Consent is key.
In this episode, we talk about some hardware and some software that might be of interest to you, and DeepMind’s claims that their AI coding engine is on par with your average human developer. Then we speak with Giulia Gentile, fellow in law at the London School of Economics and Political Science, about Europe’s General Data Protection Regulation and a ruling by a German court saying that it found "no legitimate interest for using Google Fonts on its websites," and the legal precedent that it sets.
Saron Yitbarek is the founder of Disco, host of the CodeNewbie podcast, and co-host of the base.cs podcast.
Josh Puetz is Principal Software Engineer at Forem.
Dr Giulia Gentile is Fellow in Law at the London School of Economics and Political Science. She specializes in EU constitutional law and the protection of fundamental rights in the digital society.
[00:00:10] SY: Welcome to DevNews, the news show for developers by developers, where we cover the latest in the world of tech. I’m Saron Yitbarek, Founder of Disco.
[00:00:19] JP: And I’m Josh Puetz, Principal Engineer at Forem.
[00:00:22] SY: This week, we’re talking about some hardware and some software that might be of interest to you, and DeepMind’s claims that their AI coding engine is on par with your average human developer.
[00:00:33] JP: Then we’ll speak with Giulia Gentile, Fellow in Law at the London School of Economics and Political Science, about Europe’s General Data Protection Regulation, GDPR, and a ruling by a German court that said it found no legitimate interest for using Google Fonts on websites in the EU, and the legal precedent that may set.
[00:00:51] GG: The idea is that Google Fonts allows the dynamic IP addresses of the visitors to be transferred to Google without consent.
[00:01:03] SY: So we’re starting this episode off with some neat new hardware and software. We wanted to make sure that you knew existed. The first is Raspberry Pi’s OS is now available in 64-bit. This will allow the single board computers to access higher amounts of RAM on some of their higher end boards giving a nice boost in performance. In an ARS Technica blog post, Raspberry Pi stated, “We’ve come to realize that there are reasons to choose a 64-bit operating system over a 32-bit one. Compatibility is a key concern. Many closed-source applications are only available for arm64 and open source ones aren’t fully optimized for the armhf port. The 64-bit version of Pi OS is supported all the way back to the Raspberry Pi 3, which was released in 2016.” So pretty nice. We’re excited about what you all might make out there with this new 64-bit version of the Raspberry Pi default operating system. If you want to share what you’ve made or what you’re going to be working on, call into our Google Voice at +1 (929) 500-1513 or email us at [email protected] So Josh, are you a Raspberry Pi kind of guy?
[00:02:19] JP: I'm not a casual Raspberry Pi.
[00:02:21] SY: Cash, okay.
[00:02:22] JP: Cash, yeah, yeah.
[00:02:23] SY: Okay.
[00:02:23] JP: I have a Raspberry Pi version 4 I want to say. Every couple of years, they come up with a new version.
[00:02:28] SY: Right.
[00:02:28] JP: What’s really cool is something called the Raspberry Pi Zero. I think they’re on the second revision of that. Raspberry Pi maybe costs, I want to say like 40, 50 bucks. It’s got ports, blah, blah, blah. The Raspberry Pi Zero is really, really tiny. It’s like very miniature. It costs about like $15 and it’s super fascinating as well. So I tinker around with it every once in a while. I wish I did more with it, to be honest. Some of the exciting things about the Raspberry Pi OS going to 64-bit is that it will be able to address more than four gigabytes of memory, which is really cool. The other big thing that the Raspberry Pi Foundation talked about was a lot of the open source software is compiled for 64-bit now. And if you think about it, there are hardly any 32-bit operating systems in usage anymore. They’re getting pretty rare. So a lot of the open source software that people want to run is only available for 64-bit OSs. That means if you’ve had a Raspberry Pi and you’ve been playing around with some open source software, you either have to find someone that already packaged up the software or you have to build it yourself. And that can get pretty complicated.
[00:03:38] SY: So this is going to be really convenient for a lot of people, just doing their regular work out there.
