human rights

Auto Added by WPeMatico

Venture capital undermines human rights

The future of technology is determined by a handful of venture capitalists. The world’s 10 leading venture capital firms have, together, invested over $150 billion in technology startups. The venture capitalists who run these firms decide which startups today will develop the new platforms and technologies that will shape our lives tomorrow.

There is a startling lack of diversity within the venture capital sector. This means that a small group of men — mostly white men — make decisions that affect all of us. Unsurprisingly, they all too often ignore the broader societal and human rights implications of these investment decisions.

We all live in a world shaped by venture capital. As of 2019, 81% of all venture capital funds worldwide are clustered in just a handful of countries, primarily in the U.S., Europe and China, which in turn are shaping the future of technology. If you spend time on Facebook or Twitter, use Google, travel in an Uber or stay in an Airbnb, then you’ve experienced firsthand the impact of venture capital funding.

Venture capital firms, which provide equity financing for early- and growth-stage startups, play a critical gatekeeper role, deciding which new technologies and technology companies will receive funding.

Venture capital firms need to institute human rights due diligence processes that meet the standards set forth in the UN Guiding Principles on Business and Human Rights.

All businesses — including venture capital — have a responsibility to respect human rights. In order to ensure that their investments are not undermining our human rights, it is therefore critical for venture capital firms to conduct due diligence processes before making investments.

Amnesty International recently surveyed the world’s largest venture capital firms and startup accelerators. Of the world’s 10 largest venture capital firms, not a single one had an adequate human rights due diligence process that met the standards set forth in the UN Guiding Principles on Business and Human Rights.

Unfortunately, this is true of the broader venture capital sector as well. Overall, of the 50 VC firms and three startup accelerators analyzed by Amnesty International, we found that almost all of them lacked adequate human rights due diligence policies and processes.

This failure to carry out adequate due diligence means that a vast majority of VC firms are failing in their responsibility to respect human rights.

This almost complete lack of respect for human rights among the world’s largest venture capital firms has three key impacts. First, and most immediately, it means that venture capital firms invest in companies whose products and services have been implicated in ongoing human rights abuses, such as companies that provide support to the Chinese government’s repression of the Uyghur population in Xinjiang and across China.

Second, it means that venture capital firms continue to fund companies whose business models have a significant negative impact on human rights, including our privacy and labor rights. For instance, leading venture capital firms continue to support companies that rely on app-based or “gig” workers, who often face exploitative or otherwise abusive work conditions, as well as companies whose “surveillance capitalism” business model undermines our right to privacy.

Third, the lack of human rights due diligence by venture capital firms dramatically increases the risk that they fund new and “frontier” technologies without ensuring that adequate human rights safeguards are in place.

For instance, the application of increasingly powerful artificial intelligence/machine learning (AI/ML) tools across a wide variety of sectors risks amplifying existing societal biases and discrimination. Seemingly objective algorithms can be biased by reliance on incomplete or unrepresentative training data, and/or by replicating the unconscious bias of those who developed the algorithms.

This is a critical blind spot, especially as VC-funded startups seek to disrupt such fundamental parts of our lives as education, finance and health.

The negative impacts of the VC firms’ lack of human rights due diligence — especially regarding issues like algorithmic bias — are magnified by these firms’ own lack of gender and racial diversity. For instance, women comprise only 23% of venture capital investment professionals (i.e., those involved in deciding which startups to fund).

The numbers are even worse when it comes to racial diversity — just 4% of investment professionals at VC firms in the U.S. are Latinx, and only 4% are Black. Groups like Blck VC, Diversity VC and digitalundivided have been calling attention to this issue for years, but venture capitalists have been slow to respond so far.

This lack of diversity is mirrored in the gender and racial composition of founders who receive VC funding. In 2018, all-female founding teams received just 2.2% of all U.S.-based venture funding. At the same time, Black and Latinx founders received less than 2.3% of all U.S.-based venture capital funding in 2019.

With power comes responsibility. Venture capital firms need to institute human rights due diligence processes that meet the standards set forth in the UN Guiding Principles on Business and Human Rights.

Further, they should provide support to their portfolio companies to ensure that they comply with human rights standards. Venture capital firms should also publicly commit to hiring more diverse teams, especially in investment-related positions. Finally, they should publicly commit to funding more diverse startup founders as part of their flagship funds.

VC firms have a responsibility to ensure that their investments are not causing harm. A responsibility that they have, to date, largely ignored.

Powered by WPeMatico

Privacy data management innovations reduce risk, create new revenue channels

Mark Settle
Contributor

Mark Settle is a seven-time CIO, three-time CIO 100 award winner and two-time book author. His most recent book is “Truth from the Valley: A Practical Primer on IT Management for the Next Decade.”

Tomer Y. Avni
Contributor

Tomer Y. Avni is an MBA/MS student at the Harvard Business School and the Harvard School of Engineering and Applied Sciences.

Privacy data mismanagement is a lurking liability within every commercial enterprise. The very definition of privacy data is evolving over time and has been broadened to include information concerning an individual’s health, wealth, college grades, geolocation and web surfing behaviors. Regulations are proliferating at state, national and international levels that seek to define privacy data and establish controls governing its maintenance and use.

Existing regulations are relatively new and are being translated into operational business practices through a series of judicial challenges that are currently in progress, adding to the confusion regarding proper data handling procedures. In this confusing and sometimes chaotic environment, the privacy risks faced by almost every corporation are frequently ambiguous, constantly changing and continually expanding.

Conventional information security (infosec) tools are designed to prevent the inadvertent loss or intentional theft of sensitive information. They are not sufficient to prevent the mismanagement of privacy data. Privacy safeguards not only need to prevent loss or theft but they must also prevent the inappropriate exposure or unauthorized usage of such data, even when no loss or breach has occurred. A new generation of infosec tools is needed to address the unique risks associated with the management of privacy data.

The first wave of innovation

A variety of privacy-focused security tools emerged over the past few years, triggered in part by the introduction of GDPR (General Data Protection Regulation) within the European Union in 2018. New capabilities introduced by this first wave of innovation were focused in the following three areas:

Data discovery, classification and cataloging. Modern enterprises collect a wide variety of personal information from customers, business partners and employees at different times for different purposes with different IT systems. This data is frequently disseminated throughout a company’s application portfolio via APIs, collaboration tools, automation bots and wholesale replication. Maintaining an accurate catalog of the location of such data is a major challenge and a perpetual activity. BigID, DataGuise and Integris Software have gained prominence as popular solutions for data discovery. Collibra and Alation are leaders in providing complementary capabilities for data cataloging.

