Posts which are about the intersection of law and technology.

What the Supreme Court’s New Abortion Opinion Could Mean for Americans’ Privacy Rights – and Why It Matters

By: Maggie Shahrestani, Alex Shahrestani

The new case criticizes the legal method used to establish a Constitutional right to an abortion. But judges have used that same method to establish a right to privacy. Could overturning one eliminate the other?

Possibly. 

In early May of this year, a Supreme Court opinion leaked to the press before being finalized and published. Officially, the Court ruled in Dobbs v. Jackson Women’s Health, which concerns a Mississippi abortion law and whether it violates the Constitutional right to an abortion, on June 24, 2022. The final ruling looks broadly like the leaked draft, and the precedent set by past Supreme Court rulings – that women have an intrinsic right to an abortion prior to fetal viability – has been undone. There is no constitutional abortion right at all in the United States. Instead, abortion is just another policy matter decided by state and federal legislatures. 

Various media outlets have tackled questions about what this ruling could mean for access to abortions and its broader effects on marriage equality and LGBTQ+ rights. But perhaps less obviously, this case could cast doubt on Americans’ right to personal privacy.



 

Privacy: A Right Beneath the Surface

Strictly speaking, there is no overarching “right to privacy” in the Constitution. At least not explicitly in the text itself. Yet abortion cases like Roe and Casey, and the famous marriage equality case, Obergefell, depend heavily on a Constitutional right to privacy. If a privacy right is not explicitly stated in the document, how did the Justices find it there?

Without going too deep into the weeds, the short answer is they made an inference. Starting with a case in 1965, the Court inferred that certain explicitly stated rights – such as the right to refuse to house soldiers in your home, and protection from unreasonable searches and seizures – each assume and imply a zone of privacy around an individual’s home and personal life. The zone of privacy exists then, even though it’s not explicitly stated. It’s a right that lingers beneath the text of the Constitution.

Since that time, that Constitutional zone of privacy has been recognized and protected in cases touching on all kinds of issues, including whether parents have the freedom to educate their children as they see fit, whether states can prohibit the study of particular languages, and of course, whether there is a Constitutional right to an abortion.

Shaking the Foundations

In the opinion, Justice Alito broadly criticizes the Court’s tendency to recognize Constitutional rights that are not explicitly stated in the text of the document. The opinion calls Roe “remarkably loose in its treatment of the Constitutional text.” That scathing comment is aimed not just at the Roe Court’s identification of abortion rights, but at its identification of the essential underlying right to privacy. “It [the Roe Court] held that the abortion right, which is not mentioned in the Constitution, is part of a right to privacy, which is also not mentioned.”

The opinion, which reverses Roe on the issue of abortion rights, stops short of eliminating the privacy right. However, it is clear that the Court’s reasoning applies to all implicitly granted rights, and the opinion hints that any presumed Constitutionally-based right to privacy rests on shaky ground:

“Roe. . . was remarkably loose in its treatment of the constitutional text. It held that the abortion right, which is not mentioned in the Constitution, is part of a right to privacy, which is also not mentioned.”

“[The] Court found support for a constitutional ‘right of personal privacy,’ but it conflated two very different meanings of the term: the right to shield information from disclosure and the right to make and implement important personal decisions without governmental interference. Only the cases involving this second sense of the term could have any possible relevance to the abortion issue, and some of the cases in that category involved personal decisions that were obviously very, very far afield.”

In our view, the distinction the Court attempts to draw between snooping and meddling is a dangerous one. We go back to basics to explain why: What is privacy? Where should we draw the line between public and personal?

Why Privacy Matters

In the world of virtual work and the all-pervasive digital marketing machine, there is no shortage of hand-wringing about privacy rights. But what is rarely discussed is the fundamental question of why privacy matters so much. If we can better articulate the vague, slippery certainty we have that somehow privacy does matter, and matters deeply, then we are better equipped to draw the line between what belongs to everyone and what is rightfully hidden from the public eye.

So here is our attempt at an answer.

Our view is that privacy rights are synonymous with identity rights. The space elevated beyond intrusion is a space where a person can decide who they want to be. And in fact, that very right to choose who you want to be is useless – even nonexistent – without a protected space where you can explore and experiment. 

For example, if you come from a particular religious or philosophical background, it can be difficult or even damaging to explore opposing viewpoints with the participation of your local community. The outcome of your decision on how to process the additional information should be determined by your actual decision, not by the inferences which might be made by an outside observer. If your community is able to observe you throughout the learning process, there is much less room to question, explore, and grow.

Imagine getting dressed and doing your hair in the morning in front of the whole world. Imagine all your thoughts and ideas being on display to everyone, instead of just the ones you choose to share. Or if a writer could not delete or edit any of their work before publishing.

Just as a sculptor creates art by carving away material, we create ourselves by editing parts of our thinking, by crumpling up versions of ourselves and tossing them out. We are all more complicated, more blurry around the edges than the version of ourselves we share with the world. And the only reason we have the freedom to create ourselves is that we have a wall to hide behind. 

This brings us back to the Court’s dangerous distinction in Dobbs. 

Given this understanding of privacy as the ability to choose your identity, is there really a difference between the right to “shield information” and the right to make personal decisions without interference? We would argue that these are two sides of the same coin. To be watched is to be constrained. To be tracked is to be disrupted.

The Future of Privacy 

Where do we go from here? Is the writing on the wall for Americans’ constitutional right to privacy?

Not necessarily. The Alito opinion stops short of throwing out all rights that aren’t explicitly in the Constitution. Instead it cautions that the Court should have a high bar for such inferred rights, and it agrees with past rulings that there is a particular way to test for an implied right. 

Specifically, there are two questions to ask to determine whether a right can be inferred: One, is the right deeply rooted in U.S. history and tradition? And two, is it essential to the nation’s “scheme of ordered liberty”?

In the opinion, the abortion right does not meet that threshold. It is not deeply rooted in U.S. history and tradition; no state constitution ever contained such a right, and in fact most states outlawed abortion for a good portion of history. 

But privacy? That’s a whole different ballgame. As early as the 1740s, some English courts already recognized a right not to have one’s private papers seized by public authorities.

With a host of historical examples, it seems likely that the debate will not be over whether a privacy right exists at all, but rather over its scope. Does it cover privacy in the home only, or in the doctor’s office too? Does it prevent the government from spying on you? The right to make very personal decisions without government interference?

These questions will need answers in future cases. But regardless of where the courts end up landing, what seems certain to us is that privacy is in for a shake-up. And good news for U.S. history professors and graduate students everywhere – scholarship on the history of privacy will become very relevant in the American legal system.


Why Does Internet Privacy Matter

Cue up some Kenny Loggins and some teenage angst, and remember back to practicing dance moves in the mirror. You probably tried some moves you saw on MTV, some moves your best friend showed you, and tried some stuff you came up with on your own.

You probably did a lot of that behind closed doors, but why bother if you have nothing to hide?

Would it have been a big deal if your brother walked in on you and caught it on video? In the grand scheme of things, no, it wouldn’t have been. It’s not like your social security number or other sensitive personal information is being posted to Instagram. But let’s imagine things were slightly different. Instead of there being just a slight chance of someone walking in on you, it was a certainty. Even if you ultimately decided that you don’t care and are going to dance in front of the mirror anyway, you can still see how someone always watching could be a deterrent for others.

That’s why the fundamental right to privacy matters. Not just because you need to be able to test out your new moves before breaking them out on the dance floor, but for all of those little things you test out over the course of your life which ultimately add up to your identity. The right to privacy is the protection of an individual’s right to decide who they are.

You should be free to read a self-help book without family, friends, and strangers reading over your shoulder. You should have the space to figure out how to be a better father, how to be more outgoing, how to be more mindful. The less privacy you have (the more personal information others have access to), the less space to make those changes happen.

If you think about it, some of the greatest social changes have come about at least partially thanks to privacy. Without privacy, the American Revolution may not have happened. Without privacy, supporting the underground railroad would have been even more dangerous. Without privacy, there is less space for new ideas to breathe and gain support.

How to Protect Your Privacy as an Individual

So you’ve been convinced either thanks to, or in spite of, this article that privacy is an important right, and you probably want to know what steps you can take to keep your data privacy as intact as possible. There are a number of steps that you can take as an individual to protect your online privacy.

Use a VPN

When you’re at home, the use of a VPN is less likely to be useful. Where it’s going to be most effective for data protection is when you’re out and about connecting to public wifi networks. A VPN protects the contents of your traffic from people who would otherwise be able to snoop on that traffic, whether it’s a criminal, a government, or a corporation.

My favorite way to illustrate what a VPN does is the neighbor next door. If you and your neighbor stick your heads out the window and yell out to each other your plans for the weekend, anyone in the neighborhood who cares to listen can find out what those plans are. However, if you and your neighbor instead talk through cans attached by string, then people in the neighborhood might be able to see that you’re talking, but won’t be able to see what you’re talking about. The VPN is the can and the string for data security: it lets people know that you’re talking to someone, but that’s all.

Be Judicious About Installing Apps and Software

What you install matters. Permissions you grant to various vendors aren’t always just in your best interest. When you grant access to the files on your device, that access exists whether it is relevant to the software or not. While many apps and software packages will treat your devices with some dignity, many others will not prioritize data privacy.

