Archive

Artificial Intelligence

UK Government sets out proposals for new regulation on AI as call for evidence is launched

…Regulators will apply six principles to oversee AI in a range of contexts with flexibility to implement them.

• Ensure that AI is used safely: requirements to remain commensurate with actual risk – comparable with non-AI use cases. Focus will therefore be on high risk use cases

• Ensure that AI is technically secure and functions as designed: the functioning, resilience and security of a system should be tested and proven, and the data used in training and in deployment should be relevant, high quality, representative and contextualised

• Make sure that AI is appropriately transparent and explainable: Have regard to IP rights and confidential information. Transparency requirements could include disclosure of information about: (a) the nature and purpose of the AI, (b) the data being used and information relating to training data, (c) the logic and process used and where relevant information to support explainability of decision making and outcomes, (d) accountability.

• Consider fairness: design, implement and enforce appropriate governance requirements for ‘fairness’ as applicable to the entities that they regulate

• Identify a legal person to be responsible for AI: accountability and legal liability to rest with an identified or identifiable legal person

• Clarify routes to redress or contestability: regulators to implement proportionate measures to ensure the contestability of the outcome of the use of AI in relevant regulated situations

Like for most digital regulations, the government distinguishes itself from the EU: “Instead of giving responsibility for AI governance to a central regulatory body, as the EU is doing through its AI Act, the government’s proposals will allow different regulators to take a tailored approach to the use of AI in a range of settings” – it said. The point is however, many businesses would wish to do businesses in the EU as well. Therefore the benefits of a more flexible and potentially less burdensome rules may be limited. For example, AI built on rules which contravene EU rules may not be operable in the EU.

BigTech/ Data / Platforms

Safety

Boris Johnson becomes Tech business’ flavour of the month as UK’s controversial Online Safety Bill is delayed

…that is a complete over statement, but the UK government chaos is reported to have been the reason behind the delay to the controversial Online Safety Bill from being passed into law much to the relief of tech businesses. The bill was to deliver the government’s manifesto commitment “to make the UK the safest place in the world to be online while defending free expression“. As you can imagine, this is fiendishly difficult, and riddled with controversy. One person’s idea of illegality (eg. [Insert name of your top tyrant here] should be hanged and quartered – in this case could constitute incitement of hatred and violence, which is unlawful in the UK) is another person’s idea of free expression. Tech platforms are requested to [in short] ensure illegal content is removed and to control “lawful but harmful” content. Non-compliance can lead to executives being jailed and penalty levied amounting to a maximum of 10 percent of global annual turnover [not profits].

Actually, Boris Johnson may be popular this month. At least among the leading tech businesses.

Meanwhile the position may become even more complicated in the US unless the proposed American Data Privacy and Protection Act (ADPPA) comes into play – which as I understand it precludes a separate state privacy law. California governors and other states want to retain the power to set stricter privacy laws than ADPPA provides, especially since the fall out of Roe v Wade.

…but the UK Government have managed to introduce Data Protection and Digital Information Bill into Parliament

…The government says this includes measures to use AI responsibly while reducing compliance burdens on businesses. The digital secretary said “Outside of the EU we can ensure people can control their personal data, while preventing businesses, researchers and civil society from being held back by a lack of clarity and cumbersome EU legislation”…hopefully such a comment will not lead the EU to scrutinise UK’s law and withdraw the UK’s adequacy status, needed to enable data to flow freely between the UK and the EU…

What does the Bill propose?

• Small businesses no longer need to have a Data Protection Officer (DPO) and to undertake lengthy impact assessments, if they are able to manage the risks effectively.
  • Privacy management programmes will be required to ensure they are accountable for how they process personal data.

• Fines for nuisance calls and texts and other serious data breaches under the UK’s existing Privacy and Electronic Communications Regulations (PECR) [yes please!]

• Websites no longer need to seek consent to collect data about your visit (cookie consents). The government’s new opt-out model for cookies means users can set an overall approach to how their data is collected and used online – for example via their internet browser settings [I can imagine privacy groups crying out for an opt-in model – as some people might not know how to opt-out]. However most websites also serve the EU – not sure whether such websites can programme the website operation so that pop ups do not appear if a UK user is visiting the site.

• Provide clarity about when they can obtain user consent to collect or use data for broad research purposes

Possible defective platform at issue in a case where a child ended up being paired with a sexual predator

…Omegle, a chat service which pairs random people up for anonymous chats, was sued when a child ended up being paired with a sexual predator. Omegle sought to rely on Section 230 of the Communications Decency Act of the United States which generally protects websites from liability over content uploaded by users or third parties, but the judge in the case held that the claim did not concern the platform’s failure to moderate content, rather the claim was against defective platform design. The judge characterised the claim as a product liability suit, stating that the website could have implemented measures preventing minors from being paired with adults. The issue though is how this measure could have been implemented without losing anonymity, one of the key feature of Omegle’s services. The case continues. Those in the UK that are in favour of the UK’s Online Safety Bill would have approved the judge’s thoughts. 

Regardless of the outcome of the case, online service providers will increasingly be expected to think about their offering and structure their business to avoid potential foreseeable harms. It also signals potential liability for platforms that are accused of implementing algorithms which keep users (especially youths) addicted to their device. Not only that, there may, in the future be further requirements for businesses to implement positive measures (eg. train algorithms) to make the system to be in compliance with the law. For example, at a virtual event, US FTC Commissioner Slaughter is reported to have stated that ” We need to be actively anti-racist”, and the agency will research into how systems can ensure racial equity. This could mean that the algorithm has to be actively trained to be anti-racist.

Privacy

Amazon responds to US senator’s accusation of liberal sharing of private data captured by Ring with the US police

…Back in April, Democrat Senator Ed Markey essentially said that Amazon’s Ring app (door bell with camera features) allows invasive surveillance, especially as a number of law enforcement authorities are given access to data captured by the Ring device installed on thousands of households across the country. Amazon has written back explaining that everything is transparent and data collected are mostly used for serious crimes. Further info on this in the Delving Deeper section, below.

Class Action strikes streaming service provider Paramount for giving Facebook access to subscribers’ viewing information together with personal information

…the tool used is Facebook’s Pixel. Cause of action is the violation of Video Privacy Protection Act (“VPPA”) of 1988, which objective is to confer onto consumers the power to “maintain control over personal information divulged and generated in exchange for receiving services from video tape service providers.”

Paramount is alleged to have used Facebook’s Pixel tool to supply Facebook with highly personalised information so that it can know its users’ interests to enable Facebook to either target those users with relevant material or to find other users with similar profile to carry out highly specific ad targeting to them. The information shared is to have included name, email address, birthday and address so that Facebook can identify the user’s Facebook profile and what that user watched on Paramount’s streaming service (CBS.com). Similar cases are on foot against Discovery Communications, Nextar Media Group. Similar allegation has been made against Facebook/Meta itself, for embedding the Pixel tool in healthcare providers’ websites.

Google defeats fraud claim that it took data generated by non-Google apps for use in developing new products and competing with other market participants

…there were several reasons, but one of them was that Google had disclosed that it will collect data through non-Google apps. Google said that this indicates that Google would use the data to improve its offering. The Judge considered that there was no misrepresentation.

GDPR means the public sector must stop using Google products says the Danish Data Protection Authority

… In 2020, EU’s top court (CJEU) ruled that it was unlawful to transfer EU citizens’ data to the US where the EU considered had inadequate protection for personal data owing to US’ invasive survelliance programmes under which the government could request US businesses to turn over data under their control (Schrems II decision). Before transferring data to the US, entities must implement additional measures to prevent EU citizen data from passing into the hands of US government. The Danish municipality explained that data was encrypted but the Danish Data Protection Authority stated that such measure was inadequate.

Competition

In preparation for the Digital Markets Act, Google allows other payment services to facilitate in-app purchases for non-gaming apps in the EU

… the impending EU’s Digital Markets Act provides for a ban on requiring app developers to use certain of the gatekeeper’s services (such as payment systems) in order to appear in app stores of the gatekeeper. The offer which only encompasses the EU, is a 3% discount on transactions generated by non-gaming apps that are using an alternative billing system. It had been the case that in-app purchases on Android phones require users to use the Google Play billing system.  There is a question mark over whether this is offer is sufficient to satisfy the Digital Markets Act. An alternative, cheaper billing system will be available for gaming apps too when the Digital Markets Act come in to play. As the majority of in-app purchases are carried out via gaming apps, Google may be trying to take advantage of the little time it has left without having to comply with the Digital Markets Act.

Italian antitrust authority is investigating Google for obstructing data portability

…In the EU, there is a concept called data portability, which means any user can request for personal data held by a platform to be transferred to them to enable the user to switch between different services thereby preventing lock-in to the incumbent service provider.

A company called Weople is in the business of collecting data of subscribers (with their consent), anonymising and aggregating the data to enable ad-targeting without the disclosure of the personal information, and to sell depersonalised information. Weople complained that Google forbade it from collecting its subscribers’ data on their behalf, insisting that the request must be made from the Google account holder’s personal account. This reduces the take up of Weople’s services. Weople claimed that Google was abusing its dominant position.

