Michael Veale is a technology policy academic who focuses on information technology and the law. He is currently associate professor in the Faculty of Laws at University College London (UCL).

Michael Veale
Alma mater: University College London, London School of Economics, Maastricht University
Website: michae.lv

Education

Veale holds a PhD in the application of law and policy to the social challenges of machine learning from UCL,[1] a BSc in Government and Economics from the London School of Economics and an MSc in Sustainability, Science and Policy from Maastricht University.[2]

Academic career

Veale joined the Faculty of Laws at UCL in 2019 as lecturer in Digital Rights and Regulation, and was appointed associate professor in 2021. He teaches Internet law and privacy law.[1][3] Veale was previously a Digital Charter Fellow at the Alan Turing Institute, the UK's National Centre for AI and Data Science, and the UK Government's Department for Digital, Culture, Media and Sport.[1] Veale is also affiliated with Pennsylvania State University's PILOT Lab and teaches at the New York University Stern School of Business.[4]

Veale has authored and co-authored reports on data and technology policy for the Royal Society,[5] the Law Society of England and Wales[6] and the Commonwealth Secretariat.[7]

Scholarship

Veale's scholarship concerns information technology, law and society. His work has highlighted tensions between the practice and functioning of technologies including machine learning, encryption and Web technologies, and the laws that govern them. Veale's work has been influential among governments, legislators and NGOs. Work with Lilian Edwards on a right to an explanation in data protection law[8] has led to legislative amendments in the UK Parliament,[9] and has been cited by the US Federal Trade Commission,[10] the Article 29 Data Protection Working Party,[11] the Council of Europe,[12][13] the United Nations special rapporteur on Extreme Poverty and Human Rights Philip Alston,[14] the European Parliament,[15][16] European Commission,[17][18][19] and the Information Commissioner's Office.[20] His work on the legality of cookie consent banners has also been cited by the Irish Data Protection Commissioner,[21] Facebook[22] and a range of media outlets.[23][24][25][26] During the COVID-19 pandemic, Veale co-authored the Decentralized Privacy-Preserving Proximity Tracing protocol for Bluetooth contact tracing apps which formed a basis for Apple and Google's partnership protocol, Exposure Notification.[27]

Digital rights activism

Veale is a noted digital rights activist. He is a member of the Advisory Councils of the Open Rights Group and Foxglove, both of which are UK-based NGOs which campaign in favour of privacy and digital rights,[28][29] and advises the Ada Lovelace Institute.[30]

Right of access to personal data

Veale has been involved in a variety of actions concerning the right to access personal data under data protection law.

It has been reported that Veale is party to a complaint to the Irish data protection authority concerning Apple's refusal to provide access to users' personal data in the form of recordings made by Siri,[31][32] stemming from research undertaken by Veale with KU Leuven and the University of Oxford.[33] Apple had reportedly argued that the recordings were anonymised and so did not constitute personal data.[31][32] At the time, the recordings were stored alongside a device identifier rather than a user's name for up to 6 months, and without any identifier at all for up to 18 months beyond that. Apple also said that the device identifier changes if or when Siri is disabled or re-enabled. Apple said it had not currently built a way to access this device identifier on specific users' devices or to search data that it held by an identifier. However, Veale and colleagues pointed out that Apple associates device identifiers with other information stored on its servers, such as the names of contacts, reminders set, and playlist titles that make it possible for anyone with access to the recordings to identify who it relates to "by using easily accessible data sources, like social media". The researchers argued that Apple's refusal to recognise users' right of access under the GDPR prevented them from verifying if Siri was accidentally recording conversation that was not meant to be recorded or using the recordings in inappropriate ways.[33][32]

Complaints from Veale around the refusal by Facebook and Twitter to provide access to data concerning the extent of their Web tracking operations have also reportedly led to investigations by the Irish Data Protection Commission.[34][35][36] The commission's Annual Report lists these complaints as 2 of 27 cross-border inquiries commenced since 25 May 2018, concerning Twitter's use of advertising URL shortening and Facebook's 'Hive' database.[37]

Following the release of the choose-your-adventure style movie Bandersnatch by Netflix in 2019, Veale obtained and posted his viewing data from Netflix by invoking his right of access under the European Union General Data Protection Regulation (GDPR),[38] leading to an array of coverage of the issue and debates around the use of such information in profiling.[39][40][41][42]

