Keyword search warrants are (too?) powerful

Three teenagers set fire to a home in Denver because they believed someone who stole a phone lived there. Five members of a family died.

The police had video from a neighbor’s house showing three people in hooded sweatshirts and masks near the home at the time of the fire. But for weeks they had no further evidence.

Then the police subpoenaed cell tower data to see who was in the area. They got 7,000 devices, which they narrowed down to exclude neighbors and any that did not match the movement of a vehicle that was observed. Only 33 devices remained.

Then they went to Google:

[A] warrant to Google asked for any searches for the destroyed house’s address anytime in the two weeks before the fire. Google provided five accounts that made that search — including three accounts with email addresses that included [the suspects’ names].

Teen charged in deadly Denver arson told investigators he set fire over stolen phone, detective says

One of the defendants has filed a motion to suppress the Google search evidence, and the EFF has filed an amicus brief in support:

Should the police be able to ask Google for the name of everyone who searched for the address of an abortion provider in a state where abortions are now illegal? Or who searched for the drug mifepristone? What about people who searched for gender-affirming healthcare providers in a state that has equated such care with child abuse? Or everyone who searched for a dispensary in a state that has legalized cannabis but where the federal government still considers it illegal?

EFF to File Amicus Brief in First U.S. Case Challenging Dragnet Keyword Warrant

Fascinating case. Some version of this feels destined for the U.S. Supreme Court.

States aren’t any better at privacy

A press release by the California Department of Justice acknowledges that it leaked personal data on individuals who applied for a concealed carry weapons permit between 2011 and 2021.

The leaked data included “names, date of birth, gender, race, driver’s license number, addresses, and criminal history.”

The California Attorney General page on the California Consumer Privacy Act:

https://oag.ca.gov/privacy/ccpa

At least GDPR applies to public entities in Europe.

UK IPO suggests copyright exception for text and data mining

The United Kingdom’s Intellectual Property Office has concluded a study on “how AI should be dealt with in the patent and copyright systems.”

For text and data mining, we plan to introduce a new copyright and database exception which allows TDM for any purpose. Rights holders will still have safeguards to protect their content, including a requirement for lawful access.

Consultation outcome / Artificial Intelligence and IP: copyright and patents

They also considered copyright protection for computer-generated works without a human author, and patent protection for AI-devised inventions. But they suggest no changes in the law for these latter two areas.

Some companies agree to not use location data from “sensitive points of interest”

A subset of Network Advertising Initiative companies have voluntarily agreed that they will not use location data associated with “sensitive points of interest,” which include:

Places of religious worship

Correctional facilities

Places that may be used to infer an LGBTQ+ identification

Places that may be used to infer engagement with explicit sexual content, material, or acts

Places primarily intended to be occupied by children under 16

Domestic abuse shelters, including rape crisis centers

Welfare or homeless shelters and halfway houses

Dependency or addiction treatment centers

Medical facilities that cater predominantly to sensitive conditions, such as cancer centers, HIV/AIDS, fertility or abortion clinics, mental health treatment facilities, or emergency room trauma centers

Places that may be used to infer refugee or immigrant status, such as refugee or immigration centers and immigration services

Credit repair, debt services, bankruptcy services, or payday lending institutions

Temporary places of assembly such as political rallies, marches, or protests, during the times that such rallies, marches, or protests take place

Military bases

NAI PRECISE LOCATION INFORMATION SOLUTION PROVIDER VOLUNTARY ENHANCED STANDARDS

The announcement follows closely behind growing public concern that location data brokers might intentionally or reluctantly provide data on individuals visiting abortion clinics.

More US federal cybersecurity laws

New cybersecurity laws are slowly being passed, mostly around reporting and coordination:

  1. The Better Cybercrime Metrics Act directs the Justice Department to improve data on cybercrimes, including establishing a new reporting category in the National Incident-Based Reporting System specifically for federal, state and local cybercrime reports.
  2. The Federal Rotational Cyber Workforce Program Act allows cybersecurity professionals to rotate through federal agencies to enhance their expertise.
  3. The State and Local Government Cybersecurity Act directs the federal government to coordinate more with state and local governments on cybersecurity.

“For hackers, state and local governments are an attractive target — we must increase support to these entities so that they can strengthen their systems and better defend themselves from harmful cyber-attack,” Rep. Joe Neguse (D-Colo.), who introduced the bill, said in a statement after the House’s passage.

Biden signs cyber bills into law

Facebook settles housing discrimination lawsuit

In 2019, Facebook was sued for housing discrimination because its machine learning advertising algorithm functioned “just like an advertiser who intentionally targets or excludes users based on their protected class.”