Do some research before clicking on install. Have a trusted source you can look to for guidance on whether a particular piece of software or app is useful and trustworthy.

Use Trusted Browser Privacy Tools

Here’s a good chance for you to ask your trusted source for help. Get good ad and cookie blockers to bolster your online privacy protection. A cookie is a tiny file that your browser saves as a way to remind websites who you are. Most websites can’t work without cookies. A cookie lets you log in to your accounts and see your personal information. Without the cookie, the website wouldn’t know which computer to show your information to.

However, cookies can also be less useful to you, and more useful to other people. Some cookies collect information about every website you visit. Some cookies are there to give you personalized ads. And some cookies are collecting your data to sell it to others. Cookies are often served to your computer alongside ads, so a good cookie blocker can go a long way. Always get a recommendation from a source you trust, but an example solution would be Privacy Badger, by the Electronic Frontier Foundation.

Another type of privacy tool you can install is forced HTTPS browsing. HTTPS is the more secure version of HTTP. It kind of works like a VPN does, but on a slightly weaker level. In the VPN analogy, using the cans connected with strings would only let people see that your house is communicating with another house. With HTTPS, while an eavesdropper would not be able to understand the content of your conversation, they would be able to tell which people in the houses were talking. While a VPN might seem like a catch-all, having an HTTPS tool can supplement the security of the VPN. There are a number of ways to accomplish forced HTTPS, but one example solution is HTTPS Everywhere, also by the Electronic Frontier Foundation.

Don’t Take Quizzes that Require a Facebook Login

You might see a fun quiz floating around your social media feed to find out which Game of Thrones character you are, or what dog breed is most like you. If it asks you to log in using a social media profile before you can take the quiz or see your answers, there’s a good chance that the quiz exists solely to get personal information about you and has little concern for your personal data. Not only are you giving the company basic personal information from your profile, but you are also answering a lot of questions which can give data brokers insight into you as a person. While those insights are often used for presenting relevant advertisements, they can also be used to provoke emotional responses and take advantage of vulnerable populations.

Scrub Your Devices and Accounts from Time to Time

Every once in a while, look through all of the apps on your phone or computer, and remove any software that you haven’t used in a while. That app that you installed to set up your Austin City Limits schedule is not necessary the other 362 days of the year; delete it for now. Leaving unused apps and software installed on your device provides an insight into your life for companies who are not currently offering you any benefit. You’ll also get the bonus of keeping your device uncluttered and performing at a better clip.

If you often log in to websites or apps using Google, Facebook or some other social profile, then go to your relevant account settings and remove authorization for apps and services that are no longer relevant to you. Here are some links where you can review and remove logins for some of the standard social profiles:

Phew! Wow, okay, you’re a few steps closer to ensuring your personal privacy! Yay! Now, how do you go about ensuring your company is protective of the personal privacy of its clients, customers, users or employees?

How to be Protective of Privacy as a Business

When you run a business, you control what privacy options are available to people who interact with it. There are some contexts in which you must share data on people. Whether it’s necessary to perform some function, part of the sale of a business, or some other reason, there are plenty of legitimate, consumer-friendly ways to share people’s data. Here are some things you can do to ensure people’s data is treated with respect and simultaneously improve your privacy practices and risk management.

Offer a Lot of Options

There are a number of reasons why customers, users, or employees might share different kinds of personal data with you, and there are a number of reasons why they might change their mind. When building out your processes and services, try to integrate personal choice into the mix. For example, give people a privacy settings dashboard where they can delete, change, or add information about themselves, and give them those options for each individual piece of information. You can also give them choices in your privacy settings about what happens with their data. If you offer marketing emails, give them a way to easily opt out of those emails. Try to think of ways to allow people to easily pop in and out of your system in a variety of circumstances to give them control over their personal information.

Be Privacy-Minded when Using Third-Party Services or Bringing on Partners

Think of all of the services which make your company possible: you probably have an internet service provider, an email server, a database provider, a CRM tool, and more. When you take on a partner to help run your business, you are trusting those partners with your data. Make sure that the partners you choose provide at least as much respect for personal data as your own company does. Make sure that they are using appropriate security measures to prevent unauthorized disclosures of people’s data. Look into whether they have had any security breaches or big privacy scandals in recent years. It’s all fairly straightforward stuff; it just needs to be on your radar.

Take Only What You Need

There are pieces of information that are necessary for providing services to people, such as an email address. But there’s a lot of information that just isn’t necessary to run your brand effectively. You might be tempted to gather more information than you need just in case, or you might be gathering data that used to be integral and no longer has a purpose. Every once in a while, have a team meeting and ask yourselves, what data do we actually need? Practice good risk management: toss the stuff that isn’t necessary for business or legal reasons. You can’t accidentally mishandle it if you don’t have it in the first place.

