BlockChain Basics

BlockChain has become an increasingly common term, largely fueled by the highly volatile blockchain currency Bitcoin. But beneath a surface understanding, there is a lot of uncertainty about what it offers and what it means. Let’s dive into that a bit today, starting with the main benefits and problems and then what it means.

With a little bit of simplification, BlockChain is a technology in which records are tracked in a publicly accessible way, with each record containing a piece of the previous record. This last bit is critical – this makes it nearly impossible to modify previous records without making it obvious that the content has been tampered with. BlockChains typically use something called “Proof of work” to add records. This can be completed by anyone with computing power and thus removes the need for a central authority, creating more flexibility for people to complete transactions independently. (There are still checks in place to ensure only authentic records are added). As a result, BlockChain technologies are considered revolutionary for ensuring authenticity and security of records, changing the way we complete transactions from bank account transfers to house purchases.
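The linking and proof-of-work ideas above, as an added example that is not part of the original post. It assumes SHA-256 as the hash, a toy difficulty of three leading hex zeros, and constructed transaction strings; real networks differ in block format and difficulty.

```python
import hashlib
import json

DIFFICULTY = 3           # assumed target: hash must start with 3 hex zeros
GENESIS_PREV = "0" * 64  # placeholder "previous hash" for the first block


def block_hash(index, prev_hash, data, nonce):
    """SHA-256 over all block fields, including the previous block's hash."""
    payload = json.dumps([index, prev_hash, data, nonce])
    return hashlib.sha256(payload.encode()).hexdigest()


def mine(index, prev_hash, data):
    """Proof of work: try nonces until the hash meets the difficulty target."""
    nonce = 0
    while True:
        digest = block_hash(index, prev_hash, data, nonce)
        if digest.startswith("0" * DIFFICULTY):
            return {"index": index, "prev_hash": prev_hash, "data": data,
                    "nonce": nonce, "hash": digest}
        nonce += 1


def build_chain(records):
    """Mine one block per record, each carrying the hash of the one before."""
    chain, prev = [], GENESIS_PREV
    for index, data in enumerate(records):
        block = mine(index, prev, data)
        chain.append(block)
        prev = block["hash"]
    return chain


def first_invalid_block(chain):
    """Return the index of the first block that fails checks, or None."""
    prev = GENESIS_PREV
    for block in chain:
        recomputed = block_hash(block["index"], block["prev_hash"],
                                block["data"], block["nonce"])
        if (block["prev_hash"] != prev                 # link to predecessor broken
                or block["hash"] != recomputed         # contents were altered
                or not recomputed.startswith("0" * DIFFICULTY)):  # no valid work
            return block["index"]
        prev = block["hash"]
    return None


def tamper(chain, index, new_data, remine=False):
    """Return a copy with one record changed; optionally redo that block's work."""
    forged = [dict(block) for block in chain]
    if remine:
        forged[index] = mine(index, forged[index]["prev_hash"], new_data)
    else:
        forged[index]["data"] = new_data
    return forged


if __name__ == "__main__":
    # Constructed sample records.
    ledger = build_chain(["alice pays bob 5", "bob pays carol 2", "carol pays dave 1"])
    print("untouched ledger:", first_invalid_block(ledger))
    print("edited record 1:", first_invalid_block(tamper(ledger, 1, "bob pays carol 200")))
    # Redoing the work for block 1 alone only moves the failure to block 2,
    # because block 2 still stores the old hash of block 1.
    print("edited and re-mined record 1:",
          first_invalid_block(tamper(ledger, 1, "bob pays carol 200", remine=True)))
```

Changing an old record therefore means redoing the proof of work for that block and every block after it, which is what makes tampering obvious to anyone who re-verifies the chain.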

However, the system is not infallible. In 2016, the blockchain-based currency DAO was hacked, with a thief nearly getting away with $55 million (learn more). As secure as the base protocols may seem, there is always still a risk of human error or new discoveries that create vulnerabilities that adversaries can exploit. Further, the way that many BlockChain systems work today requires an immense amount of energy – according to the Economist, the amount of energy used to keep Bitcoin going is roughly the same as the energy consumption of the country of Ireland. In an era where we are increasingly conscious of our energy use and the dangers it poses to our environment, it is challenging to imagine BlockChain technologies growing and scaling without serious repercussions or a revolution in energy technology. The scale is also limited by the technology itself. Barron’s notes that Visa currently completes more than 5,000 times more transactions per second than Bitcoin. For cryptocurrencies like Bitcoin to take off, or other BlockChain applications in fast-moving industries like commerce, the speed of transactions must dramatically improve.

There are ways to work around these problems, and given the enormous potential benefits of BlockChain technologies, I’m sure we will see the investments to get around them. Today, BlockChain is being explored across many industries, from finance to humanitarian aid to voting. Digging into these examples more, the decentralization from authority enabled by BlockChain means that it can be used to provide finances, records, and other assets to people in regions of great instability, which appeals to humanitarian efforts. The confidence that you can have in records and the convergence towards a single ledger is interesting for finance and voting – these industries can now make processes much faster and more secure because BlockChain tracking removes the need to extensively verify actions, and thus they can be completed much faster with less overhead. You can learn more about these three applications through Forbes, Follow My Vote, and the Harvard Business Review.

What does this all mean? First, as laid out in the HBR article, we can expect to see a transformation in our society driven by the new opportunities presented by BlockChain, since this has the potential to revolutionize how most industries work. But secondly, because many of the benefits from BlockChain stem from decentralization and the lack of an authoritative source, policymakers and society in general need to be proactive to create the right guidelines for how this should play out. If cryptocurrencies overtake current government-backed money, how will The Federal Reserve adapt to still protect American finances? If medical records are moved to BlockChain-based ledgers (while still encrypted to ensure only authorized people can access the information), how do HIPAA and other privacy regulations need to change to still protect individuals? The BlockChain revolution seems to be more than just hype, but we need to take the right steps to make sure that we can get the most out of this new technology and in a way that best helps our society.

Sharing is Caring: Some Regulations Included

When do digital issues need to be considered on a national vs global scale? At what level should regulations and decisions be made? A lot of the ideas I’ve been exploring recently and that are cropping up on the global stage are forcing us to explore the line between national and global digital space in more depth. These are opening the stage for us to start collaborating more internationally – perhaps even adopting the same regulation around new digital topics across multiple countries. I’ve picked a sample of cases to look at what this could look like and what the impact is.

Case #1: GDPR

I think you’ve realized by now that I think this is a very important piece of legislation, partly because it is one of the most active and most expansive pieces of legislation in this space. It also brought the issue of privacy into a global discussion. It has an immense scope, applying to companies from those doing any business in the EU to those reaching EU citizens, and is broad enough to get the attention of global companies. By creating the first widespread rules about modern privacy, it guaranteed that any attempts by other countries to adopt privacy regulation will face a dilemma that largely impacts businesses. The dilemma is whether or not to have the same rules as GDPR.

If each country adopts different regulation, companies will quickly become burdened with high overhead costs of complying with the different regulations for each country they operate in. It could also inadvertently bring a reduction in privacy as companies will need to better track country of operation or citizenship for each user, to make sure each person is offered the version of the product that follows the laws specific to them. This becomes even more complex if someone is protected by two different sets of differing laws – such as an EU citizen in the US if (for example) the US had rules that required a different type of output for the same set of GDPR operations. Which set of rules would dominate?

If countries instead collaborated to create comprehensive technology privacy laws that match GDPR and/or GDPR is adjusted to a version that more countries sign off on, we can start to create better global norms and protect consumers without unduly burdening companies.

Privacy regulation is one clear area where governments need to collaborate in order to protect interests of both consumers and businesses.

Case #2: Apple’s Refusal to Decrypt a Phone

Next, look at the case of the FBI trying to unlock the San Bernardino shooter’s iPhone. They asked Apple to decrypt the phone, but Apple refused on the grounds that creating a workaround would reduce iPhone security dangerously (learn more). Eventually, the FBI got the phone unlocked through a third-party company. But this has re-prompted a discussion around the rights of governments in the digital space – should they have a way to get into phones that are encrypted, and more broadly, to intercept encrypted data?

There are a couple of ways to make this happen that rise to the front of conversations, but underlying them are two internationally oriented questions. Which governments get access? How do you control for that?

In this case, Apple is an American company and it could be said that they have a responsibility to the US government and thus the US government gets access. What if US allies then ask for access as well? And then their allies make the same request? Who determines whether the tool is being used responsibly and who gets access? What happens if a stable and approved government is replaced by one that wouldn’t be approved? The access then risks creating a means of suppressing people and violating rights, such as by stifling speech. If something like this were created, there would need to be a global discussion on how permission is granted, and most likely there would need to be a new committee that oversees requests to determine whether the request will maintain global values.

Even if we agree who gets access and who doesn’t, how is that enforced? Once others know that there is a secret way to intercept encrypted data, they will try to find it. These adversaries could be nations that were not granted permission, or even just other hackers. Once the tool exists, it will be hard to make sure it is only available to authorized parties, and thus it creates a risk for everyone.

The moral of this example is that governments need to be careful when unilaterally requesting this type of access, because it has global implications and could create privacy and security risks for everyone. If they do move ahead with this type of tool, some of the conversation around future use may benefit from considering global implications from the start.

Case #3: Cybercrime Prosecutions

This is a case that I’ll need to come back to in more depth later, but it’s worth mentioning here. In many cases in which cybercriminals are identified, the legal track hits a roadblock because the criminal and the victim are in different jurisdictions – so it can be hard to get the arrest or to determine who gets jurisdiction. Some even say that jurisdiction conflicts are the #1 challenge to prosecuting cyber criminals.

Global cooperation will need to improve to make it easier to prosecute cyber criminals, something that will also help protect individuals since it adds a disincentive for the criminals. By coordinating on both definitions of cybercrime and how to determine jurisdiction, we can improve the cybercrime judicial process.

These are just 3 scenarios that show how the decisions we are making around technology and policy need to shift towards a global perspective. Perhaps we will begin to see more regulation in digital space that is supported by many countries together.

Should an Algorithm be the Judge?

A few times each year the use of COMPAS in courtrooms raises concerns. It’s a program that predicts recidivism and is used in some courts to determine who can be released on bail, and to assist judges with sentencing. (For examples of past discussions, see articles from 2016, 2017, 2017, 2018). Most discussions center around the ethics of the algorithm and whether the algorithm has bias that makes it unjust. However, as technology increases predictive capabilities and becomes more pervasive, the conversation needs to shift beyond the ethics of COMPAS to the question of what is the appropriate and ethical use of algorithms in a courtroom.

Focusing on algorithmic bias implies that biased algorithms represent a coding flaw that can be easily corrected. This idea that machines and algorithms aren’t biased is also a frequent argument in favor of broader use. However, predictive algorithms are typically trained on existing sets of data. Based on the patterns, they create predictions for the future. However, humans generate these baseline data (arrest records, sentence lengths, etc). Any bias that we have as humans will be reflected in the data, and thus in the algorithm. So the issue of a biased algorithm does not necessarily require a code fix, but deciding what is an un-biased data set and training on that. Defining such a set and creating one requires so much human input that it will likely again involve some bias or may not even be feasible. Predictive power is valuable, but trying to make it unbiased is an extremely challenging problem (though some organizations are trying).

Though algorithms are biased, we should continue to use them in courtrooms – but with some guidance. They still have the potential to reveal valuable information, and help create smoother processes for all involved. However, before an algorithm is approved for courtroom use, I propose three requirements:

1) Potential biases against protected classes are measured and within a reasonable margin of error. There are many ways to test this, such as entering all of the same information and just changing the class to see how much the recommendation changes. With this, courtrooms can reject programs with unfair or excessive biases.

2) Until biases are fully adjusted for, the program is only used to assist with decisions, and not as a decision maker itself. As many of the linked articles state, judges go through significant training and practice to understand the nuances associated with cases. While the programs can be used to inform decisions, judges should still make the final decision. This will account for elements of the case that the program does not consider, and provides an opportunity to correct for programmatic biases.

3) Algorithms are retrained based on newer data every 6 months. Making an optimistic assumption that the arc of history moves away from bias, retraining based on newer data will ensure the algorithms are based on data with decreasing bias. Thus they will also trend towards unbiased decisions and will continue to improve as well.
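One way to run the check described in requirement 1, as an added example that is not from the original post. The scoring functions, field names and records are constructed for illustration and do not represent COMPAS or any real tool. It goes one step beyond the flip test by also comparing average scores per group, since a model can ignore the class field and still track it through a correlated input.

```python
# Constructed records; "group" stands in for a protected class and
# "district" for an input that happens to correlate with it.
RECORDS = [
    {"prior_arrests": 0, "age": 45, "district": "north", "group": "A"},
    {"prior_arrests": 2, "age": 30, "district": "north", "group": "A"},
    {"prior_arrests": 0, "age": 45, "district": "south", "group": "B"},
    {"prior_arrests": 2, "age": 30, "district": "south", "group": "B"},
]


def base_score(rec):
    """Hypothetical risk score built only from case facts."""
    return 2 * rec["prior_arrests"] + (1 if rec["age"] < 35 else 0)


def direct_scorer(rec):
    """Hypothetical model that uses the protected class directly."""
    return base_score(rec) + (2 if rec["group"] == "B" else 0)


def proxy_scorer(rec):
    """Hypothetical model that never reads the class, only a correlated field."""
    return base_score(rec) + (2 if rec["district"] == "south" else 0)


def flip_test(score_fn, records, attribute, values):
    """Score each record once per value of `attribute`, all else unchanged,
    and return the spread (max - min) of scores for each record."""
    spreads = []
    for rec in records:
        scores = [score_fn({**rec, attribute: value}) for value in values]
        spreads.append(max(scores) - min(scores))
    return spreads


def group_mean_gap(score_fn, records, attribute):
    """Difference between the highest and lowest average score per group."""
    by_group = {}
    for rec in records:
        by_group.setdefault(rec[attribute], []).append(score_fn(rec))
    means = [sum(scores) / len(scores) for scores in by_group.values()]
    return max(means) - min(means)


def within_tolerance(spreads, tolerance):
    """Accept the model only if no record's score moves more than `tolerance`."""
    return max(spreads) <= tolerance


if __name__ == "__main__":
    for name, scorer in [("direct", direct_scorer), ("proxy", proxy_scorer)]:
        spreads = flip_test(scorer, RECORDS, "group", ["A", "B"])
        print(name, "flip spreads:", spreads,
              "| passes at tolerance 0:", within_tolerance(spreads, 0),
              "| group mean gap:", group_mean_gap(scorer, RECORDS, "group"))
```

In the constructed data both groups have identical case facts, so the gap of 2.0 comes entirely from the model; on real data a gap needs further analysis before it is attributed to bias.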

While we should still continue to work actively on reducing bias in programs used in courtrooms, we cannot block the use of them until we create bias-free programs. For now, these three requirements can help create a more just system.

The Case for Data Collection

Today’s discussions about data collection have focused on the risks to individuals, the potential misuse of data (especially for aggressive advertising), and other downsides. However, to have a meaningful conversation about data protection and data rights, it’s also important to consider the benefits of data collection. By understanding both sides, we can demand and regulate to push technology and data collection towards the benefits while still protecting against the downsides. This blog looks at a few of those benefits.

Let’s first look at the potential to help with mental health management and treatment. Data collected by Facebook has the potential to reveal when someone suffering from bipolar disorder is about to enter the manic phase. Zeynep Tufekci noted in a TED Talk that this data could be used to unethically encourage impulse buys. However, another company is using the data for a different reason – to help those with bipolar disorder to manage their mental health. That is the purpose of SANE Bipolar App. Motherboard notes that this app will leverage the same data to warn people of a predicted upcoming manic phase and offer to notify someone who can help (ex: family, nurse). These data, which can be potentially dangerous, are being used to improve the health of people with bipolar disorder.

The benefits also extend into physical healthcare. Forbes looked at 5 ways that Artificial Intelligence, drawing on the data contained in patient records, was able to impact healthcare, from reducing patient hospital stays by 21% post surgery to improving recognition (thus treatment) of cardiac arrests, and even creating savings of up to $18 billion in the industry. The data driving these changes is incredibly private and needs to be protected accordingly. But when aggregated and used responsibly, it is helping improve our quality of life in very tangible and meaningful ways.

Data collection also improves one of our largest goals in many data discussions – better data protection. For an example, look at Microsoft’s Conditional Access feature (watch the “Microsoft Intelligent Security Graph” video from about 1:29). By aggregating data and looking at trends, companies like Microsoft are better able to identify anomalies and potential security threats – letting people react faster and better mitigate the threat. This means that their data can be protected more securely.

Through ways like these, it’s clear that data collection isn’t always bad or harmful. The judicious and responsible use of data can significantly improve quality of life in meaningful ways. As we continue the discussion on data and privacy, it’s important to keep in mind both the harmful and beneficial ways that data can be used, to come to a better informed solution that can protect the good and mitigate the bad.

Biometrics: How far is too far?

It’s clear that biometric recognition technology is making our daily lives significantly easier. You may have a phone that you unlock with a fingerprint, a laptop that you unlock with a smile (facial recognition), or a customs station you can get through quickly by giving both a fingerprint and a smile. In many ways, these are also improving security – it is much harder for a malicious actor to guess and spoof a fingerprint than it is for them to do the same with a password. For reasons like these, biometric improvements have been an asset to modern life.

However, as the use of these technologies grows, we need to make sure we have regulatory frameworks that ensure the use continues to be ethical. Based on current trends, there seems to be a spectrum of possible uses that vary based on who uses the data (the individual/another organization) and for what purpose (to improve life of the individual/for societal needs). For now, I’m focusing this towards public use (private company use would be different):

Stage 1: Biometric use only by individuals for their quality of life (ex: unlocking a device).

Stage 2: Biometric use of an individual by other organizations, to provide greater ease for the individual (ex: automated customs stations, ClearMe airport security clearance).

Stage 3: Biometric recognition techniques used for law enforcement purposes, only for scenarios involving an acute danger/threat.

Stage 4: Biometric recognition techniques used for any law enforcement.

Stage 5: Biometric recognition used for general surveillance and monitoring.

I believe that as a society, we should push our regulators to create laws that cap the use of this technology at stage 3. The examples at the top of the blog are both stage 1 and 2. Stage 3 would be cases like the use of biometric software to identify suspected terrorists, armed criminals, or in other cases where there is a direct threat to people. Faster identification and tracking of these people would significantly improve the safety and lives of many individuals.

To understand stage 4, we can look at some of the techniques being used today by the Chinese government. Forbes has an article with great depth about the use of just one biometric technology, facial recognition, by the government. One of the striking examples is the case of using facial recognition software along with traffic cams to capture jaywalkers, and then post “personal information, including names and home addresses…on screens at the side of roads as a warning.” The crime was much less severe than something that would qualify for stage 3. However, law enforcement used the same type of technology, and then leveraged it in a way that potentially also poses a privacy violation.

I think there are many regulatory guidelines and protections that would prevent us from getting to stage 5 – that would be a Big Brother type scenario. Once we reach this stage, there is a high potential for violation of free speech, freedom of expression, and other individual rights.

The use of biometrics is quickly expanding, and more organizations both in the public and private sector are looking to leverage these better. At the same time, we need to make sure that we have regulatory frameworks that cap the use of biometrics to an ethical level, and robust discussions to establish exactly what that level is.

Overcoming Indifference to Take Control of our Data

As revelations about Cambridge Analytica’s use of Facebook to potentially impact elections came out earlier this year, cries to #deleteFacebook swept social media. However, if you look at the rates at which people searched for “delete Facebook” (using Google Trends), it took less than two weeks after the peak of outrage for people’s interest to halve, and less than one month for the interest to return to the baseline. It is this short attention span and general indifference that causes us to overlook the ways we can take control of our data privacy.

The General Data Protection Regulation (GDPR) is an important part of the story. The GDPR is a new regulation from the European Union (EU) that aims to give some control over data back into the hands of users. One of the biggest provisions is a requirement for users to have the ability to view, export, and delete most of the data a company has about them. Because this is an EU law, this doesn’t apply to everyone. However, numerous companies have chosen to provide some or even all of the GDPR protections to all users rather than fragmenting their systems.

However, I doubt that most people are aware of this change, or that many people now feel that they better understand how companies use their data than they did before the GDPR went into effect. I also tried to find numbers about how many people have started taking advantage of these controls, but that information has not been easy to find. (Leave me a comment if you do find any of that information). The ability to use these is well documented, with varying levels of usefulness. For example, Facebook’s view information option is very accessible and helps you understand what data they have. It’s also available to all users – not just those covered by the GDPR. But several of these controls also lack any real value to users – for example, to delete the information Facebook has on you, the website recommends that you delete your entire account.

Regulations like the GDPR are intended to give some control back into the hands of users, but unless users actually care enough to use the tools provided by regulation, the provisions become meaningless. These tools give us the means to actually learn more about what is happening with our data, and demand more control. They provide an opening for us to say that some of the data we see stored by the company should not be for sale, or that we want to periodically delete stored data, or that we want to be able to track who our data was shared with and not just what data was stored.

We keep looking to companies collecting data to have an altruistic streak and suddenly safeguard our data the way we’d like them to, or to regulators to create the perfect bill that guarantees our data will be handled with care and discretion. But companies need to know that we want that change, genuinely want it and not just for the one-month fad of #deleteFacebook. It will take sustained interest for companies to prioritize that against the other features we are always demanding. And regulators can only close so many loopholes before they also rely on us to drive the business models we want to see.

Facebook is actually an interesting case – though the delete Facebook trend died, they have faced continued pressure and criticism around their data handling and privacy more broadly, even being asked to testify in front of lawmakers globally. As this has continued, their controls and transparency around data handling have dramatically improved. Visit Facebook’s “Your Information” to see what Facebook has inferred about you, and try exploring some of the options. For example, you can actually delete the majority of categories associated with your account that get used for ad targeting (without deleting your account). While we typically use Facebook as the example of a company with large amounts of personal data, Google has similar information. You can check that out on the Google Ad Setting page. These two are definitely not the only ones.

Now imagine if a majority of users went to these pages to remove labels and data. Revenue models for ad-based companies would have to change, allowing the model to shift away from having user data as the currency, or at least changing what data can be shared and the level of user consent. Privacy-centered models would likely be taken more seriously as a way to bring users to opt into some data sharing. Then the control of data would truly have shifted more towards the hands of users. Through the changes of the past year we already have what we need to start bringing this conversation forward. It’s time to start using these tools, but also look at privacy and data beyond social media – to advertisers, credit companies (think Equifax), public sector, etc. – and start driving conversations there too.

If we want data to be treated differently and change the way data is handled, we need to make that known and join the conversation. We need to use the tools we are given to show companies that we care and that we require better care of our information. By doing so, we can change the entire conversation around data sharing and come to the table as owners of our own data.

Today’s Privacy Contracts: The Privacy Policy (EULA)

Every time we get a new app, upgrade our phones, or sign up for a new account, we are presented with an incredibly long set of “Terms and Agreements”. At this point, I’m guessing most of you are like me – scroll, scroll, check the box, next. Not bothering to read anything in between. How can we, when a study cited in Time Magazine a few years ago found that it would take the average internet user about 76 working days to read all the privacy policies (s)he encounters per year! I’m sure we’d all rather take those days as vacation! But these policies are often the only contract that we have with the service providers over the use of our data, and as a society we’re increasingly aware of egregious terms hidden in most of these. Before we continue, please note that these are typically referred to as “EULA”s (End User License Agreements).

In future blogs we’ll dig more into the actual intersection of technology and policy, but for today let’s understand EULAs. This will be important later when we discuss things like the General Data Protection Regulation (GDPR) and other upcoming issues.

Let’s take the frequently visited google.com. How do you find its EULA?

When you land on the page, notice the “About” option in the top left corner.

Clicking on that takes you to a page all about Google, but at the bottom once again you can find the link “Privacy and Security” under the “Responsibility” heading. Click this, and after scrolling through numerous statements of the great things that data collection empowers, you land on several boxes that let you explore the privacy settings.

From here, it’s pretty straightforward to explore the information and learn more about the privacy policy. This stands in stark contrast with many of the more traditional long text-only documents. It’s definitely worth exploring, since Google makes it clear what data they collect and how they use it. For example, in the “We do not sell your personal information to anyone” section, they explain how a lot of the data collected is kept for use by the company itself (ex: for targeted advertising), and any data going outside of the company is only shared in aggregated form.

(Note that many technology companies have dramatically redone their EULAs recently. I assume this is because GDPR required user-friendly EULAs, and went into effect May 2018. But more on GDPR and its impact later).

If you’ve never really looked into a EULA before, this is a great one to start with. Particularly explore the section about what you can control. Many technology services and products give you a moderate amount of flexibility and control over your data, if you know where to look.