Oct 17, 2023

Data Rights Protocol is Working to Automate the Resolution of Data Rights Requests The U.S. may be late to the party when it comes to codifying data privacy protections into law, but the States doing so have made a flashy entrance. California’s Consumer Protection Act (CCPA) quickly became recognized as any jurisdiction’s most stringent privacy protection. Virginia and Colorado have also gone down the path of putting individuals in control of their data. But the CCPA is the legislation that proactive tech companies are complying with for now – in some cases voluntarily, so they can assure customers they are putting privacy first. The CCPA empowers consumers by allowing them to make requests to companies they deal with and direct how their data can be used or stored. Consumers can direct that their data not be sold to other parties, access their data held by a third party, and request its deletion. “The center point is the individual and all their personal data emanations,” explains Daniel ‘Dazza’ Greenwood, the Data Rights Protocol lead at Consumer Reports Digital Lab. “Data Rights Protocol (DRP) is about giving people ownership over their data. It’s narrowly scoped around rights articulated in existing law and must be complied with in a mandatory way by data holders.” Built out of the Consumer Reports Innovation Lab starting in the summer of 2021, DRP is a project that seeks to move state law from manual requests involving several parties to a technical standard that allows for automated resolution of consumer data requests. It’s translating law into code and publishing it to GitHub, detailing its open-source set of API endpoints that will streamline how organizations respond to consumer data requests. “An important part of the protocol design is that it’s better than what’s being done. No statute says people have to adhere to the law through this protocol; it’s voluntary, and our value proposition is to make it so good that people and companies would choose to use it because it’s faster, cheaper, and better,” Greenwood says. The current system to resolve CCPA requests involves a consumer making a request, the business that receives the request, authorized agents that can act on behalf of consumers to make requests of many different businesses, and software providers that help organizations comply with privacy laws. Authorized agents interact with the privacy software providers to detail how data rights requests are made and received. DRP will standardize that across the industry. It will make the process more repeatable and predictable for organizations, giving them cost certainty for managing the requests. DRP released its first stable release on Sept. 12, with version 0.9. It is working with digital privacy firms OneTrust, Transcend, Incogni, and Ethyca to test and implement the protocol into production. The concept makes sense for organizations keen to comply with the law. But what about those with data broker business models that could see compliance as a threat to profitability? “We’ll know definitively by 2025 and 2026 exactly what the propagation and adoption rates look like, and it’s possible that the companies you refer to as the worst offenders may be the last holdouts,” Greenwood acknowledges. “I still think this would be very worth doing because if the vast majority of companies are doing things the same way, it makes it somewhat easier to look at a small number of worst offenders when it comes time for enforcement.” Greenwood points to Spokeo, a founding member of DRP, as an example of a business model that depends on providing other people’s data to its customers. The website offers people lookup for names, emails, phone, and address information. In the future, DRP could extend its utility beyond California. It will start with the CCPA but could provide the same capability in multiple jurisdictions, including where GDPR is in effect. The protocol can specify the consumer’s geography. That will start as a binary between “California” and “voluntary” but could be updated for future versions. If DRP succeeds, it could play a role in a future where a consumer simply uses an app to assert their data rights and can expect they will be respected. Glaze Provides Artists a Defense Against AI Mimicry Where DRP is designed to convey more efficiently what’s already in law, Glaze is a technology that seeks to help artists who feel they are victims who fall into the gap between cutting-edge technology and legal precedent. The backlash to generative AI’s ability to instantly create content in the unique style of well-known creators includes the lawsuits mentioned earlier in this article. Still, those court cases will take months, if not years, to play out, and there’s no guarantee a judge will decide to protect creators. So, the University of Chicago’s computer science department is creating a tool that visual artists can use to protect their work from being used to train an AI algorithm. Artists looking for a way to fight back against AI began reaching out to Shan because of his lab’s earlier work on the Fawkes Project in 2020. The project created a digital cloak that people could put on their selfies before they uploaded them to social media, which prevented training a facial recognition algorithm. Artists wondered if the cloak would protect their artwork from being used for training. Greg Rutkowski is the most famous example of an artist whose work was mimicked by AI image generators like Stable Diffusion or Midjourney. Rutkowski became the most-used prompt for image generators, resulting in thousands of new images that imitated his hyper-detailed fantasy style of artwork flooding the internet. But he’s not the only one affected by the phenomenon. Comics artist Sarah Anderson was shocked to learn from a fan that her style could be easily replicated with the tools; Karla Ortiz found the same, and a long list of other artists now listed as collaborators with Glaze. Current copyright law wasn’t made with AI’s capabilities in mind, Shan says. “Humans can’t process 2 billion images and replicate that work so well. If we had that ability, we’d have different copyright laws,” he says. “The laws have an average human being in mind. So, we’ll see what happens in the current court cases. Does the current law protect artists, or do we need new laws?” To protect the artists they work with, the Glaze team used the open-source Stable Diffusion model to engineer a new type of cloak that protected the style of artwork. The technique is clever, changing just enough pixels in an image to fool an AI algorithm into interpreting it differently while being practically invisible to the human eye. The AI algorithm will still understand the content of an image but not its style, so if Karla Ortiz draws a dog, the ‘Glazed’ image will look like Vincent Van Gogh drew a dog to AI, for example. “AI sees patterns differently than human beings,” Shan explains. “They see an array of pixels, and that’s true of all AI systems. We try to maximize that gap by adding the smallest changes to our perception but the biggest in the model’s perception.” The Glaze team proved that its work was effective at foiling AI and acceptable to artists in a study. It has since released the tools to be available as an application download and an online tool accessible via a web browser. The application has been downloaded more than 1 million times. While Glaze was developed on Stable Diffusion’s model and other AI image generators use proprietary algorithms and are not available for examination, Shan says that Glaze translates well to protect all models. The team is also trying to anticipate countermeasures. Even if large AI companies accept artists’ wishes to prevent their work from training their algorithms, it is becoming increasingly trivial for anyone to train AI using a small training set of images. So bad actors may wish to remove Glaze from artists’ work they want to mimic. So far, Glaze is holding up to its intended effect. “For students that went to art school and worked for decades to create their own unique style, they deserve a chance to make money from this,” Shan says. If Glaze can level the playing field even a small amount, it will be a victory for artists. What Does it Mean for Technology Leaders? A new chapter in digital sovereignty is being written in the next couple of years as the power dynamics between individuals and organizations – especially those with AI-driven business models – are settled through court decisions and legislation. In the meantime, there is uncertainty about how organizations can maintain control over their intellectual property or whether their reputations will be tarnished if they use AI-created content. Current market dynamics incentivize platforms to rush to stake their claims to user data. In March, Zoom changed its terms of service in a way that appeared to permit it to harvest user data for AI training but later backtracked after users protested. In July, Google updated its privacy policy to allow the company to collect and analyze information people share for AI training, and it altered its policy to state that data scraped by its web crawler could also be used for AI training unless users opt-out. Those with access to valuable data will want to either put a price on it, as coding help website StackOverflow did by charging for its API access, or raise prices as X (formerly known as Twitter) did with its APIs. There may be a price on using data for AI training soon. Meanwhile, technology leaders at organizations must look at data security from a new perspective. Not only must they re-evaluate how sensitive their data is in light of AI training, but they should also get ahead of customer requests regarding personal data. Digital sovereignty is a two-way street and must be asserted and respected. How can you navigate this complex landscape of data privacy and AI copyright effectively? Let us know on FacebookOpens a new window , XOpens a new window , and LinkedInOpens a new window . We’d love to hear from you! Image Source: Shutterstock