Category: Uncategorized

On February 7, PRG’s own Kathryn Taylor published a new piece building Professor Veena Dubal’s article about the gamification of gig work (discussed during the January 23 session of PRG). The article examines the algorithmic transformation of gig worker pay through the lens of dark patterns. The “unpredictable, variable, and personalized” pay structures created by algorithmic labor management, Taylor argues, not only keeps gig workers in a state of highly surveilled precarity, but also manipulates workers into providing additional services. 

On February 6, Google announced its AI chatbot, Bard. Launched to compete with OpenAI’s ChatGPT and Microsoft’s new AI-powered Bing search, it confidently presented a factual error in its first demonstration. Such errors highlight the fact that, for all their power, large language model AI still frequently make up information from thin air. 

On February 7, President Biden called for stricter protections of personal data use and collection, as well as a ban on targeting advertising towards children in his State of the Union address. This came as part of a broader push to limit the power of Big Tech, including calls for stronger antitrust enforcement.

(Compiled by Student Fellow Justin Jin)

Events:

JSD Fellows Stav Zeitouni and Kat Geddes are leading an upper-level reading group called “Propertizing Intangibles in the Digital Age.” The group intends to explore the changes that laws dealing with intangibles have gone through in the digital age, focusing in particular on copyright. For example, digital rights management (DRM) emerged as a response to the erasure of physical constraints on copying brought about by digital technologies. More recently, data firms have found innovative ways to propertize and monetize data despite its intangibility and ambiguity around its copyrightability and patentability. These changes have long-lasting implications for how we think about property and how that’s reflected in the law and in its governance of intangibles. We will explore these themes through a mixture of academic and popular materials.

News:

On January 24, the Department of Justice Antitrust Division, along with the Attorneys General of California, Colorado, Connecticut, New Jersey, New York, Rhode Island, Tennessee, and Virginia, filed a civil antitrust suit against Google in the Eastern District of Virginia. The complaint alleges that Google monopolized a number of key digital advertising technologies through an anticompetitive course of conduct over the last 15 years, allowing the company to take home on average 30% of all digital advertising revenue that uses their technologies. This is DOJ’s second antitrust suit against Google. The first suit, which alleges anticompetitive conduct in Google’s search function, is scheduled for trial in September 2023.

The National Institute of Standards and Technology (NIST) published a long-awaited Artificial Intelligence Risk Management Framework, directed at any organization or individual developing or using AI. The framework describes novel risks posed by AI and highlights core concepts for responsible AI including human centricity, social responsibility, and sustainability.

On January 26, the Office of the Privacy Commissioner of Canada announced the results of an investigation into Home Depot, finding that the company failed to obtain user consent before sharing personal data with Meta in violation of the Personal Information Protection and Electronic Documents Act (PIPEDA), a Canadian law that applies to private-sector organizations that collect, use or disclose personal information in the course of a commercial activity.

Netflix announced that they will be cracking down on password-sharing in the U.S. starting in March 2023, reversing their previous approach which encouraged password-sharing as a form of free advertising. The company’s efforts to deter password-sharing in other countries has seen mixed results.

OpenAI has released a tool to detect when text has been generated by its own ChatGPT and GPT-3 AI tools. 

(Compiled by Student Fellow Talya Nevins)

The use and collection of voice data in general has been in the spotlight in part due to new Microsoft voice-cloning software called VALL-E . Privacy advocates have voiced worries that the VALL-E, Apple’s Siri, and Amazon’s Alexa could be utilized in ways that do not involve the consent of recorded individuals.

The Law and Political Economy (LPE) Project recently published an article by UC Hastings law professor Veena Dubal about the algorithmic gamification of work for gig workers; in this article, Dubal argues that companies’ algorithmic systems risk “undermining the possibility of economic stability and mobility through work by transforming the basic terms of how workers are paid.”

The European Court of Justice recently ruled that the right to access information under Article 15 of the GDPR requires that individuals whose data has been shared to certain recipients must be provided with the “actual identity of those recipients, unless it is impossible to identify those recipients or the controller demonstrates that the data subject’s requests for access are manifestly unfounded or excessive.” Because the ruling stipulates that providing general categories of recipients in response to a data request, rather than the identities of those recipients, is insufficient except in “exceptional cases,” European legal practitioners are now advising companies to “review their internal processes and their templates for responding to access requests so as to avoid fines and damages actions for failure to provide access.”

