CyberWire Daily - The Right to Be Forgotten with Yale Law School's Tiffany Li

Episode Date: November 22, 2017

Our guest today is Tiffany Li. She’s an attorney and Resident Fellow at Yale Law School’s Information Society Project. She's an expert on privacy, intellectual property, and law and policy, and her research includes legal issues involving online speech, access to information, and Internet freedom. She’s coauthor of the paper, Humans Forget, Machines Remember: Artificial Intelligence and the Right to Be Forgotten, which will be published soon in Computer Security & Law Review.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K.
Starting point is 00:01:22 Our podcast team is taking a break this week for Thanksgiving, but don't panic. We've got brand new extended interviews with interesting people lined up for you.
Starting point is 00:02:04 And you can get your daily dose of cybersecurity news on our website, thecyberwire.com, where you can subscribe to our daily news brief and get all the latest cybersecurity news. Stay with us. My guest today is Tiffany Li. She's an attorney and resident fellow at Yale Law School's Information Society Project. She's an expert on privacy, intellectual property, and law and policy, and her research includes legal issues involving online speech, access to information, and Internet freedom. She's also co-author of the paper Humans Forget, Machines Remember, Artificial Intelligence and the Right to be Forgotten, which will be published soon in Computer Security and Law Review.
Starting point is 00:02:50 The right to be forgotten, generally speaking, is this concept in EU privacy regulation. It's this concept that people ought to be able to request that data or information about them be removed or deleted from a website or, say, a search engine. Now, the right to be forgotten is something that is entrenched in EU privacy regulation, but it's not really relevant to U.S. law, at least not yet. So recently, I co-authored a piece on artificial intelligence and the right to be forgotten. Specifically, we look at whether the right to be forgotten is applicable in artificial intelligence or even machine learning context. And if it is, whether it's something we should be looking at doing more or less of, and how we should look at legal standards for right to be forgotten in terms of artificial
Starting point is 00:03:42 intelligence. So take me through that intersection there. How does artificial intelligence intersect with the right to be forgotten? The right to be forgotten is very interesting to me, I think, because it deals a lot with the concept of deleting information and deleting records. With artificial intelligence, or even with advanced machine learning, and here I have to note that I'm not discussing AI in terms of, say, the Terminator Skynet AI. I'm looking at AI and artificial intelligence in terms of very advanced machine learning systems that can train themselves and develop new algorithms and new predictive results based on data that is fed to them or that they gather based on certain
Starting point is 00:04:26 parameters that we program. If we look at this form of AI and then we consider the right to be forgotten, we get into a few interesting questions that I don't believe are answered in the law right now. First of all, the law never really defines what it means to comply in terms of actually deleting a record. So from a technological standpoint, deleting something is not as easy as you might think it is. It's not so simple as, for example, dragging a file from your desktop and throwing it into that little recycling bin icon. Deleting a file or deleting a data record can mean a number of things on the technical end. It could simply mean deleting the record of that data point from the system index. It could mean overwriting that data record. It could mean replacing that data record
Starting point is 00:05:18 with a null value and so on and so forth. There are various ways to actually delete a record, especially in a machine learning or artificial intelligence environment, when you may have a large quantity of data and various ways that the researchers who are using that system want to treat the data. So the first issue there is that the right to be forgotten as it currently stands in the law and as it will be interpreted in the 2018 GDPR does not really address this issue. You don't get a firm definition of what it means to delete information or how to really make this deletion permanent. This is problematic because the GDPR and EU privacy regulation in general requests that basically every tech company that has any reach into the EU or that reaches EU residents has to comply with this law.
Starting point is 00:06:16 So it's a little difficult, you can imagine, to comply with the law when the law doesn't really make sense or isn't clear on what could happen. So that issue of deletion not being clear or not being defined correctly is, I think, definitely a problem. And it's a problem that we address in our paper. Now, why do you think that issue hasn't been properly addressed so far? Is it an oversight or is it, you know, people are specifically don't want to address it? The problem of the right to be forgotten and the GDPR in addressing those new technologies really lies in the sort of gap that we have between technologists and policymakers. There is definitely a need right now for more interdisciplinary research in law and technology. I think what often happens is you get all the technologists and tech company representatives in one room. There they can discuss how to actually
Starting point is 00:07:12 create products, how to develop software, how to make tech forward solutions for problems. In an entirely separate room, not even across the hall, but in a different building sometimes, there you have the policymakers and the lawyers who are talking about these issues on a policy or legal level. And they're looking at the same issues. They're trying to figure out privacy. They're trying to figure out online speech. They're trying to figure out, you know, what sort of future do we want for our communication systems? But they're not in the same room. And that's a problem. It's a problem that isn't specific just to the GDPR or the right to be forgotten. It's a problem that we have in really all of tech policy, both here and in the EU,
Starting point is 00:07:58 as well as in other nations too. So I think the first thing we have to look at when addressing these issues is if we can simply solve them by increasing interdisciplinary research and interdisciplinary collaboration between technologists and lawyers and policymakers. From your point of view, what can we expect to change when GDPR does kick into effect next year? I think a lot can change. You'll definitely see tech companies kind of scrambling to keep up. Of course, they've been preparing for years at this point, but there may be changes. You might see more privacy notices. You might see more pop-ups. You might see different privacy policy updates, right? Because these companies will have to comply, so they'll suddenly have to
Starting point is 00:08:42 change things. But a lot of what you'll see, I think, will be on the back end. There'll be a lot of change. And there has already been a lot of change, I personally know, within a lot of technology companies right now, just preparing for the GDPR. So this means internal policies have been drafted and redrafted and edited and sent to board members. Teams have been trained and retrained. A lot of this change is happening on the back end. We'll have more from Tiffany Li after this short break.
