The Majority Report – Your Social Credit Score Is Showing

Back in August, I wondered in this space whether the growing power of the surveillance state would return shame to our society and bring about “The New Puritanism.” China is betting heavily that it will.

Some of you may have caught the recent “60 Minutes” segment with its chilling real-time evocation of an actual Minority Report society.  If life imitates art, life picked a pretty scary model here. Watching a live-stream of pedestrians on a busy city street in China, each accompanied with its own bespoke chyron identifying each passerby with precision made my Boomer blood run cold.  I grew up in New York where J-walking is sport.  In China, J-walk and you end up with your face on a digital wall of shame for all to see.  In a society where conformity is valued, tech has weaponized shame.

But shame isn’t just about safer streets in China.  It’s about social engineering on a grand scale.  China’s Social Credit Initiative is a product of its “top-level design” approach.  Its central objective is the development of a national reputation system, assigning a social credit number that reflects “a qualitative judgment of relevant data about the subject.”  Remember when your high school guidance counselor warned you about the importance of preserving a clean “permanent record”?  Turns out she wasn’t wrong; she was just ahead of her time.

The Chinese make no bones about using surveillance to create and enforce the kind of citizens it wants in its society.  There is actually a magazine published in China that is kind of a malevolent version of Santa’s “naughty and nice” list.  On the red pages are the nice “trustworthy” citizens.  They get cheaper train fare and better insurance rates. On the black pages are the folks who are getting coal in their stockings.

But until I started researching this piece, it did not dawn on me the full scale of what China is about with its social credit scoring.  It is nothing less than a complete re-imaging of governance.  In Next Generation Law: Data Driven Governance and Accountability Based on Regulatory Systems in the West and Social Credit Regimes in China, (Catchy title, no?) Larry Cata Backer suggests that “social credit represents the expression of new forms of governance that are only possible through the correct utilization of big data management.”  (Not sure what “correct” means in this context, but never mind.)  More to the point for Western constitutional societies like ours is this bombshell:

Accountability regimes grounded in behavior standards enforced through data driven analytics may well change the focus of public law from constitution and rule of law to analytics and algorithm.

 Think about that for a minute.  In a social credit system, the law, the lawyers and the regulators become the handmaidens of the state, there only to enforce compliance with whatever behavior the state wishes to see.  In such a society, the data make the rules and blind obedience is not enough.  It isn’t just that you comply; it’s how you comply that counts.  Imagine a society that rewards and punishes you based on your perceived sincerity, as judged by not a human, but a robot.  (See my colleague Ted Claypoole’s work on “brainspray” for more on that.)

At least the Precogs were human.

Will Technology Return Shame to Our Society?

The sex police are out there on the streets
Make sure the pass laws are not broken

Undercover (of the Night), The Rolling Stones

So, now we know that browsing porn in “incognito” mode doesn’t prevent those sites from leaking your dirty data courtesy of the friendly folks at Google and Facebook.  93 percent of porn sites leak user data to a third party. Of these, Google tracks about 74 percent of the analyzed porn sites, while Oracle tracks nearly 24 percent sites and Facebook tracks nearly 10 percent porn sites.  Yet, despite such stats, 30 percent of all internet traffic still relates to porn sites.

The hacker who perpetrated the enormous Capital One data breach outed herself by oversharing on GitHub.  Had she been able to keep her trap shut, we’d probably still not know that she was in our wallets.  Did she want to get caught, or was she simply unashamed of having stolen a Queen’s ransom worth of financial data?

Many have lamented that shame (along with irony, truth and proper grammar) is dead.  I disagree.  I think that shame has been on the outward leg of a boomerang trajectory fueled by technology and is accelerating on the return trip to whack us noobs in the back of our unsuspecting heads.

Technology has allowed us to do all sorts of stuff privately that we used to have to muster the gumption to do in public.  Buying Penthouse the old-fashioned way meant you had to brave the drugstore cashier, who could turn out to be a cheerleader at your high school or your Mom’s PTA friend.  Buying the Biggie Bag at Wendy’s meant enduring the disapproving stares of vegans buying salads and diet iced tea.  Let’s not even talk about ED medication or baldness cures.

All your petty vices and vanity purchases can now be indulged in the sanctity of your bedroom.  Or so you thought.  There is no free lunch, naked or otherwise, we are coming to find.  How will society respond?

