Managing Risks and Potential Harms with DPI Implementation
Blog Post
Nov. 21, 2024
In this third article of the research collection, Infrastructure for the Digital Age, experts weigh in on questions exploring the potential for digital public infrastructure (DPI) to support a healthier digital environment in the United States through essential services and frameworks that are open, inclusive, and adaptable. Each article summarizes major themes from experts’ responses to a prompt, followed by a curated collection of expert insights.
Prompt: What can be done to effectively manage risks and potential harms associated with DPI layers in the United States (ID verification, digital payments, and data exchange)?
Any societal-scale digital solution, if not properly anticipated or managed, has the potential to pose risks ranging from threats to privacy and human rights to unintended market effects to opaque business practices. Challenging conditions that are specific to the United States include a large and underregulated market for user data; a palpable erosion of public trust that affects every policy challenge; political polarization; and inadequate legal frameworks.
Experts cite inadequate privacy protections as the greatest issue of concern in the United States. On the positive side, they point out that we as a society know more about what remedies could be effective to prevent surveillance and discrimination and to provide mechanisms for redress. Addressing potential harms involves encouraging and incorporating open dialogue and responsive safeguards at all stages of DPI development to prevent misuse and ensure that DPI serves the public interest without compromising individual rights.
Experts also note that federal government capacity is constrained in three key areas with respect to DPI: building and funding institutional structures to protect constitutional democracy and individual rights; engaging in effective, legitimate technology oversight; and having the expertise to build, deploy, and maintain tech solutions. It is hard to imagine that the government could be perceived as a trusted steward of tech. However, as one of the largest procurers of tech solutions in this country, the government could commit to modeling healthier tech development and management. The Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence is an encouraging example that the U.S. government can effectively design policy direction developed through inclusive approaches rooted in the public interest.
A shift toward a digital commons approach could mark a path forward for inclusive and equitable outcomes. And although this mindset may not be fully where the federal government is today, the United States did participate in the recent launch of the Universal DPI Safeguards Framework at the United Nations. Experts recommend this framework as a foundational and practical tool with a set of actionable guidelines for countries considering DPI risk mitigation and safeguard measures.
Key Findings
Reflecting on many of the challenges, experts shared the following ideas to better manage risks and potential harms associated with DPI implementation in the United States:
- Support effective national privacy policy that establishes clear data rights of individuals.
- Create independent tech oversight bodies and conduct effective impact assessments.
- Mitigate risks by supporting and modeling safe, inclusive, and accessible solutions.
- Strengthen law enforcement response and redress for digital crimes.
- Address concentrations of market power. Private sector interests, competition concerns, and legacy operations all pose significant challenges.
- Conduct public education campaigns to advance tech literacy, awareness of data safety for individuals, and understanding of how digital harms can calcify social inequalities.
- Build capacity in the tech-for-good space and attract tech talent to dynamic and innovative civil service positions.
- Realign burdensome compliance practices, especially around public procurement, in ways that improve transparency and accountability.
- Promote solutions that don’t depend on access to raw data (for example, privacy-preserving techniques, differential privacy, advanced forms of encryption, and the like) and increase research and support for digital ID verification that better protects the user.
- Establish paths for meaningful cross-sector collaboration through dialogue, guidelines for data sharing, interoperability standards, and development of public-private partnerships.
- Ensure sustainable funding for DPI projects, such as by creating the DPI as part of a publicly funded nonprofit corporation.
- Invest in DPI that ensures pathways for digital-first, not digital-only, solutions.
Building on the insights provided by experts below, the next research article in this collection will examine the need for cross-sector collaboration and incentive alignment.
Go to the next article in the research collection: Encouraging Cross-Sector Collaboration and Incentive Alignment for DPI Development
A Curated Collection of Expert Insights
Prompt: What can be done to effectively manage risks and potential harms associated with DPI layers in the United States (ID verification, digital payments, and data exchange)?
