The dual function of explanations: Why it is useful to compute explanations (2020)
Whilst the legal debate concerning automated decision-making has been focused mainly on whether a ‘right to explanation’ exists in the GDPR, the emergence of ‘explainable Artificial Intelligence’ (XAI) has produced taxonomies for the explanation of Artificial Intelligence (AI) systems. However, various researchers have warned that transparency of the algorithmic processes in itself is not enough. Better and easier tools for the assessment and review of the socio-technical systems that incorporate automated decision-making are needed. The PLEAD project suggests that, aside from fulfilling the obligations set forth by Article 22 of the GDPR, explanations can also assist towards a holistic compliance strategy if used as detective controls. PLEAD aims to show that computable explanations can facilitate monitoring and auditing, and make compliance more systematic. Automated computable explanations can be key controls in fulfilling accountability and data-protection-by-design obligations, able to empower both controllers and data subjects. This opinion piece presents the work undertaken by the PLEAD project towards facilitating the generation of computable explanations. PLEAD leverages provenance-based technology to compute explanations as external detective controls to the benefit of data subjects and as internal detective controls to the benefit of the data controller.
Keywords: Automated decisions | Artificial intelligence | Explainability | Explainable AI | GDPR
Government procurement law and hacking technology: The role of public contracting in regulating an invisible market (2020)
This article considers the purchasing of hacking technology by governments and the role of government procurement processes in regulating the hacking market and reducing risks to the buyer. While the proliferation of hacking technology for government actors has led to various proposed solutions for accountability, little consideration has been given to public purchasing of this technology. This article explores whether public contracting processes could be used to help minimize the risks that arise from the use of government hacking technology, and, if so, the types of contractual clauses and institutional supports that might be useful to achieve that goal. In exploring this issue, this article considers theories of government by contract and the publicization of the private sector. These theories posit that public contracting can be used as a vehicle to impose public considerations—for example, certain policy goals—on the private sector. It argues that requirements of transparency and accountability that inhere on the public sector could be transferred in part to the private sector through the vehicle of a public contract and explores how public contracts for government hacking technology could be structured in order to reduce risks posed by the use of this technology.
Keywords: Hacking | Law | Surveillance | Technology | Procurement | Contracts
Explainable Artificial Intelligence (XAI): Concepts, taxonomies, opportunities and challenges toward responsible AI (2020)
In the last few years, Artificial Intelligence (AI) has achieved a notable momentum that, if harnessed appropriately, may deliver the best of expectations over many application sectors across the field. For this to occur shortly in Machine Learning, the entire community stands in front of the barrier of explainability, an inherent problem of the latest techniques brought by sub-symbolism (e.g. ensembles or Deep Neural Networks) that were not present in the last hype of AI (namely, expert systems and rule-based models). Paradigms underlying this problem fall within the so-called eXplainable AI (XAI) field, which is widely acknowledged as a crucial feature for the practical deployment of AI models. The overview presented in this article examines the existing literature and contributions already made in the field of XAI, including a prospect toward what is yet to be reached. For this purpose we summarize previous efforts made to define explainability in Machine Learning, establishing a novel definition of explainable Machine Learning that covers such prior conceptual propositions with a major focus on the audience for which the explainability is sought. Departing from this definition, we propose and discuss a taxonomy of recent contributions related to the explainability of different Machine Learning models, including those aimed at explaining Deep Learning methods, for which a second dedicated taxonomy is built and examined in detail. This critical literature analysis serves as the motivating background for a series of challenges faced by XAI, such as the interesting crossroads of data fusion and explainability. Our prospects lead toward the concept of Responsible Artificial Intelligence, namely, a methodology for the large-scale implementation of AI methods in real organizations with fairness, model explainability and accountability at its core.
Our ultimate goal is to provide newcomers to the field of XAI with a thorough taxonomy that can serve as reference material in order to stimulate future research advances, but also to encourage experts and professionals from other disciplines to embrace the benefits of AI in their activity sectors, without any prior bias for its lack of interpretability.
