(This article appeared as a Federal Register Notice on June 9, 2022.)
AGENCY:
Office of Science and Technology Policy (OSTP).
ACTION:
Notice of request for information on Advancing Privacy-Enhancing Technologies.
SUMMARY:
The Office of Science and Technology Policy (OSTP) – on behalf of the Fast Track Action Committee on Advancing Privacy-Preserving Data Sharing and Analytics of the Subcommittee on Networking and Information Technology Research and Development (NITRD) of the National Science and Technology Council, the National Artificial Intelligence Initiative Office, and the NITRD National Coordination Office — requests public comments to help inform development of a national strategy on privacy-preserving data sharing and analytics, along with associated policy initiatives. The national strategy will put forth a vision for responsibly harnessing privacy-preserving data sharing and analytics to benefit individuals and society. It will also propose actions from research investments to training and education initiatives, to the development of standards, policy, and regulations needed to achieve that vision.
DATES:
Interested persons and organizations are invited to submit comments on or before 5:00 p.m. ET on Friday, July 8, 2022.
ADDRESSES:
Interested individuals and organizations should submit comments electronically to PETS-RFI@nitrd.gov and include < RFI Response: Privacy-Enhancing Technologies > in the subject line of the email. Due to time constraints, mailed paper submissions will not be accepted, and electronic submissions received after the deadline cannot be ensured to be incorporated or taken into consideration.
Instructions: Response to this RFI is voluntary. Each responding entity (individual or organization) is requested to submit only one response, in English.
Responses may address one or as many topics as desired from the enumerated list provided in this RFI, noting the corresponding number of the topic(s) to which the response pertains. Submissions must not exceed 10 pages (exclusive of cover page) in 11-point or larger font, with a page number provided on each page. Responses should include the name of the person(s) or organization(s) filing the comment, as well as the respondent type ( e.g., academic institution, advocacy group, professional society, community-based organization, industry, member of the public, government, other). Respondent’s role in the organization may also be provided ( e.g., researcher, administrator, student, program manager, journalist) on a voluntary basis. Comments containing references, studies, research, and other empirical data that are not widely published should include copies or electronic links of the referenced materials; these materials, as well as a list of references, do not count toward the 10-page limit. No business proprietary information, copyrighted information, or personally identifiable information (aside from that requested above) should be submitted in response to this RFI. Comments submitted in response to this RFI may be posted online or otherwise released publicly.
In accordance with Federal Acquisitions Regulations Systems 15.202(3), responses to this notice are not offers and cannot be accepted by the Federal Government to form a binding contract. Additionally, those submitting responses are solely responsible for all expenses associated with response preparation.
FOR FURTHER INFORMATION CONTACT:
For additional information, please direct questions to Jeri Hessman at PETS-RFI@nitrd.gov or 202-459-9683.
SUPPLEMENTARY INFORMATION:
Privacy-Enhancing Technologies (PETs) present a key opportunity to harness the power of data and data analysis techniques in a secure, privacy-protecting manner.[1] This can enable more collaboration across entities, sectors, and borders to help tackle shared challenges, such as health care, climate change, financial crime, human trafficking, and pandemic response. PETs can also help promote continued innovation in emerging technologies in a manner that supports human rights and shared values of democratic nations, as highlighted during the Summit for Democracy in December 2021, which included an announcement that the United States and the United Kingdom are collaborating to develop bilateral innovation prize challenges focused on advancing PETs. However, to date, PETs have not achieved widespread adoption due to a variety of factors, among them, limited technical expertise, perceived risks, financial cost, and the need for more research and development.
The purpose of this Request for Information is to better understand how to accelerate the responsible development and adoption of PETs in a manner that maximizes the benefit to individuals and society, including increasing equity for underserved or marginalized groups and promoting trust in data processing and information technologies.
Terminology: Privacy-enhancing technologies (PETs) refer to a broad set of technologies that protect privacy, which are within the scope for this RFI. We are particularly interested in privacy-preserving data sharing and analytics technologies, which describes the set of techniques and approaches that enable data sharing and analysis among participating parties while maintaining disassociability and confidentiality.[2] Such technologies include, but are not limited to, secure multiparty computation, homomorphic encryption, zero-knowledge proofs, federated learning, secure enclaves, differential privacy, and synthetic data generation tools.
