Algorithms that Remember: Model Inversion Attacks and Data Protection Law

Many individuals are concerned about the governance of machine learning systems and the prevention of algorithmic harms. The EU's recent General Data Protection Regulation (GDPR) has been seen as a core tool for achieving better governance of this area. While the GDPR does apply to the use of models in some limited situations, most of its provisions relate to the governance of personal data, while models have traditionally been seen as intellectual property. We present recent work from the information security literature around `model inversion' and `membership inference' attacks, which indicate that the process of turning training data into machine learned systems is not one-way, and demonstrate how this could lead some models to be legally classified as personal data. Taking this as a probing experiment, we explore the different rights and obligations this would trigger and their utility, and posit future directions for algorithmic governance and regulation.Comment: 15 pages, 1 figur

Social knowledge and the Web

Epistemologists have traditionally been concerned with elucidating the conditions under which an agent knows some proposition, focusing on the state of a single individual, and her relation to the world. Whatever its merits, this approach to a theory of knowledge neglects the distinct phenomenon of social knowledge; knowledge that is held collectively by groups. However, we are fast approaching a world in which the sum of human knowledge is primarily stored on and accessed via the web, rather than existing in the minds of individuals. Our theory of knowledge must therefore be developed accordingly

The Cost of the GDPR for Apps?:Nearly Impossible to Study without Platform Data

A recently published pre-print titled 'GDPR and the Lost Generation of Innovative Apps' by Jan{\ss}en et al. observes that a third of apps on the Google Play Store disappeared from this app store around the introduction of the GDPR in May 2018. The authors deduce 'that GDPR is the cause'. The effects of the GDPR on the app economy are an important field to study. Unfortunately, the paper currently lacks a control condition and a key variable. As a result, the effects on app exits reported in the paper are likely overestimated, as we will discuss. We believe there are other factors which may better explain these changes in the Play Store aside from the GDPR

The Cost of the GDPR for Apps?:Nearly Impossible to Study without Platform Data

A recently published pre-print titled 'GDPR and the Lost Generation of Innovative Apps' by Jan{\ss}en et al. observes that a third of apps on the Google Play Store disappeared from this app store around the introduction of the GDPR in May 2018. The authors deduce 'that GDPR is the cause'. The effects of the GDPR on the app economy are an important field to study. Unfortunately, the paper currently lacks a control condition and a key variable. As a result, the effects on app exits reported in the paper are likely overestimated, as we will discuss. We believe there are other factors which may better explain these changes in the Play Store aside from the GDPR

Measuring third party tracker power across web and mobile

Third-party networks collect vast amounts of data about users via web sites and mobile applications. Consolidations among tracker companies can significantly increase their individual tracking capabilities, prompting scrutiny by competition regulators. Traditional measures of market share, based on revenue or sales, fail to represent the tracking capability of a tracker, especially if it spans both web and mobile. This paper proposes a new approach to measure the concentration of tracking capability, based on the reach of a tracker on popular websites and apps. Our results reveal that tracker prominence and parent-subsidiary relationships have significant impact on accurately measuring concentration

Fortifying the algorithmic management provisions in the proposed Platform Work Directive

The European Commission proposed a Directive on Platform Work at the end of 2021. While much attention has been placed on its effort to address misclassification of the employed as self-employed, it also contains ambitious provisions for the regulation of the algorithmic management prevalent on these platforms. Overall, these provisions are well-drafted, yet they require extra scrutiny in light of the fierce lobbying and resistance they will likely encounter in the legislative process, in implementation and in enforcement. In this article, we place the proposal in its sociotechnical context, drawing upon wide cross-disciplinary scholarship to identify a range of tensions, potential misinterpretations, and perversions that should be pre-empted and guarded against at the earliest possible stage. These include improvements to ex ante and ex post algorithmic transparency; identifying and strengthening the standard against which human reviewers of algorithmic decisions review; anticipating challenges of representation and organising in complex platform contexts; creating realistic ambitions for digital worker communication channels; and accountably monitoring and evaluating impacts on workers while limiting data collection. We encourage legislators and regulators at both European and national levels to act to fortify these provisions in the negotiation of the Directive, its potential transposition, and in its enforcement

Third Party Tracking in the Mobile Ecosystem

Third party tracking allows companies to identify users and track their behaviour across multiple digital services. This paper presents an empirical study of the prevalence of third-party trackers on 959,000 apps from the US and UK Google Play stores. We find that most apps contain third party tracking, and the distribution of trackers is long-tailed with several highly dominant trackers accounting for a large portion of the coverage. The extent of tracking also differs between categories of apps; in particular, news apps and apps targeted at children appear to be amongst the worst in terms of the number of third party trackers associated with them. Third party tracking is also revealed to be a highly trans-national phenomenon, with many trackers operating in jurisdictions outside the EU. Based on these findings, we draw out some significant legal compliance challenges facing the tracking industry.Comment: Corrected missing company info (Linkedin owned by Microsoft). Figures for Microsoft and Linkedin re-calculated and added to Table

Fortifying the Algorithmic Management Provisions in the Proposed Platform Work Directive

The European Commission proposed a Directive on Platform Work at the end of 2021. While much attention has been placed on its effort to address misclassification of the employed as self-employed, it also contains ambitious provisions for the regulation of the algorithmic management prevalent on these platforms. Overall, these provisions are well-drafted, yet they require extra scrutiny in light of the fierce lobbying and resistance they will likely encounter in the legislative process, in implementation and in enforcement. In this article, we place the proposal in its sociotechnical context, drawing upon wide cross-disciplinary scholarship to identify a range of tensions, potential misinterpretations, and perversions that should be pre-empted and guarded against at the earliest possible stage. These include improvements to ex ante and ex post algorithmic transparency; identifying and strengthening the standard against which human reviewers of algorithmic decisions review; anticipating challenges of representation and organising in complex platform contexts; creating realistic ambitions for digital worker communication channels; and accountably monitoring and evaluating impacts on workers while limiting data collection. We encourage legislators and regulators at both European and national levels to act to fortify these provisions in the negotiation of the Directive, its potential transposition, and in its enforcement