
Respecting & Handling Privacy in the Digital Age

A discussion around the necessity of ensuring security and privacy when it comes to the data we collect and use.

This is part 3 of a 5-part series on Ethical AI. If you missed part 1, Ethical AI Standards: A Process Approach, click here.

Now with a solid foundation for proper data infrastructure, we must take due care to secure the data that we collect and use. With any input provided by a person, we are now responsible for utilizing that input ethically whilst protecting it from being leaked, misused, or stolen. Therefore, privacy is twofold: information mustn’t be used by businesses to harm its users, and additionally, information mustn’t be left vulnerable to exploitation by hackers. The first area is rich in a philosophical sense, as it pertains to what is morally permissible, whereas the second area is rich in a technical sense, as it pertains to the actual software used to encrypt and protect data from being extracted for nefarious purposes.

Philosophical Considerations About Privacy

Here we will talk about the moral features of monitoring individuals and collecting their data. To highlight such features, we will consider this scenario:

An employee, whom we will call ‘John’, has been working at a company for 7 months. In this time, he has gotten acclimated to the role, gotten acquainted with the team, and begun to be decently productive as he has settled into his position. The company decides to invest in a monitoring solution that tracks employee productivity. Just before the implementation of this monitoring software, John faces some awful circumstances in his private life and, as a result, plummets in productivity. The software tracks the things you’d expect it to: it first identifies each and every worker, checks their habits for messaging, meetings, file uploads and so on, and then simply reports this information with accompanying statistics and insights. These findings then contribute to the rationale for firing and promotion decisions, and are seen as another source of information for financial and economic decision making. Unfortunately for John, his initial data puts him far below his coworkers, who are about as productive as John himself in otherwise normal circumstances. Since he is a relatively new hire, John’s reputation has not been solidified, and so it is immediately cast into doubt whether he should truly be employed at this company. Alongside John, a few other employees who scored low are being considered for termination. These other workers turn out to genuinely be a wrong fit for the company, so it appears that if John gets fired with the others, the software ultimately worked, but at a small collateral cost: John.

We can take note of how many variables are at play here, and if we tweak just a few, we find very different stories taking place:  

  • If John were to be at the company for not 7 months but 5 years, John’s reputation would’ve been solidified and there would be an understanding that something isn’t right: either the tracking software has some sort of issue, or John has some personal issue that is stopping him from being the productive worker that he is.  
  • If John had this personal issue enter his life not immediately before the software began monitoring him, but rather 6 months down the road, there would be 6 months of data backing up John’s performance and only now be introduced as an anomaly, not the baseline.  

We’d like to illustrate a point now: these contingent variables are insufficient to change the moral features of how the AI is set up to work- my claim is thus that the way in which monitoring software works must be fundamentally different than how it was presented in the scenario. Simply hoping that “life will work itself out” towards such problems is unsatisfactory and so a better model built on principles that go against prima facie AI ideals (e.g., unrestricted collection and use of data, ownership of data as a default position, etc.) must be implemented.


Josh Bersin’s excellent Privacy and Ethics in People Analytics report (referred to here as ‘the Report’) has a plethora of examples which I found to exemplify many key possibilities in ethical violations of privacy. The entire sentiment of the piece holds many great points towards accountability and ethical responsibility. The principles I will lay out match his sentiment and make use of many of the examples used in the piece.

1. Collected data should not be used to harm those it collects the data on.

This point is quite versatile, because it highlights multiple cases in which harm can be done to those who give their data. An extremely clear-cut example stems from the Report, which mentions a case in which warehouse workers had to work against target numbers; if they did not match such a target, they would be terminated. This is a severe case of using information to harm someone: being placed in a situation where your livelihood is at stake by being set unreasonable targets is clearly immoral. This case is clear-cut because it follows immediately from one action to another: the data’s state causes the consequence of being fired. Consider now John’s case, which is more subtle: his data leads to the consideration of him being fired. This, too, makes the data responsible for putting him at risk. A good analogy would be pushing someone onto the road: this may or may not lead to great harm, but the shover would be blameworthy for putting the person on the road. What, then, would be a good compromise? I can think of two: one handles how the AI itself should function, and one handles how humans should use AI when information is present. I will start with the latter:

(1.1) Humans should use collected data to help, not to harm

Assume the AI program remains unchanged from our given scenario. Instead of utilizing this information to consider firing employees, take this information to discuss the situation with your employees, and begin a dialogue. E.g.:

“You currently are among those who rank the lowest in productivity. Do you have any idea why this might be the case, and is there something we can do to help?”

While this statement is a very direct one, one which might even instill an initial shock, it could be the exact kind of thing needed for an employee to open up and discuss any issues they may have. The fact of the matter is, low productivity is undesirable in a worker, but a single instance of it is not sufficient cause to fire. Rather, if this employee fails to correct any issues leading to low productivity, then there is sufficient cause to fire them. I am qualifying that statement on the supposition that discussions were had about the issue prior to termination. If John failed to relay the information he was holding even after being talked to by his employers, who thus opened the floor for him to speak, then he is not a good communicator. At the same time, the data itself is not responsible for him being considered for firing: it merely gives the employers direction on which employees to talk to. If the employees do nothing about their issues, that is on them, not on the data being monitored. The change to our perception of AI would then be this: any information gained from AI must be buffered by human action before any harm may be done, and that human action must not itself be a kind of harm (e.g., considering the termination of an employee is harm; merely discussing the current situation with an employee and learning what you can do to help is not).

(1.2) AI should withhold certain data to prevent harm

The other option, however, changes not our perception of AI, but rather the limitations of our AI: we remove the option for human error by hiding the data from those who might use it to harm others. If we return to our scenario, then, we could have a productivity monitoring company give employers access not to individual performance reports, but aggregate performance reports. This removes the possibility that any one person would be severely punished. The change then would lead to company-wide or division-wide changes. Mass firings would be too extreme (unless the division was exceptionally incompetent) and so less drastic and more productive measures would be taken (e.g., restructuring, change in management styles, etc.). The benefit of maintaining anonymity is that individuals are protected: in principle 1.1, it is quite possible that this kind of approach is not within the grasp of every decision maker. We’d all hope for people to make the wisest decisions with the information available, but it’s often the case that relying on someone to do good will lead to bad things at some point or another.
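An added illustration of principle 1.2, not code from nugget or the Report: a report builder that drops identifiers and publishes only per-division aggregates. It goes one step beyond the text by also withholding groups that are too small, since the "average" of a one-person division is that person's score. The threshold, division names and records are constructed assumptions.

```python
from collections import defaultdict

MIN_GROUP_SIZE = 5  # assumed threshold, not a value from the article

# Constructed sample data: (employee_id, division, productivity_score)
RECORDS = [
    ("e01", "engineering", 72), ("e02", "engineering", 68),
    ("e03", "engineering", 75), ("e04", "engineering", 70),
    ("e05", "engineering", 41), ("e06", "engineering", 76),
    ("e07", "sales", 60), ("e08", "sales", 65), ("e09", "sales", 70),
    ("e10", "sales", 55), ("e11", "sales", 50),
    ("e12", "legal", 30),                      # a division of one
    ("e13", "design", 80), ("e14", "design", 90),
]


def _summary(scores):
    return {"headcount": len(scores),
            "mean": round(sum(scores) / len(scores), 1)}


def aggregate_report(records, min_group_size=MIN_GROUP_SIZE):
    """Per-division statistics with no employee identifiers."""
    by_division = defaultdict(list)
    for _employee_id, division, score in records:  # identifier dropped here
        by_division[division].append(score)

    report, pooled = {}, []
    for division, scores in by_division.items():
        if len(scores) >= min_group_size:
            report[division] = _summary(scores)
        else:
            pooled.extend(scores)  # too small: a mean would expose individuals
    if len(pooled) >= min_group_size:
        report["pooled_small_divisions"] = _summary(pooled)
    # Otherwise the pooled scores are withheld. No company-wide total is
    # emitted either: subtracting the published divisions from it would
    # recover the withheld group's figures.
    return report


if __name__ == "__main__":
    for name, stats in aggregate_report(RECORDS).items():
        print(name, stats)
```
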

These considerations are being taken into account in nugget’s new Bots product. Currently in development, it will utilize employee information in a seamless, background manner while providing complete security and anonymity to every individual. More information is to come here, so be on the lookout for more announcements on this exciting new development.

2. Some information is public, some information is discretionary. Consent is required for the dissemination of discretionary information.

By the simple nature of doing things in public, public activity is plainly public information. If you walk on the street, people out and about will perhaps take notice of you; your location is known even if they don’t know your name. As such, some things are just naturally given up, and this information is free in the broadest sense. There is, however, information you give that you do not intend to be public information. Governments have access to a plethora of your information, something you’re willing to give to maintain either your citizenship or your extended right to be in the country. It doesn’t follow that you want this information distributed without your consent to those you do not know, for reasons you do not have access to. Government bodies and companies hold great interest in having your data, and it is true that there are beneficial reasons to give your data. This is where consent comes into play: sometimes you want to be as well-known as possible (consider sending your resume to multiple companies, or wanting to amass a social media following so they may see your life frame by frame). In such circumstances, readily giving consent is a benefit, and so such information should be utilized. Additionally, companies themselves need access to data so they may analyze it and feed it into their AI machines. To balance this with the needs of privacy, companies need to provide an environment where consumers want to give their information; this lessens the impact that a company will have on a consumer, and so they will be more willing to give their data. Now that we understand the logistics and reasons to give consent, there are proper ways companies ought to structure how they gain and respect the consent of those willing to give it:

  • Consent requests should be concise and informative- they should mention the kinds of activities you plan to do with the information
  • Changes to policy should be notified to those currently giving consent- they must have the ability to accept the changes or revoke consent altogether
  • Revoking consent should be possible at any time; this allows people to change their minds and gives them the freedom and control necessary
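The three consent rules above, sketched as an added example (not nugget's implementation): consent is recorded per purpose and per policy version, a policy change leaves existing consents stale until the person accepts again, and revocation takes effect immediately. The class and method names are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass
class Consent:
    purposes: frozenset            # activities the person was told about
    policy_version: int            # policy text they actually agreed to
    granted_at: datetime
    revoked_at: Optional[datetime] = None


class ConsentLedger:               # hypothetical name, for illustration
    def __init__(self, policy_version: int):
        self.policy_version = policy_version
        self._consents = {}        # subject_id -> Consent
        self.audit = []            # append-only (time, subject_id, event)

    def _log(self, subject_id, event):
        self.audit.append((datetime.now(timezone.utc), subject_id, event))

    def grant(self, subject_id, purposes):
        self._consents[subject_id] = Consent(
            frozenset(purposes), self.policy_version,
            datetime.now(timezone.utc))
        self._log(subject_id, "grant v%d" % self.policy_version)

    def revoke(self, subject_id):
        consent = self._consents.get(subject_id)
        if consent and consent.revoked_at is None:
            consent.revoked_at = datetime.now(timezone.utc)
            self._log(subject_id, "revoke")

    def publish_policy(self, new_version):
        """Switch policy; return the subjects who must be notified."""
        self.policy_version = new_version
        pending = sorted(s for s, c in self._consents.items()
                         if c.revoked_at is None)
        for subject_id in pending:
            self._log(subject_id, "notify v%d" % new_version)
        return pending

    def may_process(self, subject_id, purpose):
        """True only for live consent to this purpose under this policy."""
        c = self._consents.get(subject_id)
        return bool(c and c.revoked_at is None
                    and c.policy_version == self.policy_version
                    and purpose in c.purposes)
```

Every data-processing path would call `may_process` before touching a record, so an unanswered policy notice fails closed rather than open.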

3. Personal intrigue cannot interfere with business operations.

This issue pertains to personal gain or interest by employees whilst on the job. In a way, it relates to principles (1) and (2), yet it deals with the immoral behavior of individuals, not company activity. The Report makes mention of a system called ‘God View’, a system which was intended merely to track operations but instead had its employees tracking the movements of celebrities and ex-lovers. It’s quite clear that employees having access to information for their own personal interests is not good. The measures against this vary: restricting access to information to only a few people, logging employee activity to maintain accountability, and essentially any relevant method employed by agencies that deal with discretion and must maintain strong moral fortitude.

Security: Necessary for Privacy

There’s quite little moral consideration required for security: a lock is a lock. What’s important is the safety of information. At nugget, the weight is considerable as we handle data that has an impact on one’s professional life. This is a profoundly critical area of one’s life and so must be handled with due care. There are standards for internet security and nugget follows them, using the Advanced Encryption Standard (AES) at 256 bits as well as Transport Layer Security (TLS). Without going into too much detail, operations done by clients and users are secure; every database is protected to secure any information given to nugget.

At 256 bits, AES makes a brute-force attack practically infeasible. Yet we know from the news that leaks do happen and breaches do happen. The reason for this is human error: technological prowess must be present in one’s software, yet those who guard the gates must also be sharp. This is why error-minimizing safeguards are useful. Here are a few examples of safeguard practices:

  • Placing cautious checks helps stop unintended actions.
  • Putting limits on when new security changes are deployed to verify if any new leaks are introduced.  
  • Shredding physical documents that contain data that would compromise security.  

These are the kinds of considerations that must be added and implemented in security measures when dealing with data, for the sake of mitigating human error and bringing about stronger security overall.

Evolving Privacy

To round out this section on Privacy, the final piece of advice is to ensure that new developments recall these important considerations: whether it is updating policy to better serve the people through more thorough data collection or introducing a new product to tackle a problem in a novel way, always consider what kind of harm could be introduced, and whether the AI could be better attenuated to prevent the introduction of harm. Providing solutions instead of punishments feeds into this idea well. Finally, ensure that such data is protected from being extracted, both through virtual security and through the addition of real-life safeguards.

Click here for part 4 all about Transparency!

Nicholas Tessier 🧠

Product Manager