Unfortunately, we’re always going to have roadblocks in implementing new technology. Being held accountable is one of them. If you’re trying to meet mission goals and do good using new technology, you’ll need to make sure your cyber tools limit potential harm. Issues like privacy, bias, access, data protection, and disclosure are some of the key factors in making sure that AI and personal data is used properly. Improper development in these key areas, or simply ignoring them, can mean that your product is putting constituents, beneficiaries, members, and even stakeholders at risk.
It’s critical to meet a high standard in creating new digital tools. More and more, cyber instruments are available to support progressive missions and visions. AI, big data, civic tech, mobile data, blockchain, internet of things, health tech, and other cutting edge platforms all require accountability measures from top to bottom. If your organization is looking at collecting and analyzing data, be sure to take steps to make sure you are accountable for how that data is stored, used, and interpreted. If data is collected, stored, or transmitted insecurely, you put people at risk of having their private information leaked. If data is analyzed incorrectly, you may inadvertently harm beneficiaries.
For NGOs or social enterprises to continue to welcome public trust, we must make sure that all precautions are taken to meet ethical and legal requirements when using advanced technology. Below are some of methods to ensure accountability, prevent issues from arising, and to check for problems from design to execution.
Legal and Ethical Basics
When you start looking into new technology tools, you’ll need to review regulatory and ethical requirements based on your plans. Your organization may require certain types of regulation and management based on the data that you collect or the jurisdiction that you’re in. Fortunately, there are laws in place to protect consumers from improper management of their personal data. However, organizations need to step up to adhere to strict ethical standards, even if the law does not require them. If you have ethical policies in place, you can use them as a reference for how to govern your data.
Many NGOs are new to hi-tech, but we can review existing, traditional standards and best practices to start. Let’s have a look at the Standards for Excellence Institute Ethics and Accountability Code. While each of these codes provide a good reference, three items in the Legal Compliance and Ethics section stand out: maintaining legal compliance, required public disclosures, and ethics. While these are not specific to the use of technology, their basic tenets reflect the goals organizations should try to achieve.
First is legal compliance. That means reviewing the legal requirements of data storage, collection, and transfer. It seems obvious to make sure you’re abiding by the law, but it can be easily overlooked. One example that most organizations are familiar with is the CAN-SPAM Act, as it’s known in the US. Around the world, commercial electronic communications, like email, have basic requirements. Things like opt-in and opt-out, sender identity and labeling, and contact information. More advanced regulations, for example those in Europe, control where and how data about individuals can be transmitted digitally. We’ll talk more about European regulations later, as they provide a good framework for accountability. Another good example of a legal requirement is accessibility. Ensuring that your tools are available to people with a “diverse range of hearing, movement, sight, and cognitive ability” is not only ethical, it’s often required by law. In the US, this falls under 508 Compliance.
Second, publicly disclose your adherence to the laws and regulations required, as well as disclosing any information that is ethically pertinent to your technology use. One typical example is the use of cookies. Many companies disclose that they are collecting data about their website users. In many jurisdictions this is required. However, if it is not, it’s probably a good idea to do so, particularly if you’re collecting any details other than typical visitor data. Another very important example is the disclosure of data breaches. If the personal data you’ve collected is compromised, you should immediately disclose to those affected, as well as to organizational stakeholders. More on this later. Finally, if there is other critical information about how you are collecting or using data that could affect individuals, it may be best to explain that to those users and your organizational stakeholders.
The last point, although a bit redundant, is ethics. If your use of technology employs the following schema, chances are you’re maintaining a healthy and accountable technology program. The Standards for Excellence Institute outlines four items:
- Nonprofits should ensure that they have an explicit and clear set of ethical principles and, as appropriate, operational or program standards that have been discussed by their board and staff and that are transparently clear to all stakeholders.
- In rendering its programs or services, a nonprofit should act with the utmost professionalism and treat persons served with respect.
