AI Knows More Than You Think

Final Exam

20 questions · 70% to pass
1. What is the "aggregation problem" in the context of AI inference and privacy?
Correct. The aggregation problem describes how individually non-sensitive signals — posting times, topic patterns, vocabulary choices, purchase behavior — compound into a statistical fingerprint enabling inference of sensitive attributes the person never disclosed.
Incorrect. The aggregation problem is about inference: individually innocuous data points, when combined, create a fingerprint that reveals attributes the person never explicitly shared — as demonstrated in the de Montjoye mobile phone metadata study (4 data points uniquely identifying 95% of individuals).
2. When Google's "Location History" was turned off in 2018, what continued to record users' location data?
Correct. "Web & App Activity" — enabled by default and described separately — continued logging location data from Google services even when Location History was explicitly disabled. Arizona settled the resulting lawsuit for $85M in 2023.
Not quite. "Web & App Activity" — a separate, default-on setting — kept recording location from Google services even after Location History was turned off. Google settled Arizona's lawsuit for $85M in 2023.
3. The "sectoral approach" to US federal privacy law creates a problem for AI because:
Correct. A fitness app collecting health data isn't a HIPAA "covered entity." An AI HR tool isn't subject to FCRA. A consumer profiling AI operates between multiple sectors' statutes. The patchwork leaves large gaps that general-purpose AI systems readily exploit.
Incorrect. The sectoral approach creates gaps because AI doesn't respect industry boundaries. A health-adjacent fitness app, a credit-adjacent employment tool, or a general data broker operates between the narrow statutes without clearly falling under any one of them.
4. The EFF's Cover Your Tracks tool (coveryourtracks.eff.org) tests what specifically?
Correct. Cover Your Tracks assesses browser fingerprint uniqueness and tracker-blocking settings — a diagnostic for the passive identification risk that exists even without cookies.
Not correct. Cover Your Tracks is specifically a browser fingerprinting and tracker-blocking diagnostic. HaveIBeenPwned handles breach monitoring; neither covers data brokers directly.
5. GDPR's extraterritorial scope means:
Correct. The determining factor is whether an organisation processes EU residents' data — not where the organisation is headquartered or operates. This is what gives GDPR global reach and created compliance obligations for US, Asian, and other non-European companies.
Incorrect. GDPR applies based on the data subject's location, not the organisation's location. A company in any country that processes EU residents' data must comply — there is no opt-out mechanism.
6. What is "passive data" in the context of digital footprints?
Correct. Passive data is automatically generated by digital behavior — location pings, scroll patterns, typing speed — without users actively providing it.
Passive data is generated automatically as a byproduct of using services — click timing, scroll behavior, location pings — without any conscious user decision to share it.
7. The $650 million Facebook BIPA settlement covered only Illinois users because:
Correct. The same AI feature collected identical data from users nationwide, but legal protections existed only where state law created them. This geographic inequity is a defining characteristic of the US sectoral approach to privacy law.
Incorrect. The settlement's limitation to Illinois users reflects the absence of equivalent biometric privacy laws in other states. The AI system operated identically everywhere; the legal outcomes differed based entirely on geography and state legislation.
8. What data was Signal able to produce when the DOJ subpoenaed it in 2016?
Correct. Signal's minimal data retention meant the only information it could legally provide was account creation date and last connection date — demonstrating its privacy architecture through a real legal test.
Not quite. Signal could only produce account creation date and last connection date. No messages, contacts, or call records existed on Signal's servers to hand over — demonstrating genuine minimal data retention.
9. The Illinois Supreme Court's ruling in Cothron v. White Castle (2023) held that:
Correct. This ruling dramatically expanded potential liability — an employer scanning the fingerprints of 200 employees twice daily creates hundreds of violations every day. For companies using biometric AI without compliant consent procedures, the financial exposure can rapidly become enormous.
Incorrect. Cothron held that each scan is a separate violation — not that damages are capped or that there are temporal exemptions. This ruling significantly increased the financial risk for any company collecting biometric data at scale without BIPA-compliant consent.
10. The 2013 Kosinski/Stillwell/Graepel study showed that Facebook likes alone could predict political affiliation with what accuracy?
Correct. The study found 85% accuracy for political affiliation prediction from likes — a finding that helped establish how revealing passive engagement data is.
Not correct. The study found approximately 85% accuracy — far above chance, and achieved from passive like data that users typically regard as meaningless.
