Blog

Events

Law and Political Economy: Labor, Social Control, and Counterpower

This conference will take place from March 31 to April 2, 2023, at Harvard Law School in Cambridge, Massachusetts. It will feature several panels on technology. If interested, please contact Elettra Bietti for more information. 

News

NYC Mayor Eric Adams put forth a guidance calling members of the public to “lower their face masks to reassure store workers they’re not criminals.” This policy elicited a considerable stir among the community, as it implicated not only public health concerns but also issues of privacy—given Adams’ rationale that removing face masks would afford a better chance for security cameras and law enforcement to “identify criminals.” Against the backdrop of this contention, this policy choice raises serious questions about surveillance, identification, and their discriminatory impact on communities of color. 

The FTC is scaling up its efforts to investigate Twitter’s data and privacy practices, focusing on “whether Twitter has adequate resources to protect its users’ privacy after mass layoffs and budgets cuts” ordered by Elon Musk. As a part of its investigation, the commission is seeking an interview with Musk. FTC is one of a handful enforcement agencies that began scrutinizing Twitter after Musk took over leadership. In response to criticism that the FTC was launching an aggressive campaign to harass Twitter, FTC spokesman Farrar countered that “protecting consumers’ privacy is exactly what the FTC is supposed to do.” 

Gigi Sohn, President Biden’s nominee to the FCC, has withdrawn her nomination. Sohn was re-nominated as the third Democratic commissioner at the start of this Congress, after a party-line split on her nomination last year. Her withdrawal comes after a string of opposition to her nomination to the post, including Senator Manchin who announced that he would vote “no” over “years of partisan activism” and Sohn’s alleged alignment with the movement to defund the police and limit police surveillance tools. 

The FTC has proposed banning BetterHelp, Inc., an online counseling service, from “sharing consumers’ health data, including sensitive information about mental health challenges” for targeted advertising. This proposed order also requires BetterHelp to pay $7.8 million for charges revealing that the company shared consumers’ sensitive mental health data with third parties such as Facebook and Snapchat, despite promises of data confidentiality. For further discussion, see the following paper by Joanne Kim, also linked under “Papers” below: Data Brokers and the Sale of Americans’ Mental Health Data. 

Digital payment systems have taken hold of about 99% of the adult population in India, who have adopted a biometric ID number. Deep-rooted reliance on this digital infrastructure intensified in light of the pandemic, as the Indian government “used ID numbers to manage the world’s largest vaccination drive and deliver financial aid.” This trend proves a salient behavioral shift in what was primarily a cash-driven economy.  

The education ministry of Poland has announced its plan to mandate annual physical fitness tests in schools for children in ages 10 and upwards. This proposal will be followed by the aggregation of resultant data in a national database called Sportowe Talenty (Sporting Talents), administered by the sports ministry. In addition to the Institute of Sport, this database will be analyzed and results shared with relevant ministries to inform policymaking in Poland. 

Papers

Data Brokers and the Sale of Americans’ Mental Health Data by Joanne Kim – This paper discusses in depth the sale of sensitive mental health data in the context of the data broker industry and calls for clearer policies for consumer privacy protections in the U.S. 

“Provable Copyright Protection for Generative Models” by Boaz Barak – This post introduces a paper providing “a formalism that enables rigorous guarantees” on the similarity and lack thereof between “the output of a generative model and any potentially copyright data in its training set.” The research uses both language (transformer) and image (diffusion) models to build algorithms that can provide a training pipeline with minimal degradation in efficiency and quality of output. If interested in further discussion, please reach out to mimee@nyu.edu. 

(Compiled by Student Fellow Stephanie Shim)

On February 28, the FTC and CFPB jointly issued a request for information seeking public input about background screening processes in the rental housing market. The agencies are interested in receiving comments regarding the use of “algorithms, automated decision-making, artificial intelligence, or similar technology . . . in the tenant screening process” as they seek to identify practices leading to unfair housing decisions for potential tenants. Comments can be submitted at Regulations.gov for 90 days.

The Commissioners of the FTC have released a joint statement regarding Amazon’s acquisition of One Medical. The statement acknowledges both companies’ representations that they will not share consumers’ “personal health information” for marketing purposes unless they receive clear consent, but notes that the companies should also clarify how they will use protected health information and patient data beyond health care purposes. Commissioner Bedoya and Commissioner Slaughter issued a separate statement highlighting the shortcomings of U.S. privacy laws and the inapplicability of the HIPAA Privacy Rule to de-identified health data.

The FTC published a blog post cautioning marketers to be more deliberate in the advertising of artificial intelligence. Stressing the ambiguous definition of “artificial intelligence,” the post posits that the term has become a hot marketing term vulnerable to overuse and abuse. The post advises marketers that the FTC is on the lookout for “false or unsubstantiated claims about a product’s efficacy” and presents a set of questions for consideration in advertising decisions.

