Mastodon Kuan0: September 2024

Sunday 29 September 2024

Things AI, Sept 2024

Open-source AI models: from ICO's previously-asked questions, this Q&A was added recently even though currently the "Last updated" date indicates 11 April 2024.
Q: We want to develop a speech transcription service for use in our organisation, using an open-source artificial intelligence (AI) model. Can we do this even though we don’t have detailed information about how the model was trained? (see the answer!)

AI Act: from Deloitte's AI Act Survey 2024, not many companies surveyed have started prep, nearly half feel partially/poorly prepared, over half think the Act constrains their innovation capabilities in AI, there were mixed views on legal certainty and on the Act's impact on trust in AI, and almost half thought the Act's more of a hindrance to AI-based applications! But, over a 100 companies have signed the Commission's voluntary AI Pledge under its AI Pact, that seeks to encourage organisations to implement AI Act measures ahead of its formal applicable dates.

Beyond the AI Act, see more generally:

Revised EU Product Liability Directive: the new EU Parliament has approved the text (Eur-Lex), so it just remains for the Council to adopt it (although Estonia is against the procedural rules); when published in the OJ thereafter it will become law. Significance? For the purposes of no-fault liability for defective products, "product" will explicitly include software including that supplied via SaaS. The text also mentions software as including AI systems. Also:

"A developer or producer of software, including AI system providers within [AI Act] should be treated as a manufacturer"... "Where a substantial modification is made through a software update or upgrade, or due to the continuous learning of an AI system, the substantially modified product should be considered to be made available on the market or put into service at the time that modification is actually made."

"National courts should presume the defectiveness of a product or the causal link between the damage and the defectiveness, or both, where, notwithstanding the defendant’s disclosure of information, it would be excessively difficult for the claimant, in particular due to the technical or scientific complexity of the case, to prove the defectiveness or the causal link, or both... Technical or scientific complexity should be determined by national courts on a case-by-case basis, taking into account various factors. Those factors should include...the complex nature of the causal link,  such as... a link that, in order to be proven, would require the claimant to explain the inner workings of an AI system...  ...in a claim concerning an AI system, the claimant should, for the court to decide that excessive difficulties exist, neither be required to explain the AI system’s specific characteristics nor how those characteristics make it harder to establish the causal link." 

EU Cyber Resilience Act (CRA) on "horizontal cybersecurity requirements for products with digital elements": the new EU Parliament has approved the text (Eur-Lex), so it just remains for the Council to adopt it; when published in the OJ thereafter, it will become law. Note, this aims to "set the boundary conditions for the development of secure products with digital elements by ensuring that hardware and software products are placed on the market with fewer vulnerabilities and that manufacturers take security seriously throughout a product’s lifecycle". Also note, "Products with digital elements classified as high-risk AI systems pursuant to Article 6 of [AI Act] which fall within the scope of this Regulation should comply with the essential cybersecurity requirements set out in this Regulation..." (see much more in Art.12 and Rec.51 which specifically cover high-risk AI systems, and Art.52(14)).  BTW, the Commission is inviting cybersecurity experts to apply to join its CRA Expert Group. Various criticisms of the CRA have been mentioned in my book/free companion PDF; here's another critique.

UK: the AI Act doesn't apply in the UK post-Brexit, so perhaps there are indeed more AI opportunities in the UK, on which Google has published a blog and fuller paper. The UK will make the AI Safety Institute (AISI) a statutory body as well as "identifying and realising the massive opportunities of AI" including for government/public services. (Here, the UK's not alone: a study for the European Commission emphasises AI's "significant potential" to improve EU public sector services.) AISI work includes assessing AI capabilities, e.g. Early Insights from Developing Question-Answer Evaluations for Frontier AI.

But, the GDPR still applies in the UK: ICO statement on LinkedIn's changes to its AI policy, so it is no longer training genAI models using UK users' data (opt-out link for others). There was separately an AI opt-out hoax that fooled a lot of people!



