Controversy, thy name is Europe: Open credit scores, data-driven counter-forensics, and the regulation debate

Europe's biggest digital culture festival raises questions beyond the use of data.
Written by George Anadiotis, Contributor

Video: Facebook suffers legal setback in Germany, loses privacy case

Europe's SXSW: The analogy may give an idea of what Berlin's re:publica is to someone who has never attended. Like most analogies, it's not entirely accurate. But re:publica positions itself as Europe's biggest conference on topics concerning digitisation and society, while also being one of the world's most exceptional festivals on digital culture.

Read also: Data.world: The importance of linking data and people

Berlin's re:publica started out in 2007, with 700 bloggers in attendance, and it has been growing ever since. Last week, in Berlin, there were more than 10.000 people attending a program spanning three days, 15 themes, and 18 stages. With speakers ranging from the likes of Microsoft and Google to government officials to counter-culture activists, re:publica is a mixed bag.

Data, its use and misuse, was a recurring theme, and we picked some of the topics that spurred debate.


In Germany, like most places, credit scores are a big thing. They can make or break anything from loan applications to house hunting and mobile connection contracts. Where there is a credit score, there is also a debate. While you may have heard about China's social credit system, and the criticism associated with it, for example, chances are you don't know about SCHUFA.

Read also: Water data is the new oil: Using data to preserve water

SCHUFA is Germany's one and only credit score system. SCHUFA is issued by Schufa Holding AG, a credit bureau supported by creditors that has been operating since 1927. SCHUFA has been criticized by a number of actors and for a number of reasons.


SCHUFA is Germany's one and only credit score. Now, OpenSCHUFA is challenging that. (Image: Dpa)

In 2003, the German Data Protection Office issued a press statement, in which the risk that SCHUFA was evolving into a privately controlled central database was highlighted. In 2009, the German Ministry for Consumer Protection undertook a study of the error rates of various credit bureaus, and identified a very high error rate at SCHUFA.

Recently, Austrian data activist Max Schrems expressed his intention of using GDPR to file against SCHUFA. Schrems, known for his legal action against Facebook since 2011, questions the legitimacy of SCHUFA's right to indiscriminately store and process credit information about almost 70 million Germans without necessarily having consent.

In the meanwhile, there is also action against SCHUFA beyond the courtroom. The OpenSCHUFA initiative, a joint effort by NGOs Algorithn Watch and Open Knowledge Foundation, aims to crack the SCHUFA open, by deciphering its algorithm in the name of transparency.

OpenSCHUFA people believe that how SCHUFA works should be known, in line with their broader goal of investigating the transparency and fairness of algorithmic decisions. And since all legal action taken from affected parties wishing to disclose details of SCHUFA scores issued on them has been rejected, they took it upon themselves to investigate.

Can crowdsourcing and algorithmic accountability reporting methods be used to unlock more secrets of the SCHUFA and let us know where their practically unlimited power is based on? This is the question OpenSCHUFA poses, and in order to answer, OpenSCHUFA is asking people to chip in.

SCHUFA has reacted by calling the OpenSCHUFA campaign "misleading and against security and privacy in Germany." Its main argument is that SCHUFA is already transparent for public authorities and supervisory authorities, and cracking the algorithm open will encourage fraud, abuse, and the exodus of know-how from Germany.

SCHUFA also implies OpenSCHUFA has ties with the Bertelsmann Stiftung, which is part of a group also owning a large credit agency, and therefore is a competitor of SCHUFA. But what may be the most interesting part in its line of defense is the attack on OpenSCHUFA's plea for data.

The amount OpenSCHUFA set as a goal for the campaign is modest (€50,000). But in order for this reverse engineering effort to work, data is also needed. OpenSCHUFA is encouraging people to ask for all the data they are entitled to get from SCHUFA and submit it to OpenSCHUFA. Data will then be used to feed a logistic regression analysis.

The project intends to develop a web app with which one's own SCHUFA information can be scanned, securely and anonymously transferred, and subsequently made machine-readable. So OpenSCHUFA is asking people to trust it with its data, similar to what SCHUFA is doing. There are differences, of course -- perhaps, most notably, consent.

Forensic Architecture

Trust, or actually lack thereof, is also the driving force behind Forensic Architecture (FA). FA is an independent research agency that undertakes historical and theoretical examinations of the history and present in articulating notions of public truth. If that sounds a bit abstract, examining where FA comes from and how it works may make it more concrete.

Read also: GPU databases are coming of age

FA was founded by Israel-born Eyal Weizman, whose background is in architecture. At some point, Weizman's attention was captured by the role of architecture in the Israel-Palestine issue, and since then, himself and the team he built have embarked on a number of efforts to unravel official narratives in Israel and beyond.