- Nonprofits should provide an effective procedure for problem solving or reporting grievances, including but not limited to, legal or ethical misconduct by the organization’s employees and volunteers. The procedure should include actions for addressing and resolving complaints effectively.
- Nonprofits should have policies in place that protect the confidentiality and privacy of personal information.
Getting Technical with Explanations
In addition to traditional basics of accountability being applied to technology, technologists are looking at specifics that will shape how tools are developed and used. One such group is an interdisciplinary panel of scholars that took it upon themselves to investigate how to hold AI accountable. The team, consisting of legal scholars, computer scientists, and cognitive scientists, delves into how to use explanation as an accountability measure for AI. In short, there are cases where an artificial intelligence machine should be able to explain, so that a human can understand, how a decision was made. The panel reviews legal scholarship, specific cases, technical limitations, and resource/cost implications in depth to determine that explanation, when used properly, can help create accountability for decisions made by AI.
First, they explain that not every decision needs an explanation. They base this on everyday norms and behaviors, as well as a legal framework. For example, it’s probably not necessary for a decision-maker to explain a decision if it doesn’t impact anyone else. Also, for different cases, we require different levels of explanation. For example, when a young doctor makes a decision, they may need to explain it to their superiors. But when experienced doctors make decisions, they don’t always need to explain as often or in as much detail. From the legal perspective, here is another look at how the need for explanations can vary:
…a judge ruling on a motion to grant a hearing can generally do so with little or no explanation; the decision is highly discretionary. But a judge handing down a criminal sentence — one of the most important decisions a court can make — must provide an explanation so that the defendant can detect and challenge any impropriety or error [O’Hear, 2009]. On the other hand, a jury cannot be compelled to explain why it believed a certain witness or drew a certain inference, even though these decisions may have an enormous impact on the parties. One justification given for not demanding explanations from juries is that public accountability could bias jurors in favor of making popular but legally incorrect decisions; another is that opening jury decisions to challenges would weaken public confidence in the outcomes of trials and bog down the legal system [Landsman, 1999].
They go on to explain that an AI explanation should be based on two concepts: local explanations and counterfactual faithfulness.
- Local explanations refer to a machine’s ability to describe an individual decision, and not just the general process by which it makes decisions. For example, what were the most important factors that led to a particular outcome.
- Counterfactual faithfulness means that if we change factors in the decision-making process, then the outcomes should change. For example, if the AI explains that one input value was a deciding factor, if we change that input, the result should change. The end result being that if we provide a counterfactual based on an explanation, the decision should be affected.
The importance of these concepts is that we can hold a machine accountable without knowing all of the inner workings of it. Providing explanations in this manner is valuable for two reasons. It protects trade secrets on how the AI is built, and it doesn’t require complex technical knowledge to understand the AI mechanics.
In addition to explanations, the authors explain two other tools for holding AI accountable. One is a theoretical guarantee, where the problem and the solution can be formalized mathematically and backed up with proofs. They use encryption as an example, it can be trusted because of the math that defines it. The other is statistical/empirical evidence. This is used when an individual decision doesn’t present a problem, but issues arise after a large number of outcomes are visible through statistics. For example, “a loan approval system might demonstrate its bias by approving more loans for men than women when other factors are controlled for.” For each unique decision, you may not see an issue, but in aggregate, the problem is clear.
One of the key areas where tools like explanation, theoretical guarantees, and statistical evidence are extremely valuable is bias. Bias is one of the important topics in the proper use of AI right now. It is particularly important to organizations trying to serve populations in need. One of the major factors leading to bias is skewed source data. If your AI is learning based on skewed data it could lead to exclusionary or discriminatory results.
Regulating Accountability
Launching soon are regulations in Europe that hold companies accountable for the way they manage data. The EU General Data Protection Regulation (GDPR) “is the most important change in data privacy regulation in 20 years” and affects a variety of technology operations. Adhering to these changes can help make sure any development you undertake will protect your stakeholders, beneficiaries, members, or constituents. The regulations go into effect May 25, 2018. You can find a full PDF of the legislation here.
