Blog

Artificial Intelligence Liability

devin.b.forbush Blog, Uncategorized , , , , , , ,

Artificial Intelligence Liability

By Susan-Caitlyn Seavey

1. Who is Responsible for Harm flowing from AI?   

Most people can easily recognize the immense impact technological developments have had in the recent decade, affecting practically every sector. While the laws and regulations governing our society have somewhat lagged behind these technological advances, we have still managed to create a framework that seems to effectively govern these modern tools. With the implementation and widespread usage of AI, our current legal and regulatory parameters do not neatly fit anymore. We are left with questions about who is ultimately responsible for harms that stem from AI. The issue of liability does not likely have a one size fits all solution, and our government and courts are working to understand and produce the new standards and guidelines AI requires. Stanford Law Fellow, Thomas Weber, says it well: “Generative AI is developing at a stunning speed, creating new and thorny problems in well-established legal areas, disrupting long-standing regimes of civil liability—and outpacing the necessary frameworks, both legal and regulatory, that can ensure the risks are anticipated and accounted for.”[1] Until there is substantial court precedent and more promulgated AI laws, scholars and professionals are limited to discussing different theories of liability that may be suitable for AI, such as strict liability and negligence law.

            In 2023, a man in Belgium ended his life after apparently becoming emotionally dependent on an AI-powered chatbot, leaving behind his wife and two children.[2] Also in 2023, Stanford’s Director of Law, Science and Technology, Professor Lemley, asked chatbot GPT-4 to provide information about himself.[3]> The algorithm offered defamatory information, believing Professor Lemley’s research to actually be a misappropriation of trade secrets.[4] In both of these cases, it is unclear who would and/or could be held liable for the death of the father and for the defamatory information. Traditional liability is long-established with laws and regulations in place and ample case law to support the structure we have created for it. However, AI transcends many of the boxes we have fit other technology into, including the liability framework.

For Professor Lemley to establish the requisite elements of a defamation claim, he would have to prove the bad actor’s intent to defame; the standard requires that a reasonable person should have known that the information was false or exhibited a reckless disregard as to the truth or falsity of the published statement.[5] But how does one show that a robot possesses such requisite intent? It would follow that liability may fall to the developers if intent cannot be apportioned to the AI technology at issue. The apparent irrelevance of intent with AI requires an alternative option to account for liability. A guide of best practices may be helpful to direct AI. “Professor Lemley suggests [that by] implementing best practices, companies and developers could shoulder less liability for harms their programs may cause.”[6] While not specifically broken down, this concept is supported by the Cybersecurity and Infrastructure Security Agency’s (CISA) work to develop “best practices and guidance for secure and resilient AI software development and implementation.”[7]

Continue reading

Surveilled in Broad Daylight: How Electronic Monitoring is Eroding Privacy Rights for Thousands of People in Criminal and Civil Immigration Proceedings

devin.b.forbush Blog , , , , , , ,

Surveilled in Broad Daylight: How Electronic Monitoring is Eroding Privacy Rights for Thousands of People in Criminal and Civil Immigration Proceedings

By Emily Burns   

What is electronic monitoring

Electronic monitoring is a digital surveillance mechanism that tracks a person’s movements and activities[1] by using radio transmitters, ankle monitors, or cellphone apps.[2] Governmental surveillance through electronic monitoring, used by every state in the U.S. and the Federal Government, functions as a nearly omnipotent presence for people in two particular settings: people in criminal proceedings and/or civil immigration proceedings.[3]

In 2021, approximately 254,700 adults were subject to electronic monitoring in the United States, with 150,700 of them in the criminal system and 103,900 in the civil immigration system.[4] While people outside of these systems hold substantial privacy rights against unreasonable governmental searches and seizures of digital materials through Fourth Amendment jurisprudence, the rise of electronic monitoring forces people to “consent” to electronic monitoring in exchange for the ability to be outside of a jail cell. [5]

Within the criminal context, this means that as a condition of supervision, such as parole or probation, certain defendants must consent to “continuous suspicion-less searches” of their electronics and data such as e-mail, texts, social media, and literally any other information on their devices.[6]

