Speaker 0
0:10 – 0:15
Welcome to Tech Talk. Bye. CT. Great. You're all good.
Speaker 2
0:15 – 2:09
Welcome to CDT's Tech Talk, where we dish on tech and Internet policy, while also explaining what these policies mean to our daily lives. I'm Brian Wasilowski, and it's time to talk tech. Startups and policy don't always mix, but CDT is trying to help startups and entrepreneurs think through the tech policies that might impact their bottom line. Today, we'll talk about a new suite of resources that CDT has created to help decode policy for startups. We'll also have an update from the Internet governance front, where the transition of the IANA contract is moving forward, and the transfer of the contract to the global community now appears to be on track. CDT was front and center at the meetings in Marrakesh to help make this possible. Our very own Matthew Shearer has described the road to Marrakesh as bumpy, thrilling, and frustrating, but ultimately satisfying. No. This was not an epic holiday Matthew was talking about, but rather the journey to the 55th ICANN meeting, which took place in Morocco. At that meeting, the cross community working group on enhancing ICANN accountability, that's a long name, reached a consensus on the accountability enhancements necessary to move forward with the transfer of the IANA contract to ICANN from the US government. Matthew, who travels all over the world, is in town for CDT's annual dinner, Tech Prom. Hope to see you all there or to have seen you there, depending on when we push this one live. And we're lucky to snag him for a few minutes beforehand for insight from that ICANN meeting. Welcome, Matthew. Thank you, Brian. So first, congratulations. I know that you were personally very involved in this and played a leading role in it, especially on the accountability enhancements. So based on the meetings that happened in Morocco, do you think the IANA transition will happen on schedule in September? Semi on schedule. Right? It was already delayed
Speaker 0
2:09 – 3:00
once. That's right. Yes. It's a it's a pleasure to be here. Yeah. The the transition will happen in September. And as you say, it has been postponed once. We are at the moment looking at new changes that are being made to the ICANN bylaws, which is probably the biggest piece of work we have at the moment. As we said at the recent hearing, we're pretty confident that we can make the target date in September. We have to be vigilant, though. There's absolutely no doubt that that there can be changes that can be inserted into the bylaws that we're gonna be looking for. There could be interpretations or implementation issues that we need to review. But, basically, by the April, we should have done the necessary to provide ICANN with a new set of bylaws that encompass and incorporate all the different changes that we've been asking for. That's exciting. So tell us a bit about that. Why is accountability
Speaker 2
3:01 – 3:13
so important here? And then what are the specific enhancements that you've been working so hard to get? So the real way that you have to look at these these accountability enhancements are the what we're doing basically is replacing NTIA's stewardship of the domain name system with the
Speaker 0
3:25 – 3:55
looking at the budget and looking at strategic plan and, effectively being able to to veto them all the way to being able to recall the board are powers that provide the community with the stewardship, this ability to actually say to ICANN, okay. You're doing a great job in the IANA functions post transition, but you need to make these corrections. And if ICANN doesn't make those corrections, then we have these powers that allow us to take further measures if necessary. So it's effectively replacing US Government stewardship with the community stewardship.
Speaker 2
3:55 – 4:04
That's impressive. So it sounds like the community has a a lot of power in this new agreement. Is that true or, you know, not the case?
Speaker 0
4:04 – 4:25
It does have a lot of power. I think what the the realization is though is that, you know, we don't wanna be in a situation where we're recalling the entire ICANN board. If it gets that bad, then clearly we should have taken measures before then. So it's it there's a whole escalation process from, trying to resolve issues all the way through to what people are calling the nuclear option, which is recalling the board.
Speaker 2
4:26 – 4:37
That would be a nuclear option. So what made it so challenging to get to this stage? I mean, I I loved reading your blog post where you really kind of, like, put a lot of colorful language in there and made it sound like, you know, quite a bumpy
Speaker 0
4:39 – 5:26
what was it that was so challenging about this agreement? Well, the thing that was so challenging was also the thing that made it so fascinating is that we have probably, for the first time in a multi-stakeholder context, actually had governments, civil society, business, academia, the technical community, all there with the same kind of rights, the same kind of openness, the same kind of transparency, which when it comes to negotiating governance or policy is really tricky, of course, because everybody has a different perspective. So at the end of the day, it became a product of consensus, but it was a hard fought consensus. And so I think that in that sense, that was a challenge, but the challenge is also an expression of what we were trying to do. That's great. So you mentioned that you touched on this a bit with the bylaws and what you're working on, with your target to finish that up by the April.
Speaker 2
5:26 – 5:39
So with the proposal going to the NTIA, what are the next steps beyond the bylaws, for you and for the broader Internet community? Are there any other major obstacles that could jump up in this process?