Starting point is 00:11:37 Are the Europeans taking a leadership role on this that we expect to then flow through the rest of the world?
Starting point is 00:12:25 You know, I think it's commonly said about particularly the Americans that we will always trade security for convenience. And I think the Europeans have a different attitude to privacy than we do. I have a few different things to say about the points you just made. So first, I definitely don't agree that the U.S. would be willing to trade security for convenience. I think that is way overstating the current state of affairs. Americans do care about privacy. And I would argue that American tech companies do care about privacy, too. Of course, they also want to innovate. They also want to hit the bottom line, their goals there.
Starting point is 00:13:01 But privacy is important within the industry and for consumers. As to your point about the EU possibly leading in privacy generally, I think there are some interesting thoughts on that that you'll hear from people in the EU and internationally. So as you can expect, most EU scholars and policymakers and practitioners I've talked to who work in technology believe that the EU is leading the way in privacy. And many of them believe that this is a good thing, that they are kind of raising the bar for the rest of us, making privacy an important goal and a human right that we all have to protect. That is definitely one view. And I can definitely see arguments for that, specifically because EU privacy regulation does target literally every company in the entire world that operates in the internet or technology space.
Starting point is 00:13:52 So sure, in that sense, they're setting a bar and they're setting a standard. There is also, though, I think another view, which isn't necessarily mutually exclusive with that EU forward positive privacy idea. And it's this concept that if the EU is leading in privacy, and the EU is making basically every other company in every other country follow them, you sort of get into, you know, what lawyers call a jurisdictional issue. It sort of sounds like the EU is trying to legislate for the entire world, right? Because right now, every tech company in the world who has any EU customers, any EU residents, they have to follow EU privacy regulation. So if you believe this is a good thing, sure, fine. That's definitely happening and it'll happen more. But it's a little concerning to me that, you know, one country or region can
Starting point is 00:14:52 decide the laws for every other country in the world. And I think this is concerning because if you think about the EU doing something, I would say many of us in what people call the Western world might not really care that much, right? We might think, sure, privacy is great. The EU usually has values that we agree with. This is probably not a huge deal. But what happens then is that you get this sort of precedent that's set. Now that we know the EU can make law that affects technology companies around the world, what does this mean for other countries, for example, China or Russia, or countries that have values that may be a little different than what we see in the US or the EU? I think there is a significant danger in seeing this sort of legislative jurisdictional creep. I can definitely see the possibility for some countries to argue that they should be able to do the same thing, that they should be able to create their own laws and have tech companies around the world follow
Starting point is 00:15:58 their laws. And there are two problems with this, I think. The first problem is it's very difficult already for tech companies to comply with laws from basically everywhere around the world. It's hard for a tech company to comply with hate speech laws in Germany, free speech laws in the US, and political speech laws in China. Those are three entirely different paradigms, and they have to comply with all of them technically. If you take this sort of EU privacy standard example and you push it forward, you also get into the issue of companies having to comply with value systems that maybe we don't want them to comply with. I think we take for granted that privacy and free speech and all those great democratic values are universal values when they are definitely not.
Starting point is 00:16:44 Well, haven't we seen that, I mean, with Apple, where because of how much Apple relies on China, both as a market, but also for manufacturing, that Apple has given into some demands from the Chinese government that perhaps they would rather not have to give into? We've seen that happen. And different countries have created laws that specifically require that to happen. China's cybersecurity law could potentially affect tech companies outside of China. Russia's data localization law
Starting point is 00:17:17 affects tech companies outside of Russia and requires them to have data centers located within Russia to keep any data on Russian citizens. So these are just a few of the many examples of ways in which countries are trying to get mostly U.S.-based tech companies to comply with their local laws. So how do you see this playing out? How are we going to, when it comes to policy, with things like artificial intelligence, the right to be forgotten, and privacy,
Starting point is 00:17:47 what do you think the mechanism, as different cultures around the world, as different countries with different values, what's the push and pull going to be going forward? Do you have any sense for what the natural evolution of this is going to be? I think we're in an interesting time right now. We're in an interesting time because these tech companies are no longer young and brand new, and they are facing regulation. They're facing regulation in the U.S., in the EU, internationally. And this sort of conflict of laws, this conflict of the laws of different countries is affecting them and hitting their bottom line because it's hard to comply. It costs a lot of resources to comply with all these different laws.
Starting point is 00:18:29 So what I see moving forward is most likely there will be some sort of work towards more internationally agreed upon standards, or at least regionally agreed upon standards. For example, the APAC region actually does have some sort of privacy guidelines, but they have not really been in play for many years. I can see something similar. We could have similar trade agreements. We could have a NAFTA for privacy regulation, for example. Some people even posit that there might be some sort of international law for the Internet eventually. And I can see that happening. That could solve some problems.
Starting point is 00:19:10 I do think, though, that right now we're in this really interesting space where if you work in technology or if you work in law or policy related to tech, you really have an opportunity to change how the entire world might see technology in the future. So it's a huge opportunity, but it's also, of course, filled with many risks and a lot of room for things to possibly go wrong. Our thanks to Tiffany Li for joining us. Again, the research paper she co-authored is Humans Forget, Machines Remember, Artificial Intelligence and the Right to be Forgotten. And you can find it online.
Starting point is 00:19:59 And that's The Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening.