How to Write a Paper about the Crisis of Democracy?

The cheerful reception of “How to Write a Law and Technology Paper?” convinced me that the format has comic potential. The same disclaimer as before applies here: this post is for laughs. Of course I am worried about the state of democracy. But I am also skeptical of the value of repeating the same diagnosis and analysis over and over again. On a theoretical level, a question is crystallizing in my mind: “what is the value of repeating stuff that everyone in a community already knows?” There must be some; otherwise, why would we keep doing it? One day I will attempt an answer. After a few more “ten steps”, I suppose. Today, however, enjoy the Friday piece of sit-down comedy:

Are you concerned about the course that local and global politics have taken lately? Would you like to be remembered as someone who was not indifferent, who tried to have an impact? Does the prospect of actually going out into the streets to talk to people and maybe help someone strike you as too much movement and effort? If the answer to all these questions is “yes”, you should probably write a paper about the crisis of democracy. A perfect way to feel like you’re doing something good for society, without actually having to do much.

“But I am no political theorist / constitutional lawyer! What do I know?” – is the thought that might pop up in your head, but be sure to disregard it. Unlike with the natural (real) sciences, everyone is an expert on politics, the constitution, and democracy. After a couple of beers, especially. Plus, you can use our instructions: How to write a paper about the crisis of democracy (in ten steps):

  1. Start by saying that in 1989 it seemed to be the end of history. Cite Fukuyama (and call him a “Neo-Con”; mention he seems to have changed his mind; make a little joke about that).
  2. Say that now, however, there are problems all around the world. Be sure to mention Russia, Trump, Turkey, Poland, Brexit, the Philippines, Brazil and Hungary in the same sentence.
  3. Cite some numbers about how inequality is rising and growth is stagnating – whatever, you need numbers (quote Piketty). Say that people nowadays will not be richer than their parents. Call them “losers of globalization”.
  4. Mention China and that maybe actually there is no necessary connection between democracy and market economy. Remind people that Hayek was friends with Pinochet.
  5. Be sure to include that democracy in the West might not be that democratic at all – refer to Citizens United and money in politics in general.
  6. Indicate that the causes are actually even more complicated: economy, culture and ideology all play some role.
  7. Say that we are probably doomed. Add an analogy between today and the 1930s. Then say that we do not really know how it’s gonna go. Say that you predict that democracy will go down, or not, or maybe it will change.
  8. Add a splash of buzzwords here and there: “democratic backsliding”, “populism”, “illiberal”, “losers of globalization”. DO NOT ever explain what you mean by democracy or crisis. You must use the term “rule of law” abundantly, and make sure you conflate it with democracy.
  9. Propose to solve the problem with something that sounds simple but is actually very unclear: education, inclusion, regulation of social media. If you want to call your work “interdisciplinary”, mention blockchain.
  10. Say that of course more research is needed, but you just wanted to “start a debate”, which is very important.

Congratulations! You just landed on the right side of history! If everything indeed goes down, you will be able to demonstrate that you cared. And if not, one of your predictions materialized, and you were part of the movement! Win-win.

Thanks to Nik and Fil for their comments about the “first draft”, haha.

Published: Automatic detection of unfair contract clauses

The paper summarizing our experimental research on the automatic detection of potentially unfair terms of service using machine learning has just been published in the online-first section of the “Artificial Intelligence and Law” journal.

We tagged the terms of service of 50 online services in search of clauses that seem unfair under the European Directive 93/13, and show that the accuracy of the predictor is as high as 93% for some types of clauses, and 78% overall. This could be a first step towards developing tools to empower individual consumers and civil society organizations, as well as public agencies protecting consumer rights.
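If you are curious what such a predictor looks like in practice, here is a minimal sketch of a sentence-level classifier in Python. To be clear, this is not the pipeline from the paper (which experiments with several feature sets and models); it is a common baseline, and the corpus file name and label format are hypothetical.

```python
# Minimal sketch of an unfair-clause detector: bag-of-words features
# plus a linear SVM, a standard baseline for sentence classification.
# NOT the paper's exact pipeline; the input file and labels are hypothetical.
import json

from sklearn.feature_extraction.text import TfidfVectorizer
from sklearn.metrics import classification_report
from sklearn.model_selection import train_test_split
from sklearn.pipeline import make_pipeline
from sklearn.svm import LinearSVC

# Hypothetical input: one JSON object per line, e.g.
# {"sentence": "We may terminate your account at any time.", "unfair": 1}
with open("tagged_tos_sentences.jsonl") as f:
    records = [json.loads(line) for line in f]

sentences = [r["sentence"] for r in records]
labels = [r["unfair"] for r in records]

X_train, X_test, y_train, y_test = train_test_split(
    sentences, labels, test_size=0.2, stratify=labels, random_state=42
)

model = make_pipeline(TfidfVectorizer(ngram_range=(1, 2)), LinearSVC())
model.fit(X_train, y_train)

# Per-class precision/recall/F1 on the held-out sentences.
print(classification_report(y_test, model.predict(X_test)))
```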

If you are interested in our other papers on the matter (explaining the turn towards consumer-empowering AI, and the potential to use the same tech to analyze privacy policies), feel free to check out the project’s website.

How to Write a Law and Technology Paper?

This post is for laughs, a piece of sit-down comedy. Admittedly, it’s making fun of some things I have written in the past. I wrote it a while ago, on a plane from one law & tech conference to another. I wanted to pair it with a serious part: a reflection on what it is that we do, what we should do, what the point is, etc. Somehow, however, I never managed. At the same time, I keep showing this to people on my phone during conferences and they laugh. And laughing is good for you! Hence, I thought I’d share it, so you can smirk, and maybe someone wiser than me will come up with a serious comment on what is behind all this. Ready? Let’s go!

How to write a generic law and technology paper

So, you have given a lecture using the speech generator and now they have asked you to write a paper. Worried? No need! The instructions below will help you develop a state-of-the-art contribution in ten steps.

  1. Start with a story. Write a horrifying/utopian story, a couple of paragraphs long, about how the technology you are talking about will soon completely change the world and undermine one of the legally protected values: property, freedom, equality, transparency, non-discrimination, safety, privacy, anything. Don’t explain what you mean by “technology”, but be sure to mention that it is “disruptive”. If you can find some data (numbers are always impressive), cite it; even better if you can find someone (anyone, really) who has published a prediction that in 5 years everyone will be using this. You can also start with an inspirational quote.
  2. Name the technology: robotics, AI, internet of things, big data, blockchain, algorithms, platforms, sharing economy, wearables – again, anything. Say that there is no agreed-upon definition of it, then define it anyway, and give a few more examples. If you write about IoT, make sure your example is a fridge ordering milk when you are out of it.
  3. Indicate some laws that could apply to this technology – cite some statutes, some cases, no need to be comprehensive – just have one that would be unclear in application. Alternatively, take some established concept: liability, personality, accountability etc., and show how this new technology makes its application complicated. This will make everyone think that this is a legal paper. Lawyers usually don’t know much about tech, and non-lawyers seldom read cases – this will make you seem like an expert in whichever area the reader does not come from.
  4. State that we need to regulate, in a way that will “mitigate the risks, without impeding the benefits”.
  5. Say that obviously there are some benefits, and list them: pay special attention to how this could be used in education, or medicine, or for any type of empowerment (no need to define).
  6. Say that, however, there are of course also some risks/challenges, and list them. No need to indicate what the criterion of distinction was; also, don’t worry about explaining your normative theory (just say “criminal law”, or “consumer law”, or “privacy” etc.). Just list the problems.
  7. Now it’s time to solve the problem: throw around one/three/five ideas on what to do. If you are creative here, that’s OK, but you can also go for some safe bets: create a new administrative agency (an “FDA for algorithms/robots/databases” etc.), incentivize self-regulation and the creation of codes of conduct, and education – education is the most important.
  8. (Optional: write a couple of paras explaining why your solutions are better than what other people have proposed, or what is already in place. This takes more time, because you actually need to read something. But it will make you look like an expert. If you treat people nicely, you might even become a member of a #citationCartel.)
  9. Mention blockchain. You can just literally put the word “blockchain” in a random place somewhere in the solution section.
  10. Finish by saying that the issue is obviously complex, so more interdisciplinary perspectives are needed, and that you know you might be wrong, but your first ambition was to draw attention to the problem and start a discussion.

There you go! The paper is essentially ready. You just became an expert in something new, congratulations!!!

Fixing Social Media: Hit the Cause, Not the Effects, of the Grand Bargain

This post builds, in part, on the ideas I got during the 1st Istanbul Privacy Symposium: Data Protection and Innovations, especially conversations with R.E. Leenes. Everything that is wrong here is obviously my fault; but I want to acknowledge that many points here were inspired by others.

In his excellent Fixing Social Media’s Grand Bargain, Jack Balkin demonstrates how the “nature” of digital capitalism creates perverse incentives for social media companies to surveil, addict and manipulate their users. He then surveys a range of regulatory options, from treating social media as public actors in some ways, to antitrust and pro-competition law, before finally reiterating his intriguing idea to treat social media companies as “information fiduciaries”.

In this brief post, I would like to build upon Balkin’s idea, and offer an additional perspective on both the problem and the possible solutions. I want to argue that the role for law is not only to mitigate the results of the “nature” of digital capitalism, but to disrupt the very incentives that led to the Grand Bargain. I first look at the conditions that led to the current model, and question the assumption that this model is necessary. I also question the assumption that the surveillance and manipulation problem can be fixed within this paradigm. Then I take a look at the “information fiduciaries” proposal and reiterate my reservations towards it, also re-characterizing the way in which the GDPR is constructed. It’s an imperfect instrument, but in my opinion, for different reasons than the ones Balkin puts forward. Finally, I throw in a couple of alternative ideas – coming from a consumer law mindset – which are one way to go about changing the very incentives that led to the Grand Bargain.

Where are we?

Obviously, there is no single problem with the way social media companies currently operate, and so there will be no single solution to all of them. Hence, at some point we could do with a map of what exactly the challenges are, what precisely the regulatory goals are, and which regulatory means have a chance of bringing those goals about. However, it seems to me that an analysis of the causes of, and possible cures for, the “grand bargain” makes for a good start.

The “grand bargain”, according to Balkin, is this: online companies (social media, search engines etc.) offer their marvelous products to users without asking for money, but in exchange collect, analyze and act upon users’ personal data. These companies make money out of advertising. The more time users spend using their products, the more ads they will see. The more data companies have about users, the more effective targeted ad campaigns will be. Hence, the incentive to surveil, addict and manipulate.

This bargain is the “nature” of digital capitalism, Balkin tells us. I could not agree more, if by “nature” we mean an explanation of how things are right now. However, I would question the assumption – especially if we are to talk about political economy – that things must be this way. Two questions are worth addressing: how did we get where we are; and how can we get out?

How did we get here?

Jaron Lanier interestingly argues that the mistake was made at the very beginning of the Internet’s public existence. We allowed two, possibly contradictory, ideas to flourish at the same time. On the one hand, the radical idea that stuff online should be free: that one should not pay for using browsers, visiting websites, sending emails etc. On the other, the liberal idea that innovation is good and tech entrepreneurship should be incentivized. Given the strong commitment to both, advertising was the only solution. And when online companies realized that the by-product data could be useful, and that machine learning algorithms could squeeze a lot of knowledge out of it, the arms race in micro-targeted, behavioral advertising started. Two observations here.

First, it is by no means obvious or proven that targeted advertising leads to “more efficient advertising campaigns, which allow greater revenues”. One obviously assumes so – why else would companies, rational economic actors, spend money on it? But more and more research seems to show that these increased revenues are minimal (if existent at all), and that companies’ behavior is a herd phenomenon, based on hype.

Second, we should seriously ponder the question whether an internet and a public sphere in which stuff is free and, at the same time, users retain privacy and autonomy is possible. Whether it makes sense to strive for a world in which one does not pay with money for using email, social media, browsers and search engines, and in which one retains full (or high) privacy and autonomy. The answer, obviously, will not be binary. But we should spend time thinking about whether the trade-off between free usage of convenient innovative products, and personal privacy and autonomy, is not inevitable.

“Information fiduciaries” cure symptoms, not the cause

Balkin’s “information fiduciaries” idea has two huge advantages and three problems. It’s a good idea because it’s 1) simple and 2) possible for courts to realize. It seems to me problematic when one thinks about 1) its operationalization in the design process; 2) oversight and enforcement; and 3) the fact that it does not change the perverse incentives, but merely puts legal constraints on how companies may act upon them.

The EU’s adventure with enacting the GDPR seems to make two things clear in the American context. It might be impossible to push any complex data processing regulation through the over-lobbied Congress. And even if it were possible, the result would be so complex and watered-down that it wouldn’t do us any good. That is where employing the concept of a “fiduciary” in the common law courts seems very tempting.

Speaking of the GDPR, Balkin is clearly skeptical of this “neoliberal” regulation. As imperfect as the GDPR might be, I strongly disagree with his characterization that “GDPR relies heavily on securing end-user consent (…) [and] is still based on a contractual model of privacy protection”. This is an American idea, and with regard to the GDPR, it is simply not true. The GDPR is an administrative regulation par excellence. It clearly specifies the duties of data controllers, including the need to demonstrate a legal basis for processing, consent being only one of them. In other words, what companies write in their terms of service and privacy policies does not affect their obligations, and does not change what they are or are not allowed to do with personal data. The “individual rights and transparency” part of the Regulation belongs to the oversight and enforcement side, which relies on a mix of public and private engagement. Realizing that public supervisory authorities will never have enough power to combat big tech by themselves, the GDPR equips individuals with information and access rights, which allows for “class action” by NGOs, increasing the chance of spotting infringements. This is not perfect, but it’s not imperfect for the reasons Balkin invokes. And this helps one see where “information fiduciaries” fall short of being the cure.

First, this sounds like a great idea, but even in a well-intentioned company, at some point engineers need guidance on how to implement it. Does showing me ads for sleeping pills at 3 a.m. go against the duties of care, confidentiality and loyalty? Sure, I guess. Do those duties impose an obligation to pull addictive games off my platform? That’s where stuff gets tricky. The GDPR’s problem is that it’s long and complex. But the problems caused by social media in 2018 are very complex as well.

Second, if we imagine that social media companies do become information fiduciaries, and even if we assume that their duties are specified sufficiently well, the question is: what do we do if they violate those duties? The big difference between doctors, lawyers and nurses sharing my secrets, and social media building up a system that manipulates and addicts me, is that in the second case I might simply not know. The fiduciary model works perfectly if we assume that people will realize when these duties are infringed. But that is a bold assumption.

Finally, Balkin’s proposal does not really change the incentives to make money out of advertising; it just puts constraints on the ways in which social media companies would be legally allowed to do so. It does not disrupt the grand bargain, it civilizes it. And that is where my biggest skepticism lies. Because, as I wrote above, it just might be impossible to sustain innovation and free access to products without some sort of abuse of power stemming from access to data and control over products.

To “Fix” Social Media, Change their Incentives

Here we get back to the question of whether the “nature” of digital capitalism is fixed. And, as Larry Lessig made us see already 20 years ago, the answer is no. Instead of taking it as given and thinking about how to civilize it, let us think about how to disrupt the very system that gave rise to these business models.

From the perspective of political economy, my conviction is that we should not (only) regulate data processing, or privacy, directly, but regulate the market in a way that will change the incentives. How?

For example, ban targeted advertising. Or some forms of it. Or some types of content. Especially if we learn that they do not really work. Ban news feeds shaped by unknown algorithms. Require that users be in control of the choices. If companies are not allowed to use the data they collect and the patterns they infer, the incentive to collect and use them dramatically goes down.

The immediate response I fear is “but the First Amendment!”. I fear it because I know nothing about it, and cannot properly engage in a discussion. But just let me say: even Americans have bans on ads for cigarettes or alcohol, and rules on ads for medications. Even with the First Amendment, there are bans on speech directly endangering national security (I don’t want to use the “t” word, since the perfect surveillance will immediately hit me;). So if social media are/might be addictive and cause mental health problems (as it seems they are), and if they have created environments where a foreign power can influence American presidential elections, it seems to me that health or national security could be arguments justifying such an intrusion.

Or let’s do something else. Make it obligatory to offer a track-free, ad-free, paid option. Facebook’s yearly revenue is $40 billion, and it has 2 billion users. That is 20 bucks per user per year. We pay ten dollars for Netflix and Spotify and Amazon Prime monthly; why not for Facebook or Google? Sure, that is not an option for many people in less wealthy countries; as I said, it’s of course more complex. And yes, Amazon and Netflix also surveil and addict us. So such a move is not sufficient. But it’s easier to make them stop when they have a secured income from sources other than abusive ads, manipulation or political propaganda.
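For the skeptics, the back-of-the-envelope arithmetic is easy to check. Note that the figures below are the rounded estimates from the paragraph above, not audited financials:

```python
# Rough per-user arithmetic, using the rounded figures from the paragraph
# above (the post's estimates, not official filings).
facebook_yearly_revenue_usd = 40e9
facebook_users = 2e9

per_user_per_year = facebook_yearly_revenue_usd / facebook_users
per_user_per_month = per_user_per_year / 12

print(per_user_per_year)    # 20.0 -> the "20 bucks per user per year"
print(per_user_per_month)   # ~1.67 -> well below a 10-dollar monthly subscription
```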

Those are obviously imperfect ideas. But they are just one possible way to act on the claim that I am certain of: the role for law is to change the incentives that led to the “grand bargain”, not only to mitigate the bargain’s results.

CLAUDETTE: Automating Legal Evaluation of Terms of Service and Privacy Policies using Machine Learning

It is possible to teach machines to read and evaluate terms of service and privacy policies for you.

Have you ever actually read the privacy policies and terms of service you accept? If so, you’re an exception. Consumers do not read these documents. They are too long, too complex, and there are too many of them. And even if consumers did read them, they would have no way to change them.

Regulators around the world, acknowledging this problem, have put in place rules on what these documents must and must not contain. For example, the EU enacted regulations on unfair contractual terms and, recently, the General Data Protection Regulation. The latter, applicable since 25 May 2018, makes clear what information must be presented in privacy policies, and in what form. And yet, our research has shown that, despite the substantive and procedural rules in place, online platforms largely do not abide by the norms concerning terms of service and privacy policies. Why? Among other reasons, there is just too much for the enforcers to check. With thousands of platforms and services out there, the task is overwhelming. NGOs and public agencies might have the competence to verify the ToS and PPs, but lack the actual capability to do so. Consumers have rights, civil society has its mandate, but no one has the time and resources to bring them into application. Battle lost? Not necessarily. We can use AI for this good cause.

The ambition of the CLAUDETTE Project, hosted at the Law Department of the European University Institute in Florence, and supported by engineers from the University of Bologna and the University of Modena and Reggio Emilia, is to automate the legal evaluation of terms of service and privacy policies of online platforms, using machine learning. The project’s philosophy is to empower consumers and civil society using artificial intelligence. Currently, artificial intelligence tools are used mostly by large corporations and the state. However, we believe that, with the efforts of academia and civil society, AI-powered tools for consumers and NGOs can and should be created. Our most technically advanced tool, described in our recent paper, CLAUDETTE: an Automated Detector of Potentially Unfair Clauses in Online Terms of Service, can detect potentially unfair contractual clauses with 80%-90% accuracy. Such tools can be used both to increase consumers’ autonomy (tell them what they accept), and to increase the efficiency and effectiveness of civil society’s work, by automating big parts of their job.
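To make the consumer-empowerment idea concrete: once a classifier like the one sketched in the earlier post is trained, applying it to a new document takes only a few lines of code. The sketch below is hypothetical, not CLAUDETTE’s actual code; the sentence splitting, in particular, is deliberately naive, and real documents need a proper segmenter.

```python
# Hypothetical usage sketch: flag potentially unfair sentences in a ToS,
# given any trained scikit-learn text classifier (e.g. the earlier sketch).
# Not CLAUDETTE's actual code; the sentence splitter is deliberately naive.
import re

def flag_unfair_sentences(tos_text, model):
    """Return the sentences the classifier marks as potentially unfair."""
    sentences = [s.strip() for s in re.split(r"(?<=[.!?])\s+", tos_text) if s.strip()]
    return [s for s, label in zip(sentences, model.predict(sentences)) if label == 1]

# Example (assuming `model` was trained as in the earlier sketch):
# with open("some_tos.txt") as f:
#     for clause in flag_unfair_sentences(f.read(), model):
#         print("-", clause)
```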

Our most recent work has been an attempt to automate the analysis of privacy policies under the GDPR. This project, funded and supported by the European Consumer Organization, has led to the publication of the report Claudette Meets GDPR: Automating the Evaluation of Privacy Policies Using Artificial Intelligence. Our findings indicate that the task can indeed be automated, once a significantly larger learning dataset is created. The learning process was interrupted by major changes in privacy policies undertaken by the majority of online platforms around 25 May 2018, the date when the GDPR became applicable. Nevertheless, the project led us to interesting conclusions.

Doctrinally, we have outlined the requirements a GDPR-compliant privacy policy should meet (comprehensive information, clear language, fair processing), as well as the ways in which these documents can be unlawful (if the required information is insufficient, the language unclear, or potentially unfair processing is indicated). Anyone – researchers, policy drafters, journalists – can use these “golden standards” to help them assess existing policies, or draft new ones compliant with the GDPR.

Empirically, we have analyzed the contents of the privacy policies of Google, Facebook (and Instagram), Amazon, Apple, Microsoft, WhatsApp, Twitter, Uber, AirBnB, Booking.com, Skyscanner, Netflix, Steam and Epic Games. Our normative study indicates that none of the analyzed privacy policies meets the requirements of the GDPR. The evaluated corpus, comprising 3,658 sentences (80,398 words), contains 401 sentences (11.0%) which we marked as containing unclear language, and 1,240 sentences (33.9%) which we marked as potentially unlawful clauses, i.e. either a “problematic processing” clause or an “insufficient information” clause (under Articles 13 and 14 of the GDPR). Hence, there is significant room for improvement on the side of business, as well as for action on the side of consumer organizations and supervisory authorities.

This post originally appeared on the Machine Lawyering blog of the Centre for Financial Regulation and Economic Development at the Chinese University of Hong Kong.

“Revolution!” found & re-posted

The text below was found written on a toilet stall door somewhere around the HLS campus. I was shown a photo of it, and sent a transcript. It’s a piece of fiction, and I don’t know what the author’s intention was. I don’t know who the author is either. I totally disagree with the ideas presented there. Read it critically, and try coming up with better and acceptable ways of dealing with the problems it identifies:

“In the end, it was quite simple. In the end, history had the answers. And now everything is better.

There used to be two big internet companies, providing services to more than a billion people. These services became essential to societies’ functioning. Yet these companies were not really respecting the rights of the people. Privacy was nonexistent, freedom of speech and assembly were often violated, the right to digital property was not respected at all. Many wise women and men spent thousands of hours thinking about how to make these companies respect the human rights of their users. Regulation? No one wanted to regulate. Competition? There was no competition. Petition? They didn’t listen.

Then somebody remembered how constitutionalism was born. When the states, not multibillion transnational firms, were the major sources of human rights violations. Sure, there were philosophers, cool ideas, public discontent… But in the end, a lot of French people got mad, rallied together, demolished a few buildings, killed a few people, and said: look, here is a list of principles that one needs to follow while governing the state, otherwise we do it again.

And so, a few thousand people gathered in one valley, stormed the HQs of the two companies, demolished this and that, pondered beheading some people, handed over a list of principles to some of these people and placed some new people in some positions. And said: govern your platforms based on these principles, or else.

Revolution. It worked once, why wouldn’t it work again?

It’s much better now. Is it perfect? No. Was it the ideal way to do it? No. Is it better than it was? Waay better.

The notions of public and private actors are contingent and fluid. The notion of power that is public in nature is fixed. And the nature of the social universe is such that when such a power is not tamed, it gets tamed.

In the end, it was quite simple.”

As I wrote above, it is a terrifying story. So I repost it here, for us to be able to think of better ways of dealing with the problem of uncontrolled power that might one day emerge within some internet companies.

We have an innovation problem…

…but as in ‘alcohol problem’.

The last time I checked, innovation was not a fundamental right protected by any constitution. And yet, for reasons that are not particularly clear to me, it so often seems to be an argument that trumps (…) strengthening the legal protection of consumers or privacy. In a discussion, whether in the classroom or over a beer, whenever someone even mentions regulating the algorithms, or taking a stronger stance on the internet giants’ practices, there is always someone else to say: “No, this will slow down/impede innovation!”. And then you’re supposed to say “ah, yeah, sorry”.

Really? We’ve had 20 years of that innovation now; should we not run a little assessment of what went well and what went wrong, and whether this really is the way to go? Three points.

Firstly, we have numerous laws that impede innovation, and everyone seems to acknowledge their importance. We have product safety laws and standards, we have rules on clinical trials of drugs on humans and animals, we have labour law – all of these clearly make innovation in many spheres more expensive, slower and more difficult. But we have them, to protect human health, life and well-being; even if innovation in these spheres could also contribute to those values.

Secondly – what type of innovation are we talking about? Even more apps and platforms. Spotify and Netflix, and Uber, and Deliveroo. Even better targeted advertising. Even more stuff that can be done on one’s smartphone. Cool, it’s convenient, it makes life easier for some of us, but it also has side effects – alienation, uberification of the economy, new types of addiction, fake news, filter bubbles – I could go on, but you know all that.

And yet, even though it’s clear and obvious that Google, Facebook et al. are openly violating European personal data protection law, consumer law on unfair commercial practices and unfair terms, and discrimination law, as well as all the values not yet explicitly protected by law (because “innovation”), so many people seem to be fine with that. We won’t regulate them, we won’t actually enforce the laws we have in place, because that could slow down the Progress.

Don’t get me wrong – I’m neither advocating a harsh regulation of new technologies, nor a large-scale enforcement of the laws we created before their emergence. On the contrary, I think we need a proper, informed, balanced and serious discussion on what to do with the law and regulation in the new reality. However, innovation should not be an argument against protection of privacy, increasing transparency or combating discrimination.

I get it: privacy is not as fundamental a value as life and health. But a new dating app, or the fact that your automatically generated playlist is now so perfect, or that you can order any pizza you want, are not as socially valuable as new medications either.

Thirdly, and finally, I wonder where this comes from. Why are we so easily lured by this rhetoric? Who created it? These are the questions, and this is a post, in the research-I-would-do-if-only-I-had-time series. I don’t know, though I have a guess. It’s a mix of our modernist idolisation of progress, and the really good PR of big business. And the fact that we mistook our lives getting more convenient for our lives getting better.

All I wanted to say is that privacy is not absolute, but neither is innovation. And that we should start thinking about what type of it we are buying, and at what cost.