The European Commission has launched a consultation to evaluate funding options for upgrades to the Internet infrastructure needed to ensure capable handling of emerging transformative technologies. The Commission appears to be receptive to the telecommunication industry’s proposal that major tech companies that generate the most traffic should make a significant financial contribution. There is still the remaining question of determining the threshold for what qualifies as a sufficiently large amount of traffic generated.

The Annenberg School for Communication at the University of Pennsylvania released a report analyzing consumer awareness of companies’ use of their data. The report found that a large portion of Americans do not know how companies use their data, believe they have little control over such use, and are frustrated by the perceived corporate control of their digital lives. The report seeks to suggest policies that would allow companies to continue their use of consumer data while keeping in mind its finding that “informed consent at scale is a myth.”

Grocery stores are harvesting shopper data, “enriching” it with more data from third-party brokers, and selling the resulting information to consumer brands for targeted advertising. Kroger and Albertsons, two of the largest supermarket chains in the U.S., claim to share only de-identified or aggregated data. However, it is alarmingly easy to re-identify specific shoppers with just a few variables, which is especially concerning as supermarkets are expanding their selection of products to include health and medical products, which may reveal sensitive private information.

The Italian Data Protection Authority (GPDP) decided that the use of risk stratification algorithms in treating patients is not a part of routine healthcare and that explicit consent of the data subject is required.

(Compiled by Student Fellow Jacob Park)

News:

The Illinois Supreme Court ruled that biometric privacy claims accrue each time one gives their biometric information without prior consent. This sets the stage for massive damage awards; here, White Castle is potentially liable for $17 billion for requiring employees to use a fingerprint scanner to access paystubs. 

The EU Committee on Civil Liberties, Justice, and Home Affairs recommended that the European Commission reject an upcoming EU-US Data Privacy Framework. While the Committee noted that the agreement protects EU citizens who use US companies’ services, it found that the US’s ability to conduct mass warrantless surveillance for national security purposes violates the GDPR.

Many of the largest tech platforms, including Meta, TikTok, and Google, recently divulged information about their active user bases in compliance with the EU’s Digital Service Act.

TikTok has begun providing Research API access to researchers that includes information about content and accounts using the platform, starting with researchers in the US and expanding over time.

The New York Times published a conversation with Bing’s built-in AI chatbot Sydney in which it said it wanted to be alive and was in love with the person it was talking with. However, nothing suggests that AI chatbots are in fact sentient and it is unclear if the media’s coverage of them is precautionary or is irresponsibly fueling hype and fear.

Professor Kate Klonick moderated a live analysis of Supreme Court oral arguments in Gonzalez v. Google among internet law experts. Gonzalez asks whether Section 230(c)(1) of the Communications Decency Act shields platforms of liability when they make targeted recommendations based on content provided by third parties.

Events & Papers:

ILI Fellows Tomer Kenneth and Ira Rubinstein recently wrote a paper analyzing Gonzalez v. Google in which they argue for a nuanced approach to Section 230 immunity.

The journal Business and Politics has made a call for papers for a special issue on “The Future of AI Business, Politics, and Policy.” The submission deadline is March 1, 2023.

(Compiled by Student Fellow Nicholas Tilmes)

Events:

In an upcoming session (Feb 21 at 4:45pm in Furman Hall 210) of the Guarini Colloquium: Regulating Global Digital Corporations, Professor Anu Bradford will discuss her new book, “Digital Empires: The Global Battle to Regulate Technology.” Those interested in attending should email guariniglobal@nyu.edu.

News:

On February 15, Bloomberg Law reported on a proposed rule set to come from President Biden’s Department of Health and Human Services Office for Civil Rights, which aims to protect the privacy of patients who seek reproductive health care. This arrives following the Supreme Court’s Dobbs v. Jackson Women’s Health Organization decision and state bans on abortion.

On February 14, FTC Commissioner Christine Wilson published a WSJ article claiming she was resigning due to Chair Lina Khan’s “disregard for the rule of law and due process.” Wilson cited several examples, including a rulemaking launched last month that aims to ban most noncompete clauses in employee contracts and which she states is contrary to the Supreme Court’s decision in West Virginia v. EPA.

A Gothamist article published February 13 focuses on a new city contract that provides Rikers Island detainees with electronic tablets. Correction officials would be able to surveil correspondence using keyword searches and collect fees for some messaging services. This news comes the day before a vote on whether to ban physical mail and personal packages sent to detainees.

