# Subject Access Right workshop
## Introduction Section
### Adrianne Jeffries, The Markup, USA
- meeting with Europeans who’ll file data requests
- California law
- Similar but much weaker data access provision
- In January we’ll start making requests
- Specific issues: labour surveillance ? uber
- Genetics data companies
- GDPR: how to make the public understand what the law is coding and what people can do with it?
- Function creeps where is data being used – GDPR as a way to ensure data is used as promised
### Claudio Agosti, TrackingExposed, Italy
Algorithmic accountability
Labour is intermediated by algorithms
Personal data kept by companies to profile but we don’t know. We need access rights to enforce the rights under the gdpr and
### Paul-Olivier Dehaye, PersonalData.io, Switzerland
Building an agenda around access requests
Summarizing the paper by kominsky? Binary governance in the GDPR: top down and bottom up - how do individual rights fall into this landscape?
Aims / Hopes: A toolbox to enforce access rights
Gig workers: networks of people who work under algorithms of platforms
Culture of open science: develop an agenda for more open
Consortium for an EU infrastructure protect to ensure algorithmic accountability – building a toolbox
### Gloria Gonzalez
Assistant professor VoB
- Data protection law as a legal expert, a journalist before time to read and write. Work about dp as a personal right for all individuals. Send access request in a stupid way without mentioning GDPR. 3 big themes: transparency centre of policies on information. Privacy policies are crucial. Think about non facilitation of access request for privacy. Article 23 is vv imp now. National law goes around access requests. How article 80 is developed at national level? Spain: next of kin can access all your data after your death. Interesting to look at how internet decides your info eg gender on Tinder, Twitter.
- Multi-stakeholder group committee about GDPR member useless unless we use it. Commission has to publish reports based on input from the stakeholder. People from industry are all against access right. Civil society is reluctant because they think we’re making a business model out of it. Some people are making money out of it. Reach out to her.
• Gloria Gonzalez Fuster, Vrije Universiteit Brussel, Belgium
- Data protection as a fundamental right in the EU for all individuals
Three themes:
1. Transparency (information in privacy policy) and access rights PP: the only way in which people can be informed and they can enforce access rights: non facilitation of access right
2. National limitations in access rights: 28 nationalities: Art 23 of the GDPR restrictions: strict limitations – this should be discussed
a. Art 80 also relevant how has it been developed in MS
b. Post mortem use of access rights (Spain)
c. Access rights and gender
i. DP law and gender: how can we use the right of access to see on which basis how data controllers/processors decide whether you are F/M
d. EU Commission group multi stakeholder – civil society and industry
i. Report on art 27:
### Hadi Asghari
TU Delft
- Assistant prof at TUD TPM background in cs and PA
- Interest in access right different from legal. Use ar as a tool to do large scale analysis for data science. To see if data ar works. Reducing info asymmetry between society and industry. Figure out companies who are data capital. Interested in mass ar, extremely hard and frustrating to even do a 100. Data sharing between people who have done ar. Leverage for people
• Hadi Asghari, Delft University of Technology, The Netherlands
- Faculty of tech policy: access rights: to use it as a tool to do large scale DS to figure out how privacy enhancing technologies work:
- Reducing information asymmetry – tackling surveillance capitalism
Mass access requests
Facilitate information sharing around AR people have done and leverage the hard work on access rights that people have been doing
### Nayantara
Ad.watch India
Journalist from India. Data protection in India. Working on a project about ads adwatch. Interested in learning what people are doing about ar in Europe. Interested in national id sys and how they make use of that in India. Can GDPR be used to access in India without a law on right of access
Nayantara Ranganathan, ad.watch, India
- Workers rights and DP in India
- Political ads in Adwatch
- What people have been doing in access rights
- How European laws are influencing laws in the Global south
- Can you use the GDPR in other parts of the world
### Bengi
- RA here UvA
- About to start research on SAR
### Tristan Henderson, University of St. Andrews, UK
- Internet measurement background: collect all the data and use it
- Approach access rights from a measurement perspective – Art 20:
- Where tech meets law: the science behind access rights ie crowdsourcing, verification of responses?
- Access rights: it is important to make a request when you know nothing
### Judith
French journalist
Became concerned with personal data. Written an investigative book on Tinder to find out their hotness score. Asked Tinder for personal data with ar. Received 800 pages. Working on dating apps for 2 years. 2 projects: one on insta cost of clothing, less clothes on women more seen, 100 requests to 100 companies, data brokers advertising companies. How to discuss with people when they say don’t have info when you know they do. How to come up with arguments. Have a discussion about what is meant to be anonymous. Ad id or cookie. Digital shadow we’re not aware of. How to investigate food delivery algo and people working.
• Judith Duportail, independent journalist, France
- Tinder – dating apps:
- Two projects: Instagram – less clothes of women the more they are seen
- Access requests to data brokers adtechs etc
- How to discuss with people – when they say we don’t have data but they do, how to talk to them
- What is anonymous: there’s a cookie etc ad id etc there’s a ‘second identity’ in a way
- Build a network for agenda setting for example for workers food delivery platforms
### Karolina
Panoptykon
- Lawyer Panoptykon
- Polish
- Watchdog organization
- Law that were being
- Organization that uncovers new data ecosystems
- Proactive than active, started as a watchdog
- Wants to show what gdpr can do for people. AR is the perfect right to focus on. Tells about their imperfection. Digital shadows, digital doubles interested in AR to advertising companies. Problems emerge. Complained against google. Hope for the workshop is to map priorities
- Connect the dots. How can AR be used for bigger things.
### Ala
Data protection lawyer at Noyb
Researcher as well. PhD at Vienna data portability
Ngo that does data protection in private sector not to public auth. Main focus is filing complaints, respond to follow up not too often but it does but if it does they respond comprehensively. No policy making. As many jurisdictions as possible. Submission to dp award feedback to right of access. Personal exp with ar she has done 170 ar in April 2019, sent out to adtech ecosystem. Interesting to observe how partners cooperate. No one replies in one go. However still identified good practices. Wants to learn what others have done. Ar is only used as investigative but not for litigation. Stopped focusing on how badly they respond. Wants to know what we want her org to do. Also working on projects on adtech requirements.
• Ala Krinickytė, noyb.eu (data protection in the private sector – filing complaints and try litigating in many jurisdictions as possible and aiming for litigation – EDPB:), Austria
- PhD: data portability
- Personal experience with access rights: filed numerous requests usually to companies in adtech companies: some reveal so much about their partners and others don’t say anything so it is not clear who is telling the truth.
a. Good practices were also encountered
- Whether you see any gaps as regards access area
- We don’t focus on access rights itself but we use it as an investigative tool
- What would you like noyb.eu or other NGOs to do in this field?
- Other projects on adtech environment - SARs, lawfulness,
### Amy
UK based NGO against govt mass surveillance
15 years 4th strand aimed at reaching outside digital right spheres and involve other sectors. Use algorithms for immigration and see what info they have. Good void to move into. What different sectors do for their work.
- Practical approach to SAR. Bit quiet at the moment. Haven’t worked out what they want to do. Politics and their ads. How the UK is targeted and manipulation of democracy. Built a tool aimed at mass campaign up to 300 individuals now. Explore more about the issue interested in other people’s questions. We might know but general people still don’t know. Explore how we can learn from these people and we can reach out. Working on adtech but haven’t used SAR for that. Wants to break opaque system
Encourage other sectors to engage in DP – algorithms: for example immigration.
Data rights finders: tool focused on the financial sector
Display of ads in social media networks –
- responsibility of political parties as regards political ads: how do political parties use DP to target people. Built a tool to tackle this and started campaign?
Mass data access and the challenges around that
General public – there’s a mystery around that – encouraging other people to engage around this right
- Adtech: opaque system – how do you use access rights to tackle that
### Hugo
Activist and lawyer. Worked with NGOs in Europe. Law firm in Paris done ar as data subject. Attorney for individuals. Police and surveillance. Also provided data request responses help to companies. Data portability and how it can support new online services and software.
• Hugo Roy, Lawyer at Baker & Mackenzie, France
- Data access rights as an attorney for individuals from gov agencies usually ends up during litigation
- Limit scope of data they want to provide
- Themes: immigration, surveillance, how to contribute to transparency
- Data portability: data access rights in the context of competition to build interoperability
### Paul
Journalist and developer in Switzerland. 10 years since making fb apps. Freaked him out how it actually worked. Find a way to share ar better
• Paul Ronga, Le Temps, Switzerland
- Main expectation: facilitate information sharing and structuring how to enforce access rights beyond just filing requests
- Two projects: personaldata.io kind of tools may be too difficult for the general people to use
- Help people communicate, make SAR requests
- Credit rating companies:
### Jack, CS Cambridge
- Similar background to tech and info
- How it affects advocacy and how it can be presented because they can be used in many different ways. Interact with people to find out how they’re used. Only around for today, stay in the loops. ICO has put out a call for AR, input to the guidance.
