On GDPR compliance, the Right to be forgotten and Artificial Intelligence, OW2con'18, June 7-8, 2018, Paris
1 like260 views
The document discusses the right to be forgotten and how it relates to AI. It covers several key points: 1) The human mind has a paradox of forgetting, while AI systems do not forget as humans control what data is input, stored, and deleted from AI systems. 2) The right to be forgotten is defined as an individual's right to have personal information deleted from online sources. 3) Google received over 347,000 requests to remove about 1.2 million websites under the right to be forgotten and denied 58% of requests. 4) While deletion removes data from search indexes, it typically only marks it as deleted in databases rather than fully removing it.
On GDPR compliance, the Right to be forgotten and Artificial Intelligence, OW2con'18, June 7-8, 2018, Paris
- 1. On GDPR compliance, the Right to be Forgotten and AI Cristina Rosu, DPO XWiki SAS by
- 2. Human mind and the paradox of forgetting • Ars memoriae vs. Ars oblivionalis - Cicero, Themistocles & Umberto Eco • The psychological memory: short term vs. long term
- 3. AI “mind” *humans control it 1. Data input 2. The storage 3. The deletion - no forgetting paradox
- 4. What is AI? (really long story short)
- 5. ...Glimpses of the real story, still short Reinforcement learning Neural Networks / “Deep Learning” backpropagation algorithm: passing an input through forwards the neural network, comparing the result to the “model” result. After, all the nodes from output (front) to input (back) are updated.
- 6. A right to be forgotten - definition = The right of the individual to obtain the deletion of personal information posted online by the data owner himself or a third party, even if it was legally posted.
- 7. The European perspective on the Right to be forgotten • Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data • C-131/12 - Google Spain SL and Google Inc. v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González • Article 17 EU GDPR "Right to erasure ('right to be forgotten')"
- 8. On the Google Spain v AEPD and Mario Costeja González case at the Court of Justice of the European Union, in 2012 • Deleting two pages of La Vanguardia, with a notice for a real-estate auction • The Directive 95/46/EC is directly applicable to Google Inc. • The search engine qualifies as a “data controller” • “...a right to address himself to a search engine service provider in order to prevent indexing of the information relating to him personally, published legally on third parties’ web pages...”
- 9. Some statistics on deletion for GDPR compliance If your company receives a request based on the right to be forgotten, what is the method you would use to delete the content? France USA UK Germany Spain Basic deletion 34% 28% 24% 23% 26% Free data wiping solution (without proof) 21% 25% 33% 27% 35% Secure data erasure solution (with proof) 46% 43% 38% 44% 38% I don’t know 0% 4% 6% 6% 1% Other 0% 0,4% 0% 0% 0%
- 10. By October 2016, Google received 347,533 separate requests to remove aprox. 1.2 million websites. 58% of the requests were denied. EU country Total removal requests % of URL’s removed % of URL’s removed France 247,832 48.4% 51.6% Germany 222,319 48.2% 51.8% U.K. 163,205 38% 62% Spain 104,240 37.2% 62.8% Italy 86,002 29.7% 70.3% Austria 23,274 47,7% 52,3% Belgium 37,472 45.7% 54.3%
- 11. Criteria for evaluating delisting requests 1. Data subject’s role in public life 2. Nature of information • Bias toward an individual’s strong privacy interest (personal financial information; related to an individual’s intimate and sex life; private information about minors; private contact or identification information etc.) • Bias toward a public interest (related to criminal activity; relevant to political discourse and governance; relates to public health etc.) 3. Source 4. Time
- 12. A right to delisting vs. social forgetting • The “boomerang” effect and the paradox of forgetting • Collecting links of delisted items
- 13. When a record is deleted using the SQL interface in relevant databases, it is only marked as deleted and gets removed from the search indexes. Deletion in MySQL:
- 14. Viviane Reding, the European Commission’s vice-president (2010 - 2014) ‘‘It is clear that the right to be forgotten cannot amount to a right of the total erasure of history.’’
- 15. Numbers related to the information that is collected from users • As of the third quarter of 2017, Facebook had 2.07 billion monthly active users. • Google announced over 2 billion monthly active devices on Android in May 2017. • Google Drive now has 800 million users and Google Photos has more than 500 million monthly users in 2017.
- 16. AI has no reasoning, will, desire, ethics beside our own. Image from "Explaining and Harnessing Adversarial Examples" by Ian J. Goodfellow, Jonathon Shlens, Christian Szegedy
- 17. Apple’s “most advanced” face ID tech that can detect if someone is trying to get into your phone with a probability of 1 in 1 million Can’t tell these 2 women co-workers apart
- 18. Forgetting in algorithmic memory “obfuscation” = to produce misleading, false or ambiguous information parallel to the relevant one
- 19. The right to be forgotten impacts machine learning algorithms • Erasure of one data • Making data less sensitive • Functional encryption algorithms • Pseudonymization • Data anonymization
- 20. Possible approaches • Data minimization • Interdisciplinary research addressing innovative technological solutions and dedicated legal norms for the AI model
- 21. Possible approaches • Take control over your data • Use ethical products that respect your privacy as a user Examples of open source projects: - Mastodon - decentralized social network - Matrix - encrypted end-to-end chat - Cryptpad - zero knowledge collaborative editor
- 22. Feel free to contact me! E-mail: [email protected] @cristina.r:matrix.org @[email protected]
- 23. Thank you!