Creating Policy, Legal, and Regulatory Frameworks Including a National Data Privacy Plan
Daniel Castro, Director at the Center for Data Innovation
Addressing privacy concerns will take more than just good technical design to minimize actual privacy risks. Additional work will be necessary to address perceived privacy risks, even when such claims are based on pure falsehoods and misinformation. For example, legislation that sets specific requirements for data rights of individuals on DPI could mitigate some of these concerns, as well as an overarching privacy commitment to all government-funded DPI, which could include regular independent third-party audits and assessments.
Yolanda Martínez, Practice Manager for Digital Development in Latin America and the Caribbean at The World Bank
Establishing a comprehensive citizen-centric service design approach that ensures transparency and accountability in data handling, investing in advanced cybersecurity measures, providing individuals control over their personal data, conducting public education campaigns, and creating independent oversight bodies. These steps will build public trust and promote wider acceptance and adoption of DPI by safeguarding personal data and addressing potential misuse and security threats.
Joseph Lorenzo Hall, Distinguished Technologist of Strong Internet at the Internet Society
We should promote and actively seek solutions that don't depend on access to raw data (e.g., privacy-preserving techniques, differential privacy, advanced forms of encryption, etc.) or that incorporate methods to obtain the necessary information without exposing individuals significantly. I believe gaining the trust of individuals in these systems will be extremely challenging in the current environment, and without that trust, the entire endeavor will likely fail.
Ethan Zuckerman, Professor and Director of the Digital Public Infrastructure Initiative at UMass Amherst
The most significant thing we could do is pass meaningful privacy legislation. There's a vast, unregulated market for user data in the U.S., and we could follow the European lead in putting significant privacy legislation in place. That would not only benefit the public information areas, but will also provide better safeguards for areas like Digital ID and payment.
Akash Kapur, Senior Fellow at New America and The GovLab, and Visiting Research Scholar at Princeton University
Two of the most important factors include: 1) a federal privacy bill (or equivalent national-level privacy protections); 2) better law enforcement responses to digital crimes, of all varieties.
I think the second one, in particular, is important, and receives less attention than it should. There really is very little redress for digital harms right now (other than vague messages to “inform the FBI”!). A more locally based strategy that helps educate, staff and train police departments is sorely needed. One analogy for this approach is the U.S.’ recent announcement that all embassies (and some consulates) will be staffed with digital officers; this should be true of police departments too.
David Eaves, Professor and Deputy Director in Digital Government at the UCL Institute for Innovation and Public Purpose
The first line of defense is an accessible, resilient and independent legal system that can hold all stakeholders accountable. Second are a robust privacy law, access to information regime and consumer protection regime that explicitly cover this infrastructure and that can be used by governments, private sector and citizens to hold each other accountable.
For example, in our DPI Map we focus on four key attributes:
- Interoperable and extensible
- Transparency, accountability and oversight
- Privacy, security and protection
- Non-discrimination and inclusion
How the degree to which there is capacity and coordination (state capacity) to support these attributes and then to what degree these enable scale of adoption.
Advancing Tech Literacy with Public Education Campaigns and Standards
Lauri Goldkind, Professor at Fordham University and Editor in Chief at the Journal of Technology in Human Services
A significant barrier to creating cohesive DPI is a lack of public understanding, and a gap in knowledge about digital harms and how these harms reify existing societal inequalities. In the absence of public health style digital literacy campaigns, nontechnical publics have been known to build “folk theories” of AI and digital data practices. These folk theories are crafted in part by social media feeds, the popular press and an individual’s personal information network. The danger of digital literacy via folk theory is that an under-informed or mis-informed public may be duped into becoming a thread in the fabric of the Amazon-industrial ecosystem with a seamless consumer pipeline between their Ring Cameras, their Alexas, and the Amazon built environment. While the Amazon example represents consumerism gone awry, worse is a mis-informed non-technical public unable to distinguish between real and manufactured political information. Given the global rise in populism and conservative governance, a digitally literate non-technical public is of grave concern.
