Marcelo E. Huerta Miranda
Legal Advisor at the Informatics Center (CEI)
Office of the Comptroller General of the Republic of Chile

INTRODUCTION.

Artificial Intelligence (hereinafter AI), Smart Contracts, Blockchain and Quantum Computing are safe, expeditious and highly traceable technological innovations that are useful for transactions and decision-making processes, but which must be applied and audited with special ethical criteria and preventive control measures in favor of administrative probity.”

The principle of probity and ethics pose a challenge to the auditors of our SAIs to apply them correctly in order to decide on what is right in each case. To this end, we need only think of the recent cases of the possible hack of the ClaveÚnica database for public procedures in Chile, and the Ramsomware of BancoEstado, the occurrence of cases in countries such as Argentina and Brazil, among others, increasing at an exponential rate due to the global pandemic and teleworking.

ClaveÚnica Case

On October 20th, the newspaper “El Mostrador” reported that the Metropolitan Cybercrime Investigation Brigade of the Investigations Police of Chile detained a 26-year-old computer engineer in the city of Limache for hacking the website of the Digital Government Division- dependent on the General Secretariat of the Presidency – which, on October 8th of this year, allowed the theft of the ClaveÚnica database by the hacker, who will be brought to justice and formally arraigned for the crime of computer sabotage (provided for in law No. 19,223).

ClaveÚnica is a tool that allows users to carry out more than 900 procedures with State agencies and also allows access to the Docdigital system, the State’s official communication platform, where the documents of different State agencies are uploaded, including those of the Presidency.

The Executive cleared the air stating that “there is no evidence that allows to affirm that there has been access to information related to ClaveÚnica;” although it began an update process of this for security reasons anyway.

BANCOESTADO CASE

On September 7th of this year, the newspaper “La Tercera” reported on the cyberattack suffered by BancoEstado, where neither the assets of the state company, nor the funds of its clients were infected, but, in an unprecedented stoppage for local banks this Monday morning, the 410 branches they have in the country had to be closed. Of course, during the day, they did manage to reopen about 24 branches, this is about 6% of the total. The blocking of computers and some systems was massive.

This was a case of Ransomware (malicious software that infects computers and prevents them from being used.) Generally, this type of malware, which hijacks computers, asks for a monetary ransom in order to free the computers. But that has been ruled out. “What happened in practice is that this virus or this attack was looking to collect data. It took data that, for now, for the bank, are not significant; that is why we have been able to keep the operation functioning normally,” Sebastián Sichel, president of BancoEstado. explained in Parliament yesterday.

No violation of customer accounts or bank assets was detected. The malicious program managed to encrypt the bank’s data, so in practice, a commercialization or sale of this data should not be observed since they would not have managed to remove them from the Bank. In the face of this cyber-threat in Chile, the virtual hijacking of computers, the Undersecretary of the Interior, who leads the Central and Incident Area of BancoEstado, expressed that he will continue to work with the CMF to monitor and strengthen procedures and security measures to address cyber-security threats.”

Isabel Cabello, a BancoEstado prosecutor, said on Monday that they filed a complaint for computer sabotage.

Likewise, it was reported that, as in the case of Migrations of Argentina https://www.lavoz.com.ar/sucesos/hackeo-a-migraciones-se-vencio-plazo-y-cybercriminals-publicaron-datos-sequuestrados, the policy is that no negotiations are made with cybercriminals for the hijacking or disclosure of data.

BRAZIL CASE

Without a doubt, the most recent and serious attack is the one that occurred in Brazil on November 5.
https://obastidor.com.br/investigacao/cnj-governo-de-brasilia-e-sus-sofrem-ataque-semelhante-ao-do-stj-25

The days following it was reported that it was not only the Superior Court of Justice of Brazil, but also Social Security, the National Council of Justice, etc., about 10 important bodies in total and there is already a hacker group that has spoken, who have a thinking similar to Anonymous Brazil.

