HW10

“Rethinking Privacy For The AI Era”

Published Mar 27, 2019 by Insights Team at Forbes.com

https://tinyurl.com/forbesai6

Concerns over consumer privacy have peaked in recent years—roughly in step with the rise of

advanced technologies like artificial intelligence. About 9 in 10 American internet users say they

are concerned about the privacy and security of their personal information online, and 67% are

now advocating for strict national privacy laws, according to a study by by Intouch International.

Fed up by a steady stream of incidents that range from the 2017 Equifax hack to the nefarious

gaming of consumers’ social media data for political purposes, policymakers have begun to

strike back on consumers’ behalf.

Europe’s General Data Protection Regulation (GDPR), the sweeping privacy legislation that

went into effect in May 2018, was the first large-scale effort to offer consumers more legal

protections. The California Consumer Privacy Act, which grants new rights to citizens of the

state in January 2020, marks the first similar such step in the U.S. Similar laws are being pursued

in a handful of other states, and there’s early talk of national measures coming soon as well.

Such protections run up against a more complex conflict: With advanced technologies like

artificial intelligence (AI) taking off, the need for data is greater than ever, much of it from

consumers. So how does society, industry, and government balance this voracious need for data

with the protections that consumers are demanding? Can legal structures help to manage the

inherent conflict between AI and privacy? And what is privacy in 2019, anyway?

As the saying goes, it’s complicated.

A Moving Target

To Bernhard Debatin, an Ohio University professor and director of the Institute for Applied and

Professional Ethics, the first problem is that there has never been a clear—or enforceable—

definition of privacy, since it is such a complex, abstract concept.

“The notion of privacy has changed over time,” says Debatin. “In post-modern, information-

based societies, the issue of data protection and informational privacy has become central, but

other aspects [such as old-school, bodily privacy] still remain relevant. In other words, over time,

the concept of privacy has become increasingly complex.” That complexity has reached a tipping

point of sorts with the rise of AI. Consumers faced with an endless stream of lengthy user

agreements hastily click through to “accept” without ever realizing what privacy rights they may

be giving away.

The information they provide winds up in large databases, which have the potential to be mined

for any number of uses, including marketing opportunities, purchasing recommendations, or

other services. Facial recognition and voice identification systems, meanwhile, can also track our

movements in the real world; at home, smart appliances, motion-sensing lights, and thermostats

continuously collect data about when we come and go.

Many of these functions provide a helpful service—but the potential risks they carry are not

trivial. “Seemingly anonymized personal data can easily be de-anonymized by AI,” says

Debatin. “It also allows for tracking, monitoring, and profiling people as well as predicting

behaviors. Together with facial recognition technology, such AI systems can be used to cast a

wide network of surveillance. All these issues raise urgent concerns about privacy.”

Tackling The Problem With The Law

From a legislative standpoint, these trends have not gone unnoticed. The GDPR fired a first

volley at the problem. California’s forthcoming privacy law will soon at least give the U.S. a

major toehold on the issue, as it will apply to nearly 40 million Americans.

While privacy is a hard concept to define and safeguard, especially today, “there are some basic

principles that can help with protecting privacy,” says Debatin. “GDPR has in fact included

many of them.” Good privacy legislation in the age of AI, he says, should include five

components:

• AI systems must be transparent.

• An AI must have a “deeply rooted” right to the information it is collecting.

• Consumers must be able to opt out of the system.

• The data collected and the purpose of the AI must be limited by design.

• Data must be deleted upon consumer request.

“These steps make it possible to protect us from potential AI-based discrimination, lack of

consent, and data abuse,” Debatin says.

Getting the U.S. on par with these standards might be difficult. A federal bill called the Future of

Artificial Intelligence Act sought to take the first steps at protecting the privacy of individuals

against potential abuses from AI. Alas, that bill has seen little movement since it was introduced

in the Senate in 2017.

More recently, the U.S. Government Accountability Office (GAO) released a report expressing

concern about the lack of a comprehensive national internet privacy law, with particular concern

over “the collection, use, and sale or other disclosure of consumers’ personal information.”

The GAO report calls upon Congress to consider such legislation and to empower an agency like

the Federal Trade Commission (FTC) to punish privacy violators with civil penalties. While the

FTC currently has the power to fine companies that violate privacy rights, it only undertook such

actions 101 times from 2008 to 2018. Nearly all of these matters were settled with the FTC, with

only a handful of civil punishments issued. Self-Policing Of Privacy

Is it possible that the AI industry might be able to police itself when it comes to privacy? It’s a

tough sell, because companies have had little incentive thus far to build privacy protections into

their systems. Major privacy breaches in recent years have made for breathless headlines, but

ultimately very little fallout for the companies responsible.

One 2018 study measured the cost of a data breach at $3.86 million globally. Considering the

companies studied generated between $100 million and $25 billion in annual revenues, the cost

of a privacy misstep for large companies is negligible.

Still, privacy breaches can depress stock prices and cause companies to lose consumer trust.

Eventually, one has to assume, these problems will become serious enough to carry significant

business impact.

How might technology step in and help? Emerging technology concepts, such as differential

privacy and homomorphic encryption, suggest some potential paths forward. Differential privacy

systems introduce randomness into user data in order to prevent de-anonymization tactics from

succeeding, while homomorphic encryption adds a layer of security by allowing machine

learning algorithms to operate on data without decrypting it. These methods and others are

beginning early-stage trials.

What happens next will depend on who gets their act together first—government or private

industry. Constellation Research analyst Steve Wilson first called for businesses to implement

“Big Privacy”—a privacy compact between industry and consumers that would ensure

transparency in how data was used—back in 2014, noting that legislation was not keeping up

with technology.

Today, Wilson says that the concept is more critical than ever, and that the pace of innovation is

simply too fast for the law to follow. Yet he remains an optimist. He predicts that within five

years consumers will see some restraints coming to the industry, either through the law, AI itself,

or other means.

“People thought the world was going to be consumed by oil derricks in the 1920s, but we tamed

the rampant oil industry,” says Wilson. “I think we will soon tame the data barons, too.”