks,
although a few governments have begun programmes to retrain workers who might
be negatively affected.Comment: Transport Reviews, 201
Making GDPR Usable: A Model to Support Usability Evaluations of Privacy
We introduce a new model for evaluating privacy that builds on the criteria
proposed by the EuroPriSe certification scheme by adding usability criteria.
Our model is visually represented through a cube, called Usable Privacy Cube
(or UP Cube), where each of its three axes of variability captures,
respectively: rights of the data subjects, privacy principles, and usable
privacy criteria. We slightly reorganize the criteria of EuroPriSe to fit with
the UP Cube model, i.e., we show how EuroPriSe can be viewed as a combination
of only rights and principles, forming the two axes at the basis of our UP
Cube. In this way we also want to bring out two perspectives on privacy: that
of the data subjects and, respectively, that of the controllers/processors. We
define usable privacy criteria based on usability goals that we have extracted
from the whole text of the General Data Protection Regulation. The criteria are
designed to produce measurements of the level of usability with which the goals
are reached. Precisely, we measure effectiveness, efficiency, and satisfaction,
considering both the objective and the perceived usability outcomes, producing
measures of accuracy and completeness, of resource utilization (e.g., time,
effort, financial), and measures resulting from satisfaction scales. In the
long run, the UP Cube is meant to be the model behind a new certification
methodology capable of evaluating the usability of privacy, to the benefit of
common users. For industries, considering also the usability of privacy would
allow for greater business differentiation, beyond GDPR compliance.Comment: 41 pages, 2 figures, 1 table, and appendixe
- …