In the civil immigration context, like asylum seekers, immigrants can face a similar “choice:” remain in detention or be released with electronic monitoring.[7]  For immigrants in ICE detention on an immigration bond, this “choice” reads more like a plot device on an episode of Black Mirror than an effect of a chosen DHS policy. While people detained on bond in the criminal system are commonly allowed to be released when they pay at least 10 percent of the bond, ICE requires immigrants to pay the full amount of the bond, which is mandated by statute at a minimum $1,500 with a national average of $9,274.[8] If the bond is not paid, immigrants can spend months or even years in ICE detention.[9] Because many bail bond companies view immigration bonds to hold more risk of non-payment,  companies either charge extremely high interest rates on the bond contracts that immigrants pay or, as in the case of the company Libre by Nexus, ensure the bond by putting an ankle monitor on the bond seeker.[10] For people who must give up their bodily autonomy in order to be released from physical detention by “allowing” a private company to strap an ankle monitor to their body, paying for this indignity comes at a substantial economic cost that many cannot afford: Libre by Nexus charges $420 per month for using the ankle monitor, which is in addition to the actual repayment costs of the bond amount.[11] [12]

Continue reading

Protecting the Biometric Data of Minor Students

devin.b.forbush Blog , , , , , , ,

Protecting the Biometric Data of Minor Students

by Devin Forbush

 

Introduction

At the beginning of this month, in considering topics to comment on and analyze, a glaring issue so close to home presented itself.  In a letter written on January 24, Jamie Selfridge, Principal of Caribou High School, notified parents and guardians of students of an “exciting new development” to be implemented at the school.[1] What is this exciting new development you may ask? It’s the mass collection of biometric data of their student body.[2] For context, biometric data collection is a process to identify an individual’s biological, physical, or behavioral characteristics.[3] This can include the collection of “fingerprints, facial scans, iris scans, palm prints, and hand geometry.”[4]

Presented to parents as a way to enhance accuracy, streamline processes, improve security, and encourage accountability, the identiMetrics software to be deployed at Caribou High School should not be glanced over lightly.[5]While the information around Caribou high school’s plan was limited at the time, aside from the Maine Wire website post and letter sent out to parents & guardians, a brief scan of the identiMetrics website reveals a cost effective, yet in-depth, data collection software that gathers over 2 million data points on students every day, yet touts safety and security measures are implemented throughout.[6] While this brief post will not analyze the identiMetrics software as a whole, it will rather highlight the legal concerns around biometric data collection and make it clear that the software sought to be implemented by Caribou high school takes an opt-out approach to collection and forfeits students’ privacy and sensitive data for the purpose of educational efficiency.

Immediately, I started writing a brief blog post on this topic, recognizing the deep-seated privacy related issues for minors. Yet, the American Civil Liberties Union of Maine beat me to the punch, and on February 13th, set forth a public record request relating to the collection of biometric data to be conducted at Caribou High School due to their concerns.[7] The next day, Caribou High School signaled their intention to abandon their plan.[8] While I was ecstatic with this news, all the work that had been completed on this blog post appeared moot. Yet, not all was lost, as upon further reflection, this topic signaled important considerations. First, information privacy law and the issues related to it are happening in real-time and are changing day-to-day. Second, this topic presents an opportunity to inform individuals in our small state of the nonexistent protections for the biometric data of minors, and adults alike. Third, this reflection can sets forth proposals that all academic institutions should embrace before they consider collecting highly sensitive information of minor students.

This brief commentary proposes that (1) Academic institutions should not collect the biometric data of their students due to the gaps in legal protection within Federal and State Law; (2) If schools decide to proceed with biometric data collection, they must provide written notice to data subjects, parents, and legal guardians specifying (i) each biometric identifier being collected, (ii) the purpose of collection, (iii) the length of time that data will be used and stored, and (iv) the positive rights that parents, legal guardians, and data subjects maintain (e.g., their right to deletion, withdraw consent, object to processing, portability and access, etc.); and (3) Obtain explicit consent, recorded in written or electronic form, acquired in a free and transparent manner.

Continue reading

Blackstone’s Acquisition of Ancestry.com

devin.b.forbush Blog , , , , ,

Blackstone’s Acquisition of Ancestry.com

By Zion Mercado

Blackstone is one of the largest investment firms in the world, boasting over $1 trillion in assets under management.[1] In December of 2020, Blackstone acquired Ancestry.com for a total enterprise value of $4.7 billion.[2] Ancestry is a genealogy service that compiles and stores DNA samples from customers and compares them to the DNA samples of individuals whose lineage can be traced back generations to certain parts of the world.[3] Within Ancestry’s privacy statement, Section 7 states that if Ancestry is acquired or transferred, they may share the personal information of its subscribers with the acquiring entity.[4] This provision was brought into controversy in Bridges v. Blackstone by a pair of plaintiffs representing a putative class consisting of anyone who had their DNA and personal information tested and compiled by Ancestry while residing in the State of Illinois.[5] The suit was brought under the Illinois Genetic Information Privacy Act (“GIPA”) which bars a person or company from “disclos[ing] the identity of any person upon whom a genetic test is performed or the results of a genetic test in a manner that permits identification of the subject of the test” without that person’s permission.[6] In addition to barring disclosure, GIPA may also bar third-party disclosure ,[7] which would then create a cause of action under the act against third parties who compel an entity to disclose genetic information such as the information compiled by Ancestry. In Bridges, it is clear from the opinion that there was virtually no evidence that Blackstone in any way compelled Ancestry to disclose genetic information.[8] However, the language of the statute seems to be unclear as to whether third parties who compel a holder of an individual’s genetic information can be held liable under GIPA. What does seem to be clear from the Seventh Circuit’s reading of the statute is that when an entity acquires another entity that holds sensitive personal information or genetic data, the mere acquisition itself is not proof of compelling disclosure within the meaning of the act.[9]