U.S. fast-food restaurant chain Chick-Fil-A was hit with a new privacy class-action lawsuit last week that alleges it shared personally identifiable information to Meta in violation of the Video Privacy Protection Act (VPPA).

The New York Police Department recently filmed concertgoers leaving a Drake concert in a manner that the Surveillance Technology Oversight Project called “highly concerning;” the NYPD said in a statement that this filming was intended purely for a future social media post on local events.

(Compiled by Student Fellow Cooper Aspegren)

News

The European Union Court of Justice invalidated a provision of the EU Anti-Money Laundering Directive that guaranteed access to information on the “real owners” of a company. Some commentators criticized the decision as setting back efforts to fight corruption.

The San Francisco Police Department proposed expanding use of robots capable of using deadly force to respond to incidents. Currently, the remote controlled devices are used for bomb disposal and inspection.

Searches on Twitter for information about the Chinese protests related to the government’s COVID-19 restrictions are returning spam and pornographic content. Disinformation researchers posit that Chinese state actors are publishing this content to prevent access to images of the demonstrations

The Israeli Government issued a draft regulation that would address privacy obligations under GDPR. The proposal includes strong regulatory measures for data originated in Europe.

The City of Houston mandated that certain local businesses constantly record video surveillance outside of their establishments. Houston is the first city to pass such an ordinance. The move drew the criticism of civil rights advocates.

Members of an Iranian hacktivist group breached a system owned by a major Israeli security agency and posted videos from a recent deadly bombing in Jerusalem. It is currently unknown what assets were breached.

Events

The Computer Science and Law Monthly workshop is collecting job profiles for junior job market candidates. The job market profiles will be distributed in the CS+Law Monthly Workshop website and mailing list. Submissions are due December 5^th.

On December 12 and 13, there will be a hybrid conference on Commodification and the Law in Florence, Italy. The conference will feature keynote speeches by Prof. Daniel Markovits (Yale School of Law) and by Dr. Johanna Stark (Max Planck Institute for Tax Law and Public Finance).

On December 1 and 2, the Scuola Superiore Sant’Anna Aula Magna in Pisa, Italy hosted a hybrid conference on the regulation of AI and data in Europe. The conference featured several panels discussing AI and Data regulation strategy in the European Union.

(Compiled by Student Fellow Aditya Trivedi)

News

Google agreed to pay $392 million to 40 states — the largest multi-state privacy settlement in U.S. history — in response to allegations that it broke consumer protection laws by tracking individuals through their devices after location tracking had been turned off. A Google spokesman indicated it no longer tracks individuals in this manner, and that it now allows individuals to use Google Maps incognito.

A class action lawsuit has been filed against Apple for violating the California Invasion of Privacy Act by tracking consumers in mobile apps even with iPhone privacy settings indicating tracking is off.

Two Massachusetts citizens filed a class action lawsuit in federal court alleging the Massachusetts health department installed COVID-19 tracking software on over one million Android phones without users’ consent.

Recent departures from Twitter include CISO Lea Kissner, chief privacy officer Damien Kieran, and chief compliance officer Marianne Fogarty, raising questions on whether it complies with the GDPR’s requirement to have a chief data protection officer.

National Labor Relations Board General Counsel Jennifer Abruzzo announced a greater focus on employee surveillance, requesting regional personnel “vigorously” enforce existing doctrine and proposing “a new framework for protecting employees from intrusive or abusive forms of electronic monitoring and automated management that interfere with Section 7 activity.”

Germany’s Federal Court of Justice (Bundesgerichtshof) submitted a question to the European Court of Justice regarding whether consumer protection authorities can bring data protection claims against Meta on behalf of data subjects.

The United Kingdom is pushing to develop a new data privacy law that might deviate from the GDPR, which will reportedly address the adequacy agreement with the EU that allows UK-EU data flows.

Events

On Thursday, Nov. 24 from 9am to 10am EST, Guarini Global Law and Tech Executive Director Thomas Strein presented a keynote presentation at Digital Legal Talks 2022 on “The Future of European Data Law.”

On Tuesday, Nov. 29 from 12pm to 1pm EST, Winston Wenyan Ma, an adjunct professor of law at the NYU School of Law, will present a U.S.-Asia Law Institute talk on “The Future of US-China Tech Relations: Blockchain, Crypto, and Central Bank Digital Currency.”

(Compiled by Student Fellow Cooper Aspegren)

News

A class action lawsuit was filed against Microsoft, GitHub, and OpenAI alleging large-scale copyright violations in the companies’ GitHub Copilot AI-powered coding assistant.

