Tech Policy Hub

In this project, Dr. Harry, Dr. Sivan-Sevilla, Mr. McDermott, and Mr. Poudel are offering a novel methodology to map the attack surface exposed across US county governments. They argue that existing & limited methodologies to measure, enumerate, aggregate, and evaluate the cyber attack surface of US county governments prevent the full estimation of the importance of local government cybersecurity to national resilience. Their study aims to address this gap. They further develop existing OSINT-based methodologies to measure the attack surface and assess the size and vulnerability of publicly accessible county infrastructures. By collecting data on 42,735 Internet-facing devices across 3,095 US county governments they show, for the first time, variations in size and vulnerability of exposed county government attack surfaces. They develop and compare service- and Common Vulnerability Exposure (CVE)-based measures for attack surface severity, each showing different correlation trends with county population. They also highlight the lack of correlation between density of CVEs and likelihood of exploitation and develop measures to quantify the risk, revealing the impact of county government vulnerability on national cyber resilience. Previously studied as islands of insecurity, their novel empirical approach holistically estimates potential county vulnerability to common attack vectors upon service misconfiguration and aggregates CVEs, their severity, and probability of exploitation across county infrastructures, shedding light on the integrated and aggregated attack surface created across US county governments.

In this project, Dr. Benthall & Dr. Sivan-Sevilla suggest a new model for regulating privacy. Recently, the practice of regulating privacy, largely based on theories of privacy as control or secrecy, has come under scrutiny. The notice and consent paradigm has proven ineffective in the face of opaque technologies and managerialist reactions by the market. They propose an alternative regulatory model for privacy pivoted around the definition of privacy as Contextual Integrity (CI). Regulating according to CI involves operationalizing the social goods at stake and modeling how appropriate information flow promotes those goods. The social scientific modeling process is informed, deployed, and evaluated through agile regulatory processes – adaptive regulation – in three learning cycles: (a) the assessment of new risks, (b) real-time monitoring of existing threat actors, and (c) validity assessment of existing regulatory instruments. At the core of their proposal is Regulatory CI, a formalization of Contextual Integrity in which information flows are modeled and audited using Bayesian networks and causal game theory. They use the Cambridge Analytica scandal to demonstrate existing gaps in current regulatory paradigms and the novelty of our proposal.

In this project, Dr. Sivan-Sevilla is trying to assess the impact of ‘privacy intermediaries’ on effective accountability across the US privacy regime. Those US privacy intermediaries include Privacy NGOs, Tech Whistleblowers, Tech Journalists, Academic Researchers, FISA Courts, and Congressional Committees who have been active and trying to hold privacy threat actors into account. They work to advance consumer privacy vis-a-vis corporations and fight government surveillance vis-a-vis the security establishment. They work both formally & informally, but it is still unclear to what extent they are promoting meaningful accountability by threat actors. According to the literature, the political context, capacity of the regulator, strength of intermediary networks, and level of formality all contribute to the extent to which intermediaries will be able to promote ‘meaningful’ accountability. For the broken privacy regime in the US, the impact of regulatory intermediation is unclear. This project asks: (1) How formal and informal US privacy watchdogs hold US government and corporations into account? (2) How can we explain different levels of accountability powers across public vs. private threat actors & vis-à-vis formal vs. informal privacy watchdogs? (3) What are the consequences of varying accountability powers to the individual rights of data subjects? ‘Accountability Powers’ of privacy intermediaries are assessed based on their authority, resources, and application of power. Through a questionnaire that includes accountability index indicators, in-depth interviews, and desk research of publicly available documents from various privacy watchdogs, this project aims to shed light on whether and how effective privacy accountability emerges in the US. Preliminary results show that privacy intermediation for digital accountability works in creative, innovative, and informal ways, when privacy threat actors are less ready for scrutiny & oversight.

In this project, Patrick Parham seeks to understand the management of privacy in a post third-party cookie digital advertising ecosystem as privacy pressures on the online advertising industry have led organizations to consider shifting from third- to first-party data solutions to navigate privacy concerns while satisfying business interests. Consequently, individual advertisers are assuming an increasingly important weight on consumers’ privacy decisions, deciding how to target segments of the population for advertisements assembled from first-party data instead of defaulting to the capabilities of primary adtech platforms. Specifically, advertisers, who are not used to having such central privacy roles, become ultimately responsible for putting privacy preserving first-party data solutions to work. This proposed project examines how advertisers currently address privacy in their work and also manage these developing privacy preserving solutions that leverage first-party data for advertising. This work investigates the experience of advertiser employees at the business process-level responsible for coordinating both targeting assembled from first party-data and privacy in the process, through a thematic analysis based on semi-structured interviews. Additionally, this research looks to understand the efforts of the industry’s trade organization developed standards and guidance related to first-party data practices and associated privacy-preserving solutions on adverisers’ disparate attempts to coordinate privacy. To do so, a critical discourse analysis is performed based on assembling a corpus comprising standards, guidance, technical documentation, and press releases from an individual industry trade organization’s privacy initiatives.

Dr. Sivan-Sevilla, Dr. Ciampaglia, and Mr. Poudel study the digital ecosystem of news websites through their third-party structure. A common trait of digital news media outlets is that they rely on display advertisement to generate revenue for their business, which is heavily based on personal data collection and tracking. But this poses challenges to Internet users, who do not always have the tools to trust the news sources they visit will handle their personal data responsibly. This is an especially pressing issue, given that nowadays news outlets vary considerably in terms of their quality and reliability, and this may extend also to the technical infrastructure that these outlets rely upon to serve display ads and other third party assets. This work builds on, and further develops, previous work in the privacy literature that utilized the structure and publicly available attributes related to websites’ third-party requests to test the extent to which the request structure of websites can be used to distinguish between legitimate and fraudulent websites. The goal is to investigate how much the third-party structure of news outlets is indicative of their operations and quality, going beyond existing approaches that solely rely on the inspection of web content. Such a method could be used to complement current systems and help companies, organizations, and online communities better enforce their own content policies.

In this project, Dr. Sivan-Sevilla aims to realize how AI policies are implemented by government agencies and to what extent we can still hold ML-based government accountable. ML systems offload complex, time-consuming, cognitive tasks of public administrators to machines, allowing cost savings and better resource allocation for agencies that often operate under significant constraints. As government agencies automate their decision-making, however, they undermine the premise of public administration whose power derives from their expertise, flexibility, and ability to be held accountable. Through organized workshops & in-depth interviews with Maryland’s agencies who use ML to deliver public outcomes, this project aims to realize how public agencies implement ML policy requirements, and which accountability arenas – judicial, professional, or social – are the most effective ones in holding the government accountable for ML consequences.

Prof. Katie Shilton is one of the leaders of The VCAI Initiative, a UMD Grand Challenge project to integrate AI research and education across campus, engage in high-impact research with local stakeholders, and transform how artificial intelligence is practiced. It brings together UMD researchers interested in placing social and human values at the center of AI design to innovate on AI design methods and education. Activities include seminars, round-tables, tutorials, and collaborative research. More details are available here.

Prof. Katie Shilton is co-leading a project on community-based content moderation. Online platforms increasingly enforce complex speech and content policies to encourage participation and prevent hate speech and extremism. Balancing free speech and equality online is not only a thorny social problem debated by platforms and legislators, but also a problem negotiated every day by a (volunteer and paid) workforce of online moderators. This project uses participatory design with volunteer moderators to build machine learning tools to support healthier online communities, enable better working conditions for online moderators, and create more flexible software responses to community policies and norms. With Sarah Gilbert, Hal Daume, and Michelle Mazurek. More details are here, and a summary slide is available here.