Privacy and AI #13

In this edition of Privacy and AI:

PRIVACY

? FTC prohibits telehealth firm Cerebral from using or disclosing sensitive data for advertising and requires it to pay $7 Million

? Report on Data Breaches 2023 (Dutch DPA)

? CNIL report on data breaches

? Incident Response Recommendations and Considerations for Cybersecurity Risk Management (NIST draft publication)

? Applying data minimisation to consumer requests (CPPA)

ARTIFICIAL INTELLIGENCE

? GenAI security guidance (2023)

? Meta to label AI-generated content

? The Business Case for AI Governance (The Economist, 2020)

? The potential of AI to automate government transactions (Turing Institute)

EVENTS

? Imagination in Action 2024

READING PILE

? ICO, Accuracy of training data and model outputs.

? Meta Llama 3 and Meta AI assistant

? Generative AI Models. Opportunities and Risks for Industry and Authorities

? EDPB, Opinion 08/2024 on Valid Consent in the Context of Consent or Pay Models Implemented by Large Online Platforms

? The Ethics of Advanced AI Assistants (Google DeepMind)

SUGGESTED BOOKS

? Deep Learning (MIT 2019)

PRIVACY

FTC prohibits telehealth firm Cerebral from using or disclosing sensitive data for advertising and requires it to pay $7 Million

Cerebral deceived users about its data sharing and security practices and misled consumers about its cancellation policies

What happened

- careless marketing: sending promotional postcards to 6000 patients including their names and information that might reveal their diagnosis

- former employees continue to get access to the systems after the termination of employment

- insecure access methods: the use of SSO accessing patient data sometimes exposed other patients' data

- non-implementation of policies and training

Proposed order

- payment USD 7m

- ban from using or disclosing patient data for marketing

- implementation of privacy and security program

- post a notice informing patients about this matter

- implementation of data retention schedule and data deletion

Link here

Report on Data Breaches 2023 (Dutch DPA)

The Autoriteit Persoonsgegevens (Dutch DPA) launched the 2023 Report on Data Breaches

Among the most salient aspects of the report:

? 69% of the organizations affected by a cyber attack estimated the risk to victims as too low

? The AP is concerned that the assessment made by organizations suffering a cyber attack downplays the risks: only 30% of the breaches reported originated in cyber attacks were qualified as high-risk

? According to the AP, data breaches caused by cyber attacks generally pose high risk to individuals and "must almost always be reported to the AP and to the victims"

? 25.694 data breaches were reported to the AP in 2023

? The healthcare sector reported the most data breaches in 2023 (ca 9000), followed by public administration (4300) and financial services (ca 2000)

? Nearly 20m persons were affected in total, and the largest cyber attack affected nearly 10m data subjects

Link here

CNIL report on data breaches

The CNIL compiled the information from data breaches reported from May 2018 to May 2023

Number of data breaches

- the CNIL received 17.483 data breach notifications

- over the years the number of notifications have been increasing

Sectors and industries

- the private sector is responsible for 2/3 of the notifications

- per activities, the public administration accounted 18%, scientific and technological activities 14,6%, health sector 11.8%, financial and insurance sector 10,9%, etc

Origin of the data breaches

- more than half of the notifications correspond to confidentiality breaches, in particular ransomware and phishing. The public sector is more affected by phishing, while the private by ransomware.

- lost or stolen equipment and non-intentional disclosure of data are also frequent

Geographic distribution

- notably the Paris area is where most of the notifications are origined

Timeline for notification

- on average, an organization takes 113 days to find a data breach, however, half of the data breaches are discovered within 10hs of the event

- half of the notifications were conducted within the 72hs period

- according to CNIL, the main reasons for the delay are: a lack of awareness regarding the reporting obligation and willingness to collect more elements and proper assessment to determine the breach

Link here

Incident Response Recommendations and Considerations for Cybersecurity Risk Management (NIST draft publication)

This publication seeks to help organizations incorporate cybersecurity incident response recommendations and considerations throughout their cybersecurity risk management activities.

It also provides a common language that all organizations can use to communicate internally and externally regarding their incident response plans and activities.

It adopts the CSF 2.0 Functions, Categories, and Subcategories as its new high level incident response model.

Incident response roles and responsibilities

? Incident handlers: collect and analyze data and evidence, prioritize incident response activities, and act appropriately to limit damage

? Leadership: oversees incident response, allocates funding, and may have decision-making authority on high-impact response actions

? Technology professionals: Cybersecurity, privacy, system, network, cloud, and other technology professionals

? Legal: review incident response plans, policies, and procedures to

ensure compliance with applicable laws and regulations, including the right to privacy. Legal may be also consulted if an incident may have ramifications

? Public relations: inform incident

? Physical security: for access to facilities if needed

? Asset owners: provide insights on response and recovery priorities for their assets

? Third parties: managed security service providers or CSPs

Incident Response policies, procedures and processes

In general, incident response policies include:

? Statement of management commitment

? Purpose and objectives

? Scope of the policy

? Definition of events, cybersecurity incidents, investigations, and related terms

? Roles, responsibilities, and authorities, such as which roles have the authority to confiscate, disconnect, or shut down technology assets

? Guidelines for prioritizing incidents, estimating their severity, initiating recovery processes, maintaining or restoring operations, and other key actions

? Performance measures

Link here

Applying data minimisation to consumer requests (CPPA)

The California Privacy Protection Agency's Enforcement Division issued an Enforcement Advisory: Applying Data Minimization to Consumer Requests.

