Categories
Uncategorized

THOUGHTS ON GDPR

The GDPR legislation seems very fair from afar, it seems to be empowering the individual and before watching the conference talk (https://youtu.be/meHvy24i1LU) I was strongly in favour of reducing businesses ability to have complete control over our data. I still agree with the principle – that our data shouldn’t be shared without our knowledge.

But the reality of the situation, the application of the law is far bleaker than I could have imagined! It looks like not nearly enough communication was had with security experts about the potential loopholes or flaws in the new regulation. It really plays into the attackers hands as they know that there is a good number of businesses not ready to handle this new regulation. The video makes clear how slick a process a company really needs and how nuanced the application process should be for retrieving data records.

I had an inkling from personal experience in some small businesses (who do not have lawyers or a security team on hand) that there is very little understanding or observance of the new GDPR law – just a general understanding or attitude that the customers data should be ‘respected’.

Digital rights, digital hygiene, digital history – these are all things that are relatively new and perhaps still unheard of for the ordinary citizen who simply uses Facebook regularly and does a touch of online shopping. It might need to become standard behaviour online to take steps to prevent identity theft rather than simply hiding amongst the crowd of billions as many do now. These steps include using a password manager, a quality VPN, multiple email addresses and deleting accounts after periods of inactivity. As has happened with the ‘screen time’ implementation in iOS, these features if demanded enough could become baked into OS’s.

It’s counter intuitive to a non-security expert that a new law would open up so much opportunity for foul play. But it seems upon inspection a very political law – one designed to show how potent and active the EU could be – perhaps one to generate income through fines if I think cynically. Perhaps it was solely aimed at tech’s big players (Amazon, Facebook, Google and Apple) as a way of ‘getting them’ as they successfully avoid paying tax. The EU claim that the new GDPR law Is applicable anywhere in the world where it impacts an EU citizen doesn’t seem plausible as they have no actual power in other regions. It would take a substantial case to even get to court to debate the fact.
Initially many websites, fearful of a backlash or fine from misinterpretation, misapplication, completely blocked EU users, a denial of service type result. These included most notably the NY Times – here is a link to the article, (https://www.nytimes.com/2018/05/25/business/media/europe-privacy-gdpr-us.html) which thankfully due to an updated policy, we can all read!

As regards to data science, legislation is key to consider when working with various data sets. It relates to ethics – the data scientist must double check that their data they are working with has been sourced legally and ethically – with consent. In many cases the anonymity of the data is vital to the project. Great care must be taken to ensure backward inferences cannot be made so as to identify an individual.

One area of progress I find extremely interesting in machine learning is the privacy focused method of ‘federated learning’. This type of process potentially makes legislation work better as there is less ownership of the data by Google – it is encrypted and kept on the local device. Here is the official Google description and link:
“Federated Learning allows for smarter models, lower latency, and less power consumption, all while ensuring privacy. In addition to providing an update to the shared model, the improved model on your phone can also be used immediately, powering experiences personalized by the way you use your phone.” (https://ai.googleblog.com/2017/04/federated-learning-collaborative.html)

The group discussion on Skype was very interesting to follow. It’s apparent how impractical most of the law is to the average user – terms and conditions statements that stretch to 44 pages will guarantee that only 0.000001% of users read them – meaning that there needs to be some real trust with the company. Also it was interesting to learn that despite translation of these statements the law could only be fully applied in the way intended from where it originated.

In summary this class particularly made me aware of the degree of ethical responsibility you need to have when working with data. If things go wrong it’s not just a spreadsheet that is lost it could be a persons digital identity, bank account, medical history – almost everything!

Leave a Reply

Your email address will not be published. Required fields are marked *