Hi there everybody, welcome to our CPGE EDI webinar. I am thrilled today to introduce you to my dear friend and world renowned privacy expert, Ms. K Royal. I guess I could call you the honorable K Royal since you are a licensed attorney, but Kay has the entire alphabet soup of privacy qualifications and is a prolific privacy author. She has over 60 news articles, is a featured privacy tech columnist for The Association of Corporate Counsel. She also initiated the Association of Corporate Counsel's Women in the House programming supporting women in health counsel and the ACC elected K as their member of the Year in 2015, and the recognition of her extensive leadership. She is an executive board member for the Center of Law, Science and Innovation at Arizona State University as well as an adjunct professor of privacy law, and she's won just about every award you could possibly imagine for a pro bono service awards and for her outstanding work as an attorney and a privacy expert and I'm super excited to hear your presentation today K. Thank you. Welcome K
I'm wondering if this shows everyone how you supplement your income by taking prolific bribes. No, thank you so much for having me Darra was one of my absolute favorite law students back when I worked at the Arizona State University College of Law running the student life and the pro bono, and she actually impressed everyone on day one when one of the most famous and most argumentative professors did a sample socratic method to the entire entering class on the welcome day and Darra gave it back to him just as good as she got it and got the attention of everyone: the professors to staff, everyone standing up. So, love being here, but okay this isn't the K and Darra loves each other show. So let's jump in, I'm going to share my screen and this is absolutely an open
conversation so if anyone has any questions please please do not hesitate to ask any questions that you might have. Jump in, interrupt us, chat, whatever. Darra please feel free to do the same. I have no intention of killing everyone with death by PowerPoint whatsoever. Okay, so today she introduced me, but my email addresses are on the presentation as well. That way you can make sure you can get hold of me if you have any questions whatsoever.
I also co host a podcast is very popular actually in privacy. Today we released an emergency session on standard contractual clauses out of the EU so love it when things are published within 24 hours it means I do minimal editing work. So, let's give everyone kind of a basics in what privacy is. And if anyone, if everyone wants to speak up and raise their hand and say yes we already fully understand privacy, then we can skip kind of doing a grounding in it.
Otherwise I'll give you a little bit of an oversight and hopefully this will put it in perspective as to why does privacy matter. It's actually the hottest growing field both in and out of law right now and it's my understanding, I'm speaking to librarians, students, although that's not what you call them. Data custodians. We have library students and information science students. Information professionals and sort of the big term for our field. So this should really absolutely help.
So you may hear the term personal data, personally identifiable information, personal information. So, PI, PII. What does it all mean? Well when you kind of look at it overall all of it is kind of putting it into one category although they actually do have different nuances, but essentially it means information that's linked to a person. And there is absolutely nothing in the definition that says it has to be personal, personal information it can be business personal information, it can also be publicly available, personal information. There's nothing that says it's confidential. So a lot of times when I talk to sales people at companies they'll say well we don't have personal information so we don't need to do all this.
Well, who do you talk to? Who do you call? Who do you email? Who signs the contract? All of that is personal information, and it doesn't matter if you have the person's name. That is a critical thing to understand. You don't have to have the person's name in order for it to be personal information. It merely has to be information that relates to or is capable of being related to an identified or potentially identifiable person, and I'll give you a wonderful example, very common way of the identifying photos people. Y'all tell me if you can tell who this is. Personal information, even if it is commonly dei dentified.
And this actually matters when it comes to things like HIPAA when they're like, I'm taking pictures of patients and hospitals, but you can't identify who it is so it's not really protected under HIPAA. Well, is it a unique injury. Are you at a hospital where you only take certain types of cases? Is there an identifying mark on the individual such as a tattoo or particular mole or birthmark or something like that. If you can identify and narrow down who that person is with information that is available to you then it's personal information and nowadays information that is available to people come from all over the place. You don't have to just look at the databases within your own company, there's information freely available online or from other companies. So that really impacts it. Now, this is the law and I promise not to kill you with the legal stuff, but you kind of need to understand that in the United States, the word privacy is not in our Constitution.
And people think it is, but it's not. It was not until the Griswold case in 1965, I believe, where they established officially that the penumbra of the Bill of Rights, specifically the first and the third and the fourth and the fifth and the ninth and the 14th amendments actually do mean your private, so you're not being forced to quarter soldiers, therefore you have privacy of your home. And thank you, Darra just completely keeping us updated with notes I love it. So these emanations of privacy. Thank you Darra, that are in the penumbra has actually give us a constitutional right to privacy. However there are 11 state constitutions that include privacy
in the constitution, California is one of them. Although California is was voted into the Constitution, Arizona has it and it was actually in the constitution when Arizona became a state. It was put in there deliberately. There's also federal laws. The Electronic Communications Privacy Act, Video Privacy Protection Act, I love to throw out here especially the video privacy one. That's an example of privacy laws coming to fruition because of something happening in the world. And quite often laws are passed in reaction to something that's public outrage and the video Privacy Protection Act came because the video rental information was released or breached, and it included the video rental list of some of the US Congress people.