The recently-published UK MoD's annual analysis of future global strategic trends 2024 mentions cyber and AI, of course. UK civil servants (but not the rest of us!) are being offered free training AI-related courses, covering various aspects of AI, illustrating what's considered most important: Fundamentals, Understanding AI Ethics, The business value of AI, Gen AI Tools and Applications, Working with Large Language Models, Machine Learning and Deep Learning, Natural Language Processing and Speech Recognition, Computer Vision, and a Technical Curriculum.

Separately, case studies summarised based on the DSIT AI assurance techniques have been boosted by the addition of more products/platforms, on areas from governance, facial recognition e.g. for verification/identification, compliance management and bias assessment (even for NIST AI RMF, ISO, and NYC 144 bias audit with synthetic data!) to AI monitoring/audit. If you're planning to offer AI products to government (or beyond), it wouldn't be a bad idea to get your own products assured and listed similarly.

AI uses in the UK: a great use is autonomous robots to maintain fusion facilities. On health, a "novel ... AI tool, validated using NHS eye imaging datasets... could transform the efficiency of screening for Diabetic Retinopathy (DR)", while the MHRA  is calling for applications for manufacturers and developers of AI medical devices to join its AI Airlock regulatory sandbox; and, Reflections on building the AI and Digital Regulations Service.

Collaboration on cybersecurity and AI research announced between the UK, US and Canada, to support defence and security

Equality, AIThe public sector equality duty and data protection, Sept 2024, UK EHRC guidance (with ICO input), including helpful examples of proxy data for protected characteristics under the UK Equality Act 2010, and a short section on proxy analysis of AI models, with a case study on the Dutch benefit fraud scandal that led to unlawful discriminatinon (from using biased predictive algorithms)

United Nations: much activity on AI, such as the final Governing AI for Humanity report on global AI governance, gaps, and international cooperation.

The recently (and almost simultaneously) promulgated UN Digital Compact is "a comprehensive framework for global governance of digital technology and artificial intelligence":

  • Objectives agreed included: "Enhance international governance of artificial intelligence for the benefit of humanity"
  • Principles agreed included: "Safe, secure and trustworthy emerging technologies, including artificial intelligence, offer new opportunities to turbocharge development. Our cooperation will advance a responsible, accountable, transparent and human-centric approach to the life cycle of digital and emerging technologies, which includes the pre-design, design, development, evaluation, testing, deployment, use, sale, procurement, operation and decommissioning stages, with effective human oversight"
  • On Digital public goods and digital public infrastructure: "We recognize that digital public goods, which include open-source software, open data, open artificial intelligence models, open standards and open content that adhere to privacy and other applicable international laws, standards and best practices and do no harm, empower societies and individuals to direct digital technologies to their development needs and can facilitate digital cooperation and investment... ...We commit by, 2030, to: (a) Develop, disseminate and maintain, through multi-stakeholder cooperation, safe and secure open-source software, open data, open artificial intelligence models and open standards that benefit society as a whole (SDGs [Sustainable Development Goals] 8, 9 and 10)
  • On  Objective 3. Foster an inclusive, open, safe and secure digital space that respects, protects and promotes human rights, they "urgently... Call on digital technology companies and developers to continue to develop solutions and publicly communicate actions to counter potential harms, including hate speech and discrimination, from artificial intelligence-enabled content. Such measures include incorporation of safeguards into artificial intelligence model training processes, identification of artificial intelligence-generated material, authenticity certification for content and origins, labelling, watermarking and other techniques (SDGs 10, 16 and 17).
  • On Objective 4. Advance responsible, equitable and interoperable data governance approaches, data privacy and security, "We recognize that responsible and interoperable data governance is essential to advance development objectives, protect human rights, foster innovation and promote economic growth. The increasing collection, sharing and processing of data, including in artificial intelligence systems, may amplify risks in the absence of effectivepersonal data protection and privacy norms...
    ...We commit, by 2030, to: (a) Draw on existing international and regional guidelines on the protection of privacy in the development of data governance frameworks (all SDGs); (b) Strengthen support to all countries to develop effective and interoperable national data governance frameworks (all SDGs); (c) Empower individuals and groups with the ability to consider, give and withdraw their consent to the use of their data and the ability to choose how those data are used, including through legally mandated protections for data privacy and intellectual property (SDGs 10 and 16); (d) Ensure that data collection, access, sharing, transfer, storage and processing practices are safe, secure and proportionate for necessary, explicit and legitimate purposes, in compliance with international law (all SDGs); (e) Develop skilled workforces capable of collecting, processing, analysing, storing and transferring data safely in ways that protect privacy (SDGs 8 and 9)
  • And Objective 5 was all about AI governance, not quoted in full here but
    "We will: (a) Assess the future directions and implications of artificial intelligence systems and promote scientific understanding (all SDGs); (b) Support interoperability and compatibility of artificial intelligence governance approaches through sharing best practices and promoting common understanding (all SDGs); (c) Help to build capacities, especially in developing countries, to access, develop, use and govern artificial intelligence systems and direct them towards the pursuit of sustainable development (all SDGs); (d) Promote transparency, accountability and robust human oversight of artificial intelligence systems in compliance with international law (all SDGs). (Also see UNESCO's consultation from Aug-Sept 2024  with a policy brief summarising emerging regulatory approaches to AI.)
  • We therefore commit to: (a) Establish, within the United Nations, a multidisciplinary Independent International Scientific Panel on AI with balanced geographic representation to promote scientific understanding through evidence-based impact, risk and opportunity assessments, drawing on existing national, regional and international initiatives and research networks (SDG 17); (b) Initiate, within the United Nations, a Global Dialogue on AI Governance involving Governments and all relevant stakeholders which will take place in the margins of existing relevant United Nations conferences and meetings (SDG 17)."