[00:03:43] JP: Yeah, I'm really surprised by the support that’s going back. Maybe this speaks to like how long they’ve been working on this, but the foundation said that Raspberry Pi 3 and above are supported, and I checked the Raspberry Pi 3 was released in 2016.
[00:03:58] SY: Yeah, six years ago. That’s pretty good. That’s legit. Yeah.
[00:04:00] JP: That’s a lot of models out there that are going to be able to run this, which is really kind of cool.
[00:04:04] SY: So given that 64-bit is kind of ubiquitous, why do you think it kind of took so long? Because it’s been rumored, I think for a while, I don’t think this is like a totally new thing. Why do you think it happened at this point?
[00:04:18] JP: So they have had an alpha, you know it’s serious when they call it an alpha not a data. They’ve had an alpha of this since I think about summer of 2020.
[00:04:28] SY: Okay.
[00:04:29] JP: I was reading a blog post from one of the developers who said, “Frankly, it’s based on DB and Linux, and they had a lot of bugs to work out with their implementation of it. And I think they’ve just been bug fixing this whole time and I appreciate this. They didn’t want to release it until it was solid. Because think about it. People that are getting involved with the Raspberry Pi, it’s pitched as a personal computer kit, right? It’s pitched for the hobbyist, but you’re supposed to be focusing on the fun kind of like hardware-type projects you could do and maybe some of the software that you’re running, but you’re not supposed to have to struggle with the OS. Right? That part’s supposed to be just like plug and play. So they really took their time and they didn’t want to release it until…
[00:05:09] SY: Make sure they got it right.
[00:05:11] JP: Yeah, that things were all ironed out. So it took a while to get here, but I think it’s kind of exciting.
[00:05:16] SY: It’s very cool. Yeah.
[00:05:17] JP: The next thing we wanted to mention was an announcement that Flutter, which is Google’s cross-platform framework, is now available for Windows. In an announcement, Google writes, “A couple of years ago, we laid out an ambitious vision for Flutter to expand for mobile apps on iOS and Android, to other platforms, including the web and the desktop.” So this is pretty big for the open source framework. It allows you to create native window apps. And since according to the company, nearly half a million apps use Flutter. They’re hoping that increases the amount of apps that are running on the desktop and running under Windows. Among other things, your apps will have greater integration with things like win32com, Windows runtime APIs, all the stuff that native window apps already have. This is really interesting, I think. Flutter’s been kind of making strides on Android, of course, because it’s put out by Google, but iOS as well. A fair number of, of course, all of Google’s apps on iOS use Flutter, but I’ve seen other cross-platform apps using it. And the idea that you can start to do cross-platform but also launch on Windows, that’s pretty interesting.
[00:06:26] SY: That seems really useful. Yeah. I haven’t used Flutter myself, but I was first introduced to it just when I was looking at how to make an iOS app and how to do cross-platform applications. And I was like, “Oh, fun, that’s interesting.” So it’s really interesting that you’re doing that even further by making it all the way out to Windows and now there’s web. And it just seems like it’s going to be an even more useful tool for folks to use. I was surprised with the nearly half a million apps though. I kind of thought it’d be bigger. I don’t know what your reaction was to that number. But I thought Flutter was more popular than…
[00:06:59] JP: Oh, I saw half a million apps that I was like, “Wow! That’s a really high number.”
[00:07:02] SY: Oh, yeah? Okay. Okay.
[00:08:03] SY: I mean, maybe a test platform, but yeah.
[00:08:06] JP: It’s not really cross-platform where it’s nice to have options. If you want to make something for mobile and go to multiple platforms, it’s nice to have a choice that is more than just React Native. And on the desktop as well, if you’re going to use React Native, I mean, that’s kind of rough on the desktop. I don’t know. This could be really cool, especially if you’re making a mobile app already and you want to dip your toe in the Windows market. It could be kind of interesting.
