Michael VealeNew 📄: “Denied by Design? Data Access Rights in Encrypted Infrastructures”. Tension: Platforms are using more edge computing/privacy-enhancing tech to learn about the world, keeping data on user's devices — yet also hiding that data from those same users. https://osf.io/preprints/socarxiv/94y6r/ 🧵
Platforms have long encrypted messages (although back-ups less often). #Snowden-related, but also a cost-reducing measure as they get more and more varied international warrants. #Platforms also are encrypting content to avoid costly content regulation (e.g. #OSB, #DSA). #e2ee
The basic logic of this is extreme horizontal dataset sharding. Imagine a dataset with loads of columns, then imagine each row is held on a different device. Techs such as multi-party computation #mpc, local #differentialPrivacy, can make use of this data.
But data is often not visible to the user. Firms claim they do not have to provide rights over it, eg access/portability. Some will put it in the secure enclave of eg a phone; makes it technically very hard to extract (e.g. biometric data).
But data is often not visible to the user. Firms claim they do not have to provide rights over it, eg access/portability. Some will put it in the secure enclave of eg a phone; makes it technically very hard to extract (e.g. biometric data).
This is also a problem because many new laws (e.g. the DSA) provide access to vetted researchers to data; but by moving more and more of it on device, firms can try and shroud their *business models* and practices in secrecy.
#DataProtection: you can still be a #DataController of such shared data. But do rights apply well? No. Confusing interactions with the #HouseholdExemption and with #JointControllership, all discussed in the paper.
Controllers might try and draw on recent case-law by the CJEU in GC and others to claim they are effectively incapable-by-design. This is a problem as platforms both design the vision of the service they offer (e.g. what is the role of an OS) and the detailed implementation.
Similar provisions in e.g. the #DigitalMarketsAct #DMA will struggle, as data cannot just be provided to competitors: requires infrastructural thinking.
Conclusions — data access rights need to be integrated much more into design. Provision of data should become a right to query, but this will not come until we stop thinking about data, and start thinking about infrastructure as the key metaphor instead.
Gloria González Fuster@mikarv do you need to stop thinking about data to start thinking about infrastructures? maybe there's enough room in this village for more than one key metaphor?
@ggf i think we could think about data again once the limits of the metaphor are better known. but yes i do think we should be able to multi metaphor