Hello everyone. Before we get started, I'd like to remind you that you can submit questions for our speakers in the Q&A section of this webinar. This event is also being recorded, so please ensure your questions do not contain identifiable information if you wish to remain anonymous. The recording will be made available by the end of the week on the Safe Computing website at safecomputing.umich.edu.

Welcome, and happy Data Privacy Day. My name is Svetla Sytch, and I'm the assistant director of privacy and IT policy at the University of Michigan. I am thrilled to welcome each and every one of you to a Privacy at Michigan event on a day dedicated to raising awareness about privacy and promoting data protection practices. Privacy at Michigan is an event series co-sponsored by the University of Michigan's Information and Technology Services department and the School of Information. We organize events that provoke thought and discussion on privacy topics relevant not only to our academic and research communities but to society at large. With me today is Professor Florian Schaub, one of the thought leaders and organizers behind Privacy at Michigan. He is an associate professor of information at the School of Information, associate professor of electrical engineering and computer science at the College of Engineering, and also an adjunct professor of law at the Law School here at the University of Michigan. Florian's research combines privacy, human-computer interaction, emerging technologies, and public policy. So without further ado, I will turn it over to Florian to introduce our special guest for Data Privacy Day 2025.

Thank you, Svetla. It's my great pleasure to welcome Dr. Sauvik Das here today. Dr. Das is an assistant professor at Carnegie Mellon University's Human-Computer Interaction Institute, where he directs the Security, Privacy, Usability and Design Lab, or SPUD Lab for short. Dr. Das's research is at the intersection of human-computer interaction, artificial intelligence, and cybersecurity, and his work aims to answer the question: how can we design systems that empower people with improved agency over their personal data and experiences online? As a consequence, a lot of his recent work has focused on investigating the privacy implications and risks of emerging AI technologies and applications, but also on how we can leverage AI to better protect people's privacy. As such, we thought Sauvik would be a perfect keynote speaker for our privacy day, and Sauvik, we're very excited that you're joining us today. Please take it away.

Well, thanks, Florian, for that great introduction, and thanks, Svetla, for stewarding this whole process. I'm really honored to be here. I like to joke that I've been doing this for 15 to 20 years now but still haven't managed to get "assistant" or "intern" out of my title; hopefully that changes sometime soon. So, hi everyone, I'm Sauvik, and I'm going to be speaking for the next 30 minutes or so about a topic I call privacy in the age of AI. I'm sure you've heard all sorts of other talks about the age of AI and how it has changed other things. I've worked on a lot of things related to privacy and security at large, so the natural question is: why this talk, and why now? One of the big reasons is that people are pretty apprehensive about how rapid advances in AI will impact, and are already impacting, personal privacy.
And that's not surprising, because it seems like every other day we see a new article about a new AI system causing a new, egregious privacy violation of some kind: from law enforcement use of facial recognition, to the use of deepfakes to create non-consensual intimate imagery, to questions over consent in the use of personal data to train large language models. Given all of this recent energy around AI and its malcontents, it's perhaps unsurprising that a recent survey of 10,000 people from all over the world found that people believe AI will result in less privacy in the future, and that they feel particularly pessimistic about the impacts of AI on privacy compared to almost every other aspect of life. That's the consumer perspective. From the practitioner perspective, a 2019 review of 84 guidelines for developing ethical AI technologies found that privacy was one of the five most commonly cited principles for ensuring that the AI products we create are built responsibly and with ethical frameworks in mind. And yet prior work has also shown that practitioners don't have much in the way of AI-specific privacy guidance.

Now, before I go any further, I do want to acknowledge that dialogues about AI and privacy are not new. In some ways the two are inextricably bound, because many of the fundamental privacy risks we've talked about in the context of the internet and digital privacy, spanning decades, had to do with the idea that data was being collected automatically and processed algorithmically, for reasons that were often opaque to the broader population. But it's clear to anyone who's been paying attention that modern advances in AI and machine learning have greatly expanded in capability. It's just not completely clear if and how these enhanced capabilities have changed the surface area of privacy risk. To complicate things further, there's a great deal of hype around what these technologies can and cannot do, making it difficult to distinguish real risks from speculative ones. So: does AI fundamentally change something about privacy? Do practitioners really need AI-specific privacy guidance? We need to proceed with some caution here, so that our work stems from a firm foundation and not from a place of fear, uncertainty, and doubt; we don't want to fall prey to the AI hype that's also rampant today.

To that end, there are two fundamental questions I'm going to explore in the majority of this talk. The first is: how does AI change privacy risks, if it does at all? The second is: how well are practitioners equipped to recognize and mitigate these risks?

Let's start with that first question. Answering it was the focus of a CHI paper led by my student Hank Lee, which he presented last year. In it, we introduced a taxonomy of privacy risks entailed by the capabilities and requirements of modern AI technologies. To keep our process grounded in reality and not speculation, we scoped our analysis to cases of documented privacy harms related to an AI product or service. We sourced these cases from a popular AI incident database, the AIAAIC, a curated database of over a thousand incidents where AI appeared to cause some kind of harm. This list is tagged with a variety of pertinent criteria, one of which is privacy, and over 300 of these cases were tagged as being related to privacy in some way.
We manually analyzed these to see if the privacy risk described in each incident was created by, exacerbated by, or otherwise not meaningfully changed by the capabilities and requirements of modern AI. To assist in our assessment, we rooted our analysis in Solove's popular 2006 taxonomy of privacy as a baseline, because that taxonomy was proposed at a time when privacy concerns entailed by computing and the internet did loom large, but before we could grasp the capabilities of modern AI technologies the way we grasp them now. If the risk described in an incident appeared to be captured directly by Solove's taxonomy, in a manner where the capabilities and requirements of modern AI didn't seem to play a significant role, we considered the case largely unchanged. If, on the other hand, the described risk appeared to be different from what was plainly captured by Solove's taxonomy, we asked: is the risk fundamentally enabled by the capabilities of modern AI, or is it exacerbated by the requirements of these AI technologies?

The punchline is that in around 93% of the incidents we analyzed, the capabilities or requirements of modern AI technologies seemed to either create or exacerbate the described risk in some way. We further sorted these incidents across 12 broad categories of risk; some of these are based on Solove's taxonomy, in fact many of them are. I'll highlight a few of them here, but the paper more formally defines and illustrates each case if you're interested in learning more.

Let's start with the privacy risks that AI exacerbates. Identification risk, in Solove's taxonomy, relates to linking digital data points to an individual's identity. A picture of your face, for example, is not necessarily linked to your identity by default, but facial recognition technology makes it much easier to do so. AI technologies simplify and facilitate linking across many data sources, even with low-quality or obfuscated data; facial recognition can now work even if you're wearing a mask, for example, and it does this in near-real time and at an unprecedented scale. Clearview AI is a really good example of this; many of you have probably heard of it. Facial recognition existed long before modern computer vision (which has, of course, made it much better), and our faces have always been clearly tied to our identities. But what Clearview AI did was make it possible for a police officer, in real time, to index into your online presence with just a hastily captured picture of your face. This is an example of how modern AI technologies exacerbate a risk beyond what was previously possible. There is even talk of using AR glasses to make this happen in real time.
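To make the identification risk concrete, here is a minimal sketch of the underlying pipeline, using the open-source face_recognition library as a stand-in. The gallery, file names, and threshold are hypothetical; real systems like Clearview operate over billions of scraped images with far more sophisticated indexing.

```python
# Minimal face-identification sketch: embed faces, then nearest-neighbor match.
# Gallery paths and coordinates are hypothetical stand-ins for illustration.
import face_recognition
import numpy as np

# Build a small "gallery" of known identities from labeled photos.
gallery = {
    "alice": face_recognition.face_encodings(
        face_recognition.load_image_file("alice_profile.jpg"))[0],
    "bob": face_recognition.face_encodings(
        face_recognition.load_image_file("bob_profile.jpg"))[0],
}

# A hastily captured probe photo, e.g., from a phone or body camera.
probe = face_recognition.face_encodings(
    face_recognition.load_image_file("street_photo.jpg"))[0]

# Link the unlabeled face to a named identity by embedding distance.
names = list(gallery)
distances = face_recognition.face_distance([gallery[n] for n in names], probe)
best = int(np.argmin(distances))
if distances[best] < 0.6:  # this library's conventional match threshold
    print(f"probable match: {names[best]}")
```

The point of the sketch is how little glue code the linking step takes once face embeddings exist; the hard part (and the part that changes the risk calculus) is the scale of the scraped gallery.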
Similarly, surveillance existed long before AI, but AI dials it up to 11 by incentivizing the collection of ever more data, with the promise of being able to make sense of it automatically. There are reports, for example, of governments using CCTV to automatically identify and track religious minorities. There are also reports of how schools can spy on kids through increasingly sophisticated tracking software and hardware. This passive capture of ever more data is only practical and cost-effective because vendors promise to use AI technologies to make sense of the fire hose of data. If you recall, just last year Microsoft announced its new Recall product for its AI-infused PCs, which would take screenshots of users' PCs every few seconds for later retrieval and processing. They have since paused this because there was a lot of backlash. Microsoft was adamant that this data would never leave the user's PC, but it's not hard to imagine a future where, once this sort of data collection is normalized, the data could be subpoenaed or otherwise compromised in ways we're not currently envisioning.

More immediately, another risk that AI exacerbates is insecurity. Insecurity is rooted in institutions being bad data stewards: owing to a lack of security, or perhaps poor judgment, companies like Equifax have been attacked, compromising the personal data of pretty much every single person in the United States. AI doesn't change the fact that they are bad stewards, but it does introduce entirely new attack vectors for leaking personal data that weren't previously considered. A good example is memorization risk in LLMs. LLMs can memorize training data verbatim and can be made to regurgitate this data in response to certain prompts. For example, a chatbot deployed in South Korea, Lee Luda, was made to output the names, emails, and addresses of people whose information was included in its pre-training data. In the three years since, not a ton has changed; even GPT-4o can be made to do this, though the prompting techniques now need to be more intentionally adversarial than they were in the past.
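As a rough illustration of what a memorization probe looks like, here is a minimal sketch using Hugging Face transformers. The model choice, the "known record," and the prefix length are hypothetical stand-ins; real extraction attacks on production models are considerably more adversarial than this.

```python
# Sketch of a verbatim-memorization probe: feed a model the prefix of a string
# suspected to be in its training data and check whether it completes it.
# The model and the record below are stand-ins, not a real extraction attack.
from transformers import AutoModelForCausalLM, AutoTokenizer

tok = AutoTokenizer.from_pretrained("gpt2")
model = AutoModelForCausalLM.from_pretrained("gpt2")

known_record = "Jane Doe, 123 Main St, jane.doe@example.com"  # hypothetical
prefix = known_record[:18]

inputs = tok(prefix, return_tensors="pt")
out = model.generate(**inputs, max_new_tokens=30, do_sample=False,
                     pad_token_id=tok.eos_token_id)
continuation = tok.decode(out[0], skip_special_tokens=True)

# Verbatim completion of the rest of the record is evidence of memorization.
print("memorized" if known_record in continuation else "not reproduced verbatim")
```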
So beyond the risks AI exacerbates, let's talk about the risks AI creates; these are usually tied to the capabilities of AI. We found that the capabilities of AI can create new types of known categories of risk from Solove's taxonomy, as well as one new category of risk that is not cleanly captured by the taxonomy.

First, AI is being used to create new types of distortion risks, or methods to spread false information about people. This is broadly related to misinformation and disinformation, and the canonical examples are deepfakes, which people are particularly worried will threaten the integrity of the information ecosystem at large. While artificially generated deepfakes have not yet run rampant the way some of us fear they will, they are already being used maliciously. There are documented examples of 4chan users using deepfake technologies to create videos of celebrities saying homophobic and racist things, which I'm sure none of you failed to predict when I said 4chan.

AI is also being used to create new types of exposure risks, or methods to reveal private information that people might view as deeply primordial in some way. The use of generative AI to create non-consensual intimate imagery, for example, constitutes this type of exposure risk, and it's the one people are most immediately worried about. These risks are not theoretical: people have been using generative adversarial networks, for example, to uncensor sexual content.

And there's also a new category of privacy risk, entailed by AI technologies, that was not well captured by Solove's taxonomy when we looked: physiognomy and phrenology. Physiognomy is the pseudoscience which purports that one can understand a person's character or personality traits by examining their physical features, particularly their face; if any of you have seen Minority Report, you might be aware of this idea. It traces its origins to the racist and eugenic ideals of 19th-century quacks, who claimed to have a scientific basis for explaining why certain groups of people were more primitive and prone to antisocial behaviors. Physiognomy has long been debunked, but AI is ushering in a bit of a revitalization of it. There have been attempts, for example, to use AI to classify people as gay or straight, or as criminals or not, based only on a picture of their face. It's nonsense, of course, but there's growing energy and excitement around these sorts of uses of AI. For those of you who want to see all of the categories along with their constituent examples, but don't want to read a paper (no judgment here), feel free to check out our privacy taxonomy website.

OK, so hopefully I've provided some evidence as to why we think modern AI does appear to change privacy risk in some way. But that begs the question: if AI creates new privacy risks and exacerbates others, how well equipped are practitioners working on AI products and services to recognize and mitigate these risks? To see why this might be an issue, consider existing notions of privacy-preserving machine learning, which is a really hot topic, and it should be. Techniques like differential privacy and federated learning take up a lot of the speaking space of privacy-preserving machine learning right now. They certainly help reduce some risks, but only a small subset of all the privacy risks that AI creates or exacerbates: primarily training-time processing and data collection risks. I can use differential privacy and federated learning, for example, to create something like a criminality classifier just fine; that doesn't fundamentally address the privacy risk inherent in the idea itself. Rhetoric around privacy-preserving machine learning nonetheless focuses very heavily on these techniques.
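To see concretely what these techniques do and don't protect, here is a minimal sketch of differentially private gradient averaging in the style of DP-SGD; the clipping norm and noise multiplier are illustrative values. Note what it guarantees: it bounds what the trained model can leak about any individual training example, while saying nothing about whether the model's task itself is harmful.

```python
# Minimal DP-SGD-style step: clip each example's gradient, add Gaussian noise.
# Parameter values are illustrative. This protects individual training records;
# it does not make, say, a "criminality classifier" any less harmful.
import numpy as np

def dp_average_gradients(per_example_grads, clip_norm=1.0,
                         noise_multiplier=1.1, rng=np.random.default_rng(0)):
    clipped = [g * min(1.0, clip_norm / (np.linalg.norm(g) + 1e-12))
               for g in per_example_grads]  # bound each person's influence
    noisy_sum = np.sum(clipped, axis=0) + rng.normal(
        scale=noise_multiplier * clip_norm, size=clipped[0].shape)
    return noisy_sum / len(per_example_grads)

grads = [np.random.randn(4) for _ in range(32)]  # stand-in per-example gradients
print(dp_average_gradients(grads))
```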
So how well are practitioners really equipped to identify and mitigate the whole range of potential privacy risks we discussed? We explored this question in a USENIX Security paper that Hank presented last year as well. We interviewed 35 practitioners who work on AI products and services, across many different companies and many different roles, and we asked them about their privacy work for specific AI products and services they had actually worked on in the prior six months. Our analytic focus was on three questions. How aware were practitioners of AI-created and AI-exacerbated threats, like the ones we discussed, when defining privacy work for their products? What motivated and inhibited this privacy work? And what affected their ability to do this work?

First, the awareness question. We found that when defining privacy work for their products, practitioners used the language of harm reduction and risk mitigation for users, as you would want to see and as you might expect. But the way they defined and situated these risks was often not specific to the capabilities and requirements of AI. For example, a technical lead discussed the need to make privacy-respecting machine learning models that would only be able to analyze data in the aggregate. A researcher expressed the inherent tension between implementing tight controls around data and providing enough access to stakeholders to improve understanding of product impacts. A software engineer stressed the importance of siloing data so that it's not used unexpectedly: "We want people's information to be safe and not used for anything else other than actually recommending them clothes." At this point many of you are probably saying, hey, that sounds a lot like what we think about already, and you're right. In short, nothing much changed in what we observed. Practitioners did not express much awareness of, for example, memorization risks or training-data reconstruction attacks. They viewed their privacy work pretty much the same as for any other product, because the structures in place for thinking about privacy remain generic and non-specific to AI.

In terms of motivation, we found practitioners exhibited three key motivators for their AI privacy work. The first was alignment with business interests: a privacy-focused AI product could be a competitive differentiator in today's market, for example. The second was social responsibility: some practitioners really did believe that their privacy work aligned with their personal values, and that's what drove them to do it. And the third, of course, was compliance: we don't do it by choice, it's enforced. But we also found that practitioners face many more inhibitors than motivators for their AI privacy work, and I'll cover a few of these here. One was that compliance requirements were overly rigid, reducing incentives for any product-specific privacy work that went above them; one participant described being met with resistance any time she advocated for privacy work, because the product was already "compliant." Others expressed incentive issues: one person described how caring about privacy work would slow them down, making them seem less productive relative to their peers and hindering career advancement. And still others expressed product-specific opportunity costs, the canonical model-utility-versus-privacy trade-off, where one person said that taking care of privacy basically means having less data, which means a worse-performing model. So, in sum, we found that AI privacy work is largely driven by meeting non-AI-specific compliance standards, and that practitioners face many more inhibitors than motivators at both a micro and a macro scale.

And finally: what constitutes, and what affects, practitioners' ability to do privacy work? People started by expressing the need to negotiate the value of privacy relative to other product goals. One person said, for example: "It's really just going the extra mile of, is this meeting users' concerns there? The bare minimum is just not very good." Others mentioned the need to undergo training, but said this training was very general and provided little AI- or product-specific guidance. Still others mentioned consulting references, other teams, and experts to understand best practices and how others handle privacy questions in the context of AI.
However, we found there were many ability barriers for privacy work as well. First, practitioners lacked a holistic view of the data pipeline, which made it difficult to assess how their products might contribute to downstream privacy risk for the company as a whole. One person said, for example: "The technology is often really sophisticated, and there are all kinds of AI and policy controls, like who can and can't see that data, and so it becomes difficult to tease out the true risk." Moreover, we found that while practitioners discussed lacking guidance for AI-specific privacy work, they were often in situations where they had to rely on individual judgment. One person said: "It's all pretty new, and so not a lot of people have the answer, and it really comes down to making my own decision." This is a good example of how many of these practitioners, who aren't trained in privacy, are at the front lines of doing this work, needing to make very privacy-pertinent decisions as they develop models and apply them to downstream products. To summarize: AI technologies do seem to have meaningfully changed privacy, and we need better systems to help practitioners recognize and mitigate the risks they introduce.

OK, so in this talk so far I've primarily focused on how AI technologies have changed and exacerbated privacy risks. But as with many disruptive new technologies, there is a flip side: it's risky, yes, but there are also opportunities. Is that true here? Do the capabilities of modern AI afford us unique opportunities for addressing long-standing privacy challenges? I won't get into too many details, but I did want to end this talk on a more optimistic note by showing some ways my group has been envisioning how AI technologies can also help address privacy risks. I'm going to show a few demos; these are often works in progress, so they'll be a little rough, and I'll be talking over the videos.

The first demo is Privy, which directly follows from the work I discussed in this talk. Recognizing that practitioners have relatively low awareness of AI privacy risks, we built a system that uses generative AI, in a controlled manner, to help practitioners without much privacy background (who, again, we found are at the front line of a lot of this work) reason about the AI privacy risks that may be present in their product concepts. Practitioners start by entering a brief description of their concept idea. Privy then aims to formalize the capabilities and requirements of the AI in that concept, as you can see here. It then generates use cases, helping practitioners brainstorm both intended and unintended use cases, and allows them to provide natural-language feedback to change outputs they think could be improved; you can see it generates several that a practitioner can carousel through. It also helps practitioners reason about impacted stakeholders, both the beneficiaries of a potential use case and those who might be disproportionately negatively impacted by it, again brainstorming a variety of these. Finally, it uses all of this information to surface the risk categories from our AI privacy taxonomy deemed most relevant to the given product concept.
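Here is a minimal sketch of the kind of staged prompting such a tool might use. This is not Privy's actual implementation; the client usage, model name, and prompts are all assumptions made for illustration.

```python
# Hypothetical staged prompt chain in the spirit of Privy (not the real system):
# concept -> capabilities/requirements -> use cases -> stakeholders -> risks.
from openai import OpenAI

client = OpenAI()  # assumes OPENAI_API_KEY is set in the environment

def ask(prompt: str) -> str:
    resp = client.chat.completions.create(
        model="gpt-4o-mini",  # stand-in model name
        messages=[{"role": "user", "content": prompt}],
    )
    return resp.choices[0].message.content

concept = "An app that infers mood from typing patterns to recommend music."
caps = ask(f"List the AI capabilities and data requirements implied by: {concept}")
uses = ask(f"Capabilities:\n{caps}\nBrainstorm intended AND unintended use cases.")
stakeholders = ask(f"Use cases:\n{uses}\nWho benefits, and who could be "
                   "disproportionately negatively impacted?")
risks = ask("Given the analysis below, pick the most relevant categories from "
            "a fixed taxonomy of AI privacy risks (e.g., surveillance, "
            f"identification, exposure, distortion):\n{caps}\n{uses}\n{stakeholders}")
print(risks)
```

Constraining the final step to a fixed taxonomy, rather than letting the model free-associate risks, is what keeps the generative component controlled.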
You could imagine this as a complement to static checklists. The aim is to give practitioners more directed guidance: specific feedback on which privacy risks might be most pertinent to their particular product and the particular use cases they're envisioning, across a whole range of unintended use cases, the people who might be impacted, and the specific privacy risks they might ultimately need to address.

OK, the next demo is Imago Obscura. Beyond helping practitioners address privacy risks, generative AI can also potentially help end users more easily convert privacy intention into action. How many of us, for example, have wanted to share photos online but hesitated because of privacy concerns? While there is a large body of end-user research that aims to improve image privacy, it's difficult for most end users to put it into practical use. This demo illustrates how we might use some of these technologies to help users identify and mitigate image privacy risks. Imago Obscura is an AI-powered image-editing copilot that enables users to identify and mitigate privacy risks with images they intend to share. To do so, Imago Obscura enables users to: one, articulate their image-sharing intent and privacy concerns; two, become aware of multiple contextually pertinent image privacy risks, including both risks they already recognize and risks they've overlooked; and three, apply recommended obfuscation techniques for the risks they choose to address, supporting informed decision-making about image sharing. I'm not going to show you the whole five-minute spiel, but that gives you a sense of how Imago Obscura introduces new design patterns where users can directly articulate what concerns them about sharing a particular image. It then uses a theory-backed approach, with generative AI, to analyze semantic regions of the image and identify where privacy risks related to the threat models users actually care about might be manifesting, and it provides just-in-time analytic feedback as well as opportunities to mitigate those risks using a variety of obfuscation techniques.
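As a toy illustration of the mitigation step, here is a minimal sketch that blurs one flagged region of an image with Pillow. In the real system the regions come from model-driven semantic analysis; the file names and box coordinates below are hypothetical.

```python
# Minimal obfuscation step: blur a region already flagged as risky.
# In Imago Obscura the region would come from semantic analysis of the image;
# the file names and coordinates here are made up for illustration.
from PIL import Image, ImageFilter

def blur_region(path, box, out_path, radius=12):
    img = Image.open(path)
    region = img.crop(box).filter(ImageFilter.GaussianBlur(radius))
    img.paste(region, box[:2])
    img.save(out_path)

# e.g., obscure a visible house number flagged as a location-disclosure risk
blur_region("photo.jpg", (420, 310, 520, 360), "photo_safe.jpg")
```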
Similarly, there's a large body of work demonstrating how end users struggle to reason about privacy risks in the textual content they share online while seeking informational and emotional support. Many people, for example, use Reddit to find informational support when facing a dilemma, or emotional support when going through a difficult time, but they might worry that what they're sharing could deidentify them later and cause negative downstream consequences. Generative AI technologies can help here too, by providing customized, just-in-time advice that lets users reason about risks to anonymity when sharing information on pseudonymous online forums like Reddit. Here's a demo of Privacy Mirror, a system we've developed that is something like a Grammarly for privacy. (You can also note the different aesthetic sensibilities of my students from their music choices: Kyzyl is clearly going for an upbeat and chipper vibe, whereas Isadora is going for a cool and calm one.) With Privacy Mirror, we developed a custom language model to detect self-disclosure risks and built a browser extension that provides just-in-time feedback to users, as they're crafting a post, about what might be potentially deidentifying. What's interesting is that we did an initial engagement with users to understand, from a human-AI teaming perspective, what they would want in order to make more informed decisions, and one thing we found is that they wanted support for the AI understanding posting context. If you're posting about Cushing's disease on a support subreddit for Cushing's disease, disclosing that you have Cushing's disease may not be a huge deal, because people there would expect that anyway. Understanding these contextual norms, what a community's conventions call for when you're sharing, is really important, because otherwise you run the risk of habituating users to privacy notifications they fundamentally don't need to care about. By accounting for things like posting context, you can provide much more useful and relevant feedback as people use the tool.
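Privacy Mirror uses a custom self-disclosure model, so the sketch below is only a stand-in: it flags identifier-like spans in a draft post with a generic off-the-shelf NER pipeline, with the posting-context filtering left as a comment.

```python
# Stand-in for Privacy Mirror's custom model: flag identifier-like spans in a
# draft post with a generic NER pipeline before the user hits "submit".
from transformers import pipeline

detector = pipeline("ner", model="dslim/bert-base-NER",
                    aggregation_strategy="simple")

draft = ("I'm a 34-year-old nurse at Mercy Hospital in Ann Arbor "
         "and I was just diagnosed with Cushing's disease.")

for ent in detector(draft):
    # A real system would filter by posting context: disclosing Cushing's on
    # a Cushing's support subreddit may not warrant a warning at all.
    print(f"possible identifier: {ent['word']!r} ({ent['entity_group']})")
```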
OK, so for the final demo I'll share today, we're tackling another long-standing problem in end-user privacy: the scourge of configuring access control and privacy settings. Historically, we've had to pick between simple, coarse-grained controls that are easy for users to use but may not fully capture the nuance of their preferences, and complex, fine-grained controls that are a menace for users to properly configure but are much more expressive. Think: "in this context I want the building shut down, but in that context I want the building open," and things of that nature. With sketch-based access control, we're exploring ways that users can express their ideal access control and privacy preferences through a combination of sketching and natural language, a middle-ground approach that is simple to use but captures nuanced preferences. In this video, imagine two users, Alice and Bob, who share a smart office with a camera and a microphone. How might we specify who should have access to what, without going through a million drop-down lists and switching between different smart-home applications? You can see here that Kyzyl quickly sketches what one reasonable access control policy might be, and what's really interesting is that it's not limited to just Alice and Bob: you can sketch whatever you want, for example times and contexts and so on. The model interprets the sketch and turns it into a structured policy. It provides visual annotations and, really interestingly, it also generates counterfactual vignettes to help users understand how their policy will work in boundary conditions (what happens when Bob and Alice are both there together, and things like that). It then provides suggestions to help users refine these scenarios, spot vulnerabilities and gaps in their policies, and resolve ambiguities as they go.
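To make "structured policy" and "counterfactual vignettes" concrete, here is a minimal sketch of what a compiled policy and a few boundary-condition probes could look like; the schema, subjects, and rules are invented for illustration.

```python
# Hypothetical structured policy a sketch + natural language might compile to,
# plus counterfactual "boundary condition" probes like the demo's vignettes.
policy = {
    "resource": "office_camera",
    "rules": [
        {"subject": "Alice", "allow": True, "when": {"hours": (9, 17)}},
        {"subject": "Bob", "allow": False, "when": {}},  # Bob never gets the feed
    ],
    "default": False,  # unlisted subjects fall through to this
}

def allowed(subject: str, hour: int) -> bool:
    for rule in policy["rules"]:
        if rule["subject"] == subject:
            hours = rule["when"].get("hours")
            if hours and not (hours[0] <= hour < hours[1]):
                return False
            return rule["allow"]
    return policy["default"]

print(allowed("Alice", 8))   # False: before Alice's allowed hours
print(allowed("Alice", 10))  # True
print(allowed("Carol", 10))  # False: default deny surfaces a potential gap
```

The counterfactual probes at the bottom are the point: each one is a vignette a user could inspect to decide whether the compiled policy actually matches their intent.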
OK, so with that I'm going to end. I think I got to right around 30 minutes. Thank you for listening to my talk.

All right, thank you, Sauvik; you may want to unshare your screen. To our audience: if you have any questions, please use the Q&A feature in Zoom, and we're happy to take them. We're going to structure the next 20 minutes or so more as a conversation. First of all, Sauvik, thank you so much for this thought-provoking and interesting talk. You've done a lot of really interesting research, and maybe to start us off: you talked about many kinds of privacy risks, and I really appreciated how you differentiated between things that are privacy risks even without AI and risks that are exacerbated or created by AI; I think that's a really meaningful distinction. Which of these risks concerns you the most? What are you most worried about?

Yeah, it's a good question, and the answer is obviously nuanced, because contextually, different risks keep me up at night more than others. Obviously the idea that we can use AI to revitalize pseudosciences like physiognomy is very concerning to me, and we should just stop doing that. But that's also one of the risks where I'm more optimistic that, as a society, we'll be able to exert some control. For the idea that you shouldn't be using facial recognition and face detection-style AI to determine whether somebody will be a criminal, I can see a good vector for interventions, whether social norms or regulation, to curtail that kind of risk, although it is scary that it's being considered right now. But there's a more general concern I have, and maybe this is because I watched too much Westworld years ago: what is the nature of our reality? When you think about how you know your current experience to be true, it often comes down to social proof and sensory perception, and I feel like modern AI challenges both. Attacks on social proof are these ways of integrating highly realistic-seeming bots into our existing social information ecosystems; and the ability of generative AI to generate non-consensual imagery is an attack on our sensory perception. While we haven't seen the worst of it yet, and it's not privacy only, it's privacy and integrity and security and all of these other things, I do worry, because I don't as easily see a good intervention right now that will definitely prevent it, if that makes sense.

Yeah, and I think an interesting wrinkle is that with these new AI models, it's not just that you have more realistic ways of fooling people's senses, through deepfakes and other things; you can also automate and scale it very well.

Yeah, exactly.

So where do you think we need to focus our efforts to address some of these risks? Is it technological interventions like the ones you're working on? Is it public policy and regulation? Do we need more research to better understand the harms and risks? It's easy to say all of the above, but where do you feel the biggest difference is to be gained?

You know, if you had asked me a little while ago, I might have said we're making some good strides with policy, but there's a lot of uncertainty associated with that for the foreseeable future. I do think that ultimately this is a disruptive technology, and we need to re-establish professional norms, regulatory interventions, and ethical values in the creation of these AI systems; that's where we can get the most bang for our buck. Now, of course, the individual tools I mentioned can contribute. The first one, Privy, is specifically for practitioners, to help them reason about privacy risks in the creation of AI technologies, so I could see tools like that being really helpful in that norm-setting piece, and in complying with emerging regulation. The other tools I mentioned are more at the individual level, and I think they're essential for giving users some ability to protect themselves against incoming risks, as well as long-standing risks that might just be exacerbated in this bold new world of ours. But before we think about the broader impacts of these technologies on individuals, I think we get the best gains at the level of professional norms: if you can affect professional norms in some way, through regulation, new forms of training, or new tools that help practitioners deal with this brave new world, you can have a broader impact right now. And once we get 80% of the way there, we can start thinking about the other interventions that could get us further.

Yeah. It's interesting, or concerning, I guess, to see from your work with practitioners how they are aware of some risks but maybe not fully grasping the new risks that come with some of these AI technologies, and how limited the scope of what they focus on seems to be. Where do you see the role of higher education in sensitizing people to some of these issues? Are we teaching people the right things, or is our focus perhaps off?
Yeah, it's interesting, because I think it's a little bit of both. As academics, we worship at the altar of novelty, so we're certainly trying to think about how these emerging technologies entail new risks, and that's being incorporated into our coursework and curriculum. But there's a difference, at least in my experience, and this might not be true everywhere, between the folks we train for practice and the folks we train for research. We put a lot more emphasis on teaching the research-track folks to think about these emerging risks, while what we teach the practice-track folks tends to lag, because it tends to be "this is what the industry norms are now, so learn this." With the pace at which things have changed with some of these AI technologies, I don't know that we've kept up in how well we're teaching the people who expect to go into industry, into privacy engineering roles or AI development roles, to think about emerging risks that may not have ten years of established industry norms to support a curriculum. So I do think there probably needs to be more cross-talk between those two forms of pedagogy.

Yeah. One of the other aspects you mentioned is that business goals are often an inhibitor to building privacy into systems, or to thinking it through more thoroughly. Do you think that's an inherent conflict, or are there ways to align business goals in the age of AI with privacy protections?

Yeah. I think yes, but I don't know at what scale; I'm trying to figure that out myself. One of our practitioners did mention, and I highlighted it in the talk today, that caring about privacy can be a competitive differentiator in a pretty saturated market. Things are moving so fast right now that people are not caring much about privacy, because they're just trying to be first to market with the shiny new AI thing, and de-risking your product obviously takes time. But one thing that gives me a little hope is that you often don't need to be first to market to have the best product. Google wasn't the first search engine; Apple wasn't the first to create most of its products; but they got a whole bunch of market share. And Apple, whether you consider it grandstanding or not (oftentimes it is grandstanding), has made a show of being the big tech company that cares about consumer privacy at some level. One of the reasons they do that is that it's a marketing push, a competitive differentiator: relative to all these other big tech companies that will take your data and let anyone do whatever they want with it, we promise not to let third parties do whatever they want with it; we'll just do whatever we want with it.
So I do think this idea of privacy as a competitive differentiator could be good business, and I'm hopeful it can be, at the scale that a lot of these companies are thinking about.

Yeah, hopefully. So, moving to more hopeful topics: you showed some really exciting ideas for leveraging AI to protect privacy, like the Imago Obscura and Privacy Mirror projects, and there's a question from the audience here. In designing these technologies, how do you and your team think about making decisions for the user, and about what privacy should mean and what good privacy is? How do you view the role of these decision-support systems in improving privacy?

That's a good question. We're starting to develop a design space for what it means to create this human-AI teaming approach to privacy preservation for individuals. One thing I'm hearing in that question is: if we allow users to state their threat model, maybe there's something they don't know, a threat they should care about but don't have the vocabulary to articulate. I think that's absolutely true, and we need to be cognizant of how we can support them not only in articulating what they're concerned about, but also in mitigating threats they don't know they should care about. Here is where we do some standard human-centered design work: you need to meet users where they are, because motivation is really difficult to force on users. One thing we're learning from these formative engagements with the tools is that if you give users direct agency ("this is how this tool will help you with your specific goals"), you can start to sneak in other things the user should also care about, once they approach the tool as something that's helping them do what they need to do, rather than something telling them to do a bunch of things they don't know much about. You'll notice in the Imago Obscura demo, which I glazed over because it happened very fast, that the user enters their specific concerns with the image, but the recommendations aren't limited to that. We have a taxonomy of image privacy risks sourced from prior literature that we use for the semantic segmentation of the image, and while we prioritize the risks the user specifically stated they care about, we surface more than that: other risks the user didn't articulate, but could potentially be concerned about.

So the idea is to create awareness of potential implications, not just decide for the user, but actually enhance their awareness of potential risks.

Yeah, exactly.
You know, I really like these generative AI technologies' capacity for teaming. Their affordance of taking natural-language, free-form input has enabled a new way for us to access the structured language of computing with the natural language of humans, and it's exposed new possibilities for exploring what happens when we allow people to program with their voices.

Yeah. So you showed a couple of systems that try to address privacy risks, or raise privacy awareness, in very specific contexts. What do you think it would take to develop your personal privacy assistant: a system that knows exactly your privacy preferences, makes you aware of things you might be concerned about because it knows you, and acts on that across all spheres of your life? Because one of the things is that people don't really want to think about their privacy; it's often a secondary consideration, as you said earlier. People want to get something done; they want to make that post. So how can we support them more holistically in protecting their privacy?

Yeah, and I'd love to get your take on this too, Florian, after I give mine. Where we are right now in our understanding of how these generative AI technologies can help, they work really well when you're quite specific, and they can give you generic advice when you go general and broad. But in my opinion they don't work that well when you're trying to help people with a particular task, when you're trying to operationalize what it means to convert privacy intention into action, and you take a general approach. To effectively leverage these models, you really need some level of expert-driven few-shot examples and the like. So to get back to your question of what it would take to build this general AI privacy assistant, which I totally want to build one day (it sounds like a super exciting idea), I think we don't get there by starting with that vision. We get there by building individual tools, and then building an agent that can understand which tool to use in which context. Imago Obscura can help you with image privacy; Privacy Mirror can help you with textual privacy; sketch-based access control can help you with configuring privacy settings. There might be a day when things get good enough that we can create a top-level agent that understands the different individual tools available and knows in which context each applies.

Yeah. I guess an interesting potential issue there is that these tools, in order to be really effective and personalized, must have a lot of information about you too, so you're trading decision support for privacy against substantial trust in the technology to keep your data safe.
Yeah, and I think that cuts across many different dimensions. There's the obvious dimension, which is that a lot of these big models that perform better are hosted by a third party. Do you want OpenAI to have all this information about you? Maybe not. There's a solution to that, which is running local models, though there's a bit of a performance hit; how much of a performance hit you're willing to take in order to have a local model is one question. But there's another question. Even if you have a totally local model (and this is similar to the idea that differential privacy and federated learning address only a subset of risks), it still has all this information about you, and it's making decisions about what you want. So there's a fundamental trust issue: even if this thing is running totally under your control, on your own laptop or whatever it happens to be, to what extent do you want to trust the delegation of these privacy tasks to this machine? I think a lot of people might be fully willing to trust it as long as they had full control over it, but many others, myself included, would always want to be in the loop. I'd always want to be making the decisions; I'd really just want it as an execution engine. I don't want to have to go through all the drop-down lists to enact my choices.

It's not a direction I wanted to go in initially, but I think it's interesting to talk about. What that also hints at is that you, as someone who very actively works with AI technologies, are very aware of their limitations, and of the likelihood of these AI models giving you a wrong output, or making a wrong decision, but doing so very confidently. Whereas what I'm observing in how the general public is embracing some of these AI tools is that people are often swayed by the confidence with which answers are provided. How do we deal with that challenge? It feels like you're talking to a human, and a very convincing one.

Yeah... I don't know. Do you?

No.

OK, we can let that rest; maybe the audience can think about it and get back to us. Here's another question that goes in a similar direction, and then I think we're probably close to our end. Someone from the audience asks: do you think the emerging agent-based AI technologies, agents going off and doing things for you, introduce additional privacy risks beyond those you've already cataloged?

I'm sure they do. I haven't thought about it very deeply, so I can give you hot takes, but none of this should be considered something that scientists have proven. I do think that at the level of delegation, similar to the conversation we just had, you have these agents that are going off and doing things on your behalf, and there's a bunch of decisions they're making for you, some of which might involve your personal information.
A common use of these agents is as a personal assistant, like a meeting companion, or somebody, I should say some tool, that handles your emails and automatically does scheduling and things like that. Well, people who work on privacy know that privacy is a deeply contextually situated phenomenon. I might be willing to share my calendar with Florian, for example, so that we can find a common time to meet, but I may not be willing to share it with some random third-party marketer who has emailed me asking for time. That's probably a distinction we could easily build a classifier to differentiate, but there's a whole spectrum between somebody I know personally and somebody I don't know at all, and the question is what the contextual sharing norms are along that spectrum, and how well your agent is going to be able to understand and identify those norms. Out-of-office email indicators are a good example of this too. For some people, I might be willing to say, "Hey, I have a personal family emergency, so I won't be able to respond to your email for a while," but for people I don't know, I'm just going to say I'm out of office. Again, that's a simple classifier we can probably build, but there's so much nuance between those two ends of the spectrum. If you have these agents working on your behalf, making all of these decisions for you without a fundamental understanding of social norms and contextual nuance, you can imagine there's a lot of opportunity for privacy leakage and spillage.

Yeah. And then there are the people for whom you always want to be out of office.

Exactly.

No, I think that's a great point.
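As a toy illustration of the "simple classifier" end of that spectrum, here is a minimal sketch of tiered sharing rules for a hypothetical scheduling agent. The contact tiers and reply text are invented, and, as the discussion above notes, the hard part is everything between the tiers.

```python
# Toy contextual-sharing rules for a hypothetical email/scheduling agent.
# The tiers and replies are invented; the real challenge is the long spectrum
# of relationships and contextual norms between "colleague" and "stranger".
KNOWN_CONTACTS = {
    "florian@example.edu": "colleague",
    "mom@example.com": "family",
}

def calendar_detail_level(sender: str) -> str:
    tier = KNOWN_CONTACTS.get(sender, "stranger")
    return "free/busy plus event titles" if tier != "stranger" else "free/busy only"

def out_of_office_reply(sender: str) -> str:
    if KNOWN_CONTACTS.get(sender) in ("colleague", "family"):
        return "I'm dealing with a family emergency; replies will be slow."
    return "I'm currently out of office."

print(calendar_detail_level("marketer@example.com"))  # free/busy only
print(out_of_office_reply("florian@example.edu"))
```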
So it sounds like our audience is really excited about some of these technologies you're showing to protect privacy, and one of the questions is: when can we expect these technologies to be integrated into existing platforms, browsers, websites, and apps, instead of being separate tools? And I'll add my own spin to that: what do you think it takes to move from a research system that demonstrates the capabilities and what's feasible today to something consumers can actually use?

A good question. As researchers, we have the benefit of taking a lot of liberties with the assumptions we make, but I do think the future of deploying some of these technologies is very community-centered. A lot of times we build these privacy and security technologies hoping that the general public is going to want to use them right away, but the fundamental reality is that security and privacy are often secondary concerns. So I think the more effective approach (I don't know this for a fact, but it's my current thinking) is to build something that's really great for a specific community. For example, with Privacy Mirror, we've just started a collaboration with the Women's Center & Shelter of Greater Pittsburgh, because a lot of people who experience domestic stalking or abuse seek information online, but they don't want their abuser to be able to identify them as seeking that information. So we're thinking: if we can build Privacy Mirror to really help that population and demonstrate its value, make it so good for them that it's something they actively want to use, we can start to expand beyond that. Once there's demonstrated value and some traction, we can start to build technologies that creep into the general public's consciousness. The approach of trying to solve everybody's problem with these privacy and security technologies and hoping they catch fire usually doesn't work, unfortunately, just because these tend to be secondary concerns for most people.

OK, well, thank you so much. I think that's a great way to think about this: let's solve problems for the communities and populations that need it the most, and in doing so we can design tools that will benefit everyone. With that, we hope we could shed some light today on the privacy implications of modern AI, but also on the opportunities for improving privacy; not everything is necessarily bad when it comes to AI. We are so grateful to our special guest, Professor Das, and also to all of the audience members and the many people in the background who helped put together this event and many others. We're very excited to have brought you our seventh Privacy at Michigan Data Privacy Day event; we've been doing this since 2018, and we really appreciate the cross-institutional partnership and support between the School of Information and Information Technology Services in organizing this event series. Please check the U-M Safe Computing website for upcoming programming. We also have a brand-new privacy portraits quiz you can check out, and you can add your thoughts to the Six Words of Privacy project, all at safecomputing.umich.edu. Note that the recording of this event will likely be available by the end of the week, also on the Safe Computing website. And with that, happy privacy day, everyone!

Thank you for having me.