Worldcoin: Eye-scanning ID is here

Worldcoin history 

Back in the golden era of blockchain (2018-2019), when questions raised in everyday conversation were promised to be solved by this technology, a group of people started working on an ambitious project called Worldcoin. This project tried to find a solution for the challenge of unique online identification (our so-called digital identity). In particular, Worldcoin developed a system for recording and storing users’ digital biometric data and offering them a reward in the form of digital tokens. The data that Worldcoin gathered were iris scans. To join the user base, people would go to the designated location and consent to have their irises scanned. This was done using a shiny spherical object they named Orb. In the short period that Orb collected data, a significant database of human irises was collected. Least-developed countries had the most users, as was generally expected, because Worldcoin guaranteed tokens as incentives (i.e. money) ‘simply for being human’.

Worldcoin logo and an Orb: a silver sphere with a diagonal copper coloured stripe, and a copper coloured base.
Worldcoin’s Orb custom biometric device. Source: worldcoin.org

The technology behind the identification scheme is the following: Iris scans were digitally obfuscated using a hashing function (a cryptographic technique that maps a set of digital data to a fixed-length value from which the original data cannot feasibly be recovered). That unique hash was added to the database as each person’s unique identifier. Even though this data is obfuscated, significant concerns were raised that a possible data breach could create a privacy and data nightmare. The crypto community had serious concerns about a scary dystopian future, undermining the project. The Worldcoin project was almost forgotten and was considered one of the most ambitious and yet obscure in the crypto community.

The rebirth and rebranding of Worldcoin

Fast forward to 2022, when the Worldcoin project leader, Sam Altman, became globally famous as OpenAI’s CEO. Only half a year after the ambitious ChatGPT launch and global excitement about the predictive language models, Altman pushed the ‘old’ Worldcoin idea into the public space again.  

Earlier this week, the ‘new’ Worldcoin project launched worldwide, but with one significant difference. It is being publicised as ‘a new identity and financial network owned by everyone’. The rebranding is important, because now, the project team claims that what they are building is not distinguishable from the Public Key Infrastructure (PKI) deployed by big companies or the technical internet society. PKI is a set of standards, software, and hardware used in digital certificates and for managing public-key encryption. This is done via certificate authorities, with one of the most notable implementations being the HTTPS protocol used for secure web browsing. Worldcoin will use a cryptographic technique known as zero-knowledge proof (ZKP).

This obfuscating technique allows verification that the ‘given statement is true while avoiding conveying any information to the verifier beyond the mere fact of the statement’s truth’. This technique is used in some privacy-oriented cryptocurrencies, and it demonstrates the possibility of user-defined online privacy divisions allowing options to decide what information you want to share with whom. For example, your browser doesn’t need to know all your credentials and data. In fact, it only uses your IP (for geolocation) and information like gender or age for advertising or other purposes. ZKP solutions were tested in COVID-19 tracking apps and are at the core of the EU’s new Digital Identity proposal. Significant concerns exist about the gatekeepers of certificate authorities that store the data. This issue is crucial for sensitive data, such as biometric data collected by the Orbs.
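The zero-knowledge idea quoted above, shown as an added example (it is not Worldcoin's protocol or code): a Schnorr proof of knowledge in which a holder proves they know the secret behind a registered public identifier without revealing that secret. The toy group parameters, the function names and the context strings are assumptions chosen for illustration.

```python
import hashlib
import secrets

# Toy parameters (assumptions for illustration, not production-grade):
# the multiplicative group modulo the Mersenne prime 2**127 - 1.
P = 2**127 - 1
ORDER = P - 1      # G**ORDER == 1 (mod P), so exponents are reduced mod ORDER
G = 3


def keygen():
    """Holder side: secret x stays with the holder, y = G^x is the public identifier."""
    x = secrets.randbelow(ORDER - 1) + 1
    return x, pow(G, x, P)


def _challenge(y, t, context):
    """Fiat-Shamir: derive the verifier's challenge by hashing the public transcript."""
    transcript = b"|".join(str(v).encode() for v in (P, G, y, t)) + b"|" + context
    return int.from_bytes(hashlib.sha256(transcript).digest(), "big") % ORDER


def prove(x, context):
    """Prove knowledge of x, bound to `context` (e.g. service name plus session id)."""
    y = pow(G, x, P)
    r = secrets.randbelow(ORDER)      # fresh random nonce; reusing it would leak x
    t = pow(G, r, P)                  # commitment
    c = _challenge(y, t, context)
    s = (r + c * x) % ORDER           # response; the random r masks x
    return t, s


def verify(y, proof, context):
    """Verifier side: sees only y, the proof and the context, never x."""
    t, s = proof
    if not (0 < y < P and 0 < t < P and 0 <= s < ORDER):
        return False
    c = _challenge(y, t, context)
    # G^s = G^(r + c*x) = t * y^c holds only if the prover knew x.
    return pow(G, s, P) == (t * pow(y, c, P)) % P


def authenticate(registry, y, proof, context):
    """Accept only registered identifiers that come with a valid proof."""
    return y in registry and verify(y, proof, context)


if __name__ == "__main__":
    secret, identifier = keygen()
    registry = {identifier}                      # constructed sample registry
    ctx = b"example-service|session-1"           # constructed context string
    proof = prove(secret, ctx)
    print("valid proof accepted:", authenticate(registry, identifier, proof, ctx))
    print("replayed in another session:",
          authenticate(registry, identifier, proof, b"example-service|session-2"))
```

The verifier learns that the holder knows the secret and nothing else; binding the challenge to a context means a captured proof cannot be replayed in a different session.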

How is this data stored? Is any unencrypted version of the iris data stored in a secure manner (e.g. in the Orb’s temporary internal memory)? Who has access to this data? Or even worse, can it end up on the black market or be misused somehow? In its launch report, Worldcoin claimed that ‘The Orb sets a high bar to defend against scalable attacks; however, no hardware system interacting with the physical world can achieve perfect security’.

One way of looking at Worldcoin is that it is very similar to Apple’s PKI, and there is nothing to be worried about. One difference with Worldcoin is that part of the identifier data will be stored inside Ethereum’s public, open-source blockchain, while World IDs are issued on the Worldcoin protocol. The Worldcoin protocol was developed by Tools For Humanity, a company established by the founders of the original Worldcoin project: Alex Blania and Sam Altman. The design ensures that no trusted third party can introduce risks of data handling or accountability related to it. Users have control of the process. However, the past has shown us that human users are usually the weakest link. Human factors include the very real risk that users will share their biometric data like they share their ultrasounds. So far, technology has not found a way to limit voluntary violations of privacy and security. The UK data watchdogs at the Information Commissioner’s Office have already announced a probe into Worldcoin’s privacy and data protection practices.

Interactive infographic available at https://worldcoin.org/home shows a global map marked with different colors of dots showing global users of World IDs, transactions, Activities, and Milestones.
The Worldcoin home page shows this interactive map of its global users.

Another part of the project also makes it significantly different from known PKI schemes: the digital currency reward that actors get for sharing their biometric data.

Worldcoin was not accessible in the USA at its launch, and anyone wishing to participate had to confirm that they were outside the USA. The Worldcoin launch report clearly stated that tokens distributed in the system will be only available where laws allow this to happen.

Why is this important? 

Aside from the technological, privacy and data protection, and other ethical questions raised, the financial incentives and infrastructure that are underlying the project will also be scrutinised. 

Only a couple of years ago, Meta (then Facebook) and Mark Zuckerberg announced the launch of the Libra digital token, which, in their words, could offer a solution for cross-globe payments in different currencies across all Meta apps (Facebook, Instagram, and WhatsApp). Meta signed agreements with major payment institutions like Visa and Mastercard and giant online retailers like Ebay, but US legislators torpedoed the project. In three separate hearings in front of the US regulators in the Senate and House, the USA made it clear that no digital coin issued by a private company can be considered an international means of payment, particularly if it is pegged to or in any way related to the US dollar, which is regarded as a global reserve currency. The Libra project was shut down after two years, and mentions of Libra were erased from company websites. 

Digital currencies issued by private companies remain of primary interest to major state powers and international financial organisations, like the USA and the UK and the Bank for International Settlements or the G7’s Financial Stability Board. This, in fact, might be a more significant obstacle for Worldcoin than data collection and privacy issues. 

Worldcoin promotes the ‘proof of personhood’ idea, which establishes an individual as both human and unique, and might become indispensable to discern and identify AI identities, like bots, bot farms, and ‘fake humans’. We will certainly hear more about this project.

MOVEit hack: what is it and why is it important?

A string of disclosures

On 31 May, Progress Software Corporation disclosed that its managed file transfer (MFT) software, MOVEit Transfer, is susceptible to a critical SQL injection vulnerability, which allows unauthenticated attackers to acquire access to MOVEit Transfer databases.

On 2 June, the vulnerability received the designation CVE-2023-34362. CVE stands for Common Vulnerabilities and Exposures; a CVE ID number is assigned to each publicly disclosed vulnerability. Once a CVE is assigned, vendors, industry and cybersecurity researchers can exchange information to develop remediation.

On 9 July, Progress announced additional vulnerabilities (CVE-2023-35036), which were identified during code reviews. The company also released a patch for the new vulnerabilities. On 15 June, a third vulnerability was announced (CVE-2023-35708).

Threat actors have attacked more than 162 known victims, including the BBC, Ofcom, British Airways, Ernst and Young, Siemens Energy, Schneider Electric, UCLA, AbbVie, and several government agencies with these zero-day vulnerabilities. Sources also report the compromise of the personal data of more than 15.5 million individuals.

Behind the attack

Microsoft attributed the MOVEit hack to Lace Tempest, a threat actor known for ransomware attacks, data theft, and extortion attacks, and for running the extortion website of the CLOP ransomware group. On 6 June, the CLOP ransomware gang posted a communication to their leak site demanding that victims contact them before 14 June to negotiate extortion fees for deleting stolen data.

The identity and whereabouts of the CLOP gang remain unknown to the public. However, security researchers believe the group is either linked to Russia or comprises Russian-speaking individuals. 

Supply chain security flaws 

The MOVEit hack has again highlighted that supply chain security is a significant concern for industries and the public sector. Across the supply chains, who is responsible for what? And how can we ensure cross-sectoral and cross-border cooperation between multiple actors that mitigate security risks?

While national cybersecurity agencies continue publishing guidance on mapping and securing supply chains, the industry implements good practices for reducing vulnerabilities and building secure ICT infrastructures. Still, organisations have different levels of maturity and resources to respond effectively. Luckily, there are ongoing discussions at different levels to address these topics: from international initiatives, such as the Geneva Dialogue, that advance the implementation of the relevant UN GGE norms to reduce vulnerabilities and secure supply chains, to national and industry-specific discussions to develop and adopt new security measures (e.g. SBOM).

Another challenge lies in conducting effective investigations, with the participation of several states and/or private partners, to identify a threat actor and stop the activity.

Digital policy trends in June 2023

Governing AI: What are the appropriate AI guardrails? 

AI governance remains the number one trend in digital policy as national, regional and global efforts to shape AI guardrails continue.

The EU’s risk-based approach

The European Parliament’s approval of the AI Act is a groundbreaking development. This regulation classifies AI systems based on risk levels and safeguards of civil rights, with severe fines for violations. Next in the legislative process is the so-called trialogues, where the European Parliament, the EU Council, and the Commission have to agree on a final version of the act; there are expectations that this agreement will be reached by the end of the year.

A new study from Stanford suggests that leading AI models are still far from meeting the responsible AI standards set by the AI Act (the version agreed in the EP), notably lacking transparency on risk mitigation measures. But some in the industry argue that the rules impose too heavy a regulatory burden. A recent open letter signed by some of the largest European companies (e.g. Airbus, Renault, Siemens) notes that the AI Act could harm the EU’s competitiveness and could compel them to move out of the EU to less restrictive jurisdictions. Companies are, in fact, doing their best to shape things: For example, OpenAI lobbied successfully in the EU that the forthcoming AI Act should not consider OpenAI’s general-purpose AI systems to be high risk, which would trigger stringent legal requirements like transparency, traceability, and human oversight. OpenAI’s arguments align with those previously employed by the lobbying efforts of Microsoft and Google, which argued that stringent regulation should be imposed only on companies that explicitly apply AI to high-risk use cases, not on companies that build general-purpose AI systems.

Given the EU’s track record on data protection rules, its proposed AI Act was anticipated to serve as an inspiration to other jurisdictions. In June, Chile’s Parliament initiated discussions on a proposed AI Bill, focusing on legal and ethical aspects of AI’s development, distribution, commercialisation, and use.

More regional rules are in the works: It has been revealed that ASEAN countries are planning an AI guide that will tackle governance and ethics. In particular, it will address the use of AI for generating misinformation online. The guide is expected to be adopted in 2024. Strong dynamism will occur during Singapore’s chairmanship of ASEAN in 2024. 

Business-friendlier approaches

Considering that Singapore itself is taking a collaborative approach to AI governance and is focused on working with businesses to promote responsible AI practices, the ASEAN guide is not likely to be particularly stringent (watch out, EU?). Softer, more collaborative approaches are also expected to be formulated in Japan and the UK, which believe such an approach will help them position themselves as AI leaders. 

Another country that is taking a more collaborative approach to AI governance is the USA. Last month, President Biden met with Big Tech critics from civil society to discuss AI’s potential risks and its implications for democracy, including the dissemination of misinformation and the exacerbation of political polarisation. The US Commerce Department will create a public working group to address the potential benefits and risks of generative AI and develop guidelines to effectively manage those risks. The working group will be led by NIST and comprise representatives from various sectors, including industry, academia, and government.

Patchwork

As countries continue their AI race, we might end up with a patchwork of legislation, rules and guidelines that might espouse conflicting values and priorities. It is no surprise that calls for global rules and an international body are also gaining traction. A future global AI agency inspired by the International Atomic Energy Agency (IAEA), an idea first put forward by OpenAI CEO Sam Altman, has garnered support from UN Secretary-General Antonio Guterres.

France is advocating for global AI regulation, with President Macron proposing that the G7 and the Organisation for Economic Co-operation and Development (OECD) would be good platforms for this purpose. France wants to work alongside the EU’s AI Act while advocating for global regulations and also intends to collaborate with the USA in developing rules and guidelines for AI. Similarly, Microsoft’s President Brad Smith called for collaboration between the EU, the USA, and G7 nations, adding India and Indonesia to the list, to establish AI governance based on shared values and principles. 

In plain sight: SDGs as guardrails

However, the road to global regulations is typically long and politically tricky. Its success is not guaranteed either. Diplo’s Executive Director Dr Jovan Kurbalija argues that humanity is missing valuable AI guardrails that are in plain sight: the SDGs. They are current, comprehensive, strong, stringently researched, and immediately applicable. They already have global legitimacy and are not centralised and imposing. These are just a handful of reasons why the SDGs can play a crucial role; there are 15 reasons why we should use SDGs for governing AI.


Digital identification schemes gain traction 

Actors worldwide are pushing for more robust, secure and inclusive digital ID systems and underlying policies. 

The OECD Council approved a new set of recommendations on the governance of digital identity centred on three pillars. The first addresses the need for systems to be user-centred and integrated with existing non-digital systems. The second focuses on strengthening the governance structure of the existing digital systems to address security and privacy concerns, while the third pillar addresses the cross-border use of digital identity.

Most recently, the EU Parliament and the Council reached a preliminary agreement on the main aspects of the digital identity framework put forward by the Commission in 2021. Previously, several EU financial institutions cautioned that specific sections of the regulation are open to interpretation and could require significant investments by the financial sector, merchants, and global acceptance networks. 

At the national level, a number of countries have adopted regulatory and policy frameworks for digital identification. Australia released the National Strategy for Identity Resilience to promote trust in the identity system across the country, while Bhutan endorsed the proposed National Digital Identity Bill, except for two clauses that await deliberation in the joint sitting of the Parliament. The Sri Lanka Unique Digital Identity Project (SL-UDI) is underway, and the Thai government introduced the ThaID mobile app to simplify access to services requiring identity confirmation.


Content moderation: gearing up for the DSA

Preparations for the DSA are in full swing, even though the European Commission has already faced its first legal challenge over the DSA, and it did not come from Big Tech as many would have expected. German e-commerce company Zalando filed a lawsuit against the Commission, contesting the categorisation of Zalando as a systemic, very large platform and criticising the lack of transparency and consistency in platform designation under the DSA. Zalando argues that it does not meet the requirements for such classification and does not present the same systemic risks as Big Tech. 

Meanwhile, European Commissioner for Internal Market Thierry Breton visited Big Tech executives in Silicon Valley to remind them of their obligations under the DSA. Although Twitter owner Musk previously said that Twitter would comply with the DSA content moderation rules, Breton visited the company headquarters to perform a stress test to evaluate Twitter’s handling of potentially problematic tweets as defined by EU regulators. Breton also visited the CEOs of Meta, OpenAI, and Nvidia. Meta agreed to a stress test in July to assess the EU’s online content regulations, a decision prompted by Breton’s call for immediate action by Meta regarding its content targeting children.

European Commissioner for Internal Market Thierry Breton. Credit: European Commission

The potential of the EU to exert its political and legal power over Big Tech will be demonstrated in the coming months, with the DSA becoming fully applicable in early 2024.

ChatGPT and GDPR: Balancing AI innovation with data protection

By Feodora Hamza

OpenAI’s ChatGPT has gained widespread attention for its ability to generate human-like text when responding to prompts. However, after months of celebration for OpenAI and ChatGPT, the company is now facing legal action from several European data protection authorities who believe that it has scraped people’s personal data without their consent. The Italian Data Protection Authority has temporarily blocked the use of ChatGPT as a precautionary measure, while French, German, Irish, and Canadian data regulators are also investigating how OpenAI collects and uses data. In addition, the European Data Protection Board set up an EU-wide task force to coordinate investigations and enforcement concerning ChatGPT, leading to a heated discussion on the use of AI language models and raising important ethical and regulatory issues, particularly those involving data protection and privacy.

Concerns around GDPR compliance: How can generative AI comply with data protection rules such as GDPR? 

According to Italian authorities, OpenAI’s disclosure regarding its collection of user data during the post-training phase of its system, specifically chat logs of interactions with ChatGPT, is not entirely transparent. This raises concerns about compliance with General Data Protection Regulation (GDPR) provisions that aim to safeguard the privacy and personal data of EU citizens, such as the principles of transparency, purpose limitation, data minimisation, and data subject rights.

As a condition for lifting the ban it imposed on ChatGPT, Italy has outlined the steps OpenAI must take. These steps include obtaining user consent for data scraping or demonstrating a legitimate interest in collecting the data, which is established when a company processes personal data within a client relationship, for direct marketing purposes, to prevent fraudulent activities, or to safeguard the network and information security of its IT systems. In addition, the company must provide users with an explanation of how ChatGPT utilises their data and offer them the option to have their data erased, or refuse permission for the program to use it.

Padlock symbol for computer data protection system. Source: Envato Elements

Steps towards GDPR compliance: OpenAI’s updated privacy policy and opt-out feature

OpenAI has updated its privacy policy, describing its practices for gathering, utilising, and safeguarding personal data. In a GPT-4 technical paper, the company stated that publicly available personal information may be included in the training data and that OpenAI endeavours to ensure people’s privacy by incorporating models to eliminate personal data from training data ‘where feasible’. In addition, OpenAI now offers an incognito mode on ChatGPT to enhance its GDPR compliance efforts, safeguard users’ privacy, and prevent the storage of personal information, granting users greater control over the use of their data.

The company’s choice to offer an opt-out feature comes amid mounting pressure from European data protection regulators concerning the firm’s data collection and usage practices. Italy has demanded OpenAI’s compliance with the GDPR by April 30. In response, OpenAI implemented a user opt-out form and the ability to object to personal data being used in ChatGPT, allowing Italy to restore access to the platform in the country. This move is a positive step towards empowering individuals to manage their data.

Challenges in deleting inaccurate or unwanted information from AI systems remain

However, the issue of deleting inaccurate or unwanted information from AI systems in compliance with GDPR is more challenging. Although some companies have been instructed to delete algorithms developed from unauthorised data, eliminating all personal data used to train models remains challenging. The problem arises because machine learning models often have complex black box architectures that make it difficult to understand how a given data point or set of data points is being used. As a result, models often have to be retrained with a smaller dataset in order to exclude specific data, which is time-consuming and costly for companies.

Data protection experts argue that OpenAI could have saved itself a lot of trouble by building in robust data record-keeping from the start. Instead, it is common in the AI industry to build data sets for AI models by scraping the web indiscriminately and then outsourcing the work of removing duplicates or irrelevant data points, filtering unwanted things, and fixing typos. In AI development, the dominant paradigm is that the more training data, the better. OpenAI’s GPT-3 model was trained on a massive 570 GB of data. These methods, and the sheer size of the data set, mean that tech companies tend not to have a full understanding of what has gone into training their models.

While many criticise the GDPR for being unexciting and hampering innovation, experts argue that the legislation serves as a model for companies to improve their practices when they are compelled to comply with it.  It is presently the sole means available to individuals to exercise any authority over their digital lives and data in a world that is becoming progressively automated.

The impact on the future of generative AI: The need for ongoing dialogue and collaboration between AI developers, users, and regulators

This highlights the need for ongoing dialogue and collaboration between AI developers, users, and regulators to ensure that the technology is used in a responsible and ethical manner. It seems that ChatGPT is facing a rough ride with Europe’s privacy watchdogs. The Italian ban seems to have been the beginning, since OpenAI has not set up a local headquarters in one of the EU countries yet, exposing it to further investigations and bans from any member country’s data protection authority.

However, while the EU regulators are still wrapping their heads around the regulatory implications of and for generative AI, companies like OpenAI continue to benefit from and monetise the lack of regulation in this area. With the EU’s Artificial Intelligence Act being passed soon, the EU aims to address the gaps of the GDPR when regulating AI and inspire similar initiatives being proposed in other countries. It seems the impact of generative AI models on privacy will probably be on the regulators’ agenda for many years to come.

How search engines make money and why being the default search engine matters

By Kaarika Das and Arvin Kamberi

Samsung, the maker of millions of smartphones with preinstalled Google Search, is reportedly in talks to replace Google with Bing as the default search provider on its devices. This is the first instance of a threat confronting Google’s long-standing dominance over the search business. Despite Alphabet’s diversified segments, its core business and majority profit accrue from Google Search, which accounted for US$162 billion of US$279.8 billion of Alphabet’s total revenue last year. Naturally, Google’s top agenda is to protect its core business and retain its position as the default search engine in electronic devices like tablets, mobiles, or laptops.

A critical question arises about the underlying business model of online search engines like Google, Bing, Baidu, Yandex, and Yahoo. What do these search engines stand to gain by being a device’s default search engine? Let us examine how search engines generate revenue while allowing users to explore the internet for information and content for free.

The profit model of search engines

Search engines make money primarily through advertising (in Google’s case, billions of dollars yearly from its Google Ads platform). The working mechanism is as follows: Whenever users enter a search query into a search engine, the search engine provides a list of web pages and other content related to the search query, including advertisements. Advertisers pay search engines to display sponsored results when users search for specific keywords. These ads typically appear at the top and/or bottom of Search Engine Results Pages (SERPs) and are labelled as ‘sponsored’ or ‘ad’. Search engines get paid based on the number of clicks these ads get. This model is popularly known as PPC (Pay-Per-Click).

Apart from sponsored listing, search engines also track user data for targeted advertising, using people’s search history. Search engines can easily gather information about users’ search history, preferences, and behaviours. This is done through cookies, IP address tracking, device and browser fingerprinting, and other technologies. Search engines then use these data points to profile their users to improve the targeting of advertisements. For example, if a user frequently searches for details about recipes and food, the search engine may display advertisements for restaurants and related food ingredient products. Thus, the user search history effectively helps improve search engine algorithms and enhances search accuracy by identifying patterns in user behaviour. In capitalising on user data, search engines allow advertisers to manage their advertisements using strategies such as ad scheduling, geotargeting, and device targeting – all made possible because of accumulated user history data!

Google making money from search engine. Image generated by DALL-E/OpenAI.

The power of default

Let us now delve into the edge granted to a search engine by being the default setup. Regardless of the default search engine, people can always change their search engine on their respective devices based on personal preferences. Despite the absence of any exclusivity, there is massive inertia against changing the default search engine. It happens because the effort required to manually navigate to a different search engine to perform search functions makes the transition process a hassle, especially for ordinary people. At the same time, less tech-savvy people may not be aware of alternative search engines and might have no explicit preference for a specific search engine. Even with awareness of alternatives, the effectiveness, performance, and security of the search engine paired with their current device remain unproven and may lead to apprehension among users.

Therefore, a default search engine further provides a sense of security (however misleading) as its performance and device compatibility are assumed to be vetted by the manufacturers. As a result, being the default search engine is advantageous for search engines as it provides them with a broader audience base leading to increased traffic alongside greater brand recognition. Thus, being the default search engine is vital for a search engine’s success as having large traffic ensures that search engines remain attractive to advertisers, their primary source of revenue – the higher the number of search engine users, the dearer the advertising space becomes, generating better returns.

For users, however, pre-installed search engines deprive them of the choice to select their preferred alternative and select those search engines that do not track user details. In 2019, the European Commission stated that Google had an unfair advantage by pre-installing its Chrome browser and Google search app on Android smartphones and notebooks. To circumvent antitrust concerns, in early 2020, Google enabled Android smartphones and tablets sold in the European Economic Area (EEA) to show a ‘choice screen’ that offered users four search engines to choose from.

While Google pays billions to device manufacturers like Samsung and Apple to remain the default search engine, the ongoing AI leap in the industry has enormous ramifications for the future of internet search and its ensuing business model. With unprecedented developments in AI and search engine functionality integrated with AI, the tussle of search rivals battling for popularity and influence is set to continue.