[00:08:28] SY: Yeah. Really interested to see how this affects the Flutter community. And if it really does, give it a boost and we see more apps coming because of it.
[00:09:00] SY: So one thing that I know that gives developers a lot of anxiety is whether we will one day be replaced by robots. This especially comes out when we talk about no code tools and that kind of thing. Well, this bit of news isn’t about no code tool specifically, but it’s definitely not going to help your fears of being replaced. So Google’s DeepMind, the brains behind things like the super smart AlphaGo, which could defeat virtuoso Go players, has now created another AI system called AlphaCode. According to DeepMind, they test AlphaCode against different coding challenges that are used in various coding competitions and their AI system “writes computer programs at a competitive level”. Although AlphaCode’s ability is only currently within the realm of competitive programming, the researchers say they are optimistic that the success they have already had with the AI system will open the door to being able to branch out in its programming prowess. Who knows? Maybe in the future, we can just have a robot do those dreaded interview coding challenges for us. I would not be mad at that.
[00:10:04] JP: Because it seems like all it’s doing right now, these questions that they tested AlphaCode against, these are like the coding interview questions you dread. From the article that we’ll link, “In one example challenge AlphaCode was tested on, competitors are asked to find a way to convert one string of random, repeated s and t letters into another string of the same letters using a limited set of inputs. Competitors cannot, for example, just type new letters but have to use a “backspace” command that deletes several letters in the original string.” So they showed like example of input would be like AB, AB, and you basically have to backspace a number of characters and then type the correct character in. I had to read this like five times just to understand what they were asking for.
[00:10:54] SY: Yeah.
[00:10:57] JP: They do state these are not normal coding types of activities. These are definitely challenge related, but wow. If this is what I was doing on a daily basis, I would welcome an AI to write this.
[00:11:08] SY: Yeah, if that’s how you could replace me, I’ll pick up a new skill. I'm okay. I’ll learn something else. It’s fine.
[00:11:15] JP: Are you nervous about being replaced by a computer? Do you think in the future we are going to be replaced by AI?
[00:11:22] SY: I really don’t think so. I think that AI will make our jobs easier. I think it’ll kind of get rid of some of the lower level, less interesting, the grunt work. I mean, I’m thinking like monitoring services and server infrastructure. And I mean, there are so many things that coding has gotten rid of for us as it is today of not having to, even when we distribute software, there are so many things that we don’t have to worry about because it’s been taken care of for us by products that I feel like with AI, something like that is probably going to happen to our everyday code where maybe if we’re spinning up the very, very basics of the foundation of a blogging app or something simple. Maybe we’ll be able to knock that out very quickly with the help of AI. But I still think that when it comes to more interesting problems, I think you’re still going to need humans, especially because, I mean, I see this like every day on my Twitter feed of people saying, “I thought coding was the hard part. It’s not the hard part. It’s people. People are the hard part.” And so I’m imagining all the things that go into coding, it’s not just literally, “Let’s type out this script or this code,” a lot of it is figuring out, “Well, how do you approach it?” Balancing different needs, different stakeholder requirements and working with the designer. You know what I mean? There’s just much more to it than just very simply writing out code that I don’t think you’re going to have a machine be able to replace that entire function. I think maybe parts of it, the lower level stuff, sure, maybe. But I think if anything, it’ll be helpful to us, but I don’t think it’s going to be a threat to us.
[00:13:06] JP: I'm kind of settling on that as well. I was trying to think of like examples of AI-assisted stuff that I’m using right now. And I notice that I’m actually using GitHub’s Copilot product quite a lot.
[00:13:18] SY: Yup, that’s what I was thinking too.
[00:13:20] JP: I use it like all the time. Those that don’t know, GitHub Copilot is this technical preview thing they have that is hooked up to GPT-3. As you type, it basically looks at all the code that’s on GitHub and tries to sort of guess what you might be typing next. So if you’re making a function called is positive and you give it a string, it’ll suggest based on the language you’re using like, “Oh, hey, here might be an if statement. If it’s the string true, then return Boolean true,” vice versa. It’s looking at all the code that is available to it and trying to guess what you’re going to type next. And that just like auto completing the line you’re on, but auto completing your if statement or your function or sometimes your class. And I'm actually using that all the time, but I would equate it to kind of like AI car driving tech. You got to keep your hands on the wheel. You can drive through a playground with children with copilot real fast.
