Serious Privacy

Schrödinger's data - Guidance on being Anonymous and Web Scraping

Dr. K Royal, Paul Breitbarth & Ralph O'Brien Season 7 Episode 26

Use Left/Right to seek, Home/End to jump to start or end. Hold shift to jump forward or backward.

0:00 | 33:32

Send us Fan Mail

Welcome to the Serious Privacy podcast, where Paul Breitbarth, Ralph O'Brien, and  Dr. K Royal, discuss a week in privacy. And we discuss some of the hot topics including an European Data Protection Board (EDPB) we also look at the EDPB guidelines on anonymisation, and Web scraping, including data dimensionality - which we looked up live!

We also discussed Prince Harry's privacy lawsuit in the UK - spoiler alert, he lost. And Meta up so some shenanigans. Come join the fun!

As we enter the summer months, the world of data protection and privacy legislation continues to evolve, especially in the UK and EU. In this post, we'll explore the latest updates surrounding the UKs Information Commission and the ongoing changes affecting its governance

If you have comments or questions, find us on LinkedIn and Instagram @seriousprivacy, and on BlueSky under @seriousprivacy.eu, @europaulb.seriousprivacy.eu, @heartofprivacy.bsky.app and @igrobrien.seriousprivacy.eu, and email podcast@seriousprivacy.eu. Rate and Review us!

From Season 6, our episodes are edited by Fey O'Brien. Our intro and exit music is Channel Intro 24 by Sascha Ende, licensed under CC BY 4.0. with the voiceover by Tim Foley.

Paul

And then suddenly it's summer. Apparently, it's already July. Before you know it, we've celebrated America's 250th birthday. We see people going on vacation all across Europe. Parliaments are wrapping up their work, supervisory authorities are wrapping up their work and pushing lots of things out. So, what else could you expect for episode 299 than a week in privacy episode? Well, we'll take you through everything that has happened in the past fortnight. My name is Pal Breitbart.

Ralph

My name is Ralph O'Brien.

K

And I'm Kay Royal, and welcome to Serious Privacy. I guess I could celebrate the 250 years and tell him it's serious privacy. Yes, it is. But that just doesn't sound right coming out of my mouth, right?

Paul

As Henry Hagen said, in America they haven't spoken English for years.

K

Right. Ain't no doubt about that. All right.

Ralph

I have checked and double checked to make sure we're not accidentally on 300 and we're actually on 299.

Paul

What do you mean, Ralph? Is this going to be a thing for us, episode 300?

Ralph

Oh, I can't imagine. I can't imagine that we would have anything special planned at all. It's an arbitrary number, after all. In fact, it's your 300 if it's not mine.

Paul

I think it's 300 for none of us. It's 300 for the episode, but none of us was there for all episodes.

Ralph

This is true. This is very true.

K

Although we did touch all episodes at some point. We might not have recorded them, but we did touch them.

Paul

For sure.

K

And Ralph VT listened to all of them. He touched them too. And any more details on touching, I don't need to know about.

Ralph

I'm gonna have to go back and just like see what my own count is. Because I was a guest before I was a host.

K

What is true? And you were a guest host.

Ralph

Yes, this is true.

K

This is true.

Paul

I probably got about four different numbers. More statistics next week.

K

And as y'all know, Americans and statistics right now. We just go with whatever resonates with whoever's listening.

Paul

That's true. We uh probably have had about a gazillion minutes of podcasting that we've did, and we have probably over twelve billion listeners around the world.

K

Yeah. And the number of countries we'll have to say that too, because I think there was five hundred and seventy-five countries?

SPEAKER_02

Yeah, sounds about right. In American statistics.

K

We're gonna go into something serious here. Unexpected question. Y'all ready?

SPEAKER_02

No?

K

On an average day, how many pigeons do you think you could carry?

Paul

None. These are getting more and more. I wouldn't carry a pigeon. Why would I carry a pigeon? They're flying rats. I can't disagree.

Ralph

There was an old cartoon when I was growing up called Catch That Pigeon, I seen remember. Dick Dastardly and Hannah Barbera bunch. Yeah. Carry. You gotta catch them first, haven't you?

K

Right?