Speaker 0
5:40 – 6:30
The, the so the so the proposal will go through this interagency process, and that'll be reviewed by Congress. And hopefully, that will occur before Congress goes into recess in in July. So this is a pretty tight time frame, when we've got so as I said, we've got this month for the bylaws. There's a number of other measures that have to be addressed and and implemented before NTIA can give its sign off on this. And then there's a whole set of other issues which haven't been addressed, have been left to what we're calling post transition, so after September, including things like jurisdiction, human rights, transparency, just because we handed it over in Marrakesh doesn't mean that we're not working. In fact, it's, just as challenging from a a time timing perspective, and work will continue well into,
Speaker 2
6:30 – 6:39
the latter part of of the year. Yeah. It does not sound like you're stopping work at all. It sounds like exactly the opposite. So even though you said it was a bumpy journey, is it totally worth it?
Speaker 0
6:39 – 6:55
Absolutely. I think, assuming everything goes according to plan, this will probably be the best expression of a multi-stakeholder process in action. And it's one that actually has had an impact. So it's changing policy. It's changing the governance of an organization.
Speaker 2
6:55 – 8:14
It's quite an amazing achievement, and that's something we should be celebrating. That is incredible. Thank you so much, Matthew, for all your work on this, and thank you for joining Tech Talk. Bye. Thanks. If you're working for a startup or a busy entrepreneur, there's a good chance the last thing you want to be thinking about is laws and policies. But with the amount of data and personal information that so many startups work within today's digital marketplace, it is very likely that there are some laws on the books that could affect your business. To help decode some of the tech policies, many of which relate to the usage of data and the privacy of individuals, CDT launched a suite of resources for startups and entrepreneurs. The head of our San Francisco office, Gautam Hans, led the creation of these resources, and Ali Lang supported that work and has been socializing them like crazy. They both joined us today on Tech Talk. Welcome, Gautam and Ali. Hi. Hello. It's so good to have you both here, especially you, Gautam. Even though I love you too, Ali, but I just don't see Gautam as much. Uh-huh. I like this. He loves all his children. That's right. That's right. Silicon Valley, certainly a place that is the center of the startup world. Although, I guess, there would be people challenging to say there's other, you know, centers. Do you think startups are really thinking about policy?
Speaker 3
8:15 – 9:00
I think that they are now more than they have been before, and not just because of the resources and the topics that we discuss with a range of startup communities, but much more so than even five or ten years ago. These issues around privacy, security, speech, IP, that's intellectual property, are more in the news. And so consumers are more interested in them, and I think that trickles to the startups as well. If you're interested in having a wide audience through an app or a site or, you know, a wearable device, you got to know that your consumer base is gonna be really engaged on these policy issues, and that means for good business practices, you too have to be engaged on them.
Speaker 1
9:03 – 9:27
Yeah. I think that that sounds right. I think, particularly as start ups are watching companies like Uber and Airbnb face regulatory challenges, I'm sure they're thinking about how to design their their business model and their products early on to address that kind of concern. So I think it's becoming, as Gautam said, more of a topic of of concern and of interest, but I don't know if it's, where their their sort of true passion lies.
Speaker 2
9:28 – 9:41
That makes sense. So what are the questions that startups should be asking themselves at early stages, particularly around things like the data they collect and, you know, the intellectual property that they have that they wanna protect?
Speaker 3
9:43 – 10:58
I think there are market forces that really push not just start ups, but all companies to collect all the data and protect all the IP that you conceivably can even if there isn't a clear business interest in doing so. So we at CDT, I think, are trying to encourage companies of all sizes to be very thoughtful about how they think about data collection and what they're using it for, how they think about copyright, patent, trademark. And what that means is that being, a little deliberative beforehand, I think, makes your business much more sustainable and I think communicates a good message to your user base that rather than just sort of follow follow the default impulse or motivation of a business to just collect and protect, you really have given some careful thought to what you're trying to do with your product, how you wanna interact with your customer base, and how you wanna, exist in the business ecosystem. And I think, it that level of preparation beforehand is likely to pay very good dividends in the long run.
Speaker 1
10:59 – 11:58
Yeah. I think I think that's exactly right. And and what a lot of the answer to those answers to those questions will be based on is, you know, what are your values as a business? And some of the some of the differences between Silicon Valley, you know, proper, I guess, and DC in terms of the startup community is a lot of the startups here are focused on doing things for social causes. Right? They're they're meant to intervene, not necessarily their their driving purpose isn't necessarily business as much as it is, you know, to to make the world better. And so if your startup is sort of thinking about that, like, how do you create a a difference in the world, you you also need to consider what your values are and ask yourself, you know, not only what's the purpose of my my business or, you know, and for what purpose am I using this data, but what am I trying to cause in the like, do in the world, and how do I have a net positive value, and what kind of information do I need to have for that, rather than starting, as Gautam said, from collect all the data and then figure it out later. So just kind of reversing the two positions.
