Privacy and AI weekly - Issue 12

This Friday on Privacy and AI weekly

Privacy

? FTC enforcement action against a VoIP for facilitating illegal telemarketing robocalls

? Best interests of the child self-assessment

? ICO's Self-assessment risk tool

? The hybrid war in Ukraine (Microsoft report)

Artificial Intelligence

? People-centric approaches to algorithmic explainability (TTC Labs)

? Not all AI is ML: ISO TR 24372:2021

PRIVACY

Sponsor

You are probably aware of the privacy issues Google Analytics is facing. Simple Analytics is the privacy-first alternative to Google Analytics. We provide the website insights your organisation needs without ever collecting any personal data or using cookies.?

As friends of this newsletter and fans of Federico’s work, we would like to give you a 25% discount if you sign up. Just let us know you found out about Simple Analytics in this newsletter.

?????????????????????? Try Simple Analytics

FTC enforcement action against a VoIP for facilitating illegal telemarketing robocalls

FTC enforcement action against a VoIP service provider for, among other things, providing VoIP services to customers despite knowing its customers were:

? using the services to place calls to numbers on the FTC’s DNC Registry

? delivering pre-recorded messages; and

? displaying spoofed caller ID services to callers involved in scams related to credit card interest rate reduction, tech support, and the COVID-19 pandemic.

* Voice over Internet Protocol (VoIP) refers to making phone calls that are made through the Internet, rather than through a regular landline or a mobile network. A VoIP system works by taking analogue voice signals, converting them into digital signals, then sending them as data over the broadband line. For instance, Skype can be used to call a regular landline or mobile numbers too.

Access the press release here

Best interests of the child self-assessment

The Information Commissioner's Officer developed an assessment for the best interests of the child following the the Children's Code. The Children’s code (or Age appropriate design code) is a data protection code of practice for online services, such as apps, online games, and web and social media sites, likely to be accessed by children.

Standard 1 of the Children’s code requires online services to treat the best interests of the child as a primary consideration when designing and developing online services likely to be accessed by a child.

To consider whether organisations are acting in the best interests of children, they must consider how the use of children's data impacts the rights they hold under the United Nations Convention on the Rights of the Child (UNCRC).

To help organisations make the assessment, the ICO created tools, templates and guidance.

Step 1: Understand rights: Understand the rights of the child under the UNCRC.

Step 2: Identify impacts: Identify potential impacts on the rights of the child in your product or service.

Step 3: Assess impacts: Consider the likelihood and scale of potential impacts on the rights of children.

Step 4: Prioritising actions; Create an action plan for issues highlighted in your risk assessment.

ICO's Self-assessment risk tool

The ICO has published a self-assessment risk tool to implement the Children's Code.

This tool?has been created with medium to large private, public and third sector organisations in mind.

From the moment a young person opens an app, plays a game or loads a website, data begins to be gathered. For all the benefits the digital economy can offer children, we are not currently creating a safe space for them to learn, explore and play. The Children's code looks to change that, not by seeking to protect children from the digital world, but by protecting them within it.

This tool will help organisations to conduct their own risk assessment of how both the UK General Data Protection Regulation and the Children's code applies in the context of their digital services and give them practical steps for you to apply a proportionate and risk-based approach to ensuring children’s protection and privacy.

Download the self-assessment risk tool here

The hybrid war in Ukraine (Microsoft report)

Microsoft released a report detailing Russian cyberattacks observed in a hybrid war against Ukraine, and they also explain the measures they have taken to protect Ukrainian people and organizations.

Before the invasion, Microsoft observed that at least six separate Russia-aligned nation-state actors launched more than 237 operations against Ukraine.

Before the war, malicious actors: sought access to insights on Ukrainian defence and foreign partnerships, positioned themselves for third-party attacks on networks in Ukraine and partner nations, sought access to insights on military and humanitarian response capabilities, secured access to critical infrastructure for future destruction.

After the war:

Access the report here (via Tudor Galos)

ARTIFICIAL INTELLIGENCE

People-centric approaches to algorithmic explainability

Providing transparency and explainability of artificial intelligence (AI) presents complex challenges across industry and society, raising questions around how to build confidence and empower people in their use of digital products.

The purpose of this report is to contribute to cross-sector efforts to address these questions. It shares the key findings of a project conducted in 2021 between TTC Labs and Open Loop in collaboration with the Singapore Infocomm Media Development Authority (IMDA) and Personal Data Protection Commission (PDPC).

Through this project TTC Labs and Open Loop have developed a series of operational insights to bring greater transparency to AI-powered products and develop related public policy proposals.

These learnings are intended both for policymakers and product makers – for those developing frameworks, principles and requirements at the government level and those building and evolving apps and websites driven by AI.

You can access the full report here and the visual explainer here

Not all AI is ML: ISO TR 24372:2021

One of the criticisms that the AIA draft often receives concerns the breadth of the definition of AI. According to the Commission's proposal, AI is software that:?

? is developed with one or more of the following techniques or approaches:

• Machine learning approaches
• Logic- and knowledge-based approaches
• Statistical approaches, Bayesian estimation, search and optimization methods

? can, for a given set of human-defined objectives, generate outputs such as content, predictions, recommendations, or decisions influencing the environments they interact with

It is indeed a very broad definition of AI and many applications or solutions that are not usually considered to be covered in the general idea of AI, following this definition, may be included.

During the debate of the draft in the EU Parliament MEP Axel Voss suggested restricting the definition of AI to those approaches based only on machine learning (see Amendment 37). This was the rationale for the amendment:

"Although the AI Act is an EU Regulation, it should use the wording developed by the OECD. Using this widely accepted definition will help the EU to better cooperate with non-EU democracies such as the USA, Canada or UK. Together, it will be easier to promote international standards based on our democratic values. The new definition for AI systems moreover creates legal certainty while providing enough flexibility by accommodating future technological developments."

But despite the

It is worth noticing that, apart from the approaches and the objectives/consenquences that define an AI system, the AIA regulates almost exclusively AI systems according to their risks. Hence, as long as a system does not creates high risks it would be largely unregulated.

Apart from that, the ISO recently issued a Technical Report ISO/IEC TR 24372:2021(en) Information technology — Artificial intelligence (AI) — Overview of computational approaches for AI systems where it explains different approaches that are covered by the umbrella concept of AI. In this document, the ISO included among the algorithms and approaches used in AI systems:

? knowledge engineering and representation

? logic reasoning

? machine learning

? metaheuristics

Access a preview of ISO TR 24372:2021 here

Admittedly, both practitioners and academia hotly debate this issue. However, it is expected more insightful and convincing explanations from lawmakers.

The Draft Report on the AIA by the LIBE seems to have left the Commission's broad definition of AI almost untouched.

Let's be patient, there is still a long way to go for the final (if ever) enactment of the AIA.

Qubit Privacy?is a boutique consultancy firm that provides data protection and AI governance services. Qubit Privacy helps your organization to stay compliant with privacy regulations like the GDPR, to protect you against cyber-attacks and data breaches and to manage and assess algorithmic risks through a range of affordable professional solutions.

Federico Marengo is the founder of Qubit Privacy. He is a PhD student (in data protection and AI) and the author of “Data Protection Law in Charts. A Visual Guide to the General Data Protection Regulation“, available?here

For inquiries, feedback or collaborations, please contact me at federico@qubitprivacy.com

Thanks for reading & for our sponsor Simple Analytics