Keywords: Explainable Artificial Intelligence | Machine Learning | Deep Learning | Data Fusion | Interpretability | Comprehensibility | Transparency | Privacy | Fairness | Accountability | Responsible Artificial Intelligence
Smartphone platforms as privacy regulators (2020)
A series of recent developments highlight the increasingly important role of online platforms in impacting data privacy in today’s digital economy. Revelations and parliamentary hearings about privacy violations in Facebook’s app and service partner ecosystem, EU Court of Justice judgments on joint responsibility of platforms and platform users, and the rise of smartphone app ecosystems where app behaviour is governed by app distribution platforms and operating systems, all show that platform policies can make or break the enjoyment of privacy by users. In this article, we examine these developments and explore the question of what can and should be the role of platforms in protecting data privacy of their users. The article first distinguishes the different roles that platforms can have in ensuring respect for data privacy in relevant ecosystems. These roles include governing access to data, design of relevant interfaces and privacy mechanisms, setting of legal and technical standards, policing behaviour of the platform’s (business) users, coordinating responsibility for privacy issues between platform users and the platform, and direct and indirect enforcement of a platform’s data privacy standards on relevant players. At a higher level, platforms can also perform a role by translating different international regulatory requirements into platform policies, thereby facilitating compliance of apps in different regulatory environments. And in all of this, platforms are striking a balance between ensuring the respect for data privacy in data-driven environments on the one hand and optimization of the value and business opportunities connected to the platform and underlying data for users of the platform on the other hand.
After this analysis of platforms’ roles in protecting privacy, the article turns to the question of what this role should be and how to better integrate platforms in the current legal frameworks for data privacy in Europe and the US. The article will argue for a compromise between direct regulation of platforms and mere self-regulation, arguing that platforms should be required to make official disclosures about their privacy-related policies and practices for their respective ecosystems. These disclosures should include statements about relevant conditions for access to data and the platform, the platform’s standards with respect to privacy and the way in which these standards ensure or facilitate compliance with existing legal frameworks by platform users, and statements with respect to the risks of abuse of different data sources and platform tools and actions taken to prevent or police such abuses. We argue that such integration of platforms in current regulatory frameworks is both feasible and desirable. It would make the role that platforms already have in practice more explicit. This would help to highlight best practices, create more accountability and could save significant regulatory and compliance resources by bringing relevant information together in one place. In addition, it could provide clarity for business users of platforms, who are now sometimes confronted with restrictive decisions by platforms in ways that lack transparency and oversight.
Keywords: Online platforms | Smartphones | Data protection | Privacy | Regulation | Disclosures
Hong Kong’s data breach notification scheme: From the stakeholders’ perspectives (2020)
Data breach notification laws have been enacted in an increasing number of economies around the world. These laws establish the requirement for notice in the event of a data breach incident. Although there are a number of reasons for requiring data breaches to be notified, the primary objective of the laws is to regulate organizations’ data security practices in order to protect the data privacy of their customers. In so doing, the data reporting obligations promote accountability, transparency and trust, thereby improving the overall organizational data security environment. Opinions are, however, divided amongst various private sector stakeholders on the issue of mandatory data breach notification. Drawing on interviews with 24 private sector representatives with an interest in data breach issues, this article documents and examines their position on the appropriate regulatory approach for data breach notification in Hong Kong. © 2021 Rebecca Ong and Sandy Sabapathy. Published by Elsevier Ltd. All rights reserved.
Keywords: Hong Kong | Data breach notification | Qualitative investigation | Stakeholders’ perspectives | Review of Personal Data (Privacy) Ordinance
Debt signaling and outside investors in early stage firms (2020)
By imposing market-like governance and directing entrepreneurs towards professional management, debt, and especially business debt, can serve as a reliable signal for outside equity investors. Such signals of firm accountability can alleviate the stringent information asymmetry at the early stages of the firm, and become stronger for bank business debt, in the presence of personal debt, and in high-capital industries. Using the Kauffman Firm Survey, we find evidence consistent with our hypotheses. Outside investors can rely on the governance role of debt and its underpinnings, such as the bank-firm relationship. We also corroborate that young firms tend to focus on growth rather than profitability.
Keywords: Governance | Entrepreneurship | Financing | Information asymmetry | Debt | Equity
Do FOI laws and open government data deliver as anti-corruption policies? Evidence from a cross-country study (2020)
In election times, political parties promise in their manifestos to pass reforms increasing access to government information to root out corruption and improve public service delivery. Scholars have already offered several fascinating explanations of why governments adopt transparency policies that constrain their choices. However, knowledge of their impacts is limited. Does greater access to information deliver on its promises as an anticorruption policy? While some research has already addressed this question in relation to freedom of information laws, the emergence of new digital technologies enabled new policies, such as open government data. Its effects on corruption remain empirically underexplored due to its novelty and a lack of measurements. In this article, I provide the first empirical study of the relationship between open government data, relative to FOI laws, and corruption. I propose a theoretical framework, which specifies conditions necessary for FOI laws and open government data to affect corruption levels, and I test it on a novel cross-country dataset. The results suggest that the effects of open government data on corruption are conditional upon the quality of media and internet freedom. Moreover, other factors, such as free and fair elections, independent and accountable judiciary, or economic development, are far more critical for tackling corruption than increasing access to information. These findings are important for policies. In particular, digital transparency reforms will not yield results in the anti-corruption fight unless robust provisions safeguarding media and internet freedom complement them.