Therefore, it became a law that you have to protect the information. So, but one of the other things is to pay attention to you'll hear a lot from the Federal Trade Commission . They're an agency in the US, that you would not think is actually protecting privacy, but there is section five, which prohibits unfair defective or unfair or deceptive acts in trade. And so what they particularly look at are the privacy notices online for companies and if companies say they do something and they don't, or they say they don't do something and they do, then it can become a deceptive trade practice, and it used to be that privacy notices were very wordy, very flowery. Attorneys
would get involved and say we protect your data to the highest protection imaginable. Well as you can imagine that not true, because all security can be broken. And so now you need to make sure that your privacy notices are merely factual, and one of the interesting things is under the new California Consumer Privacy Act and the soon to be in 23 California Consumer Privacy Rights Act is companies have to disclose whether or not they sell or share your data. Now sell is very broad. It does not mean selling your data for money. It can mean exchanging your data for something of value, and a lot of companies say well we don't sell the data so we're not going to put it on there.
They have to put in their privacy notice whether they do sell the data or whether they don't sell the data, and if they do who do they sell it to giving the very broad definition of exchange of value not necessarily money. And as you can imagine if they get it wrong. The FTC can come after them for deceptive trade practices. So it's very interesting conundrum going into. There's also tort law I don't get into it, but people can sue for invasion of privacy intrusions, highly offensive, there's all kinds of things privacy's related to.
Then of course the main federal acts here in the US. HIPAA, which is the Health Insurance Portability and Accountability Act, FERPA for education, GOBA for finance, and then the Privacy Act of 1974 for government data for public sector. One of the interesting things to realize is the very first privacy law in the United States or not even in the United States, in the world is recognized as being 1970, I believe, and it was in a province of Germany, and the first country law was the one in Switzerland, but it was at the same time that the US started passing privacy laws. And so they say the US doesn't have good privacy laws because we're unlike the rest of the world and that's not true. There was actually just an Italian case that came down about a doctor who published an article about a patient, and it was in a medical journal and the Italian enforcement agency had to come down because you didn't get the patient's permission to do it. He didn't identify the information. Europe is all up in arms because you know this Enforcement Act. Didn't the doctor violate privacy and here in the US, there would be no question.
So, matter of fact, if the doctor tried to publish it in a journal here in the US, the journal probably would have de identified it for him, and would have asked for a signed permission from the patient to use it so it's interesting to see how the US privacy law definitely butts up against global privacy law. So let's move on just a little bit we've talked about this little bit. GDPR is Europe is the General Data Protection Regulation,. It is actually driving privacy laws worldwide. Brazil actually modeled there's after the European Union's GDPR and now that the UK has exited the European Union, the UK has their own version of the GDPR. Canada has privacy laws although people like to say they have no teeth, because they don't do a whole lot of enforcement they actually have a proposed privacy law now that they're looking at doing a whole lot more sanctions and violations and having appeals and being a lot more formal. And here in the United States, Virginia actually passed a law, just this past legislative season that's modeled after the GDPR even use the terms controller, processor.
So with all that. Let's start diving into what are the specific pillars of privacy? What do you need to do and we're again we're the aim of this is to get to the artificial intelligence and the social justice and how this works. So if I go too fast, please don't hesitate to tell me to slow down apparently I'm one of the fastest talking Southern people most people I've ever met.
So, just feel free to say whoa stop explain that a little bit and we're good. Darra jump in if you got questions. So, under the privacy pillars and these are pretty standard things that happen under all privacy laws. So you might not be able to comply or know all the privacy laws in the world, much or the ones in the US, but at least you can understand the general principles of them. So transparency and
notice means exactly what it says, tell people what you're doing with their data. Now, my children who are much older than I would like to admit they are right now used to ask why do we write privacy notices if we know people don't read them. Raise your hand. I don't even have to see you raise your hand if you read the privacy
notices of all the websites you go to, or the privacy notices of all the apps you download. And if you reject certain permissions and the app you download. Do you have your phone set for automatic updates of those apps because typically they go from anywhere from 12 permissions you give them when you initially install them to an average of about 120 on updates. So even though you might have said no to permissions if you're set to automatic updates and you probably have it anyway. So transparency and notice, why do we tell people, because it's the only way we have of telling people. I mean I'm sorry absorb that very simple statement, the only way we have giving notice and telling people is to give notice and tell people.