Stay Informed

The tech landscape is changing every day. New tools, new methods, and new laws to deal with privacy are always arising, so what worked last year may not be enough this year. Keep up to date with what’s going on in the world of privacy by following updates to the legal system, podcasts, and blogs (like this one). If keeping up to speed on privacy is outside of your wheelhouse, find someone to help. Privacy rights are identity rights, and data should be treated with dignity.


What Data Privacy Laws Usually Cover

Businesses are subject to a patchwork of state laws regulating the use of personal information. If your company collects private info like bank account numbers, credit card numbers, drivers’ licenses, social security numbers, or even usernames and email addresses, these laws may apply to you. 

As a practical matter, you probably don’t need to worry about a specific state law until you’re collecting personal data from a meaningful number of that state’s residents. 

Still, being aware of what these laws generally require can help you stay compliant as your business expands.

Here’s a high-level look at the major types of data privacy laws:

Security: Protect Personal Information 

With this type of privacy law, the state’s concern is that companies that collect sensitive personal information protect that data from breaches. Make sure you’re adopting reasonable safeguards to protect the security and confidentiality of your customer and employee data. 

What constitutes reasonable? Do a risk assessment, take demonstrable steps to protect private information, and periodically delete information you no longer need. Use complex passwords and/or set up SSH keys or dual authentication. Consider getting a cybersecurity policy in place and training employees on the importance of data protection. You need to make a genuine effort to protect customer data. 

Notice: Tell Customers When You Get Hacked

These laws require that companies inform customers when their private data may have been compromised in a security breach. Some laws also require notice to the state Attorney General’s office. For example, North Dakota’s privacy law requires a company to inform the AG if more than 250 people were affected by a breach.

Transparency: Disclose How You Use Personal Information

These types of laws require you to inform customers how their personal information is being used. For example, California’s recent data privacy act, the CCPA, requires companies to tell customers if their data is being sold. Post a privacy policy on your website that describes how you are using customer data, and make sure it stays updated. If your actual practices don’t line up with what you say in your privacy policy, you could be the target of an enforcement action by the FTC.

Control: Let Customers Control Their Personal Information

This is the most progressive of the three types of law. Two examples are the GDPR and the CCPA. So far, it’s the least common type of privacy protection, but these two laws apply broadly, including to companies not operating in either the EU or California. This type of law allows customers to tell companies not to sell their personal information. For example, the CCPA requires a link customers can click which says, “Do Not Sell My Data.” Nevada’s data privacy law requires companies to have a point of contact customers can reach out to with a similar request. It’s early days for these laws, but if implementation goes well over the next couple of years, expect to see more just like them.


5 Easy Ways to Protect Yourself From Ransomware Attacks

A ransomware attack took down the Texas appellate court system, shutting down the entire case management system, blocking court offices from accessing the internet, and potentially encrypting or blocking access to other data as well.

This state court ransomware attack was one of three major attacks on Texas infrastructure in the past year alone. The Texas Department of Transportation was also hit just a few days after the courts’ systems were compromised, and over twenty Texas towns suffered a similar attack in late summer of 2019.

What is Ransomware?

Ransomware is what it sounds like: malware used to make ransom demands. This software exploits security holes to take over computer systems and holds data hostage, either by encrypting it or by blocking user access, until the user pays a demanded sum. Once it infects one computer, the ransomware can travel to other computers through the internet and cloud-based file sharing programs. That’s why cyber criminals will often target large organizations to take advantage of the network and infect as many computers as possible.

How to Avoid An Attack

Ransomware protection doesn’t need to be hi-tech. In fact, a lot of ransomware protection measures have few technical requirements. This list will help you get started as you develop your cybersecurity and ransomware protection habits.

Keep systems up to date 

Your number one defense is making sure you keep your operating system and anti-virus security software updated to the latest version. Malicious actors tend to exploit weaknesses in your systems, and software providers, including providers of security software, put out security patches precisely to fix those security gaps as they find them. For instance, the WannaCry attack in 2017, which hit more than 200,000 computers, targeted machines that hadn’t installed the most recent Windows update; computers with the newest update were protected.

Be a cautious and savvy internet user 

One way malicious actors attack computers is by getting users to click on a link or email attachment that triggers a ransomware infection download. In what’s called a phishing attack, they’ll email you from what looks like a legitimate organization, such as a business associate or vendor, and ask you to click on the link in the email to do something that seems normal, such as verify payment information, or register to take advantage of a discount. But as soon as you click, the malicious software download starts. The same can be true of popups online.

