38 comments

[ 83.4 ms ] story [ 366 ms ] thread
I hope this is broad enough to include the three major credit bureaus and their ilk.
It calls out AI / ML specifically.

Guess our regression models will have to go back to being "statistics". Shame, it felt so much cooler to call them "Machine Learning".

"such as", it's any automated decision making process which includes regression down to a nested tree of if statements
Just thinking out loud: Do people following a checklist count as an automated decision making process?
Legally? I imagine if the checklist was specific and precise enough, and if the people following it were prevented from deviating or circumventing it in any way, or otherwise exercise their own agency, then I think you'd have a chance arguing in court that this process is effectively automated.
I doubt it. A human should be able to tell whether they are breaking the law or doing something that is dangerous and, thus, stop. If a human moved forward with something they should have known was dangerous or illegal, it would be grounds for negligence or worse.
> A human should be able to tell whether they are breaking the law or doing something that is dangerous and, thus, stop.

Yes, but:

- When determining whether or not a process is automated is legally important, it's usually because it is fine (legally) if done by humans - it's doing it automatically, at scale, that is the issues.

- White-collar workers generally don't do things that are obviously dangerous. They're crunching numbers and typing data into forms, and their input is usually a small component of any danger materializing.

The way I see it, the difference here is whether a human worker is able to override their checklist in cases where the action is neither illegal nor dangerous, but they realize it's obviously wrong or unfair.

"Automation" by definition involves the elimination or reduction of human labor, so I don't see how.
I would say in most cases yea, that's all that decision trees are at the end of the day
I got the joke, even if others didn't.
This was a bill in the last (117th) congress, which is now over. Presumably it wasn't passed, since the only action under "Actions" is "Introduced in Senate" on 4/29/2021.

Is this a thing still? Is someone trying to reintroduce it in the new congress?

ps — FYI unpassed bills in the US Congress die at the end of each Congress and must be reintroduced and go through the entire passage process anew to become law in a subsequent congress.

Cynically, we also need to ask if this is merely a feel good bill that was introduced knowing full-well the Senate was never going to pass it, much less deliberate on it.
I think every bill that doesn't get passed is like that, because most of the deliberation goes on in committees. If you look at the history of how the constitution came to exist you'd find out that it has worked like that since before Congress in its present form existed.

I wouldn't be cynical about it though, because advertising a bill to an audience of legislators (and to the public through things like posting a link to it on HN) puts the ideas in people's heads and has an unquantifiable effect on making it happen in the future.

(comment deleted)
(comment deleted)
Most bills are introduced to Congress with little expectation they will pass.

The “cosponsors” tab is illuminating. Bills on track for actual consideration by a committee (the first real step) will typically have several to many cosponsors. Bills that aren’t—like this one—typically have few to zero.

> Most bills are introduced to Congress with little expectation they will pass

This is in part a trial balloon. If a draft is floated and canned, and nobody hears either way about it, that says something. If a vocal minority flips out, on the other hand, that makes it a priority: you've found new group to engage.

>the Senate was never going to pass it, much less deliberate on it.

Deliberation is the easier first step, actually passing it is harder and comes later. I think the correct use of the idiom here would be "the Senate was never going to deliberate on it, much less pass it".

I noticed, on another bill, that congress.gov was slow in updating a bill. There was more up-to-date information on Twitter.

Edit: Unfortunately, I can't find my old comment on the thread that shows which bill and the specific tweet that was better than the official site.

Maybe, but the 117th Congress is over. If this is reintroduced it would be a new bill with a new number.
Based on the summary: The bottom line sounds interesting/valuable, to increase penalties and make it clear noneconomic impacts are important for things like privacy violations. The rest of the summary sounds like it's largely bull. Assessments and periodic reporting don't do much, anyone can spin their data the right way if they want to.
While I would love for something like this to move forward, I think the focus in this bill takes a weird turn. E.g. the definition for "High-Risk Information System" includes as one its 4 criteria:

> involves the personal information of a significant number of consumers regarding race, color, national origin, political opinions, religion, trade union membership, genetic data, biometric data, health, gender, gender identity, sexuality, sexual orientation, criminal convictions, or arrests;

Systems that allow for discrimination against protected classes are certainly high risk, but I think most of us are more concerned by the identify theft risk online, and more likely to be discriminated against in person.

But the bill does _not_ anywhere mention addresses, social security numbers, banking information, etc. Maybe those things would reasonably be included under one of the other criteria:

> taking into account the novelty of the technology used and the nature, scope, context, and purpose of the information system, poses a significant risk to the privacy or security of personal information of consumers;

Separately they define Personal Information as:

> The term “personal information” means any information, regardless of how the information is collected, inferred, or obtained that is reasonably linkable to a specific consumer or consumer device.