### Jef Ausloos
PhD right to info in Belgium. Data subject rights. Asymmetric relationship between. Most of the research is done behind desks. Does empirical work for rights in practice? Not just what comes back but also what is sent. Interesting and valuable tool for investigative researchers. A lot of uncapped potential for using SAR in technical ecosystems. Impact of individual on ecosystem. 3) to research thing not much to do with actual controllers. Investigate evolution of sex life social interaction to investigate social trends, won’t be interested in the social media but how it will be done. Grand proposal how the law can help in countering this info asymmetry in the hands of big tech players. Independence researchers, it’s becoming hard for them to use that data. What can the law do to break that asymmetry and AR are imp. Interested in hearing a lot more concrete use cases, details, obstacles from everyone. Interested in how this community can work together sustainably, what form will that take? Because we’re all people who are interested in AR as compared to the other side.
• Jef Ausloos, UvA, Netherlands
- Data subjects rights in empowering individuals before big companies
- Empirical work: testing rights in practice
- Interested mostly in the level of compliance: tool for journalism, activism, academia - use it as experts in specific cases: not just in a certain ecosystem but also as regards how it impacts individuals, for example how can you use it as a research method to find out about social dynamics in dating etc
- How the law can counter the data dynamics – what role can the law play in breaking power dynamics?
- Hopes: lessons learned from everyone else
- How to make sure that people here are together more sustainably and what form should that take? How can we capitalize in the fact that all these people are interested in the same topic?
Questions:
are there themes?
Yes, we have to figure out what we can do with this group of people here. One session at the end of the day will be to convert themes into action.
Paul: Inconsistencies in workshop rule: we won’t be here in a week. Not collaborating enough through just 2 note takers and a photo library.
Rene: People can use their own devices other than the 2 note takers. Will set up collaborative note taking for people required.
Parallel breakouts; we break out in 4 smaller groups and talk about our own interesting use cases and then we come back together at the end and discuss the interesting use cases and we choose the best use case and discuss it in tomorrow’s sessions.
The idea is to keep track of what ideas were shot out and how much time it took for the idea. People write down their ideas on post-its and others can join if they want.
Coffee Break
## State of the Art report
State of the Art Report <https://wiki.personaldata.io/wiki/Item:Q2504>
Roundtable discussion on the draft state-of-the-art report on the use of the right of
access in practice (sent around on 10 December). Participants are invited to read
the report in advance and highlight identified gaps, broader themes, issues and
reflect on the overall value and ideal form for a final version of the report
- Was this document useful?
- Adrianne: good for identifying prior work - used cases on how to use the law - helpful with further projects on the right of access
- Seemed obvious was beyond workshop purposes - not limited to legal text - recommendation: which audience is this report for - this should be made clear
- Rene: purpose is that the language fits this kind of an interdisciplinary group
- recommendation: stand-alone website to make it more accessible?
- Amy: handbook / academic article and it would be more useful to have the handbook format? Explain the basics for non-legal audience for example. Sections exploring positives and negatives and explaining the procedure of a SAR.
- practical handbook?
- Website /
- Interactive / living document: then who's going to update it?
- if this was a page like a wikipedia then it would be easier to update it
- caselaw: links
- Missing: storyline (what brings us together etc) and if it is a report then you can add an appendix
- storyline? identification of tensions - what does that mean? we should make it more clear: is it a finding or?
- Clarification on why particular examples were chosen / why they were included?
- Report is good for guidance for India
- normative impact of the GDPR outside of the EU - being aware of that?
- how do you achieve that? add a chapter or?
- Write something with a very precise angle to achieve ... based on the examples on the document if the intention to publish something. Precise case and explain how it went along.
- For example: concrete steps to take for gig workers - "this is what we did"
- What is effectuated with access rights? Derived - inferred data etc - for example do companies have to give that? but this is actually not a contested issue? Text / the law:
- Article 15(4) missing in slides - third party rights against access rights - in practice the situation is more complex - where the authorities do not have a coherent position that is where we can contribute
- list of these kind of gray areas relevant in the exercise of access rights?
- inferred data
- policy recommendations: what is the purpose / challenges in practice
- separate two big concerns: efficient format to push some goals and there are multiple narratives - journalism academia etc.
- efficiency: appendix and footnotes
- narrative building:
- Tinder should not be a section of itself - it is an example of how journalists use access rights
- purposes: tools - examples and cases
- purposes:
- types of actors?
- public sector - surveillance, migration and private sector?
- cross-border aspect?
- access request: how do you do that in the EU / different MS or impact on the US ?
- Orienting the paper around identification of tensions and themes and use cases as a context for them
- DPA enforcement and decisions: more examples of decisions: what are the trends? what are the problems and how do different DPAs decide?
- Noyb.eu will launch a GDPR wiki page and publish DPA decisions. they are usually not published in all MS?
- you can engineer a case for litigation to make a good case law:
- Reflect on the broader of the problems of the GDPR with future policy recommendations
- Lack of transparency in DPA practices?
- Third party platforms and data controllers - identity confirmation?
- How do you successfully organise group requests? in connection with the request made for example to the Dutch Tax Authority-
- using a tool to connect data subject and data controller - safety concerns? resistance from data controllers to getting massive access requests.
- data subjects are also resistant because they don't think requests are helping them but for example researchers / journalists etc. how do you divert / can you divert your own interest and the data subjects? this means you need to take necessary safeguards that data subjects' interests are safeguarded when filing access requests.
- methodology - best practices
- Clarify: Scope of the report?
- keeping relevant points but not chopping them out
- Different resources (for example)
- DPA decisions / case law.
- Data from access requests.
- Volunteers for access requests?
- networks will / should be different for each resource
Discussion about the State of the Art Report
Rene:
Draft of the state of the art report for use of right of access by different groups. First reason was to get everyone on the same page. Some people are right in the middle but not the case for everyone. This is a broader picture of DAR in day to day matter of all the fields. We have to look at the report and try to find shared themes, what works? What doesn’t work? What are some strategies that we can use to overcome the obstacles? Will these work even if companies don’t respond in terms of finding balance within what an AR is? Useful to get this story out to the general public. I want to ask if it’s useful at all and what can we do to make it more useful? Are there any gaps that can be done better? The idea is to get feedback now and update or fine tune the report at the end of the workshop.
I want to react to what Gloria said, there is a need to work with regulators. This document itself is not meant for that but we can identify things from this report that can be used for the purpose of handing it to the regulators.
Gloria
The introduction makes the purpose of the report clear for the participants. They are open to feedback from the participants about the report about how it can be useful.
Adrianne
It was helpful for us to identify use cases to get insight into the law. She wants to use it for accountability and how powerful it is.
It would be more useful outside the workshop. It’s a shame it is just for us. Also, which community is this for? Because the terms are different for everyone. He thought it was a law journal because of all the terms about law but turns out it is for everyone. Maybe the organizers should change the terms so it becomes for everyone.
Rene:
Yes, the introduction points to the law field but the idea is to have the report for everyone. It is good feedback, but it will also be good if the law community picks it up. Although it will be great for academic publication, but the primary goal is to use this for the people here.
It can be turned into a website where everyone can look at the parts that concern or interest them. It can be made more accessible in that way. There’s definitely a lot of things that interest me but I would want to have it on the website so it’s easier to access.
This is halfway between academic document and a handbook. It needs more introduction about SARs for beginners who want to do SAR themselves. Then, have sections about the positives and the negatives and how they can be used with use case examples. Easier for people to understand how their work will fit in the bigger picture. It is wonderfully written but it should be more useful for day to day activities. One thing missing is policy directions and policy steps.
Paul:
Journalists are probably the best audience for SAR but this report is about all the fields that are doing SAR academic, activist, journalist. Putting it on the website will help a lot for all these people to use it.
Jef:
This was done to put everything in concerned with this workshop. We could not have all the details that are required but of course if we do it on the site we can add however we want. It can be open source and people can add their parts. An interactive tool is a wiser idea. If this was a webpage, it will be easier for user to navigate and link various aspects like case laws and instances to each other. Handbooks will be very helpful but often people fail to update them.