To avoid accidentally installing malware, avoid clicking on pop-ups online or links or attachments (even if it is a PDF attachment or other familiar file extension) from suspicious emails or emails from unfamiliar parties. Keep an eye out for typos and grammatical errors in the body of emails (which may indicate that they come from a bad actor). Verify that the domain name in the sending email is a valid company or website. Additionally, when a company reaches out asking for information, ignore the request and contact them independently to verify the source.

Think you can identify phishing attacks?


Try this free quiz from Google.

Use strong and varied passwords 

Apart from phishing attacks, malicious actors sometimes engage in brute force password attacks, which basically involve trying as many passwords as possible to break into your system. According to research by one cybersecurity company, nearly a third of ransomware attacks are conducted using brute force techniques.

It may seem like too basic a step to be effective, but actually using a different, hard-to-remember and hard-to-guess password for each of your logins can be a very effective way to thwart these attacks. Try making your password a sentence or phrase rather than just a word, and check out password generators and password managers as options to keep your data safe.

Back up your data 

Periodically back up your data to an external drive, and keep that drive unplugged from your computer when you aren’t updating it, so that you have the option of a system restore point. If ransomware takes over your computer, you’ll need to disconnect your device from the internet and completely wipe the device. If you’ve backed everything up, you’ll be able to do a system restore and access most of your files!

Compartmentalize your organization 

Ransomware spreads from one device to another over the internet and, within companies’ private servers, over file sharing services. To mitigate the effects of an attack, try to compartmentalize data: limit file access to those who absolutely need it. For particularly sensitive departments or roles, like accounting and CFO, you might even consider having two company computers: one that’s used to access company accounts and banking information, and which is on its own Virtual Local Area Network, or VLAN (meaning it doesn’t communicate or share information with the rest of the company network), and another used for normal day-to-day work. This type of segmentation can help prevent ransomware from spreading from an infected computer to your entire network.


The Risks of Social Media in the Hiring Process

When you set out to hire someone, it makes sense that you gather as much information about them as possible. Not just professional qualifications, but also personal information like their interests and passions, may influence your subjective decision about whether they’ll be a good fit for your company. After all, hiring and training require a lot of your company’s resources, so you have every right to do your due diligence and increase the odds that your new hire will (1) be able to do the job, and (2) stick around for long enough to make the onboarding costs worthwhile.

However, you can get into some sticky situations when you start perusing a potential hire’s social media accounts. Scrolling through someone’s Facebook or YouTube channel may give you more insight into their personality, but it could also give you some information you’re better off not having. 


Yes, Employees Do Have (Some) Privacy Rights


When it comes to privacy at work, employees really don’t have much. The protections available under federal and state law generally don’t apply in the private workplace. That’s in part because there are good reasons for companies to monitor work-related communications. For instance, customer service: you may want to make sure that customers are having quality phone experiences with your sales representatives. Or liability: reviewing employee emails may help you spot and address criminal activity or workplace bullying sooner rather than later.

Still, employers don’t have a free pass to listen in on any and every conversation at work. Here are some high-level guidelines for what is and isn’t allowed in Texas.

Invasion of Privacy Claims

When you listen in on employee phone calls, monitor their email, or search their workspace, you risk what’s called an “intrusion on seclusion” lawsuit. Basically, the employee could sue you for intruding on their private affairs if (1) you as the employer purposefully intruded, and (2) the intrusion would be “highly offensive” to a reasonable person.

Obviously this isn’t the clearest guidance in the world. Whether or not the intrusion is offensive depends a lot on the context.

For a good business reason, you can probably:

  • monitor work email on a work computer
  • monitor work phone calls on a company phone

It’s less clear whether you can:

  • monitor personal email on a work computer
  • monitor work calls on a personal phone
  • look at your employees’ social media accounts (from a liability standpoint, it’s much safer not to)

You definitely can’t:

  • listen to personal calls on a work or personal phone (note: If you’re monitoring a company phone line to prevent personal calls at work, you need to stop listening right away once you know the call is personal.)
  • monitor personal email on a personal computer

If you’re looking to do something in that middle, gray area, you should consult an attorney. And no matter what you’re looking to do, clearly communicate to your employees where they do and do not have an expectation of privacy — and then stick to that promise.

The Bottom Line

If the situation or conversation is clearly personal, and there’s no good business reason for you as the employer to know about it, give your team their privacy. 

On the other hand, if you have a good business reason for monitoring certain communications, and the average person would sort of expect the company to keep an eye on those communications, you’re probably good to listen in. 

