<!DOCTYPE article PUBLIC "-//NLM//DTD JATS (Z39.96) Journal Archiving and Interchange DTD v1.0 20120330//EN" "JATS-archivearticle1.dtd">
<article xmlns:xlink="http://www.w3.org/1999/xlink">
  <front>
    <journal-meta />
    <article-meta>
      <title-group>
        <article-title>Improving Fairness and Cybersecurity in the Artificial Intelligence Act</article-title>
      </title-group>
      <contrib-group>
        <contrib contrib-type="author">
          <string-name>Gabriele Carovano</string-name>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Alexander Meinke</string-name>
        </contrib>
        <aff id="aff0">
          <label>0</label>
          <institution>University of Tübingen</institution>
          ,
          <country country="DE">Germany</country>
        </aff>
      </contrib-group>
      <pub-date>
        <year>2021</year>
      </pub-date>
      <abstract>
        <p>The EU's draft Artificial Intelligence Act (AIA) aims to regulate artificial intelligence (AI) systems, especially so-called 'high-risk AI systems', to ensure that they incorporate EU values and respect EU fundamental rights. However, despite its good intentions, the AIA fails to address basic challenges in the development of high-risk AI systems with regards to both fairness and cybersecurity and thus ofers insuficient protections to the public. Specifically, we discuss how fairness, cybersecurity, and accuracy can often be in unavoidable conflict that necessarily leads to ineliminable trade-ofs unaccounted by the AIA. Against this backdrop, We propose the creation of a specialised AI institute and ofer detailed solutions through new theoretical legal approaches consisting of mathematically computable, principlebased obligations.</p>
      </abstract>
      <kwd-group>
        <kwd>eol&gt;Artificial Intelligence Act</kwd>
        <kwd>Fairness</kwd>
        <kwd>Cybersecurity</kwd>
        <kwd>Pareto-optimality</kwd>
        <kwd>Trade-ofs</kwd>
      </kwd-group>
    </article-meta>
  </front>
  <body>
    <sec id="sec-1">
      <title>1. Fairness</title>
      <p>
        AI systems are often claimed to be biased or unfair in one way or another, but as is well-known
in the algorithmic fairness literature, there is no uniquely agreed-upon definition of the concept
[
        <xref ref-type="bibr" rid="ref1">1</xref>
        ]. Some definitions (i) require equalising certain prediction metrics across subgroups [
        <xref ref-type="bibr" rid="ref2">2</xref>
        ]; some
(ii) demand that similar individuals, with respect to the prediction task, are treated similarly [
        <xref ref-type="bibr" rid="ref3">3</xref>
        ];
others (iii) impose certain requirements based on a set of causal relationships that are assumed to
hold on the task [
        <xref ref-type="bibr" rid="ref4">4</xref>
        ]. Yet, despite the many fairness notions proposed thus far, legally qualifying
an AI system as fair remains dificult as for many AI applications there exist mathematically
unavoidable trade-ofs either between diferent fairness notions or between those systems’
accuracy and fairness [
        <xref ref-type="bibr" rid="ref5">5</xref>
        ]. Additionally, the described situation gets further complicated by
the fact that all fairness definitions require certain assumptions and/or decisions on which
attributes or subgroups deserve protection. As a result, efective regulation and supervision are
necessary to ensure that high-risk AI developers do not prioritize profit over the public interest
by optimizing their systems’ fairness towards definitions and subgroups that cause the least
degradation to their systems’ performance.