(Compiled by Student Fellow Rebecca Kahn)

On February 7, PRG’s own Kathryn Taylor published a new piece building Professor Veena Dubal’s article about the gamification of gig work (discussed during the January 23 session of PRG). The article examines the algorithmic transformation of gig worker pay through the lens of dark patterns. The “unpredictable, variable, and personalized” pay structures created by algorithmic labor management, Taylor argues, not only keeps gig workers in a state of highly surveilled precarity, but also manipulates workers into providing additional services. 

On February 6, Google announced its AI chatbot, Bard. Launched to compete with OpenAI’s ChatGPT and Microsoft’s new AI-powered Bing search, it confidently presented a factual error in its first demonstration. Such errors highlight the fact that, for all their power, large language model AI still frequently make up information from thin air. 

On February 7, President Biden called for stricter protections of personal data use and collection, as well as a ban on targeting advertising towards children in his State of the Union address. This came as part of a broader push to limit the power of Big Tech, including calls for stronger antitrust enforcement.

(Compiled by Student Fellow Justin Jin)

Events:

JSD Fellows Stav Zeitouni and Kat Geddes are leading an upper-level reading group called “Propertizing Intangibles in the Digital Age.” The group intends to explore the changes that laws dealing with intangibles have gone through in the digital age, focusing in particular on copyright. For example, digital rights management (DRM) emerged as a response to the erasure of physical constraints on copying brought about by digital technologies. More recently, data firms have found innovative ways to propertize and monetize data despite its intangibility and ambiguity around its copyrightability and patentability. These changes have long-lasting implications for how we think about property and how that’s reflected in the law and in its governance of intangibles. We will explore these themes through a mixture of academic and popular materials.

News:

On January 24, the Department of Justice Antitrust Division, along with the Attorneys General of California, Colorado, Connecticut, New Jersey, New York, Rhode Island, Tennessee, and Virginia, filed a civil antitrust suit against Google in the Eastern District of Virginia. The complaint alleges that Google monopolized a number of key digital advertising technologies through an anticompetitive course of conduct over the last 15 years, allowing the company to take home on average 30% of all digital advertising revenue that uses their technologies. This is DOJ’s second antitrust suit against Google. The first suit, which alleges anticompetitive conduct in Google’s search function, is scheduled for trial in September 2023.

The National Institute of Standards and Technology (NIST) published a long-awaited Artificial Intelligence Risk Management Framework, directed at any organization or individual developing or using AI. The framework describes novel risks posed by AI and highlights core concepts for responsible AI including human centricity, social responsibility, and sustainability.

On January 26, the Office of the Privacy Commissioner of Canada announced the results of an investigation into Home Depot, finding that the company failed to obtain user consent before sharing personal data with Meta in violation of the Personal Information Protection and Electronic Documents Act (PIPEDA), a Canadian law that applies to private-sector organizations that collect, use or disclose personal information in the course of a commercial activity.

Netflix announced that they will be cracking down on password-sharing in the U.S. starting in March 2023, reversing their previous approach which encouraged password-sharing as a form of free advertising. The company’s efforts to deter password-sharing in other countries has seen mixed results.

OpenAI has released a tool to detect when text has been generated by its own ChatGPT and GPT-3 AI tools. 

(Compiled by Student Fellow Talya Nevins)

The use and collection of voice data in general has been in the spotlight in part due to new Microsoft voice-cloning software called VALL-E . Privacy advocates have voiced worries that the VALL-E, Apple’s Siri, and Amazon’s Alexa could be utilized in ways that do not involve the consent of recorded individuals.

The Law and Political Economy (LPE) Project recently published an article by UC Hastings law professor Veena Dubal about the algorithmic gamification of work for gig workers; in this article, Dubal argues that companies’ algorithmic systems risk “undermining the possibility of economic stability and mobility through work by transforming the basic terms of how workers are paid.”

The European Court of Justice recently ruled that the right to access information under Article 15 of the GDPR requires that individuals whose data has been shared to certain recipients must be provided with the “actual identity of those recipients, unless it is impossible to identify those recipients or the controller demonstrates that the data subject’s requests for access are manifestly unfounded or excessive.” Because the ruling stipulates that providing general categories of recipients in response to a data request, rather than the identities of those recipients, is insufficient except in “exceptional cases,” European legal practitioners are now advising companies to “review their internal processes and their templates for responding to access requests so as to avoid fines and damages actions for failure to provide access.”

U.S. fast-food restaurant chain Chick-Fil-A was hit with a new privacy class-action lawsuit last week that alleges it shared personally identifiable information to Meta in violation of the Video Privacy Protection Act (VPPA).

The New York Police Department recently filmed concertgoers leaving a Drake concert in a manner that the Surveillance Technology Oversight Project called “highly concerning;” the NYPD said in a statement that this filming was intended purely for a future social media post on local events.