So it's a broken system, but it's one of the only options we have. Consent is very touchy. You have to give people full information in order to get consent from them and if you're going to gain consent for something then you also have to make it equally as easy to withdraw consent, and giving consent can be something as easy as checking a box online, but yet when you want to go back and opt out or you want to withdraw your consent it's usually write us at this email address and make it a, you know, I don't know federal tracked package that requires a signature and include three copies. It's not easy usually. And so you have to make it easy individual rights, we've always had rights under HIPAA. Ever since it was passed, lot of laws now we're starting to include them and one of the biggest ones we're starting to see is the right for deletion and so you can generally request that your data be deleted. And this is very important
both to archivist and to data analysts is can you delete data if it's going to break the database? No, there are exceptions under deletion including if the law requires you to keep the data you can tell them no we're not going to delete the data. So a lot of things there. Privacy officers having someone that knows privacy, whether it's an attorney or a non attorney. I've been in both
roles I'm a licensed attorney, but I'm in non attorney roles as well. Make sure someone actually understands privacy. Vendor oversight make sure if you're going to outsource either your customer data that you process or your own data that you have oversight over your vendors laws are starting to require specific contracts in place with very specific language and if you've got you know five different laws with five different contractual requirements and you're going to have five different amendments on your contract. So why is it hard to get a contract in place with a customer or an entity or an outsource because all the laws that are in place, so you know darn all those attorneys.
Data purpose collection limitation means only collect data for the reason you need to collect data for and it also means don't use it for any other purposes. A very common example of secondary use of data is data that companies collect and then as they do software improvements they test the data on the data they have or they test the software on the data they have. Well the data they have was not collected for purposes of testing software. If they collect the data in order to mail a widget to someone. Well, that's why they
collected the data. So purpose limitation would say you can't then use it to test new software, unless the second purpose is very closely related to that of the first and who in their right mind would think testing software is closely related to shipping a widget. So you might be able to explain it you might be able to make those connections, but you shouldn't have to so what do you need to do, you need to disclose in your notice that you're going to test it on your software on their data whenever you have software improvements and nobody reads to notices anyway so there you go now you have your permission. Data integrity is just making sure data can't be changed as it goes. You keep data logs you make sure it's protected during transmission and storage. Cross border
transfers and international requirements is getting data from other countries and it doesn't even have to physically move. If there is a server in Germany and you're in the US and you access that server even if you don't download the data, you don't store it all you do is look at it, that is a cross border transfer of data because looking at it is considered processing. Processing is anything you do today to including deleting it or an anonymizing it that's processing it, and then security, you've got to have security with privacy you gotta have privacy with security. No security is infallible it's going to break and when it does what's going to get you in trouble is going to be whether or not you abided by the privacy requirements.
Do you have more data than you should, is it not protected, is it not redacted, is it not anonymized, that's where you get in trouble and think of all the data breaches that you've heard of over the years. And you hear the CEO being fired, you hear of the chief information security officer being fired. You don't actually hear the Privacy Officer being fired this because most of the time they ignore us anyway, because nobody wants to hear about privacy. It's kind of like insurance nobody wants it, it's a necessary evil, but it's there it is there for our protection you just need to be aware of how it impacts you.
And one of the biggest things before we jump into AI then is there is a difference between a privacy breach, and a security breach. A privacy breach could be impacting the data and it doesn't have to be electronic if you miss send an email if you lose a briefcase with patient records, those are all privacy breaches. Security breaches actually breaching the information security, but it might not ever touch personal data. If you don't have personal data in that system that was breached, probably not a privacy breach, but it would be a security breach. When you have them both. That's when you hear about all the millions of records that are
jeopardized and all those free credit checks you've got for the next 20 years or something. Okay, so let's talk about artificial intelligence and machine learning. Now in here, what is AI. So artificial intelligence or machine learning is a machine that displays intelligent behavior. It can reason, it can learn it can process sensory perceptions. It involves tasks that historically been done by people but can now be done faster, better, and can actually learn things from what it actually processes, and there are two types, there are narrow AI, and then there's artificial general intelligence, and they mean exactly what they sound like. The narrow is limited to a very specific application,
and the general is general applications that it would have. The problem is, it happens within a black box, and you can't explain it. So if under the privacy laws people have the right to ask you questions about how you process their data, or how you came to a specific conclusion, or what exactly you're doing to their data. You can't answer it if it's AI, because you don't know. It happens outside our comprehension, we don't know exactly what machines are doing. And so that is a very very touchy area when it comes to privacy and it comes to individual rights. The other thing that's touchy is watching. Darra is a blockchain expert and block chain is considered one of the most secure ways of processing data however you can't change it. So how do you do individual rights,
deletion, amendments, corrections if you can't actually change the data because it's immutable. So technology is both our friend and our enemy. It gives us the ability to do certain things, to innovate, to achieve amazing things in the world, but it also offers complications when it comes to very basic privacy protections. And it's no surprise that the first privacy laws were passed in 1970 there were some earlier ones in some very specific areas right before that, but it's because the first mass marketed computer was sold in the 1960s.
