Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Deepfakes, Phrenology, Surveillance, and More! A Taxonomy of AI Privacy Risks

Hao-Ping Lee, Yu-Ju Yang, Thomas Serban von Davier, Jodi Forlizzi, Sauvik Das

TL;DR

The paper investigates how modern AI/ML changes privacy risks in products and services by analyzing 321 documented AI privacy incidents from the AIAAIC dataset. It develops an AI-centric taxonomy of 12 privacy risks, identifying new categories such as phrenology/physiognomy and exposure from deepfakes, and shows AI can exacerbate existing risks like surveillance, identification, and data disclosure. The authors map AI capabilities and data requirements to Solove's taxonomy to determine when AI creates novel risks, amplifies prior ones, or leaves them unchanged, concluding that AI often meaningfully alters privacy risk profiles. They argue that current privacy-preserving AI methods (e.g., differential privacy, federated learning) address only a subset of these AI-driven risks and advocate for AI-specific privacy guidance and a living taxonomy to guide practitioners, researchers, and policymakers.

Abstract

Privacy is a key principle for developing ethical AI technologies, but how does including AI technologies in products and services change privacy risks? We constructed a taxonomy of AI privacy risks by analyzing 321 documented AI privacy incidents. We codified how the unique capabilities and requirements of AI technologies described in those incidents generated new privacy risks, exacerbated known ones, or otherwise did not meaningfully alter the risk. We present 12 high-level privacy risks that AI technologies either newly created (e.g., exposure risks from deepfake pornography) or exacerbated (e.g., surveillance risks from collecting training data). One upshot of our work is that incorporating AI technologies into a product can alter the privacy risks it entails. Yet, current approaches to privacy-preserving AI/ML (e.g., federated learning, differential privacy, checklists) only address a subset of the privacy risks arising from the capabilities and data requirements of AI.

Deepfakes, Phrenology, Surveillance, and More! A Taxonomy of AI Privacy Risks

TL;DR

The paper investigates how modern AI/ML changes privacy risks in products and services by analyzing 321 documented AI privacy incidents from the AIAAIC dataset. It develops an AI-centric taxonomy of 12 privacy risks, identifying new categories such as phrenology/physiognomy and exposure from deepfakes, and shows AI can exacerbate existing risks like surveillance, identification, and data disclosure. The authors map AI capabilities and data requirements to Solove's taxonomy to determine when AI creates novel risks, amplifies prior ones, or leaves them unchanged, concluding that AI often meaningfully alters privacy risk profiles. They argue that current privacy-preserving AI methods (e.g., differential privacy, federated learning) address only a subset of these AI-driven risks and advocate for AI-specific privacy guidance and a living taxonomy to guide practitioners, researchers, and policymakers.

Abstract

Privacy is a key principle for developing ethical AI technologies, but how does including AI technologies in products and services change privacy risks? We constructed a taxonomy of AI privacy risks by analyzing 321 documented AI privacy incidents. We codified how the unique capabilities and requirements of AI technologies described in those incidents generated new privacy risks, exacerbated known ones, or otherwise did not meaningfully alter the risk. We present 12 high-level privacy risks that AI technologies either newly created (e.g., exposure risks from deepfake pornography) or exacerbated (e.g., surveillance risks from collecting training data). One upshot of our work is that incorporating AI technologies into a product can alter the privacy risks it entails. Yet, current approaches to privacy-preserving AI/ML (e.g., federated learning, differential privacy, checklists) only address a subset of the privacy risks arising from the capabilities and data requirements of AI.
Paper Structure (40 sections, 3 figures, 1 table)

This paper contains 40 sections, 3 figures, 1 table.

Table of Contents

  1. Introduction
  2. Background and Related Work
  3. Human-centered AI
  4. Prior privacy taxonomies and concepts
  5. Creating a privacy taxonomy
  6. Method
  7. Constructing the Taxonomy of AI Privacy Risks Based on AIAAIC
  8. Qualitative Analysis Procedure
  9. Taxonomy of AI Privacy Risks
  10. Data collection risks
  11. Surveillance (150/321)
  12. Data processing risks
  13. Identification (124/321)
  14. Aggregation (49/321)
  15. Phrenology / Physiognomy (27/321)
  16. ...and 25 more sections

Figures (3)

  • Figure 1: We filtered from 1,049 cases from the AIAAIC database and selected cases labeled as "privacy issues." We filtered them down to cases with the technology claimed to be AI/ML that caused actual privacy risks to end-users. We also picked 10% of the cases without the privacy label from the database and went through the same analysis process. The final dataset comprised a total of 321 cases.
  • Figure 2: 12 types of privacy risks that AI technologies create and/or exacerbate relate to data collection, data processing, data dissemination, and invasion. The arrows indicate data flow (invasion risks need not involve data, but often do).
  • Figure 4: The distribution of each privacy risk we identified as not meaningfully changed, exacerbated, or created by AI. Note that one AI incident can involve multiple types of privacy risks.