Background: Data are vital resources for solving society’s biggest problems. Clinicians are using data to identify the best treatments for their patients, farmers are using data to predict and improve farm yields, and public servants are using data to create evidence-based policies. Artificial intelligence (AI) and other emerging analytics techniques are amplifying the power of data, making it easier to discover new patterns and insights, ranging from better models to predict the impacts of climate change to new methods for detecting financial crimes.
While data are enabling innovation and insights across sectors, it can still be challenging to harness the full potential of data due to the overarching imperative for adequate privacy and security protections. For instance, when trying to explore developing new treatment options, some medical researchers may experience challenges when trying to gain access to medical records because those records reveal health information that may identify the individual patients, implicating the privacy and safety of those patients as well as medical privacy law. In other situations, confidentiality concerns around intellectual property limit research collaborations that could improve data model training and speed advances within those sectors.
Certain types of PETs provide ways to share data or provide access to data to drive innovation while also protecting privacy. For example, PETs could allow for the analysis of medical images across hospitals and international borders without transferring that data or even without using or disclosing the images to researchers. PETs could enable access to more comprehensive and diverse datasets, which in turn could enable the development of AI systems that can produce better treatments for patients from all demographic backgrounds.
Acknowledging this potential, the Federal Government seeks to develop a national strategy for advancing and adopting privacy-preserving data sharing and analysis. In the public sector, PETs can facilitate more integrated public services by enabling data analysis across agencies, advancing the Federal Data Strategy’s mission “to fully leverage the value of federal data for mission, service, and the public good.” [3] In the private sector, PETs can spur innovation and efficiencies by making it feasible for companies to enable more data access for researchers and nonprofits, or even for each other, without disclosing sensitive information.
Data processing by the Federal Government and in the private sector is currently governed by a number of laws, regulations, and policies. Many of these policies are in place to protect the information privacy of individuals and businesses, often by sector ( e.g., healthcare, education), by entity ( e.g., interagency data sharing, open data), or by jurisdiction ( e.g. the California Consumer Protection Act). However, as PETs continue to mature and mitigate the risks to information privacy when used to enable data sharing and analysis, it is possible that some existing policies will need modification. Such modifications could make it easier to harness the potential of PETs, while ensuring that the Federal Government and other entities continue to manage data in a responsible and privacy-protecting manner.
Through this RFI, we seek public input to identify potential actions or recommendations that could be put forth as part of a national strategy on privacy-preserving data sharing and analysis. We are especially interested in comments on Federal laws, regulations, authorities, research priorities, and other mechanisms across the Federal Government that could be used, modified, or introduced to accelerate the development and adoption of PETs.
Scope: OSTP invites input from any interested stakeholders. In particular, OSTP is interested in input from parties researching, developing, acquiring, using, or governing privacy-enhancing technologies; parties with expertise on the exchange of data with or within the Federal Government; and parties with experience using PETs to ensure effective delivery of Federal services and increase equitable outcomes.
Information Requested: Respondents may provide information for one or as many topics below as they choose. Through this RFI, OSTP seeks information on potential specific actions that would advance the adoption of PETs in a responsible manner, including on the following topics:
- Specific research opportunities to advance PETs: Information about Federal research opportunities that could be introduced or modified to accelerate the development or adoption of PETs. This includes topics for research, hardware and software development, and educational and training programs. This also includes information about specific techniques and approaches that could be among the most promising technologies in this space.
- Specific technical aspects or limitations of PETs: Information about technical specifics of PETs that have implications for their development or adoption. This includes information about specific PET techniques that are promising, recent or anticipated advances in the theory and practice of PETs, constraints posed by limited data and computational resources, limitations posed by current approaches to de-identification and deanonymization techniques, limitations or tradeoffs posed when considering PETs as well as technical approaches to equity considerations such as fairness-aware machine learning, security considerations based on relevant advances in cryptography or computing architecture, and new or emerging privacy-enhancing techniques. This also includes technical specifications that could improve the benefits or privacy protections, or reduce the risks or costs of adopting PETs.