US: global AI research agendaproposed Reporting Requirements for the Development of Advanced Artificial Intelligence Models and Computing Clusters (i.e. cloud providers); "This includes reporting about developmental activities, cybersecurity measures, and outcomes from red-teaming efforts, which involve testing for dangerous capabilities like the ability to assist in cyberattacks or lower the barriers to entry for non-experts to develop chemical, biological, radiological, or nuclear weapons." One I missed earlier: the IAF's paper on Risk/Data Protection Assessment (for AI) as Required by U.S. State Privacy Laws.

And some miscellaneous things...

Hallucination issues with LLMs remain: a recent egregious example.

Comparing chatbots: interesting open-source tool to compare different (anonymized) chatbots by asking them the same questions, and do choose the best answer. See its leaderboard, currently OpenAI's o1-preview is top!

Cognitive bias: humans tend to think fluent content (e.g. LLM-generated) is more truthful/useful than less fluent content, which can produce systematic errors.  Of course, this tendency is why even hallucinationary genAI output can be trusted and believed by humans!AWS scientists argue that "human evaluation of generative large language models (LLMs) should be a multidisciplinary undertaking that draws upon insights from disciplines such as user experience research and human behavioral psychology".

AI users: apparently have a healthier relationship with work than colleagues who don't use AI! Although of course AI has been the reason for some job cuts.

Interesting article on AI hype and another on the importance of human thought and judgment when using AI.

(Also see my separate blogs on privacy / data protection and on security, forthcoming.)

Monday 16 September 2024

Browser cookie settings & consumer preferences - UK study

"Evaluating browser-based cookie setting options to help the UK public optimise online privacy behaviours" (PDF), a study for the UK Department for Science, Innovation and Technology on consumer preferences conducted  between Aug and Dec 2023, concluded that:

"...We recommend that any future cookie setting option should be interactive and detailed to a sufficient level that participants understand the real-world impact of accepting or declining a number of different options, e.g. that ‘functional’ cookies include login details, website preferences (language, currency), see Appendix 2, Figure 5. These setting designs secure stronger engagement by breaking participants out of the habit of automatically accepting all cookies purely for the sake of expedient access to the browser; furthermore, participants are satisfied after such a process of critical engagement...