Business

Microsoft clinches partnership with Netflix to provide ad supported streaming services, beating bids from Comcast and Google

…Maybe Comcast and Google, with their considerable streaming businesses (Peacock and YouTube respectively), were too close for comfort, instead choosing Microsoft, an established platform albeit less known for ad-supported content delivery. Microsoft’s digital ad revenues are derived from Bing search and LinkedIn, neither of which involve streaming. Note however, that Microsoft is poised to power up their gaming business with the purchase of Activision Blizzard for ~$70bn and Netflix is also diversifying into gaming, having tentatively launched last year and purchased three gaming studios. Perhaps because of this convergence, there have been speculations that Microsoft might eventually buy Netflix. Or perhaps Microsoft will continue to generate revenue from similar partnerships using this high profile deal as a springboard. It has recently acquired Xandr, a consumer advertising platform from AT&T, which Microsoft has promptly been able to leverage.

What does Microsoft have to say? It said Netflix’ choice “endorses Microsoft’s approach to privacy, which is built on protecting customers’ information”. So we also have a privacy angle, which is an increasing risk for platforms. Take note: privacy, security, antitrust risks are really real [and see the next news piece that brings home the point]. I’m sure pricing may also have had something to do with it as well, though who knows.

Why is Netflix compelled to offer ad supported streaming?

Netflix’ plan is to provide a cheaper, ad-supported tier to boost subscription numbers. They will be hoping that their current subscribers will continue to buy services without the commercials. It isn’t a good time to be opening up a cheaper offering though, when inflation is high and households are tightening their belts. It will also present a significant cultural change for Netflix which relied on delivering stellar content without the ad interruptions as its USP.  But they are an established company and are likely to have reached a saturation point plus they are now facing vastly increased competition (eg. Disney+, Comcast/Peacock, Apple TV, YouTube, Amazon etc not to mention other competitors for eyeball time, especially TikTok) – at least in the developed countries, so offering a cheaper service is another way of growing. In addition they are expanding internationally and reaching over to gaming.

Disney+ is also in on the act. It is offering ad supported streaming with the aid of Trade Desk, an adTech company to better target subscribers.

Amazon management revealed to have considered shuttering its private label Amazon Basics in the face of heavy antitrust clamp downs

…at the moment, the news is that Amazon has considered lumping Amazon Basics – but this in itself is a big deal because it goes to show how serious regulatory pressures are. Worst case, Amazon could be ordered to break up – for example, into platform and seller. Others have voiced that Amazon’s eCommerce unit should be splintered from AWS cloud business; AWS is so profitable that it can effectively allow the eCommerce business to undercut third party sellers by a significant margin, which dampens competition.

What this brings to the fore though is Amazon’s modus operandi; do business based on cold hearted calculation; the Amazon Basic range has low profit margins – accounting for only a single digit percentage of overall sales. Is it worth the antitrust risk?  – so it asked the question even though that amounts to several billions in revenue (though the important value is the profits, of course. A small percentage of several billions will likely be still significant).

EU antitrust probe

EU has investigated Amazon for potential anticompetitive conduct (essentially self-preferencing), and Amazon has proposed compromises to settle the claim:

• Using data gained from its retail customers to inform Amazon’s own retail business as a result of its dual role as platform and seller: Amazon can assess what products sell well only to manufacture those products itself and place them prominently on its site in preference over others

• Amazon proposes it will not use data from third party retailers to advantage its business

• Operation of the Buy Box which displays an offer from a single seller: EU found that Amazon found it favoured its own retail business and third party sellers that uses its logistics services (called Fulfillment by Amazon, or FBA).

• Amazon promises to treat all sellers fairly, meaning there will be equal chances of winning the Buy Box spot even if the seller doesn’t use an FBA. It will also provide a second offer which might be cheaper but have a long delivery period.

• Operation of Amazon Prime which offers premium services to customers: EU found that Amazon had favoured its own retail business and third party sellers that uses FBA

• Amazon will set non-discriminatory conditions for sellers to qualify to offer goods to Prime customers.
  • Prime sellers can freely choose a non-Amazon logistics services, and will not use data about them.

The EU has asked for comments about Amazon’s concessions. The US looks like it will implement an anti-self-preferencing measure under the American Innovation and Choice Online Act.  These measures may also be called for in the US.

Amazon sues 10,000 Facebook marketplace administrators from co-ordinating fake review postings

…Not all 5 star product rated reviews on Amazon apparently deserve it. For example, Amazon says sellers on its platform had, using an intermediary, incentivised consumers to provide a good review in return for a refund, or other incentives – in this way, sellers ensured that reviewers have actually purchased the product.  The marketplaces paid people that would be willing to rate products highly, and offered their services to the third party sellers on Amazon’s site. Facebook is tackling the issue behind the scenes, but Amazon’s aim was to unveil the culprits behind the operations.

Cloud

German Court suggests Google/Nintendo venture company Niantic to consider settling claim that Pokemon Go infringes a patent licensing firm’s patent

… So, not all cloud patent claims are fintech related. The patent is understood to concern detecting nearby players and connecting them up. The patent licensing company in question is K.Mizra, who is reported to be asserting other patents against Samsung and GM. In the US well over half of patent infringement cases are initiated by patent licensing companies, whose business is to generate revenue from licensing, usually purchased from operating companies.

EVs

Panasonic obtains US aid to build EV battery factory in Kansas

…Panasonic was originally the main supplier of batteries to Tesla, and the move is calculated to strengthen business supplying batteries to Tesla. It already jointly operates a gigafactory in Nevada. Tesla now has other EV suppliers, notably China’s CATL, the world’s largest EV battery maker and in addition has developed its own capability to make EV batteries. Panasonic itself has sought other clients, and has a JV with Toyota. It is not known whether the Kansas venture will also involve a research capability.

Rolls Royce tests planes powered on hydrogen to cut emissions

…hydrogen of course will help with decarbonisation as it will turn into water on combustion. However, hydrogen fuels are expensive because it is so volatile and it is gaseous. This pushes infrastructure and investment costs. Airbus is doing the same with CFM International, which is a joint venture between Safran and General Electric. In the industry, greener fuels are called SAFs, short for Sustainable Aviation Fuels.

Mercedes Formula 1 Team to invest in SAFs

… on a similar theme. The firm will invest millions in its bid to achieve net zero emissions by 2030.

San Francisco official says data needed from autonomous vehicle companies to understand whether they block public roads

…we need to ensure autonomous vehicles are not seen as “roadway litter”, the official is reported to have said at a conference.

Google loses appeal of ~€100million fine in Italy for blocking Enel, a charging app

…the appeal was upheld in a case in which Google was claimed to have abused its dominant position by blocking Enel which operated Juicepass an EV charging app. An app enabled the user to find the nearest charging station and book a timeslot. Google rejected Enel’s application to be included on Android Auto platform because it was “only accepting apps within the Media or short form Messaging categories”, despite allowing its own apps (Google Maps and Wave) to be onboarded.  Google had said that the safety of the app was not guaranteed to not distract drivers and so required further research. Google suggested that Juicepass functionality could be integrated into Google Maps combined with a voice assistant but Enel had resisted handing over its valuable data about its customers, their movements and charge point information.

Gaming

Unity, a mainstream real time 3D graphics engine to merge with mobile adtech company Ironsource

…the Unity software enables developers/digital artists to create games with high fidelity 3D graphics and renders them in real time.  The tie up with mobile ad tech business Ironsource is calculated to enable creators to develop graphics based on data on audience feedback to direct creators as they generate content and help them monetize their creations.

Patents

EU commission to investigate patent pool Alliance for Open Media (AOM) which holds patents concerning compressing video files

…the particular standard is called AV1, and the development of this open source video technology was primarily spearheaded by members of AOM (Amazon, ARM, Cisco, Google, IBM, Intel, Meta, Microsoft, Mozilla, Netflix, and NVIDIA). The EU commission is concerned that AOM is influencing other businesses that are also building AV1, to sign up to a royalty free cross-licensing terms, when they have every right to seek licence fees in respect of any valid patents that are relevant to the AV1 standard. This could chill innovation and so needs investigating, in the EU’s view.

Semiconductors

STMicro and Global Foundaries to build a chip making foundary in France using French State Aid

…Reducing reliance on China and SE Asian countries is key. US is gearing up to hopefully pass its Chips Act which would provide a $52billion subsidy, a significant portion of which would go to manufacturing chips.

Software

Microsoft does a quick U-turn on banning profiting from apps which uses open source software

…why on earth did Microsoft ban monetisation of open source software based apps in the first place?

Microsoft’s objective is apparently to control rampant copying and profiting off other people’s work. A developer develops an app using open source software. A third party can swipe that, may or may not build a service on top of that, and offer the app for a higher price. Sometimes, the third party also uses the original developer’s trade mark (leading to trade mark disputes) so that when things do go wrong, users go to the original developer to get it sorted or get a refund. That can happen because updates and patches developed by the original developer might not reach the secondary app users.

In response to opposing voices, including those which are well known in the field, Microsoft has decided to suspend the rule at least for now. Microsoft may consider implementing a nuanced wording which stops third parties from taking apps based on open source software to onward sell and to offer an app in a way that confuses users as to its origin.

Microsoft under scrutiny

Microsoft subsidiary GitHub (platform which hosts code and supports collaboration) together with OpenAI (research organisation in which Microsoft has a stake) has recently launched Copilot, which is a service that suggests lines of code and functions in real-time. Copilot is driven by OpenAI Codex, trained on a huge library of opensource software data.  Some criticise Microsoft for double standards, as Copilot service – which was built using data from open source projects – is not entirely free.

Copilot also raises other issues which are interesting from an Intellectual Property standpoint, as it could muddy the authorship of software developed using Copilot; not altogether helped by the fact Copilot suggestions are devoid of attribution or applicable licence terms (something Amazon’s rival code generator (called CodeWhisperer) appears to have addressed, as noted by the same critic).

