Artificial Intelligence and Law PDF

Artificial Intelligence and Law An introduction Giuseppe Contissa Giuseppe Contissa – AI and Law Artificial Intelligence Di Ray Kurzweil Giuseppe Contissa – AI and Law Between fiction… Giuseppe Contissa – AI and Law …and reality! Giuseppe Contissa – AI and Law Need to worry? Giuseppe Contissa – AI and Law What is intelligence? “Viewed narrowly, there seem to be almost as many definitions of intelligence as there were experts asked to define it.” R. J. Sternberg quoted in Gregory L. & O. L. Zangwill (eds.) The Oxford Companion to the Mind, 1987. “The ability to learn facts and skills and apply them, especially when this ability is highly developed.” Encarta World English Dictionary, 2006 “... ability to adapt effectively to the environment, either by making a change in oneself or by changing the environment or finding a new one...” Encyclopedia Britannica, 2006 “the general mental ability involved in calculating, reasoning, perceiving relationships and analogies…..” Columbia Encyclopedia, sixth edition, 2006 Giuseppe Contissa – AI and Law Artificial Intelligence For thousands of years, we have tried to understand how we think; that is, how a (human) agent can Perceive, understand predict the environment Modify it according to his desires and needs Communicate and co-operate with other agents The field of artificial intelligence, or AI, goes further still: it attempts not just to understand but also to build intelligent entities. Giuseppe Contissa – AI and Law Strong AI and weak AI Strong AI aim: To develop a full intelligence, because intelligence consists of functions that can be realised regardless of the hardware which is used (organic cells, silicon, etc.). Weak AI aim: To develop an AI system capable of simulating intelligence, because intelligence belongs only to human beings (or more generally to biological systems) Giuseppe Contissa – AI and Law Contributions to AI Many disciplines contributed ideas, viewpoints, and techniques to AI: Philosophy (logic, epistemology, ontology) Mathematics (mathematical logic, theories of probability, computability) Economics (decision theory, game theory) Neuroscience (brain and neurons) Psychology, Cognitive Sciences (behaviours, cognition) Computer engineering Linguistics (natural language processing) Robotics and cybernetics Giuseppe Contissa – AI and Law Models of Artificial Intelligence According to Russel and Norvig, approaches to AI can be distinguished according to 2 dimensions: thought processes and reasoning (think) Behaviour (act) and can be measured in terms of fidelity to human performance, or against an ideal performance measure, called rationality. S. Russell and P. Norvig. Artificial intelligence: A modern approach, 2009 Giuseppe Contissa – AI and Law AI definitions Giuseppe Contissa – AI and Law Definition of AI system (AI Act, art. 3) AI system = a machine-based system that is designed to operate with varying levels of autonomy and that may exhibit adaptiveness after deployment, and that, for explicit or implicit objectives, infers, from the input it receives, how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments; Giuseppe Contissa – AI and Law Very brief history of AI (I) 1943: Walter Pitts and Warren McCullock show how artificial neural networks can process information 1950: Alan Turing publishes "Computing Machinery and Intelligence." 1956: At the Dartmouth computer conference, John McCarthy coins the term "Artificial Intelligence”. Statement: "Every aspect of learning or any other feature of intelligence can in principle be so precisely described that a machine can be made to simulate it." 1956: First working AI systems are shown 1958: John McCarthy invents Lisp language Giuseppe Contissa – AI and Law Alan Turing 1938-42 Turing breaks the code used by U- boots (Enigma) Late ’50s: Universal Turing Machine 1950 Turing Test 1954 Death (poisoning) Giuseppe Contissa – AI and Law Turing test A human interrogates a person and a computer with written questions The human interrogator cannot see the person and the computer. They both provide answers using a terminal In giving the answers, the computer pretends to be a person The computer passes the test (is intelligent) if a human interrogator cannot tell whether the written responses come from a person or from a computer The test raised a huge (i.e. Searle and Giuseppe Contissa – AI and Law the Chinese Room) Searle: the Chinese Room Giuseppe Contissa – AI and Law Searle: the Chinese Room Searle imagines himself alone in a room following a computer program for responding to Chinese characters displayed on a monitor. Searle understands nothing of Chinese, and yet, by following a book containing a set of rules for Giuseppe Contissa manipulating symbols and numerals, he produces appropriate strings of Chinese characters that fool those outside into thinking there is a Chinese speaker in the room. The conclusion is that programming a digital computer may make it appear to understand language but does not produce real understanding. Hence the “Turing Test” is inadequate. Such conclusion has been challenged in many ways… Giuseppe Contissa – AI and Law Searle’s argument Computers can behave like human beings, but that does not mean they think and understand like human beings The “understanding” of human language presupposes experience of the world (‘grounding’ problem) Still relevant for today’s “foundation models”? Giuseppe Contissa – AI and Law Is it legal? Article 50 AI Act 1. Providers shall ensure that AI systems intended to interact directly with natural persons are designed and developed in such a way that the natural persons concerned are informed that they are interacting with an AI system, unless this is obvious from the point of view of a natural person who is reasonably well-informed, observant and circumspect, taking into account the circumstances and the context of use. Giuseppe Contissa – AI and Law Continuing with history of AI (II) Early ’70s: invention of Prolog Late ’70s: first commercial expert systems ’80s: many experts systems are developed Late ’80s: growing awareness of limitations of current expert systems Late ’80s: new studies on neural networks ’90s: AI Applications in many domains: machine learning, case-based reasoning, multi-agent planning, uncertain reasoning, data mining, translation, vision, virtual reality and games. 1997: Deep Blue defeats Garry Kasparov, world chess champion Late ’90s: Software agents, Web crawlers, Spiders and other AI systems are developed for the web. Giuseppe Contissa – AI and Law Very brief history of AI (III) 2000s: the era of machine learning 2001: The launch of IBM's Watson, a question-answering computer system, later known for its victory on the quiz show Jeopardy!. 2006: Geoffrey Hinton and his team introduced the concept of deep learning 2009: Google announces PageRank, a machine learning based ranking systems 2016: AlphaGo, developed by Google DeepMind, defeated the world champion at Go Giuseppe Contissa – AI and Law Very brief history of AI (IV) 2020s the era of generative AI 2018: The release of BERT (Bidirectional Encoder Representations from Transformers) by Google, which revolutionized natural language processing 2020: The release of GPT-3 by OpenAI, a language model with 175 billion parameters, that demonstrated unprecedented capabilities in natural language 2023: The release of ChatGPT, based on GPT-4 architecture, brought generative AI into mainstream use for conversational AI applications New generative AI systems for assisted creativity and entertainments (DALL-E, StableDiffusion, Copilot) Giuseppe Contissa – AI and Law Interactive systems 34 Giuseppe Contissa – AI and Law Autonomous devices 35 Giuseppe Contissa – AI and Law Specific AI and General AI Specific AI: refers to AI systems that are designed and trained to perform a specific task or set of tasks Voice assistants, recommender systems, playing music, etc. General AI: AI systems possessing the ability to understand, learn, and apply intelligence across a wide range of tasks, similar to human cognitive abilities E.g. general purpose AI systems (GPT4, Claude, LLama) Giuseppe Contissa – AI and Law The growth of AI Giuseppe Contissa – AI and Law Approaches to AI Symbolic AI: Symbolic AI involves the use of high-level, human- readable symbols and rules to represent knowledge and logic. AI systems manipulating these symbols to perform reasoning and problem-solving tasks Sub-symbolic AI This approach involves the use of low-level representations, such as neural networks, to learn patterns and make decisions. Sub-symbolic AI focuses on statistical methods and machine learning, allowing systems to learn from data rather than relying on explicitly programmed rules. Giuseppe Contissa – AI and Law Competing orientations Symbolic AI: Sub-symbolic AI: classical approach the new approach (GOFAI) knowledge from data knowledge from rules automatic learning predetermined behaviour prediction capabilities remain what they are (E.g. face recognition) (E.g. Chess playing) Giuseppe Contissa – AI and Law Symbolic approach Computer as automated reasoner The system is based on 2 main components: Giuseppe Contissa 