 Ich komme zu einem der Talks, auf die ich mich am meisten freue. Das ist eine der Talks, die ich vorbeigeg, weil ich diese Projekte sehr viel über den letzten Jahr zeigte. Wer von euch hat etwas von Open Shufa mitbekommen? Wer von euch hat denn mitgemacht bei Open Shufa? Wer hat mit Open Shufa mitgebracht? Mit Open Shufa. Ja, da sind viele Leute hier im Saal. Ich finde es total großartig. Vielleicht können wir diesen Verkampf zahlen. Vielleicht können wir diesen Algorithmen reverseingenieren. Anna arbeitet mit seinen Leuten. Und die zweite Sache, die ich wirklich liebte, war oft eine Gesetze, Open Laws. All of a sudden, da gibt es ein Portal, das alle Federal Laws haben. Genauso fand ich das. Und das ist genau das, was ich vorbeigeg. Also, machen wir schnell jetzt den nächsten Talk. Der nächste Talk, Court in the Acton. Mit Stefan Wehrmeier, Weimar, Palme Zoffer und Arne Semsrott. Guten Morgen. Guten Morgen. Nice to see so many of you so early in the morning. For our talk, Court in the Acton. A title that I'm probably the only one in finding radium using. Well, one more person over there. Never mind. We're going to be giving a short talk on applied hacker ethics. And on, especially the part about using, protecting private data and using open public data. And we have two projects that use this in very different ways. Both of them are about private companies that act as if they were government agencies. Not when it comes to transparency, but in everything else. And we try two different approaches to crack these companies. We'll start with Open Shufa. And after that, we talk about often a Gesetze, and then we should have some time for discussion. Open data with the Shufa credit rating agency is a difficult topic. Shufa has data on almost 70 million people in Germany. And some of their information is very sensitive, because it's financial data and missed payments on lots of people, most of you in this room. And people who don't have a lot to do with Shufa actually tend to think that it's a government agency, but it's a private company that doesn't publish its algorithms. People talk about their scores that are supposed to calculate the probability of somebody paying back a loan. There's not just one Shufa score for each person. There are about 16 of them. But the way they calculate these scores is a company secret. This was upheld in the courts as well. And Shufa doesn't need to publish the way they calculate these scores. But they can't stop people from reverse engineering these scores. And that's what we tried with Open Shufa, which is a project of Open Knowledge Foundation and Algorithm Watch. And its goal is to reverse engineer the Shufa Algorithm. We started a crowdfunding early this year. Many of you supported it and donated. Thank you very much. That allowed us to start this work. We had an advertising spot, for which we could convince the very nice Nico Semsrott to appear. And the idea was, and still is, that everyone can request their own personal data unter GDPR und receive them by mail. We then scan them and redact them. And people can then donate them to us. Many people did so on selbstauskunft.net. They requested their private data and then donated them to us. The Shufa wasn't exactly happy about this project. Very early in this crowdfunding, they added a huge banner to their website, where they said that it's misleading and damaging to security and privacy in Germany. That was great of them. Thank you very much for that, Shufa. Because they had a huge banner on their home page. They opened Shufa, the link to us, and they gave us a lot of traffic. That was really brilliant. Shufa was very unwilling to cooperate throughout the process. There were lots of journalists who tried to research individual cases and to confront Shufa with them. And this is a report from a journalist at the Veld newspaper, who showed how Shufa talks to journalists. Because they exert a lot of pressure on journalists. They tried to prevent reporting at the very last second. They say that they are spreading fake news. This shows quite nicely that Shufa has a lot to hide. And what we could bring to the public is what Vajta is now going to tell you. Okay, so we essentially started to collect the data in May. And basically to implement this idea, protect private data, use public data. In this case, we need essentially private data to get to data that should be public. Or to reverse engineer this data structure of data that should be public in our opinion. In total, there are 100,000 requests to these scoring rating companies. There isn't just Shufa in Germany. We emphasize that repeatedly. There are other companies that use even worse datasets and that are even less well known. But we're always saying we'll start with Shufa, but it's not going to stop there. The really nice thing is in other countries, it's called MyData. We'd like to call it OurData, because we want people to know what this data is and that you can actually donate it. And that you can contribute this to a pool that can be used for the public good and where we can essentially find out more. So over a half a year, we got 3,000 data donations. And we had one problem that when people asked for their data from Shufa, then they got a piece of paper, they got it by letter, then they had to scan it and send it to us. And so a lot of data is lost because maybe the scan quality is bad. So that was the first challenge that you have a switch from one medium to the next. And then there's a break between data because the very simple thing is that we participated on average probably above and different from the societal average. There