NOTE: Open Source Software are codes which are publically available, free for anyone to use, modify, improve, develop, add etc. However, it does not necessarily mean you cannot monetise work based on open source software depending on the applicable licence associated with the open source software you have used. Copyleft is perhaps the one everyone needs to be careful of, because that compels any user of that software to make available on the same terms, any modification carried out on that original code. Suppose you were to incorporate some codebase dictated by copyleft licence, then you could be compelled to offer up enormous amounts of work you might have built using it. Again, depending on the applicable licence, it is possible to build additional functionalities or added security on top of the open source software base, or create an AI powered service using open source software as Copilot has done, and monetise the enhanced offering. Businesses usually deploy an Open Source Software manager to ensure compliance.

Delving Deeper

Amazon responds to US senator’s accusation of liberal sharing of private data captured by Ring with the police

…Back in April, Democrat Senator Ed Markey sent the Ring unit of Amazon with the following concerns:  

• Concerns about the Ring business’ surveillance practices and engagement with law enforcement

• His investigation into Amazon illustrates that it has become increasingly difficult for the public to move, assemble, and converse in public without being tracked and recorded:
  • Ring records both video and audio on and around the properties which use Ring
  • Ring stated previously it does not verify compliance

• Damage goes far beyond abstract privacy invasion: individuals may use Ring devices’ audio recordings to facilitate blackmail, stalking, and other damaging practices

• Ring’s tie up with law enforcement is concerning

• more than 2100 policing agencies joined Neighbors Public Safety Service (NPSS), a platform on which participating police departments may request footage from Ring users.
  • Law enforcement thereby circumvent key systems of public accountability
  • No controls imposed on what law enforcement can do with data accessed

• Requested Amazon to make certain commitments, such as to never taking financial contributions, to never provide data access to immigration or federal law enforcement, to never be involved in police sting operations.

Amazon’s response made the following points:

• Audio recording – much used by Ring users to understand what’s going on. Therefore the default which records audio data needs to be maintained.

• Recordings are stored securely in the customer’s Ring account in accordance with Amazon’s standard retention and deletion policies, unless the customer selects a shorter custom retention period. Customers do have the option to manually delete their recordings at any time
  • Ring offers end-to-end encryption of stored recordings

• New York University (NYU) School of Law recently completed an extensive audit of Ring
  • committed to the findings of this audit being made public
  • Requests for Assistance are controlled by the users, not the requesting agencies
  • Most requests concerned video related to relatively serious crimes like “vehicle burglaries and robberies, shootings, home burglaries and robberies, and stolen vehicles.”

• Ring reserves the right to respond immediately to urgent law enforcement requests for information in cases involving imminent danger of death or serious physical injury to any person
• Ring does not allow private security companies on NPSS

In parallel, Amazon has been sued in a potential class action alleging loss sustained owing to Ring’s cyber-security vulnerability. The suit also alleges that Ring shares personal data with (non law-enforcement) third parties.  

Headlines in Tech News of the Week

Irish Data Protection Commission considers the transfer of EU citizens’ data to the US by Meta to be unlawful

…Back in 2020, EU’s top court (CJEU) ruled that it was unlawful to transfer EU citizens’ data to the US where the EU considered had inadequate protection for personal data owing to US’ invasive survelliance programmes under which the government could request US businesses to turn over data under their control (Schrems II decision).   

The Irish Data Protection Commission rendered a draft decision to the effect that Facebook’s reliance on Standard Contractual Clauses (these are terms designed to provide sufficient protection of personal data for data transfers between EU and non-EU countries) did not make the transfer lawful, in light of the Schrems II decision.  If Meta cannot suggest changes to satisfy the Irish Protection Commission, all transfers of EU citizens’ data to the US must be stopped. Meta’s EU headquarters is in Ireland, which is why the Irish Data Protection Commission is taking the lead, but if data authorities in other EU member states do not agree then the issue may be prolonged. The US and EU have since then been trying to put in place a Transatlantic Data Privacy Network, which ensures that US access to EU citizens’ data is proportionate and restricted to instances to only where necessary. Meta will be hoping that the framework will be agreed quickly. It has already threatened to pull out of the EU if it can’t transfer data back to the US.

Seeking of information on drug dealing on Facebook

By way of example about what the EU might mean by inadequate protection of data, I noticed an article covering a dispute going on between a law enforcement authority and Facebook in New Jersey. According to the report, an appellate court last April ruled that law enforcement authority investigating drug dealing can rely on data communication warrants (just need to show probable cause – so the article explains) and did not need a wiretap order (more difficult to obtain – allows surveillance of communications in real time) to gain access to Facebook users’ data collected after the issuance of the warrant.

Having said this, and by the by, the EU Agency for Law Enforcement (Europol) has recently been given expanded powers to receive personal information from tech companies to identify crimes. There is a debate as to whether the new law safeguards the privacy of data subjects.

BigTech/ Data / Platforms

FTC says it will enforce against illegal use and sharing of highly sensitive data

…this is clearly a move as a result of Roe v Wade which enables states to make abortion unlawful. The statement warns that the “potent combination of location data and user-generated health data creates a new frontier of potential harms to consumers”. The statement explains how sensitive data can be collected and sold off to unknown entities:

The FTC mentions that it has in the past carried out enforcement actions bringing home the fact that the concerns are not just hypothetical:

• Copley Advertising:
  • Claim:  using location technology to identify when people crossed a secret digital “fence” near a clinic offering abortion services. Based on that data, the company sent targeted ads to their phones with links to websites with information about alternatives to abortion.
  • Cause of action: Consumer Protection Law violation
  • Settled 2017

• Flo Health (period and fertility tracking)
  • Claim: sharing with third parties – including Google and Facebook – sensitive health information about women collected from its period and fertility-tracking app, despite promising to keep this information private.
  • Cause of action: unfair or deceptive acts or practices, in or affecting commerce in violation of Section 5(a) of the Federal Trade Commission Act.
  • Settled 2021

• OpenX (Adexchange)
  • Claim: collecting children’s location data without parental consent
  • Cause of action: federal children’s privacy protection law violation
  • Settled 2021

• Kurbo/Weight Watchers
  • Claim: indefinitely retaining sensitive consumer data
  • Cause of action: Violation of COPPA (The Children’s Online Privacy Protection Act)
  • The settlement requires the company to pay a $1.5 million fine (2022)

Google takes action to disable updates to popular South Korean KakaoTalk app as a result of it enabling users to bypass Google Play Billing System

…Many will know that, apps on the Android system with In App Purchases must utilise the Google Play Billing system. This is how Google generates a revenue, by levying 15-30% Commission on In App Purchases carried out through apps (and at the same time Google obtains data about what users do using the App).

KakaoTalk enabled users to purchase via its websites, bypassing the Google Play Billing system (such conduct is called sideloading), in contravention of Google’s terms and conditions with app developers.

Uniquely, Korea provided a revision to The Telecommunication Business Act last year prohibiting app store operators from restrictive in-app billing policies like, forcing app developers to offer one method of payment. What Google is reported to have provided for is to allow an alternative payment system to operate, but structured to enable Google to continue receiving commission on purchases made on such alternative systems albeit discounted. KakaoTalk attempted to avoid paying Google altogether. There is a query whether Google’s arrangement complies with the revised Act.

It has been reported that Google’s latest policy change stating it will remove non-complying apps, has prompted the Korea Publishers Association to file a complaint with the Korea Communications Commission (KCC), South Korea’s telecommunications regulator.

EU’s Digital Markets Act provides for a ban on requiring app developers to use certain of the gatekeeper’s services (such as payment systems) in order to appear in app stores of the gatekeeper.

Separately Korea is actively looking at regulating online activities, focussing on establishing fair practices such as dark patterns after reviewing the results of a research which revealed that 97 out of 100 popular apps engaged in dark patterns (this is not defined, but essentially, designing the web interface or operations to influence user behaviour and choice. It will also look at online platforms’ control of fake reviews.

Note that the EU’s current text of Digital Services Act states online platforms shall not design, organise or operate their online interfaces in a way that deceives, manipulates or otherwise materially distorts or impairs the ability of recipients of their service to make free and informed decisions).

Amazon buys 2% stake in Food delivery firm Grubhub

…It’s aim is to boost Prime membership (which encourages consumers to do more with Amazon), for members will get free delivery for one year. At the same time, it justifies the recent Prime membership subscription hike.

UK Competition Authority to investigate Amazon’s potential anti-competitive practices

…the scope of investigation very much overlaps with the one ongoing in the EU.

The investigation will focus on 3 main areas:

• How Amazon collects and uses third-party seller data, including whether this gives Amazon an unfair advantage in relation to business decisions made by its retail arm – see Amazon’s solution as a result of the EU Commission’s probe, below.

• How Amazon sets criteria for allocation of suppliers to be the preferred/first choice in the ‘Buy Box’. The Buy Box is displayed prominently on Amazon’s product pages and provides customers with one-click options to ‘Buy Now’ or ‘Add to Basket’ in relation to items from a specific seller. Again – see below.

• How Amazon sets the eligibility criteria for selling under the Prime label. Offers under the Prime label are eligible for certain benefits, such as free and fast delivery, that are only available to Prime users under Amazon’s Prime loyalty programme.

In parallel, the UK Competition Authority is investigating Amazon (and Google’s) conduct over concerns that they have not been doing enough to combat fake reviews on their sites.