[00:14:19] SY: Right.
[00:14:21] JP: And I wonder how good it will get. Granted these are two very different fields, but people talk about like, “Oh, AI is going to drive our cars.” And experts say like, “No, we are so far away from that.” The initial steps are really tantalizing and it looks like we’re close to a solution, but when you dig into it, there’s so much more there that has to happen. And I kind of think that’s where we’re. We’re going to settle upon. I mean, right now, obviously, this isn’t ready for prime time. Do I ever think AI will be coding up programs? Like you said, I think it’s the human side that’s going to be the real problem, understanding what are the requirements. Does this really work? Does this work with other systems?
[00:15:01] SY: Should I be building this at all?
[00:15:04] JP: Right. Exactly.
[00:15:05] SY: Yeah. Coming up next, we talk about our German court ruling against Google Fonts, the font embedding service library and the legal precedent this could set across the European Union after this.
[00:15:42] SY: Here with us is Giulia Gentile, Fellow in Law at the London School of Economics and Political Science. Thank you so much for joining us.
[00:15:51] GG: Thank you. Thank you for having me.
[00:15:52] SY: So tell us a bit about your legal background and focus.
[00:15:55] GG: So I work at the London School of Economics where I conduct research in the field of fundamental rights into digital society, but I also look at questions of European law and constitutional European law.
[00:16:11] JP: So you are the perfect guest for us because we have a lot of questions about GDPR. Since we’re going to be talking about GDPR, could you just kind of cover it at a basic level for those of our audience that might not know what it is? Could you explain what is the GDPR and what’s its major purpose?
[00:16:28] GG: So the GDPR stands for the General Data Protection Regulation, which entered into force in 2016 and became applicable in 2018. So it has been applied by companies, since now almost four years. It is a regulation that substituted the previous directive and essentially it has the objective of governing data processing. So how data, and in particular personal data, is dealt within the territory of the European Union and therefore the rights that data subjects have, data subjects being individuals that share their data. And of course also the obligations and the liabilities that exist for either companies that process this data and decide how this data should be processed. And these are normally called as processors and controllers.
[00:17:22] SY: What are some of the biggest tenants of GDPR and certain major tech rulings that have been said to violate it?
[00:17:29] GG: The GDPR is a relatively new instrument, as I said, but this doesn’t mean that it hasn’t attracted, I would say, an extreme amount of attention, both by practitioners, but also by companies and of course most institutions. So I would say the major rulings that we can think of lately are for sure those belonging to the Schrems saga that concerns the transfer of personal data from European Union to the United States, where the Court of Justice of European Union has found that the decision of adequacy that existed between the European Union and the United States in terms of adequate level of protection of personal data weren’t compliant with the GDPR framework. So these are very good judgments, I would say, that tell us quite a lot about how the GDPR works, but there are also a number of other judgments, such as the Facebook Ireland judgment and it’s had concerns how Data Protection Authority should cooperate with each other, judgments such as that Europe unite where instead we have other questions regarding the scope of application of the GDPR. So it’s the body of the risk burden that is certainly growing and increasing with time.
[00:18:49] JP: So Saron and I are based in the United States and a fair amount of our audience is based in the United States. I’m wondering if there is any kind of equivalent regulation or law in the United States that you could draw parallels with GDPR.
[00:19:03] GG: Yes. There are some national legislations, but these are sector specific. So there isn’t a general framework in the United States when it comes through personal data processing. So it’s rather a piecemeal and fragmented legal landscaping dispute, which indicates also very different approach in that jurisdiction concerning personal data. So there have been discussions regarding the creation of such a general framework.