Forensic Architectures uses data collection and analytics to challenge official narratives. (Image: Forensic Architecture)

FA also uses novel research methods to undertake a series of investigations into human rights abuses. The group uses architecture as an optical device to investigate armed conflicts and environmental destruction, as well as to cross-reference a variety of evidence sources, such as new media, remote sensing, material analysis, witness testimony, and crowd-sourcing.

Weizman presented some of the cases FA has investigated, as well as the methods they used. FA tries to engage in field work as much as possible, but data and models are also a key aspect of its work. A big part of FA's work is based on data collection and analytics.

In FA's investigation on one of Israel's raids in Gaza, for example, FA collected and processed thousands of videos and images shared on social media. Based on this material, as well as architectural models of the area, they attempted to correlate and place this body of evidence across space and time to recreate the story of that incident from as many angles as possible.

This spatial timeline of sorts was made possible by hard work and techniques such as utilizing metadata and visual processing. Some of it was quite simple, such as picking up when clips were shot. Others, such as correlating clips with one another in time and space, required imagination and advanced processing.

Weizman mentioned, for example, how they were able to use bomb clouds as metatada. Each cloud had a unique shape, which FA was able to identify in different clips and use as an anchor to verify the time at which clips were shot and place them on the architectural model of the area.

Based on this, distances could be calculated, and even the sizes of bombs that were dropped could be pinned down with accuracy. A correlation against Israel's known stock of weapons was then made, leading to the identification of the exact bombs that were dropped. This, in turn, lead to a file for excessive use of weapons in a civilian area that Israel had to answer to.

FA produces results that are not only usable and conclusive to the point of forcing governments to retract their stories, but also technically and visually impressive. Its multidisciplinary team has in many cases exhibited its research in art showcases, as it sees this as an outlet to reach out to the public.

Regulate this

Controversy and trust are common themes not only across these two initiatives, but also in re:publica and perhaps in the European approach in general.

Read also: The road to automation, the joy of work, and the 'Jen problem'

Weizman was asked, for example, how can the data FA uses be trusted, and whether they would be considered evidence in a court of law. This has been the line of defense against FA's investigations in many cases, discrediting them as "fake news."

Weizman explained that although the data they use do not fall under the typical definition of evidence, organizations such as the International Court of Justice in the Hague have updated their policies to take social media evidence into account under certain conditions, effectively acknowledging that a massive body of evidence should be considered.

In the OpenSCHUFA case, its people countered the "don't help fraudsters manipulate the score" argument coming from SCHUFA's side by saying that a score that is so easy to manipulate must either be wrong or problematic. Perhaps more interesting, however, is the regulation argument.

According to this, SCHUFA is regulated, therefore the public has nothing to worry about. Again, this was a cross-cutting theme in re:publica: How to deal with data sovereignty, monopolies, user consent, and what have you? Regulation was often the proposed answer, albeit often seen under a critical lens.


Regulation is an oft-cited answer to the questions posed by data-related challenges in Europe. But is enought? (Image: IBM)

Europe was, and maybe still is to some extent, looking at Silicon Valley as a role model of innovation. At some point, however, the realization that moving fast and breaking things does not necessarily end well settled in, along with a dose of self-interest one might add. One of the things pointed out in re:publica was that regulation alone won't cut it.

Germany's ISP landscape, for example, is -- in theory -- regulated. What consumers find in practice, however, is that regulation is mostly there to ensure they can switch between ISPs. In dealing with their existing ISPs, consumers are on their own. Collective or individual legal action against ISPs in Germany is not an option either, and as a result, ISPs can more or less do as they please. And let's not even examine what happens in the housing market.

So, it's not all about regulation; what's more important is what the regulation entails, and how it can be monitored and enforced. With GDPR looming, that question may be more relevant than ever. As Europe is finding Silicon Valley may not be what it thought it was, the US may be up for surprises, too.

Previous and related coverage

Russians suspected of new German attack may 'have been inside system for a year'

German intelligence services and federal specialists are investigating "an IT security incident."

No, we're not trying to get backdoors in smart homes, cars, says Germany

The German government is trying to quell outrage over reported smart-home and car-bugging proposals.

Planet analytics 1.0: From the UN lab to the globe

The United Nations (UN) is developing initiatives that leverage data and analytics to measure and streamline sustainable development goals. While this is work in progress, there are some fundamental questions as to its effectiveness.

Healthcare's $3 trillion question: Should the likes of Google and Facebook control this data?

How is data managed? Do users get to have consent over how their data is used? And do they get a cut out of the value generated by using that data? Let's take a walk on the wild side.

Editorial standards