Amazon poised to settle with the EU Commission over investigations concerning potential anticompetitive conduct

…there were two types of conduct under investigation.

1. Use of data generated by third party sellers selling items on the eCommerce’s platform to Amazon’s own advantage: Amazon will share data with those third parties to enable them to sell more products online.

• Amazon will make clear how sellers can be included in the Buy Box (as explained above). There is a query whether Amazon favours sellers which use its logistics and delivery services: Amazon said that its will make rival products more visible.

Facebook sues Octopus Data claiming data scraping users’ data infringes copyright and breaches contract

…First a bit of background. In the case LinkedIn v HiQ, LinkedIn sued HiQ in the US alleging breach of Computer Fraud and Abuse Act (CFAA). LinkedIn complained that HiQ had scraped publically accessible data and used the information gained to provide services to various clients. The Ninth Circuit (at least – there are precedents with a different take in other circuits) said that HiQ’s actions did not contravene the Computer Fraud and Abuse Act because all it scraped was publically available information. For example, HiQ did not hack into LinkedIn, or somehow circumvent any technical protection measures to access data.

Contrast this to one of Facebook’s past claims, for example against BrandTotal, which was successful because the Defendant there was found to have breached CFAA because it collected data from password protected sites by using fake user accounts.

The present case advanced by Facebook concerns Octopus Data’s business which require customers to allow Octopus Data (a US subsidiary of a Chinese company) to access their accounts, to then enable Octopus’ software to crawl over data available to those are logged in to Facebook. This includes other users’ birthdays, addresses and phone numbers. Facebook is alleging that Octopus Data is breaching copyright law arguing that users’ content is protected from scraping under the Digital Millennium Copyright Act.

Separately Facebook alleges that Octopus Data has breached the terms of use, which prohibits users from collecting data using autonomous means.

In addition, Facebook (or really I should say, Meta) has sued an individual in the US for scraping data from some 350,000 Instagram users  (Instagram is a Facebook/Meta company) and publishing that on his own website.

Both cases have been started in the Northern District of California

What would a case like this be like in Europe?

In Europe, a copyright based case might be difficult to maintain unless there is some form of creativity in the material that is said to have been copied (although instead there is something called a database right which Facebook might be able to rely on depending on how that database is configured and created).

Cloud technologies

Deep pocketed financial institutions Wells Fargo and Bank of America again hit with patent infringement action which concern cloud native payment processing (ie: settle using your mobile phone) – again

…Cloud computing enabled services have been subject to numerous patent litigation especially in the US. I myself have managed a piece of cloud payment patent litigation over in the UK. Financial institutions which deal with volumes of transactions carried out on mobile phones and other remote devices have been targets because they are so well resourced. Both Wells Fargo and Bank of America have been hit with patent litigation of this nature in the past.

Cyberattack

1 billion Chinese citizens’ data reported to be hacked including name, address, birthplace, national ID number, mobile number, all crime/case details from local Chinese police database

…This has now been confirmed and is the largest hack in history. Data now offered for sale…

Conti, one of the largest criminal organisation famed for their ransomware falls away as Costa Rica refuses to pay ransom

…the FT reports that Costa Rica which has resolutely refused to pay the $1m-$20m ransom has put the nail into Conti. Conti has been crippled by revolts of Ukrainians in the Russian group causing chaos.

Conti had managed to hack 27 ministries in Costa Rica. President Chaves refused to pay up causing disruption to services like tax payments, public healthcare and payment of public sector workers and much more. Large tech companies and other countries (Spain and US notably) have sent support to Costa Rica.

EV

Warren Buffet backed Chinese automaker BYD overtakes Tesla in EV Sales

…No doubt price (about $15k per car) will be the key component of BYD’s success although it has to be noted that BYD cars are hybrids, meaning that they have the traditional internal combustion engine (ICE) built in as well. Tesla has had a particularly rough ride as their factories were forced to close owing to strict covid policies. BYD factories were located in regions which were less affected.

Having said this, BYD is still a force to be reckoned with. It is currently also a significant EV battery maker (estimated 10% of global capacity for EV batteries) having outpaced LG and behind China’s CATL. This means that BYD is highly vertically integrated; with prioritised access to batteries, being one of the key components of an EV (and in insufficient supply).

Interesting statistic: According to the FT, about half of exports of EVs from China accounted for by Tesla. About a third are from Chinese owned European brands such as Volvo and MG, about 14% from European joint ventures in China (eg. VW) and only about 2% from Chinese automakers.   

There are now rumours that Buffet might be selling his stake.

Vehicle-to-everything (V2X) is not progressing owing to regulatory uncertainty and insufficient spectrum allocation says Alliance for Automotive Innovation

…V2X technology is critical to autonomous driving, enabling vehicles to suss out the environment around them by facilitating real-time wireless data sharing between vehicles and infrastructure (eg. traffic lights), other vehicles and road users (pedestrians, bikes etc). V2X which will significantly enhance road safety and help unleash value for users of roads.

Two ingredients are necessary for V2X to be enabled, neither of which, the Alliance says, have sufficient support (the complaint mainly concerns US):

• Sufficient spectrum: US Federal Communications Commissions (under the Trump administration) had shunted off 60% of spectrum which was reserved for intelligence transport systems (like V2X) to other businesses. What they are left with is inadequate.

• Regulation: this is not being progressed fast enough. The Alliance pointed to a fatal bus accident which arose out of interference from unlicensed devices and regulatory uncertainty.

Metaverse / VR / AR / MR / XR

Snap (parent of Snapchat) toys with using NFTs as Augmented Reality filters

…Snap (which the company insists is a camera company), parent of Snapchat and purveyors of AR technology are looking at enabling creators to show NFTs as its AR filters (called Lens – take a look). The strategy is to ensure Snap remains attractive to its young user base. Snap is planning to facilitate creators to monetize their NFTs in the future. Other firms are doing something similar; Meta is offering exclusive access to digital collectibles as is Reddit.

Satellites

Ericsson (Telecoms), Thales (Defence) and Qualcomm (chip maker) come together to provide 5G from Low Earth Orbit (defined to be between 150-2000km) Satellites

…to be deployed within the next few years. It joins Starlink, which does not use cellular technology unlike this venture to provide connectivity, but broadband internet.

Delving Deeper

Ride-hailing company Lyft appeals to the California Public Utilities Commission over its ruling classifying only part of its Trip Data as confidential

…Lyft’s briefing is interesting because it gives you an inside peek into Lyft’s operations. This is why I’ve decided to delve deeper on this development this week.

Lyft said that the ruling correctly determined that the disclosure of GPS coordinates for pick-up and drop-off locations within the Trip Data would constitute an invasion of personal privacy, but the very same data at the census block and zip code level presents no such privacy concerns. Lyft is concerned that this data would allow third parties to track TNC (Transportation Network Companies) users’ movements and reveal their intimate personal associations. Lyft also says that such data is also confidential information.

Note: Census block is a bit like a zip code, it’s a geographical boundary, which encompasses a small area. The coverage is across the entire US and other areas. In a city, a census block looks like a city block bounded on all sides by streets.

Trip Data is a massive database of time-and-date stamped records of every ride completed by the millions of users. Lyft says such data constitute trade secrets because (i) it has independent economic value from not being generally known and (ii) it has made efforts to keep it secret.

How does Lyft use the Trip Data?

Lyft says, in relation to (i), the Trip Data allows Lyft to:

• Licence out that data to third parties – Lyft itself has been approached and there are platforms which sell these sorts of data
• More effectively target its marketing campaigns
• The data is continually collected, compiled and analyzed as an integral aspect of Lyft’s business operations, as the success of Lyft’s business model depends upon continually optimizing the balance between ride demand and vehicle supply.
  • Optimize demand: competitive pricing and promotions, such as ride credits and other discounts
  • Increase the supply of vehicles to areas with high demand: offering drivers minimum hour guarantees, bonuses, and other driver incentives
  • Further analyse the “real-world” effectiveness of incentives, retire incentives that are not effective

What sort of damage will be caused if Data were made available to others?

Lyft also explained the damage caused if Trip Data were disclosed to other TNCs:

• If Lyft’s competitors, including Uber, HopSkipDrive, Wings, Silver Ride, Nomad Transit… were provided access to Lyft’s Census Block Trip Data, they could and would analyze and manipulate that data to gain insights into Lyft’s market share, its pricing practices, its marketing strategies, and other critical aspects of its business that it does not publicly disclose.

• Lowers barrier to entry: A new competitor could enter the market without substantial investment, while existing competitors could use the data to increase their market share, or undercut Lyft’s marketing campaigns, by “free-riding” on Lyft’s data. [This is a double-edged point, it goes to emphasise why incumbents with volumes of granular data (in particular GAFAM – who also have the infrastructure and high compute power) have a huge competitive advantage – which is the reason why regulation is coming into play in the US and the EU, in particular].

Should there be a distinction between claiming the data and the algorithm which can be used on the data?

Lyft also deals with the point.

• The Ruling relies on Cotter v. Lyft, Inc. (N.D. Cal. 2016) which distinguishes between a secret formula possibly being a trade secret and the resulting data derived from a secret formula. It held that an algorithm used to generate Prime Time fares and driver commissions was a trade secret, while the total amount of revenue or commissions generated was not.