Hadi:
I missed a storyline. It jumps into data too early. If I’m reading it as a report, I would like the foundation to be laid properly. If it’s a report, a lot of stuff can be out in appendix. If you’re interested in all, it will take too much time.
It will be great to have it the way people describe but the way it is right now, it can be very useful to throw it to researchers to see what people can take out of this and build on it. It’s a niche use case for the report but it’s very helpful for his group of researchers.
Gloria:
For me, if I can say, I struggled with lack of story line but the idea of “tension” was very vague. Tension between who and whom? Maybe, that should be defined better so it is clear for everyone.
Adrianne:
Please explain why a certain example is included. Point out which one was successful, what are the major differences between the examples.
Nayantara:
Regardless of the direction, I find it very useful since it has everything aggregated and I can use it for advocacy back home in India. Especially, if it has a web presence. It will be interesting to see how laws here are different to those India. Data portability law in India missed out certain things because people said even GDPR doesn’t have it.
Rene:
What form will help you the most? What kind of extra layers or chaps can help you?
Nayantara:
The right of access creates a situation that all users of internet can use it but I have to prove that it’s me so it removes the layer of anonymity for all users. If these questions are answered in the report, it will make it better.
Judith
It is very comprehensive. Yes storyline is missing but that was not the purpose. I don’t know how we’ll work but if one task in the sessions can be to complete a task of writing using the themes from the report. Maybe, it will be better to be more precise and make something that can be published using this.
Gloria:
What would you want? Something short. Condense it in 2 pages.
Judith
I don’t know what’s going to happen next but if we get concrete things done, maybe those should be published in a 2 page story.
Jef:
So you mean 2 page docs with guidelines for every field.
Hadi:
Is there also some agreement on what we can expect from an AR? Who is the authority on that? Companies can come back and say there are studies showing something else.
Rene:
Portability is different. If there’s a session on portability we can talk about it but for now we should focus on access. Discussing this will make it complex.
Jack:
My point is this is just guidance in the law. Not orders.
Paul:
Focus on access so we don’t get confused and it is not just guidance it is the authority even if the companies say otherwise.
Hadi:
My point was that if you say the authority is a 500 page document I want 2 paragraphs that can be sent to companies if they ask.
Data access and data portability is something new and they are different. Yes we have the text of the law but access has to be put in context, but I didn’t see article 15 para 4 in this which is something controllers have to keep in mind while responding like secrecy of responders. You have variation from practice and its not the same practice for every company. There is a lot of chance for cohesion, the more practice and collaboration will bring clarity.
Rene:
I have a proposal for this. I understand this is a common point. We are working with Michael Veale to get standard access rights. I think it will be very useful if we can put a whiteboard somewhere and collect ideas on things which cast doubt and which need to be addressed.
Adrianne:
Take all this feedback and ask one person from each group on what they want and you can just use this report, take things out and make into a book proposal. “GDPR after 2 years, everything” It will be more useful as a publication.
Gloria
I know these people better and I know they can do much better on the report. I am also very sympathetic towards the recommendations part. I know we can create told by CS for access rights. Companies are developing tools that automatically collect data. We can’t differentiate the policy from the academic matters.
Paul:
There’s 2 concerns, efficiency (use this efficiently and push a goal) and building a narrative. Multiple narratives for activists, journalists and academic. The efficiency part should be a footnote and it should be out of the narrative. Someone has to make a narrative and then pass it along to different fields and ask if it’s helpful. Efficiency is compiling, completeness and comprehensiveness. What has been done after two years?
I love para 30. There is no need for Tinder to be a section on its own. If I was proposing a structure, my structure will be how AR can be used in different ways i.e. societal trends, use cases. The section of examples and researches comes after. It can be left out. The tools are important, and things not related to tools can be left out. Things can be moved around and it can be restructured because it says that we love SAR but we don’t know what it is.
Rene:
2 comments, I agree with the feedback. It went from a list to report 3 weeks ago. I can see the narrative is not laid out explicitly because we did not want to be the main narrators. We wanted people to choose their own narrative. We did not want to give you “Who we are” and dictate the narrative.
In section 2 what’s missing is that we’re only looking at one side. You’re looking at people sending lists but you’re not helping controllers to respond.
Jef:
It’s on page 30. A link to IAPP.
Gloria:
Does anyone have questions regarding the restructuring? What can we add or remove? What would be the main thing for you to cover?
Hadi:
It’s interesting what problems can be used for this. I would like to see how it can be used in different themes? Do it like a literature review and see what themes are emerging.
Gloria:
Is there an issue of people coming with different backgrounds? Outside of Europe?
Paul:
Even within Europe. Because the challenge is between different themes and different people and how’re they doing something even within Europe.
Karolina:
For me the most interesting parts were the one liners between tensions the themes. I would orient this paper around not the sectors but around the data itself. How can individual cases be used for context.
Noyb
I was wondering if someone has mentioned anything about DPA and their decisions. I appreciate the section but I will be happy if more examples and decisions of the past are shown.
Paul:
It seems there are huge inefficiencies. Some people are doing much more than others like Noyb. So organisations that are doing litigation will use more information than what is in the report.
Gloria:
The decisions of the DPA are not transparent and sometimes the decisions are complex.
Noyb:
We have a team that monitors all the decisions of the DPA and see what precedents are set. We will upload all our information on a wiki to share.
Rene:
For us, it was not helpful for us to expand on DPA. We just wanted to give a flavor of what is going on. One outcome of this workshop, how we can get background of your work and I can keep an eye on Dutch and Belgium network and DPA decisions. Then, this report can be updated with that information.
I want to support this. I don’t want to get caught in a trap where DPA doesn’t know what they’re doing. DPA should publish their decisions.
Paul:
Technologies can also make a good case for litigation. What makes a good case is the authority of the country. Especially in cases where the laws of a country apply to someone who the law applies to but they are in a different country. My point is that lawyers can really be helped with this handbook and can collaborate for different cases.
Hadi:
Is there a reason that DPA decisions are not open? I don’t understand why they are not transparent like in the US.
Gloria:
There are differences in law of US and EU. Their data protection is different.
Paul:
In Sweden, freedom of info act are very strong. It’s so strong that the headers of email of public servant get pushed into a public library. This creates a good opportunity for us to interact.
This is a good point on how the GDPR is used as an example in India that GDPR doesn’t do this so we won’t either. Maybe we should look at it as this is something even GDPR should even have.
Hadi:
This is a very strategic point. It can have a huge impact on research.
Gloria:
Recently, they created a database of decisions so that they can access the database if required.
Paul:
I did a FOI Request on that database and it is absolutely catastrophic because it has a lot of DPAs, translations and different countries involved. What I’m saying is that DPA don’t know how to do their job. They say we don’t have money. If they were transparent it will help them a lot and they will be able to do their job better.
Gloria:
Something that is missing here is that when people use volunteers for SAR they forget to anonymize their presentation. They show the name and data of the person who sent the SAR on the slides.
Jack:
I had this comment on a paper of Jef where you do this. I think it’s important to debrief people and get the data anonymously. We should get the data from the people through a repository and not ask them to sacrifice themselves for the good of the others.
It makes me think about an issue that we’re missing. The relationship of doing SAR through 3rd party. As a controller how do you deal with this? Do you give the data to the third party or do you give it to the subject directly? Are the laws different on this? This is a practical matter.
Gloria:
This is a massive concern for data controllers.
Tristan:
I think it’s mentioned in the report where they incited everyone to send a SAR to Dutch IRS. My question is how do you successfully do this?
Rene:
I agree with this. The state of the art report for me was to highlight the problems.
We are doing exactly that, mass access requests. We take volunteers and send their request through our tool. People use our tool to send request and the data is sent to the people back. Then there is a third stage of those people sending their data to us.
Paul: What if someone uses this tool to access their wife’s data?
You have to talk about this to my colleague.
Gloria:
This should be in the state of the art report because it will stop a lot of things.
Paul:
This is very important. Not just for data controllers but also for data subjects. In Brussels, people were advocating for access requests by sharing photographs of people doing ARs. We have to look at how we handle the data of subjects because subjects think that sending access requests is for us, the researchers but not for them. The reality is that we are trying to make a business model of some kind around access requests.
Amy:
This will be a very good break out. To have a good practice of how to do mass access requests.
Rene:
I think there is a lot to discuss with Jef because there is so much here. I’ve a specific knowledge background and it makes sense to put data in the document in a way that it makes clear what the document does not do. I think the legal part goes out or be more clear. Have a clear goal and not just cases of what is being done. This new perspective was very helpful because we think we are lacking that for now. We know it’s very limited for now so there is a lot of scoping to do to define what it is and what it’s not. We do have a lot more stuff that can go in. The one liners can be explained for the next time.