Ralph

Funny enough, when when our wonderful editor Faye goes to university in Aberystwyth, there is a man known as the Pigeon Man who stands on Aberistwith's seafront and feeds the birds tup and to bag. And and he's always covered, like literally pigeons all over him. I've got some photographs actually of the bird manima at Aberistwith. Could frequently be seen at all covered in pigeons.

K

The only thing that's coming to my mind is birds don't have a sphincter.

Paul

This is very random, Kate.

K

You can't potty train a bird, so if he's covered in pigeons, he's covered in pigeon poop.

Paul

Obviously. Each of their own.

K

I just move at the pigeon speed of light and got right there to the if I'm carrying pigeons, I'm probably carrying pigeon poop. So I'm gonna say if you hold your arms out, you could probably get like what, eight pigeons on the arm? These guys don't like this question at all. They're not giving you an answer. And I did leave one word out. Which one, how many do you think you could reasonably carry? And I think reading from their faces and hearing the conversation, they cannot reasonably carry any.

Ralph

Correct. Yeah, I think I think it's an unreasonable question. So to reason reasonably carry. When I see pigeons, they tend to go in a stew, so you know. Okay.

K

Why can you hit eight pigeons on an arm? Probably one on the head. And depending if I'm sitting or not, I could probably get some else.

Paul

But the problem is I wouldn't you sure we're gonna get to episode 300? Let's first start with some privacy topics. Ralph, I believe you have an update from the UK on where things are headed with the new Data Protection Commission. Let's start with that. Let's start with something easy.

Ralph

Well, well done, Paul, for a segue. That was so random I couldn't even find one of my usual segues.

K

I have ramped it up, y'all.

Ralph

Yeah. Couple of small updates here from the UK with our good friends here. The Information Commissioner's Office stroke the Information Commission, as you might be aware. I think I've said this before. We've got two regulators at the moment. As we have an Information Commission led by the CEO Paul Arnold, who is also the Deputy Commissioner, and we have an Information Commissioner's Office, which they will transfer the assets from one to the other. But no Information Commissioner themselves, John Edwards, as we know, having resigned. And there's been a lot of comments, which I don't think I'll dwell on too much, brought out especially by Liz Kennedy, who is one of the ministers who's been tracking this and putting out some public statements around this. One of the public statements she has made, however, is that next week they will advertise for a new chair of the Information Commission. Now, for those people who don't know, when we lose the office of the Information Commissioner, the ICO, technically we lose the ICO as well. They just become the chair of the Information Commission. So adverts go out next week. So if there's anyone out there who fancies a job at the top of public life and data strategy and data enforcement.

K

Oh why.

Paul

And as the nationality of one of the countries of the British Commonwealth, I assume.

K

We used to be British Commonwealth.

Ralph

Indeed. I am actually unaware of any restrictions on the on the nationality of the person for the post, bearing in mind the last was Canada and New Zealand. I don't believe you've got to be British in order to apply. So we will see what happens as of next week when the post gets advertised. But in the meantime, it's business as usual for the ICO here in the UK.

K

Business as usual with no leadership from what was his name? John Edwards?

Ralph

Paul Arnold, the CEO of the Information Commission and the Deputy Commissioner, is running it in John Edwards' absence. And they're certainly still issuing a number of enforcement notices. We have seen here a number of them again, not under G E P R, but under PECA, P E C R, our e-privacy legislation, for want of a better word. Hundreds of thousands of unlawful marketing calls.

Paul

For you that means P E C R. P-E-C-R, yeah.

K

Well, I know P B or P E P P. That's what I thought. It's P-E-C-R, right?

Paul

Yeah. It's like P-I-P-L.

K

Yeah, like P-I-P-L, which he wanted to call something else, and I didn't in HIPAA or HIPAA or data. However, people I'm gonna have to say the fans need to tell us how they pronounce P E C R.

Ralph

Pecker.

K

I would call it Peker, correct?

Ralph

Calling a Pekka is too amusing, same as calling the New Information Commission the year. Okay. But what did we get under Pecker Ralph? Two home improvement companies find 370,000 for nuisance calls, targeting vulnerable people. A Manchester firm, 300,000 for bombarding people in debt with 5.5 million texts.

K

I wish somebody could do something here about that. It's ridiculous.