And so now all of a sudden, it was different for how you process data, how you compute, how you share data, how data is stored. And that started the whole thing about privacy protections and that was only a little over 50 years ago. So it's something that we're just now starting to get into. So what are some of the ethical issues in AI. Well some of the general ethical issues that people have: unemployment. So this is something we've always wondered when there's machines. What happens after the jobs in,
When they're done processing with they're going to process, or when they take away jobs from people. Now that worries been around for a long time and it hasn't really materialized as machines replace people in jobs, more jobs for people open up dealing with machines. Data analysts is a perfect example of that. Inequality. How do you distribute the wealth created by machines.
Humanity. How do machines affect our behavior and our interactions and I'll show you a whole bunch of good examples of these. Artificial stupidity. How do we guard against mistakes, and that's where a lot of the social justice issues come in is the mistakes that are being made. The common word or phrase is garbage in, garbage out. But what if it's not garbage, that's going in. And that's one of the social justice issues is the facts that are actually going into the artificial intelligence, they're real facts, it's not garbage.
The problem is the societal norms that created those facts. And one of the examples can be it is an absolute fact that there are more African Americans in prison, then there are Caucasians. That's the fact. The backup to that is, why are there more African Americans in prison than there are Caucasians. And that comes down to a whole lot of other social justice issues that we have to deal with and we need to fix as a society. But unfortunately, those are the factors that go into the AI.
And so if you've got AI watching excuse me I have four dogs, and apparently they decided they wanted to be part of the presentation. Sorry. So if you're looking at security in a mall or in a store and there used to be those that were open and people would go to malls and they walk around and they do things, and the AI running would tell them they need to watch the African Americans in the store closer than they watch the Caucasians because African Americans are more likely to break the laws. Not true. Just happens to be our societal injustices coming through with the data that goes into the biases that go into AI. And so that's where we really need to see people that carry this justice with them. We need more minorities working in the programming and in the AI and
in the technology to make sure that we're aware of the biases that go in, because once you train AI according to the biases you can't really untrained it so that question about how do we fix artificial stupidity. So that's one of the social justice issues. How do we keep, keep, AI safe from adversaries, that's very hard. Some of the most corrupt countries in the world. And I say corrupt because that's the, that's the gauge they're on is there's publications about they look at the level of corruption in certain countries. And some of them, part of what they figure is in corruption is because they see security protections own competitors or other entities systems as a challenge, and they want to beat it.
And that's one of the legal things that we take into account when we're doing law in China is if we have a law firm in China, we just have to understand that that data will be breached, because that's a cost of doing business in China is they, they love it they like doing it. It's a way of life there and so it's just one of the things you take into account of doing business and that's one of the first things to Chinese law firms will tell you when you hire them. It's just know that your data is going to be breached by using us because that's how we work here in China. And so, how do you protect against unintended consequences.
You have to make sure that you're aware of the biases in the data that's going into the AI. How do you stay in control of a complex intelligent system that is very difficult, and I'm looking for the experts that can fix that one. And then how do you define the humane treatment of AI, which is an interesting question of robot rights, I have to admit that's not one I get into very much. Any questions on this part so far. Darra does this spark any questions with you?
All the questions. Okay. Well that was a good grounding, that was the grounding and what the conversation is going to be so okay 28 minutes that wasn't bad. I'm really looking forward to hearing you talk about how privacy interfaces with all of this and specifically from that social justice perspective. Then I am going to go straight into, you know what let's go to the next slide. First, just to give you a little peek about how the world is treating AI, and some of the laws that they have. So there are countries that have discussed restrictions on the
use of lethal autonomous weapons. That is a very controversial use of AI. Regions that have permissive laws in place for autonomous vehicles, and how those are used. And then I want to make sure that we talk about biometrics before we actually jump into the AI. So, I love this last one here that is the face if you look at it sideways, it says wire.
And so this is one of the, the very easy ways to understand the biometrics may not always be what you think they are. So, love that and there are biometric laws, some of them are private companies only. Some of them also govern public information are public entities and one of the biggest controversies is law enforcement use of facial recognition. And so, Illinois has BIPA, the Biometric Information Protection Act.
