As Artificial Intelligence continues to impact every aspect of society, business, and personal interactions, there is a growing concern for the security of AI systems and the privacy of data. The main privacy concerns surrounding AI are the potential for data breaches and unauthorized access to personal information. The Privacy Principles for AI systems address these concerns.
In a survey of American residents carried out by an independent market research organization, Propeller Research, results showed that nearly half of the U.S. population (45%) are very concerned about their data being exploited, breached, or exposed.
To address some of these concerns and ensure privacy when dealing with personal data, the OWASP Foundation launched a guide in February 2023 that will provide clear and actionable insights on designing, creating, testing, and procuring secure and privacy-preserving AI systems.
Privacy principles for AI systems as published by OWASP
Use Limitation and Purpose Specification
Data collected and used as a training set for one purpose should not be used for another purpose. For example, if personal data is collected for user verification, it should not be used for user targeting. This ensures that the data is used only for the purpose that was specified during data collection. Only through the consent of users and approval of the law of authority can there be an exception.
Fairness
The processing of data must be done fairly. GDPR's Article 5 refers to fair processing, and the EDPS' guideline defines fairness as the prevention of "unjustifiably detrimental, unlawfully discriminatory, unexpected or misleading" processing of personal data. AI algorithms shouldn't be trained with data sets that will produce discriminatory results.
Data Minimization and Storage Limitation
This principle implies that the amount of data collected for a training model should be minimal and not beyond the required amount. It also means that this data should be deleted once it is no longer needed. Irrelevant data should not be collected, and access to this dataset should be minimal. These data must be kept and used anonymously.
Transparency
Transparency in data privacy means that models and datasets should be clear and easy to understand. Users should be aware of what data is being collected, how it will be processed, and the rights they have over their data. Models and datasets should also be understandable by internal stakeholders (such as model developers, internal auditors, privacy engineers, domain experts, and more). Users should not be manipulated but kept informed when there is a change in personal data processing.
Consent
The Principle of Consent requires that the approval of the data subject must be obtained before their data is collected and processed. Consent must be clearly and freely stated, and it must be recorded and protected. This consent, freely given, can also be freely withdrawn at any time by the user.
Privacy Right
Data subjects should have the right to access their data, make corrections to it, request the deletion of their data, and ultimately object to the usage of their data in a particular training model. Processing of personal data should always be lawful.
Data Accuracy
All data to be used as a training set should be accurate and from a reliable source. Inaccurate data would result in a faulty algorithm and can cause unintended consequences. Effective measures and processes should be put in place to periodically check the accuracy of personal data and to correct or erase the data where necessary.
Conclusion
Privacy Principles for AI Systems are very important as they protect fundamental human rights, promote trust in AI technologies, and provide fairness and accountability in decision-making processes. Users should be given a choice and control over their data. These Principles of Privacy should be followed by organizations and industries to ensure that the privacy of users’ personal data is kept secure and not exploited by threat actors.