Keywords: freedom of information | open government data | transparency | accountability | corruption | media and internet freedom | cross-country analysis
Achieving strategic benefits from project investments: Appoint a project owner (2020)
Even though we have gotten better at meeting the iron triangle of cost, time, and scope, many projects still do not achieve the strategic benefits (especially those that are nonmonetary) desired in most contemporary projects. Given that no one is specifically accountable for delivering these benefits, it should be no surprise that these projects are largely unsuccessful. We consider multiple possible candidates for this role of accountability (the CEO, the project manager, the sponsor, and the program manager) and find none of them acceptable, thereby necessitating the formalization of a new role: a project owner. The project owner would be accountable for delivering the strategic benefits desired from each project. In this article, we describe the responsibilities of the project owner at each phase of the project, the sources for candidates to fulfill this role, and the training needed for project owners to find success. We conclude with a case study of an organization that has taken this route and discuss the advantages and challenges that resulted from its strategic organizational change initiative.
Keywords: Project management | Organizational change | Project manager | Project success | Project owner | Project lifecycle management
Blockchain-based accountability for multi-party oblivious RAM (2019)
Recently, oblivious random access machine (ORAM) has been widely used to prevent privacy leakage from a user’s access pattern. However, in multi-user scenarios, the obliviousness property of ORAM facilitates malicious data modification by unauthorized users, which brings a new security challenge of user accountability to ORAM applications. Moreover, based on our observations, existing user accountability schemes for multi-user ORAM induce unacceptable overhead in both time and storage. What is worse, they still inherit the traditional cloud accountability problem that the untrusted cloud server may misbehave when storing the outsourced data. In this paper, we focus on the issue of how to achieve accountability for both malicious users and the untrusted cloud server without an independent trusted third-party server. To address the above problem, we design and implement a Traceable Oblivious RAM, or T-ORAM for short, a cryptographic system that protects the privacy of users and the integrity of outsourced data based on group signatures. It can detect malicious users quickly by utilizing the traceability property of group signatures, and incurs less storage overhead compared with the existing solutions. Then, we further propose a more secure solution, Blockchain-based Traceable Oblivious RAM (BT-ORAM). Specifically, by introducing blockchain technology, BT-ORAM can detect malicious behavior from both malicious users and the untrusted cloud server. BT-ORAM is the first accountability work for multi-user ORAM that deals with both malicious users and the untrusted cloud server. Finally, security analysis and experimental results show that our method outperforms the state-of-the-art accountability work for oblivious RAM, S-GORAM, in both security and performance.
Keywords: Oblivious RAM | Accountability | Group signature | Blockchain | Access control
EU GDPR or APEC CBPR? A comparative analysis of the approach of the EU and APEC to cross border data transfers and protection of personal data in the IoT era (2019)
This article examines the two major international data transfer schemes in existence today – the European Union (EU) model, which at present is effectively the General Data Protection Regulation (GDPR), and the Asia-Pacific Economic Cooperation (APEC) Cross Border Privacy Rules system (CBPR) – in the context of the Internet of Things (IoT). While IoT data ostensibly relates to things, i.e. products and services, it impacts individuals and their data protection and privacy rights, and raises compliance issues for corporations, especially in relation to international data flows. The GDPR regulates the processing of personal data of individuals who are EU data subjects, including cross border data transfers. As an EU Regulation, the GDPR applies directly as law to EU member nations. The GDPR also has extensive extraterritorial provisions that apply to processing of personal data outside the EU regardless of place of incorporation and geographical area of operation of the data controller/processor. There are a number of ways that the GDPR enables lawful international transfer of personal data, including schemes that are broadly similar to APEC CBPR. APEC CBPR is the other major regional framework regulating transfer of personal data between APEC member nations. It is essentially a voluntary accountability scheme that initially requires acceptance at country level, followed by independent certification by an accountability agent of the organization wishing to join the scheme. APEC CBPR is viewed by many in the United States of America (US) as preferable to the EU approach because CBPR is considered more conducive to business than its counterpart schemes under the GDPR, and therefore is regarded as the scheme most likely to prevail. While there are broad areas of similarity between the EU and APEC approaches to data protection in the context of cross border data transfer, there are also substantial differences.
This paper considers the similarities and major differences, and the overall suitability of the two models for the era of the Internet of Things (IoT), in which large amounts of personal data are processed on an on-going basis from connected devices around the world. This is the first time the APEC and GDPR cross-border data schemes have been compared in this way. The paper concludes with the author expressing a view as to which scheme is likely to set the global standard.
Keywords: IoT data | GDPR | CBPR | transborder data flows | data protection | privacy | global standard