Law, Privacy and Identity Flashcards

1
Q

What is legal certainty?

A

The biggest characteristic of law. It promises certainty about the content of the law (you can find all rules within, e.g., the statute), about its enforcement and that it is applied consistently (similar cases are treated similarly).

2
Q

What is the legal syllogism?

A

It represents the most important form of legal reasoning. It’s an argument with 2 premises (the formulation of a legal rule in the format IF condition THEN legal consequence; and the description of the facts of a case) and 1 conclusion (the legal consequences that result from applying the rule on the facts).

3
Q

What is classification?

A

Translating the concrete case description to the abstract case description that matches the rule conditions.

4
Q

What does it mean to use grammatical interpretation of a rule?

A

It means to match the literal meaning of the words in the rule.

5
Q

What does it mean to use legislative intent interpretation of a rule?

A

To interpret the rule in a way that suits the original intent of the legislator.

6
Q

What does it mean to use purposive interpretation of a rule?

A

The judge tries to determine the purpose of the task and can possibly find the circumstances of the specific case and the interests of the people involved important enough to override parts of the rule.

7
Q

What does it mean to reason by analogy?

A

If there is strictly no rule to apply on a case and it resembles another previous case, the same reasoning/ruling can be applied.

8
Q

What does it mean to distinguish situations?

A

The judge focuses on the differences between cases and applies different rules.

9
Q

What does it mean to broaden a rule?

A

The court treats cases which weren’t obviously similar as similar.

10
Q

What is the “Lex superior” rule?

A

It dictates that in the case of rule conflicts, the hierarchy among lawmakers must be followed. Thus, a law by a higher entity / ruling made by higher court overrides one by a lower entity / court.

11
Q

What is the “Lex specialis” rule?

A

It dictates that in the case of rule conflicts, the more specific rule overrides the more general one.

12
Q

What is private law?

A

It concerns relations between citizens. In it, the government as such doesn’t play a role. It includes property, contract, tort law, etc.

13
Q

What is public law?

A

It concerns the nation as a whole or a class of individuals. In it the government as such plays a role. It includes criminal, constitutional, administrative law, etc.

14
Q

What is procedural law?

A

It consists of rules for court proceedings, the organization of the judiciary, etc. There are branches of procedural law for each of the major branches of substantive law.

15
Q

What are human (=fundamental) rights?

A

They are rights that every person has by virtue of existing. They aim to secure for that person certain benefits or freedoms that are of fundamental importance to any human being.

16
Q

What is substantive law?

A

It consists of rules that give people rights or determine what people should do.

17
Q

What critiques are there for human rights?

A

They are suboptimal since they infringe the rights of individuals.
They are undemocratic since courts are authorized to ignore/invalidate democratically made legislation because it infringes individual rights.
They are parochial, not universal: it’s unfair to impose normative expectations on non-western countries with different history and traditions.

18
Q

What are negative (=liberty) rights?

A

They demand that the state refrain from doing something (inaction). E.g. no censorship.

19
Q

What are positive (=welfare) rights?

A

They demand that the state does something (action). E.g. promote pluralism in the media.

20
Q

What are the (informal) 6 categories of human rights?

A
  • Rights to the integrity of the person
  • Freedom rights
  • Political rights
  • Welfare rights
  • Equality and non-discrimination rights
  • Fair trial and administration of justice
21
Q

What are the 3 stages in court proceedings in ECHR?

A
  1. Admissibility: the court has to decide whether the claim satisfies formal requirements for being considered by the court.
  2. Merits of the case: did the state comply with the requirements for limiting a right? Was there legitimate aim, was it proportional?
  3. Remedy: if the court finds that a right was violated, compensation is given.
22
Q

What are EU regulations, how are they applied?

A

They are binding legislative acts which are immediately applicable in all member states and overrule national laws.

23
Q

What are EU directives and how are they applied?

A

They are legislative acts setting objectives that all member states must reach and translate into their national legislation within a defined time frame - so the implementation is up to the member to a certain degree.

24
Q

What is the GDPR and what is its goal?

A

The General Data Protection Regulation is a regulation (so it applies directly to the whole EU) which sets data security laws. While its focus is on protection of personal data, its aim is also fair treatment and protection of human rights.

25
Q

What is data processing?

A

Almost anything that can be done with personal data falls within the definition of processing, automated or not.

26
Q

Advantages and disadvantages to how general the GDPR is?

A

It applies to private and public sector as soon as personal data is processed - it’s good that it has such a broad application. There is no need for a new law whenever some new technology is produced.
However, the rules are quite abstract and up to interpretation or further clarification by data users, which isn’t always ideal.

27
Q

What are the weak points of the GDPR?

A
  1. Compliance is lacking and there’s enforcement deficit (as not much money is poured into this).
  2. It only applies to personal data, so data that doesn’t immediately reference people (e.g. “people living in area with postal code X”) is still being used and sold.
  3. Explaining AI decisions is very hard, sometimes impossible.
28
Q

What is the EDPB?

A

The European Data Protection Board has members from all national DPAs from all states. It helps for harmonized application of the GDPR and provides explanations of it when needed, as well as guidelines (=soft laws, not traditional sources of law) on how to apply it.

29
Q

What is the EDPS?

A

The European Data Protection Supervisor has the main role to ensure compliance when EU institutions process personal data and give input when the European Commission is adopting new legislation.

30
Q

What is DPA?