Washington also has a biometrics law, Texas has a biometric law, some of the new states that are incorporating privacy laws include biometrics in the definition of personal information. So it is protected from that, but typically limited to biometrics use to identify a person, the controversies with the law enforcement use of biometrics, and this is AI is recognizing people. We talked about the biases that go into it. If AI was trained using the available student population and the available student population when that was created was overwhelmingly one gender versus another, one race versus another then your AI is going to be trained on certain things and so you can mis-identify people, you can focus on the wrong people and when police are using this in real time to identify perpetrators at a scene, then that's something you need to be careful of and we have some great news stories around there so let me move over this. One of my professors that I work with,
he and I teach the course on privacy biometrics and privacy big data and emerging technology. And we actually did a presentation on AI, just to give you some history here I'm not going to give you all of this and I did send this so it can be shared with y'all as well. So AI really started right in, right before the 1960s, but the boom has been this past decade or so where you've really seen it coming and going. This is a PDF.
Let's go down to these examples so here we go. How do you vote 50 million Google Images give a clue. So what is this show on your screen I just want to verify that it moved it to the right screen. Yes. Okay. Perfect. Thank you very much. I want to make sure, yes. Okay, perfect. So this, what vehicle is most strongly associated with Republican voting districts, and it's extended tab pickup trucks for Democrats, it is sedans. All of this came from AI. Your Roomba may be mapping your home and collecting data that could be shared.
So I just got a Roomba, but in the past few months before then I refuse to do so because that's what it does it maps your house, and that data can be breached and accessed. When AI can't replace the worker it watches them instead and so cameras watch the stations of workers and see if they can meet their quotas. Can they violate your privacy everything from speakers to water meters are sending information to the cloud.
There's a murder trial was testing the boundaries of privacy and home. Amazon Echo, Alexa, Google Home, all of those are used to actually capture transcripts. People can call the cops using it even if they don't intend to do so, and randomly I will walk through my house and just say my husband's name is Tim just say stop Tim, stop Tim, don't break my leg. Oh, I'm bleeding you hurt me. You're killing me. He's like, shouldn't you be saying this with more emotion. No, they just pay attention to the transcripts not the actual audio recordings. And yes, they have used them in trials.
So that is it. Alexa call the police was another one, they AI that can sense movement through laws. So when police are looking at assessing houses and whether or not people are there you can actually use AI for this as well. It is helpful in good ways as well, don't get me wrong here AI is very very positive. But for as many positive uses there are negative uses. And until we can offset
the outcomes of the negative uses. I mean we have to be fair, as a society, hackers are real obstacles for self driving vehicles a lot of information that comes from there and they can hack them by the way yes they can hack embedded medical devices so your heart defibrillators your insulin pumps things like that can be hacked and changed. AI also works in a lot of cases such as shopping so there's an age old story that people who own Macs would be shown hotel prices and car prices a lot higher than people who own PCs, because AI told them that people who own Macs had more money to spend. Google's project Nightingale got the personal health information on millions of Americans and used it. Cameras with AI brains, and we'll talk about how that goes into deep fakes, so they can mine data very much more specific than what you can capture own just software capturing data is the AI can actually take information from that. Your bosses can read all of the company, emails, AI can actually identify people who are potential whistleblowers based on language they use and it doesn't have to be language that says, I'm going to blow the whistle on this or I'm going to report them to a regulator, it can pick it up, many many conversations before that, just based on the wording that they use and the types of emails that they send.
You can identify tweets sent under the influence of alcohol so AI has learned what is a tweet look like, what kind of words are there, what kind of syntax do you use if you're drunk tweeting. Facial recognition what we were talking about before, these are just some of the ways. Some of the points on the face that it pays attention to, and how it does facial biometrics. Class action file lawsuit against clear view AI startup.
And this was in Illinois under the Illinois Act I was talking to you about and about how they use facial recognition and whether or not they got people's permission to use their faces for their facial recognition algorithms. Biased algorithm led to the arrest of an innocent person for a crime he did not commit. So this was in Michigan, and the facial recognition based on the AI and the programming identified the wrong person. So when you talk about social justice issues that's about as unjust as it gets. Can it predict your personality type by watching your eyes, it can based on the information in.
It can also tell your political affiliation, and then that connects to targeted behavioral advertising and they can specifically target individual people in the news stories that those people are fed through their social media or through their newsfeed that would either discourage or encourage them to go vote. If your news stories are showing you on your social media or your newsfeed on your device, your laptop or your phone, that the polling lines are backed up for three miles and people are miserable and people are passing out from the heat are you going to actually go physically check to see if that's true or are you going to choose not to go to the polls and vote. That actually does happen. I may be paranoid, but paranoid doesn't mean you're wrong. How China's using AI to fight the coronavirus of very interesting ways that they implemented that. Very successful processes in most cases, their high tech police they use facial recognition and a lot of AI and a lot of the activities that they engage in. Emotion recognition algorithms computers know what you're thinking.