[00:19:32] SY: What are the EU’s general attitudes towards big tech?
[00:19:36] GG: That’s a very good question. I think that isn’t a single attitude in the view. So I wouldn’t say that the European Union has a specific approach towards big tech. But for sure, the general approach of the European Union, when it comes to privacy, for example, which is very much linked to data processing, is that of protecting personal data and protecting the privacy of individuals being in a way a champion of these rights on a global level. So when it comes to big tech, I don’t think that the attitude of the European Union can be put in one box, I would say. So it depends on the sector. So when it comes to data protection, of course, the attitude of the European Union is to ensure that the rights of individuals in particular, the right to data processing our personal data is processed are enforced and correctly applied.
[00:20:34] JP: I think here in the United States, GDPR is frankly a dreaded acronym. It comes up and it means, “Oh, we have additional work to do at our website that we hadn’t even thought about.” I’m curious what the general attitude is towards the law among the public and really among the tech industry in the EU proper.
[00:20:54] GG: This is quite broad. And I think that the general attitude, again, depends on a case by case basis in the sense that for sure individuals are becoming increasingly concerned about their privacy following scandals, such as the Snowden revelations. For example, back in 2013, I think that there has been an increased sensitivity towards privacy issues and also the reach that not governments, but also now companies can have when it comes to the privacy. So this is, I would say, on a social logical level one can say. Now the regulatory response to these, I think that tries to deal with these issues. But of course, I mean, whether this is successful or not and whether the regulation struck the fair balance between the competing interests, that’s another question. So again, I think that the objective of the EU via these pieces of legislation was precisely to tackle these challenges, even though, of course, we should say that the data protection framework pre-existed the revelation, for example, in 2013, concerning the Snowden records and activities.
[00:22:08] SY: So a German court recently ruled that there is “no legitimate interest for using Google Fonts on its websites and that it violates GDPR”. Can you explain what legitimate interest is and talk about some of the reasons behind this ruling?
[00:22:24] GG: So the idea behind the GDPR, as I was mentioning earlier, is that individuals should be in control of the processing of their personal data. So in order to achieve these, the GDPR provides a series of principles and guidelines one can say particularly for processors and controllers when it comes to processing personal data. And in particular, personal data can be lawfully processed if there are at least some or at least one of the legal bases that are provided for legal processing for lawful processing under the GDPR. So we’re looking now at Article 6 of the GDPR. So the most renowned one is for sure consent. So if a data subject has consented to the effect that his or her personal data can be processed, then data processing is lawful. This is because by giving consent, individuals are exercising their decision, of course, and their control over their personal data. Now legitimate interest is a very interesting legal basis for data processing in the sense that we’re looking Article 6 again, Paragraph 1, Letter F of the GDPR where we read that processing can be carried. So processing may be necessary for the purposes of the legitimate interests pursued by the controller or by a third party. But there is a caveat to that except where such interests are overridden by the interests of fundamental rights and freedoms of the data subject, which require protection of personal data, in particular where the data subject is a child. So the idea here is that if there is a legitimate interest pursued by the controller, the controller is the entity that decides how personal data should be processed, then processing of personal data is lawful. Nevertheless, this idea of legitimate interest, you understand it’s quite blurred. We don’t really know what is illegitimate interest. In a way, this provision is a very good example because it gives us a sense about how the legislature and the European Union trying to balance in a way the different interests that converge when it comes to personal data, by giving some leeway to companies in a way to process personal data. But nevertheless, this processing, even in the presence of a legitimate interest by the controller, should always be mindful and respectful of interests or fundamental rights and freedoms of the data subject. So we have a balancing to be struck here between the legitimate interests of the controller and the fundamental rights of the data subject.
[00:25:13] JP: So breaking down this ruling a little bit into concrete terms, what kind of precedent could this set? Does it mean that websites that are serving users in the EU won’t be able to use Google Fonts anymore?