No matter what, just make sure you let employees know up front that those communications may be monitored, preferably in a policy that is distributed and signed by everyone on your team. That, together with limiting any monitoring activities to the bare minimum required to achieve your purpose, is your best defense against invasion of privacy lawsuits. Not to mention your better bet for a happy, healthy workplace.

Stay tuned for another post on a tricky privacy issue: social media and hiring practices.

Dealing with Public Scrutiny: Has Zoom Gotten It Right?

Video conferencing software company Zoom has been featured in the news for misleading claims that it provides “end-to-end encryption” for users. As it turns out, it does no such thing. The level of encryption it provides is actually much more standard, basically the same protection you get when browsing the internet.

This revelation has put Zoom in the national hot seat, just as its product has become the go-to remote work tool during Covid-19. What lessons can we learn from Zoom’s current predicament?

“Don’t wait until the whole country
is using your product to start crossing
your t’s and dotting your i’s.”

1. It’s never too early to do things the right way.

Zoom was founded in 2011 and hit $151 million in revenue by the end of 2018. In 2019 they went public. Yet Zoom only just hired its global compliance officer a couple months ago. Compliance professionals will tell you that your best bet to mitigate risk is to incorporate the value of ‘doing things right’ into your company culture. And as every business owner knows, you start building your culture from day one.

Don’t wait until the whole country is using your product or service to start crossing your t’s and dotting your i’s. Decide now to value compliance. It’ll be easier and cheaper to put controls in place early and build them out as your business scales up.

2. Apologize, Apologize, Apologize

On April 1, Zoom published a blog post apologizing for incorrectly (and misleadingly) using the term end-to-end encryption. The post also provided a little more clarity on Zoom’s real level of security. The same day, Zoom’s CEO also wrote a post taking responsibility for Zoom’s mishandling of user data: “we recognize that we have fallen short of the community’s – and our own – privacy and security expectations. For that, I am deeply sorry”.

If you’ve missed the mark on something, and the public finds out, you may be tempted to defend your decisions. You’re working with limited resources and competing priorities, after all. Something was bound to slip through the cracks!

Resist that temptation. No matter how good your reasons, they won’t translate well to the public. Instead, make a sincere apology. It’ll go a lot farther in the long run.

3. Publicly Commit to Improve — and Follow Through!

Zoom has publicly committed to a number of steps, including devoting all engineering resources to privacy and security, publishing a transparency report, consulting with third-party data security experts, and forming a certified information security officer (CISO) council to spot and address problems proactively.

This is exactly the kind of detailed, public accountability every company should embrace when they’re trying to fix a systemic issue. By delivering a plan to the community — with a 90-day timeline — Zoom has put itself in a position where failure to deliver on these promises could deal a huge blow to its reputation. Of course this is risky, and it’s important to pick a feasible timeline, but this is an excellent way to get back on track when you’ve lost some of your customers’ trust.

The Upshot

Zoom is still dealing with the fallout of its privacy failure. It’s still getting negative press coverage and may even face an FTC enforcement action. As a business owner, don’t make the same mistake: get your house in order now. Get a bare-bones compliance program in place that can grow with you. And when something does fall through the cracks, apologize and put things right as quickly and transparently as possible.

Secure Your Data While Working from Home

In these strange times, many businesses are having to adapt to remote work for the first time. Now that we’re a couple weeks into this new normal, hopefully you’ve figured out processes for getting the mail, collaborating with team members, and coordinating to get documents signed and notarized. Maybe you’re starting to settle into the reality of an all-remote, all the time, workforce. 

If so, don’t forget to address one more desperately important issue that may have been overlooked in the chaos of these last few weeks: system security.

Security Basics

Since the start of Covid-19, phishing and cyber crime have increased exponentially. Bad actors may target your systems for a number of reasons: to steal data, to damage company operations or reputation, or even to hijack your computers for use in an attack on someone else. Hopefully you have a cybersecurity policy and an incident response plan in place to mitigate and respond to those risks.

However, the new work from home setup may be creating new weak spots for hackers to exploit. Here are some simple steps to keep your remote workplace secure:

1. Secure Home WiFi Systems

Hackers can break into an employee computer using their home WiFi network. Make sure all your WFH employees have:

  • Changed the default password for their router to something secure (we recommend using a secure password generator), and
  • Changed the default name of their WiFi network. 

2. Use a VPN

A Virtual Private Network is a secure way to access the internet. It encrypts data so that even if a bad actor intercepts your WiFi signal, they’re less likely to be able to actually see any information that you’re sending or receiving over the internet. This is particularly useful when using public WiFi networks, such as at a coffee shop, but having employees use it when working from home means you don’t have to be as worried about their home WiFi security.

