TLP White: In this edition of Hacking Healthcare, we begin with a warning about the use of emotion-detecting technologies and a call for their regulation. Next, we detail how the U.S. National Institute of Standards and Technology (“NIST”) is helping further biometric research. Finally, we briefly explain India’s proposed data privacy and data protection bill that mixes elements of the General Data Protection Regulation (“GDPR”) with a healthy dose of government exemptions.

As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC and receive the TLP Amber version of this blog (available in the Member Portal).


Welcome back to Hacking Healthcare.


1. Concern over Emotion-Detecting Technologies Leads to a Call for Regulation.

A rush to implement artificial intelligence and machine learning (“AI/ML”) into ever more products and services has prompted a warning from the AI Now Institute. The New York University-based research center is cautioning that new laws are needed to restrict the usage of AI/ML-based “emotion detecting” technologies.[i] These technologies claim to be able to better detect the “true” emotional state of an individual by picking up on micro-expressions in an individual’s face, interpreting the tone of an individual’s voice, and even analyzing biomechanics such as walking.[ii] Such technologies are beginning to find their way into organizations looking to alter their hiring processes or test individuals for deception. The AI Now Institute warns that the underlying science behind the technology isn’t as clear-cut as marketing often makes it out to be.

According to AI Now Institute co-founder Dr. Kate Crawford, the technology is not based on completely settled science, and there are many studies that dispute the evidence of a “consistent relationship between the emotion that you are feeling and the way that your face looks.”[iii] According to Dr. Crawford, it appears that many of these technologies, which fall under the formal name of “affect recognition,” are based on information gleaned from psychological studies in the 1960s.[iv] One of these studies in particular suggested that there were only six basic emotions that could be expressed via facial features.[v] Subsequent studies have shown there is far more variability in the number of emotional states and the expression of those states across individuals than was previously identified.


2. NIST Releases New Biometric Data for Public Use.

Last week, NIST released biometric research data that includes facial photographs, fingerprints, and iris scans. The data has been released for research purposes; all of it has been anonymized, to the extent that biometrics can be, and each individual consented to their data’s inclusion and use.[vi] NIST hopes that this data will help address the lack of quality publicly available biometric data and allow researchers to test the performance of access control identity verification systems.

For those who aren’t familiar, NIST is a research and development agency within the United States Department of Commerce. Although part of the U.S. government, NIST has a long-standing international reputation as an impartial and scientifically grounded organization that focuses on developing and publishing a wide range of standards. While many in the cybersecurity industry will know them for their work on the Cybersecurity Framework, the release of this biometric information is well within their broader mission.

NIST has separated this data into three databases on their website: SD 300, SD 301, and SD 302. SD 300 contains roughly 900 fingerprints, SD 301 is a “multimodal” data set containing various biometric identifiers that are linked, and SD 302 contains fingerprint data gathered by several different processes.[vii] NIST has plans to slowly expand this initial set of biometric databases.[viii]


3. India’s New Data Privacy Legislation.

After over a year of deliberations, India’s parliament introduced legislation that would create the first major data privacy and data protection law in the country.[ix] The bill includes elements of Europe’s GDPR and also incorporates measures that give the government broad powers.[x] While the bill has support from some privacy advocates, many more are concerned about the exemptions that the government can take advantage of as well as how easily they can be invoked, and much of the industry is concerned that this bill adds to the growing balkanization of the Internet.[xi]

This bill would create sweeping changes to how companies can use and store an individual’s data. This would include the requirement that companies seek permission to use an individual’s data, and that any individual can ask for their data to be deleted. In theory, the enhanced privacy protections for individuals would apply to India’s government as well as private entities, but in practice the government is able to exempt itself in cases where it claims that national security or public order necessitates an exemption.[xii] This likely means that controversial programs like the Aadhaar national ID system, India’s national digital biometric identity program, will remain unaffected even if the bill passes. The bill would also create a data protection agency that would “write specific rules, monitor how corporations are applying them and settle disputes.”[xiii]




Tuesday, December 17th:

– No relevant hearings


Wednesday, December 18th:

– No relevant hearings


Thursday, December 19th:

– No relevant hearings

International Hearings/Meetings



EU –

– No relevant hearings




Conferences, Webinars, and Summits

–H-ISAC Security Workshop – London, UK (2/5/2020)

–Healthcare Cybersecurity Forum – Southern California – San Diego, CA (2/5/2020)

–Global Cyber Security in Healthcare & Pharma Summit – London, UK (2/6/2020)

–H-ISAC Analysts Security Workshop – Titusville, FL (3/4/2020)

–2020 APAC Summit – Singapore (3/31/2020-4/2/2020)

–H-ISAC Security Workshop – Cambridge, MA (4/7/2020)

–H-ISAC Security Workshop – Atlanta, GA (4/14/2020)

–Healthcare Cybersecurity Forum – Mid-Atlantic – Philadelphia, PA (4/20/2020)

–H-ISAC Security Workshop – Frederick, MD (6/9/2020)

–Healthcare Cybersecurity Forum – Rocky Mountain – Denver, CO (7/20/2019)

–Healthcare Cybersecurity Forum – Southeast – Nashville, TN (9/9/2020)

–Healthcare Cybersecurity Forum – Northeast – Boston, MA (9/22/2020)


Sundries –


–Pensacola confirms ransomware attack but provides few details

–Why Ring Doorbells Perfectly Exemplify the IoT Security Crisis

–Microsoft Warns of GALLIUM Threat Group Attacking Global Telcos

–China’s AI Unicorns Can Spot Faces. Now They Need New Tricks







Contact us: follow @HealthISAC, and email at contact@h-isac