• Lyft makes clear that it is not claiming trade secret protection because disclosure of data would reveal the particulars of a secret algorithm. It claims trade secret for the experience data itself, derived from Lyft’s interactions with its users

The Ruling states that Lyft failed to make reasonable efforts to keep the information a secret

• One of the reasons why the Ruling states that the information should not be regarded as confidential is because a particular driver or passenger may have access to select information regarding their own ride (such as the zip code or census block from which it originated or the time and date). Lyft explains that this does not mean that the trade secret — i.e., the compilation of data elements associated with millions of individual rides — has become “generally known.”

The point is an interesting one to IP lawyers like myself in view of the proposed Data Act in the EU which provides that users must be able to access data generated data through their use. It would be interesting to see whether the courts of the EU would support Lyft’s argument.

The briefing also addressed the issue of privacy, with Lyft referring to evidence that it says shows that mobility data at the census block and zip code level can be re-identified to track individuals’ movements.

There were many other arguments, but these seemed to me to be the most interesting points.

Why does the government compel data collection from TNCs?

Such data is sought because they are useful for a variety of purposes such as:

• Urban town planning
• Traffic Management
• Provision of more effective Emergency Services
• Law enforcement

Privacy advocates warn that access to data could render it to become a tool for surveillance. As mentioned, this is a point that Lyft supports.

Bonus News

Elon Musk says he’s pulling out from buying Twitter

…whether he can legally do so without breach of contract is another question, given that he has already signed a contract committing to the purchase. He says that Twitter has stated to the SEC (US securities exchange commission) that the proportion of fake accounts/bots was 5% when the reality is much more. He says he should be able to rely on what is claimed publicly by Twitter, a public company.  Because the proportion of real accounts would dictate how much advertisers will be willing to fork out to advertise on Twitter, the percentage of fake accounts on Twitter directly impacts the value of Twitter itself. Twitter has predictably sued.

This piece of tech news doesn’t really impact our future (which is what I cover) but I’ve included it for good measure as everyone is talking about it.  

Headlines in Tech news of the week

Use of TikTok in the US poses national security risk says Federal Communication Commissioner in his letter to Google and Apple CEO

…The letter was not from the FCC itself, meaning that the view may or may not be unanimously shared across the unit. 

The letter is in response to reports that officials in Beijing have been accessing information containing personal data of American citizens. Like many very successful social media/ content sharing platforms, TikTok possess volumes of sensitive data of vast number of users (approx. 80million estimated monthly active users just in the US, according to one statistic – 20 million downloads Q1 2022 alone, the letter notes). TikTok’s user information is however now stored in Oracle servers in the US – but this does not mean that the data is not accessible from elsewhere unless controls are put in place as the letter also notes. 

The Federal Communication Commissioner (Brendan Carter) made the following points:

• TikTok poses unacceptable national security risk, and so in accordance with Google/Apple’s representation that app stores are safe and trusted places, TikTok app needs to be removed.

• TikTok is not what it seems – an app for sharing funny videos, but is a sophisticated surveillance tool.

• It has huge amounts of sensitive data

• Search and browsing histories
  • Keystroke patterns
  • Biometric identifiers such as faceprints and voiceprints
  • Location data
  • Draft messages
  • Metadata
  • Text, images and videos stored on device’s clipboard
  • I would add to this – what we do, where we visit, what we buy, what we like, who we are friends with, who we are not friends with. That latter point is important – one is exposed even if you are not a TikTok user.

• Lists a number of TikTok’s problematic actions, such as

• evading Google’s privacy safeguards,
  • accessing confidential information such as passwords, cryptocurrency wallet addresses and personal messages through the Apple app store,
  • payment of $92million in settlement of a lawsuit which alleged TikTok had “vacuumed up and transferred to servers in China (and other servers accessible from within China) vast quantities or private and personally identifiable user data [of US users]”,
  • payment of $5.7million to settle lawsuit which alleged that TikTok illegally collected data of under 13s.

• TikTok is banned in India, by US military units and private US business operations on the grounds of security concerns. Other US officials, cybersecurity experts, privacy and civil rights groups have stated that TikTok is a security threat.

• The fact that US users’ information is now stored in Oracle’s servers is not sufficient – it doesn’t say if the information is still accessible from China.

TikTok Responds

TikTok Chief Executive Shou Zi Chew said TikTok employees, including those based in China can access data, but it can only access ” subject to a series of robust cyber security controls and authorisation approval protocols overseen by our US-based security team”, in accordance with US demands. Foreign employees going forward, will only be able to access those that TikTok designates as non-sensitive.

What does it mean for Apple and Google?

Note that separately, the Commissioner’s letter could assist Apple and Google’s bid to remain the only app stores in their mobile ecosystem, or at least you have to be properly vetted and authorised to run an app store. This could require the potential app store to have enough resources. Apple and Google are claiming that they need to be able to vet apps that are downloadable on users’ mobile to maintain a high privacy and security environment for users. Although the Commissioner alleges that Apple and Google are not doing their job properly by offering TikTok on their app stores, it may well be that in any event, vetting procedures are required to ensure that users’ data are safeguarded. 

BigTech/ Data / Platforms

Major changes on Android to avoid serious consequences on users from the Roe v Wade fallout

…not only that, should any privacy breaches on Android phones end in prosecution of women seeking abortions unlawfully, it could spur class actions against Google, and massive damage to its reputation. Google has swiftly proposed a couple of measures to minimise risk. The following have been proposed:

• Deletion of location history if they are in the vicinity of abortion clinics [but what if you live near such centres? What about underground abortion clinics? ] and other sensitive areas [like domestic abuse advice centres].
• Access to “app inventory” restricted to utility companies such as device search [presumably this is Google? Or could it be the phone maker, like Samsung?], antivirus and file manager apps, and not to developers generally.
  • App inventory is information on what Apps are installed, or installed and then deleted by any particular user.
  • Information on user’s app inventory has been sold openly for ad-targeting purposes – this exposes users’ interests, and other traits, such as gender, age, sexuality, religion, location etc.

What about Apple?

Apple doesn’t utilise device generated data as much. Data is only stored on the device itself, and when it is synced with other devices, the data transfer is end-to-end encrypted.

Japanese Court orders a platform company kakaku.com to disclose a part of its algorithm to litigation adversary – potential knock on effects on all platform businesses (including GAFAM) that do business in Japan

…the dispute is about the following:

Plaintiff: Hanryumura, a Korean style BBQ restaurant chain operator

Defendant: platform called kakaku.com. It has a tripadvisor type platform services that ranks and recommends restaurants called Tabelog (combination of the words taberu (to eat in Japanese) and blog).

The complaint: Plaintiff says the defendant platform was abusing its superior position in the market contrary to Japanese competition law by designing its algorithms unfairly. Specifically, the plaintiff has complained that its restaurants got low scores just because they are a chain of restaurants. It was claimed that their unfair scoring system has led to a drop in the ratings and the restaurant group has suffered loss.

Results: Plaintiff succeeds in the first instance, Defendant is appealing.

The issue: As part of the appeal the court has ordered the disclosure of part of the defendant’s algorithm to the plaintiff. By doing so, it will allow the court and the plaintiff to assess the fairness of the defendant’s algorithm. Such a ruling will have implications for future litigation in Japan, and bigtech businesses in particular.

Similar issues have arisen at least in the UK. In both Infederation v Google and Kelkoo and Google, the plaintiffs argued that Google’s algorithms favoured its own shopping price comparison services over theirs in breach of competition law and the disclosure of algorithms was sought. In the former case, Google was given the option of giving up part of its defences or allow the plaintiff’s independent search engine optimisation expert to access its algorithms. In the latter case, the court deemed disclosure to be inappropriate at the relatively early stage in the proceedings, among other reasons. Whilst no disclosure of Google’s crown jewel algorithms have been made available to the plaintiff rival companies themselves thus far, that possibility in the UK cannot be discounted, especially if the dispute nears trial.  

The EU Commission is providing for the Digital Services Act which includes transparency measures for online platforms on a variety of issues, including on the algorithms used for recommendations.

…and back to Japan, they will be regulating digital advertising carried out by large platforms to ensure fairness. UK’s competition watchdog is already looking into Google’s practices as it controls the whole of the ad-stack. 

US Senators ask Google to clarify how Spam Filtering Algorithms work on Gmail

…The particular issue raised is that some emails relating to political campaigns may not reach recipients. However, the issue could be a wider one than that – it could be framed as being about how Google is carrying out content moderation.

Senators ask Google whether spam filtering applies equally to political and non-political emails, whether machine learning is used, and if so how, what rules apply if filtering is manually carried out, and whether personal preferences are taken account of.

Twitter challenges Indian Government’s Order to block Tweets

…Carrying on with the theme of content moderation, this is a news piece about the Indian Government having previously written to Twitter warning of “serious consequences” if Twitter declined to comply with take down requests of certain tweets and accounts. According to Indian law, the government has power to block tweets which “threatens the security of the state” or if take down is in the interests of public order.  Non-compliance may result in the imprisonment of Twitter’s compliance officer in India. Twitter says that Indian Government’s asks are beyond the remit of the Government’s legal authority, and has sought to challenge the order. In the past Twitter has been asked to remove tweets concerning major protests by farmers and those that are critical of the way in which the government has handled the covid pandemic.