Country music advises us to dance like no one is watching and to love like we’ll never get hurt. When we are alone, we can act closer to our baser instincts.  This is why privacy is protective of creativity and subversive behaviors, and why in societies without privacy, people’s behavior regresses toward the most socially acceptable responses.  As my partner, Ted Claypoole wrote in Privacy in the Age of Big Data,

“We all behave differently when we know we are being watched and listened to, and the resulting change in behavior is simply a loss of freedom – the freedom to behave in a private and comfortable fashion; the freedom to allow the less socially -careful branches of our personalities to flower. Loss of privacy reduces the spectrum of choices we can make about the most important aspects of our lives.

By providing a broader range of choices, and by freeing our choices from immediate review and censure from society, privacy enables us to be creative and to make decisions about ourselves that are outside the mainstream. Privacy grants us the room to be as creative and thought-provoking as we want to be. British scholar and law dean Timothy Macklem succinctly argues that the “isolating shield of privacy enables people to develop and exchange ideas, or to foster and share activities, that the presence or even awareness of other people might stifle. For better and for worse, then, privacy is a sponsor and guardian to the creative and the subversive.”

For the past two decades, we have let down our guard, exercising our most subversive and embarrassing expressions of id, in what we thought was a private space. Now we see that such privacy was likely an illusion, and we feel as if we’ve been somehow gaslighted into showing our noteworthy bad behavior in the disapproving public square.

Exposure of the Ashley Madison affair-seeking population should have taught us this lesson, but it seems that each generation needs to learn in its own way.

The nerds will, inevitably, figure out how to continue to work and play largely unobserved.  But what of the rest of us?  Will the pincer attack of the advancing surveillance state and the denizens of the Dark Web bring shame back as a countervailing force to govern our behavior?  Will the next decade be marked as the New Puritanism?

Dwight Lyman Moody, a predominant 19th-century evangelist, author, and publisher, famously said, “Character is what you are in the dark.”  Through the night vision goggles of technology, more and more of your neighbors can see who you really are and there are very few of us who can bear that kind of scrutiny.  Maybe Mick Jagger had it right all the way back in 1983 when he advised: “Curl up baby/Keep it all out of sight.”  Undercover of the night indeed.

The Sharp End of the Spear

How many times a month do you read about one more hack, or receive a letter from a company that has exposed your information to a threatening force?

We understand that our offices, banks, stores and other data holders are constantly under attack from forces across the globe. The mark of a sophisticated netizen is nonchalance in the face of each accumulating security failure.

But sometimes it takes a personal attack to break through the irony and make us start to worry about a data predator’s effects on our friends,  families, and workplaces.

It started with a call from a co-worker just before 5 PM last Friday. After a few moments of idle chat, I asked her what she needed from me.  She said, “I’m calling about your email.”  Having not sent her an email, I was surprised, but not terribly so.  She could have been responding to an old message or just been mistaken.  “No, I’m looking at it right now and it says ‘URGENT REQUEST’ in the subject line” she insisted.  She had my attention.  I was the subject of a social engineering or “imposter” email scheme.

The spoofed email was ridiculously easy to spot.  It used my full name, including my middle initial, which I never do.  It came from a domain that was so “off” it could have been Philip_P_Gura@spearphishing.com. As mentioned, the subject line said “URGENT REQUEST” and the body of the message all but screamed “mail fraud”.  And yet.

The calls came flooding in, faster than I could answer them.  Emails, too. Some asked if I had been hacked, but most responding to my “urgent request” as if it were the real deal.  The head of our Atlanta office called me from the road to find out what was up.

None of this should have been terribly worrisome to me in today’s “Spy-vs-Spy” world.  After all, we don’t really bat an eye when our credit card credentials are compromised and have gotten used to having to remember a dozen different passwords just to download the Sunday crossword puzzle or change a flight.  But, here’s the thing: it really shook me.  Why?

I may be a jaded tech lawyer, but I am also human.  Someone out there was pretending to be me and, worse, was imposing on the people I work with.  A sense of outrage and violation rose in my chest and I felt like . . .  like I was RESPONSIBLE for the scam somehow.  What had I done?  What website had I visited that had tracked me down and sold my information to the Dark Web?  Had I somehow through carelessness or inaction allowed this imposter under the tent of my firm?  Was I in (gasp!) trouble?

Fortunately for me and my blood pressure, I work with some really fine people who very quickly sorted the situation.  No harm, no foul.  (In fact, one of my colleagues even corresponded a couple of times with the imposter just for grins and general edification.  Turns out the scammer asked my colleague to go to Amazon and buy $400 of gift cards and to send the card numbers to the spoofed email address. You’ve been warned.)