That seems like a reasonable definition, but I think an "including but not limited to" list would have been helpful.

> most of us are more concerned by the identify theft

To give a single datapoint, I am much more concerned about automated discrimination than identity theft. (I do agree with you though that the bill ought to cover more information).

> addresses

Until recently, everyone's address were printed in a big book that was sent to every household for free. I lived for years in a country where the government published everyone's address online and never experienced or heard about any issues.

> banking information

Many jurisdictions required banks to (eventually) make whole anyone impacted by theft of banking information.

Don't get me wrong: I wish I had more privacy around my "identity/administrative" data. But we understand pretty well the risks involved there and have some legal mitigations in place.

I think we're just seeing the tip of the automated discrimination iceberg. This data props up almost all of the marketing industry these days, and is spreading faster than laws can be made or than people can comprehend what's occurring.

> Until recently, everyone's address were printed in a big book that was sent to every household for free. I lived for years in a country where the government published everyone's address online and never experienced or heard about any issues.

Back in those days you had to turn up in person to do things like open a bank account, pay a cheque into your bank account, draw money from a bank account, etc. You probably used the same bank (my first bank account only allowed me to draw money from a specific branch, during work hours, and only up to a set limit each month). The bank staff probably knew who you were on sight.

I'm not saying your address should be secret - I agree with you that this is probably OK. I'm saying the attack surface for identity theft is so much larger now that we should probably be more careful than we were.

The problem is that we allow information to be a proxy for turning up in person. Information that is either public record, or very likley to be available in one of the many known or unknown data breaches that occur regularly.

Knowing my mother's maiden name, the history of addresses I've lived at, any of my various ID numbers, account numbers, etc. should not be sufficient to prove identity.

Yeah this is inconvenient for many things but the reality today is that all of this "identifying" information is (or should be) considered public. Stop accepting this, and most of the problems with data breaches and leaks go away.

> Knowing my mother's maiden name, the history of addresses I've lived at, any of my various ID numbers, account numbers, etc. should not be sufficient to prove identity.

What should be, then?

I'd like to see a compartmentalized ID that doesn't have all the information there in one easily human-readable (or scannable) form. For instance, a bar only really needs to know if you're of legal drinking age. They shouldn't be able to get your exact date of birth, your address, a copy of your photo, etc.

It's not an easy answer; I'm not sure I have an answer. I'd say for now, a government photo ID and supporting paper documentation. Not foolproof, and there is a chicken/egg problem there, but at the same time it's much harder to exploit remotely, and its much harder to exploit at any kind of scale.
Agree with “I am much more concerned with automated discrimination than identity theft.”

Bias in automated systems leading to discrimination on basis of a protected class is very dangerous in the hands of government. Given that governments can take your freedom and your life (in some jurisdictions).

As stated we are at the tip Of the iceberg e.g: - https://www.theverge.com/2021/4/13/22382398/robert-williams-...

- https://www.nytimes.com/2022/08/21/technology/google-surveil...

Personally identifiable information (PII) is widely used in regulatory law across industries to include SSN, DoB, bank account numbers, home address, etc... so I don't think that's an issue. They typically don't get so so specific to allow the regulators to use their reasonable judgement
The bill with a catchy name doesn't appear to apply to the government itself.
True, it doesn't seem likely to apply to the government itself.

I'm not a lawyer, but my interpretation is that it may apply to credit bureaus and data brokers. As well, for better or worse, pretty directly affect FinTech.

But I digress, the implications of this bill could result in more unknown unknowns than I realize.

Let me describe the ways bills die:

1. They don't get voted out of committee. That's the case with this bill.

2. All bills die at the end of each session. This bill was from 2021 so had it been voted out of committee it would've died anyway;

3. After getting out of committee it has to be tabled for a vote for the full body (House or Senate). In the House the Speaker sets the agenda. In the Senate, it needs to be brought to the floor but ther ehas to be a vote to end debate and vote on the bill. Current Senate rules require 60 (of 100) votes to end debate. The filibuster allows pretty much any Senator to say they'll filibuster and that's that (unless you can get 60 votes). Note: these rules aren't laid out by the Constintution or anything. They're all just completely made up;

4. If a bill is somehow sponsored, assigned to committee, voted out of committee, brought to the floor, debate is ended and the bill is voted on and passed then it must pass the other chamber. That other chamber gets to amend it however they like. A chamber can spike a bill by adding amendments that those who otherwise might vote for the bill can't politically support;

5. If the bill miraculously passes the other chamber it'll probably be different than the original. A conference from both chambers come together to resolve the differences. They'll agree on a bill that'll go to a straight up or down vote in both chambers (ie no amendments).