...People remain divided over the idea of browser-based cookies. To improve sentiment, any future browser-based cookie settings should include features that will enhance web users’ feelings of control over their data (e.g. frequent prompts for updates, options to adapt preferences by types of websites, or for specific websites).

Participant engagement and satisfaction improved when they had access to more functionality details, an interactive interface to select their preferences, and timely prompting about privacy. As a result, should browser based cookie management systems replace the website level settings, we recommend that browser-based cookie setting design should attempt to disrupt users’ habits of automatically accepting through novel designs to create a dissonance with what they are used to seeing. Furthermore, any cookie settings that encourage participants to make a privacy-protective choice will lead to higher satisfaction regardless of initial preferences."

But if there's too much detail in the expanded info, users may just ignore them. And I'm not so sure about frequent prompts to users... that doesn't provide a great user experience. Strictly, when users have accepted cookies for a site, they should probably be told about their right to withdraw consent to cookies everytime they return to the site, but that doesn't really happen, at least not in a "disruptive" way, presumably because that's not great for UX too (popups continuing to appear even if you've accepted cookies previously?!).

AI and GPAI developments/info, Sept 2024

Some AI-related links, which I hope will be of use:

Final text of AI Pact pledges, promulgated by the European Commission to get tech companies to comply voluntarily with (at least some of) the AI Act before its formal applicable date. So, the text is not dissimilar from that of the EU AI Act, and indeed the G7 Principles from the Hiroshima Process


AI Act briefing for European Parliament, 2 Sept 24

✨BSA (The Software Alliance) Best Practices for Information Sharing Along the General Purpose AI Value Chain. There's some overlap with the EU AI Act's GPAI requirements, 3 Sept 24

✨Computer & Communications Industry Association's recommendations on GPAI code of practice, Aug 24

✨Note that the Council of Europe's AI Treaty, signed by the UK, EU and others, will come into force only on the first day of the month following the 3-month period after 5 signatories, including at least 3 Council of Europe member states, have ratified it. (On treaties/conventions, see the differences between signing versus ratification versus accession).

To support the Treaty's implementation, the COE's HUDERIA is a "legally non-binding methodology" for Risk & Impact Assessment of AI Systems for Human Rights, Democracy and Rule of Law (good summary). The UK's Alan Turing Institute is assisting on HUDERIA. The COE Committee on AI is considering HUDERIA soon. The European Commission & Council of the European Union are also involved. What's the betting as to how much HUDERIA will influence what is going to be required in Fundamental Rights Assessments for certain high-risk AI systems under the AI Act?

(Compare the US Department of State's risk management profile for AI and human rights, July 2024)


✨A data scientist has written a great outline of a practical approach in the face of the pressure to to AI-ify everything ASAP. Consider, is using AI always the best solution? Especially given that AI systems will increasingly be subject to more onerous obligations than non-AI systems (e.g. under the AI Act), is it always best to use AI when non-AI approaches/methods could work equally well or perhaps better?

✨What's up with the planned AI Liability Directive? It won't automatically be brought into force, but  a June Parliamentary Committee report stated that "the legislative work under the leadership of the Committee on Legal Affairs... will continue under the new Parliament. In the meantime, the Committee... requested an additional impact assessment from the European Parliament Research Service (EPRS). It is to primarily deal with the compatibility of the three legal acts mentioned [AIAct, product liability etc] and the risk-based concept and is expected to be completed by the end of 2024". Note the date for the additional impact assessment - end of 2024. So it's very unlikely this Directive will be passed this year, perhaps ever.

(I had tried to post the above on LinkedIn last Thursday, please see this AI developments post, but LinkedIn saw fit to demote it and not show it in people's feeds, so I think it's best to blog here instead, and at least there's space for me to flesh things out a bit more here.)