The point is, I and a lot of others have written about a “post-privacy” world where it’s only the naïve who still hang on to the mirage of an expectation of privacy and the right to be left alone.  Yet, all it took to shake me out of my ivory cell tower was a clumsy, amateurish and doomed to failure spoof and I lost my cyber-shit.

So, maybe I’ve missed the point of events like the recent Equifax $700 million deal to settle investigations into its massive data breach. Companies like Equifax are supposed to be the guardians at the gate, keeping our transactions private and our credit safe. As business people and casual internet users, we can easily see the wave-peak news items about regulation and forget about the sharks and other risks constantly threatening to break the surface. Like the ocean, the internet is a chaotic wilderness upon which we try to impose human order. Knowing that you have only a one in 11.5 million chance of being attacked by a shark at a US beach is significantly less comforting when a whitetip is chewing on your leg.

It is not easy bringing order to a complicated, multi-jurisdictional medium where predators and scavengers hide easily among an overwhelming number of targets. And, like any attempt to impose order on chaos, the state may go too far or begin to activate its own agendas.  But through it all, we lose sight of the most elemental threats.

Fighting the fraudsters and straight-up criminals is important work.  It takes professionals to lead the charge, and we users bear some responsibility for our own security. In this blog, we talk about the macro issues of law, policy, history, and society, but we may be missing the true prize.

Sometimes we just want to be left alone.

Data Security Diligence Checks — Not Just For Breakfast Anymore

In a statement that is sure to affect any acquisition involving data assets subject to GDPR, the Information Commissioners Office (ICO), the UK’s independent body set up to uphold information rights, appears to have greatly increased an acquirer’s risk of suffering successor liability.

Information Commissioner Elizabeth Denham just announced the ICO’s intention to fine Marriott International, Inc. almost $125 MM for a data breach that occurred at Starwood Hotels Group, which Marriott acquired in 2016.  That was two years before Marriott acquired Starwood and that breach wasn’t discovered until two years after the acquisition.

Citing Marriott for a failure to conduct “proper” due diligence, Commissioner Denham said that she would not hesitate to take “strong action” to protect the rights of the public:

“The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.”

We don’t yet know the facts upon which the ICO acted and Marriott has indicated that it intends to “respond and vigorously defend its position.”  What we do know is that our clients should take heed of the many ways that this potentially groundbreaking action may affect acquisitions involving data assets subject to GDPR.

For a start, what is “proper” due diligence? In this case, what we know is that the breach occurred well before the acquisition and wasn’t discovered until well after it closed.  In such a situation, standard representations, warranties, and indemnities could well have proved useless to the acquirer.  Insurance might be unavailing as well because there may have been no breach of applicable reps.  Purchase price holdbacks and escrows could well have expired as well.

We will continue to follow these developments and to report what we learn.  While we await the details of this case, we can already tell you that the strength and depth of your diligence efforts will be the key to avoiding or reducing successor liability for data issues. Our M&A and IP Transactions Groups have been in the forefront of conducting sophisticated, AI-enhanced diligence around data security and privacy for years, as well as the myriad other issues that a savvy buyer must account for in this data-driven world.  If you would like to discuss this development with one of our team members, please let us know.

Are Humans Necessary?

Three seemingly unrelated topics coalesced in my head on this Independence Day Eve Day. First, I am reading proofs of my colleague and fellow HDD blogger Ted Claypoole’s excellent forthcoming new book “The Law of Artificial Intelligence and Smart Machines”, which discusses the ways AI will (and won’t ) replace human capabilities.

Ted, in the most provocative chapter, discusses the question whether AI should ever be granted legal status.  He posits the existence of “HuPPIIs” or “human-produced perceptive intelligent individuals.”  One take-away from that argument is that the human tendency to personify will result in HuPIIs that we will want to treat as friend and relatives.

Then, I was reading about the politicization of the Independence Day celebration on the Mall in DC in the morning paper.

And finally, I was thinking about the guys we just hired to do some yard work here at the lake.  They are from Guatemala.  (I don’t know their immigration status and I frankly don’t give a damn.)  What I do know is that the fellow who came to work in our yard on a scorching July day demonstrated any number of traits that I strongly suggest AI will never duplicate.  And in so doing, he also reminded me, much more than any parade or Korean War era tank, what makes America great.

You see, my friend from Guatemala worked out here from sunup to sundown when his partner came to pick him up.  It was, to quote from the movie “Biloxi Blues”, “Africa hot” that day.  He worked tirelessly, without a break except for the times I came out and demanded he have some ice water and sit on the porch in the shade with me for a few minutes to cool off.