1. A knowledge representation 2. Methods (algorithms) for automatic reasoning that can be applied to the knowledge representation Giuseppe Contissa – AI and Law Reasoning Moving from a reason (premise) to a conclusion justified by such reason. Giuseppe Contissa The process is supported by reasoning schemes, provided by logic Giuseppe Contissa – AI and Law Legal reasoning and rules In legal domain, a typical reasoning scheme is the application of rules. In fact, legal rules may be seen as conditional (IF…THEN) statements, linking an antecedent to a consequent so that from the former is possible to infer the latter. This corresponds to the idea that legal rules usually connect a set of abstract provision of facts to a legal effect. E.g: if a person y commits the crime x, then y shall be punished with sanction z. If x buys the good z from y, then x shall pay to y the price of z. Formal (and computable) languages: Prolog, RuleML, various commercial solution (Hares/Oracle, Ilog/IBM, etc.) Giuseppe Contissa – AI and Law Rule-based systems General Specific Knowledge knowledge (assumption, (facts, questions rules) for the system) Inference Engine (programme for reasoning Inference Assessment (answer given by the system) Giuseppe Contissa – AI and Law Legal applications Rule base systems are used in the legal domain for legal analysis and automated legal assessment Input: factual description of a (legal) case, or scenario Output: assessment of the facts for a legal perspective, and classification within legal categories Many applications in public administration (taxes, welfare, one-stop shop for enterprises, online legal proceedings, etc.) and in business application (i.e. business rules) Giuseppe Contissa – AI and Law The British Nationality Act as a Logic Program Rule base systems are used in the legal domain for legal analysis and automated legal assessment Input: factual description of a (legal) case, or scenario Output: assessment of the facts for a legal perspective, and classification within legal categories Many applications in public administration (taxes, welfare, one-stop shop for enterprises, online legal proceedings, etc.) and in business application (i.e. business rules) Giuseppe Contissa – AI and Law The British Nationality Act as a Logic Program 1-(1) A person born in the United Kingdom after commencement shall be a British Citizen if at the time of birth his father or mother is: (a) a British Citizen, or (b) settled in the United Kingdom. Rule1: X acquires british citizenship on date Y IF X was born in the u.k. AND X was born on date Y AND Y is after or on commencement of the act AND X has a parent who qualified under 1.1 on date Y. Rule2: X has a parent who qualifies under 1.1 on date Y IF X has a parent Z AND Z was a British citizen on date Y Rule3: X has a parent who qualifies under 1.1 on date Y IF X has a parent Z AND Giuseppe Contissa – AI and Law Z was settled in the u.k. on date Y. A modern example of rule-based system for the law: Oracle Policy Automation Giuseppe Contissa – AI and Law Hypes and winters of AI Over the last decades, AI has gone through a number of ups and downs, excessive expectations being followed by disillusion (the so-called AI winters). AI winters AI explosion Expectations on AI The machine learning Consolidation, The expert hype important but systems limited success The general hype heuristics hype Another AI winter 1955 1975 1990 2019 Giuseppe Contissa – AI and Law AI in the new millennium: The key driver A new spring: Big data to extract patterns and models Computing powers New approach to programming (machine learning) Giuseppe Contissa – AI and Law Big data Collection and processing of enormous amounts of data related to the real and virtual world. Directly by computer systems, through physical sensors with the systems themselves. Giuseppe Contissa Big data represents an amount of information that is impossible for humans to manage. Conversely, they constitute a formidable set of knowledge for machine learning models and their processing systems to learn to automatically perform certain tasks (e.g., image recognition, ad clicks, word identification). Giuseppe Contissa – AI and Law Computer power The growth of computing power: Moore's Law (logarithmic scale) The power of a Giuseppe Contissa computer doubles every 1.5 years. It has increased a million times since the 1950s to today. Giuseppe Contissa – AI and Law Machine learning In machine learning approaches, machines are provided with learning methods, rather than, or in addition to, formalised knowledge. Using such methods, they can automatically learn how to effectively accomplish their tasks by extracting/inferring relevant information from their input data. Programme Input data (procedueral or Output logic-based) Input data Learning Learned (training) algorithms programme New data Output Giuseppe Contissa – AI and Law Approaches to learning Supervised Unsupervised Reinforcement Learning learning learning Machine is given Machine is Machine is given examples of given data feedbacks correct answers (rewards and to cases penalties) It learns to It learns to It learns by itself answer in a identify how to maximise similar way to patterns its score new cases Giuseppe Contissa – AI and Law Supervised learning The learning algorithm of the system (its trainer), uses the training set to build an algorithmic model: a neural network, a decision tree, a set of rules, etc. The algorithmic model is meant to capture the relevant knowledge originally embedded in the training set, namely the correlations between cases and responses. This model is then used, by a predicting algorithm, to provide hopefully correct responses to new cases, by mimicking the correlations in the training set. If the examples in the training set that come closest to a new case (with regard to relevant features) are linked to a certain answer, the same answer will be proposed for the new case. Giuseppe Contissa – AI and Law Supervised learning Learning Training set algorithm Learned algorithmic model Predicted Features of Predicting target for new case Algorithm new case Giuseppe Contissa – AI and Law Supervised Learning: examples Giuseppe Contissa Giuseppe Contissa – AI and Law Example of supervised learning Predictors Outcome Drug Case Injury Drugs Weapon Prior-record Decision yes no 1 none no no yes yes No Bail Weapon 2 bad yes yes serious no 3 none no yes no yes yes no 4 bad yes no yes no Previous Bail record 5 slight yes yes yes no yes 6 none yes yes serious no no No 7 none no yes yes no Bail Bail The decision tree captures the information in the training set through a combination of tests, to be performed sequentially. The first test concerns whether the defendant was involved in a drug related offence. If the answer is positive, we have reached the bottom of the tree with the conclusion that bail is denied. If the answer is negative, we move to the second test, on whether the defendant used a weapon, and so on. Notice that the decision tree does not include information concerning the kind of injury, since all outcomes can be explained without reference to that information. This shows how the system‘s model does not merely replicate the training set; it involves generalisation: it assumes that certain combination of predictors are sufficient to determine the outcomes, other predictors being irrelevant. Giuseppe Contissa – AI and Law Example of supervised learning Predictors Outcome Drug Case Injury Drugs Weapon Prior-record Decision yes no 1 none no no yes yes No Bail Weapon 2 bad yes yes serious no 3 none no yes no yes yes no 4 bad yes no yes no Previous Bail record 5 slight yes yes yes no yes 6 none yes yes serious no no No 7 none no yes yes no Bail Bail The table is the training set. The software that constructs the decision tree, is the learning algorithm. The decision tree itself, is the algorithmic model, which codes the logic of the human decisions in the training set. In this example, the decision tree reflects the attitudes of the decision makers whose decisions are in the training set: it reproduces their virtues and biases. The software that processes new cases, using the decision tree, and makes predictions based on their features of such cases, is the predicting algorithm. Giuseppe Contissa – AI and Law Another example of supervised learning In this case too, the learning algorithm, as applied to this very small set of past decisions, delivers questionable generalisation, such as the prediction that young age would always lead to a rejection of the loan applications and that middle age would always lead to acceptance. Usually, in order to give reliable prediction, a training set must include a vast number of examples, each described through a large set of predictors. Giuseppe Contissa – AI and Law Reinforcement learning Reinforcement learning is similar to supervised learning, as both involve training by way of examples. However, in the case of reinforcement learning the systems learns from the outcomes of its own action, namely, through the rewards or penalties (e.g., points gained or lost) that are linked to the outcomes of such actions. For instance, in case of a system