Enforcement Advisories address selected provisions of the CCPA and its implementing regs and share observations from the Agency’s Enforcement Division to educate and encourage businesses to comply with the law.

This advisory addresses the principle that businesses shouldn’t collect, use, keep, or share more personal information than they need when processing consumers’ requests.

CCPA establishes that businesses must only collect consumers' PI if this is reasonably necessary and proportionate to the purposes or for another disclosed compatible purpose.

The implementing regs specify that to evaluate what is reasonable necessary and proportionate for the purposes, business should evaluate:

- the minimum PI necessary to achieve the purpose (eg for a purchase confirmation, email, order info, payment and delivery info are necessary)

- the possible negative impacts on consumers

- the existence of additional safeguards to mitigate impacts

Then it provides factual scenarios and relevant questions businesses can pose when addressing different situations: 1) responding to a request to opt-out of sale/sharing; 2) verification of a consumer's identity:

? What is the minimum amount of personal information necessary for our business to honour the request (to opt-out of sale/sharing or identity verification)?

? We already have certain personal information from this consumer. Do we need to ask for more personal information than we already have?

? What are the possible negative impacts if we collect additional personal information?

? Could we put in place additional safeguards to address the possible negative impacts?

On the other side of the Atlantic, this guidance can be found in the DSR guidance issued by the EDPB

Link here

ARTIFICIAL INTELLIGENCE

GenAI security guidance (2023)

Risk mitigation measures

Organizations:

- implement strong authentication mechanisms

- apply security patches nad updates

- stay informed of threats

- protect network

- train employees

- establish genAI use policies

- select training datasets carefully

- choose tools from security-focused vendors

Individuals

- verify content

- practice cyber security hygiene

- limit exposure to social engineering or business email compromise

- be careful with the information provided

Link here

Meta to label AI-generated content

Meta will begin labelling a wider range of video, audio and image content as “Made with AI” when they detect industry standard AI image indicators or when people disclose that they’re uploading AI-generated content.

In February, Meta announced that they’ve been working on common technical standards for identifying AI content, including video and audio.

The “Made with AI” labels on AI-generated video, audio and images will be based on the detection of industry-shared signals of AI images or people self-disclosing that they’re uploading AI-generated content.

Meta also said that if it determined that digitally-created or altered images, video or audio create a particularly high risk of materially deceiving the public on a matter of importance, Meta may add a more prominent label so people have more information and context.

Meta will start labeling AI-generated content in May 2024, and they’ll stop removing content solely on the basis of their manipulated video policy in July.

Link here

The Business Case for AI Governance (The Economist, 2020)

1. A smart investment in product development

- Firms that incorporate responsible AI practices throughout the product development lifecycle will build competitive advantage through enhanced product quality

2. Trailblazers attract and retain top talent

- Responsible AI can significantly benefit talent acquisition, retention and engagement, especially given employees’ growing scrutiny of their employer’s ethics, beliefs and practices

3. Safeguarding the promise of data

- Companies’ growing reliance on user data is emphasizing the need for better data management, security and privacy, which will in turn fuel growth in the AI industry

4. AI regulation: Preparing in advance

- AI regulation is imminent and firms should invest in readiness

5. Building revenue

- Responsible AI can improve a firm’s top- and bottom-line growth by increasing customer engagement, broadening revenue streams, offering procurement advantages in competitive bidding processes, and increasing pricing power in the marketplace

6. Powering up partnerships

- Responsible AI is poised to ride the wave of sustainable investing and will help firms strengthen relationships with stakeholders, including competitors, industry associations, academia and governments

7. Maintaining strong trust and branding

- Societal belief in the virtue of technology companies remains high, but heightened focus on the sector has increased the trust and branding risks associated with a lack of responsible AI

Link here

The potential of AI to automate government transactions (Turing Institute)

The Turing Institute estimated that:

? the UK Gov provides 377 citizen-facing services

? each year 956m transactions are conducted

? 143m are complex bureaucratic procedures involving exchanges of data and decision-making, and many of them can be considered highly automatable

? even if these constitutes nearly 15% of the total service transactions, the study shows that this subset of transactions are made up of tasks which are routine and internally time consuming to the public sector, and therefore can offer a large payoff if automated.

