Computer Law & Security Review最新文献

{"title":"When non-consensual intimate deepfakes go viral: The insufficiency of the UK Online Safety Act","authors":"Beatriz Kira","doi":"10.1016/j.clsr.2024.106024","DOIUrl":"10.1016/j.clsr.2024.106024","url":null,"abstract":"<div><p>Advancements in artificial intelligence (AI) have drastically simplified the creation of synthetic media. While concerns often focus on potential misinformation harms, ‘non-consensual intimate deepfakes’ (NCID) – a form of image-based sexual abuse – pose a current, severe, and growing threat, disproportionately impacting women and girls. This article examines the measures implemented with the recently adopted Online Safety Act 2023 (OSA) and argues that the new criminal offences and the ‘systems and processes’ approach the law adopts are insufficient to counter NCID in the UK. This is because the OSA relies on platform policies that often lack consistency regarding synthetic media and on platforms’ content removal mechanisms which offer limited redress to victim-survivors after the harm has already occurred. The article argues that stronger prevention mechanisms are necessary and proposes that the law should mandate all AI-powered deepfake creation tools to ban the generation of intimate synthetic content and require the implementation of comprehensive and enforceable content moderation systems.</p></div>","PeriodicalId":51516,"journal":{"name":"Computer Law & Security Review","volume":"54 ","pages":"Article 106024"},"PeriodicalIF":3.3,"publicationDate":"2024-07-27","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://www.sciencedirect.com/science/article/pii/S0267364924000906/pdfft?md5=e8c861b6693900d176a62ac2f6801b2e&pid=1-s2.0-S0267364924000906-main.pdf","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"141954621","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":3,"RegionCategory":"社会学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"The blocking of Booking/Etraveli – When the first victim of EU's anti-US tech stand was a European","authors":"Dr. Christian Bergqvist","doi":"10.1016/j.clsr.2024.106025","DOIUrl":"10.1016/j.clsr.2024.106025","url":null,"abstract":"<div><p>It came somewhat unexpected when Dutch <em>Booking</em>'s acquisition of Swedish <em>Etraveli</em> was blocked in the EU as the parties operated in two separate segments of the online economy, hotel accommodation and flight booking, making the merger unproblematic under normal circumstances. However, in the digital economy, nothing is normal as enforcement has tightened, mostly vis-à-vis US tech giants but apparently also vis-à-vis European undertakings. Interestingly, customers' unwillingness to shop around for offers, as otherwise accepted by, e.g., the UK authority, played a role in the outcome. The decision has been challenged before the EU's General Court, providing a case to watch.</p></div>","PeriodicalId":51516,"journal":{"name":"Computer Law & Security Review","volume":"54 ","pages":"Article 106025"},"PeriodicalIF":3.3,"publicationDate":"2024-07-26","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://www.sciencedirect.com/science/article/pii/S0267364924000918/pdfft?md5=988f2f479691439097c5872023c102cd&pid=1-s2.0-S0267364924000918-main.pdf","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"141953090","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":3,"RegionCategory":"社会学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Better alone than in bad company: Addressing the risks of companion chatbots through data protection by design","authors":"Pierre Dewitte","doi":"10.1016/j.clsr.2024.106019","DOIUrl":"10.1016/j.clsr.2024.106019","url":null,"abstract":"<div><p>Recent years have seen a surge in the development and use of companion chatbots, conversational agents specifically designed to act as virtual friends, romantic partners, life coaches or even therapists. Yet, these tools raise many concerns, especially when their target audience is comprised of vulnerable individuals. While the recently adopted AI Act is expected to address some of these concerns, both compliance and enforcement are bound to take time. Since the development of companion chatbots involves the processing of personal data at nearly every step of the process, from training to fine-tuning to deployment, this paper argues that the General Data Protection Regulation (“GDPR”), and data protection by design more specifically, already provides a solid ground for regulators and courts to force controllers to mitigate these risks. In doing so, it sheds light on the broad material scope of Articles 24(1) and 25(1) GDPR, highlights the role of these provisions as proxies to Fundamental Rights Impact Assessments (“FRIAs”), and peels off the many layers of personal data processing involved in the companion chatbots supply chain. That reasoning served as the basis for a complaint lodged with the Belgian data protection authority, the full text and supporting evidence of which are provided as supplementary materials.