Policy actions sorted A-Z.
Organisations should set standards, or regulators should enforce standards, on how terms and conditions are communicated to users. This would improve users' understanding of the contract they enter into with a digital service.
Terms of Service; Didn't Read gives an overview of the main points of various digital services' terms and conditions, assigning each a rating on its fairness to users.
IF’s Data licences explores how a consistent design pattern can improve people’s understanding of how their data will be used.
Suitably capable regulators are able to inspect, audit and test the code/algorithms of high impact products and services to ensure fairness and safety.
United States: A new regulation, currently in review, would allow the Commodity Futures Trading Commission to inspect the source code of automated trading algorithms.
United Kingdom: The Gambling Commission enforces a technical standard (PDF) for remote gambling software. Gambling service operators are audited against this standard.
Regulators may not have the internal skills and understanding to effectively audit code.
Ethics, context and humanity aren’t written into the code.
Code could be written so that a product passes an audit but behaves differently under normal operating conditions, for example by detecting that it is being tested.
Organisations may perceive code inspections as breaches of their intellectual property rights.
Laws should allow consumers to understand, review and prevent automated decisions made about them, in order to improve the accountability of these processes.
European Union: The General Data Protection Regulation introduces safeguards such as the right not to be subject to a solely automated decision with legal or similarly significant effects, and the right to obtain human intervention in such a decision.
United States: The Equal Credit Opportunity Act allows credit applicants to know why their application was rejected.
People have the right to find out about and request access to data held about them by data controllers, so that they can understand what is held about them and by whom, and correct errors.
United Kingdom: Subject Access Requests give data subjects the right to access their data under the Data Protection Act. They are entitled to know if their personal data is being processed, to receive a description of the data, to receive a copy of the data and to know the details of the source of the data.
European Union: Under Article 16 of the General Data Protection Regulation, data subjects are entitled to have inaccurate personal data rectified and incomplete data completed. Data controllers must respond within one month, extendable by a further two months where requests are complex or numerous.
Elsewhere: Most other G20 countries have legislation that allows data subjects to request their personal data and request corrections. Of particular interest, in the United States, the Children's Online Privacy Protection Act allows parents to view personal data collected by a website about a child and to correct or delete it. In the Canadian province of Quebec, data controllers cannot charge a fee for such requests.
Data controllers could make it difficult for people to request their data.
Companies may not keep track of whom data has been shared with, and so cannot propagate corrections to copies already disclosed.
People can access a history of who has viewed data held about them, so they can understand what is happening to their data and spot fraud and misuse.
United States: Under the Health Insurance Portability and Accountability Act, “patients can request an account of the manner their private health information has been used”.
Credit report services show when lenders have accessed an individual’s credit report.
Create a central database of known software vulnerabilities. This will allow consumers to know which products and services are affected, and help developers fix vulnerable code. Software security research firms typically publish their findings publicly, and each published vulnerability is tagged with a unique identifier so that the same issue can be tracked consistently across advisories and databases.
There may be inconsistency between software vulnerability databases operated by different organisations.
Government-owned vulnerability databases may be biased in the security interests of that state.
The data in these databases is technical in nature and not readily accessible to the average consumer.
Government and technical organisations should recommend best practices to developers to ensure safety, particularly in environments where software controls physical systems. Existing guidelines are biased towards aerospace and nuclear engineering, but there will be a need for consumer advocacy here as self-driving cars near readiness for everyday use.
Services automatically compensate consumers if the performance of a service is below the expected level. This gives consumers value for money and eases the process of getting compensation.
Broadband speed is mapped throughout the country and released as open data. This is either done centrally or crowd-sourced from consumers. This allows policy makers and consumers to understand the quality of provision.
United Kingdom: The telecommunications regulator, Ofcom, releases open data around broadband connection speeds.
United States: The Federal Communications Commission release a yearly report called “Measuring Broadband America” that includes speed samples separated by geographical location.
Australia: The Broadband Availability and Quality Project have mapped broadband speed and technology capability across Australia, assigning A to E ratings on a neighbourhood level.
Canada: The CRTC has mapped where broadband Internet services are available and the technologies used to provide those services.
Measurements must be taken over a defined period so that an average broadband speed can be calculated that more accurately reflects the quality of broadband in an area, rather than a single point-in-time sample.
Data should be released with enough geographical resolution to make it useful. Street-level broadband speeds are more useful than regional broadband speeds.
Gigabit-speed broadband connections offer up to 1 Gbps (1000 Mbps) of download speed and can theoretically download a 90 minute high definition film in around 30 seconds.
Crowd-sourcing is a method of data collection where people independently contribute to a larger data set.
Provide a service where scams can be reported to reduce the effort required for consumers to get redress.
Nations including the United Kingdom, Australia, United States and India operate websites where consumers can report scams. These are operated either by the national police, a regulator or a government department.
International Consumer Protection and Enforcement Network operate a website for reporting international scams.
Some consumers may not be aware that these services exist.
Phishing websites could pose as official scam reporting services.
Software vulnerabilities are included in product recall notices and product recall notices are maintained and made available as open data, so that consumers are aware when they own an unsafe digital product.
European Union: The European Commission operate a database of product recalls. It allows people to subscribe to weekly product notifications.
OECD: Global Recalls collates data about product recalls from OECD member states. This information is available in English and French.
In 2016, the car manufacturer Tesla pushed an over-the-air update to its Autopilot system following a fatal crash in which the system was engaged.
The changing nature of consumer products like cars means that the physical return of a product can be avoided by pushing a software fix straight to the device. A report suggests that by 2022, 230 million vehicles could have this functionality.
A faster software update cycle could increase the risk that bugs go undetected before release.
Recall notices are a lost opportunity if they do not also feed back into shorter reporting and fix cycles between consumers, regulators and manufacturers.
Data controllers are compelled to publicly report data breaches so that the public know it has occurred and can take action where possible and to incentivise data controllers to maintain secure data handling practices.
European Union: Under Article 33 of the General Data Protection Regulation, data controllers are required to notify the supervisory authority of a personal data breach "not later than 72 hours" after having become aware of it. Under Article 34, affected data subjects must also be notified without undue delay where the breach is likely to result in a high risk to their rights and freedoms.
Mexico: Under the Federal Personal Data Law, the data controller must immediately inform the data subject if a breach or violation of the data controller's security measures has occurred that could affect the moral or economic rights of the data subject.
South Korea: Under the Personal Information Protection Act, the data controller must provide individual breach notices to data subjects and file a personal information leakage report to the Ministry of Government Administration and Home Affairs and Korea Internet Security Agency.
Turkey: Under the Data Protection Law, data breaches must be disclosed to the Data Protection Authority and data subjects.
United States: 47 States and the District of Columbia have enacted state-level security breach notification laws. There is no general breach notification law at Federal level, although sector-specific rules such as the HIPAA Breach Notification Rule apply to health data.
A lack of understanding around data breaches may cause consumer panic when people receive notifications.
Notifications on their own may not suffice; they may need to be combined with other measures, such as guidance on what affected people should do next.