At a glance.
- US lawmakers call for agency focused on AI regulation.
- Montana bans TikTok.
- US lawmakers say budget delay could hurt cybersecurity.
- Trends in data brokerage lobbying.
US lawmakers call for agency focused on AI regulation.
As we noted yesterday, OpenAI CEO Sam Altman testified before the US Congress this week to discuss ways to mitigate the potential perils of artificial intelligence. Wired reports that senators at the hearing from both sides of the aisle voiced their desire to create a federal agency devoted solely to regulating AI. Senator Peter Welch, a Democrat from Vermont, stated, “Unless we have an agency that is going to address these questions from social media and AI, we really don’t have much of a defense against the bad stuff, and the bad stuff will come. We absolutely have to have an agency.” Senator Richard Blumenthal, a fellow Democrat and chairman of the hearing, noted that an AI regulator would need sufficient financial support to keep up with the rapid developments in the AI sphere. “Without proper funding you’ll run circles around those regulators,” Blumenthal told Altman and Christina Montgomery, IBM’s chief privacy and trust officer. However, not everyone agrees a single regulating body is the solution. The think tank Center for Data Innovation released a letter after the hearing stating, “Just as it would be ill-advised to have one government agency regulate all human decision-making, it would be equally ill-advised to have one agency regulate all AI.” Instead, the Center advocates for updating current laws and encouraging existing federal agencies to engage in AI oversight.
Michael Rinehart, VP of Artificial Intelligence at Securiti, warns of the risks of introducing sensitive data into AI models:
"The advancements in AI technology have raised important questions about data privacy and the potential risks associated with the use of sensitive data in AI models. In this context, AI regulations are likely to converge to address privacy concerns and ensure that AI systems do not violate individual privacy rights.
"It is crucial for organizations to be cautious when ingesting personal or sensitive data into AI models. Once AI systems are trained on such data, they are not able to ‘unlearn’ or remove the knowledge gained from it. Organizations must establish robust controls and safeguards to ensure that only necessary and privacy-compliant data is used for training AI models. Implementing strict access controls, anonymization techniques, and data governance frameworks can help protect privacy rights and minimize the potential for misuse or data breaches.
"To protect privacy in AI, organizations can adopt various techniques, including masking, differential privacy, and synthetic data generation. Masking sensitive attributes or personally identifiable information during model training can prevent the direct identification of individuals while retaining the data's usefulness. Differential privacy, by adding noise to the data, safeguards against re-identification attacks and prevents individual identification. Synthetic data generation creates artificial datasets that mimic real data's statistical properties but do not contain any personally identifiable information. As part of a privacy-first approach to data analytics, generative AI can and should be coupled with these data privacy techniques. Moreover, specialized training techniques in generative AI can produce Differentially-Private Synthetic Data, which preserves data utility while providing provable guarantees in data privacy."
Montana bans TikTok.
The Wall Street Journal reports that Montana has become the first US state to approve a comprehensive ban of TikTok. Passed by the state legislature last month, the bill was signed into law yesterday by Montana Governor Greg Gianforte and is set to go into effect on January 1, 2024. The company will be banned from operation in Montana, and app stores will be forbidden from offering the popular video-streaming app for download in the state. Reuters offers a detailed rundown of the many allegations the US has against TikTok, including long-simmering concerns that the platform’s China-based owner ByteDance is feeding user data to the Chinese government. Gianforte said in a statement, “Today, Montana takes the most decisive action of any state to protect Montanans’ private data and sensitive personal information from being harvested by the Chinese Communist Party.” Legal challenges to the bill are expected, and TikTok responded to the ban by stating, “The bill’s constitutionality will be decided by the courts.” AP News notes that opponents of the bill have argued that banning any platform, including TikTok, is a violation of free speech. Keegan Medrando, local policy director at the American Civil Liberties Union, explained, “With this ban, Governor Gianforte and the Montana legislature have trampled on the free speech of hundreds of thousands of Montanans who use the app to express themselves, gather information, and run their small business, in the name of anti-Chinese sentiment.” Quartz predicts that Montana lawmakers are certain to lose any legal challenge based on upholding the First Amendment.
Carl Szabo, the vice president and general counsel of the tech trade association NetChoice, wrote in a statement, “The government may not block our ability to access constitutionally protected speech—whether it is in a newspaper, on a website or via an app.” Furthermore, even if the measure is deemed constitutional, tech experts say it’s unclear exactly how the ban would be enforced, especially considering that Montana residents could use a virtual private network to make it appear their devices are outside the state.