Consent management. Individuals are commonly presented with privacy statements describing the intended use and safeguards that will be employed in handling the personal data they supply to corporations. They consent to these statements — either explicitly or implicitly — at the time such data is initially collected. Osano, Transcend.io and DataGrail.io specialize in the management of consent agreements and the enforcement of their terms. These tools enable individuals to exercise their consensual data rights, such as the right to view, edit or delete personal information they’ve provided in the past.

Powered by WPeMatico

D-ID, the Israeli company that digitally de-identifies faces in videos and still images, raises $13.5 million

If only Facebook had been using the kind of technology that TechCrunch Startup Battlefield alumnus D-ID was pitching, it could have avoided exposing all of our faces to privacy destroying software services like Clearview AI.

At least, that’s the pitch that D-ID’s founder and chief executive, Gil Perry, makes when he’s talking about the significance of his startup’s technology.

D-ID, which stands for de-identification, is a pretty straightforward service that’s masking some highly involved and very advanced technology to blur digital images so they can’t be cross-referenced to determine someone’s identity.

It’s a technology whose moment has come as governments and private companies around the world ramp up their use of surveillance technologies as the world adjusts to a new reality in the wake of the COVID-19 epidemic.

“Governments around the world and organizations have used this new reality basically as an excuse for mass surveillance,” says Perry. His own government has used a track and trace system that monitors interactions between Israeli citizens using cell phone location data to determine whether anyone had been in contact with a person who had COVID-19.

While awareness of the issue may be increasing among consumers and regulators alike, the damage has, in many cases, already been done. Social media companies have already had their troves of images scraped by companies like Clearview AI, ClearView, HighQ and NTechLabs, and much of our personal information is already circulating online.

D-ID is undeterred. Founded by Perry and two other members of the Israeli army’s cybersecurity and offensive cyber unit, 8200, Sella Blondheim and Eliran Kuta, D-ID thinks the need for anonymizing technologies will continue to expand — thanks to new privacy legislation in Europe and certain states in the U.S. 

Meanwhile, the company is also exploring other applications for its technology. The services that D-ID uses to mask and blur faces can also be used to create deepfakes of images and video.

The market for these types of digital manipulations are still in their earliest days, according to Perry. Still, the company’s pitch managed to intrigue new lead investor AXA Ventures, which joined backers including Pitango, Y Combinator, AI Alliance, Hyundai, Omron, Maverick (U.S.) and Mindset, to participate in the company’s $13.5 million round.

D-ID already sees demand coming from automakers who want to use the technology to anonymize their driving monitoring systems — enabling them to record drivers’ reactions, but not any public identifying information. Security technologies that monitor for threats are another potential customer, according to the company. While closed circuit television monitors a physical space, it doesn’t need to collect the identifying information of people entering and exiting buildings.

“The convergence of increased surveillance and individual privacy protection places enterprises in a position where they must either anonymize their stored footage or risk violating privacy laws and face costly penalties.” said Blondheim.  

The technical wizardry that D-ID has mastered is impressive — and a necessary defensive tool to ensure privacy in the modern world, according to its founders. Consumers are demanding it, according to D-ID’s chief executive.

“Privacy awareness and the importance of privacy enhancing technologies have increased,” Perry said.

Powered by WPeMatico

UK’s NHS COVID-19 app lacks robust legal safeguards against data misuse, warns committee

A UK parliamentary committee that focuses on human rights issues has called for primary legislation to be put in place to ensure that legal protections wrap around the national coronavirus contact tracing app.

The app, called NHS COVID-19, is being fast tracked for public use — with a test ongoing this week in the Isle of Wight. It’s set to use Bluetooth Low Energy signals to log social interactions between users to try to automate some contacts tracing based on an algorithmic assessment of users’ infection risk.

The NHSX has said the app could be ready for launch within a matter of weeks but the committee says key choices related to the system architecture create huge risks for people’s rights that demand the safeguard of primary legislation.

“Assurances from Ministers about privacy are not enough. The Government has given assurances about protection of privacy so they should have no objection to those assurances being enshrined in law,” said committee chair, Harriet Harman MP, in a statement.

“The contact tracing app involves unprecedented data gathering. There must be robust legal protection for individuals about what that data will be used for, who will have access to it and how it will be safeguarded from hacking.

“Parliament was able quickly to agree to give the Government sweeping powers. It is perfectly possible for parliament to do the same for legislation to protect privacy.”

The NHSX, a digital arm of the country’s National Health Service, is in the process of testing the app — which it’s said could be launched nationally within a few weeks.

The government has opted for a system design that will centralize large amounts of social graph data when users experiencing COVID-19 symptoms (or who have had a formal diagnosis) choose to upload their proximity logs.

Earlier this week we reported on one of the committee hearings — when it took testimony from NHSX CEO Matthew Gould and the UK’s information commissioner, Elizabeth Denham, among other witnesses.

Warning now over a lack of parliamentary scrutiny — around what it describes as an unprecedented expansion of state surveillance — the committee report calls for primary legislation to ensure “necessary legal clarity and certainty as to how data gathered could be used, stored and disposed of”.

The committee also wants to see an independent body set up to carry out oversight monitoring and guard against ‘mission creep’ — a concern that’s also been raised by a number of UK privacy and security experts in an open letter late last month.

“A Digital Contact Tracing Human Rights Commissioner should be responsible for oversight and they should be able to deal with complaints from the Public and report to Parliament,” the committee suggests.

Prior to publishing its report, the committee wrote to health minister Matt Hancock, raising a full spectrum of concerns — receiving a letter in response.

In this letter, dated May 4, Hancock told it: “We do not consider that legislation is necessary in order to build and deliver the contact tracing app. It is consistent with the powers of, and duties imposed on, the Secretary of State at a time of national crisis in the interests of protecting public health.”

The committee’s view is Hancock’s ‘letter of assurance’ is not enough given the huge risks attached to the state tracking citizens’ social graph data.

“The current data protection framework is contained in a number of different documents and it is nearly impossible for the public to understand what it means for their data which may be collected by the digital contact tracing system. Government’s assurances around data protection and privacy standards will not carry any weight unless the Government is prepared to enshrine these assurances in legislation,” it writes in the report, calling for a bill that it says myst include include a number of “provisions and protections”.