AdTech

In September 2018, Veale, Johnny Ryan (then-Chief Policy and Industrial Relations Officer at Brave),[43] and Jim Killock (executive director of the Open Rights Group) filed a complaint with the UK Information Commissioner's Office (ICO) and the Irish Data Protection Commission (DPC), notifying the data protection authorities about systemic breaches of data protection law by the AdTech industry. They drew specific attention to mass surveillance of Internet users for the purposes of behavioural advertising, and the use of the data gathered and inferred to power real-time-bidding (RTB) auction systems. They suggested that the collection and processing of personal data by players in the adtech industry was without legitimate basis and conducted without legally valid consent, contrary to the GDPR.[44][45] A later academic paper by Veale outlined their argument.[46]

In May 2019, the Irish DPC opened a formal investigation into the AdTech industry.[47]

In June 2019, the ICO responded to the complaint in a report, agreeing that the collection of personal data was "taking place unlawfully". It also agreed that there were "systemic concerns" about the AdTech industry's use of personal data. One of the ICO's deputy commissioners, Simon McDougall, warned the AdTech industry that there was a need for reform, saying "We have significant concerns about the lawfulness of the processing of special category data which we’ve seen in the industry, and the lack of explicit consent for that processing".[48] He also noted that the existing justifications offered by players in the AdTech industry appeared to be insufficient. McDougall also criticised the industry's failure to conduct proper Data Protection Impact Assessments (DPIAs) as required under the GDPR, describing the DPIAs the ICO had reviewed as "generally immature" and lacking "appropriate detail".[49] Veale criticised the ICO's response, stating that:[49][50]

When an industry is premised and profiting from clear and entrenched illegality that breach individuals' fundamental rights, engagement is not a suitable remedy. The ICO cannot continue to look back at its past precedents for enforcement action, because it is exactly that timid approach that has led us to where we are now.

The ICO subsequently appeared to take no further action until May 2020, when it announced it was suspending its investigation to avoid putting "undue pressure" on the advertising industry during the COVID-19 pandemic.[51][52] In letters to the complainants, the ICO stated that it was closing the complaint but claimed it intended to "recommence our industry wide investigation into RTB in due course".[53]

In November 2020, Killock and Veale challenged the ICO's decision to close their complaint in the Upper Tribunal.[54]

Contact-tracing during the COVID-19 pandemic

Veale was part of the research team that developed the Decentralised Privacy-Preserving Proximity Tracing protocol (DP-3T) for contact tracing during the COVID-19 pandemic.[55][56][27]

On April 11, 2020, Veale contacted part of the team developing contact tracing apps for England and Wales, NHSX, to warn them that Apple and Google's contact-tracing solutions only allowed for decentralised matching between phones, which was incompatible with the UK government's proposed centralised approach. His email stated that:

Apple and Google's new API appears to break (or rather, not allow iPhones of Androids to use) NHS's proposed system, as it only allows decentralised local matching using background BLE [Bluetooth], and does not allow apps to directly access identifiers of individuals they have observed, only to query them with a downloaded list[57]

NHSX maintained that their contact-tracing app was capable of centralised contact-tracing despite these concerns.[58][59] On 18 June 2020, the UK government announced it would abandon its centralised contact-tracing app, and switch to using Apple and Google's decentralised contact-tracing technology, which is based substantially on the DP-3T protocol.[60][61]