[00:25:30] GG: First of all, we should clarify that this is a German judgment. So this applies only within the territory of Germany. So there isn’t an effect on the territory of the European Union, unless this case is brought, for example, before the Court of Justice of the European Union, which would issue a ruling that applies to the whole territory of the European Union. So at the time being, the facts of this judgment are limited to the German territory. The idea is that Google Fonts allows the dynamic IP addresses of the visitors to be transferred to Google without consent. So one of the legal bases that we mentioned for lawful processing of personal data is therefore missing. And when it comes to legitimate interests, well, the court in Munich found that there wasn’t a legitimate interest for embedding Google Fonts in websites. So this means that practically speaking, unless a consent mechanism, for example, is embedded in the website, well, the use of Google Fonts cannot rely on the legal basis of legitimate interest because this was considered to be out weighted by the protection of personal data, the fundamental right to personal data.
[00:26:52] JP: I wanted to touch on something you had mentioned. Websites would not be able to use Google Fonts without prompting for acceptance or letting the user know what’s happening or asking them if they’re okay with that?
[00:27:03] GG: Exactly.
[00:27:04] JP: Ah, I understand. Okay.
[00:27:04] GG: Exactly. Or any other legal basis that is included in Article 6 of the GDPR. So for example, the processing may be lawful. If it is necessary for the performance of a contract or performance of a legal obligation, but I mean, legal obligation doesn’t really work here in this context and probably not even the performance of a contract. But in an event, what is required really is a legal basis drawn from Article 6 of the GDPR. And in this context, legitimate interests cannot work.
[00:27:37] SY: How often do rulings like this have a wider impact on court decisions in other countries in the EU that might pop up?
[00:27:45] GG: This is relative. So there might be a domino effect where other authorities and data protection authorities, for example, may start investigations in this field, but there isn’t a rule, I would say. So this may be leading the way towards similar cases, but there is no certainty about it. So this is for sure an interesting judgment. And normally, German courts are very much at the forefront of new challenges and new sorts of interpretations of the GDPR.
[00:28:17] JP: So shifting gears slightly, recently another way that GDPR made its way into the news here in the States was that Meta was threatening to shut down Facebook and Instagram in Europe in response to EU regulations on being able to take EU users’ data and move it to the United States for processing. This sounds like hyperbole. And I don’t think anybody really believes Meta would shut down Instagram and Facebook, but I wonder if you just talk about that particular part of the GDPR that talks about moving data out of the EU and what ways other companies have dealt with it. Because I can’t believe Meta is the first company to come up against this regulation.
[00:28:56] GG: Yes. Something we mentioned briefly earlier on was the existence of adequacy decisions. And this is in a way the safest way for countries to be able to get access in a way to personal data produced in the European Union. So this is a mechanism through which the commission issues a decision that finds that the level of protection for the personal data that exists between jurisdictions, so the European Union and the third country, is adequate. So it is a form of equivalence in a way whereby it is considered that the third country, so the foreign jurisdiction can protect personal data in an adequate way. There is, therefore, this root, but there are also, of course, other ones. So this is in particular Chapter 5 of the GDPR where we also see that another way for transfer of personal data to occur between jurisdictions, in particular between the European Union and in other jurisdictions, ease the adoption of binding corporate rules. So this is something that was also tested in the context of the Schrems to judgment and there’s also a list of appropriate safeguards, and this is in particular Article 46 that should be respected for any transfer of personal data outside the European Union. So there are different ways in which a transfer of personal data can be achieved in a compatible way with the GDPR.
[00:30:29] SY: Thank you again so much for joining us.
[00:30:31] GG: Thank you. Thank you very much.
[00:30:43] SY: Thank you for listening to DevNews. This show is produced and mixed by Levi Sharpe. Editorial oversight is provided by Peter Frank, Ben Halpern, and Jess Lee. Our theme music is by Dan Powell. If you have any questions or comments, dial into our Google Voice at +1 (929) 500-1513 or email us at [email protected] Please rate and subscribe to this show wherever you get your podcasts.