Some of the things can still stay in because other people might be interested in things that the majority aren’t.
Jef
I am still on the fence even after this conversation. Whether this should be a repository of info because if you wrote with a clear narrative it might be more readable but you miss things. I would still like to have a repository of cases which others can use to build their narrative. I want to make sure other people with completely different perspective.
Jack:
Obviously add your own idea in the report.
Gloria:
Some parallel breakouts can result in textual discussion.
Jef:
The document is open for everyone if a breakout session comes to something that can be added to the report, we are open to it.
Rene:
We can see if it can be changed for now or integrated with an output of this workshop.
Hadi:
A lot of stuff here can go on a wiki and it can be made sustained
Rene:
Of course. There’s different type of stuff on here, cases, ARs and I think it will be great if for some of them we can come up with an open shared resource.
Paul:
There are different resources here and for all of them there are different consumers and contributors. If you look at it this way, you can make it better.
Jef:
Breakouts will be around themes right after lunch.
### Parallel Breakout – Academics
Rene:
Wants to look together at the space academics want to go to. We’re very diverse in terms of answers we look at. The industry about tech/internet measurements is very interesting. Are there common questions between the different fields? What are issues that we collectively want to look at?
Is it more in terms of what our own research challenges that should be addressed?
Research on AR has 2 sides. Research about right of access and using right of access as a research. We should make these possibilities explicit. There’s also research using AR to explore right of access.
Splitting up the 2 themes. Let’s start with the right of access. One research theme that I hear about a lot is that there is a lot of focus on how the right of access is being used by different groups but there isn’t much focus from the controller’s perspective? We feel that the controller’s perspective is lacking.
The ICO call is guidance towards that so that it’s not just lobbyist driven. One discipline is surveillance studies. A lot of research into this goes into companies by going into companies to analyze both employer and employee. Most people are not aware of AR in terms of surveillance studies. We should understand the surveilled as well as the surveillers. The challenge should be solved along with the surveillance study community. The method used by surveillance studies people is taking ethnographic methods and applying them to rights of access.
The reality of practices inside organisation has sub disciplines, management or the actual practices. The methodology comes from understanding organization. Is adtech scaled to the complication of all these big companies?
Do we also have more legal questions, like the discussion on misuse of law for fraud? There are a lot of security questions in tech research. Is there an overlap? How do companies reply and does it fit in legal aspect? Yes, because we are obliged to identify data subjects and the justifications by org are legal arguments. It’s a legal challenge of compliance for both org and subjects. So the tensions cross across all these fields. Releasing data can raise risks for organizations and then what does that mean for researchers? Data controllers can ask for passport and you can ask why? And they can scan it and keep it. You ask why and they won’t have any explanation but if you want the data you have to comply. Also the common thing is the automated responses. You have third party who ask organisations that they’ll take care of responses for org. So there is difference in these approaches. If these are automated on both sides subject as well as org, then it takes away the essence.
It will also be interesting to see what these tools actually do. The tech question is what these tools do and the legal question is what is received and is it in compliance? There is also very little research on download tools. If it’s automated we can use article 22 to get more info. The law brings about new approaches and there is always a nice coherence between academic and law.
Looking at the research that exists. Is it interdisciplinary? They have interdisciplinary aspects but what is in the collective space? There is tech that improves and draws it and there is law that leads it. How do you use a third party and how does info flow between these three parties? Can CS jump into this at the start i.e. is there a need for such tool.
There is also a difference in terms of what research we can do right now and what can we do if we had more info. There is always data collection and analysis comes later.
The major gap while talking to legal is how to prove that they have personal data about someone if they say they don’t. How can we prove them wrong? Tools and guidance. Tools for collective and emails for individuals. That required guidance i.e. the handbook. So yes we do have some answers but there is still a lot of research that has to go into situations where we know they have our data but we can’t prove it. How do you write it in an email that I know you have data on me and how do you prove it?
Where are the security gaps in this? What tech proofs can you have to tell that you have certain data but that needs collaboration of tech people with less tech researchers. Same goes with legal questions but what do you do when the company asks for your passport? A tech person might not know but a law person would know that it is not right. So research is needed into this inter disciplinary.
An interdisciplinary platform will be very helpful that is tested by everyone i.e. academic, tech and lawyers. EDPS current is very complex. There should be usability testing. These tools require too much tech understanding so there should be usability testing.
The idea of looking forward, having to show what the engineering will look like. How can we make reproducible access right experiments? Something built in UK can it be used in Belgium, Netherlands etc. If it’s science, it should be reusable.
There is a benefit you can’t have data controllers say it’s too hard because there is a prototype in UK so it should happen here too. A lot of controllers that require data to be sent but not receive data. So we can set up a proxy DC that receives data from other DC. We can use the same procedure not just for reproducibility it’s also good science to have benefits throughout. The legal side i.e. should they even reply to such request because it’s not a normal subject. They might think it’s just a guy messing with us? The end goal is to have reproducible experiments.
It will be nice to look at what type of questions can be answered if we had the big data of access requests. There were more than 200 AR in the room but can we pool everything together? What RQ would you do if you had 2000 responses? If it’s 2000 to different controllers is nice. It will also be interesting in having 2000 requests to same controller. You can see how many average hours one person should have to get a response. We want to know whether people are lying? An example project can be that Fitbit data is tracked by yourself and then you ask Fitbit for the data. Then you can compare the data to see if it’s the same to verify. Legally, it is interesting but focus is on people to get the data. There are various things that can be tested depending on the field. People are interested in knowing what they know but also what they do. How do they rearrange the data? How they do is what tech they have and what they do is their policies.
Has anyone ever made an art 22 request? Rene has. Found sth that was fully automated. It can be a one paper with one direction because art 22 is a right that people should not be aware of. No point in talking about it since it’s too complicated.
How do we talk about ethics?
Jef said there are no new ethical challenges but we believe there needs to be more ethical guidance otherwise a lot of bad research will be done. Reproducibility is documenting responses from different points and using them. It should be told that you can’t just scrape social media because it’s illegal but also unethical because subjects don’t want it. The law says you can if it’s within ethical standards but we don’t have any ethical standards yet so we need new more ethical standards.
One obstacle is that we don’t have enough data. From a tech POV it is very important to have more data. If we can share the data WITH GUIDANCE it can be very helpful for everyone.
What are the obstacles to sharing?
It’s personal data. If you want to do a good analysis, you need a good spread you need personal data. If I have 200 AR I would not want to do that because it’s personal data.
Would you be willing to do it if you have a description of data without the actual data?
Depends on the RQ that you’re tackling if it can be answered through anonymous.
Maybe we need a standard for meta data sharing.
People are unwilling to share data because it exposes their research practices. Even if they do they can’t answer questions about it. If you have a standard of list of things you need to do before you start the data collection. You can tell that we require certain things from the data sharing. Most of times people wouldn’t want a standard because it won’t help them in answering their questions.
Can we overcome this? Would people in this room be willing to share the data?
If there were guidelines, sure we will. If you had a paper that said 10 simple rules to use AR which can serve as a standard. We can ask AR researchers to follow this paper and these steps.
Would the infrastructure be limiting? If someone is following the rules will it hamper their research? These rules will be about data management. If we’re sharing meta data such that it’s anonymous.
People have done 100 requests by just mail using their own methodology. You can use the mail thing with a beautiful method so it’s easy to track.
Are there translatable rules that can be used for sharing data that it helps researchers across fields?
Cyber crime centre gets data from cloud services about when org have been attacked. Researchers can use that data. There are other research areas with different rules. Researchers had collected data about people and anonymized it. If people collect data and share it, anonymize it themselves its fine like people who participate in life logging. It should take the form of citizen science. You have to focus on the fact that there are aspects of ethics when researchers are handling such data. Otherwise, we can just use citizen science repositories, but we shouldn’t be that community. The agreement is that yes there is potential in sharing.
We will do another workshop tomorrow to give people post its and see if they will be willing to do it themselves i.e. the sharing. We can then break the group and ask people to start tagging an AR of their own to see what data will be shared. We have to come up with a semantic of what data can be shared. Jat is interested in the workshop to get the ball rolling for sharing. The point of this will be to what can be done with the data i.e. figuring out the data flows between organisations.
Should there be a list of questions that can be answered through sharing? How can you compare AR across the globe? The RQ is about compliance with law across different sectors.
Another question is how are people classified by the companies? You don’t know how they are classified by the companies. The other question is to see people who use privacy tools and those who don’t is there a difference between them. Do the things we tell people matter?