were a lot of men. It was generally young people who were very urban, who were interested in technology. So the sample really isn't perfect. And on May 25th this year, the GDPR was implemented. And from that point onward, the Shufa published less data. That's kind of funny, because if there's a single company that should have prepared itself for GDPR, then it would have been this one company. It's one of the main companies that has personal data and has all this data about every single person. And yeah, not private people should be upset, but this company should be prepared. And that's probably also because the data protection commissioner there didn't think about it enough. In the last seven months, where they just didn't send out data that they should have given out, that really was a problem, because we got fewer pieces of information or couldn't use all of these data points that we had. So the sample that we have isn't really representative. And the aim would have been to have 3,000 perfect datasets and could have essentially model and emulate the Shufa algorithm. And so that's what this looked like before GDPR, if you requested your data. So you see the scores for different sectors. And then after May 25th, it was slightly less. So one thing that we tried to figure out, what are heart factors? So there are several, the different variables. There are several outliers here that I want to emphasize. One is when someone has declared bankruptcy. The other one is if your things you own are seized by the government to essentially pay for things, for money that you own. So these are two things, that's where your credit score goes far down very quickly. In these cases, it actually makes sense. So 95% of the score basically affect three quarters of people. And basically based on this data, they decide whether you can get a smartphone contract. But so the variables that they use to calculate these scores are pretty vague in our opinion. And we also assume that there are problems with incorrect data. For example, there are bad scores without any negative markers that affected 20 people who got a negative score and didn't have any negative data. If you calculate that up for the entire German population that would affect a lot of people. But also if you for example get a bad score and that affects your credit, then you might not even think of this because you have done everything right and you might not think of the fact that maybe they made a mistake. Also allegedly in cases where there is a number of people that have fewer than three data points. So I'd say this is a very thin soup. And the third part is that there are different versions of these scores. There's a version one, version two, version three. Nobody really knows which bank requests, which version and what that means. There's a discrepancy between these score values. And I think these versions very nicely show what happens in the background because there are companies who collect these data that are used in the scoring. They send it to Schufa. They use their non-official model and then a third party uses them and uses the score to deny something to the consumer. It's this chain of people who say that they simply collect the data and don't actually use it and say that they who don't really want to publish how they calculated their scores. And this is one of the large problems if there happens anything, if anything goes wrong in the chain. For example, people who if companies fail to report that people paid back their loans, then the system thinks that the loan is still in force and people can then be denied further loans. Nobody can really find out what causes this, who, what link, which part of the chain causes this, causes the error. There are also the variables of age and gender and moving house. There are things that indicate that, for example, younger people or men have lower scores and also the number of house removals affects your score. So people who move more often have lower scores. But there are people who are forced to move house because they have to run away from something worse. And these people can't prove that their removals were justified because they, for example, had to move to Bavaria, although that's already bad luck. And another nice finding is there are three patterns here. On the left-hand side you see the number of credit cards, the number of bank accounts and the number of mobile contracts. And you can see that the peak is always at the number two. So if you have two credit cards, two bank accounts and two phone contracts, then your score is likely to be very high. I would, of course, never claim but two seems to be better than one. But, for example, if you're moving house only temporarily, you maybe shouldn't register with the offices. On the 30th of October the Council of Experts of the Ministry of Justice published a report on consumer scoring where they said that the algorithm has to be opened up at least partially. And their claims were furthered by publications from the Bavarian Public Broadcaster and Spiegel Online Schufa, of course, responded with a nine-page letter that people were not allowed to quote. The Minister of Justice Bali also wanted more transparency from Schufa. And this led to the promise of electronic requests, the data requests where people will be sent a code by letter that they can then use online to request the data online. So if this works one time you could probably create an account where people can do so regularly and correct where people can correct their own data. We want transparency on how these scores are calculated, how certain things affect the score