Australia’s Labor Party introduced a privacy bill including significantly increased penalties for data breaches and an amendment to the Privacy Act extending jurisdiction to foreign organizations doing business in Australia.

The Markup published an investigative piece covering the use of tracking data by political campaigns. 

A new report by independent researchers found that Apple’s own iPhone apps, like the App Store and Apple Music, continue to collect detailed user data even when users turn off tracking settings.

Companies across the tech industry, including Meta, Twitter, Lyft, and Stripe, laid off thousands of workers in the face of an expected recession.

Events

USC Gould professor Erin Miller is giving a talk at Cornell Tech this Thursday, 11/10 about the application of the First Amendment to private actors.

(Compiled by Student Fellow Stephanie Chen)

News

FTC brought an action agaisnt Chegg, the education technology provider.  Responding to their allegedly lax data security practices, the FTC proposed requiring the company to bolster its data security and limiting the data that the company can collect and retain, among a number of other user protections. 

The Center for Democracy and Technology released a report finding that women of color political candidates are more than twice as likely to be subject to mis- and disinformation campaigns and are most likely to be targeted with online and violent abuse. 

The Electronic Privacy Information Center (EPIC) published findings on how the D.C. government uses automated decision-making systems.  Examining many of the automated decision-makers that these city agencies use, EPIC assesses the goals they work towards, and how they take action toward them.  

Events 

This Friday, November 4^th, Silicon Flatirons is hosting a conference on transparency and the tech sector.  The conference will convene a wide range of opinions on tech transparency and prompt discussions on how to take the field forward. 

Guarini Law and Tech is hosting a panel next week on Wednesday, November 9^th from 5:00-7:30 PM.  Alumni and friends of NYU Law will share their experience working in technology and data law, both at law firms and as in-house counsel.  After the panel discussion, NYU Law students will be able to ask questions and join the panelists for a networking reception.  Complete this form to RSVP.

(Compiled by Student Fellow Justin Lee)

News

Uber is rolling out a new advertising branch, which will show riders live ads during their ride using data that Uber collects from their phones.

A father and son shot at a woman sitting in her car after their Ring camera notified them of someone at their front door. The person at their front door was their neighbor, dropping off a package sent to the wrong address.  

Apple rolled out new app store ads, allowing advertisements for apps on the store pages for other apps, but they paused gambling app ads after outcries from other developers. 

Events

On November 2nd, NYU’s Law will be hosting a panel called “FemTech and Privacy: Striking the Balance in a Post-Dobbs Reality.” The event will take place in the Greenberg Auditorium at 5:00 pm, and will be moderated by Professor Melissa Murray. The registration link is here, and the event description is as follows:

In the aftermath of the leaked Supreme Court ruling in Dobbs v. Jackson Women’s Health Organization, warnings to period tracking app users went viral. The message? Ditch them immediately. Weeks later, a New York Times headline countered, “Deleting Your Period Tracker Won’t Protect You.” Join us for a panel discussion with academic, innovation, and advocacy experts who will explore how exactly such data is already or could be used – and misused. What privacy laws or legislation can be leveraged to protect FemTech users? And why does menstrual literacy – with or without tech tools – matter more than ever in our post-Dobbs reality?

(Compiled by Student Fellow Batya Kemper)

Events

On November 2^nd, NYU’s Law will be hosting a panel called “FemTech and Privacy: Striking the Balance in a Post-Dobbs Reality.” The event will take place in the Greenberg Auditorium at 5:00 pm, and will be moderated by Professor Melissa Murray. The registration link is here, and the event description is as follows: 

In the aftermath of the leaked Supreme Court ruling in Dobbs v. Jackson Women’s Health Organization, warnings to period tracking app users went viral. The message? Ditch them immediately. Weeks later, a New York Times headline countered, “Deleting Your Period Tracker Won’t Protect You.” Join us for a panel discussion with academic, innovation, and advocacy experts who will explore how exactly such data is already or could be used – and misused. What privacy laws or legislation can be leveraged to protect FemTech users? And why does menstrual literacy – with or without tech tools – matter more than ever in our post-Dobbs reality?

News

The Biden Administration plans to start a labelling system for rating the cybersecurity of Internet of Things (IoT) devices. This labelling system is meant to help American consumers identify and purchase more secure tech.