Other obstacles/Enablers:
- Enablers is having this community to be able to ask about other’s experience and to bounce things off each other. To compare our responses with people who have done way more AR.
Is there anything stopping us rn from this?
We can meet many new people from workshops but there is fragmentation like legal framework differences between countries. We can have the infrastructure that enables this study. Rene and Hadi did the same AR to Canada and EU and compare. This is something that is missing. Obstacle in terms of what one country researcher can do and what another can’t. We have to sit down and coordinate.
Example of practical use of AR and differences in data.
- Different DPA asks for different info. If you ask someone who used another DPA wouldn’t know about the practices of another DPA.
- There is scope now to do different studies for different member states. Now we have people from different dpa and different countries so it enables us to do a comparative study.
- 100 ARs to similar DC and similar companies in different x countries. Then data can be combined to see differences. Do better than the book unaccountable state of affair.
- Enabler is GDPR makes everything free for the first time. One study where one company asked for money.
- People are interested in quality for usability. Have data from different taxi companies and compare.
- Data sharing will enable such studies and building a repository can really help this study. We can get benefits from this study. One infrastructure can help everyone on it. New researchers don’t have to do it again instead of ad hoc doing everything from scratch. The first study will be important with a small AR. Companies like IKEA, multinationals, banks, super markets etc.
- Can we convert our likes from twitter to endorsements for linkedin?
- I can take my shopping history from one town to another.
- Supermarkets also have face recognition and they get a lot of data from there. Camera saw a kid and a message came up that are you sure you’re 18. An AR will tell us for sure if they’re collecting data.
- To wrap up, sharing will also bring trust. You can call people up and ask their opinions with sharing the data.
### Report back after Breakout
Journalists:
- Goals
Accountability through public awareness
Obstacles
- Divergent interests source
- A lot of time doing AR. Each request has a lot of back and forth
- Lack of expertise Journalists leaders Dc don’t have expertise. Get your own data get data from friends and do stories on that
- Aggregated data is hard, blind spots, everyone wants to do it. Interested in collective data and crowd sourcing
- Overcoming apathy: people feel exhausted by the topic of privacy. People feel they can’t do anything about it and they shut down.
- Non-compliance you send a data request and company says no
- Demographic Representation – All whites, all from a certain set. Can be hard to reach out to other communities
- No roadmap: different laws that make govt agencies complied to FOIA requests and people have been doing it for govt companies. GDPR isn’t like that. Journo feel in the dark because they don’t know how to use it.
- Need best practices
Enabler:
- Data download tool – obstacle because companies can deny. Enabler because it gives you a lot of information and get data very easily.
- DPOs sometimes are more compliant.
- Tools like PersonalData.io are very helpful
- Tipsters are very helpful due to crowd stories. People who had inside knowledge
- Experts lawyers/ privacy advocates people who can tell you what to do.
- Consumer/community advocate: helps with communities that are not reached out
Trends:
- Newsrooms have started to ask data donation requests
- Laws are passing about data rights
- Capitalize on Silicon Valley discontent: people have started to have problems with their employers. And they are talking to journalists more. Employer got file from Google and tweeted about. The sentiment is shifting and it can be great.
Question: Is there a better term for data donation?
That’s what journalists use. It has many shapes, Chrome extensions, organisations that have dataset or individuals that give their data.
This is a paradox because we feel that people should not give their data. It’s a feeling because journalists are always predatory. Someone has to be a victim.
It’s voluntary. It’s opt-in. People do it on their own. People are informed enough to say that they give their own data. They’re not coerced.
If you get data from 1000 Uber drivers through a union. What can you give them in return? Can you promise that you won’t access their driver history?
We can ask them to remove such things but we cannot make such a promise. We can figure out a way to get around this. It’s a problem with mass collection. You need to know specifically what you’re looking for. They get data that they want and the rest is not required.
Litigators:
Trends
- Interested in inferred data in context of ads and recommendation system
Goals
- Verify the compliance of the DC, responding to AR
- Extra evidence or reinforcement of sth unlawful by controller
Obstacles
- Incoherent doctrine diff dpa diff approaches diff standards. Some accept whatever the DC tells them. Some will dig deeper.
- Clarity of the law – info that is revealed to subject should be related to data of that person. Every bit of unclarity is going to be used against you by controller. Response should not have to relate to the subject but can relate to the process. Some dpas accept this
- Identification and verification especially while relying on cookies. If different people use same pc. Requires national id in this case. One company looked at meta data of a file that someone else created for a subject. The company looks at the file and the author was someone else and used it as an argument that third party had access to the data so it’s risky. Company can get away like this. How do you find such cookies?
- Any third party rights can be used to leak the company’s secrets. They can’t tell us how they categorize people because that’s a secret.
- Privacy by design – Apple won’t let us see Siri data because the design is such that Siri data is not linked to other data.
- Companies will do anything to not reveal anything
Enabler
- The right dpa and filing a complaint against them
- Document every step on the way
- Create a narrative – tell a story and tell everything that you have gone through and it will push the company to respond and dpa will take your side
- Focused request. – when you care about particulars, make it clear in the request.
- Better to have 5 different complaints about different data than to have one complaint with different aspects
- Processing – while we wait
Why don’t journalists become litigators because they have a story to tell? It taps into 15.4 because people can benefit from the story it balances human rights in general.
Would journalists be willing to become litigators? Would you be comfortable making a story, being a complainant.
Journalist might feel it’s free labor because I will be the face of a case using my time for the NGO.
Strategic litigation relies on free labor.
It’s part of roadmap that journo sue the govt because of transparency.
Convergence with journalists. Individual willing to overcome their professional journey and be part of a story. A pursuit of free labor will not be considered. It’s better to have a trust relationship before committing to sth like that for a journalist
Also a way to use a good story for litigation.
If you have a big guy doing an AR, companies respond better
Activists:
What
- Facilitate info sharing
- From India, use SARs here to Indian companies
Obstacles:
- Lack of resources
- Legal retaliation against reverse engineering
- Engaging ppl and outreach – diversity
- Poor connection with litigators
Enabler
- Good Connection with journalist
- Funding – if you can get it
- Online tools
- Licensing of data as CC0
- Decoupling systematic and (personal data – data flows) helps make better collutions
Trends:
- Duplication of effort
- Giving up on SAR
- Spinning from instance to another. From political party to next thing relevant to subject
- Building communities of SARs
- Co-option of DAR in India not a threat because no data access
- GDPR impacting other countries’ legislation
- SARs are working too well in a sense in some cases - ppl become protected and don’t share data. It’s a problem when an individual does it
Academic:
There is an increase of research based on SAR.
What is missing?
- Controller Perspective what they expect? Sociological perspective on why they have a hesitation? There should be knowledge on how a response is made
- Demonstrating difficulty of access – different uses for experts and average people
- Are controllers lying? – can there be ways to test if the answer of AR is right.
What can you do with More Requests?
- Map of data flows multiple AR responses pool together can give us a map
- Comparing over time
Methods:
- FAQ on law for tech/ basic primer for tech ppl – so tech ppl can know how to tackle legal aspect
- Ethical guidance –
Obstacles
- Sharing data – need of standard – need of tech infra
- Guidance on ethics and reproducibility (reproducibility in terms of what we measure and what we answer)
- Legal fragmentations – different DPA Guidance (Belgium dpa says it’s ok to ask for verification in terms of national ID)
Enablers
- Having this group or this workshop (1 sharing proposal can make it stronger and 2 easier to set up research together like journalists and litigators)
Let’s say we have infrastructure to share data, what should we do with messages that contain names and how can we deal with collective work? Should there also be tools that anonymize this data?
The guidance and FAQ can help with this. You just share the topology not the actual data or work in smaller networks to share data with limited groups.
Will we become a data controller then? Yes
Similar to become data donation for journalists. You become a DC because you handle the data and you process it. Will have legal responsibilities.
Aim is to have a bilateral contract with people sharing data.
Dc is imp for research is to show responsibility and to understand how DCs work.
Even within companies there is tension within people who are pro privacy and anti privacy.
One response “I cannot motivate the developers”
Companies don’t think it’s worth investing in data tools.
### Parallel break-out sessions 1 (Thursday 13:30 – 14:30)
Template:
1. What
2. Obstacles
3. Enablers
4. Trends?
Complainants
Previous SAR Experiences and how you use them:
Ala - experiences:
- General approach: They requested everything, usually without a specific focus on the category of data. SARs used by noyb not necessarily to find out how authorities / controllers comply with access requests or to exercise access rights but to use the data as an evidence to exercise other rights.
