Fruit of Tainted Tree: An Interesting Metaphor and a Challenge for Data Removal Methods

March 22, 2021

I am not legal eagle. In fact, legal eagles frighten me. I clutch my billfold, grab my sweater, and trundle away as fast as my 77 year old legs permit. I do read legal info which seems interesting. “FTC Says That One Cannot Retain the Fruit of the Tainted Tree.” That’s a flashy metaphor for lawyers, but the “tainted” thing is intriguing. If an apple is stolen and that apple is poisoned, what happens if someone makes apple sauce, serves it to the PTA, and a pride of parents die? Tainted, right?

The write up explains:

the FTC has found that the work product of ill-gotten data is no longer retainable by the developer.

Okay, let’s say a developer creates an application or service and uses information available on a public Web site. But those data were uploaded by a bad actor and made available as an act of spite. Then the intrepid developer recycles those data and the original owner of the data cries, “Foul.”

The developer now has to remove those data. But how does one remove what may be individual datum from a data storage system and a dynamic distributed, modern software component.

Deletions are not really removals. The deletion leaves the data, just makes it unfindable in the index. To remove an item of information, more computational work is required. Faced with many deletions, short cuts are needed. Explaining what deletions are and aren’t in a modern distributed system can be an interesting exercise.

Now back to the tainted tree. If the ruling sticks, exactly what data will have to be removed. Is a single datum a fruit. Years ago, Dun & Bradstreet learned that some of its data, collected then by actual humans talking to contacts in financial institutions or in gyms, could not be the property of the outstanding data aggregation company. A phone number is or used to be a matter of fact. Facts were not something an outfit could own unless they were organized in a work and even then I never understood exactly what the rules were. When I worked in the commercial database business, we tried to enter into agreements with sources. Tedious, yes, but we had a deal and were not los banditos.

Some questions crossed my mind:

  1. How exactly will tainted fruit (apples, baskets of apples, or the aforementioned apple sauce) be removed? How long will a vendor have to remove data? (The Google right to be forgotten method seems sluggish, but that’s just my perception of time, not the GOOG’s or the EC regulators’.)
  2. How will one determine if data have been removed? There are back up tapes and sys admins who can examine data tables with a hex editor to locate certain items of information.
  3. What is the legal exposure of a person who uses tainted fruit which is identified as tainted after reuse? What if the delay is in lawyer time; for example, a year or more later?
  4. What happens when outfits use allegedly public domain images to train an AI and an image is not really public domain? Does the AI system have to be dumped? (I am thinking about Facebook’s push into image recognition.)

Worth watching if this write up is spot on and how the legal eagles circle this “opportunity” for litigation.

Stephen E Arnold, March 22, 2021

Comments

Comments are closed.

  • Archives

  • Recent Posts

  • Meta