Best listening experience is on Chrome, Firefox or Safari. Subscribe to Federal Drive’s daily audio interviews on Apple Podcasts or PodcastOne.
To accelerate the adoption of emerging technology such as artificial intelligence, biometrics and the Internet of Things, the National Institute of Standards and Technology has released the first draft of a privacy framework that sets an ethical foundation for data usage.
NIST Director Walter Copan, also the undersecretary of commerce for standards and technology, said Wednesday that the framework’s first version, which the agency released Jan. 16, helps set outer boundaries for the rapid expansion of emerging tech industries.
But more importantly, he said striking the right balance between privacy and innovation “means enjoying the benefits of innovative products while upholding our country’s founding values.”
“Getting privacy right will underpin the use of technologies in the future, including AI and biometrics, quantum computing, the Internet of Things and personalized medicine. These technologies all will be a big part of our future,” Copan said at a Center for Strategic and International Studies event.
Meanwhile, the Census Bureau has already taken steps to deploy differential privacy for the results of the decennial population count. The technique injects mathematical “noise” into the data to protect the identity of individual responses to the census, while still producing valuable statistical information.
As another part of NIST’S roadmap for the framework, Copan also announced the launch of a guide to help small- and medium-sized businesses develop privacy standards.
“Over the next few months, we’ll be reaching out to these innovative smaller companies with their resource constraints understood to better have a sense of how the privacy framework can help enhance their work and their operations,” he said.
Based on the feedback gathered from industry, Copan said the NIST privacy framework will include supporting materials the agency will develop with stakeholders to provide further clarity on how to use the privacy framework.
Jason Matusow, the general manager for Microsoft’s corporate standards group, said the privacy framework not only aligns with NIST’s popular cyber framework, but looks to bridge the gap between privacy and cybersecurity officials.
“Security individuals and privacy individuals in companies frequently don’t work well together in the sandbox,” Matusow said during a CSIS panel discussion. “You have some conflicting objectives and there’s a sense of overlap that creates organizational tension at times. Having these two frameworks so tightly linked together is a really practical outcome that helps achieve a more effective privacy practice.”
“Understanding these risks can really allow organizations that build the technologies that shape our world … to make better decisions about protecting privacy when they’re designing their products and services before individuals ever even touch them,” Lefkovitz said.
As part of its framework, NIST will work with its National Initiative for Cybersecurity Education to identify “skills profiles” necessary for privacy assessment work.
Michael Cronin, IBM’s vice president for ethics and policy, said those conversations should not only reflect how to build those skills, but “finding ways to hire people with those skills, changing the model of how we educate people.”
Chris Calabrese, Center for Democracy and Technology’s interim co-CEO and vice president for policy, said the framework is a useful tool for industry to have a common understanding of privacy issues, and outlining what it means for businesses to weigh privacy risks.
However, like any tool, he warned that the framework can only do so much, and warned organizations to not view these privacy considerations as a check-the-box exercise.
“If a company is a good company that wants to engage in good data practices, this tool will allow them to do a good job. If it’s a company that just wants to sort of check a box or worse — maybe obscure practices that aren’t good — this is not a magic fix, it’s a voluntary process,” Calabrese said. “At the end of the day, it’s not a substitute for a legislative approach or a regulatory approach, but it is a very useful supplement,”
That report found that 55% of “high-growth” companies are “highly concerned about the ethical ramifications” of emerging technologies, while only 27% of low-growth companies expressed similar concerns.
“Every adoption of new technology is a chance to either gain or lose trust with the consumer,” Calabrese said in reference to the Deloitte report.
In addition, Microsoft’s Matusow said the NIST framework recognizes that “privacy is not a destination” — a modification of an adage commonly applied to cybersecurity.
“Certainly as new technologies come onto the market, new technologies bring about interesting dynamics to assess. The framework needs to evolve with it,” he said.