learning how to play a game, rewards may be linked to victories and penalties to defeats; in a system learning to make investments, rewards may be linked to financial gains and penalties to losses; in a system learning to target ads effectively, rewards may be linked to users’ clicks, etc. In all these cases, the system observes the outcomes of its actions, and it self-administers the corresponding rewards or penalties. Being geared towards maximising its score (its utility), the system will learn to achieve outcomes leading to rewards (victories, gains, clicks), and to prevent outcomes leading to penalties. With regard to reinforcement learning too, we can distinguish the learner (the algorithm that learns how to act successfully, based on the outcomes of previous actions by the system) and the learned model (the output of the learner, which determines the system’s new actions). Giuseppe Contissa – AI and Law Reinforcement learning 66 Giuseppe Contissa – AI and Law Reinforcement learning: example Giuseppe Contissa Giuseppe Contissa – AI and Law Unsupervised learning In unsupervised learning, finally, AI systems learn directly from the data by searching for patterns and regularities, thus without receiving external instructions, either in advance or as feedback, about what is right or wrong. The techniques for unsupervised learning are used in particular, for clustering, i.e., for grouping the set of items that present relevant similarities or connections (e.g., documents that pertain to the same topic, people sharing relevant characteristics, or terms playing the same conceptual roles in texts). For instance, in a set of cases concerning bail or parole, we may observe that injuries are usually connected with drugs (not with weapons as expected), or that people having prior record are those who are related to weapon. These clusters might turn out to be informative to ground bail or parole policies. Giuseppe Contissa – AI and Law Unsupervised learning: examples Giuseppe Contissa Giuseppe Contissa – AI and Law Learned Models and Neural networks Many techniques have been deployed in machine learning: decision trees, statistical regression, support vector machine, evolutionary algorithms, methods for reinforcement learning, etc. Recently, deep learning based on many-layered neural networks has been very successfully deployed especially, but not exclusively, where patterns have to be recognised and linked to classifications and decisions (e.g., in detecting objects in images, recognising sounds and their sources, making medical diagnosis, translating texts, choosing strategies in games, etc.) Neural networks are composed of a set of nodes, called neurons, arranged in multiple layers and connected by links. They are so-called, since they reproduce some aspects of the human nervous system, which indeed consists of interconnected specialised cells, the biological neurons, which receive and transmit information. Neural networks were indeed developed under the assumption that artificial intelligence could be achieved by reproducing the human brain, rather than by modelling human reasoning, i.e., that artificial reasoning would naturally emerge out of an artificial brain (though we may wonder to what extent artificial neural networks and human brains really share the similar structures and processes Giuseppe Contissa – AI and Law Decision trees Predictors Outcome Drug Case Injury Drugs Weapon Prior-record Decision yes no 1 none no no yes yes No Bail Weapon 2 bad yes yes serious no 3 none no yes no yes yes no 4 bad yes no yes no Previous Bail record 5 slight yes yes yes no Giuseppe Contissa yes 6 none yes yes serious no no No 7 none no yes yes no Bail Bail The decision tree is an algorithmic model, which codes the logic of the human decisions in the training set. The decision tree reflects the attitudes of the decision makers whose decisions are in the training set: it reproduces their virtues and biases. The software that processes new cases, using the decision tree, and makes predictions based on their features of such cases, is the predicting algorithm. Notice that in the example, the decision tree does not include information concerning the kind of injury, since all outcomes can be explained without reference to that information. This shows how the system‘s model does not merely replicate the training set; it involves generalisation: it assumes that certain combination of predictors are sufficient to determine the outcomes, other predictors being irrelevant Giuseppe Contissa – AI and Law Support Vector Machines (SVMs) N Lots Size Income 1 30 mq 4000/M 2 23 mq 1200/M 3 22 mq 1000/M 3 40 mq 4000/M Giuseppe Contissa 4 23 mq 3000/M 5 10 mq 1400/M N … … Giuseppe Contissa – AI and Law Neural networks Neural networks are simplified models of the brain composed of large numbers of nodes (artificial neurons) and synapses that link one neuron to another. Each link has a weight that measure the strength of connection between the nodes. Each neuron has it owns algorithm (it reacts with a specific output to a specific input). Giuseppe Contissa – AI and Law Neural network: how it works Each neuron receives signals in the form of numbers from the connected neurons or external neurons, and these signals are amplified or diminished as they pass through the input connections, depending on the weights of these connections. The neuron applies certain calculations to the input it receives and, if the result reaches the neuron's threshold, the neuron is activated by sending Giuseppe Contissa signals to the connected neurons or outside the network. The activation starts from the nodes that receive the external input and spreads through the network. "" ! = !! "! ! # ! = ! "" ! ! "! ! #!" #!" "! Giuseppe Contissa – AI and Law Training a neural network The training of the network is done by telling the network whether the responses (provided by the output neurons) are right or wrong. If a network response is wrong, the learning algorithm propagates the error backwards in the network (back Giuseppe Contissa propagation), so that the next time that specific neuron in the network is presented with that input, it will give the correct response. Thus, the learning algorithm modifies the network until it reaches the desired performance level. The learned model will be represented by the network and its connections in its final configuration. Giuseppe Contissa – AI and Law Artificial Neuron Input (external or from other Output (external neurons) or to other neurons) Giuseppe Contissa Threshold = 15 Giuseppe Contissa – AI and Law Neural network: structure Output unit Giuseppe Contissa Hidden unit Input unit Giuseppe Contissa – AI and Law Deep learning: networks with multiple layers and kind of links Giuseppe Contissa – AI and Law Neural networks - training set A network can be taught how to recognise characters, by training it An algorithm determines the extent to which each node contributes to a mistake in response to a certain input, and fixes the weights of the connections, so that the next time the network will provide the correct answer to the same input Giuseppe Contissa – AI and Law Deep Learning Giuseppe Contissa – AI and Law ML and Explainability: the «black box» problem A neural network, especially a deep neural network, is capable of performing a lot of calculations on data, at multiple levels, and is therefore efficient, but does not provide meaningful explanations for its results. That is, it is possible to determine how a certain output resulted from the activation of Giuseppe Contissa the network and how this activation, in response to a given input, was determined by the connections between the neurons (and the weights assigned to these connections as a result of training the network) and the mathematical functions governing each neuron. However, this information does not show any meaningful logic for humans: it does not tell us why a certain response was given 'black box' problem Giuseppe Contissa – AI and Law The «black box» Giuseppe Contissa Giuseppe Contissa – AI and Law Large Language Models Giuseppe Contissa Giuseppe Contissa – AI and Law Large Language Models They are very3 large neural networks GPT4: trillions of parameters (links in the network), vast training data process language taking into account the context of words in the long term (transformers) integrate prompts (contexts) with relevant text (but also images) Giuseppe Contissa extremely powerful autocomplete functions (what is the most probable word after...) surprising performance (and strange errors, «allucinations») based on training (stochastic parrot) What they do: They generate all kinds of text (translations, summaries, new documents) They generate computer programmes They answer queries Giuseppe Contissa – AI and Law Giuseppe Contissa Giuseppe Contissa – AI and Law Generative AI StableDiffusion (images) Tabnine (Code) Dall-E / OpenAI (images) Fliki (video) Llama / Meta (text) Giuseppe Contissa – AI and Law AI, ML and the law In recent years, a new area of research has emerged, which addresses legal issues using data analysis techniques and machine learning applied to large legal databases. Legal documents (e.g., laws, judgments, cases, contracts) contain a wealth of knowledge that would benefit from the use of automatic Giuseppe Contissa processing tools. Furthermore, the use of data can contribute to the development and training of systems capable of making determinations autonomously and intelligently (tasks that could be performed by lawyers). Giuseppe Contissa – AI and Law Claudette project Machine learning applied to contracts and privacy policies, for identifying potentially unfair and illegal clauses. A training set corresponding to 100 contracts from Giuseppe Contissa platforms where legal experts have manually annotated recurring potentially unfair clauses (e.g., unilateral resolution, choice of applicable law, limitation of liability) The task is to automatically identify the clause and classify it as fair, unfair, or potentially unfair. Various machine learning and natural language processing (NLP) techniques, such as bag-of-words and support vector machines, are used. Giuseppe Contissa – AI and Law Claudette project Giuseppe Contissa Giuseppe Contissa – AI and Law Claudette.eui.eu Giuseppe Contissa Giuseppe Contissa – AI and Law Predictive Justice Research area that develops systems capable of predicting relevant aspects of legal decisions (e.g., the outcome of future cases, the most relevant rules, the most recurring arguments, etc.). Giuseppe Contissa Predictions can: Relate to present or past events Be based on legal or extra-legal grounds Be based on texts or on case factors, manually annotated or automatically extracted There is a “black box” problem: how to explain judicial predictions in a way that can be useful to judges? Giuseppe Contissa – AI and Law Adele Project Using AI to extract legal knowledge from court cases and predict the outcome of decisions citation extraction, identification of arguments used by judges, and outcome prediction About 250 cases have been manually analyzed Giuseppe Contissa and annotated (e.g., the questions, the reasons, the arguments and their types, the outcome) Various machine learning techniques such as SVM and neural networks have been used. The platform is available online at https://adele- tool.eu Giuseppe Contissa – AI and Law PRO.DI.GI.T Large-scale language models have been applied to tax law decisions to extract abstracts (an activity similar to maximization), keywords, and to automatically index new rulings, through the use Giuseppe Contissa of prompts. Giuseppe Contissa – AI and Law Privacy and data protection: the GDPR The origins of the right to privacy The right to privacy originated in the late 1800s in the US. It is first mentioned in the article ‘The Right to Privacy’ published in 1890 in the Harvard Law Review by Samuel D. Warren and Louis Brandeis. It emerges as a right to confidentiality It has predominantly a negative meaning: the right to exclude the interference of external subjects in one’s private sphere Famously referred to as “the right to be let alone” The evolution of the right to privacy In Europe, the concept of privacy was first represented in the early 1900s in France in an article in a civil law journal, 'Des Droits de la personnalitè' by J.A. Perrau. While the American concept of privacy originated from a need for interpersonal security between citizens linked to the right to property, the European concept of personal data protection emerged as a way to limit interference of public powers in private citizens’ lives. European Convention on Human Rights (1950) Article 8. Right to privacy 1. Everyone has the right to respect for his private and family life, his home and his correspondence. 2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others. The new concept of data protection Since the 1970s, alongside the notion of privacy as confidentiality, the notion of privacy as protection of personal data has gained ground, and in parallel, the right to protection of personal data has been acknowledged. This right consists of the right of each individual to control the processing and circulation of information concerning his or her person. Therefore, whereas privacy was thought of as an 'exclusionary right', personal data protection puts the person at the centre with regard to his or her data because these constitute his or her identity. The right to privacy becomes the individual's right to informational self-determination. Personal data protection Fundamental concepts of this new understanding are the information/awareness of the individual concerned regarding the processing of his or her personal data by third parties and the capacity to control such processing, i.e. the possibility of excluding or selectively authorising third parties to such processing. A key instrument is individual's consent, seen as the most prominent pre-requisite for a lawful processing of personal data. Data Protection Directive 1995/46 Charter of Fundamental Rights of EU (2000) Article 7. Respect for private and family life Everyone has the right to respect for his or her private and family life, home and communications. Article 8. Protection of personal data 1. Everyone has the right to the protection of personal data concerning him or her. 2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified. 3. Compliance with these rules shall be subject to control by an independent authority. The General Data Protection Regulation Italian privacy law L. 31 December 1996, n. 675 (Tutela delle persone e di altri soggetti rispetto al trattamento dei dati personali), national transposition of Directive 95/46/EC D.Lgs. 30 June 2003, n. 196 (Privacy law code), need to reorganise general and specific data protection law Regulation EU 2016/679, entered into force on May 24, 2018 (directly applicable) D.Lgs. 10 August 2018, n. 101 (needed to adapt Italian Privacy Code’s to the Regulation) Subject matter and objectives (art. 1) 1. This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data. 2. This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data. 3. The free movement of personal data within the Union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data. Protection of personal data Freedom of data circulation of natural persons vs (linked to freedom of economic initiative at EU level) Other fundamental rights (freedom of information, non-discrimination, etc.) Material scope (art. 2) 1. This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system. It does not apply to: Processing by a natural person in the course of a purely personal or household activity; Processing by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security (Directive 2016/670) Territorial scope (art. 3) 1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not. 2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union. Personal data definition Art. 4(1) GDPR ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; Identifiability test Recital 26 […] To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as: the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments. Anonymisation v. Pseudonymisation Processing Art. 4(2) GDPR ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; Subjects Data subject: natural person whose processed data refers to Data controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data Data processor: natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller; Principles relating to processing of personal data (art. 5) 1. Personal data shall be: (a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’); (b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’); (c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’); (d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’); (e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’); (f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’). 2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’). Lawfulness of processing (art. 6) 1. Processing shall be lawful only if and to the extent that at least one of the following applies: (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes; (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; (c) processing is necessary for compliance with a legal obligation to which the controller is subject; (d) processing is necessary in order to protect the vital interests of the data subject or of another natural person; (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. Consent Free: the person concerned has an effective choice; it may be lacking if the data subject cannot choose, is obliged to consent, or will suffer negative consequences if does not consent Specific: refers to the principle of purpose limitation; consent must be specific to each purpose, i.e. the subject must be able to consent or not to each purpose individually; it may cover separate processing if it has the same purpose Informed: refers to the principle of transparency and the right to information (Art. 13-14); the essential elements must be known (identity of the data controller, purposes, categories of data, exercise of rights, possible automated decision-making process and transfers) Affirmative: it must be obvious that the data subject has consented to the particular processing; a written or oral statement or otherwise positive