Among the protections the committee is calling for are limits on who has access to data and for what purpose.

“Data held centrally may not be accessed or processed without specific statutory authorisation, for the purpose of combatting Covid-19 and provided adequate security protections are in place for any systems on which this data may be processed,” it urges.

It also wants legal protections against data reconstruction — by different pieces of data being combined “to reconstruct information about an individual”.

The report takes a very strong line — warning that no app should be released without “strong protections and guarantees” on “efficacy and proportionality”.

“Without clear efficacy and benefits of the app, the level of data being collected will be not be justifiable and it will therefore fall foul of data protection law and human rights protections,” says the committee.

The report also calls for regular reviews of the app — looking at efficacy; data safety; and “how privacy is being protected in the use of any such data”.

It also makes a blanket call for transparency, with the committee writing that the government and health authorities “must at all times be transparent about how the app, and data collected through it, is being used”.

A lack of transparency around the project was another of the concerns raised by the 177 academics who signed the open letter last month.

The government has committed to publishing data protection impact assessments for the app. But the ICO’s Denham still hadn’t had sight of this document as of this Monday.

Another call by the committee is for a time-limit to be attached to any data gathered by or generated via the app. “Any digital contact tracing (and data associated with it) must be permanently deleted when no longer required and in any event may not be kept beyond the duration of the public health emergency,” it writes.

We’ve reached out to the Department of Health and NHSX for comment on the human rights committee’s report.

Let’s go through Matt Hancock’s letter to @HarrietHarman @HumanRightsCtte on the NHSX app and take a closer look at some of these statements 1/ https://t.co/sQe2U8wkiy

— Michael Veale (@mikarv) May 7, 2020

There’s another element to this fast moving story: Yesterday the Financial Times reported that the NHSX has inked a new contract with an IT supplier which suggests it might be looking to change the app architecture — moving away from a centralized database to a decentralized system for contacts tracing. Although NHSX has not confirmed any such switch at this point.

Some other countries have reversed course in their choice of app architecture after running into technical challenges related to Bluetooth. The need to ensure public trust in the system was also cited by Germany for switching to a decentralized model.

The human rights committee report highlights a specific app efficacy issue of relevance to the UK, which it points out is also linked to these system architecture choices, noting that: “The Republic of Ireland has elected to use a decentralised app and if a centralised app is in use in Northern Ireland, there are risks that the two systems will not be interoperable which would be most unfortunate.”

Professor Lilian Edwards, a legal expert from Newcastle University, who has co-authored a draft bill proposing a set of safeguards for coronavirus apps (much of which was subsequently taken up by Australia for a legal instrument that wraps public health contact info during the coronavirus crisis) — and who also now sits as an independent advisor on an ethics committee that’s been set up for the NHSX app — welcomed the committee report.

Speaking in a personal capacity she told TechCrunch: “My team and I welcome this.”

But she flagged a couple of omissions in the report. “They have left out two of the recommendations from my bill — one of which, I totally expected; that there be no compulsion to carry a phone. Because they will just be assumed within our legal system but I don’t think it would have hurt to have said it. But ok.

“The second point — which is important — is the point about there not being compulsion to install the app or to display it. And there not being, therefore, discrimination against you if you don’t. Like not being allowed to go to your workplace is an obvious example. Or not being allowed to go to a football game when they reopen. And that’s the key point where the struggle is.”

The conflict, says Edwards, is on the one hand you could argue what’s the point of doing digital contact tracing at all if you can’t make sure people are able to receive notifications that they might be a contact. But — on the other — if you allow compulsion that then “leaves it open to be very discriminatory” — meaning people could abuse the requirement to target and exclude others from a workplace, for example.

“There are people who’ve got perfectly valid reasons to not want to have this on their phone,” Edwards added. “Particularly if it’s centralized rather than decentralized.”

She also noted that the first version of her draft coronavirus safeguards bill had allowed compulsion re: having the app on the phone but required it to be balanced by a proportionality analysis — meaning any such compulsion must be “proportionate to a legitimate aim”.

But after Australia opted for zero compulsion in its legal instrument she said she and her team decided to revise their bill to also strike out the provision entirely.

Edwards suggested the human rights committee may not have included this particular provision in their recommendations because parliamentary committees are only able to comment on evidence they receive during an inquiry. “So I don’t think it would have been in their remit to recommend on that,” she noted, adding: “It isn’t actually an indication that they’re not interested in these concepts; it’s just procedure I think.”

She also highlighted the issues of so-called ‘immunity passports’ — something the government has reportedly been in discussions with startups about building as part of its digital coronavirus response, but which the committee report also does not touch on.

However, without full clarity on the government’s evolving plans for its digital coronavirus response, and with, inevitably, a high degree of change and flux amid a public health emergency situation, it’s clearly difficult for committees to interrogate so many fast moving pieces.

“The select committees have actually done really, really well,” added Edwards. “But it just shows how the ground has shifted so much in a week.”

This report was updated with additional comment

Powered by WPeMatico

An EU coalition of techies is backing a ‘privacy-preserving’ standard for COVID-19 contacts tracing

A European coalition of techies and scientists drawn from at least eight countries, and led by Germany’s Fraunhofer Heinrich Hertz Institute for telecoms (HHI), is working on contacts-tracing proximity technology for COVID-19 that’s designed to comply with the region’s strict privacy rules — officially unveiling the effort today.

China-style individual-level location-tracking of people by states via their smartphones even for a public health purpose is hard to imagine in Europe — which has a long history of legal protection for individual privacy. However the coronavirus pandemic is applying pressure to the region’s data protection model, as governments turn to data and mobile technologies to seek help with tracking the spread of the virus, supporting their public health response and mitigating wider social and economic impacts.

Scores of apps are popping up across Europe aimed at attacking coronavirus from different angles. European privacy not-for-profit, noyb, is keeping an updated list of approaches, both led by governments and private sector projects, to use personal data to combat SARS-CoV-2 — with examples so far including contacts tracing, lockdown or quarantine enforcement and COVID-19 self-assessment.

The efficacy of such apps is unclear — but the demand for tech and data to fuel such efforts is coming from all over the place.

In the UK the government has been quick to call in tech giants, including Google, Microsoft and Palantir, to help the National Health Service determine where resources need to be sent during the pandemic. While the European Commission has been leaning on regional telcos to hand over user location data to carry out coronavirus tracking — albeit in aggregated and anonymized form.

