Categories: Privacy

Police use of AI-based facial recognition – Privacy threats and opportunities!!

This article describes the issue of police use of AI-based facial recognition technology, discusses why it poses a problem, describes the methodology of assessment, and proposes a solution.

The CBC reported on March 3[1] that the federal privacy watchdog in Canada and three of its provincial counterparts will jointly investigate police use of facial-recognition technology supplied by US firm Clearview AI.

Privacy Commissioner Daniel Therrien will be joined in the probe by ombudsmen from British Columbia, Alberta, and Quebec.

Meanwhile, in Ontario, the Information and Privacy Commissioner has requested that any Ontario police service using Clearview AI’s tool stop doing so.[2]

The Privacy Commissioners have acted following media reports raising concerns that the company is collecting and using personal information without consent.

The investigation will check whether the US technology company scrapes photos from the internet without consent. “Clearview can unearth items of personal information — including a person’s name, phone number, address or occupation — based on nothing more than a photo,” reported the CBC.[1] Clearview AI is also under scrutiny in the US, where senators are querying whether its scraping of social media images puts it in violation of online child privacy laws.

In my opinion, there are three factors that could get Clearview AI, and its Canadian clients, in hot water. Here are the issues as I see them:

  1. The first issue: Collecting and aggregating data without consent. Even though the photos may have been procured under contract from social media networks, the linking of database photos to demographic information is a big no-no from an individual privacy perspective. Facebook’s infamous experience with the now-dissolved Cambridge Analytica was another example of data being repurposed. It’s possible that, through “contract engineering” (drafting complex contracts with lots of caveats and conditional clauses), Clearview has gained contractually permissible access to Canadians’ photos. However, linking that data with demographic information would be considered a violation of Twitter and Facebook’s terms of use.
  2. The second issue: Not providing evidence of a Privacy Impact Assessment. A Privacy Impact Assessment is used to measure the impact of a technology or updated business process on personal privacy. Governments at all levels go through these assessments when new tools are being introduced. It’s reasonable to expect that Canadian agencies, such as police services, would go through the federal government’s own Harmonized Privacy and Security Assessment before introducing a new technology.
  3. The third issue: Jurisdiction. Transferring data about Canadians into the United States may be a violation of citizens’ privacy, especially if the data contains personal information. Certain provinces, including British Columbia and Nova Scotia, have explicit rules about preventing personal data from going south of the border.

How will Privacy Commissioners decide if this tool is acceptable?

The R v. Oakes four-part test[3] will be used to assess the tool’s impact. Courts and legal advisors use this test to ascertain whether a law or program can justifiably intrude upon privacy rights. The elements of the test are necessity, proportionality, effectiveness, and minimization. All four requirements must be met.

My assessment of the use of Clearview AI’s technology from the Oakes Test perspective:

  1. Necessity: Policing agencies will have no problem proving that looking for and identifying a suspect is necessary. However …
  2. Proportionality: Identifying all individuals, and exposing their identities to a large group of people, is by no means proportional.
  3. Effectiveness: The tool’s massive database might be effective in catching suspects; however, known criminals don’t usually have social media accounts.
  4. Minimality: Mass data capturing and linking doesn’t appear to be a minimalistic approach.

The federal Privacy Commissioner publishes its methodology at this link[4].

Are there any solutions?

Yes, AI-based solutions are available. Here at KI Design, we are developing a vision application that allows policing agencies to watch surveillance videos with everyone blurred out except the person for whom they have a surveillance warrant. For more information, reach out to us.



Categories: Security

The Necessity of Multi-Scanning

Last Friday, the WannaCry cyberattack affected more than 300,000 computers, impacting thousands of businesses, hospitals and enterprises across 153 countries by taking advantage of outdated versions of Windows that had never been updated with Microsoft’s crucial security upgrades.


With the increasing number of advanced threats from attackers and the overall skyrocketing growth of malware, relying on a single anti-malware engine is no longer sufficient for high-security networks.


Multi-scanning anti-malware software is essential for improving security because it significantly increases malware detection rates and, consequently, reduces the susceptibilities created by a specific anti-malware engine’s shortcomings. Multi-scanning refers to the process of running multiple anti-malware or antivirus engines concurrently. Multi-scanning anti-malware tools also have the added benefits of meaningfully reducing the number of days of exposure to new malware outbreaks and can often protect systems from malware targeting a variety of systems at once, including Windows, Mac, Linux, iOS, and Android operating systems.


No single anti-virus software is perfect. Each product will have its own strengths and weaknesses when it comes to detecting some threats. Likewise, every emerging threat that can be detected will be detected at a different rate by different engines. Studies have found that no single engine detects every possible threat. Thus, only by combining multiple engines in a multi-scanning solution will all possible threats be detected quickly. One downfall of ‘multi-scanning incorrectly’ is that running multiple engines simultaneously can result in conflicts on your servers that lead to system freezes and application failures. Another downfall is that it increases the number of false positives you can receive. Lastly, multi-scanning can be very costly, especially for smaller-scale enterprises.
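The trade-off described above, between higher combined detection and more false positives, can be measured by aggregating per-engine verdicts. The following is an added example, not part of the original article; the engine names and scan results are constructed for illustration.

```python
# Hypothetical engine names; each verdict string holds one bit per engine,
# in this order ("1" = that engine flagged the file).
ENGINES = ["engine_a", "engine_b", "engine_c", "engine_d"]

# Constructed scan results: (file name, ground truth malicious?, verdict bits)
RESULTS = [
    ("m1.exe", True, "1100"), ("m2.doc", True, "1010"),
    ("m3.js", True, "0110"), ("m4.dll", True, "0001"),
    ("m5.pdf", True, "1000"), ("m6.exe", True, "0111"),
    ("c1.exe", False, "0000"), ("c2.doc", False, "1000"),
    ("c3.js", False, "0000"), ("c4.dll", False, "0010"),
    ("c5.pdf", False, "0000"), ("c6.exe", False, "0001"),
]


def _rate(hits, total):
    return hits / total if total else 0.0


def engine_rates(results):
    """Return {engine: (detection rate, false-positive rate)} per engine."""
    n_mal = sum(1 for _, mal, _ in results if mal)
    n_clean = len(results) - n_mal
    rates = {}
    for i, name in enumerate(ENGINES):
        tp = sum(1 for _, mal, bits in results if mal and bits[i] == "1")
        fp = sum(1 for _, mal, bits in results if not mal and bits[i] == "1")
        rates[name] = (_rate(tp, n_mal), _rate(fp, n_clean))
    return rates


def policy_rates(results, min_hits):
    """Return (detection, false-positive) rates when a file is blocked
    once at least min_hits engines flag it."""
    flagged = [(mal, bits.count("1") >= min_hits) for _, mal, bits in results]
    n_mal = sum(1 for mal, _ in flagged if mal)
    n_clean = len(flagged) - n_mal
    tp = sum(1 for mal, hit in flagged if mal and hit)
    fp = sum(1 for mal, hit in flagged if not mal and hit)
    return _rate(tp, n_mal), _rate(fp, n_clean)


if __name__ == "__main__":
    for name, (det, fp) in engine_rates(RESULTS).items():
        print(f"{name}: detection={det:.0%} false positives={fp:.0%}")
    for k in (1, 2):
        det, fp = policy_rates(RESULTS, k)
        print(f"block at >= {k} hit(s): detection={det:.0%} false positives={fp:.0%}")
```

On this constructed data, blocking on any single hit catches every malicious file but also flags half of the clean ones, while requiring two engines to agree removes the false positives at the cost of missing the two samples only one engine recognizes.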


Fortunately, many vendors have come up with technology that is able to conduct a multi-scan, and detect all types of malware in a single tool, without the hassle of licensing and maintaining multiple antivirus engines. Such vendors allow you to improve your malware detection, decrease the detection time of an outbreak and increase resiliency to antivirus engines’ vulnerability. However, determining the right number of tools or which one to select depends on the volume of the data being protected, the value of this data and the severity and frequency of potential attacks.


Security experts predict that malware attacks will increase in frequency and severity, and multi-scanning anti-malware solutions can be our best line of defense. Using anti-malware in a multi-scanning process, or tools that automatically multi-scan, can be used to ensure the safety of your organization’s servers, the email attachments you open, web searches, the secure sending of confidential files, and much more. Multi-scanning allows users and enterprises to control their early-detection engines to detect spear phishing and other specific types of targeted malware attacks. This, in turn, will allow them to take action as quickly as possible.





I invite you and other privacy leaders to join me in co-authoring a privacy-affirmative position paper, the Privacy Accord. This statement will propose new relationships between government, technology entrepreneurs, and corporate and business leaders to strengthen and enhance privacy in Canada and around the world.


Privacy under Attack

Government and healthcare agencies, financial institutions, and corporations store massive amounts of personal data. Yet 90% of Canadians are concerned about their privacy: 73% feel they have less protection of their personal information than 10 years ago, and 56% are not confident that they have enough information to know how new technologies affect their privacy (Office of the Privacy Commissioner of Canada, 2014). Rapid changes in technology and communications are altering the ways we interact, and much of our private information is slipping out of our hands. In social media forums, we can instantly share personal details with a public of our own choosing. Such sharing is part of the developing cultural norm. What is less easy to control is what happens to the data tracked from our Internet use. As more and more of our interactions and transactions take place online, more and more of our personal information is finding its way onto the Internet.

Major Internet corporations such as Google and Facebook track consumers’ activities online, creating identity profiles of consumer preferences in every area of life, by analyzing browsing history, consumption patterns, status updates, and email content. As this data is shared amongst corporations, and with government security agencies, personal privacy faces an unprecedented challenge. There is little real transparency: consumers routinely agree to terms and conditions so lengthy that it isn’t practical to read them. Few citizens are aware of the level of data sharing that takes place between major corporations, and with federal agencies.  As larger and larger volumes of data are collected and aggregated by big data initiatives, it is becoming more difficult to define precisely what is considered personal information.

The advent of the Internet of Things adds another dimension of complexity to the sharing of personal information. In this new paradigm, informed consent is more important than ever. Yet legislation lags behind technological innovation, and organizational culture is still reorienting itself to respond to these new privacy challenges.

In this rapidly-changing technological environment, it is crucial for privacy leaders to find innovative new ways to bolster privacy, and to communicate these recommendations clearly to government, corporations, and the general public.


Privacy is a relatively untapped resource in Canada. Working with government and the private sector, privacy leaders can help raise the profile of privacy protection by spelling out its economic potential. Privacy-focused strategic alliances between government, major corporations, and innovation agencies can offer significant benefits to their various stakeholders. Privacy commissioners and data protection authorities could play a pivotal role in inviting these stakeholders to the table.

Who Benefits?

When government agencies (federal, provincial, and municipal) and corporations invest in startups working on privacy innovation:


Prioritizing Privacy: The EU Approach

Current data protection laws in Canada, like those in the US, are vertical (sector-specific). By contrast, the European Union and many of its constituent states follow a horizontal model. This allows for a more mature, integrated approach to the protection of personal information. With more data sharing across organizational boundaries, sector-specific laws are becoming increasingly difficult to apply, and many initiatives now require extensive consultation to establish relevant privacy obligations. Data sharing across jurisdictions raises further complications; in Canada, some provinces have similar privacy laws, both in the realms of commerce and healthcare, but others have very divergent legislation. The EU has irreversibly committed itself to data protection reform, and this pending legislation offers much that Canada could consider emulating.

Some ideas and practices Canada should consider adopting from the EU:

Under the new EU legislation, fines for large data breaches will be a proportion (currently 2%) of the company’s gross revenue. Most North American laws define a set amount for fines, averaging a few hundred thousand dollars, which is insignificant for large companies. For companies to take privacy seriously, fines for violations must be set as a proportion of revenue.

Since the EU Court of Justice struck down the former EU/US “Safe Harbor” agreement, Canadian companies with transnational business interests wishing to avoid legal complexities would be well advised to bring their privacy policies in line with EU standards.

Personal Content Privacy

Personality rights are an evolving field in Canadian jurisprudence. The provinces of British Columbia, Manitoba, Newfoundland and Labrador, and Saskatchewan have enacted privacy legislation dealing with personality rights, and Canadian common law also recognizes a limited right to personality. Such rights can also be found in the Civil Code of Quebec. Recent technologies create new possibilities of recording audio and video – strengthening and expanding such legislation will help keep privacy protection in step with these technological advances.


While recent technological advances have often undermined personal privacy, emerging technologies can strengthen and protect an individual’s activity online. Investing in privacy-bolstering technologies is a smart business move. The erosion of online privacy is of significant concern to the public: for example, 90% of polled US citizens say that having control over what information is collected about them is important (Pew Research Center, 2015). The further development of privacy-bolstering technologies would thus be responding to the concerns of a significant majority of Internet users, who desire greater control over their personal data.

Here are just some of the ways in which future technological development could support information privacy:

Investing in Data Liberation Technologies

Such technologies allow users access to data while masking or erasing the identity of the data source, utilizing de-identification techniques such as tokenization or anonymization. Optimally used with automated risk analysis tools, de-identification allows both ongoing utilization of data and protection of individual privacy.

Investing in Personal Content Privacy

Most current privacy technologies focus on the protection of text records. Given the proliferation of recording technologies (such as smartphone cameras, Google Glass, or drones) future privacy-bolstering technologies will need to adapt to different kinds of content, and an individual’s rights therein. For example:

And, more generally:

Investing in Defensive Online Security

Programs that block tracking software tend to be accessed by the technologically savvy rather than the average computer user. Such technologies need to become more visible, and easy to use, perhaps bundled with other defensive tools such as anti-virus programs.

Investing in Crowd Consent

Big data offers many opportunities for market research and social analysis, but these can raise privacy concerns. For example, if a statistic shows a particular demographic to be more susceptible to a given disease, or have a higher crime rate, that information could be used by insurance companies to penalize a consumer. Limited protections are in place in healthcare – researchers must have their statistics cleared by the Research Ethics Board before publishing – but as yet no technologies have been developed to allow individual consent.


Within corporate culture, data protection is often seen negatively, as another unfortunate overhead. Protection of private information is understood as a threat to profit, draining resources to avoid the risk of a security breach and the attendant liabilities. Yet privacy-bolstering technology is also a business opportunity. Far from being a liability, privacy can be a powerful opportunity for companies to differentiate themselves as leaders in corporate responsibility and service to the public.

Meeting a Clearly-expressed Social Need

As citizens and as consumers, individuals consistently express concern over their lack of control and consent when it comes to privacy. Just one example: according to a 2014 poll by Microsoft, as many as 83% of Americans agree with the US Supreme Court decision that police should get a warrant before searching an individual’s cellphone.

Gaining a Competitive Advantage

Corporations and businesses choosing to develop protocols that protect rather than undermine privacy will differentiate themselves from their competitors. Consumers are often faced with a choice between very similar products and services. Adopting a pro-active privacy strategy positions a business to appeal to the many consumers for whom data protection is an issue.


Negative publicity related to privacy issues can be highly damaging to companies, while positive communications on privacy matters can greatly enhance a company’s reputation. Companies that are open about how they gather, manage, and use personal information are better able to offer a sense of security and trust to customers and partners. By integrating effective privacy practices across their enterprise, providing information that addresses people’s concerns about privacy, and engaging the public and government in discussing privacy issues, companies can become known as leaders committed to protecting individual privacy.

Streamlining Efficiency

Investment in de-identification technologies, automated risk analysis tools, and other techniques of data protection will help smooth the interface between data users and individuals. With proper safeguards in place, market researchers can access the data they require without compromising individual privacy. More focused research means more accurate prediction of consumer preferences, and thus more effective marketing strategies.

Privacy as a Customer Service

As yet, few major companies are pro-active about privacy. Many put minimal protections in place and then suffer the consequences when a data breach occurs. As the hack of Target’s Canadian operations demonstrated, in addition to any legal penalties, these consequences include a massive loss of customer goodwill and the attendant loss of revenue. Even major corporations whose data has remained secure rarely invest in privacy innovation, or engage with privacy as a customer service.


Privacy as we know it is at a crossroads. Can data protection flourish in this brave new world of technological change, or will it decay? Economic, legal, technical, and corporate innovation will all be crucial in helping to direct the future of data protection in Canada. That is why I am asking you to co-author the Privacy Accord.

I am actively seeking your participation. As a data protection authority, your experience, insight, and expertise will bring great value to this project. Once the Privacy Accord has been finalised, we will promote it to private industry. Members of the investment community have already expressed interest in participating. Then, we will approach federal, provincial, and municipal regulators across the country.

I do hope you will join me in this exciting new venture to promote privacy and informed consent in Canada. Please let me know:

I look forward to hearing from you.

Wl Hassan, Ph.D