- Specific sectors, applications, or types of analysis that would particularly benefit from the adoption of PETs: Information about sectors, applications, or types of analysis that have high potential for the adoption of PETs. This includes sectors and applications where data are exceptionally decentralized or sensitive, where PETs could unlock insights or services of significant value to the public, where PETs can reduce the risk of unintentional disclosures, where PETs might assist in data portability and interoperability, and sectors and applications where the adoption of PETs might exacerbate risks, including in the areas of privacy, cybersecurity, accuracy of data analysis, equity for underserved communities, and economic competition. This topic covers opportunities to improve the effectiveness of data sharing among specific Federal agencies and between specific Federal agencies and entities outside the Federal Government, including the goals outlined in Section 5 of Executive Order 14058: Transforming Federal Customer Experience and Service Delivery To Rebuild Trust in Government.
- Specific regulations or authorities that could be used, modified, or introduced to advance PETs: Information about Federal regulations or authorities that could be used, modified, or introduced to accelerate the development or adoption of PETs. This includes privacy-related rulemaking authorities under the Office of Management and Budget, the Federal Trade Commission, and financial regulatory bodies, as well as acquisition regulations under the Federal Acquisition Regulations. This also includes the Federal authority to set procedures for agencies to ensure the responsible sharing of data. This also covers hiring authorities to recruit Federal employees with expertise to advance PETs, as well as acquisition authorities ( e.g., Other Transaction Authority) to procure PETs for development.
- Specific laws that could be used, modified, or introduced to advance PETs: Information about provisions in U.S. Federal law, including implementing regulations, that could be used, modified, or introduced to accelerate the development or adoption of PETs. This includes provisions, safe harbors, and definitions of use, disclosure, safeguards, and breaches. Information may also include comments on how to advance PETs as part of new or proposed legislation, such as that which would create a National Secure Data Service. Information may also include comments on State law or on international law as it applies to data sharing among international entities.
- Specific mechanisms, not covered above, that could be used, modified, or introduced to advance PETs: This includes the development of open-source protocols and technical guidance, the use of public-private partnerships, prize challenges, grants, testbeds, standards, collaborations with foreign countries and nongovernmental entities, the Federal Data Strategy, and data sharing procedures with State, local, tribal, and territorial governments. This also includes interpretations and modifications of standard non-disclosure agreements, confidentiality clauses, data use or sharing agreements, etc.
- Risks related to PETs adoption: Identification of risks or negative consequences resulting from PETs adoption as well as policy, governance, and technical measures that could mitigate those risks. This includes risks related to equity for underserved or marginalized groups, the complexity of implementation and resources required for adoption, as well as from conceptual misunderstandings of the technical guarantees provided by PETs. This also includes recommendations on how to measure risk of PETs adoption and conduct risk-benefit analyses of use.
- Existing best practices that are helpful for PETs adoption: Information about U.S. policies that are currently helping facilitate adoption as well as best practices that facilitate responsible adoption. This includes existing policies that support adoption, including in the areas of privacy, cybersecurity, accuracy of data analysis, equity for underserved communities, and economic competition. This also includes information about where and when PETs can be situated within tiered access frameworks for accessing restricted data, ranging from publicly accessible to fully restricted data.
- Existing barriers, not covered above, to PETs adoption: Information about technical, sociotechnical, usability, and socioeconomic barriers that have inhibited wider adoption of PETs, such as a lack of public trust. This includes recommendations on how such barriers could be overcome. Responses that focus on increasing equity for underserved or marginalized groups are especially welcome.
- Other information that is relevant to the adoption of PETs: Information that is relevant to the adoption of PETs that does not fit into any of the topics enumerated above.
Dated: June 6, 2022.
Stacy Murphy,
Operations Manager.
- For the purposes of this RFI, privacy-enhancing, privacy-preserving, and privacy-protecting are used as equivalent terms.
- Disassociability means enabling the processing of data or events without association to individuals or devices beyond the operational requirements of the system. NIST Privacy Framework: A Tool for Improving Privacy Through Enterprise Risk Management, v 1.0, https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.01162020.pdf .
- https://strategy.data.gov/overview/.
[FR Doc. 2022-12432 Filed 6-8-22; 8:45 am]
BILLING CODE 3270-F2-P