  - Art 15: controller to explain the purpose plus the legal basis for processing
Category of data – processing based on? And purpose – serving ads
Subject access requests 170 SARs: got the data from requests filed by a third person. There were also requests that aimed at finding out how entities in the AdTech environment track data subjects and to draw the road map of data. Based on this information, they turned this into a complaint, focusing on the legal basis of processing.
For example, taking the consent – the way the consent taking valid or invalid?
Karolina asked questions on the methods to be used in filing SAR requests.
[Addressees and identifiers]
How did noyb identify the companies that you reach out to? What kind of identifiers did noyb use and what kind of response did you receive?
Third party had his own methodology to identify data controllers – cookie ID as the main identifier. Not clear how that cookie was the valid identifier.
- How much effort did it take to ensure compliance with the access requests?
- Depending on who makes the request you get different kinds of responses?
- How often did you get useful responses? 40 out of 170. Some included: Glossary: legitimate impact assessments, kinds of data (location, IP address)
- What were the actors involved? For example – file a request to a newspaper and they relay it to their advertisements. Some companies say we are the processor, and not the controller and then you go to the privacy policy and then you can argue / establish they are the controllers
- Another way they use SARs: have a data subject and make an arrangement with that DS
Jef - experiences:
- Twitter and FB: both related to tracking data
All hyperlink you click go from … and they say not personal data. Then, file a complaint with the Belgian DPA.
One aspect to consider when filing SARs is 'restriction of processing'. When you ask for an access request, on the side, you ask restriction of processing but it is usually ignored.
- Apple: access request regarding Siri data and they said it is not personal data because it is not connected to your Apple ID. But it can easily be re-identified. They say that it is a privacy by design measure that it is not connected to your Apple ID. Voice recordings attached to calendar etc.
- Belgian DPA case against FB: before they changed their Privacy Policy: mainly focusing on tracking of non-users and when you are logged out.
Hugo - experiences (Complainant perspective)
Twitter: started to push naked photos of women. ‘you might be interested in’ feature that shows someone you don’t follow. The aim was to know Twitter processed the data that the result was to be shown photos of nude women.
- He was sent a list of interests inferred about you that you did not see on Twitter interface. He did not make a case out of it in the end but photos stopped?
- Contextualize – another right affected and connect it to a personal story etc then the access request can be useful.
- Access requests usually against police or surveillance systems and helping usually during the litigation phase after filing a request.
  - FR – public bodies: depending on the type of authority and access: through CNIL or directly
  - Or court system
- Access rights are also complementing and contradicting with other rights
- If you go through CNIL for example that could be a way to go around the trade secret arguments by the companies
- Against companies who don’t want to share the data then you go to CNIL and
- When CNIL receives a response from a company, what happens in the private sector? CNIL usually say not much useful?
DPC requests: Google replied to the SAR directing them to the tool for access request.
In SAR DS specified the data it requested (cookie IP address etc) Google said it was too general.
Complaint against FB: Jef did not get a reply and another journalist with whom they filed the request with got a reply
- copy pasting privacy policy even though you deliberately mention no privacy policy. Who have you shared my data with? Almost never you get a reply on that specific request.
- Art 15 list of information ‘the personal data’ – copy of the personal data – not explicit as you would want? It can be counterargued and find arguments as to why art 15 should relate to you as an individual – not in general what the purpose is – processing relevant to you as well as the sources of data
- concrete data with concrete legal basis. Art 13.
- There are also cases where table on categories of data, legal basis for processing, who received it etc are provided as per your request
Corporate arguments that use any kind of vagueness for non-compliance? For example arguments against anonymization should not be seen as an erasure.
Karolina – obstacles
- Identification, if you don’t use a proper identification most companies don’t comply because they say you are authorized
- Request for Polish journalists – Excel sheet of cookie IDs she prepared the draft and the complainant filled it out. Looking at the metadata of the Excel sheet the company argued that a third party is involved in the data so they can’t share the data with an unauthorized person. They also said that they (Panoptykon) weren’t officially representing the data subject. If the DS had an account on the website then they would be able to verify that they were her cookie.
- Art 11 is also raised as a counter argument - they are not obliged to collect that data?
- Even if we knew that person that is inferred data and it shows how we profile and it is a trade secret ?
- DPA
- Obstacles and enablers:
- Finding the right enabler - CNIL not a good example for example because they leave the complainants in the dark but at least they will give you useful answers
- Find French data subjects – who can use CNIL – and make DPA consent and then they cooperate with another MS DPA –
- Use cooperation mechanisms x urgency mechanisms if you are not happy with your DPA or a DPA that is known for good practices - Austria
- Creating a narrative – not just enforcing your ‘right’
- If you want the inferred data, then specify this on your request – not just general remarks
- When companies argue that what you requested is too ‘general’ then you can make your complaint more specific
- Strategically you can file for example five different specific requests against the same data controller
- Duration of responses
Obstacles:
Incoherent doctrines among DPAs / unclarity of law
Identification and verification – finding the right identifier
Obligations and limitations based on Art 15(4) – third party rights
Privacy by design / confidentiality and control
Lack of meaningful response – response relating to the data subject filing the request
What – verifying compliance
Extra evidence, reinforcement of the argument
Trends: inferred data in advertising and recommendation context
Baking data
Journalists:
1. What
2. Obstacles
3. Enablers
4. Trends?
Lack of expertise:
Aggregate data: GDPR journalism
Getting people to be engaged, especially those from underrepresented communities
We know the FOIA but we don’t know the GDPR
Do it ethically: best practices
Data download tools both an obstacle and an enabler. They just relay you to the data download tool but it is also useful because you have access to some information
Enabler: DPA
Big stories come from tips not from data collection… Experts, lawyers, people who know what to look for and where
Trends: ask for more crowdsourcing and data donation (another term?) requests
What shape does data donation take? Chrome extension? It is usually people giving you their data
Aggregate data requests only work if you know what exactly you are looking for
Different DPAs have different approaches: some will accept whatever the company says and some DPA are more investigative: CNIL?
Unclarity of the law: relationship between art 14 and art 15 – data that you request should relate to that person
National identification necessary to comply with the request
Complainants
Suggestion: for creating a narrative and Art 15(4) and third party rights: use journalism – public interest etc
Would you as a journalist use this approach? It is something like free labor: using my face for an NGO? Journalists want to overcome the obstacles but become the litigants. Then it brings a narrative to your case and authorities take you more seriously.
Activists:
Data controllers don’t respond
Forum shopping and territoriality
Licensing of data
Increasing research on the right of access – empirical and sociological research included
Not a lot of research on the controller perspective – legal as well as technical perspective. There is a certain gap of how controllers respond to such requests. Generally the conception is that the right is not working.
Are the controllers lying? Is there a way to test whether the controller is actually complying?
What can you do if you have more requests? You can then make a map of general data flows around the world – compare over time and different jurisdictions. Then you’ll have a lot of questions on data economy.
Methods: this is also one of the reasons why there is not much research. The tech side and the legal side need to communicate and there should be ethical guidance. Lack of it might cause chilling effects on future research if research is not conducted in a questionable manner from an ethical perspective.
Sharing of data: ethical and legal questions
Reproducibility - shared standards and infrastructure – guidance and FAQs
GDPR: legal level – different implementations, DPA guidances differ
### Parallel breakout session - Thursday 16:00 - 17:15
Identify use cases
Actors, aims, expertise, methods
Who are the actors involved and what are the expertise needed and what we want to achieve
#### Case 1. Is my phone listening to me?
1. Privacy issues: is our phone really listening to us: to whom do we make a request to find out more about this issue?
- Actors: Alexa, smart TVs, Android apps
- hardware / software
- Google apps – it is very easy to activate
- how much would come out of it based on access requests? Meditation apps, Facebook, API embedded in the app but sometimes it is not easy to make the connection
- it might involve several actors from whom requests can be made: platform, app developers, hardware developers
- some app is listening to you that is connected to your IP address but FB for example is not going to reveal that. The way APIs work, they just integrate it to their systems. For Google it might be easier because they are the hardware provider? Google also runs RTBs – massive amounts of data.
- Expertise: Then what kind of expertise do you need? You need to be able to map the data flows (man in the middle) technical expertise?
- Accidental recording: when you hit record inadvertently
- Google Home and Alexa recording people having sex – similar to not realizing you hit the button, the device thinks you’ve activated it: voice assistant ‘triggered’ accidentally
- Ideal world: people would tell us that this happened and then we would look at their phone, which apps are common and look for suspicious ads from specific number of people?