A

Data Protection Authorities enforce the application of the GDPR on a state level. Each state has its own DPA (except Germany where there are multiple).

31
Q

What laws are there to fight AI-related discrimination?

A
  1. Non-discrimination laws. They easily ban direct discrimination, but indirect one is more tricky so the ban is more nuanced and vague.
  2. Data privacy laws. GDPR has specific revision with rules on automated decision-making. People also have the right to explanation (the organization must provide meaningful explanation on the logic involved in automatic decision making) but it has loopholes.
32
Q

What does it mean to identify?

A

Matching a person against a list / dataset of stored individuals. Can be done based on identifying numbers, biometry, pseudonyms, attributes, anonymously (using one-time-use numbers, for example).

33
Q

What is authentication?

A

Proving who you are, based on something you have, something you know or something you are.

34
Q

What is verification?

A

Matching a person against 1 particular stored template (information about individual).

35
Q

What is identity management, what are its aspects?

A

Organizing access of humans to computer systems. It includes identification, authentication, authorization, personalization, provisioning.

36
Q

What are the pros and cons to identity management?

A

It has centralization of control, it is easy to use for the users, it reduces costs and has structured roles within the organization.
However, there’s possible reliability reduction (since there’s a single point of failure) and linking of activities (which harms privacy).

37
Q

What is an identity?

A

The set of all attributes that hold for a person at a particular time.

38
Q

What are attributes?

A

Properties of people with some level of stability (name, address, nationality, etc.) which can be identifying or not.

39
Q

What is reputation?

A

A set of opinions about a person based on their past actions. Digitally, it’s in the form of score / rating which is used to formalize trust in the sharing economy and on platforms.

40
Q

What is zero-knowledge proof?

A

Proving knowledge of something without revealing it, so that no one (and the verifier in particular) overhears it, sees it, etc. It is a complete and sound proof.

41
Q

Who are the players in an attribute-based identity management?

A
  1. User: the individual who collects attributes locally and discloses them secretively.
  2. Issuer: a trusted party that issues attributes to the user.
  3. Verifier: an organization that accepts attributes from users as part of its authorization process for transactions.
42
Q

List the requirements for attribute-based identity management.

A
  1. Non-transferability of attributes: other people shouldn’t be able to use my attribute.
  2. Issuer-unlinkability: the issuer shouldn’t be able to track where I use which attribute.
  3. Multi-show unlinkability: service providers shouldn’t be able to connect usage at different providers.
  4. Revocation: outdated attributes should be blockable.
43
Q

Challenges in attribute-based identity management?

A
  1. How to prevent over-asking by verifiers?
  2. Are assurance levels and data minimization linked?
  3. If GDPR requires privacy by design does that allow only for decentralized architectures?
  4. Should the digital identity be based on non-profit basis?
  5. Should the identity management be open source?
44
Q

What are the 3 power organizations in NL?

A
  1. Police (which has internal monopoly on the use of force).
  2. Army (which has external monopoly on the use of force).
  3. Intelligence (which investigates and collects information).
45
Q

What are the tasks of the police? (in NL)

A
  1. Enforcing the law (under supervision of the state)
  2. Maintaining public order and safety (under supervision of the local government)
  3. Special powers: physical coercion can be used to arrest; investigative powers
46
Q

What are the tasks of the army? (in NL)

A
  1. Territorial defense (national and of allies)
  2. Maintaining international order and stability (via UN peace keeping missions)
  3. Assisting public authorities in emergency situations (pandemic, flood, etc)
  4. Assisting the police when needed (and in those cases the army is subordinate to the police)
47
Q

What are the tasks of intelligence services? (in NL)

A
  1. Protecting democratic order and national security
  2. International investigations to learn hidden political agendas based on national priorities
  3. Espionage (spying) to protect democracy from foreign threats
48
Q

What is the relation between intelligence services and IT?

A

Intelligence services are basically IT organizations:

  1. They process huge amounts of information
  2. The work involves analysis of info like advanced search, classification based on machine learning, etc.
  3. Use hacking, planting bugs, decryption, etc. to acquire information
49
Q

What are the key oversight concepts? (for Intelligence services)

A
  1. Necessity: only act if action is needed
  2. Proportionality: the means must be in relation to the goals
  3. Subsidiarity: there should be no lighter means available
  4. Discrimination: the means must be well-targeted
50
Q

Who carries out intelligence oversight?

A

Independent institutions (TIB checks if minister’s organizations are justified prior mission, and STIVD gets access to all data, public reports, complaints post/during mission) and the parliament.

51
Q

Why use hacking in intelligence services?

A

Human intelligence is slow, risky and not too reliable. Hacking can be done remotely, under the radar, without much risk. It yields more reliable information and a position can be re-exploited. However, there are some oversight challenges like unknown vulnerabilities, use of commercial tools, unpredictability of how much will be found.

52
Q

What is the standard procedure when applying the GDPR on a specific case for data processing?

A
  1. Check if the GDPR can be applied at all (i.e. is this about personal data? are the people/companies involved in EU, etc) (in articles 1-3)
  2. See what kind of processing of data is allowed (basis for processing, article 6) and whether the case abides by that
  3. See whether they are processing the data in the proper way (article 5)
    (Optionally, might want to take a look at whether sensitive data is used - article 9; whether it’s automatic - articles 21-22, whether there’s a leak, etc. - articles 32-35)