Children's emotions as they learn. So can you watch children actively learning and use AI, and whether or not they're paying attention whether or not they're engaged. Boost lip reading accuracy. Predict your own, that was another personality one. Detects deception may soon spot liars in real courtroom trials now take that to the next step.
If you're using AI to detect whether or not a witness is lying. That means you're using real time AI in a courtroom. What if your court is wrong, what if your AI is wrong. What if they're not lying. Is this information they're going to give to the jury? Is this information they're going to give to the judge if it's not a jury trial? Is this information shared to both prosecution and defense or both sides of a civil trial.
And different issues like that and yeah Darra I think you just brought up I think that was you that just said that. So this one about children learning and reading. How does that work with neuro diverse children. So, again, it's not necessarily garbage in, it's just limited data in unless they're actually including neuro diverse children in these processes for the AI in equal levels of how they're using non neuro diverse children. Then you're going to come out with the wrong conclusions because they're not using a full data set.
This one, your mind, you're the mind reading AI can see what you're thinking, and it can draw a picture of it pretty fascinating, but does everyone's minds work the same I don't know even know what they would use to do that. Surveillance cameras to use computer eyes to find pre crimes. Now how many of us have seen the movie with Tom Cruise about the predicting murderers and crimes that happened in preventing it from that.
Right. So that's another issue that we've got with the, with the AI and the predictions. Is there still always a human element there always still a human element. Brain machine interfaces forged authenticity so now we're getting into the deep fakes and deep fakes are huge. I can't see a show of hands out there, but think about deep fakes and how many of you have had experiences, either watching the fakes or even doing some of it yourself. There's very popular apps where you can replace your face. In a video clip with a famous movie clip or something like that.
And can you imagine what this, the implications of this would be in courtrooms. So if a video was introduced as evidence in a courtroom. Do we have the right judicial measures in place to stop false information from being introduced as evidence. There's evidentiary procedures to where you can challenge the authenticity of certain things with this AI on deep fakes is pretty, pretty big.
And it's pretty significant. And you are allowed to produce a copy of something if the original is not available, I believe you can assess the original to see if there is a deep fake. Some very very smart people can go into the programming and assess it. But if it's a copy of it because the original isn't available, can you tell that the copy is a deep fake. Can you prove it.
And if you can't prove it. Do you have to let it in or can you eliminate that from being evidence in a trial. Very, very controversial news, and then the rest of these are just good things. I'll stop here on these AI powered cameras become a new tool against mass shootings. So, yes, AI was one of the things that they used in the Boston Marathon bombing, is they were able to identify people in the, in the crowd that was there and who was around and matched it also with witness reports and security sightings and different things like that, but it was very helpful in that. Also helpful in
the school shootings that we've been having lately. And so don't get me wrong, AI is very very powerful, very much, able to be used as a, as a powerful tool. And I will stop the presentation there. Let me stop sharing my screen and then Darra let's talk about some of the questions that you got with this really really brief, but impactful insight into privacy and AI.
Well first I want to welcome all the questions from our attendees, because you and I can talk anytime about my questions so. Absolutely well you had you posted one yet for the archive is out there are we going to have to evaluate AI generated records for authenticity before they come into your collections and how will you do that. That's a question for you? How will you do that, if you're the keepers of history, how do you know that the history is right. Well, and of course we've had as the archival students can say we've had forgeries that's where our whole field came from is looking for forgeries, but you know and it's going to be a problem I think for libraries too and I think it's going to be a bigger piece of the whole dismiss information problem that is so important to the information profession and then for the data, data analytics folks here, you know, how are y'all going to be able to make sure that the data that you're doing your work on is good. Right. And and again I get it. With the archivist,
and maybe y'all can educate me on this. It's not just written paper like you would think of for a library and y'all are talking all the information and how to archive that. And as part of your job is proving it's correct. Does this mean you're getting training in AI and deep fakes and technology. Seems to be where we're moving, but yeah so I will leave it to our wonderful attendees now if they have any questions, feel free to either raise your hand or to talk or to type your question into the chat. Yeah, please do until I see some questions coming through, I'll just continue talking about some of the ethical issues.
So, on the podcast we had a woman on there one time that is a privacy engineer. And she was explaining how it's becoming more common to make sure that engineers are actually trained in not only privacy and understanding what personal data is, but in also understanding how does that feed into the technology and what you need to be on the watch for. And so we've talked about the, the underlying data that used to program AI, and how if you don't have the right data you can come out with the wrong conclusions. There's also intellectual property issues with that. If you think of different companies hiring the same AI company to let's say just do contract review.