References

  1. ^ a b c UCL (2019-09-05). "Dr. Michael Veale". UCL Faculty of Laws. Retrieved 2021-04-24.
  2. ^ "Book Review: Coffee by Gavin Fridell". USAPP. 2014-11-09. Retrieved 2021-04-24.
  3. ^ UCL (2021-07-08). "UCL Laws announces academic promotions for 2020-21". UCL Faculty of Laws. Retrieved 2021-08-11.
  4. ^ "People". PSU PILOT lab. Retrieved 2021-08-11.
  5. ^ The Royal Society and the British Academy (2016). "Data Management and Use: Governance in the 21st Century: Case Studies" (PDF).
  6. ^ The Law Society of England and Wales (2019). "Algorithms in the Criminal Justice System".
  7. ^ Commonwealth Secretariat (2020). Cybersecurity for Elections : A Commonwealth Guide on Best Practice. London: Commonwealth Secretariat. ISBN 978-1-84859-984-0. OCLC 1220920374.
  8. ^ Edwards, Lilian; Veale, Michael (2017). "Slave to the Algorithm? Why a Right to an Explanation is Probably Not the Remedy You are Looking for". Duke Law and Technology Review. 16: 18. doi:10.2139/ssrn.2972855.
  9. ^ "Algorithms, Henry VIII powers, dodgy 1-man-firms: Reg strokes claw over Data Protection Bill". www.theregister.com. Retrieved 2021-08-11.
  10. ^ Williams, Noah (2019). "Keynote of Commissioner Noah Joshua Phillips" (PDF).
  11. ^ "ARTICLE29 - Item". ec.europa.eu. Retrieved 2021-08-11.
  12. ^ Committee of Experts on Internet Intermediaries (MSI-NET) (2017). Study on the Human Rights Dimensions of Automated Data Processing Techniques (in Particular Algorithms) and Possible Regulatory Implications (MSI-NET(2016)06 rev3 FINAL).
  13. ^ Committee of experts on human rights dimensions of automated data processing and different forms of artificial intelligence (MSI-AUT) (2018). A study of the implications of advanced digital technologies (including AI systems) for the concept of responsibility within a human rights framework MSI-AUT(2018)05.
  14. ^ Alston, Philip (2018). "Statement on Visit to the United Kingdom, by Professor Philip Alston, United Nations Special Rapporteur on extreme poverty and human rights" (PDF).
  15. ^ "Understanding algorithmic decision-making: Opportunities and challenges - Think Tank". www.europarl.europa.eu. Retrieved 2021-08-11.
  16. ^ European Parliament. Directorate General for Parliamentary Research Services. (2019). Regulating disinformation with artificial intelligence: effects of disinformation initiatives on freedom of expression and media pluralism. LU: Publications Office. doi:10.2861/003689. ISBN 9789284639472.
  17. ^ European Commission (2018). "Automated decision-making on the basis of personal data that has been transferred from the EU to companies certified under the EU-U.S. Privacy Shield" (PDF).
  18. ^ European Commission. Joint Research Centre (2018). Artificial intelligence : a European perspective. EUR (Luxembourg. Online). LU: Publications Office. doi:10.2760/11251. ISBN 978-92-79-97217-1.
  19. ^ European Commission. Directorate General for Competition. (2019). Competition policy for the digital era. LU: Publications Office. doi:10.2763/407537. ISBN 9789276019466.
  20. ^ Wiper (ICO), Carl (30 October 2017). "Algorithms, ethics and data protection: a regulator's view. Presentation at the scientific meeting of the Royal Society on the growing ubiquity of algorithms in society: implications, impacts and innovations".
  21. ^ Turning the Tables: Academics in the Hot Seat, retrieved 2021-08-11
  22. ^ Egan, Erin (2020). "Communicating About Privacy: Towards People-Centered and Accountable Design" (PDF).
  23. ^ "Cookies crumbling as Google phases them out". BBC News. 2020-01-15. Retrieved 2021-08-11.
  24. ^ "Forskere: DR's og Folketingets hjemmesider er på kant med persondataloven". DR (in Danish). 2020-01-22. Retrieved 2021-08-11.
  25. ^ Smith, Lilly (2020-02-07). "Why you can't escape dark patterns". Fast Company. Retrieved 2021-08-11.
  26. ^ "Cookie consent tools are being used to undermine EU privacy rules, study suggests". TechCrunch. Retrieved 2021-08-11.
  27. ^ a b Troncoso, Carmela; Payer, Mathias; Hubaux, Jean-Pierre; Salathé, Marcel; Larus, James; Bugnion, Edouard; Lueks, Wouter; Stadler, Theresa; Pyrgelis, Apostolos; Antonioli, Daniele; Barman, Ludovic (2020-05-25). "Decentralized Privacy-Preserving Proximity Tracing". arXiv:2005.12273 [cs.CR].