The newly unveiled Pan-European Privacy-Preserving Proximity Tracing (PEPP-PT) project is a response to the coronavirus pandemic generating a huge spike in demand for citizens’ data that’s intended to offer not just an another app — but what’s described as “a fully privacy-preserving approach” to COVID-19 contacts tracing.

The core idea is to leverage smartphone technology to help disrupt the next wave of infections by notifying individuals who have come into close contact with an infected person — via the proxy of their smartphones having been near enough to carry out a Bluetooth handshake. So far so standard. But the coalition behind the effort wants to steer developments in such a way that the EU response to COVID-19 doesn’t drift towards China-style state surveillance of citizens.

While, for the moment, strict quarantine measures remain in place across much of Europe there may be less imperative for governments to rip up the best practice rulebook to intrude on citizens’ privacy, given the majority of people are locked down at home. But the looming question is what happens when restrictions on daily life are lifted?

Contacts tracing — as a way to offer a chance for interventions that can break any new infection chains — is being touted as a key component of preventing a second wave of coronavirus infections by some, with examples such as Singapore’s TraceTogether app being eyed up by regional lawmakers.

Singapore does appear to have had some success in keeping a second wave of infections from turning into a major outbreak, via an aggressive testing and contacts-tracing regime. But what a small island city-state with a population of less than 6M can do vs a trading bloc of 27 different nations whose collective population exceeds 500M doesn’t necessarily seem immediately comparable.

Europe isn’t going to have a single coronavirus tracing app. It’s already got a patchwork. Hence the people behind PEPP-PT offering a set of “standards, technology, and services” to countries and developers to plug into to get a standardized COVID-19 contacts-tracing approach up and running across the bloc.

The other very European flavored piece here is privacy — and privacy law. “Enforcement of data protection, anonymization, GDPR [the EU’s General Data Protection Regulation] compliance, and security” are baked in, is the top-line claim.

“PEPP-PR was explicitly created to adhere to strong European privacy and data protection laws and principles,” the group writes in an online manifesto. “The idea is to make the technology available to as many countries, managers of infectious disease responses, and developers as quickly and as easily as possible.

“The technical mechanisms and standards provided by PEPP-PT fully protect privacy and leverage the possibilities and features of digital technology to maximize speed and real-time capability of any national pandemic response.”

Hans-Christian Boos, one of the project’s co-initiators — and the founder of an AI company called Arago –discussed the initiative with German newspaper Der Spiegel, telling it: “We collect no location data, no movement profiles, no contact information and no identifiable features of the end devices.”

The newspaper reports PEPP-PT’s approach means apps aligning to this standard would generate only temporary IDs — to avoid individuals being identified. Two or more smartphones running an app that uses the tech and has Bluetooth enabled when they come into proximity would exchange their respective IDs — saving them locally on the device in an encrypted form, according to the report.

Der Spiegel writes that should a user of the app subsequently be diagnosed with coronavirus their doctor would be able to ask them to transfer the contact list to a central server. The doctor would then be able to use the system to warn affected IDs they have had contact with a person who has since been diagnosed with the virus — meaning those at risk individuals could be proactively tested and/or self-isolate.

On its website PEPP-PT explains the approach thus:

Mode 1
If a user is not tested or has tested negative, the anonymous proximity history remains encrypted on the user’s phone and cannot be viewed or transmitted by anybody. At any point in time, only the proximity history that could be relevant for virus transmission is saved, and earlier history is continuously deleted.

Mode 2
If the user of phone A has been confirmed to be SARS-CoV-2 positive, the health authorities will contact user A and provide a TAN code to the user that ensures potential malware cannot inject incorrect infection information into the PEPP-PT system. The user uses this TAN code to voluntarily provide information to the national trust service that permits the notification of PEPP-PT apps recorded in the proximity history and hence potentially infected. Since this history contains anonymous identifiers, neither person can be aware of the other’s identity.

Providing further detail of what it envisages as “Country-dependent trust service operation”, it writes: “The anonymous IDs contain encrypted mechanisms to identify the country of each app that uses PEPP-PT. Using that information, anonymous IDs are handled in a country-specific manner.”

While on healthcare processing is suggests: “A process for how to inform and manage exposed contacts can be defined on a country by country basis.”

Among the other features of PEPP-PT’s mechanisms the group lists in its manifesto are:

  • Backend architecture and technology that can be deployed into local IT infrastructure and can handle hundreds of millions of devices and users per country instantly.
  • Managing the partner network of national initiatives and providing APIs for integration of PEPP-PT features and functionalities into national health processes (test, communication, …) and national system processes (health logistics, economy logistics, …) giving many local initiatives a local backbone architecture that enforces GDPR and ensures scalability.
  • Certification Service to test and approve local implementations to be using the PEPP-PT mechanisms as advertised and thus inheriting the privacy and security testing and approval PEPP-PT mechanisms offer.

Having a standardized approach that could be plugged into a variety of apps would allow for contacts tracing to work across borders — i.e. even if different apps are popular in different EU countries — an important consideration for the bloc, which has 27 Member States.

However there may be questions about the robustness of the privacy protection designed into the approach — if, for example, pseudonymized data is centralized on a server that doctors can access there could be a risk of it leaking and being re-identified. And identification of individual device holders would be legally risky.

Europe’s lead data regulator, the EDPS, recently made a point of tweeting to warn an MEP (and former EC digital commissioner) against the legality of applying Singapore-style Bluetooth-powered contacts tracing in the EU — writing: “Please be cautious comparing Singapore examples with European situation. Remember Singapore has a very specific legal regime on identification of device holder.”

Dear Mr. Commissioner, please be cautious comparing Singapoore examples with European situation. Remember Singapore has a very specific legal regime on identification of device holder.

— Wojtek Wiewiorowski (@W_Wiewiorowski) March 27, 2020

A spokesman for the EDPS told us it’s in contact with data protection agencies of the Member States involved in the PEPP-PT project to collect “relevant information”.

“The general principles presented by EDPB on 20 March, and by EDPS on 24 March are still relevant in that context,” the spokesman added — referring to guidance issued by the privacy regulators last month in which they encouraged anonymization and aggregation should Member States want to use mobile location data for monitoring, containing or mitigating the spread of COVID-19. At least in the first instance.