      </p>
    </sec>
    <sec id="sec-2">
      <title>2. Cybersecurity</title>
      <p>
        Conventionally, cybersecurity involves the defence against any threats aiming to compromise
computer systems and information security, without distinguishing between threat types (e.g.,
AI-related or non-AI-related) and sources (e.g., harm, theft, or unauthorised use). AI systems,
however, cause new cybersecurity risks or modify existing ones. AI-specific cybersecurity
threats can be grouped into four categories: (i) adversarial attacks [
        <xref ref-type="bibr" rid="ref6">6</xref>
        ] (maliciously modified
inputs that cause vastly altered behaviour in an AI system); (ii) data poisoning [
        <xref ref-type="bibr" rid="ref7">7</xref>
        ] (malicious
modifications to training data); (iii) privacy theft [
        <xref ref-type="bibr" rid="ref8">8</xref>
        ] (inferring information about the training
data from the model’s input-output relation); and (iv) model stealing [
        <xref ref-type="bibr" rid="ref9">9</xref>
        ] (inferring information
about the model’s parameters from its input-output relation). While defending against these
threats is in the public’s interest, their mitigation is not straightforward for several reasons.
Firstly, the precise definition of the threat model often requires many assumptions. Secondly,
even under precisely specified threat models, successfully mitigating one attack vector is known
to come at the expense of accuracy, other desired properties, or both [
        <xref ref-type="bibr" rid="ref10 ref11 ref7">10, 7, 11</xref>
        ]. Thus again, as
for fairness, also for cybersecurity efective regulation and supervision are necessary to ensure
that high-risk AI developers do not prioritize profit over the public interest by optimizing their
systems’ cybersecurity towards threats that minimally interfere with their profit-maximisation
objectives.
      </p>
    </sec>
    <sec id="sec-3">
      <title>3. Draft AI Act’s Limitations and Proposals</title>
      <p>
        Despite existing ineliminable trade-ofs between high-risk AI systems’ fairness, cybersecurity,
and accuracy, the draft AIA at the time of our paper’s acceptance neglected fairness as
selfstanding legal principle (aside from minor mentions of biased data [
        <xref ref-type="bibr" rid="ref12">12</xref>
        ]) and only superficially
treated AI-specific cybersecurity issues, mainly through legally undefined terms (e.g., AI specific
vulnerabilities, model flaw etc [
        <xref ref-type="bibr" rid="ref13">13</xref>
        ]). As a result, the draft AIA resembled a ‘blank cheque’ that
neither ensured legal certainty, nor guaranteed individuals’ fundamental rights, nor provided
meaningful guidelines to inform AI developers’ business decisions and democratic oversight
over the latter. Problematically, the original draft AIA left many normative decisions to
standardisation organisations despite their lack of democratic representation, risk of regulatory
capture, and the unclear judicial control over their operations.
      </p>
      <p>
        Note that the original version of the draft AIA mandated the creation of a European Artificial
Intelligence Board which would have had some limited and (we believe) insuficient authority
and expertise to shape the implementation of the AIA by issuing recommendations and opinions
about technical specifications and harmonisation standards. However, the most recent
amendments to the draft AIA have replaced the AI Board by the “AI Ofice”, which has a significantly
expanded scope [
        <xref ref-type="bibr" rid="ref14">14</xref>
        ]. In the accepted version of this paper, we proposed an “AI Institute” to
assist in the concrete enforcement of the draft AIA. We will now describe our proposal for its
duties while still referring to it as the AI Institute, although we expressly do not endorse the
creation of a separate legal entity and rather propose to incorporate our suggestions into the
operation of the AI Ofice instead.
      </p>
      <p>
        The purpose of the AI Institute would be to introduce some democratic oversight into the
setting of the legal standards necessary that objectively measure and evaluate AI systems’
fairness and cybersecurity. Crucially, standardisation bodies would still perform their normal
functions, except under the supervision of the AI Institute, which could overwrite their choices
when deemed needed in the public interest. This difers from the currently proposed AI Ofice’s
authority in two key ways. Firstly, the AI Ofice is only able to "issue opinions, recommendations
or written contributions" on technical specifications [
        <xref ref-type="bibr" rid="ref14">14</xref>
        ] and its guidance on the matter of
robustness and AI-specific cybersecurity is still explicitly “non-binding” [
        <xref ref-type="bibr" rid="ref15">15</xref>
        ]. Secondly, its role
in defining metrics for discrimination and algorithmic fairness is still at best implicit in the
amended draft AIA. We argue that the AI Institute should be able to give binding definitions,
benchmarks and thresholds if it deems them necessary in some application or group thereof.