Ralph

So, yeah, a number of PECR penalties here in the UK, yeah, around unsolicited communications. People often forget that whilst we focus on data protection, there there are laws surrounding unsolicited communications. And actually, one of the things our Data Use and Access Act did here in the UK was moved the £500,000 fine for ECA up to the level of the GDPR. So for us, that's 17.5 million pounds or 4% of global annual turnover. 7.5 million was just the exchange rate when we Brexited, basically. The European listeners would know that to be 20 million euros.

K

In 20 years, they'll be saying who lived through Brexit? It's always been there, right?

Paul

No, in 20 years' time, they'll be back in the European Union, but they don't know that yet.

K

Hopefully. They don't know that yet, but they will be. Got it.

Paul

So yeah, in the European Union, we've actually have two important pieces of guidance from the European Data Protection Board that were released on the 7th of July. Both are opinions that are adopted for public consultation. So you have until the end of the summer to actually file your comments. And as always, I would recommend people to take a look at these documents and file their comments because they are actually useful. The first document is the long-awaited opinion on anonymization. What it means to have anonymous data, when a data set can be considered to be anonymized, how you would need to approach that as an organization. It comes down to the question whether data is actually identified or identifiable. So even a natural person can be identified through the use of that data using any means reasonably likely. And means can be interpreted broadly. It may include also means that are only accessible to a third party. The opinion becomes quite technical. So the EDPB suggests two different approaches. One is a contextual approach, where you would actually look at the various capabilities that organizations have to be able to re-identify information that they have that is considered at the very least to be pseudonymized, so that is not directly identifiable. And then there is also what they call the simplified approach, where basically a data controller can go beyond the legal standard and decide that data should be treated as personal data, even though to some it may actually be anonymous. So those are two scenarios that everyone needs to take a closer look at, whether that's sufficiently clear, whether that's actually workable in practice. There are also three criteria that can be used as a test to see whether data is anonymous or not. That is the no record isolation, no linkage, and no inference. And if any of those criteria fails, then further analysis is needed whether or not data can still be considered anonymous or not. Generally speaking, identification or re-identification is more likely to be successful against record-level data with what they call high dimensionality and high resolution, but other factors are also considered to be important. Now, don't ask me right now to explain what high dimensionality and high resolution means, because I have not understood that properly yet. The opinions are very fresh. They have been released last night. So this will require some time to properly digest, especially for a complex as technical as anonymization. But I do think it's important. This opinion, I think we've been waiting for this one for about two and a half years. So it also shows that it is a very complex topic. The court had its say on it in the EDPS case. I think it's also a very relevant to very it is also a very relevant one to take a closer look at.

K

Just so you know, dimensionality and dimensionality reduction is the transformation of data from a high-dimensional space to a low-dimensional space.

Paul

Yeah, now we know everything.

K

So that the low-dimensional representation retains some meaningful properties, ideally close, it says to its intrinsic dimension. Working in high-dimensional spaces can be undesirable because raw data are often sparse as a consequence of the curse of dimensionality. I'm not even really understanding the words I'm talking about, but just data thing.

Ralph

I quite like the fact we have data protection in different dimensions because with EDPS versus SRB, quite a lot of people was talking about that it introduced Schrdinger's data. Data that was anonymous for some and not for others, or pseudonymous for some and not for others. So I quite like the idea of different data protection dimension. It's like the multiverse.

K

I'm very curious now because I'm having to learn this technical stuff with my master's degree in AI management. I still can't tell you what the heck computational convolutional neural networks are. Rest of the But there's 12 techniques: manifold learning, principal component, independent component, sequential non-negative matrix factorization. Oh, now that's my favorite one so far. Linear discriminant, generalized discriminant, missing values ratio threshold settings, low variance filters, high correlation filters, forward feature construction, backward feature elimination, and autoencoders. Now, of those lists, I imagine that what made sense was the backward feature elimination. That you would not be able to look at the data and go backwards and see what it was tied to.

Ralph

I've been saying for a number of years that data protection professionals are going to have to get a lot more technical. Over the years, we've been very good at learning what the law says. We've been very good at policies and procedures and impact assessments and things like that. But the law, don't forget, the GDPR especially says take appropriate technical and organizational measures. And we've been very good at the organizational, but pretty poor at the technical, I have to say.