The Data Bank of the Unified Health System is seriously affected. That is, all the information of retirees, of those who receive health benefits, work licenses for health treatment, contributions for future retirement, etc.

This is how the entire Data Bank of the Superior Court of Justice was incinerated and burned. I still do not know how much of the data bank of the Social Security database was compromised. If it has reached Dataprev, the Social Security Technology and Information Company, this will harm thousands of Brazilians, especially retirees and the sick.

It is estimated that this constitutes an immeasurable information security failure of Brazilian public bodies.

https://www.uol.com.br/tilt/colunas/carlos-affonso-de-souza/2020/11/06/o-que-o-ataque-hacker-ao-stj-ensina-sobre-seguranca- digital.htms

Its significance is really worrying because if this happens in Brazil, all the other countries in the region may be on the verge of massive attacks on state systems, so we are looking at adopting special cyber security measures. Now that it has been consolidated and imposed, and all kinds of legal services and products using technological resources under the LegalTech model, and even the administration of justice by digital means, and the electronic file, it is very important to bear in mind the gaps and vulnerabilities to which they may be subject.

Ethics

For Aristotle, man is a naturally political social animal that, being with others, understands that there are correct ways of behaving and judging others, metaphysically founded on the Kantian categorical imperative. It is a hierarchy of values.

At the international level, it should be noted that, on February 28th, a document was signed at the Vatican on the ethical aspects of technology and AI, which, in turn, influenced the directive of the European Parliament and the Union Council, establishing that they must be at the service of people and the planet, with full respect for the rule of law. To do this, they must be transparent and reliable in order to respond to the organizations, in the face of the ethical dilemma, both in the utilitarian and consequentialist dimensions, outlining their patrimonial responsibility via internal regulations and manufacturers’ guarantees.

Regarding judicial decisions via IA, it outlines that they will be adopted on a pragmatic and jurisprudential basis, acting as a bank of experience and its possibilities. Accordingly, Estonia, a country very advanced in social intelligence, has already announced the creation of a robot judge to solve simple cases in matters of Local Police Courts such as the application of fines for traffic offenses, speeding, parking in prohibited places, etc.

Let’s review these technologies very briefly.

ARTIFICIAL INTELLIGENCE

In my book “Computer Crime” Ed. Conosur 1996-1998, I pointed out that, while its concept was first coined in 1956 by John McCarthy, Stanford professor, its actual appearance occurred at the end of the historic 5th generation of computers during the International Conference on Computer Systems in Japan in 1981, when the construction of “computers capable of maintaining normal dialogue with a person and manipulating information in a faster and more versatile way than previous machines was announced, developing the so-called expert systems; comprehension of natural language – as opposed to programming; artificial vision, which will have the possibility of recognizing images, performing visual controls of quality, people, criminals etc.; and automatic programming systems, in which it will be enough to tell the computer through a natural language what you want it to do and not how it should do it.”

BIG DATA (as main component of AI)

This is a set of data, or combinations of these, whose size (volume), complexity (variability) and growth velocity (speed) make it difficult to capture, manage, process or analyze using conventional technologies and tools.

These technologies are parts of the so-called MACHINE LEARNING (ML)

The machine actually learns an algorithm that reviews the data and is capable of predicting future behavior. It does this by looking for patterns in the data, and then using a model that recognizes them to make predictions about new data. It has 2 types of algorithms: supervised learning – which use labeled data – and unsupervised learning, which find patterns in unlabeled data.

The predictive coding task, as opposed to the quantitative legal, involves applying one or more of the sets of supervised learning algorithms to classify each new record by relating it to the “training data” previously identified by an expert reviewer. In turn, they can be classification or regression (logical or linear) that identifies which category an element belongs to based on known examples and logistics: it predicts a probability; Linear Regression – A numerical value.

QUANTUM COMPUTERS.

They seek to take advantage of the quantum properties of qubits to be able to run quantum algorithms that use superposition and entanglement with greater processing power than the classical ones. To do this, it uses ions (atoms from which one or more electrons have been removed) in a certain state and keeps them held in laser traps, and then combines them according to the calculation to be made. They are especially suitable in factoring processes.