      </p>
      <p>Given the high social impact of such binding decisions from the AI Institute, we also advise
subjecting the latter to the review of the EU Institutions (including the European Parliament)
to ensure full democratic oversight and political accountability. Concretely, we propose that
in cases where the Institute wants to make a metric and threshold of fairness or cybersecurity
legally binding for a certain application of AI, that they submit a short proposal to the EU
Parliament for approval. This increases democratic oversight for high-stakes decisions while
producing small bureaucratic overhead.</p>
      <p>
        Furthermore, we suggest to include within the AIA a duty to commercialise only AI models
placed on the Pareto frontier. To illustrate our proposal, we trained AI models predicting job
applicants’ success by assigning a score to the photos of their faces.1 We used AI photo screening
hiring systems as an illustrative example given that (i) they qualify as high-risk AI systems
under the draft AIA (ii) their fairness and adversarial robustness has already been called into
question [
        <xref ref-type="bibr" rid="ref16">16</xref>
        ]. Importantly, although we only experiment with AI hiring systems, the arguments
generalise to other high-risk AI systems. Specifically, Figure 1 illustrates the trade-ofs that
arise on our dataset. Each point on Figure 1 corresponds to a diferent model having its own
specific trade-of between the model’s error (x-coordinate), and the model’s unfairness/ the
model’s susceptibility to adversarial examples (y-coordinate). For each model outside the curve
there is a model on the curve that performs better on one or both measures (i.e., it is either
more accurate, or fairer/adversarially robust, or both), while not underperforming on the other.
It follows that any model that is not on the curve ofers a bad trade-of to be forbidden by law.
      </p>
      <p>The technical name of the curves shown in Figure 1 is ‘Pareto curve’ or ‘Pareto frontier’.
Since the Pareto curve identifies the entire set of optimal trade-ofs existing between accuracy
and fairness or cybersecurity, we suggest embedding within the AIA an obligation for AI
developers to commercialise only AI systems that are placed on the Pareto curve given legally
pre-established protection-worthy subgroups, fairness definition(s), and selection of
cyberattacks to protect against (in cases where such measures have been defined by the AI Institute). 2</p>
      <p>Additional measures could prevent that AI developers’ competition gets toxic turning into
races-to-the-bottom. For example, when selecting a model on the Pareto frontier for a
hiring AI system, society might want to prioritise fairness over accuracy, i.e. the AI Institute
could explicitly impose thresholds of the chosen fairness metric that need to be met. When
1The source code is available under https://github.com/AlexMeinke/fairness-cybersecurity-draft-aia-experiments
2If more metrics are deemed desirable the Pareto frontier will be a surface in higher dimensions. A 3D example
can be seen under https://github.com/AlexMeinke/fairness-cybersecurity-draft-aia-experiments where we show the
trade-ofs that arise when fairness and cybersecurity are simultaneously enforced.