</p></div>","PeriodicalId":51516,"journal":{"name":"Computer Law & Security Review","volume":"54 ","pages":"Article 106019"},"PeriodicalIF":3.3,"publicationDate":"2024-07-25","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"141953089","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":3,"RegionCategory":"社会学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Critical points for the processing of personal data by the government: An empirical study in Brazil","authors":"Núbia Augusto de Sousa Rocha ,&nbsp;Alexandre Nascimento de Almeida ,&nbsp;André Nunes ,&nbsp;Humberto Angelo","doi":"10.1016/j.clsr.2024.106023","DOIUrl":"10.1016/j.clsr.2024.106023","url":null,"abstract":"<div><p>The General Law for the Protection of Personal Data (LGPD), issued in Brazil in August 2018, establishes as one of the legal bases for the processing of personal data the execution of public policies by the State. A systematic review of the literature identified the existence of six critical points that represent challenges for public managers in the elaboration and implementation of policies that require the processing of personal data. The objective of this research is to establish the levels of criticality of the factors identified by the literature review, as well as to verify the existence of other critical points on which the literature has not yet advanced. To this end, a group of 11 specialists was selected to participate in the research that used the Delphi Method, a technique that consists of applying a set of questionnaires sequentially and individually, in order to establish a dialog between the participants and build a collective response. The results indicate a coherence between what was verified in the theory and the perception of the specialists. Another 10 critical points for the processing of personal data by the government were mentioned by the participants. In general, the main elements of tension identified addressed the lack of training of public officials and the sharing of personal data.</p></div>","PeriodicalId":51516,"journal":{"name":"Computer Law & Security Review","volume":"54 ","pages":"Article 106023"},"PeriodicalIF":3.3,"publicationDate":"2024-07-24","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"141951122","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":3,"RegionCategory":"社会学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Data sovereignty and data transfers as fundamental elements of digital transformation: Lessons from the BRICS countries","authors":"Luca Belli ,&nbsp;Water B. Gaspar ,&nbsp;Shilpa Singh Jaswant","doi":"10.1016/j.clsr.2024.106017","DOIUrl":"10.1016/j.clsr.2024.106017","url":null,"abstract":"<div><p>When talking about digital transformation, data sovereignty considerations and data transfers cannot be excluded from the discussion, given the considerable likelihood that digital technologies deployed along the process collect, process and transfer (personal) data in multiple jurisdictions. An increasing number of nations, especially those within the BRICS grouping (Brazil, Russia, India, China, and South Africa) are developing their data governance and digital transformation approaches based on data sovereignty considerations, deeming specific types of data as key strategic and economic resources, which deserve particular protection and that must be leveraged for national development. From this perspective, this paper will try to shed light on how data sovereignty and data transfers interplay in the context of digital transformations. Particularly, we will consider the various dimensions that compose the concept of data sovereignty and will utilise a range of examples from the BRICS grouping to back some of the key considerations developed with empirical evidence. We define data sovereignty as the capacity to understand how and why (personal) data are processed and by whom, develop data processing capabilities, and effectively regulate data processing, thus retaining self-determination and control. We have chosen the BRICS grouping for three reasons. First, research on the grouping's data policies and digital transformation is still minimal despite their leading role. Second, BRICS account for over 40 % of the global population, or 3.2 billion people (which can be seen as 3.2 billion “data subjects” or data producers, depending on perspective, thus making them key players in data governance and digital transformation. Third, the BRICS members have realised that digital transformation is essential for the future of their economies and societies and have shaped specific data governance visions which must be considered by other countries, especially from the global majority, to understand why data governance is instrumental to foster thriving digital environments.</p></div>","PeriodicalId":51516,"journal":{"name":"Computer Law & Security Review","volume":"54 ","pages":"Article 106017"},"PeriodicalIF":3.3,"publicationDate":"2024-07-23","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"141960829","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":3,"RegionCategory":"社会学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Open Banking goes to Washington: Lessons from the EU on regulatory-driven data sharing regimes","authors":"Giuseppe Colangelo","doi":"10.1016/j.clsr.2024.106018","DOIUrl":"10.1016/j.clsr.2024.106018","url":null,"abstract":"<div><p>After representing the main country embracing a market-led approach to Open Banking, the U.S. is on the verge of switching to a regulatory-driven regime by mandating the sharing of financial data. Relying on the Section 1033 of the Dodd-Frank Act, the Consumer Financial Protection Bureau (CFPB) has, indeed, recently proposed a rulemaking on “Personal Financial Data Rights.” As the U.S. is, therefore, apparently following the EU, which has been at the forefront of the government-led Open Banking movement, the paper aims at analyzing the CFPB's proposal by taking stock of the EU experience. The review of the EU regulatory framework and its UK implementation provides useful insights about the functioning and challenging trade-offs of Open Banking, thus ultimately enabling us to assess whether the CFPB's proposal would provide significant added value for innovation and competition or would rather represent an unnecessary regulatory burden.