March 15, 2022
Throughout its lifespan, the CONNEXIONs project has given explicit attention to the legal and ethical compliance of its next-generation detection, prediction, prevention, and investigation services with all relevant applicable national, EU and international law, research ethics standards and codes of scientific conduct. In doing so it adheres to the highest standards of research integrity and to the ethics principles that represent the shared values upon which the EU is founded, laid down in the European Charter of Fundamental Rights, with a focus on respect for human dignity, the right to the physical and mental integrity of the person, and respect for privacy and protection of personal data.
To begin with, all project activities that involved human participants (for all three pilot use cases) were ethically approved by the Ethics Committee of Sheffield Hallam University before they took place. In parallel, dedicated informed consent forms and information sheets were prepared by the project’s Ethics Advisory Board, with emphasis on the voluntary character of the entire procedure and on the right of the adult participants (including LEA personnel and staff involved) to withdraw their consent at any time without any consequences. Specific information on the data processing was also provided to the participants, differentiated according to the type of participation of the data subject (tool operator and/or attendee in the demonstration). Pseudonymisation techniques were implemented, with each participant assigned a unique participation number, and the data minimisation principle was applied: only the minimum data needed for the purposes of the research was collected. All the aforementioned procedures were aligned with the General Data Protection Regulation (Regulation (EU) 2016/679), as well as with the specific national legislation of the countries responsible for the PUCs: Germany (Bavarian Data Protection Act), Greece (Law No. 4624/2019), Portugal (Lei No. 58/2019), Romania (Law No. 190/2018) and the United Kingdom (DPA, 2018).
Furthermore, to ensure both legal and ethical compliance when collecting data from social media (Twitter and YouTube), a dedicated guide was also produced, including a risk assessment matrix to guide ethics considerations associated with social media processing, data protection and IPR issues. Only publicly available data and/or previously collected personal data were processed for the activities of the CONNEXIONs project, and all relevant information on the processing was made available on the CONNEXIONs project website in line with Articles 6 (1) (e) and (f), 14 and Recital 50 of GDPR. Specific technical and organisational safeguards were in place to protect the rights of each data subject, with pseudonymisation techniques applied wherever necessary.
Regarding the data acquired from external websites, all data were fully anonymised by removing names, locations, and other personal or identifying attributes prior to storage, to avoid stigmatisation of, or negative consequences for, potential victims of human trafficking. All partners involved in the data processing respected the Terms of Service of the data providers, while the Data Management Plan of the project was constantly updated during the three and a half years of the project, including the relevant Privacy-by-design principles and mechanisms that were embedded in the design and architecture of the CONNEXIONs system.
In addition, the consortium partners agreed that all potential incidental findings would be managed on a case-by-case basis and supervised by the ethics board. Before each PUC activity took place, all researchers were adequately prepared on the procedures, laws and legislation in place, and were also informed about the content of the incidental findings and their follow-up actions. The same applied to the research participants, who were informed of the confidentiality limits they would be offered during their participation in the relevant activities.
Attention has also been given to the proper development and usage of the AI services in the CONNEXIONs project, ensuring that they would respect human dignity and autonomy, would effectively prevent bias, discrimination, and stigmatisation, and would not present possible limitations on fundamental human rights and freedoms (including freedom of expression, access to information, freedom of movement etc.). All the services have been built in compliance with the Proposal for a Regulation laying down harmonized rules on Artificial Intelligence (Artificial Intelligence Act) and amending certain Union Legislative Acts, and included measures such as: (a) requirement of human validation/verification before any decision-making activity, (b) provision of reviewing tools to the users for manually reverting possible false alarms generated by the service and deleting all associated data, (c) proposal of certain mitigation measures such as operator training and appropriately labelled outputs accompanied by confidence scores, and (d) mitigation measures for addressing the risk of inherent bias in data collection and their subsequent annotation by human operators when building training sets (anonymised/pseudonymised large and varied collections of publicly available data, review of dataset labels and constant training of the operators).
The legal and ethical compliance of the CONNEXIONs project with the relevant rules and regulations has been a long-term and continuous endeavour of the project partners, involving constant discussions with experts, bilateral meetings, and intense brainstorming and contemplation during each and every activity. The culmination of these efforts has produced a robust framework that guided the consortium during the lifespan of the project, providing future recommendations for similar projects.
The Final Conference of CONNEXIONs hosted a dedicated panel discussion on “Legal and ethical issues associated with security research projects and the emerging use of AI”, where legal and ethical experts from the Consortium and the Ethics Advisory Board presented all the aforementioned endeavours, underlining the most challenging ethics and data protection issues and the legal and ethical risks associated with the use of AI in the CONNEXIONs project as well as in similar security-related research projects.