  28. ^ "Advisory Council". Open Rights Group.
  29. ^ "/mission". Foxglove.
  30. ^ Ada Lovelace Institute (2021). "Rethinking Data".
  31. ^ a b "Who's Listening When You Talk to Your Google Assistant?". Wired. ISSN 1059-1028. Retrieved 2021-08-11.
  32. ^ a b c Bridge, Mark. "Siri users are denied access to their data". The Times. ISSN 0140-0460. Retrieved 2021-04-25.
  33. ^ a b Veale, Michael; Binns, Reuben; Ausloos, Jef (2018-05-01). "When data protection by design and data subject rights clash". International Data Privacy Law. 8 (2): 105–123. doi:10.1093/idpl/ipy002. ISSN 2044-3994.
  34. ^ "Facebook: It's too tough to find personal data in our huge warehouse". Naked Security. 2018-08-29. Retrieved 2021-08-11.
  35. ^ Brandom, Russell (2018-10-13). "Twitter is facing an investigation over data collection in its link-shortening system". The Verge. Retrieved 2021-08-11.
  36. ^ Hill, Rebecca. "Chap asks Facebook for data on his web activity, Facebook says no, now watchdog's on the case". www.theregister.com. Retrieved 2021-08-11.
  37. ^ Irish Data Protection Commissioner (2021). "Annual Report 2020" (PDF).
  38. ^ Porter, Jon (2019-02-13). "Netflix records all of your Bandersnatch choices, GDPR request reveals". The Verge. Retrieved 2021-04-13.
  39. ^ "The One Choice You Weren't Given In Black Mirror: Bandersnatch". Gizmodo Australia. 2019-02-14. Retrieved 2021-08-11.
  40. ^ Bruney, Gabrielle (2019-02-16). "Yep, Netflix Recorded All the Answers You Gave in 'Black Mirror: Bandersnatch'". Esquire. Retrieved 2021-08-11.
  41. ^ "Hackers Can Tell What Netflix 'Bandersnatch' Choices You Make". Wired. ISSN 1059-1028. Retrieved 2021-08-11.
  42. ^ Kircher, Madison Malone (2019-02-13). "Black Mirror: Bandersnatch Saved All Your Answers". Intelligencer. Retrieved 2021-08-11.
  43. ^ Brave (2018-06-20). "Brave Welcomes Dr. Johnny Ryan to its Leadership Team as Chief Policy and Industry Relations Officer". Brave Browser. Retrieved 2021-04-26.
  44. ^ Ryan, Johnny (2018-09-12). "Regulatory complaint concerning massive, web-wide data breach by Google and other "ad tech" companies under Europe's GDPR". Brave Browser. Retrieved 2021-04-26.
  45. ^ "Ending illegal online advertising". Open Rights Group.
  46. ^ Veale, Michael; Zuiderveen Borgesius, Frederik (2021). "Adtech and Real-Time Bidding under European Data Protection Law". German Law Journal. doi:10.31235/osf.io/wg8fq. hdl:2066/253518. S2CID 243311598.
  47. ^ "Google's lead EU regulator opens formal privacy probe of its adtech". TechCrunch. Retrieved 2021-04-26.
  48. ^ "Adtech told to keep calm and fix its 'lawfulness' problem". TechCrunch. Retrieved 2021-04-26.
  49. ^ a b "Privacy experts slam UK's 'disastrous' failure to tackle unlawful adtech". TechCrunch. Retrieved 2021-04-26.
  50. ^ "Response to the ICO's blog on regulating adtech". michael veale. 2020-01-17. Retrieved 2021-04-26.
  51. ^ "ICO statement on Adtech work". ico.org.uk. 2020-07-20. Retrieved 2021-04-26.
  52. ^ "Adtech scores a pandemic pause from UK privacy oversight". TechCrunch. Retrieved 2021-04-26.
  53. ^ "UK's ICO faces legal action after closing adtech complaint with nothing to show for it". TechCrunch. Retrieved 2021-04-26.
  54. ^ "Privacy campaigners file legal challenge against UK's handling of online ads". POLITICO. 2020-11-05. Retrieved 2021-04-26.
  55. ^ DP-3T/documents, DP^3T, 2021-04-21, retrieved 2021-04-24
  56. ^ "Fifth edition of the AI Breakfast: Covid-19: Myths and realities of tracking applications". Data Protection. Retrieved 2021-04-24.
  57. ^ "Michael Veale". Twitter. Retrieved 2021-05-14.
  58. ^ "Michael Veale". Twitter. Retrieved 2021-05-14.
  59. ^ "NHSX 'knew contact-tracing app wouldn't work on iPhones in April'". Digital Health. 2020-06-24. Retrieved 2021-05-14.
  60. ^ "UK abandons contact-tracing app for Apple and Google model". the Guardian. 2020-06-18. Retrieved 2021-05-14.
  61. ^ "UK to replace contact-tracing app with Apple and Google model". Financial Times. 18 June 2020. Retrieved 2021-05-14.