Application of Illinois Biometric Information Privacy Act (BIPA) in the case between Uber Drivers and Microsoft

…The Uber driver plaintiffs say the following steps occurred to register as Uber drivers:

• As applicant to Uber, the prospective Uber drivers were required to submit name, vehicle information, driver’s license, and a profile picture to Uber through its mobile application

• Unbeknownst to Plaintiffs, their pictures were transferred to Microsoft’s Face Application Programming Interface (“Face API”), which is integrated into Uber’s phone application as a security feature

• Microsoft’s Face API collected and analyzed Plaintiffs’ facial biometrics to create a “geographic template” that it compared to the geographic template from the original profile picture to verify their identities. [sic – this part comes from the Order – but the process is a little difficult to understand]

The plaintiffs alleged that Microsoft violated BIPA on the following grounds:

• Microsoft never obtained Plaintiffs’ written consent to capture, store, or disseminate their facial biometrics
• Microsoft also failed to make publicly available the policy regarding retention and deletion of their biometric information, and it profited from receiving that information. Note that there is no allegation that Microsoft failed to comply with the policy.

The judge decided that the plaintiffs did not have standing in the Federal court, remanding the case back to the State Court. However, the important point is that businesses around the world with a global footprint – need to bear in mind the different laws that might apply. It is also interesting to know what sort of processes take place at the backend – I’ve recently been subjected to these sorts of processes for travelling and applying for bank accounts.

Microsoft has recently limited its application of Face API to ensure that its facial recognition tools are utilised responsibly.

Class Action alleging excessive app store charges to commence in the UK and Australia

…these class actions do lag considerably to those already going on in the US, trial date for which is being currently argued.

Amazon’s Prime services changed so it is easier to cancel to comply with EU’s Digital Services Act

…Amazon will provide a clear and prominent Unsubscribe button. Amazon’s Prime services has been easy to subscribe to but much harder to cancel. The unsubscribing process also entailed some explanatory points which had the effect of deterring consumers from cancelling (which may be described potentially as dark patterns). Now consumers should be able to unsubscribe as simply as subscribing.

Cloud

Now Alibaba’s cloud customers can measure, analyse and manage carbon emissions

…This is a launch of a tool called Energy Expert which helps businesses carry out carbon accounting and reporting, identifying sources of carbon from their business activities. It also shows how businesses can improve on energy efficiency.

Alibaba’s cloud services is third largest after Amazon (AWS) and Microsoft (Azure).

Crypto

EU Commission to introduce Markets in Crypto-Assets (MiCA) to regulate crypto-asset dealings

…It encompasses:

• protecting consumers
• ensuring stablecoins are backed up by sufficiently liquid reserves
• ensuring crypto-asset providers are authorised to operate in the EU
• clamping down on money laundering  / terrorism financing – crypto asset transfers have to be traceable, which means that information on the source of the asset and its beneficiary travels with the transaction and is stored on both sides of the transfer. However, if there is no guarantee that privacy is upheld by the receiving end, such data should not be sent. [Quite how that works is a bit of a mystery]
• accounting for the environmental impact and compliance with mandatory minimum sustainability standards.

It does not cover of NFTs.

The ideas are not that dissimilar to the Biden administration’s executive order on cryptocurrencies.

The move will incidentallyl make crypto transactions taxable. However, the central overreach is bound to take away the decentralised nature of cryptoassets which made the framework revolutionary.

Cryptocrash as Three Arrows Capital is liquidated by the Order of the British Virgin Islands Court

…this follows creditor’s suit (Voyager Digital – Canadian crypto lender – lends you money against your crypto) as a result of Three Arrows Capital (3AC) failing to repay its debt of $650m. They had bought into the Luna / Terra cryptocurrency which collapsed in May.  Vauld, which offered up to 40 percent annualised returned to customers to lend out their crypto tokens have disabled withdrawals and trading, as has others such as BlockFi and Celsius.

What’s happening? As venture capitalist Chamath Palihapitiya explains, the world of crypto is completely unregulated, devoid of leverage checks and auditing leaving market participants free to carry out speculative off-chain crypto arbitration. In the case of recently decimated Luna/Terra, you were promised 20% if you bought into Terra (which was purported to be pegged to 1USD) – critically at this point you lose access to your deposit and the deposit goes off the blockchain – and someone will use the deposit to find someone else that will promise to pay more than 20% interest, and so the off-chain trades goes on. Then one of the cryptocurrencies (such as Luna/Terra) collapses, and the lenders start asking for the money back. The borrower then runs off to get their deposit back. There is none to return, and the lender is left with no recourse. 

Learning point: cryptocurrency transactions are not all on-chain. When a cryptoasset is deposited, you can lose all control of it, and if there is a default on the terms, at present there is no recourse.

Cybersecurity

Cybersecurity firm Mandiant says pro-China group Dragonbridge guised as environmental campaigners are undermining rare earth producers in the US and Canada

…Mandiant says the group uses fake Twitter and Facebook accounts to claim US government aided projects to mine rare earths needed for EV batteries and high tech equipment. These projects have as their objective, a reduction in reliance on supply from China and increased self-sufficiency generally. There is a separate question as to whether the Dragonbridge campaigns are spreading disinformation or whether the information is in fact fair, and whether it matters who is perpetrating the information if it is the sort of information that is of public interest.

Google is hoping to purchase Mandiant to strengthen security for its cloud services offering.    　　

Drones

Underwater drones intercepted carrying a load of drugs

…the BBC reports that the unmanned drones travelled underwater from Morocco to Spain. The drones can carry up to 200kg of cargo.

EVs

German competition authority allows Volkswagen and Bosch to work on autonomous driving technology together

…the aim is to catch up with Tesla and Mercedes.

Volvo to open a new EV factory for the first time in 60 years – in Slovakia

…The Slovokian government backed factory will be completely EV, using clean energy and higher levels of automation. Volvo Chief Executive commented to the FT that building a company from scratch enables greater levels of efficiency compared to factories which attempt to modify existing internal combustion engine (ICE) manufacturing factories into an EV one. Some carmakers are presumably shutting down their ICE manufacturing factories only to open up a new EV one for this reason (Ford, Jaguar Land Rover).

According to the same FT article, Volvo’s moves into Slovakia follows that of Volkswagen, Stellantis, Kia and Jaguar Land Rover.

Volvo group company Geely of China buys Chinese smartphone company Meizu

…They say future EVs will be smartphones on wheels. It may then make sense for an auto company to buy smartphone companies which will come with know–how on delivering services through wireless communication technology.

Gaming

Judge orders preliminary injunction against Destiny 2 cheat code distributor from transferring the cheat code to Ukrainian investors

… Destiny 2 game maker Bungie had alleged that Aimjunkies/Phoenix Digital were infringing copyright and trade mark rights by selling cheat codes for the game.  An article on the website torrentfreak.com disclosed the potential sale of the Defendants to Ukranian investors. Bungie sought a narrow injunction against the transfer of Destiny 2 cheat code only, and not the website itself or the whole of the cheat code library owned by the Defendants.

The Defendants say they themselves haven’t copied any Destiny 2 code, and so should not be liable for copyright infringement which require them to have carried out the acts of copying per the copyright law. They say that the software was made by a third party, which they distribute. Furthermore, the Defendants contended that the website has been already sold off to the Ukranian purchaser, so an injunction would be too late. These are very unattractive points that make the Defendants look rather shady. But then again their business itself is.

The Court nevertheless said that Bungie has demonstrated that the Defendants have knowledge of, and/or access to, servers from which future purchasers could download the cheat software, directly from the software’s alleged developers. Further, despite the purported sale, whether the individual defendants will still play some role in the management of Aimjunkies.com is unclear. An injunction was therefore granted. Learning point: in the world of digital/ gaming [and by extension Metaverse] – one has to have eyes and ears peeled for all sorts of rumours and developments through various channels, and then act quick!

Metaverse / VR / AR / MR / XR

Metaverse Dating App Soul, popular in China prepares to list in Hong Kong

…You can now, through your avatar, find your soulmate on the metaverse. The system will know your personality traits so is supposed to be able to work out by virtue of a clever algorithm to identify your perfect match. Because you are anonymous, you can be whatever you want to be, say whatever you want, admit whatever guilty pleasures you may have which you might feel you can share with a stranger.

Hopefully however, there are proper checks carried out. These avatars do look cute, but the platform could become a fertile ground for nefarious characters to prey on more innocent and younger daters. 

Cambridge University Hospital x GigXR showcases HoloScenarios, virtual holographic patients on which medical students can train

…Using Microsoft’s Hololens, medical students attempt to find the best solution to help holographic patients which are overlaid in the real physical world. Seeing really is believing (and understanding better), so check out the clip. No more having to hire actors to simulate particular symptoms for medical students to practice on. It seems that the system has the potential of becoming much simpler, cheaper and more accurate than traditional methods and usable by trainee medics all over the world.  

Satellites/Space

US Federal Communication Commission authorises SpaceX to provide internet services to moving vehicles, such as boats, airplanes and trucks

…The development is significant, because it would mean citizens living in the middle of the countryside can receive great broadband. Farmers can benefit from smart agriculture. Business people can enjoy long haul cruises without worrying about not being connected. Trucks can be autonomously driven across country roads. The list goes on…

Delving Deeper

EU publishes a briefing on the Metaverse, throwing up all sorts of issues that might need regulating

The paper identifies a number of areas that might need to be watched carefully as the Metaverse evolves. A rough summary of issues is as below (and weaving in some thoughts of my own) :

Competition Issues

• Lock in risk: technical solutions, protocols and services that enable interoperability are critical to build the metaverse ecosystem. Open metaverse standards may need to be fostered.