action is required Consent in practice The limits of consent In online contexts, there are many indications to doubt the validity of consent Consent is often not free: consent is tied to obtaining the service even when the processing is not necessary for its provision, or is influenced by the website interface Consent is often not specific: we cannot provide consent for some processing and refuse it for others; we have to provide 'packaged' consent Consent is often poorly informed: we provide consent without reading and understanding the privacy policy; moreover, the information is provided in a vague and ambiguous way; we do not know who are the subjects who can process our data Consent is often not unambiguous: it is given by clicking on a banner or ticking a box, perhaps along with the terms of service, without any certainty that this action represents an actual choice by the user It is often difficult to revoke consent: certainly more difficult than providing it Special categories of data (art. 9) 1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited. 2. Paragraph 1 shall not apply if one of the following applies: (a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject; Rights of the data subjects Right to be informed (artt. 13-14) Right of access (art. 15) Right of rectification (art. 16) Right of erasure (right to be forgotten) (art. 17) Right to restriction of processing (art. 18) Right to data portability (art. 20) Right to object (art. 21) Automated individual decision-making, including profiling (art. 22) Right to be informed (art. 13-14) Implementation of the principles of transparency and fairness At the time the data are obtained (privacy policy) or within a reasonable time if collected from third parties Information to be provided in a clear and transparent manner: The identity and contact details of the data controller, and where present, the data processor The contact details of the DPO The purpose of the processing and its legal basis The legitimate interests pursued by the controller (when letter f) Possible recipients or categories of recipients The existence of an automated decision-making process and significant information on the logic used, as well as the consequences expected... Right of access (art. 15) Right to obtain from the data controller confirmation as to whether or not personal data relating to the data subject are being processed In the affirmative to obtain access, with reference to particular information Functional to the exercise of all control rights (rectification, erasure, object) What you can know à Purposes of the processing, Categories of personal data subject to the processing, Recipients or categories of recipients, Retention period of the data or criteria for determining it; Existence of any rights, including the right to lodge a complaint; Origin of the data; If there is an automated decision-making process including profiling, the logic used and the consequences envisaged by this processing Right to erasure (art. 17) 1. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies: (a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; (b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing; (c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2); (d) the personal data have been unlawfully processed; (e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject; (f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1). 2. Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data. Exceptions 3. Paragraphs 1 and 2 shall not apply to the extent that processing is necessary: (a) for exercising the right of freedom of expression and information; (b) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; (c) for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3); (d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or (e) for the establishment, exercise or defence of legal claims. Google Spain With Google Spain decision of 13 May 2014, the Court of Justice of the EU establishes that there is a right to erasure: with respect to the search engine operator even in the case of originally lawful processing when considering the rights and interests at stake the information is no longer necessary in relation to the purposes for which it was originally collected There is a right to de-listing vis-à-vis the search engine Right to data portability (art. 20) The right to obtain a copy of the data undergoing processing in a structured, commonly used and machine-readable format, and to be able to transfer them to another data controller without hindrance The right to obtain the direct transmission of personal data from one controller to another, if technically feasibleNew right, not present in the Code Right to object (art. 21) The right to object at any time, on grounds relating to his or her particular situation, to the processing of personal data concerning him or her Applies only in the case of processing based on the performance of a task carried out in the public interest (subpara. e) and on legitimate interests (subpara. f) Different from right to erasure: operates only in certain cases, but special interests of the subject are sufficient; if anything, consequential (first opposition, then erasure) Automated individual decision- making, including profiling (art. 22) 1. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. Profiling Article 4, n. 4 ‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements; Exceptions and safeguards 2. Paragraph 1 shall not apply if the decision: (a) is necessary for entering into, or performance of, a contract between the data subject and a data controller; (b) is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or (c) is based on the data subject's explicit consent. 3. In the cases referred to in points (a) and (c) of paragraph 2, the data controller shall implement suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision. Is there a right of an explanation? Art. 13(2)(f): the controller must inform the data subject of the existence of an automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject. General ex ante explanation on the functioning of the automated decision-making system Recital 71: «In any case, such processing should be subject to suitable safeguards, which should include specific information to the data subject and the right to obtain human intervention, to express his or her point of view, to obtain an explanation of the decision reached after such assessment and to challenge the decision." Ex post explanation of the individual decision made through an automated system Accountability Art. 5, c. 2 2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’). Art. 24, c.1 Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary. The GDPR ‘new philosophy’ Complexity and variety of processing, difficulty in defining ex ante measures valid for all The data controller is the most competent person to establish how to assess risk and prevent harm. No longer detailed prescriptions, empowerment and proactivity of the controller, commitment to compliance The role of the Authority is no longer preventive but subsequent (supervisory authority): the notification of processing and prior checking are no longer the rule Within a regulatory framework that defines the measure of accountability (i.e. the risk) and the related instruments (instruments of accountability) The data controller becomes the first outpost of protection of the fundamental right to data protection Data protection by design and by default (Art. 25) 1. Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects. 2. The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons. Accountability obligations Depending on the identity of the data controller, the circumstances of the processing, and the risk involved, there may be some possible obligations. These are: The notification of the data breach (art. 33-34) The data protection impact assessment (DPIA) (art. 35) Prior checking (art. 36) The designation of the DPO (art. 37-39) Supervisory authority (art. 51) Each EU state appoints a supervisory authority. In federal states (such as Germany and Spain), each territory additionally has its own Authority These are independent public authorities in charge of overseeing the application of the GDPR in order to: protect the fundamental rights and freedoms of natural persons with regard to processing and to facilitate the free movement of personal data in the EU Data Protection Supervisory Authorities are the only independent authorities provided for by the European Treaties European Data Protection Board Composed of a 'top officer' from each Member State's authority and the EDPS Extremely important tasks: Advice to the Commission, guidelines, recommendations and best practices on GDPR implementation, accreditation certification bodies, opinion in adequacy decisions As a general rule, decides by simple majority of members Other relevant provisions CHAPTER V - Transfers of personal data to third countries or international organisations CHAPTER VII - Cooperation and consistency CHAPTER VIII - Remedies, liability and sanctions CHAPTER IX - Provisions relating to specific processing situations Internet, the Web