3. Vet New Software

Vet any software you’re using for remote collaboration, like Zoom or Skype, to make sure the providers don’t monitor or record your conversations and that they themselves have adequate security. If a hacker breaks into the software provider, they’ll have an open lane into your computers as well. 

4. Limit Access

When transitioning to WFH, you may have shared remote files with all employees. Now’s the time to go in and claw back access to folders that employees don’t need. Each employee should only have access to the files they absolutely need to do their work. That way, if one computer does get compromised, the hacker only has access to some of your company’s information, not all of it.

5. Warn Employees

Make sure employees are on guard against phishing attacks. The FTC provides a useful guide on avoiding phishing attacks here. If you’re a Promise Legal client, you may also be eligible for some free vulnerability testing and monitoring to help gauge your level of risk.

Don’t have a cybersecurity policy yet? Consider the benefits of being prepared.

Facebook does (not?) have my permission!

Have you seen this kind of post floating around on your Facebook feed?

I do not give Facebook or any entities associated with Facebook permission to use my pictures, information, messages or posts, both past and future. With this statement, I give notice to Facebook it is strictly forbidden to disclose, copy, distribute, or take any other action against me based on this profile and/or its contents. The content of this profile is private and confidential information. The violation of privacy can be punished by law (UCC 1-308- 1 1 308-103 and the Rome Statute. NOTE: Facebook is now a public entity. All members must post a note like this. If you prefer, you can copy and paste this version. If you do not publish a statement at least once it will be tacitly allowing the use of your photos, as well as the information contained in the profile status updates. FACEBOOK DOES NOT HAVE MY PERMISSION TO SHARE PHOTOS OR Messages.

Sharing this message seems legal and important (it mentions laws!), but I’m sorry to tell you, it doesn’t do anything.

Why doesn’t it do anything? For an agreement to mean anything, both parties have to accept the terms of the agreement. When you post to Facebook, Instagram, or wherever, the company you are posting to is not doing anything to accept your “terms.” The terms that the both of you agreed to are the terms you accepted when you signed up for the platform. Remember those? 

Occasionally, you get an email saying that the terms have been updated, so why can’t you do the same thing when you post to your profile? Because when you signed up for the service and accepted the terms, you agreed that they can change the terms, give you notice, and bind you to the terms – the service made no such promise to you.

What You CAN Do to Protect Your Data

So what options do you have? First, you can delete your account. Depending on the service, they may have the right to whatever data you have shared with them up to that point, but it prevents them from getting any of your new content. That’s your best option for being certain they don’t have your info.

Second, you can take advantage of the account settings provided by the social media platform to restrict the use of your data. For example, you can turn off location access or remove your search history in your Facebook account settings.

Third, you can use browser extensions to prevent trackers from following you around the rest of the internet. The Electronic Frontier Foundation has a series of tools that can help you get started. 

So next time Grandma tells Facebook off – using Facebook – you can help her take actual steps to protect her privacy.

Types of Algorithmic Bias

There are various kinds of algorithmic bias, or rather, various ways in which algorithmic bias manifests itself. There are three avenues by which algorithmic bias can occur, and each must therefore be addressed.

Pre-existing

Pre-existing algorithmic bias is the codification of already-present biases (1). If a system designer has a real prejudice that they want to implement into a technological solution, that would be an instance of pre-existing algorithmic bias. Another such instance would be the inclusion of an implicit bias into the system, something that the system designer is not cognizant of as a cause of discrimination. Pre-existing algorithmic bias means a bias that would exist regardless of the algorithmic solution, but the algorithm incorporates that bias into its processes.

Technical

Technical algorithmic bias is the bias that occurs due to the technical limitations of actually presenting the data (2). If an employer is presented top candidates for a position in a structured order not based on scoring, then candidates are either going to be advantaged or disadvantaged: the first name on a list of top candidates will have a significant advantage over those at the bottom of the list. Another example could be that the data gathering mechanism is most robust on the most advanced phones on the market, and the others have a reduced data-set. Technical bias problems reflect a serious difficulty in being objective in presenting results.

Emergent

Emergent algorithmic bias is the development of new biases or new understandings of biases as technology develops (3). For example, if audiobooks became so popular a method of consuming literature that published books were made obsolete, then the deaf population would be negatively impacted. A different example would be the development of a new trend in society which has not been accounted for in creating processes for sorting big data — such as a demographic survey not reflecting third options for gender identifiers following a better social awareness around gender identities.

Current Examples of Algorithmic Bias

Algorithmic bias isn’t a theoretical problem. There are instances of actual bias being implemented right now, and algorithmic bias can often fall under the protections of the disparate impact legal doctrine.