The exact language of GIPA that pertains to potential third party liability states that “[n]o person may disclose or be compelled to disclose [genetic information].”[10] In Bridges, Blackstone contended that the recipient of protected information could not be held liable under GIPA even if they compelled disclosure.[11] The plaintiffs, in their complaint, could not cite to any conduct on the behalf of Blackstone that would satisfy federal pleading standards for stating a claim that Blackstone compelled Ancestry to disclose information covered under GIPA.[12] This led the judge to disregard the broader issue surrounding GIPA’s language brought upon by Blackstone’s argument that an entity who receives genetic information cannot be held liable even if it compels disclosure of such information.[13] This issue is, in essence, one of statutory interpretation. Blackstone would have courts interpret the language reading “no person may . . . be compelled to disclose” as only granting a cause of action against a defendant who discloses genetic information, but only “because they were ‘compelled’ to do so.”[14] However, such an instance is already covered by the first part of the phrase “no person may disclose.”[15] Notably, the Bridges court did not address Blackstone’s interpretation of the statute since the claim failed on the merits, however, the judge writing the opinion did cite a lack of precedent on the matter.[16] I believe that the Illinois legislature did not intend to write a redundancy into the statute, and a more protective reading of the statute would extend liability to a third party who compels disclosure of genetic information. The very meaning of the word “compel” is “to drive or urge forcefully or irresistibly” or “to cause to do or occur by overwhelming pressure.”[17] This is an act that we as people (and hopefully state legislators as well) would presumedly want to limit, especially when what is being compelled is the disclosure of sensitive information, such as the results of a genetic test and the necessary personal information that accompanies the test. Again, in the plaintiff’s complaint, there was no evidence proffered indicating that Blackstone in any way compelled disclosure of genetic information from Ancestry.[18] However, if a case were to arise where such an occurrence did happen, we should hope that courts do not side with Blackstone’s interpretation. Although I agree with the notion that merely acquiring an entity who holds genetic or other sensitive information should not give rise to liability, and a mere recipient of such information should not be held liable when they do not compel the holder’s disclosure, an entity, especially an acquiring entity, should not be shielded from liability when they seek to pressure an entity into disclosing the personal information of individuals who have not consented to such disclosure.

[1] Blackstone’s Second Quarter 2023 Supplemental Financial Data, Blackstone (Jul. 20, 2023), at 16, https://s23.q4cdn.com/714267708/files/doc_financials/2023/q2/Blackstone2Q23 SupplementalFinancialData.pdf.

[2] Blackstone Completes Acquisition of Ancestry, Leading Online Family History Business, for $4.7 Billion, Blackstone (Dec. 4, 2020), https://www.blackstone.com/news/press/blackstone-completes-acquisition-of-ancestry-leading-online-family-history-business-for-4-7-billion/.

[3] Frequently Asked Questions, Ancestry.com, https://www.ancestry.com/c/dna/ancestry-dna-ethnicity-estimate-update?o_iid=110004&o_lid=110004&o_sch=Web+Property&_gl=1*ot1obs*_up*MQ..&gclid=5aadd61f 926315a4ec29b2e4c0d617e8&gclsrc=3p.ds#accordion-ev4Faq (last visited Sep. 8, 2023).

[4] Privacy Statement, Ancestry.com (Jan. 26, 2023), https://www.ancestry.com/c/legal/privacystatement.

[5] Amended Class Action Complaint at 8, Bridges v. Blackstone, No. 21-cv-1091-DWD, 2022 LEXIS (S.D. Ill. Jul. 8, 2022), 2022 WL 2643968, at 2

[6] Ill. Comp. Stat. Ann. 410/30 (LexisNexis 2022).

[7] Id.

[8] See Bridges, 66 F.4th at 689-90.

[9] Id. (“we cannot plausibly infer that a run-of-the-mill corporate acquisition, without more alleged about that transaction, results in a compulsory disclosure”).

