#ccpa
Has anyone managed to use the CCPA (or GDPR?) to force Mailchimp to cough up a list of all the mailing lists you've been nonconsensually added to?
55 notes
Indigestion written by TerresDeBrume | @terresdebrume
A Dead Boy Detectives Podfic read by mistbornhero for CCPA
Crystal is still trying to deal with her recovered memories. Tonight, she gets unexpected help.
Podfic Length: 06:31 minutes
#Dead Boy Detectives #Podfic #Length: 5 - 10 minutes #CCPA #CCPA 2024 #Edwin Payne & Crystal Palace #Crystal Palace
8 notes
[Podfic Link] | Length: 29 minutes, 16 seconds
Original Work: a modern fairy tale (dragons and all) by @luxaofhesperides [aryelee]
DPxDC: Danny Fenton/Duke Thomas | Rating: Teen & Up
Summary:
Danny gets cursed into being a dragon and promptly makes it the Signal's problem.
Notes: This fits perfectly into the rare pairing spot on my podfic bingo card, was recorded for the CCPA V extras collection on ao3, and is definitely in my top 5 DPxDC fics now!
#ghostlights #danny fenton #duke thomas #dragon au #dragons #podfic #ccpa #ccpa 2024 #chromatic characters #chromatic characters podfic anthology #dpxdc #dp x dc #dp x dc crossover #dpxdc podfic #kbirb pods #aryelee #luxaofhesperides
9 notes
[Full Text] Emerging Media Companies, Tracking Cookies, and Data Privacy -- An open letter to Critical Role, Dropout, and fellow audience members
Summary / TL;DR
Both Critical Role (CR) and Dropout have begun exclusively using links provided by third-party digital marketing solution companies in their email newsletters.
Every link in each of the newsletters (even the unsubscribe link) goes through a third-party domain which is flagged as a tracking server by the uBlock Origin browser extension.
Third-party tracking cookies are strictly unnecessary and come with a wide array of risks, including non-consensual targeted advertising, targeted misinformation, doxxing, and the potential for abuse by law enforcement.
You are potentially putting your privacy at risk every time you click on any of the links in either of these newsletters.
IMO these advertising companies (and perhaps CR/Dropout by proxy) are likely breaking the law in the EU and California by violating the GDPR and CCPA respectively.
Even if Critical Role and Dropout are not directly selling or exploiting your personal data, they are still profiting off of it by contracting with, and receiving services from, companies who almost certainly are. The value of your personal data is priced into the cost of these services.
They should stop, and can do so without any loss of web functionality.
1/7. What is happening?
Critical Role and Dropout have begun exclusively using links provided by third-party digital marketing solution companies in their email newsletters.
[ID: A screenshot of the Dropout newsletter alongside the page’s HTML source which shows that the target destination for an anchor element in the email leads to d2xR2K04.na1.hubspotlinks.com. End ID.]
[ID: A screenshot of the CR newsletter alongside the page’s HTML source which shows that the target destination for an anchor element in the email leads to trk.klclick.com. End ID.]
The domains attached to these links are flagged as advertising trackers by the uBlock Origin browser extension.
[ID: Screenshot of a Firefox web browser. The page displays a large warning icon and reads “uBlock Origin has prevented the following page from loading [...] because of the following filter: `||hubspotlinks.com` found in Peter Lowe’s Ad and tracking server list.” End ID.]
[ID: Screenshot of a Firefox web browser. The page displays a large warning icon and reads “uBlock Origin has prevented the following page from loading [...] because of the following filter: `||klclick1.com` found in Peter Lowe’s Ad and tracking server list.” End ID.]
In both cases, every link in the newsletter goes through the flagged third-party domain, and the intended endpoint (Twitter, their store page, etc.) is completely obscured and inaccessible from within the email itself. Even the unsubscribe links feed through the tracking service.
You can test this yourself in your own email client by hovering your cursor over a link in the email without clicking it and watching to see what URL pops up. You may have noticed this yourself if you use uBlock Origin as an ad-blocker.
I don’t know for certain when this first started. It’s possible that this has been going on for a year or more at this point, or it may have started just a few months ago. Either way: it ought to stop.
2/7. What is a tracking cookie?
A tracking cookie is a unique, universally identifiable value placed on your machine by somebody with the intention of checking for that value later to identify you (or at least to identify your machine).
Tracking cookies are used by companies to create advertising behaviour profiles. These profiles are supposedly anonymous, but even if the marketing companies creating them are not lying about that (a tough sell for me personally, but your mileage may vary when it comes to corporations with 9-figure annual incomes), the data can often be de-anonymized.
If this happens, the data can be used to identify the associated user, potentially including their full name, email address, phone number, and physical address—all of which may then be associated with things like their shopping habits, hobbies, preferences, the identities of their friends and family, gender, political opinions, job history, credit score, sexuality, and even when they ovulate.
Now, it is important to note that not all cookies are tracking cookies. A cookie is just some data from a web page that persists on your machine and gets sent back to the server that put it there. Cookies in general are not necessarily malicious or harmful, and are often essential to certain web features functioning correctly (e.g. keeping the user logged in on their web browser after they close the tab). But the thing to keep in mind is that a domain has absolute control over the information that has been stored on your computer by that domain, so allowing cookies is a matter of trusting the specific domain that wants to put them there. You can look at the outgoing information being sent from your machine, but its purpose cannot be determined without knowing what is being done with it on the other side, and these marketing companies ought not to have the benefit of your doubt when they have already been flagged by privacy watchdogs.
3/7. What’s the harm?
Most urgently, as I touched on above: The main source of harm is from corporations profiting off of your private data without your informed consent. However, targeted advertising is actually the least potentially harmful outcome of tracking cookies.
1/6. Data brokers
A data broker is an individual or company that specializes in collecting personal data (such as personal income, ethnicity, political beliefs, geolocation data, etc.) and selling or licensing such information to third parties for a variety of uses, such as background checks conducted by employers and landlords, two universally benevolent groups of people.
There are varying regulations around the world limiting the collection of information on individuals, and the State of California passed a law attempting to address this problem in 2018, following in the footsteps of the EU’s GDPR, but in the jurisdiction of the United States there is no federal regulation protecting consumers from data brokers. In fact, due to the rising interest in federal regulation, data broker firms lobbied to the tune of $29 million in the year 2020 alone.
2/6. De-anonymization techniques
Data re-identification or de-anonymization is the practice of combining datasets (such as advertising profiles) and publicly available information (such as scraped data from social media profiles) in order to discover patterns that may reveal the identities of some or all members of a dataset otherwise intended to be anonymous.
Using the 1990 census, Professor Latanya Sweeney of the Practice of Government and Technology at the Harvard Kennedy School found that up to 87% of the U.S. population can be identified using a combination of their 5-digit zip code, gender, and date of birth. [Link to the paper.]
Individuals whose datasets are re-identified are at risk of having their private information sold to organizations without their knowledge or consent. Once an individual’s privacy has been breached as a result of re-identification, future breaches become much easier: as soon as a link is made between one piece of data and a person’s real identity, that person is no longer anonymous and is at far greater risk of having their data from other sources similarly compromised.
3/6. Doxxing
Once your data has been de-anonymized, you are significantly more vulnerable to all manner of malicious activity: from scam calls and emails to identity theft to doxxing. This is of particular concern for members of minority groups who may be targeted by hate-motivated attacks.
4/6. Potential for abuse by government and law enforcement
Excerpt from “How period tracking apps and data privacy fit into a post-Roe v. Wade climate” by Rina Torchinsky for NPR:
Millions of people use apps to help track their menstrual cycles. Flo, which bills itself as the most popular period and cycle tracking app, has amassed 43 million active users. Another app, Clue, claims 12 million monthly active users. The personal health data stored in these apps is among the most intimate types of information a person can share. And it can also be telling. The apps can show when their period stops and starts and when a pregnancy stops and starts. That has privacy experts on edge because this data—whether subpoenaed or sold to a third party—could be used to suggest that someone has had or is considering an abortion. ‘We're very concerned in a lot of advocacy spaces about what happens when private corporations or the government can gain access to deeply sensitive data about people’s lives and activities,’ says Lydia X. Z. Brown, a policy counsel with the Privacy and Data Project at the Center for Democracy and Technology. ‘Especially when that data could put people in vulnerable and marginalized communities at risk for actual harm.’
Obviously Critical Role and Dropout are not collecting any sort of data related to their users’ menstrual cycles, but the thing to keep in mind is that any data that is exposed to third parties can be sold and distributed without your knowledge or consent and then be used by disinterested—or outright malicious—actors to de-anonymize your data from other sources, including potentially highly compromising data such as that collected by these period-tracking apps. Data privacy violations have compounding dangers, and should be proactively addressed wherever possible. The more of your personal data exists in the hands of third parties, the more likely it is to be de-anonymized.
5/6. Targeted misinformation
Data brokers are often incredibly unscrupulous actors, and will sell your data to whomever can afford to buy it, no questions asked. The most high-profile case of the consequences of this is the Facebook—Cambridge Analytica data scandal, wherein the personal data of Facebook users were acquired by Cambridge Analytica Ltd. and compiled alongside information collected from other data brokers. By giving this third-party app permission to acquire their data back in 2015, Meta (then Facebook) also gave the app access to information on their users’ friend networks: this resulted in the data of some 87 million users being collected and exploited.
The data collected by Cambridge Analytica was widely used by political strategists to influence elections and, by and large, undermine democracy around the world: While its parent company SCL had been influencing elections in developing countries for decades, Cambridge Analytica focused more on the United Kingdom and the United States. CEO Alexander Nix said the organization was involved in 44 American political races in 2014. In 2016, they worked for Donald Trump’s presidential campaign as well as for Leave.EU, one of the organisations campaigning for the United Kingdom to leave the European Union.
6/6. The Crux: Right to Privacy Violations
Even if all of the above were not concerns, every internet user should object to being arbitrarily tracked on the basis of their right to privacy. Companies should not be entitled to create and profit from personality profiles about you just because you purchased unrelated products or services from them. This right to user privacy is the central motivation behind laws like the EU’s GDPR and California’s CCPA (see Section 6).
4/7. Refuting Common Responses
1/3. “Why are you so upset? This isn’t a big deal.”
Commenter: Oh, if you’re just talking about third party cookies, that’s not a big deal … Adding a cookie to store that ‘this user clicked on a marketing email from critical role’ is hardly [worth worrying about].
Me: I don’t think you understand what tracking cookies are. They are the digital equivalent of you going to a drive through and someone from the restaurant running out of the store and sticking a GPS monitor onto your car.
Commenter: Kind of. It’s more like slapping a bumper sticker on that says, in restaurant-ese, ‘Hi I’m [name] and I went to [restaurant] once!’
This is actually an accurate correction. My metaphor was admittedly overly simplistic, but the correction specifies only so far as is comfortable for the commenter. If we want to construct a metaphor that is as accurate as possible, it would go something like this:
You drive into the McDonald’s parking lot. As you are pulling in, unbeknownst to you, a Strange Man pops out of a nearby bush (that McDonald’s has allowed him to place here deliberately for this express purpose), and sticks an invisible bumper sticker onto the back of your car. The bumper sticker is a tracker that tells the Strange Man which road you took to drive to McDonald’s, what kind of car you drive, and what (if anything) you ordered from McDonald’s while you were inside. It might also tell him where you parked in the parking lot, what music you were listening to in your car on the way in, which items you looked at on the menu and for how long, if you went to the washroom, which washroom you went into, how long you were in the washroom, and the exact location of every step you took inside the building.
Now, as soon as you leave the McDonald’s, the bumper sticker goes silent and stops being able to report information. But, let’s say next week you decide to go to the Grocery Store, and (again, unbeknownst to you), the Strange Man also has a deal with the Grocery Store. So as you’re driving into the grocery store’s parking lot, he pops out of another bush and goes to put another bumper sticker onto your car. But as he’s doing so, he notices the bumper sticker he’s already placed there a week ago that only he can see (unless you’ve done the car-equivalent of clearing your browser cache), and goes “ah, it’s Consumer #1287499290! I’ll make sure to file all of this new data under my records for Consumer #1287499290!”
You get out of your car and start to walk into the Grocery Store, but before you open the door, the Strange Man whispers to the Grocery Store: “Hey, I know you’re really trying to push your cereal right now, want me to make it more likely that this person buys some cereal from you?” and of course the Grocery Store agrees—this was the whole reason they let him set up that weird parking lot bush in the first place.
So the Strange Man runs around the store rearranging shelves. He doesn’t know your name (all the data he collects is strictly anonymous after all!) but he does know that you chose the cutesy toy for your happy meal at McDonald’s, so he changes all of the cereal packaging labels in the store to be pastel-coloured and covered in fluffy bears and unicorns. And maybe you were already going to the Grocery Store to buy cereal, and maybe you’re actually very happy to buy some cereal in a package that seems to cater specifically to your interests, but wouldn’t you feel at least a little violated if you found out that this whole process occurred without your knowledge? Especially if you felt like you could trust the people who owned the Grocery Store? They’re not really your friend or anything, but maybe you thought that they were compassionate and responsible members of the community, and part of the reason that you shopped at their store was to support that kind of business.
2/3. “Everyone does it, get over it.”
Commenter: [The marketing company working with CR] is an industry standard at this point, particularly for small businesses. Major partner of Shopify, a fairly big player. If you don't have a software development team, using industry standard solutions like these is the easy, safe option.
This sounds reasonable, but it actually makes it worse, not better, that Critical Role and Dropout are doing this. All this excuse tells me is that most businesses using Shopify (or at least the majority of those that use its recommended newsletter service) have a bush for the Strange Man set up in their parking lot.
Contracting with these businesses is certainly the easy option, but it is decidedly not the safe one.
3/3. “They need to do it for marketing reasons.”
Commenter 1: Email marketing tools like [this] use tracking to measure open and click rates. I get why you don’t want to be tracked, but it’s very hard to run a sizeable email newsletter without any user data.
Commenter 2: I work in digital marketing … every single email you get from a company has something similar to this. Guaranteed. This looks totally standard.
I am a web programmer by trade. It is my full time job. Tracking the metrics that Critical Role and Dropout are most likely interested in does not require embedding third-party tracking cookies in their fans’ web browsers. If you feel comfortable taking my word on that, feel free to skip the next section. If you’re skeptical (or if you just want to learn a little bit about how the internet works) please read on.
5/7. Tracking cookies are never necessary
We live in a technocracy. We live in a world in which technology design dictates the rules we live by. We don’t know these people, we didn’t vote for them in office, there was no debate about their design. But yet, the rules that they determine by the design decisions they make—many of them somewhat arbitrary—end up dictating how we will live our lives. —Latanya Sweeney
1/3. Definitions
A website is a combination of 2 computer programs. One of the two programs runs on your computer (laptop/desktop/phone/etc.) and the other runs on another computer somewhere in the world. The program running on your computer is the client program. The program running on the other computer is the server program.
A message sent from the client to the server is a request. A message sent from the server to the client is a response.
Cookies are bits of data that the server sends to the client in a response that the client then sends back to the server as an attachment to its subsequent requests.
A session is a series of sequential interactions between a client and server. When either of the two programs stops running (e.g. when you close a browser tab), the session is ended and any future interactions will take place in a new session.
A URL is a Uniform Resource Locator. You may also sometimes see the initialism URI—in which the ‘I’ stands for Identifier—but they effectively refer to the same thing, which is the place to find a specific thing on the internet. For our purposes, a “link” and a URL mean the same thing.
2/3. What do Critical Role and Dropout want?
These media companies (in my best estimation) are contracting with the digital advertising companies in order to get one or more of the following things:
Customer identity verification (between sessions)
Marketing campaign analytics
Customer preference profiles
Customer behaviour profiles
3/3. How can they get these things without tracking cookies?
Accounts. Dropout has an account system already. As Beacon is a thing now I have to assume Critical Role does as well, therefore this is literally already something they can do without any additional parties getting involved.
URL Query Parameters. So you want to know which of your social media feeds is driving the most traffic to your storefront. You could contract a third-party advertising company to do this for you, but as we have seen this might not be the ideal option. Instead, when posting your links to said feeds, attach a little bit of extra text to the end of the URL link so: becomes or or even These extra bits of information at the end of a URL are query parameters, and act as a way for the client to specify some instructions for the server when sending a request. In effect, a URL with query parameters allows the client to say to the server “I want this thing under these conditions”. The benefit of this approach is, of course, that you actually know precisely what information is being collected (the stuff in the parameters) and precisely what is being done with it, and you’ve avoided exposing any of your user data to third parties.
Internal data collection. Optionally associate a user’s email address with their preferences on the site. Prompt them to do this whenever they purchase anything or do any action that might benefit from having some saved preference, informing them explicitly when you do so and giving them the opportunity to opt-out.
Internal data collection. The same as above, but let the user know you are also tracking their movements while on your site. You can directly track user behaviour down to every single mouse movement if you really want to—again, no need to get an outside party involved to snoop on your fans. But you shouldn’t do that because it’s a little creepy!
At the end of the day, it will of course be more work to set up and maintain these things, and thus it will inevitably be more expensive—but that discrepancy in expense represents profit that these companies are currently making on the basis of violating their fans’ right to privacy.
6/7. Breaking the Law
The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her [...] The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes. At the latest at the time of the first communication with the data subject, the right referred to in paragraphs 1 and 2 shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information. — General Data Protection Regulation, Art. 21
Nobody wants to break the law and be caught. I am not accusing anyone of anything and this is just my personal speculation on publicly-available information. I am not a lawyer; I merely make computer go beep-boop. If you have any factual corrections for this or any other section in this document please leave a comment and I will update the text with a revision note. Before I try my hand at the legal-adjacent stuff, allow me to wade in with the tech stuff.
Cookies are sometimes good and sometimes bad. Cookies from someone you trust are usually good. Cookies from someone you don’t know are occasionally bad. But you can take proactive measures against bad cookies. You should always default to denying any cookies that go beyond the “essential” or “functional” categorizations on any website of which you are remotely suspicious. Deny as many cookies as possible. Pay attention to what the cookie pop-ups actually say and don’t just click on the highlighted button: it is usually “Accept All”, which means that tracking and advertising cookies are fair game from the moment you click that button onward. It is illegal for companies to arbitrarily provide you a worse service for opting out of being tracked (at least it is in the EU and California).
It is my opinion (and again, I am not a legal professional, just a web developer, so take this with a grain of salt) that the links included in the newsletter emails violate both of these laws. If a user of the email newsletter residing in California or the EU wishes to visit any of the links included in said email without being tracked, they have no way of doing so. None of the actual endpoints are available in the email, effectively forcing the user to go through the third-party domain and submit themselves to being tracked in order to utilize the service they have signed up for. Furthermore, it is impossible to unsubscribe directly from within the email without also submitting to the third-party tracking.
[ID: A screenshot of the unsubscribe button in the CR newsletter alongside the page HTML which shows that the target destination for the anchor element is a trk.klclick.com page. End ID.]
As a brief aside: Opening the links in a private/incognito window is a good idea, but will not completely prevent your actions from being tracked by the advertiser. My recommendation: install uBlock Origin to warn you of tracking domains (it is a completely free and open-source project available on most major web browsers), and do not click on any links in either of these newsletters until they change their practices.
Now, it may be the case that the newsletters are shipped differently to those residing in California or the EU (if you are from either of these regions please feel free to leave a comment on whether or not this is the case), but ask yourself: does that make this any better? Sure, maybe then Critical Role and Dropout (or rather, the advertising companies they contract with) aren’t technically breaking the law, but it shows that the only thing stopping them from exploiting your personal data is potential legal repercussions, rather than any sort of commitment to your right to privacy. But I expect that the emails are not, in fact, shipping any differently in jurisdictions with more advanced privacy legislation—it wouldn’t be the first time a major tech giant blatantly flouted EU regulations.
Without an additional browser extension such as uBlock Origin, a user clicking on the links in these emails may not even be aware that they have interacted with the advertising agency at all, let alone what sort of information that agency now has pertaining to them, nor do they have any ability to opt out of this data collection.
For more information about your right to privacy—something that only those living in the EU or California currently have—you can read explanations of the legislations at the following links (take note that these links, and all of the links embedded in this paper, are anchored directly to the destinations they purport to be, and do not sneakily pass through an additional domain before redirecting you):
7/7. Conclusion
Never attribute to malice that which can be adequately explained by neglect, ignorance or incompetence. —Hanlon’s Razor
The important thing to make clear here is this: Even if Critical Role and Dropout are not directly selling or exploiting your personal data, they are still profiting off of it by contracting with, and receiving services from, companies who I believe are. You may not believe me.
I do not believe that the management teams at Critical Role and Dropout are evil or malicious. Ignorance seems to be the most likely cause of this situation. Someone at some marketing company told them that this type of thing was helpful, necessary, and an industry standard, and they had no reason to doubt that person’s word. Maybe that person had no reason to doubt the word of the person who told them. Maybe there are a few people in that chain, maybe quite a few. I do not expect everyone running a company to be an expert in this stuff (hell, I’m nowhere close to being an expert in this stuff myself—I only happened to notice this at all because of a browser extension I just happened to have installed to block ads), but what I do expect is that they change their behaviour when the potential harms of their actions have been pointed out to them, which is why I have taken the time to write this.
PS. To the employees of Critical Role and Dropout
It is my understanding that these corporations were both founded with the intention of being socially responsible alongside turning a profit. By using services like the ones described above, you are, however unintentionally, profiting off of the personal datasets of your fans that are being compiled and exploited without their informed consent. You cannot say, implicitly or explicitly, “We’re not like those other evil companies! We care about more than just extracting as much money from our customers as possible!” while at the same time utilizing these services, and it is my hope that after reading this you will make the responsible choice and stop doing so.
Thank you for reading,
era
Originally Published: 23 May 2024
Last Updated: 28 May 2024
#critical role #dimension 20 #dropout #dropout tv #brennan lee mulligan #sam reich #critical role campaign 3 #cr3 #midst podcast #candela obscura #make some noise #game changer #smarty pants #very important people #web security #data privacy #gdpr #ccpa #open letter
10 notes
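The hover check described in section 1/7 of the open letter above can be run over a whole newsletter at once. This is an added example, not part of the original post: the HTML fragment is constructed, `example.com` stands in for the sender's own domain, the function names are illustrative, and `||klclick.com` is an assumed filter entry alongside the two filter strings the post quotes.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Filters in the "||domain" form shown in the post's uBlock Origin screenshots.
# The first two strings are quoted in the post; "||klclick.com" is an assumed
# entry added here so the sample host trk.klclick.com is covered.
SAMPLE_FILTERS = ["||hubspotlinks.com", "||klclick1.com", "||klclick.com"]

# Constructed newsletter fragment. The two tracker hostnames come from the
# post's screenshots; paths, tokens and example.com are placeholders.
SAMPLE_EMAIL = """
<p><a href="https://d2xR2K04.na1.hubspotlinks.com/PLACEHOLDER">New episode</a></p>
<p><a href="https://trk.klclick.com/PLACEHOLDER">Visit the store</a></p>
<p><a href="https://trk.klclick.com/PLACEHOLDER-2">Unsubscribe</a></p>
<p><a href="https://notklclick1.com/landing">Lookalike host</a></p>
<p><a href="https://shop.example.com/new?source=newsletter">Direct link</a></p>
<p><a href="mailto:help@example.com">Contact us</a></p>
"""


class AnchorCollector(HTMLParser):
    """Collects (href, visible text) for every <a href=...> element."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def filter_domains(filters):
    """Extract the domain from each '||domain' (optionally '||domain^') filter."""
    return {f.strip()[2:].rstrip("^").lower()
            for f in filters
            if f.strip().startswith("||") and len(f.strip()) > 2}


def matching_domain(host, domains):
    """Return the listed domain that host equals or is a subdomain of.

    Matching walks whole DNS labels, so 'notklclick1.com' does not match
    'klclick1.com' and 'trk.klclick.com' does not match 'klclick1.com'.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def audit_links(html, filters, first_party):
    """Classify each http(s) link as flagged, first-party or third-party."""
    blocked = filter_domains(filters)
    collector = AnchorCollector()
    collector.feed(html)
    collector.close()
    report = []
    for href, text in collector.links:
        try:
            parts = urlsplit(href.strip())
        except ValueError:
            continue  # unparseable href
        if parts.scheme not in ("http", "https"):
            continue  # mailto:, tel:, in-page anchors
        host = parts.hostname or ""  # urlsplit lowercases the hostname
        hit = matching_domain(host, blocked)
        if hit:
            verdict = "flagged"
        elif matching_domain(host, {first_party.lower()}):
            verdict = "first-party"
        else:
            verdict = "third-party"
        report.append({"text": text, "host": host, "verdict": verdict, "filter": hit})
    return report


def unsubscribe_is_tracked(report):
    """True if any link labelled 'unsubscribe' resolves to a flagged host."""
    return any("unsubscribe" in r["text"].lower() and r["verdict"] == "flagged"
               for r in report)


if __name__ == "__main__":
    for row in audit_links(SAMPLE_EMAIL, SAMPLE_FILTERS, "example.com"):
        print(f'{row["verdict"]:<12} {row["host"]:<34} {row["text"]}')
```

Run against a saved copy of a real newsletter and a current blocklist, the report shows at a glance whether any link, the unsubscribe link included, reaches its destination without passing through a flagged domain.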
Federal public sector workers’ wages, adjusted for inflation, are no better than they were in 2007, a new report from the Canadian Centre for Policy Alternatives shows.
“The average federal public sector worker’s wages only buy the same today as they did in October 2007,” the CCPA report states. “No other industry—none—has seen average inflation adjusted wages pushed back as far as federal public sector workers.”
Over 100,000 federal public workers hit the picket lines across the country on Wednesday with a two-year expired contract and no wage offers that kept up with the rising cost of living.
Even if the union wins its current wage demands of 4.5% increases each year for three years, “those average federal worker wages would still be 4.8 per cent below the industrial average,” the report notes.
Full article
Tagging: @politicsofcanada
#cdnpoli #canadian politics #canadian news #canada #canadian #workers rights #wages #federal public workers #federal public sector #federal employees #unions #strikes #strike action #CCPA #canadian centre for policy alternatives
88 notes
i haven't really seen this being addressed (which could just be the result of it not being discussed within my particular tumblr circle) but I'm wondering if it's not a potential issue for new tumblr users to be joining via their google accounts.
signing up through google wasn't an option for tumblr for a long time and tbh i don't know when that changed, but every time i go to sign in via email and the little pop up box asks me if i want to sign in via google or facebook i just. well i see fucking red bc jfc the absolute chokehold of a monopoly this one god forsaken company has on the internet is horrific, but also i just don't know enough about tumblr and/or google tos/current laws in the states (where tumblr is based) to know if connecting your blog to a google account is giving them access to data mine on this site
i'll do my own research but if anyone who is more educated on this feels like jumping in i would super appreciate it
2 notes
Text
Preparing today for tomorrow's AI regulations - AI News
New Post has been published on https://thedigitalinsider.com/preparing-today-for-tomorrows-ai-regulations-ai-news/
AI is rapidly becoming ubiquitous across business systems and IT ecosystems, with adoption and development racing faster than anyone could have expected. Today it seems that everywhere we turn, software engineers are building custom models and integrating AI into their products, as business leaders incorporate AI-powered solutions in their working environments.
However, uncertainty about the best way to implement AI is stopping some companies from taking action. Boston Consulting Group’s latest Digital Acceleration Index (DAI), a global survey of 2,700 executives, revealed that only 28% say their organisation is fully prepared for new AI regulation.
Their uncertainty is exacerbated by AI regulations arriving thick and fast: the EU AI Act is on the way; Argentina released a draft AI plan; Canada has the AI and Data Act; China has enacted a slew of AI regulations; and the G7 nations launched the “Hiroshima AI process.” Guidelines abound, with the OECD developing AI principles, the UN proposing a new UN AI advisory body, and the Biden administration releasing a blueprint for an AI Bill of Rights (although that could quickly change with the second Trump administration).
Legislation is also coming in individual US states, and is appearing in many industry frameworks. To date, 21 states have enacted laws to regulate AI use in some manner, including the Colorado AI Act and clauses in California’s CCPA, and a further 14 states have legislation awaiting approval.
Meanwhile, there are loud voices on both sides of the AI regulation debate. A new survey from SolarWinds shows 88% of IT professionals advocate for stronger regulation, and separate research reveals that 91% of British people want the government to do more to hold businesses accountable for their AI systems. On the other hand, the leaders of over 50 tech companies recently wrote an open letter calling for urgent reform of the EU’s heavy AI regulations, arguing that they stifle innovation.
It’s certainly a tricky period for business leaders and software developers, as regulators scramble to catch up with tech. Of course you want to take advantage of the benefits AI can provide, and you can do so in a way that sets you up for compliance with whatever regulatory requirements are coming and doesn’t handicap your AI use unnecessarily while your rivals speed ahead.
We don’t have a crystal ball, so we can’t predict the future. But we can share some best practices for setting up systems and procedures that will prepare the ground for AI regulatory compliance.
Map out AI usage in your wider ecosystem
You can’t manage your team’s AI use unless you know about it, but that alone can be a significant challenge. Shadow IT is already the scourge of cybersecurity teams: Employees sign up for SaaS tools without the knowledge of IT departments, leaving an unknown number of solutions and platforms with access to business data and/or systems.
Now security teams also have to grapple with shadow AI. Many apps, chatbots, and other tools incorporate AI, machine learning (ML), or natural language programming (NLP), without such solutions necessarily being obvious AI solutions. When employees log into these solutions without official approval, they bring AI into your systems without your knowledge.
As Opice Blum’s data privacy expert Henrique Fabretti Moraes explained, “Mapping the tools in use – or those intended for use – is crucial for understanding and fine-tuning acceptable use policies and potential mitigation measures to decrease the risks involved in their utilisation.”
Some regulations hold you responsible for AI use by vendors. To take full control of the situation, you need to map all the AI in your own and your partner organisations’ environments. In this regard, using a tool like Harmonic can be instrumental in detecting AI use across the supply chain.
Verify data governance
Data privacy and security are core concerns for all AI regulations, both those already in place and those on the brink of approval.
Your AI use already needs to comply with existing privacy laws like GDPR and CCPA, which require you to know what data your AI can access and what it does with the data, and for you to demonstrate guardrails to protect the data AI uses.
To ensure compliance, you need to put robust data governance rules into place in your organisation, managed by a defined team, and backed up by regular audits. Your policies should include due diligence to evaluate data security and sources of all your tools, including those that use AI, to identify areas of potential bias and privacy risk.
“It is incumbent on organisations to take proactive measures by enhancing data hygiene, enforcing robust AI ethics and assembling the right teams to lead these efforts,” said Rob Johnson, VP and Global Head of Solutions Engineering at SolarWinds. “This proactive stance not only helps with compliance with evolving regulations but also maximises the potential of AI.”
Establish continuous monitoring for your AI systems
Effective monitoring is crucial for managing any area of your business. When it comes to AI, as with other areas of cybersecurity, you need continuous monitoring to ensure that you know what your AI tools are doing, how they are behaving, and what data they are accessing. You also need to audit them regularly to keep on top of AI use in your organisation.
“The idea of using AI to monitor and regulate other AI systems is a crucial development in ensuring these systems are both effective and ethical,” said Cache Merrill, founder of software development company Zibtek. “Currently, techniques like machine learning models that predict other models’ behaviours (meta-models) are employed to monitor AI. The systems analyse patterns and outputs of operational AI to detect anomalies, biases or potential failures before they become critical.”
Cyber GRC automation platform Cypago allows you to run continuous monitoring and regulatory audit evidence collection in the background. The no-code automation allows you to set custom workflow capabilities without technical expertise, so alerts and mitigation actions are triggered instantly according to the controls and thresholds you set up.
Cypago can connect with your various digital platforms, synchronise with virtually any regulatory framework, and turn all relevant controls into automated workflows. Once your integrations and regulatory frameworks are set up, creating custom workflows on the platform is as simple as uploading a spreadsheet.
Use risk assessments as your guidelines
It’s vital to know which of your AI tools are high risk, medium risk, and low risk – for compliance with external regulations, for internal business risk management, and for improving software development workflows. High risk use cases will need more safeguards and evaluation before deployment.
“While AI risk management can be started at any point in the project development,” Ayesha Gulley, an AI policy expert from Holistic AI, said. “Implementing a risk management framework sooner than later can help enterprises increase trust and scale with confidence.”
When you know the risks posed by different AI solutions, you can choose the level of access you’ll grant them to data and critical business systems.
In terms of regulations, the EU AI Act already distinguishes between AI systems with different risk levels, and NIST recommends assessing AI tools based on trustworthiness, social impact, and how humans interact with the system.
Proactively set AI ethics governance
You don’t need to wait for AI regulations to set up ethical AI policies. Allocate responsibility for ethical AI considerations, put together teams, and draw up policies for ethical AI use that include cybersecurity, model validation, transparency, data privacy, and incident reporting.
Plenty of existing frameworks like NIST’s AI RMF and ISO/IEC 42001 recommend AI best practices that you can incorporate into your policies.
“Regulating AI is both necessary and inevitable to ensure ethical and responsible use. While this may introduce complexities, it need not hinder innovation,” said Arik Solomon, CEO and co-founder of Cypago. “By integrating compliance into their internal frameworks and developing policies and processes aligned with regulatory principles, companies in regulated industries can continue to grow and innovate effectively.”
Companies that can demonstrate a proactive approach to ethical AI will be better positioned for compliance. AI regulations aim to ensure transparency and data privacy, so if your goals align with these principles, you’ll be more likely to have policies in place that comply with future regulation. The FairNow platform can help with this process, with tools for managing AI governance, bias checks, and risk assessments in a single location.
Don’t let fear of AI regulation hold you back
AI regulations are still evolving and emerging, creating uncertainty for businesses and developers. But don’t let the fluid situation stop you from benefiting from AI. By proactively implementing policies, workflows, and tools that align with the principles of data privacy, transparency, and ethical use, you can prepare for AI regulations and take advantage of AI-powered possibilities.
#2024#Administration#adoption#ai#ai act#AI Ethics#ai news#AI regulation#AI systems#ai tools#AI-powered#alerts#anomalies#approach#apps#Artificial Intelligence#audit#author#automation#automation platform#background#Bias#biden#Building#Business#cache#california#Canada#ccpa#CEO
0 notes
Text
youtube
Today, we dispel the myth that artificial intelligence (AI) is overhyped by showing how it is revolutionizing eCommerce. The movie demonstrates how AI-powered systems like Buyist Pro can quickly analyze difficult circumstances, give actionable insights, and ease problem-solving for non-technical people. It uses the scenario of a small business owner dealing with a customer's allegation of a data breach. Artificial intelligence (AI) can interpret natural language questions and provide pertinent, context-aware answers, improving the usability and efficiency of eCommerce systems.
#AI#data_breach#customer_service#artificial_intelligence#generative_AI#small_business#problem_solving#natural_language_processing#technology#online_retail#data_analysis#user_experience#CCPA#GDPR#Shopify#direct_to_consumer#cybersecurity#ecommerce#ai_in_ecommerce#ai_tools#ai_ecommerce_business#ai_chatbot#ecommerce_business#online_business#artificial_intelligence_ecommerce#buyist_pro#AI_news#Youtube
0 notes
Text
Codes and Bots written by ziazippy5379 | @theredshirtsarecoming
A Leverage Podfic read by mistbornhero for CCPA
Alec teaches Breanna her first bit of coding.
Podfic Length: 10:43 minutes
3 notes
Text
[Podfic Link] | Length: 7 minutes, 9 seconds
Original Work: as if he has saved all mankind by suzukiblu
DPxDC: Danny Fenton/Duke Thomas | Rating: General Audiences
Summary:
Duke found something weird on patrol today. He’s day shift, obviously, but near the end of his shift . . . Well, something weird happened. Or he saw something weird, more like.
Notes: my first Ghostlights podfic!
Recorded for the Chromatic Characters Podfic Anthology V with the theme of "family."
& I know that any of my podfics for the anthology could fit the "character of color" slot for my podfic bingo but I love this one so much that I wanted to highlight it! You can find my bingo card here ⋆˙⟡♡
#ghostlights#dpxdc#dp x dc#dp x dc crossover#danny fenton#duke thomas#danny phantom podfic#dpxdc podfic#dc podfic#batfam podfic#ccpa#ccpa 2024#chromatic characters#chromatic characters podfic anthology#chromatic characters podfic anthology V#kbirb pods#suzukiblu
7 notes
Text
Emerging Media Companies, Tracking Cookies, and Data Privacy (An Open Letter to Dropout and Critical Role)
Read the open letter here.
TL;DR:
Both Critical Role (CR) and Dropout are exclusively using links provided by third-party digital marketing solution companies in their email newsletters.
Every link in each of the newsletters (even the unsubscribe link) goes through a third-party domain which is flagged as a tracking server by the uBlock Origin browser extension.
Third-party tracking cookies are strictly unnecessary and come with a wide array of risks, including non-consensual targeted advertising, targeted misinformation, doxxing, and the potential for abuse by law enforcement.
IMO these advertising companies (and perhaps CR/Dropout by proxy) might be breaking the law in the EU and California by violating the GDPR and CCPA respectively.
Even if Critical Role and Dropout are not directly selling or exploiting your personal data, they are still profiting off of it by contracting with, and receiving services from, companies who almost certainly are.
They should stop.
9 notes
Text
AI Meets Spreadsheets: How Large Language Models are Getting Better at Data Analysis
New Post has been published on https://thedigitalinsider.com/ai-meets-spreadsheets-how-large-language-models-are-getting-better-at-data-analysis/
Spreadsheets have been a core tool for data organization, financial modeling, and operational planning in businesses across industries. Initially designed for basic calculations and simple data management, their functionality has expanded as the need for data-driven insights has grown. Today, enterprises need real-time data analysis, advanced analytics, and even predictive capabilities within the familiar spreadsheet format. As spreadsheet tools become more advanced, many non-technical users find navigating and fully utilizing these complex features increasingly challenging.
Large Language Models (LLMs), advanced AI models capable of understanding and generating human language, are changing this domain. Developed by companies like OpenAI, Microsoft, and Google, they are reshaping how users interact with spreadsheets. By integrating AI directly into platforms like Excel and Google Sheets, LLMs enhance spreadsheets with natural language capabilities that simplify complex tasks. Users can now perform complex data analysis, automate workflows, and generate insights by simply typing a request in plain language. This shift enables spreadsheets to serve as intuitive, AI-powered tools for data analysis, breaking down technical barriers and democratizing access to meaningful insights across all levels of an organization.
Background on Large Language Models (LLMs)
To understand how LLMs are transforming spreadsheets, it is important to know about their evolution. LLMs are powerful AI systems trained on massive amounts of data, like books, websites, and specialized content. These models learn to understand language nuances, context, and even industry-specific jargon.
In their early days, language models could manage only simple tasks like classifying text. But modern LLMs, such as GPT-4 and LLaMA, are a whole different story. They generate human-like text and can handle complex data processing and analysis, making them incredibly useful for data-intensive tasks like spreadsheet analysis.
A significant advancement came with GPT-3, which improved how models understood and interacted with language. Each new version has gotten better at handling complex tasks, faster at processing queries, and more adept at understanding context. Today, the demand for LLMs in data analysis is so high that the industry is seeing rapid growth, with these models expected to play a significant role in business intelligence.
This progress is reflected in tools like Microsoft’s Copilot for Excel and Google Sheets’ Duet AI, which directly bring LLM capabilities into the spreadsheet software millions already use. These tools enable people to get valuable insights from data without specialized technical skills, which is especially helpful for small and medium-sized businesses. Access to AI-driven data analysis can make a big difference for these companies, providing the same competitive insights typically available to larger companies with data science teams.
How LLMs are Transforming Data Analysis in Spreadsheets
LLMs are transforming data analysis within spreadsheets, bringing advanced data processing and accuracy improvements directly into familiar tools like Microsoft Excel and Google Sheets. Traditionally, spreadsheet users needed to rely on complex formulas and nested functions for data processing, which could be challenging and error-prone, especially for non-technical users. With LLMs, users can simply input commands in plain language, such as “Calculate the year-over-year growth” or “Highlight sales anomalies,” allowing the model to generate the appropriate formulas or provide instant insights. This natural language capability significantly reduces the time spent on analysis and improves accuracy. This is an advantage in fast-moving fields like e-commerce and finance.
In addition to data processing, LLMs excel at automating essential data-cleaning tasks crucial for accurate analysis. Users can instruct the model to perform tasks like “normalize dates to MM/DD/YYYY” or “fill missing values with the median.” The model executes these processes in seconds, ensuring higher data quality and improving downstream analytics. Studies have shown that AI-powered data cleaning significantly enhances the accuracy of data analysis, making these capabilities particularly beneficial for users who need reliable insights without dedicating extensive time to data preparation.
Another critical benefit of LLMs is their ability to interpret data trends and generate summaries in natural language. For example, a marketer can ask, “What are the primary sales trends over the last year?” and receive a concise summary of critical insights without manually sifting through large datasets. This ease of trend analysis and summary generation has made it simpler for non-technical users to understand and act on data insights. Surveys indicate that many users feel LLMs improve their ability to interpret data for strategic planning, showing a growing reliance on AI for informed decision-making.
LLMs also play a critical role in democratizing data analysis by reducing the need for specialized technical skills. With LLM integrations, non-technical professionals across various departments can access advanced data insights independently. For example, a retail manager can analyze customer trends without relying on a data specialist. This accessibility allows organizations to make data-driven decisions at every level, promoting a culture of informed, agile decision-making.
LLMs are now embedded directly into spreadsheet tools, with examples like Microsoft’s Copilot in Excel and Google’s Duet AI in Google Sheets. These integrations enable generating formulas, categorizing data, and visualizations using simple language prompts. A financial analyst, for instance, could type, “Show a trend line for quarterly revenue growth,” and the model will produce the visualization, streamlining a task that would otherwise be manual and time-consuming.
Challenges and Limitations of LLMs in Data Analysis
While LLMs bring powerful capabilities to data analysis, they come with significant challenges and limitations. These issues are particularly relevant in sensitive or high-stakes environments where accuracy and privacy are essential.
First, data privacy and security are a vital concern. Since many LLMs are cloud-based, they pose potential risks for sensitive data exposure. Regulations like GDPR and CCPA enforce strict data protection requirements, so companies using LLMs must ensure compliance by implementing robust security protocols. Solutions include using models that process data locally or enhancing encryption and data anonymization. These measures help mitigate data leakage or unauthorized access risks, which is critical when dealing with personal or proprietary information.
Another challenge is accuracy and reliability. While LLMs are highly advanced, they are not immune to errors. They may misinterpret vague or complex prompts, potentially leading to incorrect insights. This is especially problematic in areas like finance or healthcare, where decisions based on faulty data can have significant consequences.
LLMs also struggle with noisy or context-lacking datasets, impacting output accuracy. To address this, many organizations incorporate human oversight and AI verification checks to validate outputs, ensuring they meet reliability standards before being used in critical decisions.
In addition, technical limitations make the integration of LLMs within existing systems, such as spreadsheets, challenging. Processing large datasets in real-time or scaling up LLM applications requires substantial computational resources. Moreover, because LLMs need frequent updates to stay relevant, especially for domain-specific tasks, maintaining them can be resource-intensive. For many businesses, balancing these technical demands with the benefits of LLMs is an ongoing challenge.
These limitations highlight the need for strategic planning, especially for organizations looking to integrate LLMs effectively while protecting data integrity and ensuring operational reliability.
Future Trends and Innovations
The future of LLMs in spreadsheet-based data analysis is promising, with some exciting developments anticipated. One big trend is customization and personalization. Future LLMs are expected to learn from users’ past interactions, tailoring their responses to specific preferences. This means users could get faster, more relevant insights without adjusting settings each time.
Collaboration is another area where LLMs are set to improve. Soon, multiple users can work together on the same spreadsheet, making real-time updates and decisions. This could transform spreadsheets into powerful, collaborative tools where team members can instantly exchange ideas and see changes.
Additionally, we may soon see the integration of multimodal AI capabilities. This technology allows LLMs to simultaneously work with text, numbers, images, and structured data. Imagine analyzing a dataset that combines sales figures with customer reviews within a single spreadsheet. This would provide a more complete and holistic view, making analysis more comprehensive and insightful.
These developments will make LLMs even more helpful, helping users make smarter, faster decisions and collaborate more effectively.
The Bottom Line
The rise of LLMs in spreadsheets is changing how we interact with data. What once required complex formulas and specialized skills can now be handled by simply typing what we need in everyday language. This shift means that data analysis is no longer reserved for technical experts. Now, professionals from all backgrounds can tap into powerful insights, make informed decisions, and get the most out of their data.
Yet, like any innovation, LLMs bring both opportunities and challenges. Data privacy, model reliability, and technical demands are fundamental considerations for companies adopting these tools. Businesses need to use LLMs thoughtfully, ensuring they protect sensitive information and validate the insights AI generates.
#Accessibility#agile#ai#AI in excel#AI in spreadsheets#AI models#AI systems#AI-powered#Analysis#Analytics#anomalies#applications#Artificial Intelligence#background#Books#Business#Business Intelligence#ccpa#challenge#Cloud#collaborate#Collaboration#collaborative#Commerce#Companies#compliance#comprehensive#content#data#data analysis
0 notes
Text
All of this sets the stage for a phenomenon called algorithmic wage discrimination, in which two workers doing the same job under the same conditions will see radically different payouts for that work. These payouts are continuously tweaked in the background by an algorithm that tries to predict the minimum sum a worker will accept to remain available without payment, to ensure sufficient workers to pick up jobs as they arise.
No really you should read this essay
Gig apps trap reverse centaurs in Skinner boxes
Enshittification is the process by which digital platforms devour themselves: first they dangle goodies in front of end users. Once users are locked in, the goodies are taken away and dangled before business customers who supply goods to the users. Once those business customers are stuck on the platform, the goodies are clawed away and showered on the platform’s shareholders:
https://pluralistic.net/2023/01/21/potemkin-ai/#hey-guys
If you’d like an essay-formatted version of this post to read or share, here’s a link to it on pluralistic.net, my surveillance-free, ad-free, tracker-free blog:
https://pluralistic.net/2023/04/12/algorithmic-wage-discrimination/#fishers-of-men
#pluralistic#great resignation#twiddler#countertwiddling#wage discrimination#algorithmic#scholarship#doordash#para#Veena Dubal#labor#brian merchant#app boss#reverse centaurs#skinner boxes#enshittification#ants vs pickers#tuyul#steampunk#cottage industry#ccpa#gdpr#App Drivers and Couriers Union#shitty technology adoption curve#moral economy#gamblification#casinoization#taylorism#giant teddy bears
3K notes
Text
of birds & body language written by kermit_coded | @kermit-coded
A Batman Podfic read by mistbornhero for CCPA
A study in Gotham City and her protectors as seen through the eyes of Cassandra Cain.
Podfic Length: 07:54 minutes
2 notes