Responsible artificial intelligence (AI) takes a few different forms. Through this series, we are going to highlight the six important aspects of AI in the academic research space. Check out our full list of AI tenets here.

Data privacy and security best practices in AI

AI is increasingly impacting data privacy and security concerns because AI works on a much larger scale than previous automation would allow. Unfortunately, many reports indicate that AI is also making it easier for malicious actors to exploit system vulnerabilities, as highlighted by a submission from law firm Ropes & Gray to Bloomberg Law. An article from Virginia Tech points out how AI is fueling the rapid spread of misinformation, while Experian discusses how scammers are leveraging AI to deceive people more effectively.  

However, AI is also being employed to address these very challenges. Along with the development of AI-driven solutions, existing security regulations and standards are crucial in preventing breaches and setting best practices. As the AI landscape evolves swiftly, staying knowledgeable about these standards and the latest AI applications is essential for EBSCO as we work on building and delivering AI tools into the research space.

What’s the difference between data privacy and data security?

At EBSCO, we reference the IAPP, which defines data privacy as:

“the use and governance of personal data—things like putting policies in place to ensure that consumers’ personal information is being collected, shared and used in appropriate ways. Security focuses more on protecting data from malicious attacks and the exploitation of stolen data for profit. While security is necessary for protecting data, it’s not sufficient for addressing privacy.”

Another useful definition we refer to at EBSCO comes from Gartner, which defines data privacy as:

“the processes and associated tools that protect sensitive information assets, either in transit or at rest.”

Both share the theme of secure usage of personal data.

EBSCO utilizes several data privacy and security measures to ensure the safe transmission of data. For example: 

  • Data minimization - only collecting data required for specific value or functionality, at the time it is needed;
  • Product development guardrails - data privacy as a checklist item for every feature and capability; and
  • Consolidating identity data to a minimum number of directories.

Additionally, EBSCO implements several information security measures. For example: 

  • Data encrypted in transit and at rest;
  • Role-based access control: using Single Sign On (SSO) and Active Directory groups to authorize specific employees to access only the information needed to perform their job;
  • Multi-factor authentication;
  • Audit logging access to information; and
  • Using “top shelf” technologies when data retention or transmission is required.

EBSCO is committed to keeping information safe and secure. We are diligent in our efforts to make sure personal data is safely stored and is used and accessed only by necessary individuals who are authorized and trained to do so properly.

Diving into security measures

EBSCO follows best practices for secure data handling in workplace training, and we maintain ISO certification and compliance to ensure a secure environment for customer data and the handling of data. These standards ensure that EBSCO is held accountable to high security and data privacy standards. EBSCO has also adopted a Least Privileged Access policy where, according to CNSSI and NIST, “a system should restrict the access privileges of users (or processes acting on behalf of users) to the minimum necessary to accomplish assigned tasks.”

Least Privileged Access ensures EBSCO employees only have access to information that is required to fulfill their employment tasks. For example: 

  • Back-end services and data stores;
  • Customer product administration;
  • Financial and personal data if collected for specific product functions or purchases;
  • Authentication; and
  • Personalized functionality.

What can users do?

In addition to the protections enacted by companies, end-users play a significant role in safeguarding their own data. Experts such as the Identity Defined Security Alliance highlight the importance of using trusted and authoritative data and tools to enhance data security. An open-access scholarly article from MDPI highlights how users can actively manage their data by overseeing the collection, storage, and utilization phases within the data life cycle. This includes employing data monitoring practices to prevent unauthorized use, and leveraging tools that provide transparency and control over how personal data is processed across various platforms. Reading license agreements and Terms of Use is also essential for understanding how personal information is handled.

Several notable tools and practices are gaining attention in this area. Apple’s App Tracking Transparency Tool, for instance, is recognized as a valuable resource for managing data access on mobile devices. Additionally, SOLID, an initiative spearheaded by Tim Berners-Lee, the inventor of the World Wide Web, allows users to store and control their own data, deciding when and with whom to share it. Experts also emphasize the importance of maintaining good data hygiene as a critical step in enhancing personal security. Together, these measures offer users practical ways to protect their privacy, complementing the security frameworks established by companies.

Where do we go from here?

Organizations like NIST, ISO, the Artificial Intelligence Institute, UNESCO, IEEE, NATO, and more are beginning to focus efforts on defining and implementing guidance, strategies, protective measures, standards, and regulations for responsible AI. You can become more knowledgeable by getting involved in working groups, advocacy groups, and local petitioning groups. Additionally, focusing on responsible AI practices for security and data privacy in the applications and organizations you use day-to-day will help end-users learn more about these important topics.