- Case: usually the phone has FB and messenger app and when you delete the app the issue is gone
- How do you file an access request? From whom do you request the data? Google and amazon: you can listen to your voice recordings
- There is a group where it happens unintentional and also third parties involved and that is how they will avoid liability. Probably FB getting the data from a third party.
- Purposes: ‘Spouseware’, copyright, profiling:
  - Enforcement: crowdsourcing, people reporting / volunteers and run an app to see what’s on their phone, HTML / proxy of traffic – apps: SAR
- File SAR to: apps
- Then what happens when all this data is collected, where does it go to? Google –
- OR: using traditional investigative methods to tackle the ‘is my phone listening to me’ issue
- Strategic benefits: So you filed an access request: what happens then? In the end you just see ads? And litigation? Problem is, being listened to without consent. Awareness raising? Cultural perceptions of being sneaked in.
- Then the solution will be that they will automate it and no one will listen – avoid liability.
- Being informed – consent
- Home assistants -
Tomorrow – next steps: come up with a plan
#### Case 2. Facebook non-user profiling
2. the other question would be Facebook profiling non-users / when you log off – to what extent? If you are a non-user how can you request your data? What would be the procedure like if we want to make an access request?
- What are the access rights’ role in relation to this?
- Delete FB account, delete it, make a new one, your friends on your old account requested
  - Actors involved: FB: Fashion ID: you can also connect to the website with FB plugins as the co-controller and then if a lot of people do that then websites send the access request to FB, it might be a pressure.
- No easy way of filing an access request unless you have an account
- How do you file a request if you are a non-user?
- What does FB do with the data / accounts of dead people?
- Spain: if someone dies, people de facto related to you can access your data?
#### Case 3. Supermarkets FR
3. AH – supermarkets: facial recognition/AI systems in self-checkouts
- Carrefour (BE) asking ‘are you sure you are over 18?’
- Tech vendors
- Purposes / aims – accountability and awareness, journalism story
- Expertise required: legal, journalism
- Methods: volunteers, SARs, experiments, interview of security vendors
- Location apps: traffic – direct you to some other route but actually not they are just testing: access request – the reason you took me through that route: is that because it is faster or because you were testing?
- If it was testing, how would people react? But can you make an access request on that? Purpose – you want to know the purpose for which they use their data?
- Women sent through dark alleys or directing people through certain routes. point – data processing has impacts on you but access request is not going to be very helpful with that? Hard to make a case
Interplay between research and litigation.
Parallel Breakout
- Usecase 1: the debt collectors of Switzerland.
- Usecase 2: Genealogy companies or historians for dead people but the Vatican gives information for descendants of their forefathers who were dead. Ancestry.com is the data controller and they have data that I didn’t provide but my sibling did. How do they balance data rights of a sibling against a person?
- Usecase 3: Amazon has much more data than they tell (clickstream) because they personalize every instance of their site.
- Usecase 4: Make a successful data portability to transfer data to the subject directly. To involve legal and technical people for lobbying. Limitations on data portability in the scope of the law. You can see the problems of art 15, the difference is that you have more uncharted territory and it’s more difficult. It is easy for DCs to say no in this case.
The use case of interest is the clickstream one.
Actors: Customers, Researchers, shopping.eu, NGO (that helps file complaints-offers legal assistance), DPA
Aims: to highlight discrimination, ask for more access, make shopping.eu compliant, prove we’re getting incomplete responses, get complete response, prove non compliance
Expertise: tech, legal analysis, participants from different member states, schemes that are used are foolproof and compliant.
Shopping websites use personal data to give personalized experience but they discriminate based on users.
Group A
Does my phone listen to me?
- Major issue for society
- People tried but couldn’t answer this question
- Can we have an AR to whoever is listening
- If you manage to prove that at some point, the phone is listening to you, a lot of data can come in.
- People did studies for facebook but the conclusion is that they’re not listening.
- Try and find out the purpose. Is it for ads or spying?
- There is also an example of the camera being turned on every time you’re using an app with camera access
Access Request by non-users of Facebook
- What happens when a non-user sends an AR to a platform?
Are supermarkets using facial recognition or AI to detect theft on self checkout?
- New messages come up when someone else uses a card of a regular user.
- Interesting for many people or users
- In UK they also have screens to see right in your face?
- Amazon’s London store that is fully automated and digitized
Group B
Smart Cities
- Another term for big brother surveillance
- Actors: municipality, police, security, citizens, vendors/service providers, Uni that help with smart city research, Marginalized groups, Immigrants, tech, non-tech and govt itself.
- Raise awareness among public servants
- Opportunity: extra information source, comprehensiveness, FOIA requests to these cities
- Relatability to citizens
- Expertise: tech, former experts who worked on smart cities, legal experts, Toronto Citizens, Security Expert and industry expertise
- Priorities: Mapping the system through FOIA and gathering data, identifying actors and data subjects like transit authorities, find an ally inside, share info strategically, identify obstacles and overcome them and define the wanted (what are the desired findings and desired outcomes, do we want smart cities to stop?)
- There were 2 themes: 1) thinking about harms (important to find something that involves harm and something that relates to us right here, so they looked at employer surveillance, think about interconnectedness between smart cities stakeholders)
Group C
- Govt use of data, real time bidding, unnecessary identification, dating apps, health info, facial recog, credit scoring and banks
- CCTV cameras and biometrics: interested to see how data is returned other than a text-based system, like a video, what processes can be done on the video
- Actors: Law enforcement, system operators
- There is also other people’s data with ours in a video and hence it is valid for companies to deny. They will use that excuse to deny the AR.
- A person has walked around Amsterdam and there are cameras. Can they make an AR to command and control and they’ll tell me it’s really hard but on search engines you can put in your picture and get related data? In Amsterdam, a site had cameras around Amsterdam and a Bits of Freedom employee walked in front of the camera and then used facial recognition to identify the camera and now the site doesn’t allow zooming in too much.
- If you’re refused entry in a place, you can ask for more data on them. They will also ask you to specify the time you were at the place so they can have a reasonable time frame and realistically identify us.
- Schiphol: “CCTV online but your privacy is ensured. Wifi and Bluetooth tracking but privacy ensured”
- We have older ARs to Schiphol; we can use those to make better ones now
- Credit Rating: Risk based society
- Actors: credit score agency, loaning/banks companies, phones+people sharing data
- Aims: understand the parameters
- Risk based is applied to a lot of other themes, to go to a larger ecosystem than just one
Direct Marketing
- Look at sites that you only visit once but they still keep tracking you
- Using GDPR and other similar directives
Schiphol can be very interesting because people from other countries use it. Polish and UK people can also use it.
There’s already much going on because we have to take off shoes and open bags. Last time the AR resulted in Schiphol saying we don’t keep the data, we delete it in 3 days. They redirect you to a nonsense website. It’s about keeping track of responsibility.
We can also look at body scans over time.
To differentiate, we can look at what’s actually required for security and what’s redundant.
Group D:
- Usecase 1: the debt collectors of Switzerland.
- Usecase 2: Genealogy companies or historians for dead people but the Vatican gives information for descendants of their forefathers who were dead. Ancestry.com is the data controller and they have data that I didn’t provide but my sibling did. How do they balance data rights of a sibling against a person?
- Usecase 3: Amazon has much more data than they tell (clickstream) because they personalize every instance of their site.
- Usecase 4: Make a successful data portability to transfer data to the subject directly. To involve legal and technical people for lobbying. Limitations on data portability in the scope of the law. You can see the problems of art 15, the difference is that you have more uncharted territory and it’s more difficult. It is easy for DCs to say no in this case.
Shopping websites use personal data to give personalized experience but they discriminate based on users.
- Actors: Customers, Researchers, shopping.eu, NGO (that helps file complaints-offers legal assistance), DPA
- Aims: to highlight discrimination, ask for more access, make shopping.eu compliant, prove we’re getting incomplete responses, get complete response, prove non-compliance
- Expertise: tech, legal analysis, participants from different member states, schemes that are used are foolproof and compliant.
- Priorities: Non-compliance in different member states, launch litigation that goes outside of privacy to competition or antitrust, can we make this foolproof idea applicable to other domains like adult websites, Pirate Bay etc
- Incomplete AR can be a double-edged sword
Clarification on the idea:
In this case we analyze amazon.com and we are looking at how different persons will get different recommendations based on how people use it?
Tech shows the discrimination, but to show the complaint we have to do a SAR
The shopping website will say that there are third parties (suppliers) who set the price and it will be even difficult to pinpoint availability, so a SAR will be helpful in this case.
