Amazon Web Services (AWS) are investing heavily in their Artificial Intelligence offerings.
At Enabl AI, we are huge fans of AWS generally, and particularly the AI capabilities they have brought to market. They, along with other cloud providers – notably Microsoft and Google – are truly democratising what is possible for businesses of all sizes to achieve by providing low-cost, powerful AI capabilities for all.
It recently came to light that their default policies state that they can use the content processed by their services to train and develop their AI services and technologies. This means any images, text, audio etc. uploaded to their systems, possibly including your customers’ personal data, can be used by AWS for their own purposes. This also includes AWS potentially transferring your content to other regions to do this.
The sort of generalised Artificial Intelligence that AWS is providing typically requires large data sets to train the learning algorithms, so we can understand why AWS would want to do this, but for our own purposes, this isn’t something that is desirable for ourselves or a number of our clients – and since the ruling on 16th July 2020 by the European Court of Justice that effectively invalidated the EU-U.S. Privacy Shield, this transfer of data might in some cases lead to a GDPR breach.
There has been plenty written on the ethics and the rights and wrongs of AWS’s position on this, which are interesting articles to read, but ultimately, we’re more interested in how to harness the best technologies available on the market and it’s difficult to deny that AWS is one of those technologies. Therefore, our focus quickly shifted to how to disable this option in AWS and ensure that we can provide the level of privacy and data sovereignty that our customers expect.
Which products are affected?
AWS’s policy applies to pretty much all their AI services (CodeGuru Profiler, Comprehend, Lex, Polly, Rekognition, Textract, Transcribe, and Translate at the time of writing).
Opting out
It used to be that the only way to opt out was to raise a Support Request with AWS Support, but since July 9th 2020, it’s now much easier to opt-out without having to contact AWS Support. What’s more, AWS also updated their policies to state that opting out applies globally to all regions, and any historical content that may have previously been stored by AWS to improve their AI services and technologies will be deleted.
The process to opt-out
AWS has a guide that walks you through the process of opting out of their AI services using your content.
We did this recently to ensure all of our accounts were opted-out, and the process goes like this:
Step 1: Enable AI services opt-out policies
- If you have more than one AWS Account, decide which one is your master account. You don’t need to do this and can perform the opt-out for each account in turn, but we found that doing this once on a master account and inheriting the settings to our other AWS accounts made life a lot easier.
- Log in to your master AWS Account as an IAM user (not the root user as per AWS’s best practice guidance)
- Visit the ‘Organizations console’ at https://console.aws.amazon.com/organizations/
- Choose the ‘Root’ option in the ‘Organize accounts’ tab
- In the details pane on the right-hand side, under the ‘ENABLE/DISABLE POLICY TYPES’ tab, choose to ‘Enable’ the ‘AI services opt-out policies’
Step 2: Create the AI opt-out policy
- Go to the ‘Policies’ tab and select ‘AI services opt-out policies’
- Choose ‘Create policy’
- Define the policy name, description and policy JSON. Getting the JSON right is a bit tricky, but to opt out of all Amazon AI services (both current and future) and not permit any accounts other than the master account to change these settings, we used this:
{
  "services": {
    "@@operators_allowed_for_child_policies": [
      "@@none"
    ],
    "default": {
      "@@operators_allowed_for_child_policies": [
        "@@none"
      ],
      "opt_out_policy": {
        "@@operators_allowed_for_child_policies": [
          "@@none"
        ],
        "@@assign": "optOut"
      }
    }
  }
}
- We set Policy Name to ‘AIServicesOptOut’ and the Description to ‘Opts out of content processed by AI services in our accounts being stored and used for the development and continuous improvement of Amazon AI services and technologies’ and clicked ‘Create Policy’
Step 3: Attach this policy to the root of your master AWS Account
- Back in the ‘Organize accounts’ tab, choose the ‘Root’ option
- In the details pane on the right-hand side, under the ‘POLICIES’ tab, choose ‘AI services opt-out policies’
- You should now see ‘AIServicesOptOut’ (or whatever you called the opt-out policy) in this list, and click ‘Attach’ to attach it to the root of your AWS Account
Step 4: (Optional) Add other AWS Accounts to your AWS master account
If, like us, you have more than one AWS Account, you will probably want to add them all to your master AWS Account through AWS Organizations to ensure that the opt-out policy is applied across all of your accounts consistently.
To do this is pretty straightforward:
- In AWS Organizations, go to the ‘Invitations’ tab
- Invite your other organisations by either entering the 12-digit organisation id or the email address of the root user for each of them
- As the owner of the account that is being invited, accept the invitation and confirm that you want to join the parent AWS Organization
Step 5: Check the opt-out policy applied to each of your accounts
For each account, you can now check that the policy is applied as you would expect:
- In the ‘Organize accounts’ tab, choose an AWS account that you want to check
- In the details pane on the right, expand the ‘AI services opt-out policies’ section.
- Choose ‘View effective policy’ option
- If everything is working OK, you should see the following, which means the account is opted out of AWS using your, and your customers’, content to train their AI services (including any new AI services they may add in the future):
{
  "services": {
    "default": {
      "opt_out_policy": "optOut"
    }
  }
}
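The checks in Step 2 (every level locked against child policies) and Step 5 (effective policy is `optOut`) can be automated once you have many accounts. The following is an added example, not part of the original post or AWS's guide; the function names are hypothetical, and the `UNLOCKED` and `EFFECTIVE_DRIFT` samples are constructed to show the failure cases.

```python
import json

LOCK = "@@operators_allowed_for_child_policies"

# Policy content from Step 2 of this page.
AUTHORED = json.loads("""{"services": {"@@operators_allowed_for_child_policies": ["@@none"],
  "default": {"@@operators_allowed_for_child_policies": ["@@none"],
    "opt_out_policy": {"@@operators_allowed_for_child_policies": ["@@none"],
      "@@assign": "optOut"}}}}""")
# Constructed: same opt-out, but without the locks against child policies.
UNLOCKED = {"services": {"default": {"opt_out_policy": {"@@assign": "optOut"}}}}
# Effective policy from Step 5 of this page.
EFFECTIVE_OK = {"services": {"default": {"opt_out_policy": "optOut"}}}
# Constructed: one service opted back in by a policy lower in the organisation.
EFFECTIVE_DRIFT = {"services": {"default": {"opt_out_policy": "optOut"},
                                "rekognition": {"opt_out_policy": "optIn"}}}


def unlocked_paths(node, path="services"):
    """Paths of objects in an authored policy that lack the '@@none' lock,
    i.e. places where a child policy could still change the setting."""
    found = [] if node.get(LOCK) == ["@@none"] else [path]
    for key, child in node.items():
        if isinstance(child, dict):
            found += unlocked_paths(child, f"{path}.{key}")
    return found


def not_opted_out(effective):
    """Service keys in an effective policy whose setting is not 'optOut'.
    A missing 'default' is reported too, since future services inherit it."""
    services = effective.get("services", {})
    bad = [name for name in sorted(services)
           if services[name].get("opt_out_policy") != "optOut"]
    if "default" not in services:
        bad.insert(0, "default (missing)")
    return bad


if __name__ == "__main__":
    # In practice the effective policy is the PolicyContent returned by:
    #   aws organizations describe-effective-policy \
    #       --policy-type AISERVICES_OPT_OUT_POLICY --target-id <account-id>
    print("authored, unlocked levels:", unlocked_paths(AUTHORED["services"]))
    print("constructed, unlocked levels:", unlocked_paths(UNLOCKED["services"]))
    print("effective OK:", not_opted_out(EFFECTIVE_OK))
    print("effective drift:", not_opted_out(EFFECTIVE_DRIFT))
```

An empty list from both functions means the account matches what Steps 2 and 5 describe; anything else names the level or service to investigate.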