• Killer acquisitions: need to be watchful of purchases of nascent start ups with the main objective to prevent it becoming a significant competitor. [Because the metaverse is not dominated by any particular company at present, large businesses might find they fall below the radar of competition rules. Therefore, the EU’s point appears to be that acquisitions in the space need to be scrutinised]

• Antitrust: Need to be aware of following behaviours:

• self-preferencing – platforms in particular can promote its own products and services over third parties’. In part the Digital Markets Act deal with this.
  • dark patterns – designing interfaces to influence users’ behaviour and decision-making
  • sharing of sensitive information between competitors

Data Protection

• Facilitation of collection of biometric data: this includes emotional physiological responses, facial expressions and eye-tracking. Intrusive profiling will also be possible. The draft AI act deals with this to some extent.

• Attribution of liability: metaverse will create a web of relationships, making it very difficult to determine responsibilities and liabilities. Defining data controller and processor may be blurred. Determining who should be responsible for collecting consents and displaying privacy notices may not be straightforward.

• Difficulty in collecting the proper consents and avoiding collection of data from users: Consent may be impossible to obtain where the world is continuous, involuntary and interconnected, meaning it is impossible for users to avoid data collection. However, GDPR [should it apply] requires the active and freely given consent of users to share data with third parties and for a specified purpose (such as ad-targeting, including subliminal advertising). Interaction between avatars may not be private and recorded, and subject to commercial and state surveillance.

• Need to regulate the storage, handling and safeguarding of data used in the metaverse: this includes responsibility for data theft or misuse.

• International data transfers:  interoperability and the movement of users inside and between different metaverses, together with their data and assets, raises the question of data sharing and data portability.

Liabilities

The Digital Services Act may to some extent deal with these issues.

• Illegal and harmful content: New content moderation challenges – it’s hard enough on web2.0, but the fact that you can use avatars which have freedom to operate in 3D make the scope for harmful content particularly acute (sexual harassment or assault, pornographic content modelled on avatars, or misinformation or defamatory content, hate or extremist behaviours, discriminatory behaviours). 

• Intellectual property infringement (including tarnishment) and misappropriation: this is easy to do in the metaverse without being able to ascertain who the perpetrator is.

Use of Artificial Intelligence

• Artificial Intelligence including machine-learning algorithms and deep-learning architectures – these features operating in the metaverse could enable market participants to track and monitor their users and customers in real time and expand the negative impacts. The draft AI Act deals with this to some extent.

Financial Transactions

• Ownership of digital assets: the limits of what the owner of an NFT can do with the digital assets may not be always clear. 

• Fintech regulation:  this may be required and in part be helped by the draft proposal for a regulation on markets in crypto-assets.

Cybersecurity

• Cyberattacks likely to be prolific via devices: hackers may control what the victim can see/hear and experience and could see inside their office or home, with serious security consequences.

The proposal for a regulation on general product safety requires appropriate cybersecurity features for product protection. Cybersecurity resilience act is proposed, which will protect consumers by introducing common cybersecurity rules for digital products and ancillary services.

• New forms of cyber attacks foreseen: selling fake NFTs, illicit use of crypto-currencies and malicious smart contracts

• Virtual crimes: would the law of assault say, apply to an avatar? What about indecent exposure?

• Connections between dark web and the metaverse

• Avatar integrity: identity theft, avatar duplication and misuse creates an issue for interoperability. Identity authentication built on blockchain will be crucial in this respect.

Generally

• Determining Jurisdiction:  This is not straightforward. Is determined by the person’s location/ avatar’s location / server’s location (or contractually determined)?

Other issues

• Employment and Labour laws – if metaverse is used in the workplace
• Mental and physical health of users, including children
• Accessibility and inclusiveness.

US

Roe v Wade overturned – Tech companies attempt to neutralise effect for employees

… As most readers will know, the US Supreme Court has overturned Roe v Wade, meaning that in the US, there is no longer a constitutional right for a woman to obtain an abortion. This means that states can pass laws to ban abortions, should they wish. For example at the moment, there is a temporary injunction on the abortion ban in Texas whereas in Tennessee, the ban is enforceable after six weeks of pregnancy (pregnancy can easily go unnoticed at such an early stage). Tech companies were quick to react, Alphabet (Google) and Apple, (alongside other non-tech companies) said they will pay for employees to travel and receive reproductive care if they live in states where abortion is banned. Presumably there will be confidential channels by which employees can apply. These companies are potentially risking liability because in some states you could be liable if you assist a woman to obtain an abortion. As I understand it, Meta and Microsoft’s offer of support were premised on the provision of assistance being lawful.

Artificial Intelligence

The UK government says copyright will be amended to promote progress in AI

…In its press release, the government said that data mining will not require permission from the copyright owner by anyone with lawful access to the material even if it is protected by copyright. Data mining is an important technique used for example, in training AI in which a software (or a bot) is used to collect and analyse material (eg. internet) for patterns, trends and other useful information. The aim is to make UK a location of choice for data mining and AI development. The government says that it seeks to use Brexit as an opportunity to make its own laws that is pro-technological progress.

What’s the EU position?

It is interesting to bear in mind that there are data mining exceptions under EU’s Copyright Digital Single Market Directive (applicable across the EU):

• Research organisations / cultural heritage organisations are allowed to data mine for a scientific purpose (even if they are carrying out research with a business under certain partnerships). Importantly it is not possible to restrict the ability of research organisations / cultural heritage organisations to data mine provided it has lawful access to the material.
• In cases of data mining by a non research organisation /cultural heritage organisation or for a non scientific purpose, it is possible to data mine without permission if there are no express reservations not to data mine (for example coding on the webpage, licensing agreement term).

The UK position is better than the EU position because it will not be possible to prohibit data mining, provided that the user has lawful access.

What about protection afforded to IP created by AI?

No changes are proposed for UK’s patent inventorship criteria (question of whether an AI can be an inventor) or copyright computer generated works (in accordance with UK copyright law, a literary, dramatic, musical or artistic work which is computer-generated can attract copyright even if there is no human author – this has been debated to be at odds with the EU position which can be argued to require human creation to attract copyright (eg. Case C-145/10 (Painer), Case C-683/17 (Cofemel)).

Microsoft revises its Responsible AI standards, restricts and retires certain capabilities

…Having regard to the fact that certain AI can be used inappropriately, Microsoft have decided to revise its Responsible AI standards and remove certain AI capabilities for use in open-ended ways.

Revised Responsible AI Standards

Microsoft’s revised Responsible AI Standards have the following overarching requirements:

• Accountability
  • Impact Assessments
  • Oversight of significant adverse impacts, including whether the system can be deployed for sensitive use.
  • Fit for Purpose: Document in the Impact Assessment how the system provide valid solutions for the problems they are designed to solve.
  • Data Governance and Management: what data will be collected and processed (labelling, cleaning, enrichment and aggregation) and how will it be used? Which geographic areas?
  • Human Oversight and control: who will carry out troubleshooting, managing, operating, overseeing, and controlling the system during and after deployment? How will the system behaviour be interpreted and how will it be controlled/overridden?

• Transparency
  • System intelligibility for decision making: how will the relevant system behaviour be interpreted in a way that supports informed decision making?
  • Communication to stakeholders: Explain the capabilities and limitations of the AI systems to support stakeholders in making informed choices about those systems
  • Disclosure of AI interaction: inform people that they are interacting with an AI system or are using a system that generates or manipulates image, audio, or video content that could falsely appear to be authentic

• Fairness
  • Quality of Service: make sure the system provides a similar quality of service for identified demographic groups, including marginalized groups. [this will mean AI is not deployable for certain AI uses if there is insufficient data about a certain category or people]
  • Allocation of resources and opportunities: minimize disparities in outcomes for identified demographic groups, including marginalized groups (especially when used in finance, education, employment, healthcare, housing, insurance, or social welfare)
  • Minimization of stereotyping, demeaning, and erasing outputs: Applies to AI systems outputs include descriptions, depictions, or other representations of people, cultures, or society.

• Reliability & Safety
  • Failures and remediations: minimize the time to remediation of predictable or known failures (define predictable failures, including false positive and false negative results for the system as a whole and how they would impact stakeholders for each intended use). How will failures be remedied, how long will take, and will there be oversight to ensure failures can be avoided?
  • Ongoing monitoring, feedback, and evaluation: use the outcomes to improves

• Privacy & Security

• Inclusiveness

Restrictions on some capabilities

Microsoft is advocating for laws to regulate the use of facial recognition but in the meanwhile has decided to limit access to Azure Face API, Computer Vision, and Video Indexer to those that apply for it [Good job! Would say the Ada Lovelace Institute – see below – In the Spotlight]. Those that propose to use Microsoft’s capabilities have to demonstrate that its use will be in accordance with the above Responsible AI standards.

Separately Microsoft said it will retire facial analysis capabilities that purport to infer emotional states and identity attributes such as gender, age, smile, facial hair, hair, and makeup, owing to the lack of consensus on a definition of “emotions,” and the inability to generalize the linkage between facial expression and emotional state across use cases, regions, and demographics. Microsoft also identified stereotyping, discrimination, or unfair denial of services as risks that had to be avoided. However, Microsoft is allowing some limited use, in particular to support technology for people with disabilities, such as SeeingAI.

