Considerations for Privacy Professionals
In a landmark year marked by significant AI advancements, it’s vital to prioritize transparency, accountability, and respect for privacy rights. Privacy professionals have been tasked with guarding against the downfalls of automated decision-making for some time, including potential harms that result in loss of opportunity, economic loss, social detriment, and loss of liberty.
Guiding solutions that address algorithmic discrimination risks is a tricky but necessary business. Privacy professionals need to be at the forefront of developing safeguards against algorithmic biases.
Strategies for Privacy Professionals: Balancing Transparency and Privacy
Against a backdrop of seismic change in the technology landscape and considering demands for new regulatory and compliance standards, privacy professionals need to tackle the complex task of trying to ensure algorithmic accountability. Several considerations, strategies, and approaches are emerging.
Transparency and Explainability
Transparency and Explain-ability are certainly a starting point. Demystifying algorithmic decision-making is essential. The public should be informed about algorithms, including their sources and potential sources of bias.
Reuters recently reported that Meta used a significant number of public Facebook and Instagram posts to train their AI systems, raising concerns about personal data. While Meta asserts this aligns with a fair use principle, competing content creators may challenge this claim. Regulators in the near future may as well.
The situation emphasizes the need for clear data usage policies, merging AI progress with individual privacy protections and fair business practices.
The Four D’s Framework
A Four D’s Framework can help. It is a method for assessing algorithmic systems to minimize privacy harms throughout the life cycle of an algorithmic system, much like the notion of shifting privacy left. The build of an algorithmic system comprises four stages: Design, Data, Development, and Deployment. This framework ensures that the entire scope of an algorithmic system is captured in a risk assessment. Think of algorithms simply as more advanced states of statistical profiling engineered into software products, and as such, they are prone to the same benefits and potential harms.
Because of this, it is crucial to introduce ‘policy layers’ at each stage of development. These layers can serve as a filtering mechanism, checking on a system as it is being built, preventing it from showcasing potentially harmful or biased outputs. While raw training data may contain various biases rooted in history, privacy layers can help filter out such biases, ensuring AI does not perpetuate them.
To enhance AI safety and reliability, modifications to the original training data sets are undoubtedly needed, but as an interim step, Google’s first Chief Decision Scientist has well articulated that policy layers can serve as an effective interim step.
Privacy Impact Assessments
Privacy Impact Assessments (PIAs) need to be updated to include all the implications that arise from AI. TrustArc recently did so. Their PIAs now essentially operate as Algorithmic Impact Assessments. PIAs include but also transcend legal compliance, ensuring that algorithms consider aspects like fairness, ethics, accountability, and transparency.
Global Governance of AI is also needed in companies that use AI in their products. Fostering a cohesive, coordinated effort at a global scale is necessary for algorithmic transparency and accountability.
Of course, AI can also be used in novel forms to help with the management of AI itself. Novel machine learning (ML) solutions are in constant development to ensure user privacy.
Technological Advancements in Algorithmic Privacy
Keeping a watchful eye on ML solutions directed at privacy is important. Several stand out and undoubtedly, many more are in the works. Although the solutions themselves are highly technical involving advanced mathematical and computational approaches, their applications need to be understood by privacy professionals. In this sense, algorithmic privacy begins with the explainability and transparency of AI algorithms built to maintain privacy themselves.
A starting point is the notion of Differential Privacy which has been around since the mid-1990s. This privacy-preserving data method allows for gathering useful insights about a population without compromising individual data. The impact on groups remains consistent regardless of any single person’s data inclusion, with only the study’s findings potentially affecting demographic subgroups, not individual participation.
Building on Differential Privacy, Microsoft’s Privacy Preserving Machine Learning (PPML) initiative is a three-step process to understand, measure, and mitigate privacy “leakages” in training models. It aims to preserve the privacy and confidentiality of customer information while enabling next-generation AI productivity.
A quick overview of Machine Learning (ML) approaches to privacy includes the following.