</p></div>","PeriodicalId":51516,"journal":{"name":"Computer Law & Security Review","volume":"54 ","pages":"Article 106018"},"PeriodicalIF":3.3,"publicationDate":"2024-07-17","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"141637504","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":3,"RegionCategory":"社会学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Algorithmic proxy discrimination and its regulations","authors":"Xi Chen","doi":"10.1016/j.clsr.2024.106021","DOIUrl":"https://doi.org/10.1016/j.clsr.2024.106021","url":null,"abstract":"<div><p>As a specific type of algorithmic discrimination, algorithmic proxy discrimination (APD) exerts disparate impacts on legally protected groups because machine learning algorithms adopt facially neutral proxies to refer to legally protected features through their operational logic. Based on the relationship between sensitive feature data and the outcome of interest, APD can be classified as direct or indirect conductive. In the context of big data, the abundance and complexity of algorithmic proxy relations render APD inescapable and difficult to discern, while opaque algorithmic proxy relations impede the imputation of APD. Thus, as traditional antidiscrimination law strategies, such as blocking relevant data or disparate impact liability, are modeled on human decision-making and cannot effectively regulate APD. The paper proposes a regulatory framework targeting APD based on data and algorithmic aspects.</p></div>","PeriodicalId":51516,"journal":{"name":"Computer Law & Security Review","volume":"54 ","pages":"Article 106021"},"PeriodicalIF":3.3,"publicationDate":"2024-07-14","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"141606221","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":3,"RegionCategory":"社会学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Ontological models for representing image-based sexual abuses","authors":"Mattia Falduti,&nbsp;Cristine Griffo","doi":"10.1016/j.clsr.2024.105999","DOIUrl":"https://doi.org/10.1016/j.clsr.2024.105999","url":null,"abstract":"<div><p>In recent years, there has been extensive discourse on the moderation of abusive content online. Image-based Sexual Abuses (IBSAs) represent a type of abusive content that involves sexual images or videos. Platforms must moderate user-generated online content to tackle this issue effectively. One way to achieve this is by allowing users to report content, which can be flagged as abusive. In such instances, platforms may enforce their terms of service and prohibit certain types of content or users. Alongside these efforts, numerous countries have been making progress in defining and regulating this subject by implementing dedicated regulations. However, national solutions alone are insufficient for addressing a constantly increasing global emergency. Consequently, digital platforms create their own definitions of abusive conduct to overcome obstacles arising from conflicting national laws. In this paper, we use an ontological approach to model two types of abusive behavior. To do this, we applied the UFO-L patterns to build ontological models and based them on a top-level ontology, the Unified Foundational Ontology (UFO). The outcome is a set of ontological models that digital platforms can use to monitor and manage user compliance with the service provider’s code of conduct.</p></div>","PeriodicalId":51516,"journal":{"name":"Computer Law & Security Review","volume":"54 ","pages":"Article 105999"},"PeriodicalIF":3.3,"publicationDate":"2024-07-06","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"141593645","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":3,"RegionCategory":"社会学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Cyber Resilience Act 2022: A silver bullet for cybersecurity of IoT devices or a shot in the dark?","authors":"Mohammed Raiz Shaffique","doi":"10.1016/j.clsr.2024.106009","DOIUrl":"https://doi.org/10.1016/j.clsr.2024.106009","url":null,"abstract":"&lt;div&gt;&lt;p&gt;Internet of Things (IoT) is an ecosystem of interconnected devices (IoT devices) that is capable of intelligent decision making. IoT devices can include everyday objects such as televisions, cars and shoes. The interconnectedness brought forth by IoT has extended the need for cybersecurity beyond the information security realm into the physical security sphere. However, ensuring cybersecurity of IoT devices is far from straightforward because IoT devices have several cybersecurity challenges associated with them. Some of the pertinent cybersecurity challenges of IoT devices in this regard relate to: (i) Security During Manufacturing, (ii) Identification and Authentication, (iii) Lack of Encryption, (iv) Large Attack Surface, (v) Security During Updates, (vi) Lack of User Awareness and (vii) Diverging Standards and Regulations.