RoboCupAtHome / RuleBook

Rulebook for RoboCup @Home 2024
https://robocupathome.github.io/RuleBook/

[General Rules] Potential legal issue with cloud computing #432

Closed raphaelmemmesheimer closed 5 years ago

raphaelmemmesheimer commented 6 years ago

We should strongly think of disallowing cloud computing as this can lead, at least at European-held competitions, to trouble in future. I'm not a lawyer, but there is a new data protection law coming (https://en.wikipedia.org/wiki/General_Data_Protection_Regulation) which basically forbids something that teams and the organization cannot assure. Also, the past few months have shown that the data that is sent to those services may not be as safe as we think.

Plus I personally don't see any scientific achievement in using cloud services, but that's another topic.

warp1337 commented 6 years ago

I totally agree with respect to external cloud computing. External as in: sent to the www

warp1337 commented 6 years ago

Side note: I would rename the topic of this issue to "Potential legal issue with cloud computing"

kyordhel commented 6 years ago

I'm not a lawyer but it seems it doesn't apply for @Home.

When you send an RGB-D image with your face to G for processing it, even though your pretty face is there, your identity is not. Data is unlabeled so there is nothing relating those voxels to you. Google might run some deep voodoo ARCNN and find you there, but it would be merely a guess since there is nothing on that data saying it is you and not your doppelganger or evil twin from hell.

Different is when you use Social Network data in which your identity (profile ID) is bound. Then there are no guesses, but confidences. In those cases the scenario is different.

Yet, we can be extra careful and ban cloud services from @Home. This will mostly harm both SPL, but to me it is a Go.

msdejong commented 6 years ago

Just to clarify - is this a proposal that would apply to Montreal 2018? Our current infrastructure has been designed to work heavily with cloud services and replacing them with high quality local models would likely not be finished in time for Montreal.

justinhart commented 6 years ago

I'm fairly certain that this doesn't apply to what we're doing. This is saying, "Hey! Remember how it turned out that Google and Facebook just gave US law enforcement our citizens' private emails? We want a law preventing that." This is "that person's data," not "data generated containing the voice or image of that person."

justinhart commented 6 years ago

Also, I don't see why this should apply in Montreal. Canada is not an EU member state.

kyordhel commented 6 years ago

@Michiel29 For Montreal, Cloud Computing will be allowed as stated in the rulebook.

LoyVanBeek commented 6 years ago

I think it is up to the team to comply with the applicable local regulations, as for example with WiFi frequencies. Team members sign a waiver form at the beginning of RoboCup, stating that their photos can be used, but I don't recall the specifics.

Still, when I was dealing with the datasets gathered at tournaments, I never published the data from the speech and person recognition challenges for privacy reasons.

AFAIK, under EU's GDPR, a user of a system can ask for all their data and ask for it to be removed. I think this applies to robots just as well. We're not above the law and teams will have to comply with local rules & legislation.

kyordhel commented 6 years ago

@LoyVanBeek we had some requests from the University to remove all videos/photos from all servers other than the university ones due to new European Regulations? How is it striking in The Netherlands?

What do you think about preparing a new PR banning all cloud computing (i.e. over the internet) from @Home? Sounds like a step back to me in some aspects, but we can't risk voiding local regulations.

justinhart commented 6 years ago

I don't think that it is necessary, and I think that it will harm the league. I like this event partly because I think that it really is helping to push forward the technology. Ignoring some of the amazing cloud services available I think would be a very big mistake, and I think that we could speculate a billion reasons as to why, not the least of which is, "How do you get good speech recognition without a million YouTube videos worth of samples to train your system with?"

kyordhel commented 6 years ago

The point here, my dear @justinhart, is that new regulations might be making illegal the use of cloud services during the competition unless we get the permission of all involved people (like proposed in #450).

I do not like this, but we need to be extra careful.

Regarding Speech Recognition, Mozilla Deep Speech sucks so far, but is an evolving offline alternative to Google Services. I think at some point Google might even offer some limited offline version of their speech recognizer, or bend to adapt to EU rules. On the other hand, I must admit I never liked the idea of having a robot dependent on an internet connection.

In any case, such a change might affect 2019 or even not be effective till 2020, but we need to prepare. For Montreal, I think, there is nothing to discuss. We got green light.

justinhart commented 6 years ago

I can agree with the proposal in #450, with the exceptions that I've outlined.

RemiFabre commented 6 years ago

Any updates on this for 2019? I understand that cloud computing is an ongoing debate in @Home, but I believe "is cloud computing a good thing in @Home?" is a different topic than "is cloud computing legal in that particular place?".

My understanding of the rule book's role is a definition of what the robot should be able to do. The "how" is left to the teams. The legality of the "how" seems to be the team’s responsibility entirely. Is this correct?

We’ve been using a US-based cloud service; I will ask them directly about this GDPR issue and post back the results.

RemiFabre commented 6 years ago

So I asked Kairos about this (cloud solution for face recognition). The answer was: "We can explore GDRP once we have agreed upon payment terms as it would depend on specific use case"... Also, they just stopped their free plan that was enough for our kind of usage, their paid plans are too expensive and not flexible enough, very disappointing.

We have discussed this RGPD topic internally and found a nice source discussing if any picture falls under the regulation (in French though). The tl;dr is that it's an active question with no definitive answer (no jurisprudence yet) but there is an important notion of intent of usage. A picture alone is not systematically under the regulation but if it's taken with the intent of identifying the person then it seems that the regulation applies.

kyordhel commented 6 years ago

I don’t see how X or Y solution of Z company to address W feature has anything to do with a legal issue. Regulations state we must have permission of a person to store whatever information of them. That includes not only face-recognition data, but also their voices, skeletons, thermal images, etc.

To me it is exactly the same having a robot doing cloud-based speech recognition and taking a picture of the competition with my phone and posting it on Facebook. Both approaches upload information so tech companies can process it. And tech companies will keep the data to enhance their systems. Further, tech giants have it easy bending the law and farming exabytes of data, while for the scientific community it is already challenging to build a dataset large enough without having to request users’ permission.

Nonetheless, people attending the venue have to sign a permit explicitly allowing us to record and use audio/video/etc for competition purposes. Nobody reads it, but the permit is there in lawyer jargon. Hence, we wouldn't be voiding any regulation for uploading, storing, and re-using anonymous data of people who already gave their consent.

Worst case, we write the RCF and request this permit to be updated so any attending people allow us to cloud-compute, store, and distribute any data retrieved by robot's sensor for the sake of science.