? Saving even one minute per transaction in the category of services considered highly automatable on average would save the equivalent of approximately 2 million working hours per year, or around 1,200 years of work, based on the amount of time worked per year in a standard UK full time job.

Link here

EVENTS

Imagination in Action 2024

This week I was fortunate to attend Imagination in Action 2024 at the 美国麻省理工学院

Imagination In Action is a global event series that is a platform for fostering tech innovation and sustainability.

Dozens of startups and AI leaders joined at MIT to exchange views and promote their products.

Yann Le Cunn provided an overview of the recently launched Llama 3 and the importance of open-sourcing LLMs.

AI startups

Most of the start-ups are working on GenAI, building apps on top of foundation models and in other cases fine-tuning them to develop specialised AI assistants.

They are very much aware of the importance of doing things right. The topics most frequently mentioned both during presentations and individual conversions I had with them were around:

• Responsible AI?
• Security?
• Privacy?

However, my initial impression is that while they acknowledge that these topics are important when I asked about "how you are implementing them" the responses are not at all satisfactory. In any case, having awareness of the importance of including ethical, security and privacy considerations in the product development process is a good starting point.

READING PILE

I'm initiating this section because every day I see news and interesting readings but I don't have the time or energy to summarise them or in some cases even to go through them. This is why I thought it may be a good idea to include this news here for those interested in exploring them.

ICO, Accuracy of training data and model outputs.

This is the third call for evidence organized by the ICO that focuses on how the accuracy principle applies to the outputs of generative AI models, and the impact that the accuracy of training data has on the output.

Link here

Meta Llama 3

Meta released and open sourced Llama 3. This release features pretrained and instruction-fine-tuned language models with 8B and 70B parameters that can support a broad range of use cases. According to Meta it it is the most capable openly available LLM to date. Link here

Meta also launched it's new assistant built with Llama 3: Meta AI (here). Meta rolled out Meta AI in English in USA, Australia, Canada, Ghana, Jamaica, Malawi, New Zealand, Nigeria, Pakistan, Singapore, South Africa, Uganda, Zambia and Zimbabwe.

Meta, Responsible approach (here)

Meta, Responsible use guide (here)

German Federal Office for Information Security, Generative AI Models. Opportunities and Risks for Industry and Authorities

Updated guidance on risks and mitigations in GenAI models (here)

EDPB, Opinion 08/2024 on Valid Consent in the Context of Consent or Pay Models Implemented by Large Online Platforms

Full text of the opinion here

The Ethics of Advanced AI Assistants (Google DeepMind)

Full text of the report here

SUGGESTED BOOKS

Deep Learning (MIT 2019)

This book is a superb resource for those approaching to AI from a non-technical background.

Prof. John D. Kelleher explains in clear language the fundamental concepts of ML and DL.

Chapter 1 provides an introduction to ML

Ch 2 digs deeper into critical concepts and foundations of DL, such as model, parameters, linearity, learning and combination of models

Ch 3 explains how neural networks work, activation functions, etc

Ch 4 the history of DL and how changes and research were done

I haven't read yet the following chapters but they are about

Ch 5 different types of neural networks (CNNs and RNNs)

Ch 6 learning functions, neuralnet training and some training algorithms like gradient descent and backpropagation

Finally, Ch 7 is forward-looking, considering the current research on AI and the future

This is a fundamental piece for those with not technical background to better understand these concepts and have (at least) a very basic understanding of how AI (DL chiefly) works.

I'd have loved this book had been written in 2023, and include explanations about transformers, attention mechanisms, and genAI. Really looking forward to a second edition of this book!

Transparency note: GenAI tools

1. Has any text been generated using AI? NO
2. Has any text been improved using AI? This might include an AI system like Grammarly offering suggestions to reorder sentences or words to increase a clarity score. NO
3. Has any text been suggested using AI? This might include asking ChatGPT for an outline, or having the next paragraph drafted based on previous text. NO
4. Has the text been corrected using AI and – if so – have suggestions for spelling and grammar been accepted or rejected based on human discretion? YES, Grammaly app was used to for typos and grammar
5. Has GenAI used in other way? YES, Google Translate was used to translate materials (eg. Dutch to English)

I made a first GenAI disclaimer in my previous Privacy and AI edition but from now on I will use this questionnaire that is an adapted version of this.

Unsubscription

You can unsubscribe from this newsletter at any time. Follow this link to know how to do it.

ABOUT ME

I'm a senior privacy and AI governance consultant currently working for White Label Consultancy. I previously worked for other data protection consulting companies.

I'm specialised in the legal and privacy challenges that AI poses to the rights of data subjects and how companies can comply with data protection regulations and use AI systems responsibly. This is also the topic of my PhD thesis.

I have an LL.M. (University of Manchester), and I'm a PhD (Bocconi University, Milano).

I'm the author of “Data Protection Law in Charts. A Visual Guide to the General Data Protection Regulation“ and "Privacy and AI". You can find the books here