Amazon’s AI assistant Alexa can now speak to you in the voice and style of your dead relatives

…the demo was of a child asking Alexa to read a story in the voice of his dead grandmother. There is a question of whether such a tool would impede the grieving process. There is also the question of abuse. Users could take a person’s casual voicemail (or more likely celebrities’ voices off videoclips) and convert that into Alexa’s voice without their consent. Then there are scams and deepfakes, spread of disinformation that could be facilitated by use of these types of technology. For example, anyone can use the capability to call up parents with their child’s voice seeking the transfer of money or you could make a politician say something he or she didn’t say.  During a consultation on AI and IP in the UK, some voiced the need to expand the scope of performers’ rights under copyright law to address these issues. The UK government have said that the proposal was taken seriously but will be put on hold for now.

BigTech/ Data / Platforms

Google Shopping Case Mark 2? Danish Jobindex complains to the EU Commission that Google is self-preferencing Google for Jobs in breach of competition law

…Stating that the issues are similar to the Google shopping case, Jobindex, which advertises vacancies, made the following complaints:

• Google self-preferences its own service Google for Jobs over other similar services. When a search is made, Google’s job search box appears after the sponsored links, but above the organic search results.

• This is despite the fact that (in Jobindex’s opinion) Google for Jobs service is inferior to that provided by Jobindex. Google’s search results should be ranked according to their objective relevance, but it favours its own tool over others. This breaches the principle of search neutrality, argued Jobindex.

• Some of the jobs that are listed in Google for Jobs originate from Jobindex but there is no reference to Jobindex. Recruiters pay a premium to be listed in reputable sites and should not find itself listed in Google for Jobs whose listings are not always comprised of sound employers.

Google explains that it partners with job providers to help job seekers find the right employer.

In the Google Shopping case, the EU Commission found (2017) that Google violated antitrust provision by systematically giving prominence to its own shopping comparison services over third party’s comparison shopping services. The algorithm which ranks the relevance of search results were not applied to Google’s own services. Last November, the General Court of the European Union confirmed the decision of the EU Commission.

UK to abolish cookie consent pop-ups for each and every website in the long run

…so it said in its response to the consultation on the reform of the UK data protection regime. The consultation revealed that some entities (I assume a lot of them are advertisers) were unable to collect useful information whilst users found cookie consent pop ups annoying. Currently cookies for limited purposes (where essential to provide the service, where needed to transmit communications) do not require the users’ consent. The UK suggests that cookies that enable audience measurement were non intrusive and so ought to be exempted from cookie consents. Other types of cookies which collect personal data (used particularly for ad-targeting) were more intrusive and so ought to be subject to cookie consents. 

The government concluded that in the future, it intends to move to an opt-out model of consent for cookies placed by websites. In practice, this would mean cookies could be set without seeking consent, but the website must give the web user clear information about how to opt out.

In the government response there was no mention of Google’s Privacy Sandbox, which is an alternative technology which enables advertisers to carry out measurement and tracking but at the same time protect user privacy.  It is essentially carried out by aggregating data about conversion (into clicks, purchases) and attribution (from which ad placed on which website). The EU Commission and the UK Competition Authority are examining effects of the Privacy Sandbox on competition.

There is a concern around whether any reform will result in UK losing its adequacy status with the EU, which is necessary for businesses to be able to have free flow of personal data to and from the EU.

How do cookies work?

The main purpose of a cookie is to identify users and possibly prepare customized web pages or to save information – so that when you visit the web site for the second time, it knows your preferences. Third party cookies are where information is sent not to the site you are visiting but also others eg. advertisers on that site. See: https://policies.google.com/technologies/cookies?hl=en-US

Is it OK for a government official to block someone commenting on his Facebook page? – Depends, said a US Court (Sixth Circuit)

…James Freed had a Facebook page. He subsequently became a city manager for Port Huron, Michigan. His Facebook page became too popular and so he carried out the following:

• converted his profile to a “page,” which has unlimited “followers” instead of friends
• chose “public figure” as the page category
• updated Facebook page to reflect his new title
• In the “About” section, he most recently described himself as “Daddy to Lucy, Husband to Jessie and City Manager, Chief Administrative Officer for the citizens of Port Huron, MI.”
• Listed the Port Huron website and the City’s general email and the City Hall address as contact details.
• Posted a mixture of private and public matters

Lindke didn’t approve of how Freed was handling the pandemic and started responding with criticism. Freed blocked Lindke which led him to sue Freed, claiming this blocking violated Lindke’s First Amendment rights.

The US Court sided with Freed saying that the Facebook page was operated in his personal capacity:

• Freed not duty-bound to have a Facebook page
• Facebook page did not belong to the office of city manager – It wouldn’t make sense for Freed’s successor to take over that page
• Government doesn’t employ anyone to operate the page
• No official account directed users to the Facebook page
• The office had no control over the Facebook page                                  

These facts distinguished that of the Second Circuit in Knight First Amendment Institute At Columbia University v. Trump – in that case the plaintiffs succeeded in showing that Trump had violated the First Amendment by blocking users. That Court had held that “While he is certainly not required to listen, once he opens up the interactive features of his account to the public at large he is not entitled to censor selected users because they express views with which he disagrees”

Metaverse

First ever law firm in the Metaverse and issues with it

…I was alerted by this article that a personal injury firm was first set up in the metaverse Decentraland back in December 2021. Given that those donning VR have been known to have injuries – for failing to take account of an obstacle / set of stairs in the real world, it might come across as quite apt – the article says.

Nice though the idea may be, the author talks about some of the regulatory issues that need to be considered:

• How secure will the correspondence be between the lawyer and the client?
• How do you carry out identity checks?
• Where will that data be stored?
• Can that data be deleted (right to be forgotten provided for in data protection laws in some jurisdictions, such as Europe)?

These are issues that need to be accounted for, but soon the technology should catch up to enable law firms to conduct their practice and abide by various regulatory requirements, the article concludes.

In In the Spotlight

Democrats ask US FTC to investigate Apple and Google over transforming online advertising into an “intense system of surveillance” that incentivises unrestrained collection of data from their mobile platforms – in anticipation of the overturning of Roe v Wade

…The letter was written in anticipation of Roe v Wade being overturned.

It all concerns the incorporation of unique tracking identifiers into iOS and Android for ad-targeting purposes. The unique tracking identifiers enable Apple and Google to understand what users do on their mobile phone (eg. what websites do they browse? What sort of questions to they search on Google/ Safari (which uses a Google search engine)? What do they purchase from which website? What in-app purchases do they make?)

• Apple: Until recently, Apple allowed users to opt out, but only through a complicated procedure. Apple now makes it easy for users to opt out. However because this means that third parties cannot track the user, leaving Apple only to be able to exploit the data it presents an antitrust issue (German Competition Authority presently probing). To be precise, as I understand it, users can also opt out of Apple collecting personal data too, but that option is presented to the user in a different way, as addressed in Facebook’s comment letter. Facebook says this is unfair.

• Google: Until recently, users were not able to opt out, and still currently enables tracking by default. Whilst it is possible now for users to opt out, it is a complicated process.

What do unique tracking identifiers enable?

The unique tracking identifiers are not anonymous, and can be used to identify the relevant individual – for example, it is easy to identify which residential address the identifier is associated with by looking at the location data for the identifier in the night-time. In fact, some data brokers have a dataset of unique tracking identifiers linked to personal details of the individual it represents (name, email address, address, telephone numbers etc). The letter says “Apple and Google enabled governments and private actors to exploit advertising tracking systems for their own surveillance and exposed hundreds of millions of Americans to serious privacy harms”.

What’s Roe v Wade got to do with it?

The letter notes that “Data brokers are already selling, licensing, and sharing the location information of people that visit abortion providers to anyone with a credit card. Prosecutors in states where abortion becomes illegal will soon be able to obtain warrants for location information about anyone who has visited an abortion provider. Private actors will also be incentivized by state bounty laws to hunt down women who have obtained or are seeking an abortion by accessing location information through shady data brokers”.

Are the Democrats over-reacting?

It is true that tech companies know users well very well, because they know so much about our private lives, what we do, where we visit, what we buy, what we like, what predilections they have. A high-ranking Catholic priest has in the past been outed as gay when the Catholic news media purchased commercially available location data and worked out that the priest’s phone was used to visit gay bars and private residences whilst using the gay dating up Grindr. When the department store Target used its own customer data to send targeted ads, it disclosed to a man that his teenage daughter was pregnant unbeknownst to him; the man had gone to complain to Target about bombarding his daughter with ads about baby items, apparently encouraging her to fall pregnant despite the fact she was still at high school.

When there are such incidents, it is not possible to say that Democrats’ point is farfetched. In the US, the government has the power to compel companies to turn over data under their control – which is why the top Court in the EU (CJEU) ruled that sending personal data to the US contravened GDPR. FTC has already raised the possibility that emerging technology, such as AI could incentivise surveillance. As the chances of the US government could one day adopt an autocratic regime is not nil, remote though it may seem, one can’t help thinking that it would be prudent to consider these issues to future proof citizens’ rights.

Around the world

UK’s independent legal review commissioned by the Ada Lovelace Institute concluded that technologically neutral framework is needed, so that emerging technologies can be used in a way that is that is “responsible, trustworthy and proportionate”. In that review, it advised that the use of live facial recognition which compares the biometric data to the database or records ought to be banned immediately until biometric technologies are properly regulated.

What can users do?

There are apps which offer end-to-end encryption for reproductive services such as menstrual cycle tracking. There are also VPN apps you can download to safeguard your location data. That way, users’ information will be safe, for example, were there to be a cybersecurity breach/attack, or were that state to decide to prosecute businesses that may have information on women who might have illegally obtained an abortion (because their menstrual cycle ceases and then resumes before term) to turn over data, they will be unable to do so because not such data would be within their control.