K

Yeah, we rely on our information security counterparts to know, which they always say, it doesn't matter what data we have, we'll just lock it down and nobody can touch it. No, sorry, there is no such creature as infallible data security. There just really isn't. No. But it goes the other way as well. We have a lot of people on the security side, and this is why we call ourselves cyber lawyers, right? Is because we understand the cyber law. We don't understand the technical implementation of it, but we understand the law. And I just ran against this just the other day where a technical person was trying to read a particular regulation of a very popular law and was trying to understand what exactly needed to do. And I'm like, why haven't you asked me? I don't expect a cybersecurity professional to understand law. Just like no one should expect me to understand technical controls. I used to keep a CISSP for dummies book on my desk. I just found it the other day. But he was, I'm like, tell you what, let me just send you the memo I wrote. And I sent it to him, and this was all within the same company, so no violation there. And he wrote me back and went, Oh my God, this memo is everything I needed. I'm like, that's why you should come to a lawyer when you have questions over what does the lotle mean?

Paul

And vice versa.

K

And vice versa, right?

Paul

No, that's absolutely right. For me, I'm already happy that the opinion confirms that it is still possible to have an anonymous data set. Because for a while there was also the discussion, is it even still possible to have full anonymization of data sets, especially with all the information that's available online?

K

Are they eliminating red aspect of it, Paul?

Paul

No, not completely, because the means reasonably likely for re-identification is still part of the assessment. If you can combine a data set that you receive with other data sets that are publicly available and re-identify your data set that way, then you should still treat it as personal data. But what you can do if you want to share a data set that has been pseudonymized on your end as a data controller, you share it with another data controller in the pseudonymous form without providing the key. You can, of course, add your contractual safeguards that say thou shalt not re-identify or even try to re-identify, which then in combination could probably also, under this opinion, give sufficient safeguards to ensure that the data can be treated as anonymous data instead of personal data.

K

Okay, listeners, rewind and count how many caveats Paul added to that.

Paul

Hey, it's data protection law, it's not black and white.

Ralph

Well, it this is why we call it Schrdinger's data, because we know we can pseudonymize it and it can be pseudonymous for us. We can give it to someone else and it'd be anonymous to them because they don't have the key to unlock it.

K

Or in this in this reducing dimensionality, the look backwards. Yes, exactly. I'm going to interpret the dimensionality as the look backward function. Interpreted when you first read the dimensionality as being full. That is full-fledged data, like something lives in dimensions. So a fine uh dimensionality would be a full set of data.

Ralph

Yeah, it's the width of the data set. Yeah. How many different data points you have? Because the more data points you have, the more likely it is you can anonymize someone if you've got host code and phone number and the way they look. And these are all different ways of identifying. So the more dimensions you have to your data set.

K

Or that's the way we're going to interpret it anyway, because it makes sense to us. We're going to go with that, right? We're going to go with that. Yeah.

Paul

So let's take a look at the second opinion because that's also an interesting one, and that relates to web scraping for Gen AI purposes. We've seen that has happened already quite a lot before this guidance came out, because we have all these large language models that were trained on basically books and the public internet and all of that. And EVPB has now issued their guidance on web scraping for the use of AI. And they say it often happens without data subjects being aware of it. GDPR does apply as soon as personal data is involved, no surprise there. Organizations need to determine on a case-by-case basis whether they would be controllers, joint controllers, or processors. Can you imagine that OpenAI goes to every single website and says, hey, we're going to scrape your data and we're joint controllers, so we need a joint control agreement in place? But that is something that may be required. There is an obligation to inform, but the caveat from the G VPR does apply that if it is impossible or it would require disproportionate effort to inform, then you don't need to inform at the individual level. Still, some generic information might be required. Public statements. Public statement, yeah. And then also the scraper, the organization scraping, should ensure that only information that is actually necessary for the intended purpose is collected. So you need to ensure that you don't just collect everything for all the time for every single purpose. No, the purpose limitation also still applies. So you need to set up some criteria on what you scrape and what you don't. If possible after the collection of the data, the EBPB says you should apply, more technical terms, syntax-based filtering mechanisms, and where feasible, replace some or all real data with synthetic data, or to anonymize or pseudonymize the data to also increase the levels of data protection. You should only scrape from reliable sources if you're going to scrape. You should timestamp the data, validate the data before using them in AI training. BDPB does recognize, also, probably looking ahead at what's coming in the digital omnibus, that a legitimate interest could be allowed for generative AI training purposes, but all conditions for a legitimate interest assessment need to be fulfilled. So the legitimate interest needs to be clear, it needs to be necessary, and it needs to be proportional. So you need to do that balancing test, you need to put in place mitigation measures for the personal data, including ensuring that certain data categories are not collected, that certain information is excluded, that certain data will not resurface or regurgitate, that the there is no risk of memorization of personal data, and also that individual rights can be exercised. So, yes, it is possible to use a legitimate interest to scrape data, but there is a very high threshold for it to be feasible.

unknown

Yeah.

