Everything Is Not Terminator Using State Law Against Deceptive Ai's Use of Personal Data

• Jurisdiction: United States,Federal
• Publication year: 2018
• Citation: Vol. 1 No. 4

John Frank Weaver^*

Although killer drones and autonomous weapons get the most publicity when it comes to the dangers of artificial intelligence ("AI"),¹ there is growing evidence of the dangers posed by AI that can deceive human beings. A few examples from recent headlines:

- AI that can create videos of world leaders—or anyone-saying things they never said;²

- Laser phishing, which uses AI to scan an individual's social media presence and then sends "false but believable" messages from that person to his or her contacts, possibly obtaining money or personal information;³ and

- AI that analyzes data sets containing millions of Facebook profiles to create marketing strategies to "predict and potentially control human behavior."⁴

The last technique was reportedly used in the 2016 American presidential election.⁵ The Facebook profiles in question were supposedly obtained through illicit means, giving Cambridge Analytica, the entity creating the marketing strategies, a wealth of personal data to feed to its AI for analysis.⁶

The problems created by AI doing this work is immediately apparent, particularly to those involved with the technology. "The dangers of not having regulation around the sort of data you can get from Facebook and elsewhere is clear. With this, a computer can actually do psychology, it can predict and potentially control human behavior . . . It's how you brainwash someone. It's incredibly dangerous," notes Jonathan Rust, the director of the Psychometric Centre at the University of Cambridge, which did much of the research Cambridge Analytica relies on.⁷ He goes on to warn, "It's no exaggeration to say that minds can be changed . . . People don't

[Page 267]

know it's happening to them. Their attitudes are being changed behind their backs."⁸

Massachusetts Attorney General Maura Healey has announced that her office will investigate how Facebook and Cambridge Analytica obtained and used the personal data.⁹ However, did Facebook and Cambridge Analytica actually break Massachusetts, or any state, law in a way that is enforceable?¹⁰ If not, what does that say about the state of AI regulation and legal protection for individuals in this country?

Personal Data v. Personal Information in American Law

Data, particularly personal data, is the lifeblood of AI.¹¹ With enough data, AI can create original art,¹² write natural language reports and narratives,¹³ and provide and improve personal assistant services through devices like Amazon's Alexa and Echo.¹⁴ As the examples of deceptive AI above demonstrate, AI can also use personal data to mislead human users. Despite the apparent danger, American law focuses on protecting personal information in order to prevent identity theft, but is largely unconcerned with AI and personal data.

What's the difference between personal data and personal information? Personal data is a broad category of data that includes personal information. Compare the definition of personal data from the European Union's General Data Protection Regulation ("GDPR") and the definition of personal information used in Massachusetts:¹⁵

- Personal data: any information relating to an identified or identifiable natural person.¹⁶

- Personal information: a resident's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident:

• Social Security number;

• Driver's license number or state-issued identification card number; or

• financial account number, or credit or debit card number, with or without any required security code, access

[Page 268]

code, personal identification number or password, that would permit access to a resident's financial account; provided, however, that "Personal information" shall not include information that is lawfully obtained from publicly available information, or from federal, state, or local government records lawfully made available to the general public.¹⁷

The EU uses personal data in an incredibly broad sense. Anything about you that can be connected to you is personal data: name, social security number, bank account, credit card, internet browsing history, Amazon purchases, social media posts and viewing habits, news articles written about and by you, tweets you are mentioned in, etc. The United States uses personal information narrowly by comparison, focusing on information that could lead to a bad actor gaining access to your credit card or finances. These definitions are consistent with the different approaches to data and privacy in the EU, where privacy and the protection of personal data are considered a fundamental right,¹⁸ and in the United States, where one of the goals of data regulation is to ensure commerce continues to run smoothly.¹⁹

Did Facebook and Cambridge Analytica Violate Any State Laws?

In considering whether or not Facebook and Cambridge Analytica have violated any state laws, it is useful to look briefly at what is required in Europe. Under the GDPR, before any party can capture an individual's personal data, they must inform the subject individual how the personal data will be used²⁰ and must also frequently obtain the consent of that person.²¹ If Facebook wants to collect your data and sell it to a third party for use in marketing, it must first tell you it is going to do that and obtain your consent. If you want to withdraw your consent, you have that right.²² The GDPR also guarantees the "right to be forgotten," which grants individuals the right to require that entities with their personal data erase all of their personal data, subject to certain conditions.²³

State data privacy laws in America are much more limited with regard to sharing personal data. California requires that each party collecting personally identifiable information—a term that

[Page 269]

is somewhere between personal information and personal data in terms of breadth²⁴—conspicuously post its privacy policy, and that requirement has become a widely followed best practice.²⁵However, consent is rarely required before a data capturer can share personal data with a third party.²⁶ Almost every state has a data security breach law, which, in one form or another, requires a party to notify all affected individuals when it experiences a security breach in which those individuals' personal information is compromised.²⁷ But those laws do not apply to personal data broadly, only to personal information. It is unclear at this time if the personal data from the Facebook accounts that Cambridge Analytica included the necessary combinations of name, addresses, credit card number, etc. to be applicable.

At least 15 states have specific statutes and/or regulations that require entities that store personal information to have data security measures.²⁸ However, in general, these state-specific standards may not be very useful in pursuing a legal action against Facebook or Cambridge Analytica because they are general and broadly worded. Most states have only specified that the parties protecting personal information "take reasonable measures to protect and secure" the personal information,²⁹ "implement and maintain reasonable procedures . . . to protect and safeguard from unlawful use or disclosure" the information,³⁰ "implement and maintain reasonable procedures and practices appropriate to the nature of the information, and exercise reasonable care to protect the personal information,"³¹ etc. Not surprisingly, Massachusetts has provided much more detailed requirements governing how to protect the relevant personal information. These requirements include designating specific employees to maintain security programs,³² requiring that service providers implement security measures,³³ and requiring that covered entities maintain a security system covering their computers that satisfies specific criteria, such as adopting secure user authentication protocols and encryption.³⁴

With regard to the data protection statutes discussed above, Attorney General Healey might have the most success conducting discovery to address four specific issues:

1. Did the Facebook profiles obtained by Cambridge Analytica contain

...