(a) Accuracy-vs-Fairness Trade-Ofs
(b) Accuracy-vs-Cybersecurity Trade-Ofs
thresholding or other similar techniques are not introduced by the AI Institute, the AIA should
mandate the respect of a default ‘reasonability principle’ to guide AI developers’ selection of the
model to commercialise among those on the Pareto curve. The reasonability principle, therefore,
is envisioned as a default and residual mechanism guiding AI developers’ discretion when
other techniques are not used and potentially in combination with them when the two are not
incompatible. Specifically, the principle of reasonability would require AI developers to opt for
the model on the Pareto frontier that ofers the most reasonable, proportionate, and appropriate
trade-of between accuracy, fairness, and cybersecurity considering the technological
state-ofthe-art. Such a principle, among others, will require AI developers (i) not to opt for excessively
accurate but highly unfair or cyber unsecure models; (ii) not to opt for highly inaccurate but
fairer or more cybersecure models; (iii) provide relevant evidence and explanations supporting
decisions over commercialised models among those on the Pareto frontier; (iv) provide relevant
evidence and justifications explaining why models other models on the Pareto frontier were
dismissed. The explanations requested by points (i), (ii), (iii), and (iv) should be included in the
technical documentation AI developers need to draw before placing their AI systems on the
market under Article 11(1) draft AIA. This way, the principle of reasonability will simultaneously
realise three socially desirable objectives. Firstly, it ensures that AI developers avoid extreme
and socially damaging accuracy-vs-fairness or accuracy-vs-cybersecurity trade-ofs. Secondly,
it preserves a suficient competition space among AI developers so as to guarantee that market
forces boost innovation and social welfare. Thirdly, it provides legal certainty as it ofers a legal
framework against which AI developers can ex ante inform their business decisions and judges
can ex post assess the legality of the latter.</p>
      <p>Finally, note that for general purpose foundation models, the number of measures and
benchmarks one could reasonably propose for fairness or cybersecurity is so vast that it seems
implausible that the Pareto-frontiers could be observed in practice. However, as soon as the
general purpose model is embedded into a specific high-risk application, it can be evaluated
according to task-specific measures and trade-ofs apply and thus our proposed Pareto-duty
can be implemented.</p>
    </sec>
  </body>
  <back>
    <ref-list>
      <ref id="ref1">
        <mixed-citation>
          [1]
          <string-name>
            <given-names>S.</given-names>
            <surname>Verma</surname>
          </string-name>
          ,
          <string-name>
            <given-names>J.</given-names>
            <surname>Rubin</surname>
          </string-name>
          ,
          <article-title>Fairness definitions explained</article-title>
          ,
          <source>in: 2018 ieee/acm international workshop on software fairness (fairware)</source>
          , IEEE,
          <year>2018</year>
          , pp.
          <fpage>1</fpage>
          -
          <lpage>7</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref2">
        <mixed-citation>
          [2]
          <string-name>
            <given-names>M.</given-names>
            <surname>Hardt</surname>
          </string-name>
          ,
          <string-name>
            <given-names>E.</given-names>
            <surname>Price</surname>
          </string-name>
          ,
          <string-name>
            <given-names>N.</given-names>
            <surname>Srebro</surname>
          </string-name>
          ,
          <article-title>Equality of opportunity in supervised learning</article-title>
          ,
          <source>Advances in neural information processing systems</source>
          <volume>29</volume>
          (
          <year>2016</year>
          ).
        </mixed-citation>
      </ref>
      <ref id="ref3">
        <mixed-citation>
          [3]
          <string-name>
            <given-names>C.</given-names>
            <surname>Dwork</surname>
          </string-name>
          ,
          <string-name>
            <given-names>M.</given-names>
            <surname>Hardt</surname>
          </string-name>
          ,
          <string-name>
            <given-names>T.</given-names>
            <surname>Pitassi</surname>
          </string-name>
          ,
          <string-name>
            <given-names>O.</given-names>
            <surname>Reingold</surname>
          </string-name>
          ,
          <string-name>
            <given-names>R.</given-names>
            <surname>Zemel</surname>
          </string-name>
          ,
          <article-title>Fairness through awareness</article-title>
          ,
          <source>in: Proceedings of the 3rd innovations in theoretical computer science conference</source>
          ,
          <year>2012</year>
          , pp.
          <fpage>214</fpage>
          -
          <lpage>226</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref4">
        <mixed-citation>
          [4]
          <string-name>
            <given-names>M. J.</given-names>
            <surname>Kusner</surname>
          </string-name>
          ,
          <string-name>
            <given-names>J.</given-names>
            <surname>Loftus</surname>
          </string-name>
          ,
          <string-name>
            <given-names>C.</given-names>
            <surname>Russell</surname>
          </string-name>
          ,
          <string-name>
            <given-names>R.</given-names>
            <surname>Silva</surname>
          </string-name>
          , Counterfactual fairness,
          <source>Advances in neural information processing systems</source>
          <volume>30</volume>
          (
          <year>2017</year>
          ).
