Using Artificial Intelligence to support Privacy Management

A gap between privacy and security means it’s currently harder for organisations to implement a comprehensive privacy program than an information security program, even though business leaders understand and relate to privacy more than information security.

Contemporary challenges in security have been met with standards and frameworks, technology platforms and effective consulting approaches. Yet these tools are still being developed in the world of privacy, especially as security practitioners, who are usually handed the privacy baton, don’t necessarily know how to run the race. Hence, privacy programs tend to centre on security techniques, such as information classification and encryption to solve more complex issues that need a more nuanced approach.

Privacy researchers are turning to artificial intelligence help bridge this gap, and to jump ahead of more traditional security approaches to support the goals of principle based frameworks such as the GDPR.  By feeding continuous metadata to AI algorithms, complex outcomes like rights and usage (which are fundamental to privacy management)can be evaluated in real-time and in the context of evolving business needs.

Privacy Management vs Security Management

Businesses of all sizes are capturing and holding an ever-increasing amount of personal information. Data is often spread across a variety of systems, some locally, some in the cloud, and context changes depending on, among other things, the purpose for which the data was gathered and the information owner’s consent to its use. Information owners (or data subjects in the world of privacy) are gaining increasing rights which must be supported.  Using direct customers as the example, these individuals now have the right to demand an immediate, up-to-date report on the data held about them (for example, via a Data Subject Access Request), which can burden the IT team tasked with the gathering and formatting of this data.  The introduction of the California Consumer Privacy Act, giving consumers in California new privacy rights, has seen an immediate increase in requests to erase data.

For organisations looking to develop systems to support these rights, the traditional approach to reporting used by security teams , where they gather and report on system logs, won’t work. Application and operating systems logs rarely include data usage context. Knowing that a business user accessed a data record doesn’t explain why it was accessed, which then requires further investigation from the privacy team to identify the purpose of use.

If the business has hundreds of thousands of customers and complex data gathering and usage requirements, managing even a few dozen of these requests can be time consuming  and also challenging to achieve a level of accuracy commensurate with the developing legal requirements.

How is Artificial Intelligence Helping?

Artificial intelligence can help with this problem.

Artificial Intelligence is being used to understand the usage profiles for personal data access and correlate it with the legal requirements, while machine learning builds organisational usage models and correlates these with the user agreement baselines to spot deviations. Dashboards can show data set risk scores and guide privacy manager investigations and assist in determining the best course of action to reestablish a compliant baseline. A special branch of AI research is developing tools specifically tailored for privacy matters, such as privacy-aware machine learning (PAML) algorithms. PAML helps privacy technology vendors develop management tools that can defend and maintain personal identities during the process of data gathering and analysis, so that the usage agreements are not breached even though the data is still, in effect, being processed. Anonymizing techniques obfuscate data before normalizing for data mining and knowledge determination, so privacy is maintained.

Amazon’s AWS platform has a deep learning capability called TensorFlow that vendors and software developers can use to build machine learning into cloud applications. TensorFlow is used to enhance privacy systems by introducing natural language processing and speech translation into monitoring solutions, two aspects of data monitoring that are difficult for traditional security monitoring technologies to achieve.

Ericson is just one example of the technology vendors doing plenty of research in this space, with federated learning systems making it possible to train models without transferring sensitive data from devices to a central server.

Conclusion

Artificial intelligence and machine learning are changing the way businesses operate. They may also be a game changer for privacy programs, helping establish the context that is so important to understanding the consideration of data use in the context of privacy principles.

However, this approach is different to that typically used by security practitioners.  To ensure that our approach to privacy and security becomes fully aligned, we’ll need these systems to converge and allow leadership teams to see them as one and the same. Only then will the goals of both be achieved and successfully managed, and AI will help us get there.

References

https://www.ericsson.com/48f9d1/assets/local/reports-papers/ericsson-technology-review/docs/2019/privacy-aware-machine-learning.pdf