K

Yeah, and don't forget. Balancing tests means you can't jeopardize the rights and freedoms of the consumers. And whenever y'all think about that, think would Paul think you're jeopardizing his rights and freedom? Would Ralph think you're jeopardizing his rights and freedoms? I know you're jeopardizing mine, so yeah.

Ralph

I take the point about replacing it with synthetic data, so you're not actually ingesting real people's personal data into it. That's that's that's a safeguard that I think is relatively sensible. Yeah. One of the final points from it that I thought was really interesting is it says that the EDPB says that special category personal data should be in principle prohibited. And then it mentions the Court ruling, GC and others from the SEJAU as well. There is no again, because this is EDPB guidance, so that they haven't said, oh, you've got to do it case by case. I'll always say that. I'll also say that'll be case by case, you've got to look at it on your own merits. We're not going to say a hard yes or no. We're just going to say everything needs to be done on its own merits and you need to do your own test, right? Which is consistent with any of the guidance we see from regulators. Yeah. But it is interesting, they've gone to the point of saying in principle special category data is prohibited. You would have to find uh something from the list. And a lot of people in that list will look at the manifestly made public by the data subject special category basis. But I would say, and I I say this quite often to people who look at that is someone who's deliberately publicized, not left it on a website.

Paul

Yeah. And that's if you, for example, if you have cancer and you have a web blog or videos where you talk about your disease, then you have made it manifestly public.

K

But there's also there wasn't there an enforcement or a case decision that said merely posting on social media does not mean that you've manifestly made it public.

SPEAKER_02

Yes.

K

Even if your Instagram is public and you po you talk about your cancer doesn't mean you've manifestly made it public.

Ralph

Which is interesting. I think that's supposed to be somebody like uh an influencer or a rock star or or a celebrity.

K

Who knows the public has a good chance of hearing them, whereas most of us it's our family.

Ralph

Yeah, they've published a book or an autobiography or stood up on a t on a concert and says, I'm at this concert because I've got this disease as well, or this is someone who's deliberately put something in the public domain, not just left it on a website.

Paul

So for both opinions, you can join the consultation until the 30th of October on the brand new website of the European Data Protection Board.

Ralph

Oh, don't. I was in the middle of training and I was trying to find something, and I was like, Oh, I'll just go onto the European Data Protection Board's website and show you and show you this, and I've just started navigate round it live in front of delegates when I've never been here before.

Paul

To be honest, it is an improvement, the website, and to be able to find things, it has become easier, but it takes some adjustment.

K

So over here in the US, we don't have a whole lot that is absolutely fabulous. One of them, and I don't know if you mentioned this because but Prince Harry lost his privacy lawsuit?

Ralph

Yes, I did see that. It wasn't as I understand it, it was more that they hadn't provided the level of evidential proof.

K

Okay.

Ralph

I don't think anyone is in any way suggesting that the Daily Mail and others didn't do these things. I think it's more that the you're you're innocent until proven guilty. And therefore, if you're going to take even in a civil case as uh as this was, you can't rely on hearsay. It's got to be a level of evidential proof before the judge will find in your favour. And though Prince Harry has put out statements saying that this is a whitewash, blah, blah, blah. And it wasn't only Prince Harry, Elton John and others as well. But but yes, he has lost the case because, as the judge said in their judgment, this is over 20 years old now, and some of it has gone from memory. There are some documents that aren't available anymore, and therefore he just wasn't able to be evidenced.

K

And maybe this will encourage him, since he spoke at the IEPP, to be more or engage more with industry groups that support privacy and maybe try to get something done that way, right? Maybe write the EDPB and put in your comments. Things like that might actually make an impact, right? Some of the other ones, the WhatsApp usernames, you can hide your phone number and use a username now. I don't Is that a big thing? I don't use WhatsApp, so Yes, that is a big thing. Okay, there you go. You can use usernames rather than having your WhatsApp phone number shown. And by the way, if you don't know that on your credit cards, you can request a virtual credit card number that you can use in place of your real credit card number. That way, if it is stolen or misused, you don't have to worry about it actually compromising your real credit card. Yeah, it's interesting.