and the Semantic Web Giuseppe Contissa What is Internet (1) Network: physical links (optical fibres, telephone lines, radio bridges, Wi-Fi, satellite links), carrying data codified as bit(s) Computers governing the transmission of information on physical links. Such computers are special machine dedicated to such task, and they address messages and supervise the work of other machines on the network Shared protocols and standards that mandate how to organise data in order to transfer them on the network, and how computer systems should interact on the network Network software applications. They manage and process data on the network, according to shared protocols and standards. What is Internet (2) All the computers connected to the network, from the mega- computers to the smartphones. They are connected by means of a network connection (cables, radio, satellite, etc.) Virtual entities in the network: web sites, services, games, virtual environments and objects populating them. They are the result of computing processes carried out by computers connected to the network (with the contribution of humans using the network interactively ) Persons and organisations making use of computers in the network Institutions in charge of managing and developing Internet. They govern the network, define the protocols and architectures, assign addresses and ensure the necessary coordination Internet nature Pervasive (fusion of real and virtual) Globalized (and globalizer) Active (Generative) J.C.R. Licklider In 2000, billions of users will use the “Galactic Network” to share information History of Internet 1962 Licklider was the first head of the computer research program at the U.S. Advanced Research Projects Agency (ARPA) 1968 Development of ARPANET, the first packet switching network 1969 first message on the ARPANET was sent from UCLA to Stanford. The message text was the word login; the l and the o letters were transmitted, but the system then crashed. Birth of the Internet ARPANET: the network Packets Data to be transmitted Packet switching vs. Circuit switching Packets and protocols Information is split and transmitted in packets (datagram). Packets are built according to shared protocols Arpa Network, 1973 History of Internet (1970-1990) 1970s expansion of ARPANET (40 nodes). Definition of TCP-IP protocols. 1980s ARPANET switches to using TCP/IP (1983) Internet becomes an open network (network of networks) Military network is split from the Internet Development of an high-speed backbone for NSFNET. Several public and private network are interconnected to NSFNET Many networks based on TCP-IP are developed around the world, and interconnected to Internet 1990s Internet becomes a global network Network of networks ISP= Internet Service Provider (e.g. vodafone, infostrada, TelecomItalia, etc. Internet Backbones ? TCP-IP Suite including 2 main protocols: TCP (Transmission Control Protocol), regulating exchange (transmission and reception) of packets, and IP (Internet Protocol), which regulate the addressing of packets in the network TCP-IP: encapsulation The message consists of a set of encapsulated envelops (or layers) External envelops are abstracted from their underlying envelops’ content In particular, in order to send to the right destination a message, it is sufficient to read the address on the IP envelope, without inspecting the content Internet Model: transmission and reception Transmitting Receiving data data TCP-IP: layers and encapsulation User Data Application User Data Application Layer Header Application TCP Header User Data Transport Layer Header Application IP Header TCP Header User Data Network Layer Header Data Link Application Data Link IP Header TCP Header User Data Data Link Layer Header Header Footer Net-Neutrality Internet is neutral with respect to contents transmitted over the network: – Every content is treated equally (no discrimination, charging differentially or priorities by user, content, site, platform, type of application, mode of communication) – No need to inspect the content of any packet. Consequences: – Is it a protection for freedom and innovation? – Is it a limit for private investment on infrastructures? – Is it a limit to competition? https://obamawhitehouse.archives.gov/node/323681 http://nytimes.com/video/technology/100000002881329/how-net- neutrality-works.html https://www.fcc.gov/document/chairman-pai-proposes-restore-internet- freedom EU rules on net neutrality (open internet): Regulation (EU) 2015/2120 Proxy servers They are remote servers, usually public, that stand between our device (e.g., computer, smartphone) and the server that offers certain network resources The server does not see our IP address but that of the proxy server we have decided to use. May be used to bypass the limitations of geo- blocking or accessing restricted information VPNs VPNs create a virtual private network over the Internet between all the devices that use it. They use security techniques on content, e.g., encryption Used to Access geographically blocked content, to protect one's connection on unsecured public Wi- Fi networks, or to maintain anonymity while browsing online Internet regulation Regulation of cyberspace (Lessig 1998,2006): Law Social Norms Market “Code” Internet standards Internet is based on many common standards (TCP and IP are mong them). The Internet Standards Process: https://www.ietf.org/rfc/rfc2026.txt is the main document specifying procedures for the adoption of an Internet standard 3 Phases: 1. Preparatory phase, including various steps in which differen draft versions of the standards are submitted and discussed by the competent committe. The documents produced are the requests for comments. 2. Adoption of the standard by the competent body/organisation 3. Publication of the standard. The adoption is not mandatory, but the network effects usually applies. IP Address The IP address identify every computer in the network IP address (32-digit binary number) Decimal representation with dots dividing 4 numbers Domain names IP addresses are translated in Domain Names www www Fully qualified domain name www www DNS (Domain Name System) Identification on the net: Server Logs A server log is a log file (or several files) automatically created and maintained by a server of activity performed on it. In particular, a web server log records IP addresses of computers connecting to the server, access time, history of page requests, web browser used for the access: 66.249.65.107 - - [08/Oct/2007:04:54:20 -0400] “GET /support.html HTTP/ 1.1” 200 11179 “-” “Mozilla/5.0 (compatible; Googlebot/2.1; +http:// www.google.com/bot.html)” 111.111.111.111 - - [08/Oct/2007:11:17:55 -0400] “GET /style.css HTTP/1.1” 200 3225 “http://www.loganalyzer.net/” “Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.1.7) Geckø20070914 Firefox/2.0.0.7” Does it contain personal data? In particular, is the IP a personal data? Is the IP address a personal data? The past: Google: No! http://googlepublicpolicy.blogspot.it/2008/02/are-ip-addresses- personal.html ECJ: Yes! http://curia.europa.eu/juris/document/document.jsf?text=&docid=11 5202&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&c id=363815 The present: The General Data Protection Regulation (Regulation (EU) 2016/679): according to Art. 4(1), “online identifier” is included in the definition of “personal data”, while according to Recital 30, “online identifiers” include IP addresses. Identification: Cookies Set of data sent by the server and stored (by the browser) in a local file in the user’s computer. HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html Set-Cookie: PREF=ID=5e66ffd215b4c5e6: TM=1147099841:LM=1147099841:S=Of69M pWBs23xeSv0; expires=Sun, 17-Jan- 2038 19:14:07 GMT; path=/; domain=.google.com Types of cookies 1. Technical cookies used exclusively with a view to carrying out the transmission of a communication on an electronic communications network, or insofar as this is strictly necessary [for providing the service]. They include: session cookies, analytical cookies, functional cookies. no prior consent, but information should be given 2. Profiling Cookies aimed at creating user profiles. They are used to send ads messages in line with the preferences shown by the user during navigation. In the light of the highly invasive nature of these cookies vis-à-vis users' private sphere, Italian and European legislation requires users to be informed appropriately on their use so as to give their valid consent. Cookies: the banner a suitably sized banner is to be displayed on screen immediately a user accesses the home page or any other page of a website, and that such banner is to contain the information listed below: a. That the website uses profiling cookies to send advertising messages in line with the user's online navigation preferences; b. That the website allows sending third-party cookies as well (of course, if this is actually the case); c. A clickable link to the extended information notice, where additional information must be available on the following: i. Use of technical and analytics cookies; ii. Tools available to select the cookies to be enabled; iii. Possibility for