That's a good example. If Company A uses it for you know 20,000 contracts and trains it and then they're able to sell it to Company B, Company YY, Company 1000, who benefiting from the AI of that first company who actually owns the intellectual property for that. And there was a company that was just determined to have violated the IP of another. And all of their patents invalidated which means all the work they were doing invalidated which means that all the AI that they had that was training their product development. Where does that go what happens to that. If, if the patent was actually owned by the first company and has to go back to them. Did they get all the AI training that came from the companies that they sold it to. So there's a lot of ethical issues when it comes to that the social justice one seems to be the ones that are top of mind for most people, and making sure there are some efforts out there and making sure that one that there are what they're calling inclusive programming.
So that is a movement now is inclusive it by design, into the technology, making sure that people of all different types are involved in the programming and in the technology. And this doesn't just mean ethnicity and genders, it means neuro diverse, it means people with disabilities, it means people from various locations in the US that don't speak the same as the others. It means people have different heights. And if you don't have that kind of diversity and inclusivity and equality in the programming. You're going to come out with bias data and implicit bias is a big focus in a lot of fields nowadays and looking at that and let's see we got one. Okay great.
Librarians are often in the position of negotiating vendor agreements and contracts without having recourse to legal counsel. Oh my goodness didn't realize that. What is happening in the field to empower librarians to navigate this or is this an unmet need. I'm going to say from my legal perspective is an unmet need Darra you're much much closer to this being an archivist and the lawyer. I'm not technically a lawyer anymore and ethically I have to point out that I let my license lapse when I moved to Canada. Okay, in our state you're still a lawyer, you're just not a licensed attorney.
Okay. But yes, no, it's absolutely an unmet need and I think for the privacy perspective, we've really lost control of the ecosystem in the libraries, and so, And I guess that's a good question K, is to build on Holly's excellent question. Holly's one of my students. We don't control the ecosystem anymore to a large degree so how do we meet our privacy obligations in an ecosystem where we only control part of it. And that is a growing concern in a lot of fields, because, as I talked to people about privacy and you know you bring up privacy and people like that again. But it touches everything.
If privacy is dealing with personal data. It touches, everything. Doesn't matter what field you're in it doesn't matter if you want to be hiding in the basement typing in things all day long, no matter what your end if you just want to be a transactional person doesn't matter. You're going to touch personal data somehow, some way so how do you educate people in the different fields about how to use personal data and I'll give you a great example of some of the differences.
So, if I was to tell you to tell me if something was public data, confidential data, or sensitive data, where would you put membership in a trade union, such as due to the librarians have a National Librarians Association. We have the American Library Association, perfect. So where would you put take out the American because we don't want to specify a country, but let's say it's the global librarians Association, would you consider membership of that to be public, confidential, or highly sensitive.
Oh it is so contextual only because you understand it. Everyone else, listen to that. And what we would probably say is public, because here in the United States, you could go pay $5,000 and you could get a list of pretty much every trade union out there right, American Medical Association, the Bar Associations, even our voter registration roles, which really irritates the Europeans. In Australia, that's considered highly sensitive information membership in a trade union is high or professional association they don't even say trade union because that could have specific interpretations, but membership in a professional association is considered highly sensitive. What about bank account information your routing number and your account information, would we say that is public, private, highly sensitive. We'd here in the USA that's highly sensitive right? It's not in Europe, and it's not in most countries that define what sensitive data is, it's not even, it's not even hitting the boundaries their finances know where in there definition of sensitive data.
Do you have to protect it. Yes. Is it sensitive data, no. One of the biggest ones dichotomies that I just mentioned was political. So in most countries with privacy laws political opinions and beliefs are considered highly sensitive data, their special categories, they must be protected to the highest degree and here in the US.
Good Lord you can you can go buy a voter registration pole. Or you can have AI figure it out based on what kind of car you drive and trust me there are political groups out there who do buy that data and they do use it. So one of the last ones I'll give you is personality.
Now I love this I happen to specialize in definitions of sensitive data. In Israel personality is considered sensitive personal information. So I'm all kinds of sensitive here clearly. And so in order to understand to fully put into context the AI, the technology, the programming, the underlying data, the social issues, it might cause you actually have to understand what is personal data and then what is special or sensitive categories of personal data. And how do you get that kind of understanding out to the people that are creating this technology, reading the contracts to buy the technology, determining whether or not the output is accurate or authentic, you start getting into some very complicated problems that are not easy for people to solve. and it can't just be one field solving it. If people are relying on the lawyers to solve this, it ain't going to happen. It really does take everyone who has a part to play in this from the beginning of creating the data sets and making sure that they're all inclusive to how you use the data. There are cities who have decided that their police departments are not allowed
to use a real time facial recognition, they can use it in review, such as if they're reviewing all the people that were at a crime scene afterwards and looking at the video they can use facial recognition for that, but they're not allowed to use it in real time. Because the potential for harm to an innocent person is very big, very large. So unless we're able to get the people from the very beginning of the system to all the way to the end. How do we address this problem it's not easy. It's not easy and all of you absolutely have a role to play in that I'm including the question on how do you read the contracts for it because y'all aren't trained in law. You're not trained and most lawyers aren't trained in privacy let's be clear here this is a this is a very very small field, although when the GDPR in Europe.