If we find non-compliance from the shopping website, it’s on the shopping website to prove that they are not compliant.
The researchers start with no history but still get different recommendations.
How would you defend these fake researchers in court? – have bailiff sit so they can tell if the method is right or not.
The interface tells you that we don’t consider past activities but its still being used in this case. Either they lie or they have to accept what they do.
Some people did it on Amazon.com and found there was no difference in prices, but they found something else: that Amazon pushes their own products. A SAR can help understand the process.
Voting:
Anonymous Voting
1) How to SAR Facebook as a non-user?
2) Supermarkets
Day 2
---Information/Knowledge Sharing---
The idea is to have all the different groups in the room who have done AR. As a researcher, we want to know what AR others have done and that will also be helpful for others. There are a variety of use cases. We want to have a system for sharing information about SAR and to give shape to that idea we have this workshop. It can only work if there is a consensus and a collective need. There are three questions that have to be answered on post its handed out:
1) As a [role], I would like to access a collective database of SAR-responses [or parts of SAR responses] with others for [use case]
2) As a [role], I am willing to share my SAR-response with others so that [use case]
3) As a [role], if asked to share, I have these concerns [concerns]
Later in the workshop, people will be split into groups and they will tag their own SARs.
----Parallel Breakout Facebook Group----
The goal of the session is to look at the Facebook use case and make solid aims, i.e. make them concrete and come up with an ideal methodology on how to formulate a SAR in this case. What problems should be solved now before solving the problem? Should we focus on only Facebook or non-users of any service? The problem is the difficulty of sending a SAR to Facebook and getting a response, and we have to derive a solution. We will work on a strategy for how to get data from Facebook. We will also try to document the strategies used by Facebook to show them to regulators. Do we want to do the best practice? It’s nice to have the long-term perspective but for now we should be doing stuff. By doing we’ll get to the ideal case quicker. In addition to what was said, we will also try to have a frame where everyone understands what the workshop tried to do. We will want to have a tool to make SARs and share the responses. In this session, we should converge on the methodology for the most effective SAR. It is not about how the tool can become effective; rather, the methodology used by researchers should become perfect.
Options for methodology are, 1) to get our data back or 2) to understand what Facebook is doing. Why would people SAR Facebook? We want to prove that even if you’re not registered on Facebook, you still have rights if they have your data.
As a non-Facebook user, I want to know if they track my data. As an ex-Facebook user, I want to know if they’ve actually tracked my data. It’s not just about proving rights but also to see how they’re processing it. Facebook sent e-mails to a person who didn’t have an account. People wanted to delete their account, but Facebook would send them emails and ask them not to go. As a researcher, I am also interested in other platforms like Ancestry (DNA) which track me without being subscribed to them. Facebook also tracks through cookies and so you don’t need an account for that.
This case is not about registered users, but this is about cases where data is collected from other sources by the company. When you accept a cookie, you accept Facebook. A problem with cookie tracking is that a lot of websites are not compliant on that end and so you still have that kind of tracking. Will Facebook say that they don’t have data from cookies, but will they deny it? It is classified as Audience Network when third parties use Facebook infrastructure to place their own ads. When we use these services, we become users of Facebook.
Facebook defines non-registered users and they can show them ads and they know what websites this non-user has been to in the past. So we have three distinct reasons to pursue this, 1) what FB is doing 2) we want to go beyond FB into the genealogy scenario and 3) use FB as a test case for that and we can demand data from companies we’re not registered to. All ad-tech companies are like that, i.e. you’re not registered to them but they still collect data. Paul got data back from Facebook by forcing FB to create a new portal to get the user’s data back. The portal tells who has collected knowledge about you. However, this is just partial information. If Paul had the support of litigators, he could’ve actually involved bigger parties like advertisers. What is Facebook’s legal strategy? Other than the portal that lets you download.
We want to focus on non-users and ex-users. In researcher’s experience, Facebook has a delaying tactic. When you try to download your data from Facebook, it gives different errors. Then they ask for your ID and tell you to blur the parts that are sensitive but later on they deny/stall the request because parts are blurred. We will also focus on practices like this and we want to give advice for counter play to others. It seems that no one has made a request to Facebook as a non-user. We should make a request to Facebook as a non-user. When this was done to Google, they replied that you have to be a user. One of us can visit the Facebook page of Noyb and check if that’s trackable. You can also send SARs to the Facebook pages of companies. Facebook reaches out and tells the group to forward them if they received any SARs. This example was for a user. Facebook asked for the letter sent by the person to the group.
What is the Facebook procedure for treating non-users? If a SAR is received, it has to be treated within the GDPR law. What would FB say if I say I am Donald Trump and visit the page of personaldata.io on Facebook? They can detect if the person is not a Facebook user and hence we don’t know. The ID obligation is on Facebook as well as the group admins. We have found an untested ground because Facebook doesn’t have it in their privacy policy. They don’t know if non-users would ever send SARs. Panoptykon sent a SAR to Google for a non-user of Google. Google denied.
The Personaldata.io admin tells FB that they have a SAR. Facebook asks them to forward the SAR. Paul made an AR from his personal Twitter account to the Twitter organization account. He sent that to Facebook and Facebook asked for more information again. We have to explore this. If you don’t send anything in this case, they can easily deny. Users can still use GDPR even as a non-user as long as they can prove tracking.
Will Facebook be able to respond to a SAR based on a cookie instead of a user?
It will be great if we can help people who want to do a SAR and get a response that the company doesn’t have any data.
Noyb found that the cookie banners on some sites don’t work. Even if you opt out, the tracking still goes on.
What will a non-Facebook user look like?
What are you expecting to get back in the case where a user contacts Facebook and claims he’s not a user?
Facebook will redirect you to your account and they will never send data gathered from non-user sources i.e. like cookies?
If they do the same with an ex user, you can ask them why do you have my info still?
You can also ask for info about user data and info about the cookies?
If there’s a third-party app, it would probably know your info and a new phone won’t be helpful. A better option will be to attack the middle app and get to Facebook?
Maybe we should send a request to the Facebook which is the umbrella company?
Desired Information:
1) Receive all information on non-users
Identification
- IP Address
- Cookie IDs
- Consent Settings
Facebook’s Strategy
- Delaying tactics
- Nonsensical responses
Risks:
Actions:
- Series of Experiments
- Make a traditional SAR focussed on non-user and ex-user
- Joint Controller Experiment
- New Facebook account – Does some activity – and deletes the account.
- Controlled Experiment – new phone – user who doesn’t have an account
- SAR the Facebook Inc. (the big company that holds the subsidiaries)
- Focus on SAR to Facebook as a non-user and see what data we require.
- Paul can experiment by getting his kids a phone and he will save their numbers on his phone which has a Fb app to see if a shadow profile is made.
Should we do an experiment that we can do or one that normal people can do?
The only way to get around Facebook is to sue them. Noyb do SARs first and then sue. The process should be reversed. You sue the company and ask for data so you combine the investigative and forensic aspects.
The different objectives in the room go from wishing to make Facebook change to researchers just wanting their data back. In India, Facebook employs third-party data collectors who ID the people for them. Facebook says it deletes data but those third parties don’t.
1) Do a SAR to see if they actually delete data
2) Do a SAR to prove that a cookie is a valid ID and they should give info on that cookie.
Non-users already have a shadow profile and as soon as they make an account Facebook brings that shadow profile up.
A kid who doesn’t have a profile on Facebook still has their name appear in Facebook search because he was playing a game on Facebook. He had a Facebook profile without a picture, and you can send them friend requests.
Room agrees this is an interesting scenario. We don’t have enough details to make this case. This is also challenging for DPAs because the user won’t be representing themselves, but his parents will and what if they’re divorced or they don’t agree.
The case that we are doing is Trystan doing a SAR for his daughter. His daughter plays Minecraft. How will we identify her in a SAR? We can submit the device ID for identification.
Trystan can also do an AR on his own account as an ex user.
Steps for us:
1. We provide a cookie ID
2. We provide IP Address
3. We say that we are sole user of the device
4. We ask for all info from our accounts
5. We ask for all URLs and derived data
[FLOWCHART PICTURE HERE]
Areas for future:
- Proportionality of Verification
- When you mandate somebody
There are a lot of perspectives and ways for a non-user to file a SAR to Facebook but Facebook can always deny if they want so we have to learn and improve.
To summarize, we focused on the non-user case. Our desired outcomes are to use this case as an example for others, to map Facebook’s strategies, to litigate, to get info back, to make Facebook compliant.