Difference between revisions of "Algorithmic Audits"

From SI410
Jump to: navigation, search
m (Scraping Audit)
(Reworded sock puppet audit section and added links)
Line 39: Line 39:
  
 
=== Sock Puppet Audit <ref name="sandvig"/>===
 
=== Sock Puppet Audit <ref name="sandvig"/>===
[[File: Sock Puppet Audit.png|thumbnail|Sock Puppet Audit visual from Sandvig, Christian, et al. "Auditing algorithms: Research methods for detecting discrimination on internet platforms." pg 13]]
+
[[File: Sock Puppet Audit.png|thumbnail|Sock Puppet Audit visual from Sandvig, Christian, et al. "Auditing algorithms: Research methods for detecting discrimination on internet platforms." pg 13]  
Sock puppet audits essentially use computer programs to impersonate users by creating false accounts. This method effectively investigates sensitive topics in difficult-to-access domains, and sock puppets can investigate features of systems that are not public and penetrate groups that are difficult to pinpoint and acknowledge. A large number of sock puppets are required to derive significant findings from the audit. However, this method is still susceptible to CFAA violations requiring the audit's purpose to be strictly for research.  
+
A sock puppet audit uses computer programs to impersonate users by creating false accounts. This method effectively investigates sensitive topics in difficult-to-access [https://en.wikipedia.org/wiki/Network_domain domains], and sock puppets can investigate features of systems that are not public and penetrate groups that are difficult to pinpoint and acknowledge. A large number of sock puppets are required to derive significant findings from the audit. This method is still susceptible to CFAA violations, presenting danger to the researchers conducting the study.
  
 
=== Collaborative or Crowdsourced Audit <ref name="sandvig"/>===
 
=== Collaborative or Crowdsourced Audit <ref name="sandvig"/>===

Revision as of 15:55, 8 April 2021

Currently Being Edited


visual of digital law on computer screen, image sourced from Google

Algorithmic Auditing is a research design that has shown promise in diagnosing the unwanted consequences of algorithmic systems. [1]

Visualization of Algorithmic Audit, Image sourced from Google

The internet runs on algorithms that a majority of people don't understand, meaning it can function relatively unchecked and leaving people with the impression that these algorithms are neutral (unbiased)[2]. A study conducted by the PEW research center in February of 2021 showed that 85% of adults in the U.S utilize the internet daily [3].

This statistic represents billions of people worldwide and emphasizes algorithms' persistence in our daily lives, despite a lack of general understanding. By looking at online platforms as a single entity and analyzing the results they're producing, more can be learned about algorithms and the way they affect society[4].

Background

The rapid advancement observed in the tech industry has revolutionized the way humans work, interact, and communicate. A diverse array of features are integrated into smart applications for maximum availability. At the core of all these real-time digital services lie algorithms which provide essential functions like sorting, segmentation, personalized recommendations, and information management[5].

In the last decade, researchers have identified numerous ethical breaches in online platforms and published their findings. Countries worldwide have rolled out their regulations and laws to keep the Internet safe for their citizens. However, the these efforts do little to limit the international liberties afforded online, including access, anonymity, and privacy. Because technology and algorithms are heavily integrated into humanity, ethical issues arise when algorithms are opaque to public scrutiny. Since the 2000s, the regulation of algorithms has become a concern to governments worldwide due to data and privacy implications, though legislation has made progress in essential areas[6].

Higher education computer science and other similar programs have seen an increase in undergraduate and graduate enrollment, proportional to the tech industry's growth[7]. Awareness about algorithms and digital platforms' infrastructure enables the public to identify ethical breaches in these systems' functionality. This awareness has sparked activism for ethics in technology. For example, Joy Buolamwini identifying the bias in facial recognition technologies or SABRE leveraging their recommendation algorithm to place airlines who paid, higher on the recommendation than their competitors[8].

Types of Audits

Code Audit[9]

Visual of code audit from Sandvig, Christian, et al. "Auditing algorithms: Research methods for detecting discrimination on internet platforms." pg 9

A code audit is based on the concept of Algorithm Transparency, where researchers acquire a copy of the algorithm and vet it for unethical behavior. This is uncommon because software is considered valuable intellectual property, and companies are reluctant to release the code, even to researchers.

An issue with this method is that public interest in software can be malicious. On many platforms, the algorithm designers constantly battle those who try to take advantage of the software, so releasing code for review may cause more harm than good.

Noninvasive User Audit [9]

Visualization of code audit from Sandvig, Christian, et al. "Auditing algorithms: Research methods for detecting discrimination on internet platforms." pg 11

A noninvasive user audit involves researchers requesting assorted input and output data from end users in order to analyze the workings of an algorithm. This form of audit carries the benefit of not interacting with a platform itself, ensuring that the researcher is not accused of tampering. The most challenging aspect of a user audit is generating a truly random and representative sample, making it difficult to identify causality.

Scraping Audit [9]

Scraping audit visual from Sandvig, Christian, et al. "Auditing algorithms: Research methods for detecting discrimination on internet platforms." pg 12

A scraping audit involves researchers issuing repeated queries to a platform, then observing the results, employing programs that utilize API data mining and webpage scraping. This is an effective method to gather a large quantity of data to be analyzed, however this audit still encounters the issue of securing a random sample.