In the aftermath of the Optus privacy breach, Digital Rights Watch Australia has advocated for reforms to Australia’s Privacy Act, which has an exemption for voter information kept by political parties. They argue that breach of this voter data could have dangerous social and political implications. For more on the issue, see this link. 

A new investigative report reveals that the company Equifax surveilled 1000 of its remote workers to assess their productivity. The company then fired 24 employees who were found to have been juggling two jobs. 

In the UK, the Competition and Markets Authority (CMA) ordered Facebook’s parent company Meta to sell GIPHY, one of its recent acquisitions. The CMA believed that Meta’s acquisition would give the company even more market power.

(Compiled by Student Fellow Kiana Boroumand)

On September 28, the EU Commission published a Proposal for an Artificial Intelligence Liability Directive (AILD, or AI Liability Directive). The purpose of the Directive is to “improve the functioning of the internal market by laying down uniform rules for certain aspects of non-contractual civil liability for damage caused with the involvement of AI systems.” 

On October 4, the EU Parliament voted to approve EU legislation that would standardize mobile charges to be USB Type-C starting in 2024. The legislation (which now only needs final approval by the EU Council) is intended to reduce e-waste, but also has significant implications on interoperability, especially for companies like Apple that make their own separate lightning chargers. Similar legislation for computer chargers may be forthcoming.  

Also on October 4, the White House Office of Science and Technology Policy (OSTP) released a “Blueprint for an AI Bill of Rights: Making Automated Systems Work for the American People” describing five principles to “guide the design, use, and deployment of automated systems.” The OSTP has described the Blueprint as a non-binding “white paper” instead of official guidance. The Blueprint was also accompanied by a companion document, “From Principles to Practice: A Technical Companion to the Blueprint for an AI Bill of Rights.” 

In Canada, the Edmonton police service has begun using DNA phenotyping to create computer-generated images of suspects. On October 4, Edmonton detectives utilized the Snapshot DNA Phenotyping Service from Parabon NanoLabs, a US-based DNA technology company. However, pushback led them to retract the computer-generated suspect image they had released two days later.  

On October 5, Joseph Sullivan, former chief security officer of Uber, was convicted of obstruction of proceedings and misprision of a felony regarding an attempted cover-up of a 2016 hack of Uber. He now faces a maximum of five years in prison for obstruction and three years for misprision. This is one of the first instances of criminal charges in response to a data breach. The case is U.S. v. Sullivan (9th Cir. 2022). 

On October 7, President Biden signed an executive order directing the steps the US will take to institute the pending EU-US Data Privacy Framework. While some US parties seem optimistic about the draft, other EU parties like data privacy activist Max Schrems are less so. 

Pending Cases

The Supreme Court is scheduled to hear Gonzalez v. Google LLC (9th Cir. 2021) in its current term, a case about whether Section 230(c)(1) of the Communications Decency Act “immunizes interactive computer services when they make targeted recommendations of information provided by another information content provider, or only limits the liability of interactive computer services when they engage in traditional editorial functions (such as deciding whether to display or withdraw) with regard to such information.” The case was accepted by SCOTUS even though there is not a clear circuit split indicating a particular point of view. 

Gonzalez v. Google comes on the heels of two appellate court decisions about content moderation that have not been granted certiorari by SCOTUS, but which some think might in the future. They are NetChoice, LLC v. Attorney General, State of Florida (11th Cir. 2022), which struck down a Florida law restricting social media platforms’ ability to moderate content, and NetChoice v. Paxton (5th Cir. 2022), which conversely upheld a similar law in Texas.

There is a pending data protection case before the Court of Justice of the EU (CJEU) regarding the scope of damages for GDPR violations: UI v. Österreichische Post AG. An Advocate-General Opinion was issued on October 6 before the CJEU issues a final judgment: an analysis of the opinion by Max Schrems’ group noyb can be found here. 

US “crypto policy advocacy group” Coin Center is suing the Department of Treasury’s Office of Foreign Asset Control (OFAC) over its sanctions of cryptocurrency mixer Tornado Cash. Complaint linked here; Ori Freiman’s take here. 

Upcoming Events

On November 2 at 5 pm EST, the Engelberg Center will host “FemTech and Privacy: Striking the Balance in a Post-Dobbs Reality,” a conversation exploring how FemTech data can be used, and the privacy laws and legislation that can be leveraged to protect users. The event will be in-person in Greenberg Lounge, Vanderbilt Hall. RSVP and more information here.

(Compiled by Student Fellow Toni Xu)