Thinking Outside the Checkbox
How can we achieve meaningful informed consent?
5 minutes read
Sep 17, 2023

We live in a world where data collection is the norm. Companies rely on vast amounts of this data to train their AI models and remove bias — but it’s the users who are frequently left in the dark about how their information is stored, who has access to it, and how long it will be held for.
To regain control and assert our authority over our own data and online privacy, we must challenge and question the implications that ambitious products, services, and research projects have on our personal spaces. This scepticism does not stifle innovation but rather puts us back in the driver’s seat when it comes to how our data is used.
The paramount question arises: How can we balance collecting enough data to effectively drive bias out of AI models and still respect individual privacy? Moreover, how can we accomplish this while ensuring meaningful consent from users? These are the questions we’ll explore in this article.
The Ethics of Data Collection
The push for technological advancement can sometimes skew the ethical considerations of privacy.
Consider the experimental super sensors called Mites as a glaring example. These advanced devices can capture up to 12 different types of unique data, and over 300 were installed on the walls of Carnegie Mellon University’s TCS Hall earlier this year. However, their presence came as a surprise to many.
An article published in the MIT Tech Review noted that the intended purpose of building a secure, user-friendly IoT (Internet of Things) Infrastructure was noble. However, the underlying issue was the lack of transparency, as students and faculty were never afforded the foundational choice to opt in.
Like Mites, many projects make idealistic promises. Take Worldcoin as one. OpenAI CEO Sam Altman’s hope for his iris-scanning technology, which asks for your biometric data in return for a share of crypto tokens (WLD), is to distribute wealth as a form of universal basic income equitably.
Although Worldcoin has committed to anonymising and erasing user biometric data once its system is optimised, they haven’t yet set a concrete deadline for this deletion. Is it prudent to rely solely on the project’s word, especially given their approach towards lower-income communities? (Referring to the project offering $50 to Kenyan residents — a significant portion of their average monthly earnings — for their biometric data).
With 2.2 million sign-ups since its soft launch in 2021, Worldcoin’s rapid growth prompts questions about whether they genuinely obtained explicit consent from all participants. The lack of a detailed timeline and a straightforward procedure might raise concerns with regulatory bodies down the road, especially when viewed through the lens of the GDPR.
Experts argue that consent agreements are often ambiguous and opaque and shift the responsibility to the end user without giving them a complete picture of the potential data risks.
Every successful innovation we’ve seen was first rigorously beta-tested. Collecting data for “research purposes” does not justify the sometimes questionable policies around consent. Normalising this as the default, with so many key questions unanswered, blurs the line between user consent and company profit.
How Can We Achieve Meaningful Informed Consent?
Conversations around our privacy are often lopsided, as few of us can really understand the true consequences of what we consent to. As one senior executive said to McKinsey,
“The bar here is not regulation. The bar here is setting an expectation with consumers and then meeting that expectation — and doing it in a way that’s additive to your brand.”
While the law provides essential guidelines for data handling, organisations should adopt a comprehensive data ethics framework that sets a gold standard of principles and best practices for handling data.
As an end user or participant, clear communication, choice and control from the outset are of utmost importance in how consent should look. Ask yourself these key questions:
Do I understand how my data is being used? What is the extent of my knowledge?
Trust is not a mere given, but something that is “earned” over time between businesses and their customers. This trust can only be reinforced through consistent transparency, meaning that those who handle your data must clearly explain how they use and protect it. Their privacy policies should be readable, up-to-date and easily accessible, so that users are equipped to make an informed decision.
Am I actively choosing to contribute my data through an opt-in consent model, or is it assumed that I consent unless I explicitly decline (opt-out)?
Opt-in should be standard practice, even if it is not legally mandated in some jurisdictions.
What does consent look like in this context?
It’s essential to implement a participatory and collaborative approach where users can take tangible steps to opt in. It’s also worth noting that this responsibility lies with the data controller, not the end user or participant.
Do I have authority over my data at all stages? What are my options if I decide to withdraw or modify some permissions? Can I reclaim what I’ve provided just as easily?
Who can access my data?
Users should be aware of the protective measures that prevent unauthorised access or data misuse.
What are the implications of giving up my data, and were they made clear to me?
How long will my data be stored?
Data retention policies should align with the purpose for which the data was collected.
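The questions above describe an opt-in model, purpose-bound consent, withdrawal, and retention aligned to purpose. The following is an added example of what those rules look like when enforced in code; it is not from the original article and does not describe any real product. The purposes, retention periods, subject identifiers and dates are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Hypothetical retention policy: every declared purpose maps to how long data
# collected for it may be held. Purposes and periods are constructed for this example.
RETENTION_POLICY: Dict[str, timedelta] = {
    "model_bias_evaluation": timedelta(days=180),
    "product_research": timedelta(days=90),
}


@dataclass
class ConsentRecord:
    subject_id: str
    purpose: str
    granted_at: datetime
    withdrawn_at: Optional[datetime] = None


class ConsentRegistry:
    """Opt-in consent ledger: nothing may be processed unless the subject
    explicitly granted consent for that exact purpose and has not withdrawn it."""

    def __init__(self, retention_policy: Dict[str, timedelta]) -> None:
        self.retention_policy = retention_policy
        self._records: Dict[Tuple[str, str], ConsentRecord] = {}

    def grant(self, subject_id: str, purpose: str, now: datetime) -> None:
        # A purpose with no declared retention period cannot be consented to:
        # the subject could not have been told how long their data will be held.
        if purpose not in self.retention_policy:
            raise ValueError(f"undeclared purpose: {purpose}")
        self._records[(subject_id, purpose)] = ConsentRecord(subject_id, purpose, now)

    def withdraw(self, subject_id: str, purpose: str, now: datetime) -> None:
        rec = self._records.get((subject_id, purpose))
        if rec is not None and rec.withdrawn_at is None:
            rec.withdrawn_at = now

    def may_process(self, subject_id: str, purpose: str,
                    collected_at: datetime, now: datetime) -> Tuple[bool, str]:
        """Return (allowed, reason). Default is deny: silence is not consent."""
        rec = self._records.get((subject_id, purpose))
        if rec is None:
            return False, "no opt-in on record"
        if rec.withdrawn_at is not None:
            return False, "consent withdrawn"
        if collected_at < rec.granted_at:
            return False, "data collected before consent was given"
        if now - collected_at > self.retention_policy[purpose]:
            return False, "retention period for this purpose has expired"
        return True, "ok"

    def due_for_erasure(self, holdings: List[Tuple[str, str, datetime]],
                        now: datetime) -> List[Tuple[str, str]]:
        """Given (subject_id, purpose, collected_at) holdings, list the ones
        that no longer have a lawful basis and must be deleted."""
        return [(s, p) for s, p, c in holdings if not self.may_process(s, p, c, now)[0]]


if __name__ == "__main__":
    t0 = datetime(2023, 9, 1, tzinfo=timezone.utc)  # constructed date
    reg = ConsentRegistry(RETENTION_POLICY)
    print(reg.may_process("alice", "product_research", t0, t0))  # denied: no opt-in
    reg.grant("alice", "product_research", t0)
    print(reg.may_process("alice", "product_research", t0, t0 + timedelta(days=30)))
    print(reg.may_process("alice", "product_research", t0, t0 + timedelta(days=120)))
    reg.withdraw("alice", "product_research", t0 + timedelta(days=10))
    print(reg.due_for_erasure([("alice", "product_research", t0)], t0 + timedelta(days=11)))
```

The design choice worth noting is that the default answer is "no": a missing record is a denial, consent is keyed to a single declared purpose rather than granted globally, and the retention clock runs from the collection date, so data outlives neither the purpose it was collected for nor the subject's decision to withdraw.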
PETs in the Privacy-Utility Trade-Off
At the heart of these questions lies the principle of data minimisation — to collect and extract only the level of information required to fulfil a specific purpose. One must ensure the personal data being processed is, as per the GDPR and the UK ICO:
Adequate — sufficient to properly fulfil the stated purpose;
Relevant — has a rational link to that purpose; and
Limited to what is necessary.
Understandably, data minimisation helps reduce privacy risks. However, within AI, limiting data could also heighten the risk of bias due to an unbalanced dataset or inadequate data to assess algorithms’ preferences.
Enter Privacy-Enhancing Technologies (PETs) as a solution
Privacy means making trade-offs. Organisations collect and extract insights from data to release statistics, but without safeguards, those releases may reveal sensitive information about individuals. Central to achieving this balance are PETs like Trusted Execution Environments (TEEs), namely Secure Enclaves, and Differential Privacy.
What are TEEs?
Striving to be the reliable intermediary, TEEs, or secure enclaves, mimic the behaviour of a trusted third party by attesting to the functionality performed by hardware or a cloud provider.
Enclaves are akin to secure servers and protect data in use through their combination of a) limited inputs and outputs and b) digital attestation, wherein the cloud infrastructure digitally signs a document to validate the integrity and authenticity of the code executing within the enclave.
What is Differential Privacy?
Differential privacy, meanwhile, ensures that when analysing data to extract insights, the output won’t reveal whether an individual’s information was included in the dataset.
This mathematical approach guarantees that an algorithm’s results remain consistent whether or not a specific person’s data is present, offering robust protection against leaking individual-level details.
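To make the guarantee concrete, here is an added example (not from the original article) of the Laplace mechanism, the standard way of releasing a count under ε-differential privacy. A counting query changes by at most 1 when one person's record is added or removed (its sensitivity), so adding noise drawn from Laplace(0, 1/ε) bounds the ratio of output probabilities between any two neighbouring datasets by e^ε. The survey records and the ε value are constructed for illustration.

```python
import math
import random
from typing import Callable, Dict, List

# Constructed sample dataset: each row is one survey respondent.
RECORDS: List[Dict[str, object]] = [
    {"id": 1, "shares_biometrics": True},
    {"id": 2, "shares_biometrics": False},
    {"id": 3, "shares_biometrics": True},
    {"id": 4, "shares_biometrics": True},
    {"id": 5, "shares_biometrics": False},
    {"id": 6, "shares_biometrics": True},
    {"id": 7, "shares_biometrics": False},
    {"id": 8, "shares_biometrics": True},
]

COUNT_SENSITIVITY = 1.0  # adding/removing one person changes a count by at most 1


def count_query(records: List[Dict[str, object]],
                predicate: Callable[[Dict[str, object]], bool]) -> int:
    """The exact (non-private) statistic an analyst wants to release."""
    return sum(1 for r in records if predicate(r))


def laplace_noise(scale: float, rng: random.Random) -> float:
    """Sample Laplace(0, scale) by inverse-CDF transform of a uniform draw."""
    u = rng.random() - 0.5
    while u == -0.5:  # guard the measure-zero case where log(0) would be hit
        u = rng.random() - 0.5
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


def laplace_mechanism(true_value: float, sensitivity: float,
                      epsilon: float, rng: random.Random) -> float:
    """Release true_value + Laplace(0, sensitivity/epsilon); this is ε-DP."""
    return true_value + laplace_noise(sensitivity / epsilon, rng)


def laplace_log_density(x: float, center: float, scale: float) -> float:
    return -math.log(2.0 * scale) - abs(x - center) / scale


def privacy_loss(output: float, value_d: float, value_d_prime: float,
                 sensitivity: float, epsilon: float) -> float:
    """log of P[output | dataset D] / P[output | neighbouring D'].
    For the Laplace mechanism this is at most |value_d - value_d_prime| / scale,
    which is at most epsilon whenever the two values differ by <= sensitivity."""
    scale = sensitivity / epsilon
    return (laplace_log_density(output, value_d, scale)
            - laplace_log_density(output, value_d_prime, scale))


def mean_noisy_release(true_value: float, sensitivity: float, epsilon: float,
                       trials: int, seed: int) -> float:
    """Average of many independent releases; shows the noise is unbiased, so
    aggregate utility survives even though any single release hides one person."""
    rng = random.Random(seed)
    return sum(laplace_mechanism(true_value, sensitivity, epsilon, rng)
               for _ in range(trials)) / trials


if __name__ == "__main__":
    epsilon = 0.5
    shares = lambda r: bool(r["shares_biometrics"])
    true_count = count_query(RECORDS, shares)          # 5
    neighbour_count = count_query(RECORDS[1:], shares)  # 4: respondent 1 removed
    rng = random.Random(2023)
    print("exact:", true_count, "released:", round(laplace_mechanism(true_count, COUNT_SENSITIVITY, epsilon, rng), 2))
    worst = max(privacy_loss(x / 10, true_count, neighbour_count, COUNT_SENSITIVITY, epsilon)
                for x in range(-200, 300))
    print("worst-case privacy loss over outputs:", round(worst, 3), "<= epsilon", epsilon)
```

The privacy_loss function is the check a practitioner actually wants: whatever value is released, an observer comparing the dataset with respondent 1 against the one without cannot shift their belief by more than a factor of e^ε. Smaller ε means stronger protection and noisier counts, which is the privacy-utility trade-off the section describes.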
The role of PETs in the privacy-utility trade-off is not black and white. Their usefulness hinges significantly on the intent that underpins a project. If the underlying intent of a project is to spy on the public, no PET will help; deploying one there would only undermine the very ideals it seeks to uphold.
privacy
ai
data
technology
data science