Another difficulty with this method is the likelihood of being prosecuted under the Computer Fraud and Abuse Act (CFAA), a law which has been criticized as being too vague, as it criminalizes any unauthorized access to a computer. Consent is difficult to obtain from a platform operator in order to perform a scraping audit.

Similaryly, a Terms of Service document on a Website may not have the force of law but some scholarly institutions pose that Internet researchers must not violate the Terms of Internet platforms, making the results from this form of research difficult to publish without proper permissions.

Sock Puppet Audit [9]

[[File: Sock Puppet Audit.png|thumbnail|Sock Puppet Audit visual from Sandvig, Christian, et al. "Auditing algorithms: Research methods for detecting discrimination on internet platforms." pg 13] A sock puppet audit uses computer programs to impersonate users by creating false accounts. This method effectively investigates sensitive topics in difficult-to-access domains, and sock puppets can investigate features of systems that are not public and penetrate groups that are difficult to pinpoint and acknowledge. A large number of sock puppets are required to derive significant findings from the audit. This method is still susceptible to CFAA violations, presenting danger to the researchers conducting the study.

Collaborative or Crowdsourced Audit [9]

Collaborative or Crowdsourced Audit visual from Sandvig, Christian, et al. "Auditing algorithms: Research methods for detecting discrimination on internet platforms." pg 15

A sock puppet audit and a crowdsourced audit only differ in one respect: in the latter design, the tester is a human. While it seems absurd that it would be illegal to use a computer program to act as a user yet legal to hire a person to act like a computer program, indeed this appears to be the case. The CFAA restrictions on unauthorized use are unlikely to be triggered by a genuine human user interacting with an online platform, especially a platform that accepts new user accounts from anyone on the Internet. A great deal of effort goes into preventing automated use of free Internet platforms by malicious bots and computer programs, and these are expressly prohibited in the Terms of Service given by platform providers. Yet an actual human being who is paid to do something with an Internet platform is unlikely to trigger any of these prohibitions.

An example of this is Amazon's Mechanical Turk which allows a large enough testers group to produce significant results through semi-automated crowdsourcing. The only setback is this audit requires a large budget to pay the participants.

Legislation

Image of CFAA text, sourced from Google

Since the internet became a public commodity, the value of information has increased significantly. The US justice system has seen numerous cases involving digital privacy, ownership, plagiarism, hacking, fraud, and more. In response, laws have developed to categorize and respond to common disputes.[10]

Display of Information[11]

In 1984 USCAB declared that the airline sorting algorithm created by SABRE must be known to participating airlines under the Display of Information in the Code of Federal Regulations. This regulatory provision resulted from a bias identified by airlines using SABRE's software, which involved "screen science." and recommending airlines based on privatized criteria and capital incentives. The airlines noticed that American Airlines received prioritization in SABRE's algorithms search results, which led to an investigation by the USCAB and DOJ.

The Communications Decency Act[12]

Section 230 of the Communications Decency Act states that "No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider." This section is one of the most potent active legislative acts concerning the internet and digital communications and one of its defining limitations. This provision protects service providers from the legal implications of removing content deemed obscene or offensive, even of constitutionally protected speech, as long as it is done in good faith.

US Computer Fraud and Abuse Act[13]

The United states CFAA is an act that attaches sentences to digital behaviors deemed illegal or unlawful and has clearly stated the repercussions for committing such an offense.

The Act states: “The CFAA prohibits intentionally accessing a computer without authorization or in excess of authorization but fails to define what ‘without authorization’ means. With harsh penalty schemes and malleable provisions, it has become a tool ripe for abuse and uses against nearly every aspect of computer activity.”

Crime/ Offense Years In Prison
Obtaining National Security Information 10
Accessing a Computer and Obtaining Information 1-5
Trespassing in a Government Computer 1
Accessing a Computer to Defraud and Obtain Value 5
Intentionally Damaging by Knowing Transmission 1-10
Recklessly Damaging by Intentional Access 1-5
Negligently Causing Damage and Loss by Intentional Access 1
Trafficking in Passwords 1
Extortion Involving Computers 5
Attempt and Conspiracy to Commit such an Offense 10

Photo Sharing Law

A law put in place by U.S. Legislation. The Photo Sharing Law outlines the general regulation for photography in the U.S. This resulted from the potential security implications internally and the privacy of citizens. The law mainly outlines these regulations:

  1. Private property is protected and established by the owner of the property, it is illegal to refuse to abide by the owner's requests concerning photographing activity.
  2. Photographing private property from within the public domain is not illegal.
  3. taking pictures of public places objects and structures are legal unless explicitly prohibited.
  4. Outer space requires a license to be issued by the National Oceanic and Atmospheric Administration in advance.
  5. Commercial photography will likely require a permit and proof of insurance.
  6. Photographing accident scenes and law enforcement activities is legal, as long as it doesn't hinder the operations of law enforcement, medical, emergency, or security personnel by filming.
  7. Any filming with the intent of doing unlawful harm against a subject may be a violation of the law in itself.


