Privacy in the Workplace Metaverse of Madness

Anonymous | July 7, 2022

[Image: Two people with augmented reality headsets collaborating on an architectural design]

The privacy implications of the metaverse in the workplace must be thoroughly understood and addressed before it becomes our new reality.

What is the Metaverse?

First coined by Neal Stephenson in his novel Snow Crash, the metaverse was a virtual reality escape for those living in a dystopian society, whose physical representations were replaced by avatars.

What was once just an idea based in science fiction is now becoming a virtual reality. Across the professional landscape, rather than promoting it as an escape from reality, as seen in the immensely popular game VRChat, technology companies are racing to infiltrate the corporate world with promises of efficiency never seen before and innovative collaboration experiences.

Paving the Way for Remote Work

According to Ladders, “25% of all professional jobs in North America will be remote by end of next year”.

The COVID-19 pandemic has forced employers to reconsider which roles in their companies need to be in person. It has also precipitated what is referred to as the Great Resignation – employees taking a step back to reassess what is important in life and making drastic career decisions as a result. This shift to remote work is forcing companies to get creative in how they can optimize the experience while also ensuring accountability. It’s no surprise that the metaverse fits nicely into this equation.

Whose metaverse pool will you be swimming in? Will you dip your toe in the water with augmented reality? Or will you dive head first into an immersive virtual reality? The choice may depend on your employer, several of whom have already created the Metaverse Standards Forum.

Privacy Implications

Regardless of how immersive the experience is, be it a pair of glasses worn around the office to facilitate virtual collaboration or a headset you wear while in your pajamas on the couch, they all share similar implications when it comes to your privacy. Shoulder surfing may be a thing of the past as employers will get a front-row view of your experience.

[Image: Shoulder surfing with one person at their computer and another watching over their shoulder]

The metaverse implementations and policies are still evolving, but we can look to Meta’s Horizon Workrooms as an example of how companies may address privacy concerns going forward. Horizon Workrooms leverages the Meta Quest headset to provide companies with the ability for their workers to collaborate with each other in a virtual reality environment.

[Image: Horizon Workrooms, with 4 people in a virtual environment seated around a desk]

If we overlay Solove’s Taxonomy of Privacy on top of the Quest’s privacy policy, we can get a better understanding of the true scope of impact for the risks to individual privacy that will need to be balanced with the increase in collaboration and accessibility.

In this virtual workroom, the employee, and those they interact with, are under constant surveillance in a way that could not be practically implemented in years past. Cameras already exist in the workplace but are limited in the level of detail they capture. The Quest collects additional data points not regularly seen in privacy policies, including physical features, how the subject moves in a physical space, and detailed speech. The observed and recorded dimensions of personal privacy have expanded beyond observations from an imperfect third-person perspective to a high-quality first-person one. Layering artificial intelligence on top of this data, aggregated with both quantitative and qualitative output of employees, can be enticing to efficiency-obsessed employers.

Given the sensitive nature of the data, captured at a level of detail not possible in years past, this information could be valuable not just to the company in its never-ending effort to increase profits via employee efficiency, but could also serve as a foundation for psychological analysis and behavior research. It also poses a serious security risk from nefarious individuals or organizations seeking to gain a competitive advantage or compromising material.

The Quest’s privacy policy explicitly states that there are secondary uses for this information, such as the improvement of speech recognition systems. Although it was created in 1974, the Belmont Report retains its relevance even when considering such modern innovations. If and when the improvements to these systems are made, who will be the beneficiaries of such advancements? Per the report’s principle of Justice, the policy could go further into how this data could be leveraged to improve the lives of those with speech or language disabilities, rather than only those privileged enough to be able to afford one of these devices.

While the metaverse can close physical gaps between employees to facilitate global collaboration, this increase in accessibility introduces new challenges. In the United States of America, the Americans with Disabilities Act has protected those with disabilities and ensured them a safe and productive workplace. Additional protections for those potentially disadvantaged by the use of these devices would need to be evaluated to address accessibility concerns.

It would also be reasonable to assume this is a shared device, used not only by an employee within Horizon Workrooms but also by their children for their favorite game. The privacy policy does not explicitly differentiate the collection of data from different users at the device level versus the application level. There is a risk of disseminating information about those without the autonomy to consent.

The Meta Quest policy also states that they collect identifying information to ensure the safety of its users. This results in a lack of anonymity which, along with the other data points being collected, increases the impact of information disclosure or invasion of privacy for the users. It would be reasonable to expect this type of moderation leveraging personally identifiable information to be replicated across other companies’ metaverses to ensure a safe environment that encourages an overall adoption of this technology.

Proceed, with Caution

Breaking down the barriers of physical limitations by enhancing our reality, or establishing a virtual one, can help many achieve great things and has the potential to further innovation and collaboration by leaps and bounds.

And as enticing as that may be, the privacy implications of the metaverse cannot be an afterthought in its implementation. This would necessitate the slowdown of technological advancement to ensure proper caution is exercised. Unfortunately, this may not be an option as competition for the arbiter of the metaverse heats up in order to get their share of a multi-trillion dollar market.

Ethics in Data Management by Design

Anonymous | July 7, 2022

External data has become an essential component of a company’s data strategy, and data brokers are an integral part of the landscape. However, are the policies and regulations able to catch up with the evolving data brokerage domain and data collection methods? Do companies have the same commitment to safeguarding external data as they do to protecting their internal data? And even if they are able to capitalize on some of the ambiguities surrounding data management, should they do so at the price of ethics?

Current state

Companies are increasingly exploiting data offered by data providers or obtained through different data subscriptions and in many cases, it has become an integral part of companies’ data strategy. Enterprises utilize external data not only for marketing purposes, but also for a variety of internal use cases, such as ensuring the safety of the company’s personnel and executives, identifying and mitigating reputational risks, and benchmarking company performance across a variety of dimensions, among others. In addition to utilizing the data acquired via data brokers, many organizations also utilize open/public data.

Contractual responsibilities between the data provider and the consuming companies govern the use of external data to some extent. However, processing external data, merging disparate data sources, and augmenting external data with data received from internal or public sources pose a new set of challenges to the regulations and controls that companies must implement. While there is clear guidance from GDPR, FTC, CalOPPA, and others, several of the above-mentioned domains still lack well-defined policies and remain ambiguous.

In addition to the formal constraint, there is also an opportunity to assess the ethical and behavioral implications of intercompany data management and consumption. Even if there is some ambiguity in data management, the question is whether we should expect businesses to have a higher ethical standard and awareness. In many circumstances, inter-company data privacy groups are primarily concerned with the management of personally identifiable information, with a focus on internal business data. Compliance checks undertaken by these groups are frequently perceived as overhead by delivery teams, and even as an obstacle or significant slowdown in project performance. While many companies have incorporated privacy risk and impact assessments into their operations, as long as these reviews are perceived as an impediment and the performance is measured and driven by time to market, these reviews could potentially generate a false sense of security.

A brighter future?

With the evolution of formal regulations, which will hopefully provide clearer guidance addressing the data brokerage domains and companies’ practices pertaining to external data management and consumption, it would be fantastic to see companies not only improve their internal practices and regulations to comply with the formal regulations but also drive more ethical data practices. Some of these concepts ought to be integrated into the performance measurement of the workforce in order to encourage the installation of ethical data management and subsequent behavioral and cultural shifts. It would be great to see ethics built into the design processes, and to see privacy by design cease being an afterthought and become an integral component of the enterprise data architecture guiding principles.

Wearable devices offer new opportunities and new challenges for drug discovery

Katy Scott | July 7, 2022

Not just Watches
Including devices besides smart watches, health and wellness related wearables are expected to continue to improve as a technology and increase market growth in coming years (Loucks, Bucaille, Stewart, & Crossnan, 2021). The Food and Drug Administration issued Emergency Use Authorizations for 6 wearable monitoring devices to protect health care worker safety against COVID in 2019 (Food and Drug Administration, 2021). This is a placement diagram for one of those devices, a Vital Signs Monitoring System, which tracks electrocardiogram data and downloads it to a smartphone:

[Figure: Placement for Vital Signs Monitoring System]

Emerging Opportunities
With increasing ubiquity and accuracy of wearable health monitors, it follows that investigators are exploring options to leverage them to improve clinical trials management. Between 35% and 65% of the cost of a clinical trial goes to site focused costs (Serkaya, Wong, Jessup, & Beleche, 2016). A shift toward remote administration using automated data collection and delivery through wearable devices could drive substantial savings. Double digit percentages in development costs could have disruptive effects in the health care industry, making more therapies available to patients at costs they can afford.
In addition to cost savings, at-home biometrics monitoring may overcome barriers to access. For example, some patients decline or attrit from clinical trials due to costs or inconvenience of traveling to a trial site (Thoma, Farrokhyar, McKnight, & Bandari, 2010). As well, some underserved communities enroll less often in trials due to mistrust of the medical experiments (Institute of Medicine (US), 2012); they may feel more comfortable participating from home. Furthermore, some patients, like those suffering from a severe subgroup of Myalgic Encephalomyelitis, cannot make office visits without suffering harm (Centers for Disease Control and Prevention, 2019). At-home monitoring could make study of their disease and progress toward treatments possible.

Unique Challenges
The use of wearables data for clinical trials experiments presents unique challenges compared to a traditional clinical trial. Data integrity and security must be ensured throughout data storage, transmission, and retention. If the data pipeline relies on personally owned Wi-Fi networks and smartphones or tablets, a variety of security solutions would need to be established and maintained throughout trial operation. Reliance on personal infrastructure for data transmission could introduce bias against individuals or communities with less access to internet connectivity or smart devices.

A wearables experiment may need to be designed differently compared to a traditional trial. For example, individual sensors would be used continuously per patient, amplifying potential measurement bias. As well, patients may have more visibility to regular biometrics monitoring, which could introduce placebo effects. Finally, the experiments may see greater attrition in subjects due to loss of devices. With measurement assets not under control of the clinic, they risk damage, theft, or loss before completion of the trial. Investigators would need to plan for all these effects in their experimental design.

A Smart Future
The healthcare industry is ready for the cost savings and equity in recruitment these devices can offer. As long as data security and experimental designs keep pace with the development of wearables, these fun and fashionable accessories could revolutionize medicine in coming years.

[Image: Smart devices]

References

Centers for Disease Control and Prevention. (2019, November 19). Myalgic Encephalomyelitis/Chronic Fatigue Syndrome- Severely Affected Patients. Retrieved from Centers for Disease Control and Prevention: https://www.cdc.gov/me-cfs/healthcare-providers/clinical-care-patients-mecfs/severely-affected-patients.html

Food and Drug Administration. (2021, July 15). Remote or Wearable Patient Monitoring Devices EUAs. Retrieved from U.S. Food and Drug Administration: https://www.fda.gov/medical-devices/coronavirus-disease-2019-covid-19-emergency-use-authorizations-medical-devices/remote-or-wearable-patient-monitoring-devices-euas

Institute of Medicine (US). (2012). Public Engagement and Clinical Trials: New Models and Disruptive Technologies: Workshop Summary. (p. Working with Underserved Communities). Washington DC: National Academies Press (US).

Loucks, J., Bucaille, A., Stewart, D., & Crossnan, G. (2021, December 1). Wearable technology in health care: Getting better all the time. Retrieved from Deloitte Insights: https://www2.deloitte.com/us/en/insights/industry/technology/technology-media-and-telecom-predictions/2022/wearable-technology-healthcare.html

Serkaya, A., Wong, H.-H., Jessup, A., & Beleche, T. (2016, April). Key cost drivers of pharmaceutical clinical trials in the United States. Retrieved from NIH National Library of Medicine: https://pubmed.ncbi.nlm.nih.gov/26908540/

Thoma, A., Farrokhyar, F., McKnight, L., & Bandari, M. (2010, June). How to optimize patient recruitment. Retrieved from NIH National Library of Medicine: https://www.ncbi.nlm.nih.gov/pmc/articles/PMC2878987/


Tesla Insurance Driver Safety Score: Potentially Save a Quick Buck, but at What Cost?

Ethan Nguonly | July 7, 2022

Teslas are well known for their state-of-the-art monitoring abilities, from location data and battery usage to pressure monitoring and sentry mode recording. Tesla also offers car insurance for its users at a discounted rate, and insured drivers have the option to enroll in real-time driver safety monitoring. Through this program, Tesla uses its built-in logging and monitoring system to evaluate how safely a driver drives and generates a Driver Safety Score from this data. Drivers start off with a safety score of 90, which can go up or down depending on the driver’s behavior, such as speed of braking, sharpness of turns, etc.

The five safety factors that are used to evaluate a driver’s safety score are Forward Collision Warnings per 1,000 Miles, Hard Braking, Aggressive Turning, Unsafe Following, and Forced Autopilot Disengagement. These metrics are used together to compute a Predicted Collision Frequency score as follows:

The PCF is then converted into a 0 to 100 Safety Score using the following formula:

Safety Score = 115.382324 - 22.526504 * PCF

A driver’s monthly insurance premium is then determined based on their safety score for the previous month. This allows Tesla to offer discounts to users based on their driving habits, incentivizing and rewarding users for driving safely. On the other hand, users who are deemed not to be safe drivers would have their insurance premiums increased. Tesla has stated it estimates those deemed to be “average” drivers would save between 20% and 40% on their monthly premiums compared to competitor insurance offerings, while “good” drivers would save between 30% and 60%.

Other major car insurance companies have also started offering telematics-based insurance rates. However, where Tesla beats its competitors is in its greater transparency about which metrics are used to evaluate drivers and how. While Tesla openly provides its driver safety score formula, other auto insurance companies do not. Some argue that Tesla’s transparency about how it evaluates drivers allows the system to be easily gamed, while others praise Tesla for being more open and informing drivers how their driving data will be used.

While lower insurance premiums and safer drivers sound like a win-win situation for all parties, this type of continual vehicle monitoring system does raise serious concerns about user privacy. For example, what else is this data being used for? What if this data were to be leaked or sold to a third party such as an employer, who could then make the decision not to hire an individual based on their driving behavior? Given the sophistication of Teslas, what other data is being collected outside of the metrics Tesla has openly outlined? Greater transparency and education about data collection, usage, and retention of vehicle telematics are needed as driver-based insurance programs become more widely available. For now, whether or not to opt into a real-time monitoring-based car insurance program is a personalized choice. Let’s just hope that the decision to opt-in now does not have unexpected lasting consequences in the long run.

Tesla states that if you sell your vehicle, your previous driver safety score will not be used for a new Tesla vehicle that you purchase.

References

https://www.tesla.com/support/safety-score

https://www.vice.com/en/article/akvwge/tesla-drivers-say-they-can-easily-cheat-teslas-safety-score

https://electrek.co/2022/04/01/tesla-insurance-launches-driver-safety-score-in-california-educational-purposes/#:~:text=In%20October%2C%20Tesla%20finally%20launched,between%2030%25%20to%2060%25.

The Deceptive Appeal of Buy Now Pay Later

Anonymous | July 7, 2022

Buy Now, Pay Later (BNPL) companies like Affirm, Klarna, and Afterpay offer consumers the enticing option to pay for their online purchases in interest-free installments. The BNPL industry has grown rapidly in the past several years, accelerated by the increase in online shopping. Many new players are joining the scene, with Apple Pay Later set to launch in Fall 2022. With this, consumers can now split large costs into smaller, more manageable payments with a click of a button. You can now use Affirm to purchase a laptop, buy a brand new wardrobe through Klarna, and even finance your groceries through Afterpay.

At the same time, since consumers now have multiple options to pay over time, it can encourage them to spend impulsively and buy items they cannot afford. It has now become an issue where people are buying everyday household items in installments. Unlike credit cards, the BNPL industry is largely unregulated. BNPL companies operate outside the legal definition of a loan product and are not subject to certain US consumer finance regulations (Nguyen, 2021). The terms for each company vary, with some including late fees but not interest, and some reporting to credit bureaus and some not. For example, while Afterpay doesn’t charge interest, it collected $64 million in late fees from users in the past 12 months (Fussell, 2021).

In order to understand the ethical challenges involved, we can apply the Belmont Principles. In terms of respect for persons, we can see that BNPL companies do not explicitly obtain informed consent from their users. For one, the services are deceptively marketed as a payment option, rather than the loan paid in installments that it is. There is also a major lack of transparency in the BNPL process. On Klarna’s website, it simply states “Split the cost of your purchase into 4 interest-free payments, paid every 2 weeks. No interest. No catch.” Affirm explains how their process works in three steps: 1) Go Shopping 2) Choose Your Payment Terms 3) Make Your Payments. Both fail to provide adequate information and explain if and how a soft credit check is performed or the consequences of missing or paying an installment late. As a result, users are unaware of the full terms and conditions before agreeing to these installment loans.

The principle of beneficence states that any research should aim to maximize possible benefits and minimize potential harms. While the industry does provide a service to users, allowing for a supposedly interest-free alternative to those without a credit card, the companies are at the end of the day, profit driven. Without regulation in place, BNPL companies are free to impose fees and apply tactics that may encourage consumers to overspend and accumulate debt without consequences.

The third principle of justice advocates for fair treatment for all. Research has found that BNPL users have consisted mostly of younger consumers, as well as those who are low income. At the same time, BNPL is “heavily marketed influencers and brands on TikTok and Instagram” (Bote, 2022). There are currently no safeguards in place for children or younger users, when they are already vulnerable with little credit history and limited financial literacy. This leaves the younger generation susceptible to the dangers of increasing debt involved with BNPL services. Users can easily open multiple BNPL lines to pay for purchases, as opposed to the more complex process of applying for a credit card, getting approved, and then being able to make purchases.

While BNPL services show no signs of stopping, governments have finally taken notice and have begun to take steps towards change. In November 2021, the House Financial Services Committee held a hearing where consumer advocates called for “tighter regulation and more data on how often users default, the potential long-term impact on credit scores, and tighter rules around credit approval” (Fussell, 2022). The Consumer Financial Protection Bureau (CFPB) recently issued a series of orders to five companies to collect information on the risks and benefits. As the industry continues to grow, governments need to take action to safeguard consumers and prevent the continued overspending and accumulation of debt.

Privacy Policies: Manufactured Consent 

Angel Ortiz | July 7, 2022

The conversation surrounding privacy policies and terms of service (ToS) has grown in public interest in recent years, and with it concern about what exactly people are agreeing to when they “click” accept. This more noticeable interest in the agreed-upon terms for the use of one’s private information (as well as its protection) was likely sparked in part by the Facebook/Cambridge Analytica breach of privacy scandal of 2018 (Confessore, N. 2018). This event stirred a social discussion on how companies protect our data and what they are allowed to do with the data we provide. However, despite this burgeoning unease about the misuse of user intelligence, it is all too common to find ourselves blindly accepting the ToS of some website or application, all because we find it too much of a nuisance to read. While it may be true that much of this behavior is the responsibility of the consumer, one must also wonder what obligations companies have when making their policies. After all, if it is a frequent phenomenon that users accept a ToS solely due to its inconvenience, then one must begin to wonder whether this bothersome nature is purposely infused into the text for this very reason.

Complexity of Privacy Policies 

In May 2014, the California Department of Justice outlined several concepts privacy policies should comply with in order to properly disseminate their contents to users. One of these key principles was “Readability”, in which they specified that privacy policies should (among other things) use short sentences, avoid the use of technical jargon, and be straightforward (State of California Department of Justice & Harris, K., 2014). Similarly, the FTC also advocated for more brief and transparent privacy policies in a report they published in 2012 (Federal Trade Commission, 2012, p. 60-61). Despite these guidelines, privacy policies seem more complex than ever before, and this complexity does not necessarily stem from the length of the text.

While there are some excessively long privacy policies, researchers from Carnegie Mellon University estimated that (on average) it would take 10 minutes to read a privacy policy if one possessed a secondary education (Pinsent Masons, 2008). While this is somewhat of a long read for some services, most would argue that they could easily dedicate 10 minutes of their time to read a privacy policy for a service of more importance. However, the problem with these policies is usually in the complexity of the reading rather than its length. In 2019, The New York Times published an article where they used the Lexile test to determine the complexity of 150 privacy policies from some of the most popular websites and applications. They found that most of the policies required a reading comprehension exceeding the college level to understand (Litman-Navarro, K. 2019); for reference, it is estimated that only 37.9% of Americans who are 25 or older have a bachelor’s degree (Schaeffer, K. 2022). At face value, this would mean that a non-insignificant portion of the U.S. population does not have the education to understand what some of these privacy policies entail.

Purposeful Inconvenience? 

Some may conjecture that this complexity is purposefully manufactured with the objective of inconveniencing consumers into not reading privacy policies before accepting a ToS. While this is an enticing thought, we cannot disregard that there is a less nefarious explanation for why privacy policies are written in such a complex manner: legal scrutiny. It is the opinion of some experts such as Jen King, the director of consumer privacy at the Center for Internet and Society, that privacy policies exist to appease lawyers (Litman-Navarro, K. 2019). That is to say, privacy policies are not written with consumers as the audience in mind.

Solution 

Regardless of what the real intent behind the complexity of privacy policies is, it is undeniable that its effect is the inability of some users to properly comprehend them or, at least, dedicate the time to do so. Therefore, we must ask, how can we solve this problem? Often the simplest solution is the correct one, and this holds true here as well. If the problem stems from privacy policies not being written for consumers, then companies should begin writing their policies with consumers in mind. This would necessarily entail making the texts shorter, more to the point and reduced in the use of “legalese”.

Conclusion 

It is important for individuals to take the time to properly understand what they are agreeing to when they accept a ToS, and their corresponding privacy policies. This, of course, is not likely the norm and most would place the fault of this behavior on the consumers. However, when some of these policies are made so long and complex that it is not only an inconvenience but an impossibility for many users to properly comprehend what they are agreeing to, then I would argue that this common practice is not the fault of the consumer but of the policy makers themselves. We no longer live in a time where we have the luxury of not partaking of services that intake our data; as such, it is my hope that as this discussion continues to grow, more policy writers shift focus to include user understanding in their privacy policies. Otherwise, I suggest we make Law School cheaper so that more people can obtain degrees in privacy policy comprehension.

References 

Average privacy policy takes 10 minutes to read, research finds. (2008, October 06). Pinsent Masons. Retrieved July 3, 2022, from https://www.pinsentmasons.com/out-law/news/average-privacy-policy-takes-10-minutes-to-read-research-finds#:%7E:text=The%20average%20length%20of%20privacy,take%2010%20minutes%20to%20read.

Confessore, N. (2018, November 15). Cambridge Analytica and Facebook: The Scandal and the Fallout So Far. The New York Times. Retrieved July 3, 2022, from https://www.nytimes.com/2018/04/04/us/politics/cambridge-analytica-scandal-fallout.html

Federal Trade Commission. (2012, March). PROTECTING CONSUMER PRIVACY IN AN ERA OF RAPID CHANGE. https://www.ftc.gov/sites/default/files/documents/reports/federal-trade-commission-report-protecting-consumer-privacy-era-rapid-change-recommendations/120326privacyreport.pdf

Litman-Navarro, K. (2019, June 13). Opinion | We Read 150 Privacy Policies. They Were an Incomprehensible Disaster. The New York Times. Retrieved July 3, 2022, from https://www.nytimes.com/interactive/2019/06/12/opinion/facebook-google-privacy-policies.html

Schaeffer, K. (2022, April 12). 10 facts about today’s college graduates. Pew Research Center. Retrieved July 3, 2022, from https://www.pewresearch.org/fact-tank/2022/04/12/10-facts-about-todays-college-graduates/#:%7E:text=As%20of%202021%2C%2037.9%25%20of,points%20from%2030.4%25%20in%202011.

State of California Department of Justice, & Harris, K. (2014, May). Making your Privacy Practices Public. Privacy Unit. https://oag.ca.gov/sites/all/files/agweb/pdfs/cybersecurity/making_your_privacy_practices_public.pdf?

Emotional Surveillance: Music as Medicine 

Anonymous | July 7, 2022

Can streaming platforms uphold the Hippocratic Oath? Spotify’s emotional surveillance patent exemplifies how prescriptive music could do more harm than good when it comes to consumers’ data privacy.

The pandemic changed the way we listen to music. In a period of constant uncertainty, many people turned to music. People also started to listen to more calming, meditative music. During this time, playlists started popping up on Apple Music specially curated with lofi, nature sounds. This category has been defined as ‘Chill’, but takes on many different names. The idea of music and sound therapy continues to be on the forefront of listener behavior today, with a trend on TikTok sharing brown noise sounds (brown noise has more deep, low sound waves compared to white noise, more similar to rain and storms). Brown noise can help alleviate symptoms of ADHD, and is being listened to as a sort of therapy for people who deal with anxiety.

The idea of listening to music as therapy is not new; however, there might now be an AI tool feeding you the right diagnosis. While there is no cause for concern over someone being suggested a calming playlist, the bigger issue at hand is the direction this could take us in the future, and how surveillance-based, audio-driven recommendation systems dilute a user’s right to data privacy, especially when a platform wants to recommend music based on audio features that correspond to the emotional state of the user. This is what was being considered in the patent that Spotify won back in 2021.

Spotify’s patent is a good case study for the direction in which many streaming services are headed. Using this example, we can unpack the ways in which a user’s data and privacy are at risk.

The specific language of the patent is as follows:

“There is retrieval of content metadata corresponding to the speech content, and environmental metadata corresponding to the background noise. There is a determination of preferences for media content corresponding to the content metadata and the environmental metadata, and an output is provided corresponding to the preferences.” [5]

Since this patent was granted, there was significant uproar over the potential impacts. In layman’s terms, Spotify was seeking to take advantage of AI to uncover tone, monitor your speech and background noise, and recommend music based on attributes its algorithm correlates to specific emotional states. For example, if you are alone, have been playing a lot of down tempo music and have been speaking to your mom about how you are feeling depressed, the system will categorize you as ‘sad’ and will feed you more sad music.

Since it won the patent, Spotify indicated it had no immediate intention to use the technology. This is a good sign, because there are a few ways that this idea could cause data privacy harm if it was used.

Users have a right to correct the data the app collects.
To meet regulatory standards, Spotify would need to provide the attribution of the emotions that it is categorizing you with based on its audio analysis. If it thinks you are depressed, but you are being sarcastic, how will you as a consumer correct that? Without the logistics to do so, Spotify is introducing a potential privacy harm for its users. Spotify is known to sell user data to third parties, where it could be aggregated and distorted, and you could end up being pushed ads for antidepressants.

Spotify could create harmful filter bubbles.
When a recommendation system is built to continually push content similar to what it thinks a user’s mood is, it inherently prolongs potentially problematic emotional states. In this example scenario, continuing to listen to sad music when you are depressed can have a harmful impact on your emotional wellbeing rather than improving it. As with any scientific or algorithmic experimentation, we know from the Belmont Report that any features built that could affect a user’s or participant’s health must do no harm. The impact of a filter bubble (where you only get certain content) can mimic the harm done in YouTube’s recommendations, creating a feedback loop that maintains the negative emotional state.

Users have a right to know.
Part of Spotify’s argument for why this technology could benefit the user is that without collecting this data passively from audio, the user must click buttons to select mood traits and build playlists. According to the Fair Information Practice Principles guidelines, Spotify must be transparent and involve the individual in the collection of their data. While a user’s experience is extremely important, they still need to know that this data is being collected about them. Spotify should incorporate an opt-in consent mechanism if they were to move forward with this system.

Spotify still owns the patent for this technology, and other platforms are considering similar trajectories. While the music industry considers breaking into the next wave of how we interact with music and sound, streaming platforms should be careful if they plan on building a recommendation system that will leverage emotion metadata to curate content. This type of emotional surveillance dips into a realm of data privacy which has the potential to cause more harm than good. If any distributed service providers move in this direction, they should consider the implications on data privacy harm.

References 

1 https://montrealethics.ai/discover-weekly-how-the-music-platform-spotify-collects-and-uses-your-data/
2 https://www.musicbusinessworldwide.com/spotifys-latest-invention-will-determine-your-emotional-state-from-your-speech-and-suggest-music-based-on-it/
3 https://www.stopspotifysurveillance.org/
4 https://www.soundofsleep.com/white-pink-brown-noise-whats-difference/
5 https://patents.justia.com/patent/10891948
6 https://georgetownlawtechreview.org/wp-content/uploads/2018/07/2.2-Mulligan-Griffin-pp-557-84.pdf
7 https://theartofhealing.com.au/2020/02/music-as-medicine-whats-your-recommended-daily-dose/
8 https://www.digitalmusicnews.com/2021/04/19/spotify-patent-response/
9 https://www.bbc.com/news/entertainment-arts-55839655

Password Replacement: Your Face Here

Jean-Luc Jackson | July 7, 2022

Biometrics promise convenient and secure logins, making passwords a thing of the past. However, consumers should be aware of possible gaps in security and vigilant of long-term shifts in cultural norms.

Microsoft encourages users to go passwordless

Technology leaders such as Microsoft, Apple, and Google are promising an impending future free of passwords. Passwordless authentication methods in use today include text or in-app validation codes, emailed “magic links”, or the user’s biometric data. These biometric-based methods are poised to replace traditional passwords and become the primary authentication systems for big tech’s users. Biometric authentication methods are no longer confined to spy films: consumers can now prove their digital identities using facial and fingerprint scans instead of employing their favorite password management service. These are exciting developments, but consumers should always be wary when exposing sensitive personal information like biometrics. The stakes with biometric data insecurity are high: passwords can be reset, new credit cards can be printed, but biometrics are permanently tied to their source and identify it.

The National Academy of Sciences defines biometrics as “the automated recognition of individuals based on their behavioral and biological characteristics [1].” Biometrics take advantage of features that are unique to individuals and that don’t change significantly over time. Commonly encountered examples include a person’s fingerprints, face geometry, voice, and signature. Other contenders include a person’s gait, heartbeat, keystroke dynamics, and ear shape. In other words, the way you walk, your typing patterns, and the contours of your ears are distinctive and could be used to identify you.

Published Figures on Ear Shape for Biometric Identification

The advantage of biometrics in authentication is that they cannot be forgotten or guessed, and they are convenient to present. Microsoft announced in 2021 that consumers could get rid of their account passwords and opt-in to using facial recognition or fingerprint scanning (a service dubbed “Windows Hello”) [2]. Apple and Google have also announced similar biometric passkey technologies to be rolled out later this year [3, 4]. With this momentum, biometrics will soon be ubiquitous across modern smart devices and could one day be the only accepted login method.

Passwordless technologies offered by these tech companies utilize de-centralized security standards like FIDO (Fast IDentity Online). This authentication process involves a pair of public and private keys. The public key is stored remotely on a service’s database while the private key is stored on the user’s device (e.g., a smart phone). When the user proves their identity on their device using biometrics (e.g., with a face scan), the private key is sent to the online service and the login is approved when matched to the remote public key. This design ensures that biometric information remains on the device and is never shared or stored on a server, eliminating the threats of interception or database breaches.

FIDO Login Process

FIDO standards are an example of a de-centralized authentication system since biometric data is verified on-device and is not stored on a central server. A centralized system, on the other hand, authenticates by comparing biometric data to data saved in a central database. These systems are prone to manipulation and data breaches because of the higher potential for attacks. We should be vigilant of organizations that use centralized systems and pay close attention when they are used in government applications, such as storing biometric data about their citizens [5].
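The FIDO login described above, as an added example (not code from the article or from the FIDO Alliance): in the FIDO design the device answers a one-time challenge from the service by signing it with the private key, and the service checks that signature against the stored public key, so neither the private key nor the biometric crosses the network. The class names, host names and message layout are assumptions for illustration; real deployments use the WebAuthn and CTAP message formats.

```javascript
// Added example: simplified model of a FIDO-style login, not the WebAuthn wire format.
// Authenticator, RelyingParty, demo and the host names are hypothetical.
const crypto = require('node:crypto');

const sha256 = (data) => crypto.createHash('sha256').update(data).digest();

// Bytes covered by the signature: service identity, use counter, server challenge.
function signedData(rpId, counter, challenge) {
  const counterBytes = Buffer.alloc(4);
  counterBytes.writeUInt32BE(counter);
  return Buffer.concat([sha256(rpId), counterBytes, challenge]);
}

// Device side: one private key per service; only signatures ever leave it.
class Authenticator {
  constructor() { this.credentials = new Map(); } // rpId -> { privateKey, counter }

  // Registration: generate a key pair, keep the private half, hand out the public half.
  register(rpId) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.credentials.set(rpId, { privateKey, counter: 0 });
    return publicKey.export({ type: 'spki', format: 'pem' });
  }

  // userVerified stands in for the on-device face or fingerprint match.
  // The match only unlocks the key; no biometric data is part of the response.
  sign(rpId, challenge, userVerified) {
    const cred = this.credentials.get(rpId);
    if (!cred) throw new Error(`no credential registered for ${rpId}`);
    if (!userVerified) throw new Error('local user verification failed');
    cred.counter += 1;
    const data = signedData(rpId, cred.counter, challenge);
    return { counter: cred.counter, signature: crypto.sign('sha256', data, cred.privateKey) };
  }
}

// Service side: stores public keys only and issues single-use challenges.
class RelyingParty {
  constructor(rpId) {
    this.rpId = rpId;
    this.accounts = new Map(); // username -> { publicKeyPem, counter }
    this.pending = new Map();  // username -> outstanding challenge
  }

  enroll(username, publicKeyPem) { this.accounts.set(username, { publicKeyPem, counter: 0 }); }

  newChallenge(username) {
    const challenge = crypto.randomBytes(32);
    this.pending.set(username, challenge);
    return challenge;
  }

  verify(username, assertion) {
    const account = this.accounts.get(username);
    const challenge = this.pending.get(username);
    this.pending.delete(username); // a challenge is consumed whether or not it verifies
    if (!account || !challenge) return false;
    // A counter that does not increase suggests a replayed or cloned credential.
    if (!Number.isInteger(assertion.counter) || assertion.counter <= account.counter) return false;
    const data = signedData(this.rpId, assertion.counter, challenge);
    const ok = crypto.verify('sha256', data, account.publicKeyPem, assertion.signature);
    if (ok) account.counter = assertion.counter;
    return ok;
  }
}

// Constructed walk-through: one good login, then the cases the design is meant to stop.
function demo() {
  const device = new Authenticator();
  const service = new RelyingParty('login.example');
  service.enroll('alice', device.register('login.example'));

  const first = device.sign('login.example', service.newChallenge('alice'), true);
  const login = service.verify('alice', first);             // fresh challenge, valid signature
  const replayNoChallenge = service.verify('alice', first); // challenge already consumed
  service.newChallenge('alice');
  const replayNewChallenge = service.verify('alice', first); // old signature, new challenge

  let lookalikeRefused = false; // the device holds no key for a look-alike host
  try { device.sign('login-example.test', service.newChallenge('alice'), true); }
  catch { lookalikeRefused = true; }
  let biometricRequired = false; // a failed local match never unlocks the key
  try { device.sign('login.example', service.newChallenge('alice'), false); }
  catch { biometricRequired = true; }

  const stored = service.accounts.get('alice').publicKeyPem;
  return { login, replayNoChallenge, replayNewChallenge, lookalikeRefused, biometricRequired,
    serverHoldsOnlyPublicKey: stored.includes('BEGIN PUBLIC KEY') && !stored.includes('PRIVATE') };
}
```

A breach of the service's account table in this model exposes public keys only, which is the property the comparison with centralized biometric databases turns on.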

Though passwordless methods minimize security risks, gaps do exist. Researchers successfully reconstructed people’s original face images using their on-device data that result from facial recognition scans [6]. The potential to decode numerical representations of biometric data poses the threat of a new form of identity theft. Since biometrics are treated as ground-truth authentication, such a theft would provide a variety of access in a world filled with biometric logins. While most thieves won’t be able to utilize stolen biometric data with off-the-shelf methods, as technology evolves this risk will continue to expand and should receive additional attention.

It’s also possible to create imitation biometrics that allow unwanted access. Fingerprint security has often been bypassed by reproducing a copy of a fingerprint, but a group of researchers in 2018 created a machine learning model that generated fake fingerprints that successfully gained access to smart phones [7]. The continuous advancement of technology yields both benefits and risks depending on who has the tools, reminding us to exercise caution in sharing data and pushing companies to keep consumer protection as a priority.

There is no doubt that biometrics offer added convenience, and the latest authentication standards promise stronger levels of security. But as biometrics become the prevailing authentication method, we normalize the routine use of sensitive personal information in a variety of contexts. Individuals will inevitably grow more accustomed to sharing valuable information with organizations to remain productive members of society. Moving forward, it will be even more important for us as consumers to demand transparency and hold organizations accountable to minimizing data collection to only what is necessary and not using data for secondary purposes.

For context, there is currently no federal regulation regarding biometric privacy. Various states have enacted biometric-specific privacy laws, with Illinois and California leading the way in protecting their citizens. The number of state laws continues to grow, signaling the potential for national regulation soon.

Citations
[1] https://www.ncbi.nlm.nih.gov/books/NBK219892/
[2] https://www.microsoft.com/security/blog/2021/09/15/the-passwordless-future-is-here-for-your-microsoft-account/
[3] https://developer.apple.com/passkeys/
[4] https://developers.google.com/identity/fido
[5] https://www.technologyreview.com/2020/08/19/1007094/brazil-bolsonaro-data-privacy-cadastro-base/
[6] https://ieeexplore.ieee.org/document/8338413
[7] https://www.wired.com/story/deepmasterprints-fake-fingerprints-machine-learning/

Images
[1] https://www.microsoft.com/en-us/security/business/identity-access/azure-active-directory-passwordless-authentication
[2] https://link.springer.com/referenceworkentry/10.1007/978-1-4419-5906-5_738
[3] https://fidoalliance.org/how-fido-works/

Is TikTok really worth it? U.S. FCC Commissioner doesn’t think so

Anonymous | July 7, 2022

It’s no secret that over the last two years TikTok has become one of the most popular social media applications in the world, and in the United States specifically, with 19 million downloads in the first quarter of 2022 alone. American users spend hours daily going through all sorts of videos, from cute dogs to extreme athletes. The algorithm is said to be one of the best in the world, so good that users can’t find a way to log off. TikTok has changed how Americans consume information – with short videos being the new communication norm – as the app shares everything from unsolved crimes to local news, sometimes even faster than the news itself. But amongst the hype, have we ever stopped to consider what type of user data TikTok is collecting?

Commissioner of the Federal Communications Commission (FCC) Brendan Carr is so concerned about TikTok’s data access that he believes the application should be removed entirely from iPhone and Android app stores in the United States. So on June 24, 2022, he asked Apple and Google to take action (Carr, 2022). But he didn’t get too far.

After listening to BuzzFeed News’ leaked recordings from internal TikTok meetings, Carr believes TikTok has “repeatedly accessed nonpublic data about U.S. TikTok users” (Carr, 2022). Carr has also alleged that TikTok’s American employees “had to turn to their colleagues in China to determine how U.S. user data was flowing,” even though TikTok promised the American government that an American-based security team had those controls (Carr, 2022). The user data is extensive – voiceprints, faceprints, keystroke patterns, browsing histories, and more (Carr, 2022).

In the leaked recording, a TikTok official is heard saying, “Everything is seen in China,” about American user data, even though TikTok has repeatedly claimed that the data it gathers about Americans is solely stored in the United States (Meyer, 2022). In any case, China shouldn’t be allowed access to that data, as that isn’t outlined in TikTok’s Terms of Use (TikTok Inc., 2019). In contrast, in other applications like Instagram, that restriction has been clearly stated in their Terms of Use (Meta, 2019).

“At its core, TikTok functions as a sophisticated surveillance tool that harvests extensive amounts of personal and sensitive data,” Carr wrote in his letters to Google and Apple, which were published on his Twitter profile (Carr, 2022). Carr asks these tech giants to remove TikTok from their App Stores, which begs the question – is that allowed? Technically, he’s justified in asking for this. But why?

TikTok’s misrepresentation of where user data is stored puts it out of compliance with the policies both Apple and Google require every application to adhere to as a condition of being available for download (Carr, 2022). However, neither Apple nor Google has responded. Given the cry for help from the FCC, one would think the FCC’s authority over social media would be the final word, but surprisingly, that’s not the case. It turns out the FCC is responsible for ensuring communication infrastructure, but it has zero control over what is being communicated; therefore, it has little to no control over social media. Their net neutrality policy has removed their power of proper social media and big tech regulation. Although they call for it, it doesn’t mean much, as they can’t necessarily act on it (Coldewey, 2020).

Unfortunately, the United States government cannot impose fines on TikTok as no law has been broken. Any action against the tech giant would need to come from Congress, in agreement by both political parties. Without any set regulation, it’s hard to charge TikTok with anything.

TikTok is no stranger to data malpractice. In 2021, TikTok, although denying claims, agreed to pay $92 million to settle a lawsuit that alleged that the app transferred data to servers and third parties in China that could identify, profile, and track the physical locations of American users (Bryan & Boggs, 2021). In 2019, TikTok’s parent company, ByteDance, also reached a settlement with a group of parents who alleged that the company collected and exposed the data of minors, violating an American children’s privacy law (Haasch, 2021).

The controversy didn’t stop there; it continued. TikTok responded to Carr’s claims by saying the recordings were taken out of context. TikTok’s CEO, Shou Zi Chew, in a letter published by the New York Times, said the conversations in the recordings were around an initiative designed to “strengthen the company’s data security program” (Chew, 2022). Chew went into detail about how TikTok prevents data from being routed to China, mainly by having data servers located directly in the U.S., with help from American consulting firms in designing that process (Chew, 2022).

All of this begs the question: is TikTok worth it? Would you risk your data for the videos? Unfortunately, there’s little way to know if TikTok and Chew are following their policies, and the United States government is far from adequately regulating the app. It’s up to you to decide what you should do.

Sources

Bryan, K. L., & Boggs, P. (2021, October 5). Federal Court Approves $92 Million TikTok Settlement. National Law Review. Retrieved July 7, 2022, from http://natlawreview.com/article/federal-court-gives-preliminary-approval-92-million-tiktok-mdl-settlement-over

Carr, B [@BrendanCarrFCC]. (2022, June 28). TikTok is not just another video app. That’s the sheep’s clothing. It harvests swaths of sensitive data that new reports show are being accessed in Beijing. I’ve called on Apple and Google to remove TikTok from their app stores for its pattern of surreptitious data practices. [Tweet]. Twitter. https://twitter.com/brendancarrfcc/status/1541823585957707776

Chew, S. Z. (2022, June 30). TikTok’s Response to Republican Senators. The New York Times. Retrieved July 4, 2022, from https://int.nyt.com/data/documenttools/tik-tok-s-response-to-republican-senators/e5f56d3ef4886b33/full.pdf

Coldewey, D. (2020, October 19). Who regulates social media? TechCrunch. Retrieved July 7, 2022, from https://techcrunch.com/2020/10/19/who-regulates-social-media/

Haasch, P. (2021, November 19). TikTok May Owe You Money From Its $92 Million Data Privacy Settlement. Business Insider. Retrieved July 6, 2022, from https://www.businessinsider.com/tiktok-data-privacy-settlement-how-to-submit-claim-2021-11

Meta. (2022, January 4). Terms of Use. Instagram. Retrieved June 12, 2022, from https://help.instagram.com/581066165581870

Meyer, D. (2022, June 29). Apple and Google should kick TikTok out of their app stores, FCC commissioner argues. Fortune. Retrieved July 5, 2022, from https://fortune.com/2022/06/29/apple-google-tiktok-iphone-android-brendan-carr-fcc-privacy-surveillance-china-snowden/

Montti, R. (2022, July 5). TikTok Responds To Allegations Of Unsecured User Data. Search Engine Journal. Retrieved July 6, 2022, from https://www.searchenginejournal.com/tiktok-responds-user-data/456633/#close

TikTok Inc. (2019, February 1). Terms of Service. TikTok. Retrieved July 4, 2022, from https://www.tiktok.com/legal/terms-of-service-us?lang=en

The Metaverse and the Dangers to Personal Identity

Carlos Calderon | July 5, 2022

You’ve heard all about it, but what exactly is a “metaverse,” and what does this mean for consumers? How is Meta (formerly Facebook) putting our privacy at risk this time?

What is the metaverse?

In October 2021, Mark Zuckerberg announced the rebranding of Facebook to “Meta,” providing a demo of their three dimensional virtual reality metaverse [1]. The demo provided consumers with a sneak peek into interactions in the metaverse, with Zuckerberg stating that “In the metaverse, you’ll be able to do almost anything you can imagine,” [6]. But what implications does such technology have on user privacy? More importantly, how can a company like Meta establish public trust in the light of past controversies surrounding user data?

Metaverse and the User

A key component of the metaverse is virtual reality. Virtual reality describes any digital environment that immerses the user through realistic depictions of world phenomena [2]. Meta’s metaverse will be a virtual reality world users can access through the company’s virtual reality headsets. The goal is to create an online experience whereby users can interact with others. Essentially, the metaverse is a virtual reality-based social media platform.

Users will be able to interact with other metaverse users through avatars. They will also be able to buy digital assets, and Zuckerberg envisions a future in which users work in the metaverse.

Given its novelty, it may be hard to understand how a metaverse user’s privacy is at risk.

Metaverse and Personal Identity

The metaverse poses potential ethical issues surrounding personal identity [4]. In a social world, identifiability is important. Our friends need to be able to recognize us; they also need to be able to verify our identity. More importantly, identifiability is crucial in conveying ownership in a digital world, as it authenticates ownership and facilitates enforcement of property rights.

Identification, however, poses serious privacy risks for the users. As Solove states in “A taxonomy of privacy”, identification has benefits but also risks, more specifically “identification attaches informational baggage to people. This alters what others learn about people as they engage in various transactions and activities” [5]. Indeed, users in the metaverse can be identified and linked to their physical selves more easily, given the scope of user data collected. As such, metaverse users are at an increased risk of surveillance, disclosure, and possibly blackmail from malicious third parties.

What is the scope of data collected? The higher interactivity of the metaverse allows for collection of data beyond web traffic and user product use, namely the collection of behavioral data ranging from biometric, emotional, physiological, and physical information about the user. Data collection of this extent is possible through the use of sensor technologies embedded in VR headsets. Continuous data collection occurs throughout the user’s time. As such, granularity of user data becomes finer in the metaverse, increasing the chance for identification and its risks.

Metaverse and User Consent

One of the main questions surrounding consent in the metaverse is how to apply it. The metaverse will presumably have various locations that users can seamlessly access (bars, concert venues, malls), but who and what exactly governs these locations?

We propose that the metaverse provide users with thorough information on metaverse location ownership and governance. That is, metaverse companies should explicitly state who owns the metaverse and who enforces its rules, what rules will be applied and when, and should present this information before asking for user consent. In addition, metaverse policies should include a thorough list of what types of user data are collected, and should follow the Belmont Report’s principle of beneficence [3] and include potential benefits and risks that the user may obtain by giving consent. The broad range of technologies involved further complicates the risks of third party data sharing. Thus, Meta should also strive to include a list of associated third parties and their privacy policies.

Metaverse in the Future

Although these notions of the metaverse and its dangers seem far-fetched, it is a reality that we are inching closer to each day. As legislation struggles to keep up with technological advancements, it is important to take preemptive measures to ensure privacy risks in the metaverse are minimal. For now, users should keep a close eye on developing talks surrounding the ethics of the metaverse.

Works Cited

[1] Isaac, Mike. “Facebook Changes Corporate Name to Meta.” The New York Times, 10 November 2021, https://www.nytimes.com/2021/10/28/technology/facebook-meta-name-change.html. Accessed 26 June 2022.

[2] Merriam-Webster. “Virtual reality Definition & Meaning.” Merriam-Webster, https://www.merriam-webster.com/dictionary/virtual%20reality. Accessed 26 June 2022.

[3] National Commission for the Protection of Human Subjects of Biomedical and Behavioral Research. “The Belmont Report: Ethical Principles and Guidelines for the Protection of Human Subjects of Research.” The Commission, 1978.

[4] Sawers, Paul. “Identity and authentication in the metaverse.” VentureBeat, 26 January 2022, https://venturebeat.com/2022/01/26/identity-and-authentication-in-the-metaverse/. Accessed 26 June 2022.

[5] Solove, Daniel. “A taxonomy of privacy.” U. Pa. L. Rev., vol. 154, 2005, p. 477.

[6] Zuckerberg, Mark. “Founder’s Letter, 2021 | Meta.” Meta, 28 October 2021, https://about.fb.com/news/2021/10/founders-letter/. Accessed 26 June 2022.