and that you can perhaps get notifications that tell people that they got negative scores so that they know about it and have a chance to correct them because this usually takes months to correct any mistakes they may have made in this entire process. These are the things we are hoping for in the future. We say that Schufa is only the beginning and not the end. And we want to show what people can do when they share data and when they understand what it means when they give us their private financial data. Das ist meine Lieblingsleit hier draußen. Die Frage ist natürlich, wie kann man die Schufa dazu kriegen in Zukunft wieder mehr Daten rauszugeben? Die geben jetzt nicht alle Daten raus, die sie über einzelne Daten geben. Okay, so the question is, Schufa doesn't simply publish all the data that they have about one individual so we have much more information and we want to force them to give out more information that they have essentially saved about you. So that's also one way of doing this is that we want to sue them. One thing that was also really important is that Minister Barley also demanded this. We hope that that's going to lead to something because this is going to be a law in an ideal case. Yeah, okay. So we have something prepared for this as well. Yes, open laws. We already said in the beginning laws, where do you find them, if you look for a law online then you can find it on different websites, for example Dijur or Bousa. The official website is called Laws on the Internet which is really important because otherwise you don't know where you're putting that URL in and you can find every single law in there and every official guidance. It's pretty current, but sometimes it takes a few days for the current version to be on there. But how does a law actually get to that place, to that point where it's published? And so I've made a quick graphic because usually if you look for how a law is implemented in other words, I try to turn this into a get remote process and present it as such. So you know, well, this is what it looks like. So there's one branch from the ministries, so they basically get a draft that gets to the government that decides on it in the cabinet, then it goes to parliament, then it goes to the second chamber which has the federal representatives in it and then once it's agreed on in parliament then the German government signs it again. So basically they do a get sign, then it goes to the German president who also has to sign it and then it goes into the production release branch Germany, Federal Republic of Germany and it gets merged in there and then it basically is put in place. So only once it's on the production release branch is it actually a law that is enforced before that hasn't actually happened. So basically in the production release branch where is essentially the get log for this and the log for this is the federal law Gazette. Also known as BGBL which shouldn't be confused with the German law book. Basically this is where laws are announced and it's the Gazette where these are promulgated. There is a weird distinction between two German words here that is not relevant for the English translation. But the thing is that these laws are basically published and actually printed out in this Gazette. This was the first federal law Gazette of the Federal Republic of Germany in 1949 where they actually published the basic law of the German Constitution. Unfortunately it looks exactly the same in the year 2018 and this is the law that legalized same sex marriage and that is the so called article law and these article laws that are published in this Gazette change existing laws. So it's basically a patch. So if you look at this it basically tells you that the current that the existing law is changed paragraph 1309 ist changed and then essentially the wording is changed that marriage can be between two people rather than between a man and a woman. I personally think it's super complicated to read. I have no idea what the context for this whole thing is and what I know is this. On the right side then you can see what was added and the problem is that it has to be readable by people and doesn't have to be readable by machines. Open laws, our project was more concerned with legal problems but they are also technical problems because if you look for this website that publishes these things for the Gazette then you get this website very nice, very 2000 and if you look at this a bit you see this publishing company here, Bundesanzeige and what is this publishing company it's a private publishing company now it used to be owned by the government what was privatized in the 80s initially and then in 2006 it was completely privatized and as part of Dumont Media Group you may have heard about them they published several newspapers in Berlin so this Media Group also publishes our laws so if you click a bit further on the website then you can find the free citizen access I love that I click on there and then I get this big green box with a warning and it basically says the electronic version of the federal law is basically an intellectual property protection so basically this media company says that they have intellectual property rights to laws of the federal public of Germany but basically every law is public agency piece of work that is not protected intellectually but the collection of these laws you could say that there is an IP claim there and they are definitely laying the claim to these laws here it is very obvious, they are putting that right on there and they are laying the claim to this particular IP if you try to click a bit further and look