Ralph

Instagram, isn't it? They've said anyone who's got an Instagram post, you will now be able to throw AI on it. Yeah.

K

Yep. Privacy experts are worried about consent and image scraping, exactly what you were talking about, Paul. What are you scraping? Are there charge out there? And I was saying, get over it, people. We're gonna scrape it.

Paul

Yeah, they were saying that already last year, and they still don't have a legal basis to do so because it is data that was provided that is reused for a completely different purpose, and that can only be done on the basis of consent. On the terms. No, it's not consent on the terms. It's consent needs to be separate for personal data protection.

K

But they may also be violating the terms of use that Instagram had in place when people posted those pictures. You can't just post new terms, as many companies do, and then say, oh, and it applies backwards. It doesn't work that way. Doesn't work that way. And by the way, if you didn't just get it from the conversation, you do not consent to a privacy notice.

Paul

I think we have made that abundantly clear in in the seven years that we've been doing this.

K

There are still things there are still things out there, people out there, websites out there, and you consent to our privacy. No, I don't consent to your privacy notice.

Ralph

The ICO was absolutely that today. Suze Phillips here in the UK responded to something and actually posted up on LinkedIn. And apparently on one of the ICO's surveys, it says you agree to the privacy policy and consent to the ICO's notice.

K

If you need another reason for doing it, it's to your benefit, because if they consent, then you have to go through all of the consent parameters and the revoking of consent and making easy and all that. So it's easier on you too. Let's see. 23andMe settlement finally came to its settlement. It's a 46.75 million payout. A U.S. bankruptcy judge approved that. So more on the 23andMe settlement. And there's a lot of settlement agreements, especially here in the U.S., because that's where most of them are, that don't require proof. You can sign up and just say woo-hoo, and they send you money because you signed up and said, Woo-woo, you don't have to prove. That's a lot of them. And then the last one, the one that I will end on, is we are still waiting on Massachusetts. Massachusetts had the first state security that was in place, God, back in 2008 or something that we had to work with. But they haven't had a primacy law. So this week they are brawling it out. The civil rights advocates and the information advocates and the this and that advocates are all descending in Massachusetts. They're duking it out in the hallways, got blood splatters everywhere. People are slipping out the back doors, probably not so much fun, but trying to lobby for their part to be part of it. And what was really interesting is that Dan Solov's Privacy Plus Security Forum that he just had a couple of months ago, one of the Massachusetts legislatures came and spoke to us as one of the keynotes. And the everything she's learned about privacy now that she didn't know. And then the key factors that they're arguing over, which would not surprise anybody to know what they are. So there is some information with that, hopefully, into this week, last week, not last week. I got this whole looking backwards thing nailed, don't I? Next week, we might have some more information on that. So I don't really have a whole lot of huge things that are happening. Those are pretty big, frankly. Those are pretty big.

Paul

Yeah, they're pretty big. Okay. Then I think we'll leave it at that for this week.

Ralph

Before we go, people might have noticed online that we have posted a Ask Us Anything on LinkedIn. We are taking questions for a listener mailbag. Now, we might not get to them on episode 300 because I don't think it's selecting the cow of the bag to say we we've potentially got a special guest. But if not, we were thinking of running a listener mail bag anyway. So please feel free to get in touch through all of the usual channels. Link in email, BuzzSprout, and ask us anything, and we'll be more than happy to take your questions into consideration.

K

Into consideration. There we go. And that doesn't mean to say that I haven't gotten around to trying to convince my co-hosts that we might do a live episode, not next week.

Ralph

This is why we don't do live episodes because Kay's dog is barking in the background. Exactly.

K

Oh, you should hear the dogs when my husband leaves. There's howling, yipping, yelling is ridiculous. But anyway, thank you all so much for tuning in. We look forward to next week. We're excited to hit the 300th episode and wouldn't do it without y'all. We're also live on you. But we're also active on YouTube.

Paul

And on that note, I'll say see you next week. Goodbye. Goodbye.

K

Bye, Al.