&lt;/p&gt;&lt;p&gt;Against this background, the Cyber Resilience Act (CRA) has been proposed to complement the existing EU cybersecurity framework consisting of legislations such as the Cybersecurity Act and the NIS2 Directive. However, does the CRA provide a framework for effectively combating the cybersecurity challenges of IoT devices in the EU? The central crux of the CRA is to lay down and enforce the rules required to ensure cybersecurity of ‘products with digital elements’, which includes IoT devices. To this end, several obligations are imposed on manufacturers, importers and distributors of IoT devices. Manufacturers are mandated to ensure that the essential cybersecurity requirements prescribed by the CRA are met before placing IoT devices in the market. While the cybersecurity requirements mandated by the CRA are commendable, the CRA suffers from several ambiguities which can hamper its potential impact. For instance, the CRA could provide guidance to manufacturers on how to conduct cybersecurity risk assessment and could clarify the meanings of terms such as “&lt;em&gt;limit attack surfaces&lt;/em&gt;” and “&lt;em&gt;without any known exploitable vulnerabilitie&lt;/em&gt;s”.&lt;/p&gt;&lt;p&gt;When the fundamental themes of the CRA is analysed from the prism of the cybersecurity challenges of IoT devices, it becomes clear that the CRA does provide a foundation for effectively addressing the cybersecurity challenges of IoT devices. However, the expansive wording in various parts of the CRA, including in the Annex I Requirements, leaves scope for interpretation on several fronts. Consequently, the effectiveness of the CRA in tackling the Security During Manufacturing Challenge, Identification and Authentication Challenge, Large Attack Surface Challenge and Diverging Standards and Regulations Challenge would be largely contingent on how harmonised standards develop and how the industry adopts them. The CRA seems to be more effective, albeit not fully so, in significantly addressing the Lack of Encryption Challenge, Security During Updates Challenge and Lack of User Awareness Challenge of IoT devices. However, the manner in which the CRA addresses all these","PeriodicalId":51516,"journal":{"name":"Computer Law & Security Review","volume":"54 ","pages":"Article 106009"},"PeriodicalIF":3.3,"publicationDate":"2024-07-05","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://www.sciencedirect.com/science/article/pii/S0267364924000761/pdfft?md5=cffbcbbedc6e57f54e9b97ba7eead7ab&pid=1-s2.0-S0267364924000761-main.pdf","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"141541621","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":3,"RegionCategory":"社会学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Meta-Regulation: An ideal alternative to the primary responsibility as the regulatory model of generative AI in China","authors":"Huijuan Dong ,&nbsp;Junkai Chen","doi":"10.1016/j.clsr.2024.106016","DOIUrl":"https://doi.org/10.1016/j.clsr.2024.106016","url":null,"abstract":"<div><p>Generative AI with stronger responsiveness and emergent abilities has triggered a global boom and is facing challenges such as data compliance risks during the pretraining process and risks of generating fake information, which has raised concerns among global regulatory authorities. The European Union, United States, United Kingdom, and other countries and regions are gradually establishing risk-based, scenario-based, and outcome-based governance models for generative AI. China recently introduced new regulations for the management of generative AI, which adopt a governance model focusing on generative AI service providers. It suggests that China is continuing the principle of primary responsibility in Internet governance, which encompasses legal responsibility, contractual obligations, and ethical responsibility. However, the governance model based on primary responsibility emphasizes the accountability of generative AI model service providers, with relatively limited regulation on other important entities such as users and large-scale dissemination platforms, which may not be conducive to achieving China's regulatory goals for the AI industry. In comparison, the Meta-Regulation model could be an ideal alternative for China. As a classic theory explaining the public-private relationship, the ‘Meta-Regulation’ aligns with the generative AI governance requirements. Based on the Meta-Regulation theory, the governance of generative AI in China should move towards a direction of emphasizing safety, transparency, collaborative governance, and accountability. In line with this, it is necessary to include users and large-scale dissemination platforms within the regulatory scope and establish overarching governance objectives that ensure the responsible distribution of duties among stakeholders, with regulatory authorities assuming ultimate oversight responsibility and technical coordination. At the level of specific improvement measures, it is possible to integrate the three stages of model development, usage, and content dissemination of generative AI. During the model development stage, generative AI providers have specific transparency obligations. In the usage stage, a self-regulatory system centered around platform autonomy should be constructed. In the content dissemination stage, the proactive notification obligations of the dissemination platforms should be clearly defined. Additionally, the enforcement of technical interoperability requirements is necessary, thereby promoting the orderly development of generative AI applications.</p></div>","PeriodicalId":51516,"journal":{"name":"Computer Law & Security Review","volume":"54 ","pages":"Article 106016"},"PeriodicalIF":3.3,"publicationDate":"2024-07-04","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"141541620","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":3,"RegionCategory":"社会学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}