CYBER FLORIDA RESPONSE / OFFICE OF MANAGEMENT AND BUDGET
REQUEST FOR INFORMATION
The Florida Center for Cybersecurity (also known as Cyber Florida) was established within the University of South Florida in 2014 under Florida statute 1004.444. The goals of the center are to: position Florida as a national leader in cybersecurity and its related workforce through education, research, and community engagement; assist in the creation of jobs in the state’s cybersecurity industry and enhance the existing cybersecurity workforce; act as a cooperative facilitator for state business and higher education communities to share cybersecurity knowledge, resources, and training; seek out partnerships with major military installations to assist, when possible, in homeland cybersecurity defense initiatives; attract cybersecurity companies to the state with an emphasis on defense, finance, health care, transportation, and utility sectors.
Privacy is amongst the most critical concerns for the general public as more and more data are being collected and stored by agencies (both public and private). While people understand that data collected has its benefits to them, the direct impact to their privacy is vastly unclear to most Americans. In fact, we believe that the usage of Privacy Impact Assessment tools for data collected is something that many Americans are not even aware of. In this context, and particularly with emerging AI technologies, we commend the OMB for their diligence in raising public awareness of the utility and importance of Privacy Impact Assessment (PIA) tools, and in their request for public input.
1. We recommend that OMB standardize the creation, usage, and dissemination of PIAs across all agencies. The public is currently unaware of what these PIA tools intend to capture from data collected and how resulting evaluations are made, stored, and adapted. How frequently does the adaptation happen? What forms of privacy breaches are intended to be protected – identity, location, health status, race, gender, etc.? The general public needs to know this, as well as where to find this information across federal agencies.
2. We recommend that OMB take advantage of existing research in the space of human behavior and privacy. There are deep theoretical findings in this space that span the domains of computing, anthropology, social science, public health, business and more. Each theoretical area provides a unique flavor to model how the public perceives privacy in various forms. As newer PIA tools are being developed and data assessed, integrating these research findings into assessments will provide significant scientific validity to the outcomes. This will only serve to improve the public’s trust as PIAs are being developed and used. However, we must caution that while cultural differences do exist in privacy perceptions of people, there should be little to no impact of such differences as PIAs are being designed and used. In fact, the most significant challenge is how to define a PIA framework that is useful, and yet generic. Incorporating scientific foundations into this process is expected to alleviate challenges.
3. We recommend an annual report be generated summarizing findings across all federal agencies as the PIA tools are being used and data analyzed. The general public should be made aware of how federal agencies perceive their privacy, and with feedback solicited from the public, the framework for using PIAs and outcomes will improve and be more widely trusted.
4. A general belief with information privacy is that there is always a trade-off between privacy and utility. Specifically, the belief is that the more private a piece of information is, the less useful it becomes. In fact, this tradeoff is the driving force for the lack of consensus on what constitutes optimal privacy. Cyber Florida believes that with carefully crafted, rightly used and publicized privacy protections, trust of the public will increase as they understand privacy protections. This means that the public will likely share more data, and the increased data, trust and confidence of the people will only serve to make the data useful to the larger society, while still ensuring individual privacy. Hence the need to engage with the general public on PIAs.
5. With increasing use of AI, we understand OMB’s concerns with respect to privacy. With sophistication in AI techniques, these risks will only worsen. Furthermore, it may be next to impossible to predict what the possible hidden features are that AI models will extract with massive scale training data that are beyond the comprehension of humans as they evaluate privacy risks. In this realm, data protection is critical (even if it was deemed privacy preserving). We recommend due diligence in safeguarding data from leakages. If data was indeed shared, there need to be audit logs. We recommend state-of-the-art access and data control policies for data access and modifications. Clear policies need to be in place if and when AI models are trained on private data – including the type of AI model, the training hardware, use cases, evaluation plan for AI models and documentation. Periodic checking needs to be ensured to guarantee no deviations of AI from the intended purpose. Critical recommendations we make are a) the need to store all private data within the geographical boundaries of the US; b) multi-layered and fine-grained access control so that impacts of any information leakage are gradual and not catastrophic; c) having a privacy-specific Incident Response Plan (adapted to current NIST standards) for AI-centric data and models; and d) investments in homomorphic encryption technologies that allow for AI models trained and executed on encrypted data to enable privacy-preserving AI learning.
To summarize, we believe that the seriousness with which OMB is addressing privacy concerns is important and timely. We believe that the American public needs and wants to be at the forefront of efforts designed to protect their privacy. The federal agencies across the government are best equipped to do that. With a public that is confident of its privacy, data sharing and subsequent innovation will happen in a safer environment, hence benefiting the overall society while still preserving individual privacy.
Dr. Sriram Chellappan
Academic Director of Cybersecurity Research, Cyber Florida: The Florida Center for Cybersecurity
Professor, Computer Science and Engineering, University of South Florida
Ernie Ferraresso
eferraresso@cyberflorida.org
813 974 1869
Director
Cyber Florida: The Florida Center for Cybersecurity