#25 What (or who) is age verification really going to be effective for?
We have questions...
Ever larger groups are falling victim to the “move fast and break things” mantra championed by Chad Zuckerberg and his sycophant bros.
This week, two perspectives on porn caught my attention:
The first one offers little in the way of novelty. It begins—using iconic examples—by discussing what censorship can do for human creativity, but soon arrives at its destination and points to those who have always used the same tactics to restrict rights.
Initiatives on both sides of the Atlantic to limit access to porn websites carry a rights-restricting component that cannot be ignored.
And let this not be understood in any way as a defense or praise of a repugnant industry that has always preyed on the most vulnerable. In fact, let’s move on to the second headline.
The second is the trivialization of minors using sexual deepfake apps—obviously non-consensual.
No one. I repeat: NO ONE is going to escape this, at the pace this is going.
“Although kids understand that generating non-consensual content with AI is wrong, they assume it's legal, believing that if it were truly illegal, there wouldn't be an app for it. (…) This normalization is partly due to the fact that many 'nudification' apps are available in Google and Apple app stores, and their ability to generate non-consensual AI nudes is openly advertised to students on Google and on social media platforms like Instagram and TikTok.”
We also shouldn’t forget that this trivialization of fake content consumption may partly stem from their habitual use of their favorite video game characters in websites of this kind. Massive amounts of fake content featuring Fortnite, Minecraft, or Overwatch characters—content which these websites proudly showcase through statistics (conveniently omitting data on minors, of course).
Nor should we ignore how the major platforms are doing everything they can to avoid complying with the DSA. That percentage of users they’d lose with the serious verification systems being demanded represents a significant chunk of traffic and profit. That’s why the European Commission is threatening investigations to get the big players to start complying.
There are plagues embedded in human nature. That’s why the key, friends, lies in education (for minors and for the adults who greenlight certain vile projects). Not in prohibition.
You are reading ZERO PARTY DATA. The newsletter on current affairs, technopolies, and law by Jorge García Herrero and Darío López Rincón.
In the few spare moments this newsletter leaves us, we enjoy solving complex issues related to personal data protection. If you’ve got one of those, give us a little wave. Or contact us by email at jgh(at)jorgegarciaherrero.com.
🗞️News from the DataWorld 🌍
.- Telefónica (Movistar division) is once again under the shadow of a data security breach affecting approximately 22 million customer records. As is often the case in these situations, there's only a basic news report and a “we are investigating” statement (though it has since been confirmed).
In this particular instance, two things stand out: the leaked sample provided by the attacker appears to involve customers from Peru, and the ransom demanded is only $1,500 to avoid publishing the rest. Quite surprising for one of the most recognizable Spanish companies, both inside and outside the country. Maybe there was a mix-up in the Peruvian sol-to-dollar conversion.
Sending a warm hug to the DPO office, which now has just hours to run, draft, and likely notify across multiple jurisdictions.
.- Sounds familiar: Vodafone’s German subsidiary is hit with a €45 million fine. The federal authority (BfDI) has issued two penalties: €15 million for violating Article 28 regarding providers/“associated agencies” involved in customer acquisition, and €30 million for violating Article 32 due to a lack of security in the authentication process for customers using the contracted services management system (MeinVodafone). This security failure allowed potential scammers to illegally register existing customers’ eSim cards, thus compromising phone numbers and SMS authentication.
While we wait for the official resolution to be published, this other article gives a clearer account of what happened.
.- If you're going to copy, copy from the best: following Microsoft’s Recall AI example, North Korea has decided to implement this charming (and, let’s be honest, useful) functionality on all mobile phones—mandatorily. With each passing day, Black Mirror seems more and more naive.
.- In the UK, there are growing calls to improve regulations and safeguards around real-time facial recognition by the police. It appears things are getting out of hand, although the ICO had previously stepped in to halt the King’s Cross case project (back in 2019) still echo.
.- Four of this year’s Pulitzer Prize winners made spectacular use of AI in their work. Take a look.
.- What Manuel Kistner says is striking—and we’ve covered it from different angles at Zero Party Data: “OpenAI—and the others—lose money with every one of your prompts.” So maybe, when investors tire of subsidizing your Ghibli-style selfies and we’ve forgotten how to think and reason, Sam Altman will show up with his new, enticing price tiers.