Speaker 3
11:59 – 12:28
The only thing I'll add to that is, as I said, we really encourage all companies to think about these issues, but realize that startups don't usually have, you know, big policy teams or, you know, it may not be the first thing that comes to their mind, which is part of the reason we developed these resources, that we understand that, you know, not every company has, the people power to really ensure that there's a team dedicated to thinking about these issues, holistically and preemptively. And so we definitely wanna help,
Speaker 2
12:29 – 13:16
sort of popularize our own policy goals and and sort of explain why we think that they're the right ones for both consumers and for businesses. So let's talk a little bit about those resources. Get a little bit, I guess, wonky here even though we try to avoid getting too wonky on this this show. Ali touched on this a little bit already, especially in DC, you know, 1776, a lot of people know that name. They focus on some sector specific issues like education and health care. Are there sectors, since there's no baseline privacy legislation in the US, are there sectors, some sectors that are more challenging or even some that have clear laws around, like, how you use data or privacy rights than others? And are are some of these, like, barriers to entry in the field because they're they're either overregulated or under regulated?
Speaker 3
13:17 – 14:56
So for HIPAA, we have to it it applies to certain entities, and, I think your legal team for a startup is probably best suited to figure out what the HIPAA implications are for a specific startup. But it is an important law to know about and, has a a lot of detail about data practices. COPPA is a law of that is generally applicable to data collection, and it too has restrictions on the collection of data. And it defines, 13 year olds in one way and and children who are older in a different way. And so those laws, I think, are, I think, pretty well known in terms of their existence even for startups, but that doesn't necessarily mean that you have you still have to figure out how to comply with them. And so what we're trying to do is less help people with compliance because CDT doesn't do direct representation, but we do try to flag what the laws are and what they were designed to do in general. As to whether there are barriers to entry, I think there certainly has been some discussion about COPPA as sort of maybe potentially discouraging the growth of an industry for children in terms of apps and, you know, Internet services that we've seen as being very robust in other contexts. I also think, though, that companies that are working in spaces that are highly regulated realize that while there may be a lot of requirements that they need to comply with preemptively, they may actually end up, in a particularly competitive place because other companies may be less inclined to put that preemptive investment.
Speaker 2
14:57 – 15:15
Wow. You did a great job of answering all my billion questions. Well done. So let's go a little bit broader. If you are a start up and you have, you know, a lot of customer data or even just a little bit, is there one or two policies that are likely to be super, super relevant to you or that you should really pay attention to?
Speaker 3
15:15 – 17:08
I think one of the things that we often highlight at CDT and maybe have you and talked about in this podcast, although I don't think it was me, is the FIPS, the fair information practice principles, which is a sort of data management regime that is pretty broad and, at a high level, but talks about different principles, that companies that handle data should keep in mind. And, actually, not just companies, but all entities, government agencies, and and the like. So of those FIPS principles that I think are perhaps most, mindful or important for startups to keep in mind, I would highlight certainly the collection issues. As I mentioned before, limiting what kind of data that you collect is important, not just because of the privacy issues, but because consumers, I think, are much more aware today of how data collection can really happen on a pervasive constant basis and therefore don't like the idea of a company collecting all their data without a lot of clarity as to why they're doing it. The other issue that startups really, I think, need to be mindful of is security issue. The big firms that we know of and interact with on a daily basis or frequent basis is, have robust security teams, to really protect their data. I think, as we all maybe saw on the John Oliver, Apple commercial, big companies have to really spend a lot of time thinking about data security. But small companies, you know, they don't have those teams most likely. And so security is something you have to be very careful about because we've seen a lot of articles about data breaches. There's a lot of concern about the consequences of those breaches. And I think for a start up, a data breach can really be devastating potentially and that company because not only do you have to worry about the compliance requirements, but the PR hit for a start up that would have a security issue could be major. And users wanna be confident that the data that they provide to a company is being protected robustly.