into these Gazettes you realize there is no search function there is no OCR of PDFs before 1998 they are just pictures the PDFs are basically with copy and protected against copy and paste and printing them out we may know how to get rid of those we may want to copy and paste something from there some PDF readers might say well you can't do that, you have to put in a password of course that's stupid and then the pages themselves actually where you have a law on a page they include ads in the footer and then for example says things like oh you can go into this website where you can look at all of these things and you think that's kind of inappropriate and it's not actually related to the lawmaking process itself aber man bekommt das natürlich auch an but of course you can also access this in a different way because you can essentially get a subscription for a half year it costs you just it'll cost you just 99€ and then suddenly all of these documents can be printed you can take out pieces of text so it's basically copy and paste also get this as an e-mail you'll get it via newsletter and so also when you're getting it via e-mail the subscription actually costs 108€ for six months one thing we also wanted to know is how did this publishing company get to publish all of these things and was privatised and so we tried to get this contract you can find this request on fragtenstadt and it's quite interesting because there's a lot blacked out here so i would say maybe 50% we appealed but that's currently going on but the justification for this blacking out for these blacked out places was that it said this includes when the contract went into force and until when it's in force and what the position of these laws is in terms of IP laws so we couldn't even figure that out from this contract because the ministry blacked it out and then they basically said it was just in keeping this secret because it could influence the economic situation of this publishing company and that's why it had to be blacked out our reaction is these federal lawsuits was to publish these federal lawsuits on oftenegasetze.de which is a German website where these things are published it means open laws we did that with Johannes Anne and I together that's a pretty nice website you can search them, you can download them their text versions and so the ministry of justice can find it as well we also published it on the internet so we don't just have open laws.de we also have open laws on the internet.de here the startup so this is the startup page a comparison of the features that we have the it is in excess they can't print it, you can't search it we actually have text versions of older versions as well we basically have these four versions across years we have these four different versions if you download these gigabytes of PDFs and want to use them, do that we think these are public data, you can do that we also have stable links the other version unfortunately doesn't have stable links so we also have PDFs all of these are session links so we can't even give a link to someone we have RSS feeds and of course everything is free thank you the reaction was pretty positive like here thank you and the legal community also reacted in a very positive way so a law professor essentially wrote blog posts about this and were like oh this is great this hadn't been moving forward for several years so this legal community was very happy and positive about this as well and now minister of justice ballet also said that she will take this federal log is that away from the Dumont publishing company at least that's what one newspaper titles puts in their headline an electronic version of this has been in the planning for a while but which is currently only in vision to start being published in 2021 and so at that point it only has to be published online anymore but the thing that was new is that even the previous federal log is that should be put online and should be searchable for free by the government so now the government is essentially taking charge of this and that I think is definitely improvement and I hope we contributed to that to actually finally implement this decision one thing that's also interesting is that the company jurist is the first company that retweeted this tweet and they do something similar but not with a loss but with court decisions which is also a company that maybe we should have a look at some time so how is this going to continue we are waiting for a lawsuit actually we're not that we're not that certain because we don't think we did anything wrong but we will see how this continues maybe we already have something in our mailbox we are going to continue cleaning up this Gazette a bit we for example notice that some of the metadata on their website are incorrect for example dates are corrupted are impossible to pass and of course there are loads of other Gazettes in Germany for example the ministerial Gazette which is also very important for the federal government there are many other levels that have their own Gazettes for example the federal states but all the municipalities and many of these are probably in the hands of private publishing companies many of them are publicly available but many others only have paid access and we should continue to strive for availability here and you can help with that so that was Open Shufa and often a Gazette both of these are projects by Open Knowledge Foundation and we try to we try to break these rules that these ancient companies are trying to impose on us both Shufa and the publishing company of the federal Gazettes are ancient companies they have