Increasing digital literacy can be achieved via at least two mechanisms. Common Core Standards that are used by school districts across the country for setting K-12 curricula could be expanded beyond digital literacy and data literacy to include AI literacy standards. While enhancements in the K-12 curricula address future workers and citizens, public service campaigns can be used to address U.S. adults. Who in the U.S. public has not heard slogans or seen campaigns such as: “You Could Learn A Lot From a Dummy” on using seat belts, or “Friends don’t let friends drive drunk” on reducing incidents of drunk driving? The creation of accessible, easily adoptable data literacy campaigns would help to raise public consciousness and build support for data protections at the individual citizen level.
Encouraging Inclusive Stakeholder Engagement
Alek Tarkowski, Co-Founder and Director of Strategy at the Open Future Foundation
From our perspective, the key issue to address is the development of ecosystems around DPIs and the engagement of various civic and non-commercial actors in these ecosystems (and not just a mix of state and private actors). We offered a vision of this approach in our "Generative Interoperability Report". Here I would just reiterate the significance of DPI funds as a relatively simple policy mechanism that could trigger the development of DPIs and ecosystems around them.
Carl Gahnberg, Director of Policy Development and Research at the Internet Society
Multistakeholder cooperation and to realize that none of the questions are really new. There is a ton of experience in fora like W3C, IETF and amongst civil society about the critical considerations.
Daniel Abadie, Senior Technical Advisor at the Centre for Digital Public Infrastructure
Establish clear paths for cross-sector collaboration. This can include guidelines for data sharing, interoperability standards and privacy and security protection. Develop public-private partnership models, defining the roles, responsibilities and benefits for each sector involved through participatory design mechanisms. Capacity building and skill development is critical as well. Invest in training programs to build the necessary skills in both the public and private sectors.
Diana Zamora, Director of Global Public Policy at Mastercard
To address challenges related to DPI, it is essential to engage in open dialogue with stakeholders, including federal and state governments, the private sector, and civil society organizations. By fostering collaboration and understanding the unique needs and concerns of each group, it may be possible to develop a DPI framework that aligns with American values and leverages the strengths of the U.S.' federal system. Additionally, piloting DPI solutions in specific use cases and documenting their impact can help build trust and demonstrate the potential benefits of DPI in the U.S. context.
Empowering Democracy, Advancing Governments’ Role in Driving Better Outcomes through Oversight, Resources, and Civic Engagement
Audrey Tang, Senior Research Fellow at the Collective Intelligence Project and Beth Simone Noveck, Professor and Director of The Burnes Center for Social Change, and The GovLab at Northeastern University
One major barrier to Digital Participation Infrastructure (DPI) adoption in the United States is the entrenched nature of traditional democratic processes and the resultant institutional inertia. We are accustomed to long-established but limited methods of citizen engagement, including periodic elections, town hall meetings, and written public comments. However, in our experience, the primary obstacle to the more frequent use of DPI is not resistance to change per se, but rather a lack of understanding of 1) why, when designed well, more frequent opportunities for public participation lead to better decision making, and 2) how to deploy these practices efficiently.
To address this knowledge gap, we have instituted government-wide training programs. In Taiwan, we implemented the Participation Officers Network. In the United States during the Obama Administration, we established Open Government Officers in every agency. Both elected officials and civil servants should receive comprehensive education on the benefits and implementation of DPI. Such programs should not only cover the technical aspects but also emphasize how DPI can enhance their ability to serve constituents and make more informed decisions. This training would leverage examples from countries like Taiwan, Iceland, and Brazil to illustrate the successful implementation of DPI on a large scale.
Daniel Castro, Director at the Center for Data Innovation
One unique (at least partially unique) problem for the United States is political gridlock, especially in Congress. Any U.S. DPI needs to have independent, sustainable funding after launch so that it is not subject to the types of government shutdowns that impact other parts of the federal government. For example, federal highways do not get shut down during a Congressional spending deadlock, but other federal government functions do cease their operations. For consumers and businesses to rely on DPI, they will need assurance that government shutdowns will not materially impact their operations, including monitoring and responding to cyber incidents and completing planned (or unplanned) updates. Therefore, any authorizing legislation to create DPI should explicitly consider its funding mechanisms and isolate the independent organization responsible for running DPI from federal government shutdowns. One way to create these safeguards would be to create the DPI as part of a publicly funded non-profit corporation.