“When it is not possible to only process anonymous data, the ePrivacy Directive enables Member States to introduce legislative measures to safeguard public security (Art. 15),” the EDPB further noted.

“If measures allowing for the processing of non-anonymised location data are introduced, a Member State is obliged to put in place adequate safeguards, such as providing individuals of electronic communication services the right to a judicial remedy.”

We reached out to the HHI with questions about the PEPP-PT project and were referred to Boos — but at the time of writing had been unable to speak to him.

“The PEPP-PT system is being created by a multi-national European team,” the HHI writes in a press release about the effort. “It is an anonymous and privacy-preserving digital contact tracing approach, which is in full compliance with GDPR and can also be used when traveling between countries through an anonymous multi-country exchange mechanism. No personal data, no location, no Mac-Id of any user is stored or transmitted. PEPP-PT is designed to be incorporated in national corona mobile phone apps as a contact tracing functionality and allows for the integration into the processes of national health services. The solution is offered to be shared openly with any country, given the commitment to achieve interoperability so that the anonymous multi-country exchange mechanism remains functional.”

“PEPP-PT’s international team consists of more than 130 members working across more than seven European countries and includes scientists, technologists, and experts from well-known research institutions and companies,” it adds.

“The result of the team’s work will be owned by a non-profit organization so that the technology and standards are available to all. Our priorities are the well being of world citizens today and the development of tools to limit the impact of future pandemics — all while conforming to European norms and standards.”

The PEPP-PT says its technology-focused efforts are being financed through donations. Per its website, it says it’s adopted the WHO standards for such financing — to “avoid any external influence”.

Of course for the effort to be useful it relies on EU citizens voluntarily downloading one of the aligned contacts tracing apps — and carrying their smartphone everywhere they go, with Bluetooth enabled.

Without substantial penetration of regional smartphones it’s questionable how much of an impact this initiative, or any contacts tracing technology, could have. Although if such tech were able to break even some infection chains people might argue it’s not wasted effort.

Notably, there are signs Europeans are willing to contribute to a public healthcare cause by doing their bit digitally — such as a self-reporting COVID-19 tracking app which last week racked up 750,000 downloads in the UK in 24 hours.

But, at the same time, contacts tracing apps are facing scepticism over their ability to contribute to the fight against COVID-19. Not everyone carries a smartphone, nor knows how to download an app, for instance. There’s plenty of people who would fall outside such a digital net.

Meanwhile, while there’s clearly been a big scramble across the region, at both government and grassroots level, to mobilize digital technology for a public health emergency cause there’s arguably greater imperative to direct effort and resources at scaling up coronavirus testing programs — an area where most European countries continue to lag.

Germany — where some of the key backers of the PEPP-PT are from — being the most notable exception.

Powered by WPeMatico

MIT is reviewing its relationship with AI startup SenseTime, one of the Chinese tech firms blacklisted by the US

The Massachusetts Institute of Technology said it is reviewing the university’s relationship with SenseTime, one of eight Chinese tech companies placed on the U.S. Entity List yesterday for their alleged role in human rights abuses against Muslim minority groups in China.

An MIT spokesperson told Bloomberg that “MIT has long had a robust export controls function that pays careful attention to export control regulations and compliance. MIT will review all existing relationships with organizations added to the U.S. Department of Commerce’s Entity List, and modify any interactions, as necessary.”

A SenseTime representative told Bloomberg, “We are deeply disappointed with this decision by the U.S. Department of Commerce. We will work closely with all relevant authorities to fully understand and resolve the situation.”

The companies placed on the blacklist included several of China’s top AI startups and companies that have supplied software to mass surveillance systems that may have been used by the Chinese government to persecute Uighurs and other Muslim minority groups.

Over one million Uighurs are believed to currently be held in detention camps, where human rights observers report they have been subjected to forced labor and torture.

SenseTime, the world’s mostly highly valued AI startup, provided software to the Chinese government for its national surveillance system, including CCTV cameras. It was the first company to join an MIT Intelligence Quest initiative launched last year with the goal of “driv[ing] technological breakthroughs in AI that have the potential to confront some of the world’s greatest challenges.” Since then, it has provided funding for 27 projects by MIT researchers.

Earlier this year, MIT ended its working relationships with Huawei and ZTE over alleged sanction violations.

Powered by WPeMatico

Osano makes business risk and compliance (somewhat) sexy again

A new startup is clearing the way for other companies to better monitor and manage their risk and compliance with privacy laws.

Osano, an Austin, Texas-based startup, bills itself as a privacy platform startup, which uses a software-as-a-service solution to give businesses real-time visibility into their current privacy and compliance posture. On one hand, that helps startups and enterprises large and small insight into whether or not they’re complying with global or state privacy laws, and manage risk factors associated with their business such as when partner or vendor privacy policies change.

The company launched its privacy platform at Disrupt SF on the Startup Battlefield stage.

Risk and compliance is typically a fusty, boring and frankly unsexy topic. But with ever-changing legal landscapes and constantly moving requirements, it’s hard to keep up. Although Europe’s GDPR has been around for a year, it’s still causing headaches. And stateside, the California Consumer Privacy Act is about to kick in and it is terrifying large companies for fear they can’t comply with it.

Osano mixes tech with its legal chops to help companies, particularly smaller startups without their own legal support, to provide a one-stop shop for businesses to get insight, advice and guidance.

“We believe that any time a company does a better job with transparency and data protection, we think that’s a really good thing for the internet,” the company’s founder Arlo Gilbert told TechCrunch.

Gilbert, along with his co-founder and chief technology officer Scott Hertel, have built their company’s software-as-a-service solution with several components in mind, including maintaining its scorecard of 6,000 vendors and their privacy practices to objectively grade how a company fares, as well as monitoring vendor privacy policies to spot changes as soon as they are made.

One of its standout features is allowing its corporate customers to comply with dozens of privacy laws across the world with a single line of code.

You’ve seen them before: The “consent” popups that ask (or demand) you to allow cookies or you can’t come in. Osano’s consent management lets companies install a dynamic consent management in just five minutes, which delivers the right consent message to the right people in the best language. Using the blockchain, the company says it can record and provide searchable and cryptographically verifiable proof-of-consent in the event of a person’s data access request.


“There are 40 countries with cookie and data privacy laws that require consent,” said Gilbert. “Each of them has nuances about what they consider to be consent: what you have to tell them; what you have to offer them; when you have to do it.”