.- In Wired: a roundup of services that put privacy first. Note: it’s an article aimed at a U.S. audience, with zero local (non-American) suggestions.
.- Uber for nursing in the U.S.: A gig economy “deal” for nurses. “You’re hired exclusively through an app. You have to accept a job to know how much you’ll be paid. The amount—and this is key—depends on how much debt you have: the more indebted you are, the more you need it, and the lower the salary you’ll accept.”
💀Death by Meme🤣
📄High density docs for data junkies☕️
.- Updates on the concept of data controller: in its tightrope-like judgment C‑638/23, the CJEU ruled that:
(i) The GDPR does not require an entity to have legal personality in order to be considered a data controller.
(ii) An entity designated as responsible under national law is a data controller by that designation alone, without needing to independently determine the purposes and means of the processing to be obligated to respond to data subject requests.
(iii) Data subjects may direct their requests to that entity or to any other related entity if they believe it influences the determination of purposes and means of processing. This last point contradicts the position of the European Data Protection Board.
Salsa!!
.- "Updating purpose limitation for AI: a normative approach from law and philosophy” is a paper by Rainer Mühlhoff and Hannah Ruschemeier that aims to introduce the “principle of purpose limitation in the training and downstream use of AI models.”
🤖Robot.txt or the AI staff
.- In the AEPD’s new web section about legal criteria (a recently announced and very welcome idea aimed at regularly reminding us of relevant legal interpretations from their rulings), they revisit the well-known case involving the UIV (International University of Valencia) and its use of facial recognition and real-time monitoring with two cameras to prevent “fraud and impersonation in online exams” (the notorious “proctoring”). It takes us back to the tumultuous COVID era, when nearly everything was deemed “essential public interest,” and which led to several rulings:
That 2020 report, which followed the CRUE's own report and guide.
The “warning resolution” to UNIR (International University of La Rioja), urging them to implement corrective measures to avoid violating the GDPR. It included a reminder that convenience is not the same as necessity in the legal sense.
The resolution that approved UNIR’s system (through dismissal of the complaint) after changes were made and it was confirmed that no biometric data, special categories, or installations on the student's device were involved.
Now, with the current case, it’s yet another reminder that consent without an alternative is worthless, that forced acceptance of terms doesn’t count, that there’s no law justifying such public interest per se, and that AI must also be taken into account. The second camera, which was used to monitor the student’s surroundings to ensure no unauthorized people or objects were present, included some AI functionality—hence its relevance to this section.
We’d include a direct link to the UIV resolution, but we haven’t been able to locate it. That may be the reason why the AEPD didn’t provide one either (aside from the fact that their search tool is… special).
📄Paper(s) of the week
.- The paper of the week is this: The Right to Explanation in the AI Act. Margot Kaminski and Gianclaudio Malgieri have published a phenomenal analysis of the "Right to Explanation" in the AIA. They dive into such minor matters as the relationship between Article 86 of the AIA and Article 22 of the GDPR, whether explanations should be provided proactively or only upon request, and what exactly constitutes a clear and meaningful explanation. The paper explores the different scopes of application and the interplay between the two provisions, all in light of the recent CJEU ruling in Dun & Bradstreet (C-203/22).
.- Analysis of AI Act in the workplace by Chiara Cristofolini focuses on AI tools used by employers for evaluation, testing, and monitoring, as well as the gaps (for some) or helpful exceptions (for others) in the AIA on these issues. We found it via Rosalia Anna D’Agostino.
🧷 Useful tools 🔧
.- Five things you can do with that USB port on your router.
🙄 Da-Tadum-bass
The CIA was caught running a Star Wars-themed front website to communicate with informants. It’s a wild story—not so much because of the front itself, but because it seems like the agency barely put any effort into it. Before the researcher who uncovered it went public, it appears Iran and China had already exploited it for their own counterintelligence operations. While others scramble to legitimize data transfers or tiptoe around the “national security” mantra, states continue playing their double standards game.
Link to the researcher’s explanatory post.
If you think someone might like—or even find this newsletter useful—feel free to forward it.
If you miss any document, comment, or bit of nonsense that clearly should have been included in this week’s Zero Party Data, write to us or leave a comment and we’ll consider it for the next edition.