Collaborating on Effective Safeguards and Remedies
Laura Bingham, Professor and Executive Director at the Institute for Law, Innovation & Technology at Temple University
Focusing on effective remedies is an absolute priority. This means planning for a mix of ex ante tools (like risk assessment, impact assessment and human rights due diligence) and ex post redress mechanisms that work for people who face the most significant risks when something goes wrong and who are least positioned to advocate on their own behalf. One set of investments by decision-makers and governance stakeholders cannot preclude the other. Often, judicial systems and independent authorities that could play a pivotal role in the design of remedies are not present in conceptual discussion about DPI safeguards or DPI design and implementation. Redress mechanisms and the character and quality of appeals from negative determinations (in the field of public benefits, for instance, are remedies purely administrative or is judicial review envisioned, where do the burdens fall between claimants and agencies) become an afterthought, merged with other operationalization detail to be determined, for example, in regulatory frameworks rather than primary legislation.
In addition to attention to remedial structures, the fundamental optional nature of DPI must be invested in at all levels, not only in principle, otherwise systems tend to become de facto mandatory for accessing essential services. Operationalizing optionality requires significant investment including in timely and effective consultation with impacted groups like those without regular access to high-speed internet, people who share smartphones or accounts, people with disabilities and people with lower levels of digital or financial literacy.
Concerning data exchange specifically, the findings from a recent 50-state survey on the state of data exchange in state public benefits administration highlighted a need for increased transparency about the programs (differentiating between the envisioned roadmap and actual implementation) and a critical need to ensure that emerging state privacy laws apply to public institutions, not only private data stewards, and that carve outs for public institutions are clearly articulated and minimized to reflect a specific purpose.
Focusing on Foundational Approaches like Procurement, Interoperability, and Standards
Lauri Goldkind, Professor at Fordham University and Editor in Chief at the Journal of Technology in Human Services
The harms created by digital systems cannot be thought of solely as engineering challenges or tech problems. They are socio-technical problems, created most often by unintended consequences, as in the case of MiDAS, the Michigan Integrated Data Automation System, where individuals were falsely accused of gaming the unemployment system. Viewing the debacle of MiDAS through a solely engineering lens might yield an engineering solution, whereby if we could just tweak the algorithm, the system would work as planned. However, predictive analytics or engineering tools often have trouble managing edge cases or outliers. They are by definition best equipped to deal with averages and central tendencies. A more fruitful solution, rather than moving towards digital IDs or other tech-forward fixes, might be to work towards transdisciplinary design teams, upstream, in the vendors building these tools. For example, one risk management solution upstream from the “product” could be situated in the procurement process. The agencies purchasing products could mandate in the RFP process that all contractors demonstrate a diverse project team including representation from a range of identities (gender, race, ethnicity) as well as disciplinary experiences. There are great models in contracting that prioritize and offer preferential treatment to minoritized and women-owned businesses. By baking inclusion and risk management into the pre-design and development process, some of the downstream unintended consequences could be avoided. A similar pre-development, pre-procurement policy solution is the development of a participatory design process that meaningfully engages non-technical stakeholders. Models of this type of community engagement exist in the U.S., most notably in the participatory budgeting process.
Including community and citizen level expertise in the pre-design and pre-decision making process would support decision makers’ understanding of potential unintended consequences at the project implementation stage.
Joseph Lorenzo Hall, Distinguished Technologist of Strong Internet at the Internet Society
I believe it's important to focus on aligning incentives. For example, businesses often overlook the resources required to develop new software or hardware using open standards and open source software when considering the procurement bid/price. This presents real challenges because it's easier to invest a large sum of money in creating something proprietary with the hope of future returns, rather than putting in the extensive and lengthy effort to develop open standards and software that would ensure government procurement supports the true downstream generative potential of software and services procured by the public sector.