Chicago Police Department’s Heat List

The Chicago Police Department has turned towards a predictive policing initiative in order to reduce gun violence (4). The CPD is using a technology that takes various, unknown factors into account, runs those factors through an algorithm, and scores people as part of a “heat list.” Oftentimes, those on the heat list are then directly communicated with by the CPD to notify them that they are on the CPD’s radar as people to watch. The people on the heat list are either invited to a community meeting, notified through communications, or are told in person at their homes. The software’s variables as well as the maker of the software are completely unknown and unexamined; all that has been revealed is that criminal history, known criminal associates, and whether you have been the victim of a crime are somehow included in the process. Given the serious nature of the consequences of a computer program determining who is most likely to become a criminal, it was inevitable that a lawsuit would emerge in order to determine the underlying processes for the program. The Chicago Sun-Times has filed a lawsuit in Cook County’s Court of Chancery under the Freedom of Information Act to find out the nature of the algorithm, the maker of the algorithm, and the race of each person on the list, among other factors (5). The CPD refused the initial FOIA request, claiming it would be “unduly burdensome” to provide those details. Clearly, the Chicago Sun-Times is suspicious of the discriminatory impact that could face Chicago residents due to this program.

Statistics have shown that Black communities have a higher incidence of poverty and crime, and if being a known associate of someone who has been convicted of a crime is a factor in these heat lists, then Black communities will be disproportionately singled out by these heat lists. If it cannot be shown that there is a high accuracy of identifying criminals beforehand, then the undue attention to these identified citizens should be stopped. However, there is a larger problem. Perhaps police officers are first looking at suspects who are on the heat lists, or even identifying suspects solely through the heat lists. This could lead to a conviction or even just a guilty plea because an undue amount of trust is placed in these systems, and police officers end up attempting to rationalize a person’s activity into being part of a given crime. Then, the accuracy of the system goes up, feeding into the confidence of officers in the system and further punishing communities who have been initially identified by the system.

Credit Scores

The same problems with confirmation bias can occur within other contexts. Credit scores often reflect a class division along racial lines (6). Some credit scoring systems look to the personal relationships of a particular person in order to determine whether they associate with people who pay back their loans on time. The more people they associate with who are good borrowers, the higher the inferred likelihood that the person will also be a good borrower. However, many minority groups are more likely to have a lower credit score (7). A member of a minority is likely to begin with a lower credit score based on being a member of that group because one’s associations are likely to be largely composed of one’s own ethnic group, even though the score doesn’t directly consider race as a factor. 

Air BnB

Discriminatory practices can take a more subtle form, when the discrimination is merely being enabled by the provider. Such is the case with AirBnB, where users were discriminatorily rejecting accommodation to other users on the basis of race, unintentionally enabled by the online platform. AirBnB and others in the same position could easily be motivated to serve the discriminatory interests of their user base: happy users lead to more sales and more revenue.

Facial Recognition Technology

Facial recognition technology has a difficult time identifying black people (8). In addition to disrupting face swaps on Snapchat, it causes foundational problems for technology that utilizes facial recognition. For example, as self-driving cars loom, society has grappled with the problem of who the car will opt to save in case of a crash (9). It is a given that the car will make decisions based on many factors, including the number of people at risk given a particular course of action. If the car is unable to recognize the actual number of people at risk because it can’t recognize black faces riding in a passenger vehicle, then the number of black people who die in unavoidable car accidents will be higher than lighter skinned people.


  1. http://www.nyu.edu/projects/nissenbaum/papers/biasincomputers.pdf
  2. http://www.nyu.edu/projects/nissenbaum/papers/biasincomputers.pdf
  3. http://www.nyu.edu/projects/nissenbaum/papers/biasincomputers.pdf
  4. http://time.com/4966125/police-departments-algorithms-chicago/
  5. https://drive.google.com/file/d/0B1_UcIgpv9WHUk1fT1FNd09na1RjMHJUUkowZloxaHVBQlg0/view
  6. https://www.theatlantic.com/technology/archive/2016/12/how-algorithms-can-bring-down-minorities-credit-scores/509333/
  7. https://www.federalreserve.gov/boarddocs/rptcongress/creditscore/creditscore.pdf at O-13
    • “Differences in credit scores among racial or ethnic groups and age cohorts are particularly notable because they are larger than for other populations. For example, the mean normalized TransRisk Score for Asians is 54.8; for non-Hispanic whites, 54.0; for Hispanics, 38.2; and for blacks, 25.6 (figure )-1). Credit scores by age increase consistently from young to old: The mean TransRisk Score for individuals younger than age 30 was 34.3; for those aged 62 or older, it was 68.1”
  8. http://www.pbs.org/wgbh/nova/next/tech/ai-bias/
  9. http://science.sciencemag.org/content/352/6293/1573