Went in effect three years ago it was past five years ago, went into effect three years ago. The IAPP International Association of privacy professionals predicted that the world would need about 75,000 more privacy people now I've been privacy a long time. And they predicted the world would need about 75,000, when they went back. I think two years after the GDPR was passed, there were over 500,000 data protection officers registered with the data protection authorities in Europe. Now that doesn't mean all the people working in privacy, it means the data protection officers which are like your chief privacy officers. 500,000.
That's a lot. And those are lawyers, those are non lawyers, those are people from every walk of life that in their company was decided to be the person that knows how to govern the data. It could be a data analyst, it could be an archivist.
It could be about whoever is in charge of the data. So is this a field for our students. This is lit a fire under anyone they found a passion for privacy, the privacy bug bit them and they became passionate about it yes this is actually as I mentioned earlier, and I'm not joking.
This is the hottest growing field, both in and out of law, but you do need to make sure that you have the right skill set to fit well into privacy there's a lot of people that they're in privacy, they have the jobs and privacy, they're not good at it. And the reason they're not good at it is they're focusing either strictly on exactly what they're doing and so they're very inflexible, or they don't understand all the ways that privacy touches our lives and what it does. In other words, if you can't see that AI is problematic from the data that comes in it and before that the social justice issues that impact the data that impact that goes into AI to the outcomes and the deep fakes and the authenticity. If you can't see that whole roadmap and understand what the very very broad mind that this is a problem, then yeah you're probably not going to do good in privacy. Do you have to be all knowing and have a law degree No. As a matter of fact,
a lot of lawyers don't work well as privacy people because privacy is is kind of questionable now for me to say it's all shades of grey, but there's very, very few hard lines in privacy. Unlike other areas of law where you can move a comma and change the meaning of a sentence, you know 15 different ways in privacy, all of those meanings could still be right. Doesn't make one wrong versus another you can take out an entire paragraph, explaining privacy law replace it with something completely opposite and they would both still be right.
So you've got to have that flexibility of thinking and be willing to be creative, but then also know where to put your foot down and go No, sorry that one is a big hard black bar laying across your way and you ain't passing. There we do have a few of those. So we got about four minutes left with K. Does anyone have any burning questions that they want to get off their chest, well you have the chance, absolutely happy to hear from anyone. And you're absolutely welcome to contact me after with questions if you didn't catch my email address Darra knows how to reach me, trust me.
And in privacy I definitely believe in the transparency part. So you can find me easily on social media, just make sure you spell my first name with one letter K there's not a dot after the K there's no y. I'm as easy to find me. Thank you for doing that Darra just shared that if you're interested in working on these issues, check out the Library Freedom Project is open to students.
Oh, thank you for that suggestion Holly love that so please do check that out, feel free to reach out to me find us. If you want to know about privacy, you're also welcome like I said to go listen to the podcast. This season we shortened it to an average of about 30 to 35 minutes because people told us that 50, five zero minutes was too long to walk their dogs or exercise, but the one that was released today on the new standard contractual clauses out of Europe that are hot off the presses, and it's almost an hour.
Sorry. But absolutely, you can go back through the things we actually talked about social justice and AI in some of the episodes so please feel free. I'm not just being selfish and plugging here. It's just good information if you're looking for a quick resource on how to understand what it is if you have a question that's an easy way of doing it. We don't talk from a very legal perspective whatsoever.
Trust me nothing with me is going to be a legal perspective. In Spring of 2022 we have a new course on privacy, technology, and law in iSchool. I wrote the course I don't know if I'll be teaching it. Beautiful she's actually my reviewer. One of my reviewers my PhD is on privacy in universities in the US and all the different privacy laws that impact universities, people have no idea that here in the US, you might think it's FERPA, which is the Family's Education Records Protection Act or something like that.
It's no the only one that applies to the universities. Pretty much every privacy law out there would apply if you're doing the right activities and that's another thing to understand about privacy so with that I won't make you run to the actual hour. Thank y'all so much for having me. I hope you enjoyed the conversation, and have some insight into why AI can be so problematic for social justice and discrimination issues.
Thank you so much K. It was a real pleasure to have you. We were very very lucky to have your time and expertise. Thank you K. And thank ya'll for listening to two southerners run the program. Ya'll take care. Bye ya'll.
2021-07-22