Osano also has an office in Dublin, Ireland, allowing its corporate customers to say it has a physical representative in the European Union — a requirement for companies that have to comply with GDPR.

And, for corporate customers with questions, they can dial-an-expert from Osano’s outsourced and freelance team of attorneys and privacy experts to help break down complex questions into bitesize answers.

Or as Gilbert calls it, “Uber, but for lawyers.”

The concept seems novel but it’s not restricted to GDPR or California’s upcoming law. The company says it monitors international, federal and state legislatures for new laws and changes to existing privacy legislation to alert customers of upcoming changes and requirements that might affect their business.

In other words, plug in a new law or two and Osano’s customers are as good as covered.

Osano is still in its pre-seed stage. But while the company is focusing on its product, it’s not thinking too much about money.

“We’re planning to kind of go the binary outcome — go big or go home,” said Gilbert, with his eye on the small- to medium-sized enterprise. “It’s greenfield right now. There’s really nobody doing what we’re doing.”

The plan is to take on enough funding to own the market, and then focus on turning a profit. So much so, Gilbert said, that the company is registered as a B Corporation, a more socially conscious and less profit-driven approach of corporate structure, allowing it to generate profits while maintaining its social vision.

The company’s idea is strong; its corporate structure seems mindful. But is it enough of an enticement for fellow startups and small businesses? It’s either dominate the market or bust, and only time will tell.

Powered by WPeMatico

No technical reason to exclude Huawei as 5G supplier, says UK committee

A UK parliamentary committee has concluded there are no technical grounds for excluding Chinese network kit vendor Huawei from the country’s 5G networks.

In a letter from the chair of the Science & Technology Committee to the UK’s digital minister Jeremy Wright, the committee says: “We have found no evidence from our work to suggest that the complete exclusion of Huawei from the UK’s telecommunications networks would, from a technical point of view, constitute a proportionate response to the potential security threat posed by foreign suppliers.”

Though the committee does go on to recommend the government mandate the exclusion of Huawei from the core of 5G networks, noting that UK mobile network operators have “mostly” done so already — but on a voluntary basis.

If it places a formal requirement on operators not to use Huawei for core supply the committee urges the government to provide “clear criteria” for the exclusion so that it could be applied to other suppliers in future.

Reached for a response to the recommendations, a government spokesperson told us: “The security and resilience of the UK’s telecoms networks is of paramount importance. We have robust procedures in place to manage risks to national security and are committed to the highest possible security standards.”

The spokesperson for the Department for Digital, Media, Culture and Sport added: “The Telecoms Supply Chain Review will be announced in due course. We have been clear throughout the process that all network operators will need to comply with the Government’s decision.”

In recent years the US administration has been putting pressure on allies around the world to entirely exclude Huawei from 5G networks — claiming the Chinese company poses a national security risk.

Australia announced it was banning Huawei and another Chinese vendor ZTE from providing kit for its 5G networks last year. Though in Europe there has not been a rush to follow the US lead and slam the door on Chinese tech giants.

In April leaked information from a UK Cabinet meeting suggested the government had settled on a policy of granting Huawei access as a supplier for some non-core parts of domestic 5G networks, while requiring they be excluded from supplying components for use in network cores.

On this somewhat fuzzy issue of delineating core vs non-core elements of 5G networks, the committee writes that it “heard unanimously and clearly” from witnesses that there will still be a distinction between the two in the next-gen networks.

It also cites testimony by the technical director of the UK’s National Cyber Security Centre (NCSC), Dr Ian Levy, who told it “geography matters in 5G”, and pointed out Australia and the UK have very different “laydowns” — meaning “we may have exactly the same technical understanding, but come to very different conclusions”.

In a response statement to the committee’s letter, Huawei SVP Victor Zhang welcomed the committee’s “key conclusion” before going on to take a thinly veiled swiped at the US — writing: “We are reassured that the UK, unlike others, is taking an evidence based approach to network security. Huawei complies with the laws and regulations in all the markets where we operate.”

The committee’s assessment is not all comfortable reading for Huawei, though, with the letter also flagging the damning conclusions of the most recent Huawei Oversight Board report which found “serious and systematic defects” in its software engineering and cyber security competence — and urging the government to monitor Huawei’s response to the raised security concerns, and to “be prepared to act to restrict the use of Huawei equipment if progress is unsatisfactory”.

Huawei has previously pledged to spend $2BN addressing security shortcomings related to its UK business — a figure it was forced to qualify as an “initial budget” after that same Oversight Board report.

“It is clear that Huawei must improve the standard of its cybersecurity,” the committee warns.

It also suggests the government consults on whether telecoms regulator Ofcom needs stronger powers to be able to force network suppliers to clean up their security act, writing that: “While it is reassuring to hear that network operators share this point of view and are ready to use commercial pressure to encourage this, there is currently limited regulatory power to enforce this.”

Another committee recommendation is for the NCSC to be consulted on whether similar security evaluation mechanisms should be established for other 5G vendors — such as Ericsson and Nokia: Two European based kit vendors which, unlike Huawei, are expected to be supplying core 5G.

“It is worth noting that an assurance system comparable to the Huawei Cyber Security Evaluation Centre does not exist for other vendors. The shortcomings in Huawei’s cyber security reported by the Centre cannot therefore be directly compared to the cyber security of other vendors,” it notes.

On the issue of 5G security generally the committee dubs this “critical”, adding that “all steps must be taken to ensure that the risks are as low as reasonably possible”.

Where “essential services” that make use of 5G networks are concerned, the committee says witnesses were clear such services must be able to continue to operate safely even if the network connection is disrupted. Government must ensure measures are put in place to safeguard operation in the event of cyber attacks, floods, power cuts and other comparable events, it adds. 

While the committee concludes there is no technical reason to limit Huawei’s access to UK 5G, the letter does make a point of highlighting other considerations, most notably human rights abuses, emphasizing its conclusion does not factor them in at all — and pointing out: “There may well be geopolitical or ethical grounds… to enact a ban on Huawei’s equipment”.

It adds that Huawei’s global cyber security and privacy officer, John Suffolk, confirmed that a third party had supplied Huawei services to Xinjiang’s Public Security Bureau, despite Huawei forbidding its own employees from misusing IT and comms tech to carry out surveillance of users.

The committee suggests Huawei technology may therefore be being used to “permit the appalling treatment of Muslims in Western China”.