He accomplished more in that day than any crew I have ever hired would have in three. My college Spanish is muy feo, but I was able to learn a few things about my friend.  He has been here six years and hopes to return to Guatemala in another two if he can earn enough money.  He wants to go back because he says his country is bonita (beautiful).

When the sun set and he was waiting for his partner to pick him up, I came outside to offer him a cold beer and to thank him for his hard work.  By his smile, you’d have thought I had just handed him the keys to a new Tesla.

Now, I know that you can buy a robot to mow your lawn today and that someday there may well be HuPPIIs who will be adept at  trimming hedges, weeding and planting shrubs.  Not only that, but they will probably know exactly the right time to fertilize based on global weather conditions and be able to speak in whatever language they want.

But, even if that happens, folks who want a better life will always find a way to use their very human capabilities to make it happen.  They will leave their homes, find places that need their skills, work hard and then harder, and delay gratification so that their kids can learn to code and create the next tech boom.  Machine learning is incredible, but it can’t touch the human spirit.

And (sorry Ted), you will never have that moment of human connection that I had with my friend over a cold beer on a scorching day in Georgia with any AI.  Happy Independence Day.

Spin Cycle: How to Ruin Solo Sports Through Social Media and Gamification

These are the days of miracle and wonder

This is the long distance call

The way the camera follows us in slo-mo

The way we look to us all

The way we look to a distant constellation

That’s dying in a corner of the sky

These are the days of miracle and wonder

And don’t cry, baby, don’t cry

Don’t cry

Paul Simon – The Boy In The Bubble

I have a love-hate relationship with my cycling app.  It’s called “Strava”.  If you know a semi-serious cyclist of almost any stripe, ask her about Strava.  I will almost guarantee that if she isn’t actually on it, she will know about it.  It’s become almost ubiquitous in the Lycra-clad, shaved legs set.

So what is it?  Strava, in its own words “turns every iPhone and Android into a sophisticated running and cycling computer . . . . Start Strava before an activity and you can track your favorite performance stats, and afterward, dive deep into your data.”  And millions of us do.

Think of Strava as Facebook for the exercise-addicted.  You post your run, ride, walk, hike, canoe, e-bike ride, hand cycle, ice skate, inline skate, kayak, kitesurf, (not making any of this up; it’s all there), rock climb, roller ski, row, alpine ski, backcountry ski, Nordic ski, snowboard, snowshoe, standup paddle, surf, swim, wheelchair, or windsurf stats along with pictures of your bike leaning against stuff and witty comments.  You can give your friends “kudos”, which are little orange ‘thumbs up” attaboys that appear on your post like Facebook “likes”.  And of course, the app will helpfully notify you when you get kudos and when your friends deserve them.

But wait, there’s more.  Allow me to present the concept of the “Strava segment”.  These are little virtual racecourses that are created by athletes on their local routes.  Once created, they are open for anyone to attempt.  Complete the segment in the fastest time?  Kudos, you are the “KOM” or “QOM”, which stands for King or Queen of the Mountains.  But better keep watching the app, because millions of your friends are now gunning for you and Strava will send you a nice reminder when someone steals your crown and encourage you to go get it back.  Heavy lies the head that wears a crown.

Not stressed about earning crowns?  Strava has you covered, too.  Every time you ride a segment, Strava will either reward you with little medals: gold for a PR, silver for your second fastest time, bronze for third, or will just sit there and silently judge you if you had the gall just to ride for fun, not time.

This is why my supportive wife once said of Strava:  “Congratulations; you found a way to make your hobby just as stressful as your day job.”  She’s not wrong, at least not entirely.  We cyclists do some irrational and downright silly things because of Strava.  I know folks who will go back to the beginning of a ride if they forgot to turn the damn thing on before they started.  Just today, a friend of mine posted his plane trip from Athens to Paris. There’s saying among cyclists that “if it ain’t on Strava, the ride didn’t happen.”  Strava will even bail you out if you forgot to start your computer or aren’t even on the app (yet).  Just ask your buddy to share her ride with you and voila, you have the data.  It isn’t your data, but you can pretend it is.  Who’s to know?

If the app has a glitch and eats your data or your battery runs out while you are riding, many folks feel the need to explain what happened on Strava.  Even worse, many (myself included) will put up a defensive mea culpa on a casual ride, lest the Stravaverse judge your lack of effort harshly.  “Recovery ride”, “EZ Spin”, “Greenway Ride with Hubby & Kiddos”, “First Ride Back after Broken Pelvis” all appear to tell the world, “Hey, I wasn’t even trying today.”