11. In the OCEAN personality model, what does "O" stand for, and what type of messaging would typically be most effective for high-O individuals?
Correct. Openness measures receptiveness to new experiences, creativity, and intellectual curiosity. Cambridge Analytica calibrated messaging by OCEAN scores — high-Openness users received different content than high-Conscientiousness users.
O stands for Openness — the dimension measuring receptiveness to new experiences, creativity, and novel ideas. Psychographic targeting systems calibrate message tone and content to each individual's OCEAN profile.
12. Which 2FA method has proven most resistant to account takeover in documented enterprise deployments?
Correct. Google deployed security keys to all 85,000 employees in 2017 and reported zero successful phishing attacks on employee accounts in the following year, per KrebsOnSecurity.
Not quite. Hardware security keys have the strongest track record — after Google deployed them to 85,000 employees, phishing attacks on employee accounts effectively stopped.
13. Which category of opt-out does enabling Global Privacy Control (GPC) in your browser address?
Correct. GPC sends an automated opt-out signal to every website you visit — and after the Sephora enforcement, California businesses are legally required to honor it under CCPA.
Not quite. GPC automatically signals opt-out of data sale to every website — legally binding for California-regulated businesses since the 2022 Sephora enforcement established it under CCPA.
14. The 2013 Nature study by de Montjoye et al. showed that location data could re-identify 95% of individuals using how many data points?
Correct. Just four location-time pairs were sufficient to uniquely identify 95% of individuals in a 1.5-million-person dataset, demonstrating that location data anonymization is practically ineffective.
The de Montjoye study found just four spatiotemporal data points were sufficient — showing that human movement patterns are unique enough that minimal data enables re-identification despite "anonymization."
15. What is the core problem with runtime permission dialogs, despite being an improvement over install-time permissions?
Runtime permissions describe what data an app can access — not what it will do with it. Granting location to a navigation app vs. a free game looks identical in the dialog.
The gap is between capability and intent. The dialog says "this app wants location." It doesn't say "this app will sell your location to 40 ad networks."
16. The 2023 CFPB guidance on algorithmic lending models stated that lenders must:
Correct. The CFPB guidance put lenders on notice that "our algorithm is complex" is not a valid substitute for specific, actionable adverse action notices as required by the Equal Credit Opportunity Act.
The CFPB required specific, actionable adverse action notices — algorithmic complexity is not an acceptable reason to withhold meaningful explanation from denied applicants.
17. Global Privacy Control (GPC) became legally binding for California businesses as a result of which specific enforcement action?
Correct. The Sephora $1.2M fine in 2022 was the first major enforcement specifically for ignoring GPC signals, establishing GPC as a legally valid opt-out mechanism under CCPA.
Not quite. California AG Rob Bonta's 2022 action against Sephora — $1.2M fine partly for ignoring GPC signals — established GPC as legally recognized under CCPA.
18. HUD's 2019 complaint against Facebook alleged discrimination in which area?
Correct. HUD alleged that Facebook's ad algorithm allowed advertisers to use protected characteristics to exclude users from seeing housing ads — a Fair Housing Act violation. The discrimination was not programmed intentionally but emerged from the AI's optimisation of ad delivery.
Not quite. HUD's complaint specifically targeted housing ad targeting under the Fair Housing Act. The case demonstrated that algorithmic discrimination in housing — even when unintentional — can violate civil rights law.
19. What is the "rabbit hole effect" documented in YouTube's recommendation system?
Correct. YouTube's researchers documented that users who watched political content of any orientation were systematically directed toward progressively more extreme content — because extreme content generates stronger engagement signals that the algorithm rewards.
The rabbit hole effect describes how YouTube's algorithm progressively recommends more extreme content after political video viewing. Because extreme content drives stronger engagement signals (more comments, longer watch time, more shares), the engagement-optimization objective rewards it — pushing users toward increasingly radical content.
20. HireVue's response to criticism in 2021 — stopping facial expression analysis while continuing voice and linguistic analysis — was criticized by experts for what reason?
Correct. Critics pointed out that inferring personality, hirability, or risk from voice patterns has no more scientific validation than facial expression analysis. Removing one pseudoscientific component while retaining another doesn't constitute meaningful reform.
The criticism was that voice-based personality inference is also scientifically unvalidated. Dropping facial analysis while keeping voice analysis was seen as removing the most visibly controversial element without addressing the underlying problem of using unvalidated pseudoscience in hiring.