the user to configure browser settings as a further mechanism to select the preferred use of cookies by the website, including at least a reference to the procedure to be followed to configure those settings; d. That on the extended information notice page the user may refuse to consent to the installation of whatever cookies; e. That if the user continues browsing by accessing any other section or selecting any item on the website (e.g. by clicking a picture or a link), he or she signifies his or her consent to the use of cookies; The WWW (world wide web) Tim Berners-Lee, a British computer scientist invented the Web on On March 12, 1989 while working at CERN Web standards The web is based on 3 main standards: 1. URL (Uniform Resource Locator), a charachter string that identifies an object on the web, and how to access it: http://en.example.org/test.txt 2. HTML (Hypertext markup language) 3. HTTP (HyperText Transfer Protocol), is an application protocol regulating the interaction between the client computer (requiring the access to a specific web page) and the computer server (providing such pages) Global Hypertext Hypertext is structured text that uses logical links (hyperlinks) between nodes containing text. It allows the user to access documents and browse between the displayed documents and other documents, by means of hyperlinks. Hyperlinks may create legal issues: Deep linking, Framing The «hidden» webs Internet governance Internet development Name and numbers W3C standards Web 2.0 and peer production What is the Web 2.0? Participative web User-generated content social networks User-generated content Peer production Peer production of information content A new model of production and social interaction, favouring cooperating activities which “…are not built around the asymmetric exclusion typical of property […] the inputs and outputs of the process are shared […] in an institutional form that leaves them equally available for all to use as they choose at their individual discretion” Benkler, The Wealth of Networks: How Social Production Transforms Markets and Freedoms Peer production “In the networked information economy, the physical capital required for production is broadly distributed throughout society. Personal computers and network connections are ubiquitous […] whenever someone [...]wants to make something that requires human creativity, a computer, and a network connection, he or she can do so; alone, or in cooperation with others […] Individuals, who interact with each other socially […] these nonmarket collaborations can be better at motivating effort and can allow creative people to work on information projects more efficiently than would traditional market mechanisms and corporations. The result is a flourishing nonmarket sector of information, knowledge, and cultural production, based in the networked environment, and applied to anything that the many individuals connected to it can imagine. Its outputs, in turn, are not treated as exclusive property. They are instead subject to an increasingly robust ethic of open sharing, open for all others to build on, extend, and make their own” Benkler, The Wealth of Networks: How Social Production Transforms Markets and Freedoms Peer production - Examples Open source software But the examples go beyond software, to cover other kinds of content (music, video, multimedia, etc..) Other Examples? Creative works – sharing and use Public and legal debate concerning how to regulate production and use of protected works: videos, music, literary works, etc. Digital formats allow for easy duplication and distribution of content EU/US legal systems (and Italian legal system) introduced a stricter legislation, aimed at preventing unauthorised/unlawful uses of digital works Creative works – sanctions illegal download of protected works – Administrative sanction: fine of 154 euro (art 174-ter LDA) illegal upload, in any form and for any purpose, without the aim of making a profit – Criminal sanction: penalty between 51 and 2.065 euro (art 171 (1) a-bis) illegal upload, with the aim of making a profit – Criminal sanction: 1-4 years Imprisonment + penalty between 2.582 and 15.493 euro (art. 171-ter (2) a-bis) The profit may consist in a price asked for the download, or in the advertising revenue of the website providing the protected content and/or instructions for obtaining it Creative Commons A new licensing model, developed in the US by several scholars and experts, among them in particular Lessig. Easy and flexible system of licenses, with the aim of making works easily accessible. In all the CC licenses, the author always (at least) authorizes users (licensees) to reproduce and distribute the work for non-commercial purposes, and requires users to give attribution, that is that they give the author the credits for the work The author may also authorize derivative works, commercial uses, and require the users to distribute derivative works only under the same license (share-alike clause) 6 main licenses (+ “public domain” license) www.creativecommons.org Lawrence Lessig. Prof. Of Law at Harvard Law School. Former Prof. at Stanford Law School Creative Commons: Licenses https://en.wikipedia.org/wiki/Creative_Commons_license The law of Internet intermediaries From the eCommerce Directive to the DMA/DSA Giuseppe Contissa Federico Galli Marco Billi From the 2000s to today Information dissemination on the Internet Source: prof.dr. Žiga Turk, https://www.europarl.europa.e ? u/cmsdata/140221/PPT%20Tur k%20fake%20news.pdf (modified by the author) Unlawful content and activities on the Internet Privacy and reputation Copyright infringements Cyberbullying and revenge porn Violence, racism, terrorism, hate speech Disinformation and fake news «Fake news» Only 10% of high-quality news comes from social media 40% of creators/readers of 'fake Come si sono informati gli utenti dei social nel 2016 in news' inform themselves on US social media Quid iuris? The direct liability (civil or criminal) of the user for unlawful content (e.g. copyright infringement, offensive content, incitement to commit offences, etc.) The indirect/secondary liability of the Internet service provider for published content or illegal activities carried out by users, recipients of the intermediary service In the next slides we will look at the second case What is the role of the intermediary? Regulatory options for intermediaries enabling third-party content/activities: Immunity from sanctions and injunctions Immunity from sanctions, subjection to injunctions Liability for negligence (civil liability) Strict liability Key issues What is the control on information flows? What should be the control on information flows (unlimited freedom of speech vs. censhorship) Why a liability? Ensuring that people harmed by unlawful conduct can be compensated. Otherwise, users may find it difficult to obtain compensation from the infringer (anonymous users, unreachable, insolvent, viral content – are we all liable?) It could induce the platform to stop or mitigate the consequences of unlawful behaviours (e.g., by removing unlawful content or blocking access) It could even incentivise the platform to prevent unlawful behaviour (e.g. by excluding certain individuals from the platform implementing security measures). Why an immunity? Enabling the Internet economy to endure and grow → responsibility means cost! To preserve current business models, especially those that are free and would otherwise not be able to pay sanctions To protect fundamental freedoms on the Internet, freedom of expression, association, economic initiative, political participation, etc. Collateral censorship: problem or opportunity? The regulation of providers induces providers to regulate their users To avoid sanctions, or obtain benefits, providers may block, censor, or otherwise control the speech of users. Their control (censorship) may prevent illegal or harmful activity, but also limit legitimate expression without adversarial and public control. Eg: Search engines implementing the right to be forgotten; the EU Code of Conduct on Illegal Online Hate Speech, etc. Internet intermediaries law in the US Back to the 90’s. Communication Decency Act (CDA), 1996, Section 230 for all violations, except Federal crimes and Intellectual property Digital Millennium Copyright Act (DMCA / OCILLA) 1998 infringements of copyright Communication Decency Act (CDA) Interactive computer service providers are not liable for information provided by another content provider (s.c. «safe harbour») Keep their immunity when acting in good faith to restrict access to objectionable materials (s.c. «good Samaritan clause») Application: Full immunity from liabilities and injunctions Limited exceptions (e.g. for revenge porn and discrimination) Digital Millennium Copyright Act Provider processing infringing content not liable if Has no actual knowledge that the material is infringing Does not receive a financial benefit from infringing activity Upon notification of alleged infringement expeditiously remove content or block access to it (notice and take down procedure) Notice and Take Down Stages of the procedure: The alleged