[10] 410/30 (LexisNexis 2022).

[11] Bridges, 66 F.4th at 689.

[12] Id. at 690.

[13] Id. at 689.

[14] Brief of the Defendant-Appellee at 41, Bridges v. Blackstone, 66 F.4th 687 (7th Cir. 2023), (No. 22-2486)

[15] 410/30 (LexisNexis 2022).

[16] Bridges, 66 F.4th  at 689 (Scudder, CJ.) (explaining that “[t]he dearth of Illinois precedent examining GIPA makes this inquiry all the more challenging”).

[17] Compel, Merriam-Webster.com, https://www.merriam-webster.com/dictionary/compel (last visited Sep. 9, 2023).

[18] See supra note 11, at 690.

Disclosure of Teen’s Facebook Messages Should be a Red Flag for Us All

editor Blog , , , , , , , , , , , , , ,

Blog

By Will Simpson, Class of 2025

Amidst the fallout of the Supreme Court’s decision on June 24, 2022, to overturn the cornerstone abortion case of 1973, Roe v. Wade, a privacy issue has surfaced: the extent to which digital data can be used against us to prosecute novel forms of criminalized behaviors. To make matters worse, tech giants such as Facebook and Google—who collect and largely control this data—are legally obligated to assist governments with this invasive practice.

Why should we care? While the Fourth Amendment helps protect Americans against unreasonable searches and seizures by the government, private companies are not restricted from archiving our digital data. As a result, the details of our online lives are preserved for potential access by government warrants. Continue reading

The Legal Footholds of Three States and the District of Columbia Against a Technological Goliath

editor Blog , , ,

Written by Hannah G. Babinski, Class of 2024 

I. Introduction

To no one’s surprise, Big Tech is in trouble yet again for attempting to overstep the boundaries of consumer privacy. From the notorious Facebook controversy involving Cambridge Analytica in 2018 to the most recent ballad of chronic misinformation stemming from Spotify’s perpetuation of Joe Rogan’s podcast, it seems that Big Tech’s complacency or even compliance with problematic practices connected to its online presence consistently leaves many Americans scratching their heads. Google is the latest tech conglomerate to stumble in the public arena.

This is not a historic moment for the California-based tech giant whose business model is heavily dependent on its prolific digital advertising, collection, surveillance, and auction of user data, including location tracking which alone earned the company an estimated $150 billion dollars in 2020.[1] In October 2020, the U.S. Justice Department and eleven states sued Google in federal court, alleging that Google abused its dominance over the search engine market—comprising 90% of web searches globally—and online advertising.[2] Then, in December of 2020, ten states separately sued Google in federal court on the grounds of alleged anti-competitive conduct.[3] Undoubtedly, Google’s utter electronic control over the online market is equally as impressive as it is troubling—a sentiment resounded by the bombardment of state-instigated suits—but it pales in comparison to the basis of the most recent lawsuit.

Continue reading

How China is Weaponizing Privacy

editor Blog

Written by Noah Katz, Ohio State University Moritz College of Law

What is China’s new privacy law?

The Personal Information Protection Law (PIPL), which took effect in November 2021, is China’s first comprehensive data privacy law.[1] The PIPL’s impact is immense given that China is home to almost one billion internet users.[2] The new legislation provides a clear framework for regulating the use of personal data, but, if violated, businesses could face massive fines and may even be blacklisted by the Chinese government.[3]

  Continue reading

Words of Wisdom from the Young Privacy Professionals Panel: Highlights and Takeaways 

editor Blog

KELSEY KENNY, Class of 2023

The evening of Thursday, November 4th, Maine Law’s Information Privacy Association, in collaboration with the Mortiz College of Law’s Data Privacy and Cyber Security Club, hosted an informal discussion panel to facilitate a dialogue between law students with an interest in information privacy and six professionals who have had success navigating the early stages of their evolving and dynamic careers in the field. Craig Carpenter, Caroline Hopland, Casey Waughn, Kenesa Ahmad, Lee Matheson, and Scott Bloomberg graciously contributed their time and insights to the forum. Continue reading

For Adequacy There Must Be a Private Right of Action

editor Blog

BRANDON BERG, Class of 2021 (Submitted while a student at Maine Law) 

We are still feeling the ripple effects from the European Court of Justice’s Schrems II decision. Among other things, the decision ripped apart the E.U.-U.S. Privacy Shield with particular exception to the data subject’s inability to seek redress from a court or tribunal. With the goal of U.S. adequacy in mind, the question becomes, how do we move forward? With several privacy bills currently being debated in Congress, one important question must be addressed: do these bills address the judicial remedy concerns cited in Schrems II? Continue reading