        </mixed-citation>
      </ref>
      <ref id="ref5">
        <mixed-citation>
          [5]
          <string-name>
            <given-names>S.</given-names>
            <surname>Corbett-Davies</surname>
          </string-name>
          ,
          <string-name>
            <given-names>E.</given-names>
            <surname>Pierson</surname>
          </string-name>
          ,
          <string-name>
            <given-names>A.</given-names>
            <surname>Feller</surname>
          </string-name>
          ,
          <string-name>
            <given-names>S.</given-names>
            <surname>Goel</surname>
          </string-name>
          ,
          <string-name>
            <given-names>A.</given-names>
            <surname>Huq</surname>
          </string-name>
          ,
          <article-title>Algorithmic decision making and the cost of fairness</article-title>
          ,
          <source>in: Proceedings of the 23rd acm sigkdd international conference on knowledge discovery and data mining</source>
          ,
          <year>2017</year>
          , pp.
          <fpage>797</fpage>
          -
          <lpage>806</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref6">
        <mixed-citation>
          [6]
          <string-name>
            <given-names>I. J.</given-names>
            <surname>Goodfellow</surname>
          </string-name>
          ,
          <string-name>
            <given-names>J.</given-names>
            <surname>Shlens</surname>
          </string-name>
          ,
          <string-name>
            <given-names>C.</given-names>
            <surname>Szegedy</surname>
          </string-name>
          ,
          <article-title>Explaining and harnessing adversarial examples</article-title>
          ,
          <source>arXiv preprint arXiv:1412.6572</source>
          (
          <year>2014</year>
          ).
        </mixed-citation>
      </ref>
      <ref id="ref7">
        <mixed-citation>
          [7]
          <string-name>
            <given-names>M.</given-names>
            <surname>Goldblum</surname>
          </string-name>
          ,
          <string-name>
            <given-names>D.</given-names>
            <surname>Tsipras</surname>
          </string-name>
          ,
          <string-name>
            <given-names>C.</given-names>
            <surname>Xie</surname>
          </string-name>
          ,
          <string-name>
            <given-names>X.</given-names>
            <surname>Chen</surname>
          </string-name>
          ,
          <string-name>
            <given-names>A.</given-names>
            <surname>Schwarzschild</surname>
          </string-name>
          ,
          <string-name>
            <given-names>D.</given-names>
            <surname>Song</surname>
          </string-name>
          ,
          <string-name>
            <given-names>A.</given-names>
            <surname>Madry</surname>
          </string-name>
          ,
          <string-name>
            <given-names>B.</given-names>
            <surname>Li</surname>
          </string-name>
          ,
          <string-name>
            <given-names>T.</given-names>
            <surname>Goldstein</surname>
          </string-name>
          ,
          <article-title>Dataset security for machine learning: Data poisoning, backdoor attacks, and defenses</article-title>
          ,
          <source>IEEE Transactions on Pattern Analysis and Machine Intelligence</source>
          (
          <year>2022</year>
          ).
        </mixed-citation>
      </ref>
      <ref id="ref8">
        <mixed-citation>
          [8]
          <string-name>
            <given-names>R.</given-names>
            <surname>Shokri</surname>
          </string-name>
          ,
          <string-name>
            <given-names>M.</given-names>
            <surname>Stronati</surname>
          </string-name>
          ,
          <string-name>
            <given-names>C.</given-names>
            <surname>Song</surname>
          </string-name>
          ,
          <string-name>
            <given-names>V.</given-names>
            <surname>Shmatikov</surname>
          </string-name>
          ,
          <article-title>Membership inference attacks against machine learning models</article-title>
          ,
          <source>in: 2017 IEEE symposium on security and privacy (SP)</source>
          , IEEE,
          <year>2017</year>
          , pp.