Powered by WPeMatico

As FTC cracks down, data ethics is now a strategic business weapon

Daniel Wu
Contributor

Dan Wu is a privacy counsel and legal engineer at Immuta. He holds a JD from Harvard University, and is a PhD candidate for Social Policy and Sociology at The Harvard Kennedy School.

Five billion dollars. That’s the apparent size of Facebook’s latest fine for violating data privacy. 

While many believe the sum is simply a slap on the wrist for a behemoth like Facebook, it’s still the largest amount the Federal Trade Commission has ever levied on a technology company. 

Facebook is clearly still reeling from Cambridge Analytica, after which trust in the company dropped 51%, searches for “delete Facebook” reached 5-year highs, and Facebook’s stock dropped 20%.

While incumbents like Facebook are struggling with their data, startups in highly-regulated, “Third Wave” industries can take advantage by using a data strategy one would least expect: ethics. Beyond complying with regulations, startups that embrace ethics look out for their customers’ best interests, cultivate long-term trust — and avoid billion dollar fines. 

To weave ethics into the very fabric of their business strategies and tech systems, startups should adopt “agile” data governance systems. Often combining law and technology, these systems will become a key weapon of data-centric Third Wave startups to beat incumbents in their field. 

Established, highly-regulated incumbents often use slow and unsystematic data compliance workflows, operated manually by armies of lawyers and technology personnel. Agile data governance systems, in contrast, simplify both these workflows and the use of cutting-edge privacy tools, allowing resource-poor startups both to protect their customers better and to improve their services.

In fact, 47% of customers are willing to switch to startups that protect their sensitive data better. Yet 80% of customers highly value more convenience and better service. 

By using agile data governance, startups can balance protection and improvement. Ultimately, they gain a strategic advantage by obtaining more data, cultivating more loyalty, and being more resilient to inevitable data mishaps. 

Agile data governance helps startups obtain more data — and create more value 

With agile data governance, startups can address their critical weakness: data scarcity. Customers share more data with startups that make data collection a feature, not a burdensome part of the user experience. Agile data governance systems simplify compliance with this data practice. 

Take Ally Bank, which the Ponemon Institute rated as one of the most privacy-protecting banks. In 2017, Ally’s deposits base grew 16%, while those of incumbents declined 4%.

One key principle to its ethical data strategy: minimizing data collection and use. Ally’s customers obtain services through a personalized website, rarely filling out long surveys. When data is requested, it’s done in small doses on the site — and always results in immediate value, such as viewing transactions. 

This is on purpose. Ally’s Chief Marketing Officer publicly calls the industry-mantra of “more data” dangerous to brands and consumers alike.

A critical tool to minimize data use is to use advanced data privacy tools like differential privacy. A favorite of organizations like Apple, differential privacy limits your data analysts’ access to summaries of data, such as averages. And by injecting noise into those summaries, differential privacy creates provable guarantees of privacy and prevents scenarios where malicious parties can reverse-engineer sensitive data. But because differential privacy uses summaries, instead of completely masking the data, companies can still draw meaning from it and improve their services. 

With tools like differential privacy, organizations move beyond governance patterns where data analysts either gain unrestricted access to sensitive data (think: Uber’s controversial “god view”) or face multiple barriers to data access. Instead, startups can use differential privacy to share and pool data safely, helping them overcome data scarcity. The most agile data governance systems allow startups to use differential privacy without code and the large engineering teams that only incumbents can afford.

Ultimately, better data means better predictions — and happier customers.

Agile data governance cultivates customer loyalty

According to Deloitte, 80% of consumers are more loyal to companies they believe protect their data. Yet far fewer leaders at established, incumbent companies — the respondents of the same survey — believed this to be true. Customers care more about their data than the leaders at incumbent companies think. 

This knowledge gap is an opportunity for startups. 

Furthermore, big enterprise companies — themselves customers of many startups — say data compliance risks prevent them from working with startups. And rightly so. Over 80% of data incidents are actually caused by errors from insiders, like third party vendors who mishandle sensitive data by sharing it with inappropriate parties. Yet over 68% of companies do not have good systems to prevent these types of errors. In fact, Facebook’s Cambridge Analytica firestorm — and resulting $5 billion fine — was sparked by third party inappropriately sharing personal data with a political consulting firm without user consent. 

As a result, many companies — both startups and incumbents — are holding a ticking time bomb of customer attrition. 

Agile data governance defuses these risks by simplifying the ethical data practices of understanding, controlling, and monitoring data at all times. With such practices, startups can prevent and correct the mishandling of sensitive data quickly.

Cognoa is a good example of a Third Wave healthcare startup adopting these three practices at a rapid pace. First, it understands where all of its sensitive health data lies by connecting all of its databases. Second, Cognoa can control all connected data sources at once from one point by using a single access-and-control layer, as opposed to relying on data silos. When this happens, employees and third parties can only access and share the sensitive data sources they’re supposed to. Finally, data queries are always monitored, allowing Cognoa to produce audit reports frequently and catch problems before they escalate out of control. 

With tools that simplify these three practices, even low-resourced startups can make sure sensitive data is tightly controlled at all times to prevent data incidents. Because key workflows are simplified, these same startups can maintain the speed of their data analytics by sharing data safely with the right parties. With better and safer data sharing across functions, startups can develop the insight necessary to cultivate a loyal fan base for the long-term.

Agile data governance can help startups survive inevitable data incidents

In 2018, Panera mistakenly shared 37 million customer records on its website and took 8 months to respond. Panera’s data incident is a taste of what’s to come: Gartner predicts that 50% of business ethics violations will stem from data incidents like these. In the era of “Big Data,” billion dollar incumbents without agile data governance will likely continue to violate data ethics. 

Given the inevitability of such incidents, startups that adopt agile data governance will likely be the most resilient companies of the future. 

Case in point: Harvard Business Review reports that the stock prices of companies without strong data governance practices drop 150% more than companies that do adopt strong practices. Despite this difference, only 10% of Fortune 500 companies actually employ the data transparency principle identified in the report. Practices include clearly disclosing data practices and giving users control over their privacy settings. 

Sure, data incidents are becoming more common. But that doesn’t mean startups don’t suffer from them. In fact, up to 60% of startups fold after a cyber attack. 

Startups can learn from WebMD, which Deloitte named as one standout in applying data transparency. With a readable privacy policy, customers know how data will be used, helping customers feel comfortable about sharing their data. More informed about the company’s practices, customers are surprised less by incidents. Surprises, BCG found, can reduce consumer spending by one-third. On a self-service platform on WebMD’s site, customers can control their privacy settings and how to share their data, further cultivating trust. 