A LOT has been written about how Strava is killing cycling, so I won’t go there.  What I was exploring as I rode this morning (with Strava running, of course: “Just Thinkin’ Ride”) is the question why the hell do we idiots keep doing it?  Why don’t we just turn the thing off, at least on casual rides?  Why do folks post “activities” like taking a walk on their vacation with the family?  Is it just narcissism?  Addiction?  FOMO?  Anxiety?  Are we data-sick?

And then, it came to me, along with the Paul Simon lyric that is still buzzing in my head.  It’s ART.  It’s cave painting.  We are all Whos screaming to save our lives “WE ARE HERE; WE ARE HERE” to an uncaring world.  Simon sang “Medicine is magical and magical is art”, and what we can do with data these days is nothing if not magical.

“The way we look to us all”.  That’s the best definition of social media I’ve ever heard.  The need somehow to signal to the universe that this is what we did in our flicker of time on this planet.  It’s why oversharing trumps privacy every, single time. It’s why people, myself included, are still on the cluttered and yet barren landscapes of Facebook and Instagram.  This is how I chose to spend my time; this is my tribe; this is what I looked like when I was at my very best; these are things that made me laugh, or cry or want to throw things at the wall.

Is going for a ride without a way to record the data the same as ambling down to the river to paint a landscape without your watercolors or a camera?  Perhaps in some important way, it’s exactly like that.  Whether I earned any kudos, bested myself or others on a segment or two, or took a picture of a funny street sign don’t amount to a hill of beans in this crazy world.  But when I record that data, I am scratching out a pictograph of that crazy world on walls of my digital cave.  And for some reason, viewed that way, I no longer feel like an addict or a slave.  I feel like an artist.  Don’t cry, baby.

Say Pub Cheese

Remember when your high school guidance counselor threatened that your bad grades, crap attitude or sophomoric hi-jinx would become a part of your “permanent record” and follow you for the rest of your life.  While that might once have been a scare tactic, it’s becoming a harsh reality for those in the bar-hopping set and it won’t be long before it expands its reach.

I’m talking about ID scanner companies that are using AI and other technology to indeed create, if not permanent records of about you, your habits and your behavior, records that could easily affect your life in some very material ways.

We are all pretty used to the idea of handing over our drivers’ licenses to get on a plane, rent a car, stay at a hotel, and buy booze or lottery tickets.  (I was general counsel for many years for a fuel and convenience store chain, so I know of which I speak.) What is new here are services that enable, nay encourage, the collection of scads of intimate data along with proof of age AND associating that data with subjective assessments of your behavior.

Services like PatronScan and IDScan advertise the ability to create a dynamic, sharable “no-fly” list for “bad” customers.  According to an article recently published in OneZero, “PatronScan’s reports reveal the company logged where customers live, the household demographics for that area, how far each customer travelled to a bar, and how many different bars they had visited. According to the company’s own policies, the company readily shares the information it collects on patrons, both banned and not, at the request of police. In addition to selling its kiosks to individual bars and nightlife establishments, PatronScan also advertises directly to cities, suggesting that they mandate the adoption of their service.”

Once you make it past the velvet rope, you are then at the mercy of any employee of the bar who has access to the system.  You can be tagged as either a lover or a fighter.  One list includes “Assault,” “disturbance,” “drug possession,” “drug trafficking,” “fake ID,” “fighting,” “gang violence,” “public intoxication,” “sexual assault,” “theft,” “private,” or (helpfully) “other.” Once you are on the naughty list, your infamy may be shared across the entire network.  You may appeal, but it may take years to clear your name.

If this weren’t enough to keep you home on a Friday night, consider that at least one ID scanner company, IDScan,  is taking it up a notch with facial recognition technology.  That’s right; now bars can train a camera on your face while you’re in line to be admitted and match your face to your ID when you scan it at the door.  Do they inform the queue that they are on camera?  That’s up to the bar.

Let’s recap:  Private companies create large databases of personal information, including your face, allow the addition of subjective assessments of your behavior with little to no oversight or standards, disseminate this information across a network of commercial establishments, freely share the information with law enforcement, and lobby municipalities to make the use of such scanners a mandatory part of compliance.  Got that?

This calls for a contest.  How many Constitutional, privacy, civil rights and other social and other legal or ethical ramifications of this technology can you spot?  Winner gets a signed copy of The Privacy in the Age of Big Data.  The judging, much like the bad behavior tags discussed above will be entirely subjective, unscientific and final.  Good luck!