(Compiled by Student Fellow Cooper Aspegren)

News

The European Union Court of Justice invalidated a provision of the EU Anti-Money Laundering Directive that guaranteed access to information on the “real owners” of a company. Some commentators criticized the decision as setting back efforts to fight corruption.

The San Francisco Police Department proposed expanding use of robots capable of using deadly force to respond to incidents. Currently, the remote controlled devices are used for bomb disposal and inspection.

Searches on Twitter for information about the Chinese protests related to the government’s COVID-19 restrictions are returning spam and pornographic content. Disinformation researchers posit that Chinese state actors are publishing this content to prevent access to images of the demonstrations

The Israeli Government issued a draft regulation that would address privacy obligations under GDPR. The proposal includes strong regulatory measures for data originated in Europe.

The City of Houston mandated that certain local businesses constantly record video surveillance outside of their establishments. Houston is the first city to pass such an ordinance. The move drew the criticism of civil rights advocates.

Members of an Iranian hacktivist group breached a system owned by a major Israeli security agency and posted videos from a recent deadly bombing in Jerusalem. It is currently unknown what assets were breached.

Events

The Computer Science and Law Monthly workshop is collecting job profiles for junior job market candidates. The job market profiles will be distributed in the CS+Law Monthly Workshop website and mailing list. Submissions are due December 5^th.

On December 12 and 13, there will be a hybrid conference on Commodification and the Law in Florence, Italy. The conference will feature keynote speeches by Prof. Daniel Markovits (Yale School of Law) and by Dr. Johanna Stark (Max Planck Institute for Tax Law and Public Finance).

On December 1 and 2, the Scuola Superiore Sant’Anna Aula Magna in Pisa, Italy hosted a hybrid conference on the regulation of AI and data in Europe. The conference featured several panels discussing AI and Data regulation strategy in the European Union.

(Compiled by Student Fellow Aditya Trivedi)

News

Google agreed to pay $392 million to 40 states — the largest multi-state privacy settlement in U.S. history — in response to allegations that it broke consumer protection laws by tracking individuals through their devices after location tracking had been turned off. A Google spokesman indicated it no longer tracks individuals in this manner, and that it now allows individuals to use Google Maps incognito.

A class action lawsuit has been filed against Apple for violating the California Invasion of Privacy Act by tracking consumers in mobile apps even with iPhone privacy settings indicating tracking is off.

Two Massachusetts citizens filed a class action lawsuit in federal court alleging the Massachusetts health department installed COVID-19 tracking software on over one million Android phones without users’ consent.

Recent departures from Twitter include CISO Lea Kissner, chief privacy officer Damien Kieran, and chief compliance officer Marianne Fogarty, raising questions on whether it complies with the GDPR’s requirement to have a chief data protection officer.

National Labor Relations Board General Counsel Jennifer Abruzzo announced a greater focus on employee surveillance, requesting regional personnel “vigorously” enforce existing doctrine and proposing “a new framework for protecting employees from intrusive or abusive forms of electronic monitoring and automated management that interfere with Section 7 activity.”

Germany’s Federal Court of Justice (Bundesgerichtshof) submitted a question to the European Court of Justice regarding whether consumer protection authorities can bring data protection claims against Meta on behalf of data subjects.

The United Kingdom is pushing to develop a new data privacy law that might deviate from the GDPR, which will reportedly address the adequacy agreement with the EU that allows UK-EU data flows.

Events

On Thursday, Nov. 24 from 9am to 10am EST, Guarini Global Law and Tech Executive Director Thomas Strein presented a keynote presentation at Digital Legal Talks 2022 on “The Future of European Data Law.”

On Tuesday, Nov. 29 from 12pm to 1pm EST, Winston Wenyan Ma, an adjunct professor of law at the NYU School of Law, will present a U.S.-Asia Law Institute talk on “The Future of US-China Tech Relations: Blockchain, Crypto, and Central Bank Digital Currency.”

(Compiled by Student Fellow Cooper Aspegren)

News

A class action lawsuit was filed against Microsoft, GitHub, and OpenAI alleging large-scale copyright violations in the companies’ GitHub Copilot AI-powered coding assistant.

Australia’s Labor Party introduced a privacy bill including significantly increased penalties for data breaches and an amendment to the Privacy Act extending jurisdiction to foreign organizations doing business in Australia.

The Markup published an investigative piece covering the use of tracking data by political campaigns. 

A new report by independent researchers found that Apple’s own iPhone apps, like the App Store and Apple Music, continue to collect detailed user data even when users turn off tracking settings.

Companies across the tech industry, including Meta, Twitter, Lyft, and Stripe, laid off thousands of workers in the face of an expected recession.

Events

USC Gould professor Erin Miller is giving a talk at Cornell Tech this Thursday, 11/10 about the application of the First Amendment to private actors.

(Compiled by Student Fellow Stephanie Chen)