          <fpage>3</fpage>
          -
          <lpage>18</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref9">
        <mixed-citation>
          [9]
          <string-name>
            <given-names>T.</given-names>
            <surname>Orekondy</surname>
          </string-name>
          ,
          <string-name>
            <given-names>B.</given-names>
            <surname>Schiele</surname>
          </string-name>
          ,
          <string-name>
            <given-names>M.</given-names>
            <surname>Fritz</surname>
          </string-name>
          ,
          <article-title>Knockof nets: Stealing functionality of black-box models</article-title>
          ,
          <source>in: Proceedings of the IEEE/CVF conference on computer vision and pattern recognition</source>
          ,
          <year>2019</year>
          , pp.
          <fpage>4954</fpage>
          -
          <lpage>4963</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref10">
        <mixed-citation>
          [10]
          <string-name>
            <given-names>D.</given-names>
            <surname>Tsipras</surname>
          </string-name>
          ,
          <string-name>
            <given-names>S.</given-names>
            <surname>Santurkar</surname>
          </string-name>
          ,
          <string-name>
            <given-names>L.</given-names>
            <surname>Engstrom</surname>
          </string-name>
          ,
          <string-name>
            <given-names>A.</given-names>
            <surname>Turner</surname>
          </string-name>
          ,
          <string-name>
            <given-names>A.</given-names>
            <surname>Madry</surname>
          </string-name>
          , Robustness may be at odds with accuracy, arXiv preprint arXiv:
          <year>1805</year>
          .
          <volume>12152</volume>
          (
          <year>2018</year>
          ).
        </mixed-citation>
      </ref>
      <ref id="ref11">
        <mixed-citation>
          [11]
          <string-name>
            <given-names>S.</given-names>
            <surname>Asoodeh</surname>
          </string-name>
          ,
          <string-name>
            <given-names>F.</given-names>
            <surname>Alajaji</surname>
          </string-name>
          , T. Linder, Notes on information
          <article-title>-theoretic privacy</article-title>
          ,
          <source>in: 2014 52nd Annual Allerton Conference on Communication, Control</source>
          , and
          <string-name>
            <surname>Computing</surname>
          </string-name>
          (Allerton), IEEE,
          <year>2014</year>
          , pp.
          <fpage>1272</fpage>
          -
          <lpage>1278</lpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref12">
        <mixed-citation>
          [12]
          <string-name>
            <surname>European</surname>
            <given-names>Commission</given-names>
          </string-name>
          ,
          <source>Draft EU AI Act</source>
          ,
          <year>2021</year>
          .
          <source>Article</source>
          <volume>10</volume>
          (
          <issue>2</issue>
          ).
        </mixed-citation>
      </ref>
      <ref id="ref13">
        <mixed-citation>
          [13]
          <string-name>
            <surname>European</surname>
            <given-names>Commission</given-names>
          </string-name>
          ,
          <source>Draft EU AI Act</source>
          ,
          <year>2021</year>
          .
          <source>Article</source>
          <volume>15</volume>
          (
          <issue>3</issue>
          ).
        </mixed-citation>
      </ref>
      <ref id="ref14">
        <mixed-citation>
          [14]
          <string-name>
            <surname>European</surname>
            <given-names>Commission</given-names>
          </string-name>
          , Draft Compromise Amendments to the
          <source>Draft EU AI Act</source>
          ,
          <year>2023</year>
          . Article 56-58.
        </mixed-citation>
      </ref>
      <ref id="ref15">
        <mixed-citation>
          [15]
          <string-name>
            <surname>European</surname>
            <given-names>Commission</given-names>
          </string-name>
          , Draft Compromise Amendments to the
          <source>Draft EU AI Act</source>
          ,
          <year>2023</year>
          . Article 15.
        </mixed-citation>
      </ref>
      <ref id="ref16">
        <mixed-citation>
          [16]
          <string-name>
            <given-names>E.</given-names>
            <surname>Harlan</surname>
          </string-name>
          ,
          <string-name>
            <given-names>O.</given-names>
            <surname>Schnuck</surname>
          </string-name>
          ,
          <article-title>Objective or biased: On the questionable use of artificial in-</article-title>
        </mixed-citation>
      </ref>
    </ref-list>
  </back>
</article>