6. Should that happen and it passes both chambers it goes to the president. The president can veto it directly. Alternatively, the president can "pocket veto", meaning they just let it expire (in 10 days). Or they can sign it;

7. If it is vetoed including a pocket veto it goes back to Congress who can override that veto with a two-thirds vote. Generally this never happens because if it's obvious it will happen a president would rather sign it.

I poin tthis out to say that a lot of times bills will get introduced that have no chance of ever becoming law. Years ago, whichever party was in the minority would always put forward campaign finance reform bills so they could campaign on the issue but they'd almost never be seen again when that same party got into the majority.

You're going to see a lot of this in the current Congress. The narrowly-controlled House is going to vote on a lot of bills for political reasons that they know are going to die on the Senate floor (ie never come to a vote). And that's why people will vote for it: because it has no chance of becoming law.

You also see this in votes. Any vote will largely be (almost) unanimous for, (almost) unanimous against (these rarely come to a vote but it applies to amendments too), narrowly for or narrowly against. Part of this is the propensity for voting on party lines but that's not all of it.

If a given Senator or Congressmen is vulnerable in a coming election, they may get the silent nod from leadership to vote for or against it when it doesn't change the outcome. So instead of a 58-42 Senator vote, you'll see 51-49 as certain Senators will get political cover to "defect" but it's not really defecting at all.

Introducing a bill is almost never news of consequence.

This is all correct.

One other thing I'd note about this bill: no cosponsors. Cosponsors play no formal role, but cosponsors get to take credit if a bill passes. No cosponsors suggests nobody wants to take credit.

If you can get a cosponsor from the opposite party, it means there's at least some interest on the opposite side. And if you can't even get a cosponsor on your own side, it implies that nobody really cares.

That doesn't mean it's a bad thing to do. It's a statement by that legislator of what they believe in. It's a stake in the ground -- one that somebody could use against you if many of your constituents don't like it.

So it's not hypocritical or valueless. But it helps to know more of the context of the actual legislative process, which is a lot more than you learned on Schoolhouse Rock.

Anyone else recall Russell's "And then there were none"?

https://www.abelard.org/e-f-russell.php

------

‘So it appears,’ said the Ambassador dryly. He turned to Grayder. ‘You’ve been around a lot and seen many new worlds in your time. What do you make of all this twaddle, if anything?’

‘It’s a problem in semantics,’ diagnosed Grayder, who had been compelled by circumstances to study that subject. ‘One comes across it on many worlds that have been long out of touch, though usually it hasn’t developed far enough to become tough and unsolvable. For instance, the first fellow we met on Basileus said, cordially and in what he imagined to be perfect Terran, “Joy you unboot now!” ’

‘Yes? And what did that mean?’

‘Come inside, put on your slippers and be happy. In other words, welcome. It wasn’t difficult to understand, Your Excellency, especially when one expects that sort of thing.’ Grayder cast a thoughtful glance at Harrison and continued, ‘Here, the problem seems to have developed to a greater extreme. The language remains fluent and retains enough surface similarities to conceal underlying changes, but basic meanings have been altered, concepts discarded and new ones substituted, thought-forms re-angled and, of course, there is the inevitable impact of locally created slang.’

‘Such as “myob”, ’ offered the Ambassador. ‘Now there is a queer word without recognizable Earth-root. I don’t like the sarcastic way they use it. They make it sound downright insulting. Obviously it has some kind of connection with these obs they keep throwing around. It means “my obligation” or something like that, but the real significance eludes me.’

‘There is no connection, sir,’ put in Harrison. He hesitated, saw that they were waiting for him to go on. ‘On my way back I met the lady who had directed me to Baines’ place. She asked whether I’d found him and I told her I had. We chatted a short while. I asked her what “myob” meant. She said it was initial-slang.’ He stopped and fidgeted uneasily.

‘Keep going,’ urged the Ambassador. ‘After some of the sulphurous comments I’ve heard emerging from the Blieder-room ventilation-shaft, I can stomach anything. What does it mean?’

‘M-y-o-b,’ informed Harrison, slightly embarrassed. ‘Mind-your-own-business.’

I don't think that sort of story is allowed.
(comment deleted)
I'd like to see the FTC work to stop dynamic pricing that has no defensible reason. I get charging more for a bottle of water at a concert or other sort of high demand/premium markets.

But using an algorithm to increase the price of a flight due to my OS, previous clicks, zipcode, previous CC history (eg do I donate?) etc should be illegal.

Things like YieldStar https://futurism.com/rental-prices-algorithm-yieldstar also are pretty concerning because they create a form of market collusion that should be illegal.