They have now settled the lawsuit by agreeing to scrap the algorithm:

Under the settlement, Meta will stop using an advertising tool for housing ads (known as the “Special Ad Audience” tool) which, according to the complaint, relies on a discriminatory algorithm to find users who “look like” other users based on FHA-protected characteristics.  Meta also will develop a new system over the next six months to address racial and other disparities caused by its use of personalization algorithms in its ad delivery system for housing ads.  If the United States concludes that the new system adequately addresses the discriminatory delivery of housing ads, then Meta will implement the system, which will be subject to Department of Justice approval and court oversight.  If the United States concludes that the new system is insufficient to address algorithmic discrimination in the delivery of housing ads, then the settlement agreement will be terminated.

United States Attorney Resolves Groundbreaking Suit Against Meta Platforms, Inc., Formerly Known As Facebook, To Address Discriminatory Advertising For Housing

Government lawyers will need to approve Meta’s new algorithm, and Meta was fined $115,054, “the maximum penalty available under the Fair Housing Act.”

The DOJ’s press release states: “This settlement marks the first time that Meta will be subject to court oversight for its ad targeting and delivery system.”

Microsoft discontinues face, gender, and age analysis tools

Kashmir Hill for the NYT:

“We’re taking concrete steps to live up to our A.I. principles,” said Ms. Crampton, who has worked as a lawyer at Microsoft for 11 years and joined the ethical A.I. group in 2018. “It’s going to be a huge journey.”

Microsoft Plans to Eliminate Face Analysis Tools in Push for ‘Responsible A.I.’

This coincides with Microsoft’s release of their Microsoft Responsible AI Standard, v2 (see also blog post).

Note, however, that these tools may have been useful for accessibility:

The age and gender analysis tools being eliminated — along with other tools to detect facial attributes such as hair and smile — could be useful to interpret visual images for blind or low-vision people, for example, but the company decided it was problematic to make the profiling tools generally available to the public, Ms. Crampton said.

Trade-offs everywhere.

People don’t reason well about robots

Andrew Keane Woods in the University of Colorado Law Review:

[D]octors continue to privilege their own intuitions over automated decision-making aids. Since Meehl’s time, a growing body of social psychology scholarship has offered an explanation: bias against nonhuman decision-makers…. As Jack Balkin notes, “When we talk about robots, or AI agents, or algorithms, we usually focus on whether they cause problems or threats. But in most cases, the problem isn’t the robots. It’s the humans.”

Robophobia

Making decisions that go against our own instincts is very difficult (see also List of cognitive biases), and relying on data and algorithms is no different.

A major challenge of AI ethics is figuring out when to trust the AIs.

Andrew Keane Woods suggests (1) defaulting to use of AIs; (2) anthropomorphizing machines to encourage us to treat them as fellow decision-makers; (3) educating against robophobia; and perhaps most dramatically (4) banning humans from the loop. 😲

AI model predicts who will become homeless

Emily Alpert Reyes for the LA Times:

It pulls data from eight county agencies to pinpoint whom to assist, looking at a broad range of data in county systems: Who has landed in the emergency room. Who has been booked in jail. Who has suffered a psychiatric crisis that led to hospitalization. Who has gotten cash aid or food benefits — and who has listed a county office as their “home address” for such programs, an indicator that often means they were homeless at the time.

A computer model predicts who will become homeless in L.A. Then these workers step in

That’s a lot of sensitive personal data. The word “privacy” does not appear in the article.

Data is of course exceptionally helpful in making sure money and resources are applied efficiently. (See also personalized advertising.)

This seems great, so… ok?

No inherent legal duty to be good at cybersecurity

Colonial operates a large oil pipeline and had a very bad ransomware attack in 2021 that shut down the pipeline for five days.

Some individuals who purchased gas and paid higher prices as a result of the shutdown sued Colonial for negligence (among other things) under Georgia law.

The District Court for the Northern District of Georgia has now dismissed that lawsuit:

Plaintiffs provide no Georgia statutory or common law authority for the proposition that industry standards impose a duty of care to protect against cyberattacks generally, nor do they provide support that the particular industry standards they allege have been recognized by Georgia courts.

June 17, 2022 Order Granting Motion to Dismiss at 11-12 [N.D. GA, Case 1:21-cv-02098-MHC]

And because plaintiffs could not allege exposure of personal data or any other violation of statute or legal duty, the complaint was dismissed.

Now if Colonial had said it was good at cybersecurity, and then events suggested they were not in fact good at cybersecurity, they would definitely have drawn a few shareholder derivative suits and maybe even an SEC investigation. See Matt Levine (“everything is securities fraud”).

But there is no inherent duty to be good at cybersecurity. (Yet.)