If you’re in the EU, you’re required to follow these rules and you should probably speak with a lawyer about your compliance. Outside Europe, they provide an important framework for how to proceed. The advantages of these new regulations is that they’re based around what a consumer should expect in order to be protected. Let’s have a look at some of the rights being protected by these new regulations.
Consent
In order for data to be collected, companies must get consent from individuals, in an “intelligible and easily accessible form” that can’t be “full of legalese.” Sound good? While this probably won’t eliminate the long, confusing terms of service sometimes associated with software, this is a good step. As organizations ramp up the types of data they’re collecting, and extend the reach of their tools, this will be important in making sure that every user understands what they’re taking part in. For any organization that is familiar with scientific research, this type of consent should be no problem. Now it’s just about incorporating it in your online tools in an understandable way.
Breach Notification
Data breaches and hacks are a scary topic to discuss. Announcing a hack is a frightening prospect. If you have users’ personalized information stored online, you need to be accountable to those people. If your data is compromised, the ramifications for your organization could be huge. Now, companies are required to notify stakeholders about breaches of information. If the breach is “likely to result in a risk for the rights and freedoms of individuals” then companies have 72 hours to disclose. Hopefully this is already on your books if you keep any personalized data. You can also look into a new service, called cyber liability insurance, if you have concerns about your data security.
Right to Access and Right to be Forgotten
Users should have the right to find out what data you are collecting about them and how it’s being used. Additionally, they should be able to request for data to be erased and no longer disseminated. This is also tied in with consent: users should be able to withdraw consent even after it has been given.
Privacy by Design
This is an interesting concept that many companies and organizations skip over. Now it will be grounded in regulation. The regulation is that privacy should be built into new technology from the planning stages, not added ad hoc later on. If you’re thinking about creating a new cyber platform, make sure you have a plan for keeping data private before you start. If you’re in Europe and you don’t incorporate privacy protection when you launch a new product, you could face legal ramifications. Outside of Europe, this is still a critical piece of any new tech venture, and should be well thought-out in advance.
Data Protection Officers
This is a complex regulation and may not apply to many organizations. Under the GDPR, you must appoint a Data Protection Officer (DPO) if you meet certain requirements. The rule largely applies to companies that “require regular systematic monitoring of data subjects on a large scale” like Google, Facebook, or Amazon, as well as vendors they work with. However, the rule also includes companies that process “special categories of data or data relating to criminal convictions and offences.” According to the legislation, special categories means the following:
…personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation
The role of the DPO, among other things, is to monitor compliance with the GDPR and other data protection laws, including managing internal data protection activities, advise on data protection impact assessments; train staff and conduct internal audits and be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers etc). This is a crucial activity that can help keep technology platforms accountable. If you’re an NGO that works with this sensitive information, or with criminal information, you should ensure that you have the proper processes in place to protect your data. This may include, at a minimum, assigning a dedicated DPO.
There are a variety of other regulations laid out by the GDPR and a heap of legal analysis on it as well. If you’re in the EU and concerned about these regulations, speak to your legal representative. If you’re outside the EU, this should provide a reference on what is diligent in making sure you can be held accountable.
Conclusion?
There is a lot more to accountability than just what’s outlined here, particularly when it comes to the regulations. This is by no means a legal recommendation about how to proceed in developing your technological tools. But, making sure your technology can be held accountable is critical for any mission-driven organization looking to use technology to meet their goals.
Unfortunately, some of the recommendations here are resource intensive, but hopefully not prohibitively so. However, holding NGOs to the highest standard is important to protect the people being served. Rigorous and thoughtful design and planning, as well as monitoring and evaluation, is crucial wherever possible. Technological applications are no different.
If you have any recommendations for how to make sure your technology is accountable, be sure to share!
Originally published on January 3, 2018.