Paul Bischoff, Consumer Privacy Advocate at Comparitech, dismisses the state's law as a stunt. "Montana's ban on TikTok is a publicity stunt that will never be upheld in court. It's a clear violation of First Amendment rights, cannot be enforced, and has no basis in fact. Gianforte is trying to stir up anti-China sentiment among his base. TikTok doesn't pose any more threat to an average person than any other social network. I understand if you want to ban TikTok on government devices, but banning it on personal devices is never going to work, technically or legally."
Chris Hauk, Consumer Privacy Advocate at Pixel Privacy, takes a similarly jaundiced view of Montana's action. "This is simply another case of politicians and their virtue signaling, playing to the crowd. While I agree that TikTok should be banned from government devices, it is totally illegal to try and ban the app from civilian devices."
Alex Applegate, Senior Threat Researcher at DNSFilter, thinks the ban won't work, and will in fact tend to drive users in the state toward other, even less secure alternatives:
“Montana has become the first US state to ban TikTok after the governor signed legislation prohibiting mobile application stores from offering the app within the state by next year. Without a doubt, there is going to be an uptick in circumventions in Montana. TikTok is too ubiquitous socially for a local ban to really work. The content makers aren't going to stop, and it's too easy to get around almost any limitation by simply using a VPN or other tunneling technology. There are ways to make it work on a national level, but a single state would be a tough sell. Looking specifically, Montana is a fairly low-population, technology-light state with an elevated age demographic. The population is largely concentrated in a few population centers (and the ones that aren't in major population centers are not the ones to worry about and not worth the effort to fight against from a cost-effectiveness standpoint), so that'll help, but it's still really just security theater - the practice of taking security measures that are considered to provide the feeling of improved security while doing little or nothing to achieve it.
“Back in March, we observed a 650% increase in malicious TikTok activity (domains that include “tiktok” in the domain name). This shows us that threat actors are taking advantage of TikTok’s consistent news presence, meaning internet users should be more aware of potential phishing attempts related to TikTok. Attackers will capitalize on Montana residents looking for ways to circumvent the ban to steer users toward malicious websites with phishing and deception tactics, including domains that distribute malware. A malicious TikTok domain is any website designed to mimic, to convincing detail, the actual https://www.tiktok.com website. This could be a domain that houses malware, is a component in a ransomware attack such as a C2 domain, or a phishing site designed to capture personal information. Because many data breaches originate as phishing scams, deceptive sites make up a large percentage of DNS-based threats. As we’ve seen before, threat actors will take advantage of any new avenue with high volumes of traffic and vulnerable data.”
US lawmakers say budget delay could hurt cybersecurity.
There are growing concerns that the US Congress will not pass a 2024 budget by the start of the fiscal year, and during a three-hour Senate Appropriations Committee hearing on Tuesday, the State Department expressed worries that the delay could negatively impact cybersecurity. State Department Secretary Antony Blinken predicted that the State Department would “have real challenges when it comes to the investments that we need to make in security and upgrades—physical and cyber—leaving our personnel, leaving our facilities, leaving our cyber defense more vulnerable than it otherwise would be.” The State Department requested $750 million to bolster its cybersecurity programs, including zero-trust architecture and increased protection for staff end-user devices, and Blinken added that the budget proposal contains critical funding needed to expand missions in the Indo-Pacific region to “counter China's growing influence.” Defense One notes that the situation isn’t exactly new, as Congress has been tardy in approving its budget for decades, but at the hearing lawmakers emphasized how a budget delay this year could particularly hamper efforts to remain competitive with adversarial powers like Russia and China.
Trends in data brokerage lobbying.
While the data brokerage industry has become increasingly lucrative in recent years, proposed federal legislation protecting users’ privacy rights could make it more difficult for such companies to profit off of user data. Incogni conducted a study on the lobbying activities of data brokers, and the report shows that these companies have been steadily increasing their lobbying efforts to prevent the passage of such legislation. The researchers analyzed a total of 140 companies lobbying on behalf of forty data brokers or broker-owning companies, and the amount of money spent on lobbying increased from $37.5 million in 2020 to $49.6 million in 2021 and $56.1 million in 2022. Data broker owner Oracle Corporation spent the most – over $42.1 million, around 29.4% of all recorded spending – with Accenture trailing in distant second at $11.8 million. While it’s difficult to get a distinct idea of what issues these lobbyists are pushing, financial institutions, investments, and securities appeared in nearly a quarter of all the reports analyzed, while consumer issues, safety, and protection were only mentioned in 12%. Nearly a quarter of reports directly addressed privacy issues, likely with the aim of minimizing the need for privacy protections for users.