Speaker 1
17:11 – 19:00
No. I think that's incredibly comprehensive, and I and I think the FIPS are, a really helpful framework in a lot of ways. I I think it doesn't always need to be quite so complicated. I think that it can be overwhelming, as Gautam has said, for people who who are, under resourced and and facing, you know, really a huge array of challenges in in launching a business. And and, one thing that I I recommend people just think about is is the premise of the FIPS is fairness, and fairness is something that's really easy to understand. I really recommend watching this online video of the two monkeys who, are trading. They're they're in a research experiment, and they give the researcher a rock. In exchange, they get a treat. And one monkey gets a cucumber, and and they're happy. And the second monkey gets a grape. And the first monkey sees this, and and the researcher is, explains at this point that the preference between cucumbers and grapes for monkeys is roughly the same as as among humans, which is to say that grapes are better. So the second monkey sees that now we're getting grapes for handing over rocks and and gives over a rock and gets back a cucumber, and the monkey loses it, like just flips out. I mean, the fairness, you know, the feeling of of unfairness is really, really deeply ingrained in people. And so if you think about, you know, how you when you're when you're trying to ask yourself what is a fair data practice, looking at the FIPS is an incredibly helpful way to sort of think about how you need to structure your data principles and your privacies. But I think there's also a piece of it that's just thinking about how do you expect to be treated in the world, and you certainly don't wanna end up in make people feel like they've been treated unfairly because they will really respond very strongly and and, you know, from their gut. And and as Gautam pointed out, that kind of PR nightmare can really sink an emerging company.
Speaker 2
19:00 – 19:31
That's some good advice. Do you like tzatziki, though? I mean, that's probably the best way to do cucumbers, I think. I don't know if monkeys eat tzatziki. Well, that's true. Maybe. That says can we explore that topic in another Absolutely. I like yogurt, so there's that. So you kinda both touched on this a little bit. Do you think that privacy protections or good data practices are starting to be viewed as potential business differentiators? Or put a different way, do you think that a company or startup that has really thought through this early on might be better able to attract events investors or funds?
Speaker 3
19:32 – 20:59
I I think it's becoming more of an issue, of interest both to customers but also to investors. So when we think about a start up, you know, a start up eventually has you know, there's a few ways that it can evolve or, you know, that there's a sort of medium or long term goal. Acquisition, IPO, which is initial public offering of the stock, or, you know, just really good growth and then eventually an IPO. But there aren't a lot of what we call exits that are really out there. There's only a few paths that a start up can take. So in terms of both IPOs and acquisitions, those end up leading to a lot of review either by a regulator or by the potential acquirer. So what that means is that, especially when in the context of acquiring, what you your business practices are essentially monetized. And what that also means is that if you have a business practice that isn't great on privacy or security, that could be seen as a liability and a liability that will, be not, attractive to either an acquiring company or to the investors that you wanna see through an IPO. All that to say that I do think it is becoming an effective business practice and perhaps even a best practice and something that compliance with strong data practices is seen as, hopefully necessary for, a successful IPO or acquisition or another kind of exit.
Speaker 1
21:01 – 21:47
Yes. And that's indisputably good advice. I the other thing you wanna consider is that with the huge amount of data that major companies have and the historic value of of the data, I mean, just going years and years back, it it's tough to come up with a business model that lets you, going forward, compete by collecting data. Right? And so another thing you wanna think about is not only what what are people looking for, but also how do you differentiate yourself in a market where a lot of times your competitors or people that are also in the market are gonna have access to just an incredible amount of data that you really will never amass yourself. And so it's it's it's trying to figure out too not only what are people looking for, but but what role do you wanna try and play in the ecosystem, and and what kind of information do you need about the world and about people in order to fulfill that role?
Speaker 2
21:48 – 21:57
That's some great advice, Ali. So before we wrap up, just one more question for you, Gautam. You've been out in the valley for a little over a year now. Have you caught the startup bug? Do you have a business
Speaker 3
21:57 – 22:08
idea? I have a business idea that I don't really wanna do but everyone else does, which is that I make a lot of ice cream, and then I started the blog. And then everyone keeps asking me when I'm gonna quit and start an ice cream truck.
Speaker 2
22:09 – 22:46
And while that's very appealing, I think I need an investor first. That's a good thing. I've I've had your ice cream. I can attest that it is wonderful, and it is some of the most creative flavors that I've ever had. Which everyone can see at habeas custard or habeascustard.com. I think that counts as a shameless plug. There we go. Always a joy to have you here, Gautam, and always a joy to have Ali with us. Anyone who is, working at a start up or thinking about a new business idea should visit cdt.org. Go to the campaigns tab to see all the useful resources that Gautam and Ali have created on tech policy for them. Thanks so much, Gautam and Ali. Thanks, Brian. Thanks, Brian.
Speaker 0
22:51 – 22:52
Two,
Speaker 2
22:52 – 23:17
three. That's it for this episode of Tech Talk. Be sure to check out our resources for startups at cdt.org. You'll also find a lot more information on our work in the Internet governance world as well. I find myself referring to our website for those resources on a real regular basis. As always, tweet us any questions you have or topics you'd like us to cover to @CenDemTech. I'm Brian Wasilowski, and thanks for listening.