Self-service tools like WebMD’s are part of agile data governance. These tools allow startups to simplify manual processes, like responding to customer requests to control their data. Instead, startups can focus on safely delivering value to their customers. 

Get ahead of the curve

For so long, the public seemed to care less about their data. 

That’s changing. Senior executives at major companies have been publicly interrogated for not taking data governance seriously. Some, like Facebook and Apple, are even claiming to lead with privacy. Ultimately, data privacy risks significantly rise in Third Wave industries where errors can alter access to key basic needs, such as healthcare, housing, and transportation.

While many incumbents have well-resourced legal and compliance departments, agile data governance goes beyond the “risk mitigation” missions of those functions. Agile governance means that time-consuming and error-prone workflows are streamlined so that companies serve their customers more quickly and safely.

Case in point: even after being advised by an army of lawyers, Zuckerberg’s 30,000-word Senate testimony about Cambridge Analytica included “ethics” only once, and it excluded “data governance” completely.

And even if companies do have legal departments, most don’t make their commitment to governance clear. Less than 15% of consumers say they know which companies protect their data the best. Startups can take advantage of this knowledge gap by adopting agile data governance and educate their customers about how to protect themselves in the risky world of the Third Wave.

Some incumbents may always be safe. But those in highly-regulated Third Wave industries, such as automotive, healthcare, and telecom should be worried; customers trust these incumbents the least. Startups that adopt agile data governance, however, will be trusted the most, and the time to act is now. 

Powered by WPeMatico

OneTrust raises $200M at a $1.3B valuation to help organizations navigate online privacy rules

GDPR, and the newer California Consumer Privacy Act, have given a legal bite to ongoing developments in online privacy and data protection: it’s always good practice for companies with an online presence to take measures to safeguard people’s data, but now failing to do so can land them in some serious hot water.

Now — to underscore the urgency and demand in the market — one of the bigger companies helping organizations navigate those rules is announcing a huge round of funding. OneTrust, which builds tools to help companies navigate data protection and privacy policies both internally and with its customers, has raised $200 million in a Series A led by Insight that values the company at $1.3 billion.

It’s an outsized round for a Series A, being made at an equally outsized valuation — especially considering that the company is only three years old — but that’s because of the wide-ranging nature of the issue, according to CEO Kabir Barday, and OneTrust’s early moves and subsequent pole position in tackling it.

“We’re talking about an operational overhaul in a company’s practices,” Barday said in an interview. “That requires the right technology and reach to be able to deliver that at a low cost.” Notably, he said that OneTrust wasn’t actually in search of funding — it’s already generating revenue and could have grown off its own balance sheet — although he noted that having the capitalization and backing sends a signal to the market and in particular to larger organizations of its stability and staying power.

Currently, OneTrust has around 3,000 customers across 100 countries (and 1,000 employees), and the plan will be to continue to expand its reach geographically and to more businesses. Funding will also go toward the company’s technology: it already has 50 patents filed and another 50 applications in progress, securing its own IP in the area of privacy protection.

OneTrust offers technology and services covering three different aspects of data protection and privacy management.

Its Privacy Management Software helps an organization manage how it collects data, and it generates compliance reports in line with how a site is working relative to different jurisdictions. Then there is the famous (or infamous) service that lets internet users set their preferences for how they want their data to be handled on different sites. The third is a larger database and risk management platform that assesses how various third-party services (for example advertising providers) work on a site and where they might pose data protection risks.

These are all provided either as a cloud-based software as a service, or an on-premises solution, depending on the customer in question.

The startup also has an interesting backstory that sheds some light on how it was founded and how it identified the gap in the market relatively early.

Alan Dabbiere, who is the co-chairman of OneTrust, had been the chairman of Airwatch — the mobile device management company acquired by VMware in 2014 (Airwatch’s CEO and founder, John Marshall, is OneTrust’s other co-chairman). In an interview, he told me that it was when they were at Airwatch — where Barday had worked across consulting, integration, engineering and product management — that they began to see just how a smartphone “could be a quagmire of privacy issues.”

“We could capture apps that an employee was using so that we could show them to IT to mitigate security risks,” he said, “but that actually presented a big privacy issue. If [the employee] has dyslexia [and uses a special app for it] or if the employee used a dating app, you’ve now shown things to IT that you shouldn’t have.”

He admitted that in the first version of the software, “we weren’t even thinking about whether that was inappropriate, but then we quickly realised that we needed to be thinking about privacy.”

Dabbiere said that it was Barday who first brought that sensibility to light, and “that is something that we have evolved from.” After that, and after the VMware sale, it seemed a no-brainer that he and Marshall would come on to help the new startup grow.

Airwatch made a relatively quick exit, I pointed out. His response: the plan is to stay the course at OneTrust, with a lot more room for expansion in this market. He describes the issues of data protection and privacy as “death by 1,000 cuts.” I guess when you think about it from an enterprising point of view, that essentially presents 1,000 business opportunities.

Indeed, there is obvious growth potential to expand not just its funnel of customers, but to add more services, such as proactive detection of malware that might leak customers’ data (which calls to mind the recently fined breach at British Airways), as well as tools to help stop that once identified.

While there are a million other companies also looking to fix those problems today, what’s interesting is the point from which OneTrust is starting: by providing tools to organizations simply to help them operate in the current regulatory climate as good citizens of the online world.

This is what caught Insight’s eye with this investment.

“OneTrust has truly established themselves as leaders in this space in a very short time frame, and are quickly becoming for privacy professionals what Salesforce became for salespeople,” said Richard Wells of Insight. “They offer such a vast range of modules and tools to help customers keep their businesses compliant with varying regulatory laws, and the tailwinds around GDPR and the upcoming CCPA make this an opportune time for growth. Their leadership team is unparalleled in their ambition and has proven their ability to convert those ambitions into reality.”

Wells added that while this is a big round for a Series A it’s because it is something of an outlier — not a mark of how Series A rounds will go soon.

“Investors will always be interested in and keen to partner with companies that are providing real solutions, are already established and are led by a strong group of entrepreneurs,” he said in an interview. “This is a company that has the expertise to help solve for what could be one of the greatest challenges of the next decade. That’s the company investors want to partner with and grow, regardless of fund timing.”

Powered by WPeMatico