BLOCKCHAIN.

Advanced cryptography mechanism, created by Satoshi Nakamoto in “Bitcoin: A Peer-to-Peer Electronic Cash System” from 2008 as a decentralized registry system, at a physical, administrative and political level, allowing to manage transaction databases for a community or network, without requiring participants to trust each other.

They are classified into 3 types: 1) Public access, open and decentralized; 2) Private, closed and centralized, and 3) Hybrid or consortium, partially closed and distributed.

SMART CONTRACTS (SC).

This concept was introduced by Nick Szabo, in 1994, pointing out that any decentralized ledger can be used for self-executing contracts, which were later on called smart contracts, and could be converted into code and their execution permitted on a blockchain, the interaction of all the entities on the network with each other in a distributed manner, thus eliminating the need for a trusted third party.

DIGITAL IDENTITY.

Technology represented by an ordered selection of databases and composed of records and blocks of encrypted information; the blocks are linked and chained together and what mainly characterizes this technology is that the data is distributed in such a way that the user has access to all the records that are chained and the traceability of the operation performed.

REGISTRY SYSTEM.

The Registry is the place where an asset and your right over it are registered. Its notion refers to the list, document or roll where the entries or general information of a thing are recorded. Estonia works under the e-Land Register system, a web application that contains information on all limited real rights for properties, delivering data in real time via X-Road, a fundamental tool for the real estate market, providing full transparency and all the information of those involved in the real estate sector. Cadastral information (including address, area, purpose of the land); property relations; liens, restrictions, rights of use, other annotations; and mortgage information.

BLOCKCHAIN APPLICATION AND AUDIT.

Its immutability allows irrefutable proof of the existence of a transaction and, especially, to maintain an audit record that guarantees the traceability of the transactions and the ownership of the assets.

A regulatory body is required to supervise this type of network where banking entities would operate and set standards at a regional or global level, and rules on how banking entities would be incorporated (qualifying titles or licenses) and a reliable digital identity system to individualize the parties; for this, the new eIDAS Regulation introduced provisions that guarantee security to the trust deposited by consensus of the Financial Institutions that make up the platform, records and valid transactions to third parties.

CONCLUSION

There is a legislative gap to be resolved regarding the acceptance that these systems will have, their evidential value with a view to establishing a system of reliable transactions, and policies to prevent attacks on social coexistence between users and manufacturers.

Shakespeare already foresaw, in the Merchant of Venice, the great damage that could be caused by the numerous judicial disputes that unethical law can cause in the wrong hands. An example of the consequences of doing business lightly and without reflection or advice, of contradictions, ambiguities and shortcomings of the law, and of the reasons that lead to litigation.

We do not ask so much of our SAIs; we believe that adhering to the structuralist theory (rather than the syncretic) used in the formation of language (F. Saussure) and appreciating the technological evolution in Synchrony (like a film that is being developed), rather than Diachronic (like a photo), ethics and the principle of probity mark the path to act with conscience, evaluating the externalities of these interactions in the face of our legacy to future generations and critically to an inter lucid society that allows regulating the knowledge and communication of an effective ethic of its value as a right to welfare for all (in Hegelian terms) in whose context the principle of accountability will be the basis of social consciousness.

It is, without a doubt, a pending task for the success of which I suggest studying these tools, with the greatest possible rigor, and applying them to fulfill our control objectives in harmony with respect for the rights of the owners of these data.

About the Author:

Marcelo E. Huerta Miranda is a Legal Advisor at the Informatics Center (CEI) of the Comptroller General of the Republic of Chile. Marcelo is a Doctor © JURIS in Law, SAEJEE Business School, Spain; Master in Public Law in Constitutional Law (PUC) and Diploma in “Computer Expertise” and “Audit, Control and Security Systems,” USACH. He also took the Soziologie für Juristen Course, Univ. Salzburg, Austria