always done things the way they do now but we are trying to see what we can change in other rooms my mics were usually on already thanks for the talk it was very interesting I just joined y'all we have a few minutes for Q&A please go to the microphones mic 2 please in the beginning in the middle of the year someone said that the entire business model of Shufa is basically affected by GDPR could be affected by GDPR the general data protection rules for Europe I didn't follow this has anything come of that has a data commissioner said everything is fine or what's the status quo there Shufa still exists zuständig für die Shufa die Person in charge ist Dataprotektions-Officer für den Federal-State of Hess er ist nicht pursuing Shufa als er all zu wenn es in einem unterschiedlichen Staat ist aber das eine Veränderung was passiert ist diese elektronische Datawikreste vorhin sind sie nur von Mail ein Dataprotektions-Kommissioner dass sie mit E-Mail senden Access-Codes von Mail und man kann dann Requesten oder Fetchier-Data online das ist eine Sache, die verändert hat aber wir haben nicht wirklich gehört über alles andere das Federal Dataprotektions-Officer might be objecting to und Shufa ist natürlich nicht um die Leute zu verabschieden das Dataprotektions-Kommissioner zu verabschieden microphone to you again please ich wollte fragen ob du noch Dataprotektions-Kommissioner für Open Shufa hast zu dieser sehr, sehr sehr shorten Dataprotektions-Kommissioner die Leute bekommen nicht so viele Punkte die sind oft shorter als online und das ist kein Dataprotektions-Kommissioner die wir in unserem Modell benutzen also wir haben die Dinge auf den Held geplant aber wir hoffen, dass wenn wir mehr Druck aus Shufa exerzen und lange Replye bekommen dann können wir das Dataprotektions-Kommissioner nutzen aber natürlich hoffen wir, dass das Ministerial der Justice-Intervene Hi, I also have a question for the makers of Open Shufa and you have a lot of information there now and you have gotten a lot of important sensitive personal data and then GDPR also went into effect and I wanted to ask whether how you dealt with GDPR and having to be GDPR compliant we had legal aid the data are only given to two external media companies and the rest was dealt with internally at the open knowledge foundation and algorithm watch the data protection officer Niko Herting did all this we weren't interested in people's names they were not usually included unless people made a mistake when they uploaded their data where and included easily identifiable data so ideally we don't have that data at all but of course that doesn't mean that these data sheets are completely anonymous of course there are certain ways to find out who actually own these data we don't publish them though many people told us they would like to work with our data set but we currently don't allow that with our data we have a question from the internet signal please are you planning to publish these laws as code page versions and are you working on a machine readable version of these laws we've been focusing on the legal issues here there was a project called Federal Git that tried to version the federal laws on GitHub I did that myself and there was a lot of manual work involved in reverse engineering how these are made and we had a legal Hack workshop here at one of the assemblies and we tried to see if these patches can be extracted from the Federal Logazet using natural language parsing and taking apart PDFs and finding out which paragraph was changed in which way but there are lots of different ways that these changes can be included in the Federal Logazets there are services that do that for example BUSA but it's complicated it's a very complicated matter there is a lot of work involved and ideally we wouldn't have to reverse engineer this like we do with Open Shufa but we'd like to have the legislator do that himself and that would also simplify the legal process where people currenty type everything into word documents Wir haben diese Läume, die anderen Läumen verändern. Wir hoffen, dass dies verändern wird. Aber die Legalexperten, die ich talked zu, sehen keine Läume hier in der nächsten Zukunft. Es gibt nicht so viele Fortschritte. Es gibt nicht viele Progriffe, obwohl wir es tun, aber das ist viel Arbeit. Aber wir sind nicht diejenigen, die diesen Weg verändern wollen. Die Regierenden haben diesen Weg geholfen. Es gibt niemanden, der dieses alte Weg von etwas tun will. Es gibt einen neuen Projekt, den E-Legislation. Es ist ein Federalprojekt, der versucht, das zu arbeiten. Aber ich denke, es ist vor allem, eine Wortplugin zu schreiben. Super, Mikrofon Nummer 2. Ja, ich bin interessiert, wo diese Daten und diese Läume kommen. Sie sind von OpenLaws.de. Sie haben jemanden mit einer Hand von der Zitizen-Axis schraubt. Und dann OCRs, die noch nicht OCRs sind. Und haben Sie die Advertisungen getroffen? Es gibt jetzt keine Advertisungen. Aber wir können nicht wirklich sagen, wo es jetzt kommt. Wir haben noch Zeit für eine Frage. Wir haben noch Zeit für eine Frage und ein Mikrofon, bitte. Hallo, eine tolle Präsentation, danke. Ich war jetzt in den Lightening-Talks und habe gehört, ein Projekt, das in Publishing-Kort-Decisions interessiert ist. Hast du das gehört oder hast du mit ihnen gearbeitet? OpenLegal-Data, ja. In diesem Bereich sind es sehr coole Leute, die nicht nur die Gesetze, sondern auch die Öffentlichkeit haben, die nicht nur die Publishing-Lauten, sondern auch die Court-Orders haben. Und wir versuchen, das zu finden, wie wir uns da sieben können. Vielen Dank. Vielen Dank. Bitte, gebt die Spiegel einen anderen warmen Rundfunk.