Sunday, March 3, 2024

The Clash Between AI & Data Privacy: How It Can Be Resolved

 


One thing that is for sure is that there are a lot of data privacy laws out there.  As I have written about many times before, some of the most notable ones are the GDPR, CCPPA, and HIPAA.  In the simplest terms, they have tenets and legislations embedded into them to make sure that businesses are maintaining all of the needed controls in order to make sure that the datasets that they have in their possession about their customers and employees are in safe hands.

There is much more to it of course, but the good news is that at least there are the regulators out the who are watching these companies, and should they go astray, they will come under the eyes of a comprehensive audit and possible financial penalties.  But the main problem here is that at least in the United States, there is no one central law that can handle all of the 50 states.

In other words, there can be 50 different privacy laws created each with their own set of requirements and caveats.  So, what if a business owner transacts business in all of the states, is he or she still responsible for becoming compliant with them?  The short answer to this is yes.   It will of course be a herculean task to accomplish, but whether it is fair or not, they will ultimately be held responsible.

Now, there is another issue which is further compounding this problem even more:  The explosion of AI on a global basis.  Obviously, AI models will be holding and transacting a ton of information and data.  After all, that is how they function and operate.  Because of the “black box” nature of AI, many people are now concerned about how they personal data will be protected here as well, and rightfully so.

So far, 8 states in total have come out with their own version of a data privacy law, and some of those include Oregon, Montana, and Texas.  Privacy surrounding the use of AI has also been addressed in these pieces of legislation.  But, even from within these states, these laws are wildly different.  For example, because of its much smaller population size (only about one million), the threshold of what constitutes data privacy has been set much lower, thus resulting in a lower ratio of audits and penalties if businesses are not compliant.

In terms of Texas, they have spelled out various financial thresholds in which businesses have to meet certain data privacy requirements.  For example, an organization that produces far less revenue will not be held to nearly the same standards as one that is a Fortune 500 company.  And in Oregon, the data privacy laws have been extended to include protection for linked devices (such as IoT based ones), to fitness watches, to even transgender health records.

So now as AI becomes much more entrenched into American Society, these data privacy laws will have to be adjusted on a big-time basis in order to accommodate and take into these advancements.  Here are four top trends to be on the lookout for as this year continues to unfold:

*Data leaks and exfiltration from Large Language Models (LLMs), which is a component of AI.

*Using existing customer information to train new AI models, without their knowledge or consent.  A good example of this is the recent fiasco with Zoom.  More details about this can be found at the link below:

https://www.darkreading.com/cybersecurity-analytics/following-pushback-zoom-says-it-won-t-use-customer-data-to-train-ai-models

*Expect more passage of widely varying data privacy laws from states located in the Northeast sector of the United States.

*Many unforeseen security breaches will occur as businesses continue to adopt AI on a rapid scale. To this effect, the Federal Trade Commission (FTC) will be a key regulatory body here.

*The Presidential Election of this year will only heighten the negative uses of AI, especially when it comes to Deepfakes, Phishing email attacks, and phony websites asking for political donations.

*There will be an increased awareness in terms of determining who owns the data, and under which data privacy law it should fall under.  This is also known as “Data Sovereignty”.  For example, suppose you run an online business, and you store all of your customer’s information and data in the Cloud.  Who owns it?  You? Your Cloud Provider?  Also, which data privacy law should it fall under?  The CCPA, or the GDPR?

My Thoughts On This:

Right now, it is the United States Federal Government who is our best friend right now to make sure that the states follow data privacy and protection.  In fact, the Biden Administration has passed some key pieces of legislation and even Executive Orders (EOs) to enforce this.  But the problem is that the technology is advancing far too rapidly than what the laws can keep up with.

For example, if a set of law is passed today, it will quickly become outdated tomorrow with the pace of innovation that is taking place in AI today.  One way to possibly resolve this to some degree is to have another department within the Federal Government called the “Department of Cybersecurity”.  From here, all of the AI and data privacy laws can be created and passed here, then trickling down to all of the 50 states.

The prime benefit here will be that there will be just one common set of standards and best practices, with no wild variations in the legislation, as we are seeing today.

No comments:

Post a Comment

How To Launch A Better Penetration Test In 2025: 4 Golden Tips

  In my past 16+ years as a tech writer, one of the themes that I have written a lot about is Penetration Testing.   I have written man blog...