Ethical Implications

Due to the scale of technology companies, regulation cannot keep pace. As a result, general guidelines and laws for digital interactions. However, as the infrastructure continues to grow, there are new ways for the system to be leveraged in new ways. As a result, Algorithm Audits have become the most efficient way to assess digital platforms and providers' ethical impact on their consumers and users. These Audits have formulated direct ways to check digital platforms and create protections for auditors. However, these methods are difficult to employ and fall short in many areas of regulation. [14]

Research Protections

Because researchers attempting to audit a platform or provider can be targeted by these large tech companies, legislation has been put in place through the CFAA and U.S. Department of Justice to protect the researchers from lawsuits. This resulted from the 2018 court ruling in SANDVIG et al. V. SESSIONS, where four university researchers attempted to scrape information on discrimination in the housing department.

Image of Sadvig Sessions ruling, sourced from Google
SANDVIG et al V. SESSIONS[15]

"On Mar. 27, the United States District Court of D.C. ruled that such actions should not be viewed as criminal under the statute, though it declined to weigh in on whether the professors' conduct would be protected under the First Amendment. Without reaching this constitutional question, the Court concludes that the CFAA does not criminalize mere terms-of-service violations on consumer websites and, thus, that plaintiffs' proposed research plans are not criminal under the CFAA," U.S. District Judge John Bates wrote in his opinion.[16]

Privacy Policies & Anonymity

If attempting to do a code, scraping, or sock puppet audit requires researchers to engage with the digital platform directly. This can be dangerous because technology companies have outlined in their privacy policies restrictions on how users can engage on the forum. Researchers can be flagged for breaking these policies and banned from the platform. This can inhibit researchers' abilities to audit large developed tech companies if they're detected and can lead to lawsuits and further complications when the research is published. These large companies deal with data and can identify a user based on their access point or device metadata, and this can make it hard even to attempt many of the audit types.

References

  1. https://auditingalgorithms.science/?page_id=89#:~:text=Auditing%20Algorithms%3A%20Adding%20Accountability%20to,in%20diagnosing%20the%20unwanted%20consequences
  2. Wagner, B. (2016). Algorithmic regulation and the global default: Shifting norms in Internet technology. Etikk I Praksis - Nordic Journal of Applied Ethics, 10(1), 5-13. https://doi.org/10.5324/eip.v10i1.1961
  3. Perrin, Andrew, and Sara Atske. About Three-in-Ten U.S. Adults Say They Are 'ALMOST Constantly' Online. 26 Mar. 2021, www.pewresearch.org/fact-tank/2021/03/26/about-three-in-ten-u-s-adults-say-they-are-almost-constantly-online/.
  4. Sandvig, Christian, et al. "An algorithm audit." Data and Discrimination: Collected Essays. Washington, DC: New America Foundation (2014): 6-10.
  5. Kotras, Baptiste. "Mass personalization: Predictive marketing algorithms and the reshaping of consumer knowledge." Big Data & Society 7.2 (2020): 2053951720951581.
  6. Goldsmith, J. (2007), "Who Controls the Internet? Illusions of a Borderless World", Strategic Direction, Vol. 23 No. 11. https://doi.org/10.1108/sd.2007.05623kae.001
  7. U.S. Department of Education, National Center for Education Statistics, Higher Education General Information Survey (HEGIS), "Degrees and Other Formal Awards Conferred" surveys, 1970-71 through 1985-86; Integrated Postsecondary Education Data System (IPEDS), "Completions Survey" (IPEDS-C:87-99); and IPEDS Fall 2000 through Fall 2011:https://nces.ed.gov/programs/digest/d12/tables/dt12_349.asp
  8. Copeland, D.G., Mason, R.O., and McKenney, J.L. (1995). Sabre: The Development of Information-Based Competence and Execution of Information-Based Competition. IEEE Annals of the History of Computing, vol. 17, no. 3: 30-57.
  9. 9.0 9.1 9.2 9.3 9.4 Sandvig, Christian, et al. "Auditing algorithms: Research methods for detecting discrimination on internet platforms." Data and discrimination: converting critical concerns into productive inquiry 22 (2014): 4349-4357. pg. 9-15
  10. upcounsel (2020). Internet Law: Everything You Need to Know.
  11. Code, U. S. US Code of Federal Regulations.
  12. Ardia, D. S. (2009). Free speech savior or shield for scoundrels: an empirical study of intermediary immunity under Section 230 of the Communications Decency Act. Loy. LAL Rev., 43, 373.
  13. Griffith, D. S. (1990). The computer fraud and abuse act of 1986: a measured response to a growing problem. Vand. L. Rev., 43, 453.
  14. O'neil, C. (2016). Weapons of math destruction: How big data increases inequality and threatens democracy. Crown.
  15. Lee, A. (2019). Online Research and Competition under the CFAA. Available at SSRN 3259701.
  16. https://cases.justia.com/federal/district-courts/district-of-columbia/dcdce/1:2016cv01368/180080/24/0.pdf?ts=1522488415