right holder notifies the provider of the infringement The provider blocks access and forwards the notification to the user (uploader) If the user sends a counter-notification, the provider informs the right holder If the right holder does not initiate the lawsuit, the provider enables access again Provider's neutral role? The law on intermediary in EU E-Commerce directive (2000/31/CE), Art. 12-16. In Italy: d.lgs. 70/2003, art. 14-18 Scope defined by 3 categories of «internet service provider» (ISP): Art. 12, Mere conduit: The transmission in a communication network of information provided by a recipient of the service, or the provision of access to a communication network Art. 13, Caching: the transmission in a communication network of information provided by a recipient of the service, where the service provider makes an automatic, intermediate and temporary storage of that information, performed for the sole purpose of making a more efficient transmission Art. 14, Hosting: the storage of information provided by a recipient of the service → Mere conduit,caching and hosting ISPs are intermediaries, in the sense that they do not directly produce the content to be transmitted, instead they make available to user the content provided by a third party Mere conduit and Caching Mere Conduit (art. 12) Is not liable when: (a) does not initiate the transmission; (b) does not select the receiver of the transmission; and (c) does not select or modify the information contained in the transmission. Caching (art. 13) Is not liable when: (a) the provider does not modify the information; (b) the provider complies with conditions on access to the information; (c) the provider complies with rules regarding the updating of the information, specified in a manner widely recognised and used by industry; (d) the provider does not interfere with the lawful use of technology, widely recognised and used by industry, to obtain data on the use of the information; and (e) the provider acts expeditiously to remove or to disable access to the information it has stored upon obtaining actual knowledge of the fact that the information at the initial source of the transmission has been removed from the network, or access to it has been disabled, or that a court or an administrative authority has ordered such removal or disablement. Hosting provider (art. 14) “[…] is not liable for the information stored at the request of a recipient of the service, on condition that: (a) the provider does not have actual knowledge of illegal activity or information and, as regards claims for damages, is not aware of facts or circumstances from which the illegal activity or information is apparent; or (b) the provider, upon obtaining such knowledge or awareness, acts expeditiously to remove or to disable access to the information. 2. Paragraph 1 shall not apply when the recipient of the service is acting under the authority or the control of the provider. 3. This Article shall not affect the possibility for a court or administrative authority, in accordance with Member States' legal systems, of requiring the service provider to terminate or prevent an infringement, nor does it affect the possibility for Member States of establishing procedures governing the removal or disabling of access to information. Article 15. No general obligation to monitor 1. Member States shall not impose a general obligation on providers, when providing the services covered by Articles 12, 13 and 14, to monitor the information which they transmit or store, nor a general obligation actively to seek facts or circumstances indicating illegal activity. 2. Member States may establish obligations for information society service providers promptly to inform the competent public authorities of alleged illegal activities undertaken or information provided by recipients of their service or obligations to communicate to the competent authorities, at their request, information enabling the identification of recipients of their service with whom they have storage agreements. Open legal issues Are providers liable when they know that the information is on the platform, but they do not know that it is illegal? Definition of «actual knowledge» What in case of doubts about illegality? When does the recipient of the service act under the authority or the control of the provider? E.g. Uber? In EU a clear «notice and take down» procedure (like in the US) is missing → what about adversarial process? Still the right approach? Big intermediaries (Google, Facebook, Amazon) Have huge economic resources Enjoy a dominant position in the market They are the gatekeepers of information and contribute to public debate/opinions The ensure/limit the effective exercise of information rights They have an active role in selecting, personalising and managing content, automatically They possess the automated tools to detect and classify potentially unlawful contents Marketplace of ideas Real or just an Illusion? Freedom of speech in terms of its optimal outcome in the production of truth Complex algorithms categorize our choices and personalize our online environment, which is used to provide news and information Profiling Personal user data is used to create profiles on tastes, opinions, trends. How content is addressed and viewed is influenced by the profile Retoric of relevance vs. interest in attention/behavioural change (economics of attention) Filter bubbles and polarisation People tend to be exposed to content and information that has attracted them or satisfied similar profiles in the past This general reinforcing effect with respect to their own ideas. This is referred to as ‘filter bubbles’. Risk of deteriorating public debate Legislative developments – Towards a new responsability The 2011 Child Abuse Directive contains obligations to remove and block access to websites that contain or disseminate child sexual abuse and child pornography. The 2017 Terrorism Directive contains similar obligations against online public incitement to acts of terrorism. The 2018 Directive revising the Audiovisual Media Services Directive includes new obligations for video-sharing platforms to tackle hate speech and violent content. The 2019 Directive on Copyright in the Digital Single Market establishes that the exemption of liability for hosting providers does not cover the unauthorised communication or making available to the public of material uploaded by their users and sets out obligations for such providers The new Digital Services Act Distinction between providers of hosting services and the subcategory of online platforms Recital 13: Online platforms, such as social networks or online platforms allowing consumers to conclude distance contracts with traders, should be defined as providers of hosting services that not only store information provided by the recipients of the service at their request, but that also disseminate that information to the public at the request of the recipients of the service Recital 14: The concept of ‘dissemination to the public’, as used in this Regulation, should entail the making available of information to a potentially unlimited number of persons The “new” liability regime of ISPs The rules on indirect liability for ISPs (mere conduit, caching, hosting), based on knowledge and activation for subsequent removal of the unlawful activity/content, remain unchanged (Artt. 4-6) The absence of a general obligation to monitor information remains (Art. 8) The so-called 'Good Samaritan clause' is introduced (Art. 7) ISPs are not considered ineligible for exemption from liability merely because they carry out, in good faith and in a diligent manner, voluntary investigations on their own initiative or take other measures to detect, identify and remove illegal content or to disable access to it Content moderation and AI New important rules on content moderation ‘content moderation’ means the activities, whether automated or not, undertaken by providers of intermediary services, that are aimed, in particular, at detecting, identifying and addressing illegal content or information incompatible with their terms and conditions, provided by recipients of the service, including measures taken that affect the availability, visibility, and accessibility of that illegal content or that information, such as demotion, demonetisation, disabling of access to, or removal thereof, or that affect the ability of the recipients of the service to provide that information, such as the termination or suspension of a recipient’s account; ‘illegal content’ means any information that, in itself or in relation to an activity, including the sale of products or the provision of services, is not in compliance with Union law or the law of any Member State which is in compliance with Union law, irrespective of the precise subject matter or nature of that law; New (personalised) due digiligence obligations VLOP and VLOSE designation On April 25, 2023, the Commission designated As VLOP and VLOSE the following: Very Large Online Platforms (VLOP): Alibaba AliExpress,

Artificial Intelligence and Law PDF

Document Details

Tags

Related

Summary

Full Transcript

Upgrade to continue