- Perturbation Techniques add noise to data or algorithm outputs to prevent sensitive information from being learned.
- Cryptographic Approaches allow computations on encrypted data, ensuring sensitive information is not exposed.
- Federated Learning allows ML models to be trained across multiple decentralized devices or servers holding local data samples, without exchanging them.
- Secure Multi-Party Computation and Differential Privacy involves a distributed learning framework that provides secure multi-party computation while adding noise to the computations. It provides a mathematical guarantee of privacy but does not require decentralization of data like federated learning.
- More recently, MIT’s Probably Approximately Correct (PAC) Privacy technique automatically determines the minimal amount of noise that needs to be added to protect sensitive data.
These Machine Learning (ML) procedures offer robust and diverse tools to protect sensitive data. They provide mechanisms to add noise to data, perform computations on encrypted data, train models on decentralized data, and integrate secure computation with privacy guarantees, thereby enhancing data privacy and security in ML applications. While their technical implementation may sit with other experts, it is important that privacy professionals have a broad understanding of their use and a seat at the proverbial table in the decisions to use them.
Much of these requirements gathering are not yet adequately understood nor addressed in current regulatory compliance standards. Again, privacy professionals involved from the beginning of design can help ensure the “future-proofing” of built applications.
The Global Regulatory Context
Recognizing that current laws and regulations are not adequate for addressing AI legal and ethical concerns, most regions worldwide are in the process of updating their regulatory frameworks. Each is influenced by their legal, cultural, and economic contexts.
In the EU, the Artificial Intelligence Act presents a horizontal strategy, aiming to set a gold standard for AI regulations with a set of rules that applies across all sectors and industries. This act is reminiscent of the GDPR and may well have a similar far-reaching impact. Canada’s Artificial Intelligence and Data Act (AIDA) also adopts a horizontal strategy and is particularly focused on high-impact systems.
By contrast, the U.S. is taking a vertical approach to regulation, with different sectors such as healthcare, finance, and transportation each having their own set of rules and regulatory bodies. Rather than crafting new AI-specific laws, existing legal frameworks to govern AI tools are being leveraged. This sector-specific approach brings into play key regulators like the Federal Trade Commission and the U.S. Department of Justice.
TrustArc: Leading the AI Privacy Revolution
In the dynamic realm of AI regulations and technical challenges, TrustArc emerges as a beacon. Their comprehensive suite encapsulates facets of governance, privacy, security, and compliance that help future-proof regulatory compliance.
For example, TrustArc’s data inventory hub helps enterprises map every software application they deploy and store individual data in. Each application is rated as to it high, medium, or low risk in terms of its privacy contents, which is what is contemplated in all future AI regulations.
TrustArc has updated and integrated renowned frameworks like the NIST AI Risk Management and OECD AI principles. In addition to the updated Nymity PMAF™, catering specifically to AI data privacy governance, TrustArc offers:
- Data and Business Process Risk Workflow: allowing you to streamline data mapping inventory and automatically get automated risk scores or customize your own. Based on the risk scoring, you can also configure your own automation rules to kick off a library or pre-built or customizable assessments to mitigate risk.
- Pre-built AI Risk Assessment Template: designed for AI risk specifically in mind, you can use this pre-built template designed by TrustArc privacy experts to evaluate your AI systems
- AI Resources: Expert-built operational templates and topics are available for effective AI deployment, along with how to incorporate best practices and standards including OECID AI, NIST AI, and PMAF.
With AI Governance features seamlessly integrated into existing products, TrustArc ensures privacy professionals are always a step ahead with best practices and regulatory updates.
The momentum of AI’s advancement shows no sign of slowing, and with it comes heightened responsibilities for privacy professionals. Algorithmic accountability and privacy safeguards are more crucial than ever. TrustArc stands ready to assist enterprises aiming to become both innovation leaders and brands renowned for their ethical approaches to AI.