56 The Right To Be Forgotten
Civic Tech Chat | 2021-04-01 | 33:17
[Gabe Gumbs](https://twitter.com/GabrielGumbs), CIO of [Spirion](https://www.spirion.com/) and host of the [Privacy Please Podcast](https://podcasts.apple.com/us/podcast/privacy-please/id1501600433), joins us to talk about data privacy. We'll cover some policy, compliance, and talk a bit about the right to be forgotten.

### Resources and Shoutouts:
- [Right to be forgotten](https://gdpr.eu/right-to-be-forgotten/)
- [Privacy Please Podcast](https://podcasts.apple.com/us/podcast/privacy-please/id1501600433)

##### Music Credit: [Tumbleweeds by Monkey Warhol](http://freemusicarchive.org/music/Monkey_Warhol/Lonely_Hearts_Challenge/Monkey_Warhol_-_Tumbleweeds)
Transcript
Speaker 0
0:00 – 0:21
Hello. I'm Ryan Cook, and this is Civic Tech Chat, a podcast about the civic technology movement. We seek to harness the power technology has to improve the delivery of public services to people everywhere. Gabe, thank you so much for joining us here on Civic Tech Chat. Can you introduce yourself and tell us a bit about what you do?
Speaker 1
0:21 – 1:39
Absolutely. Pleasure. Thank you for having me on the show. I am Gabe Gumbs. I am the chief innovation officer at a data security organization named Spirion. We're headquartered down in the southeast of the United States. We've been in business for some sixteen, seventeen years or so. I myself, I've been in data security for the better part of just coming up on twenty years, a whopping two decades of slogging through the challenges of security in the world. Got my start as many of us did back then in the networking side of the world and kinda quickly transitioned into security a few years thereafter. Security had always been in and around a lot of what I've been doing kind of on the outskirts of my professional life. So there were a lot of community driven security groups at the time. That's probably the fanciest way you'll ever hear anyone talk about the alt 2600 clubs and similar things. And I spent most of my career as a practitioner, architect, engineer, before transitioning into building security products. And so now I spend the majority of my time helping solve problems for organizations big and small by bringing technologies to market that help make their lives easier and safer.
Speaker 0
1:40 – 1:47
What would you say is your personal why? That thing that drives you to get out of bed each morning and do what you do?
Speaker 1
1:49 – 2:37
The alarm clock. No. The worst answer Simon Sinek would ever, ever, ever hope for. You know, my personal why is tied to my passion for helping and sharing. I really, really, really feel it a kind of a personal mission to share the things I've learned and the things that have been taught to me with others. I certainly did not get here by myself, and so there's a strong driving force inside of me that appreciates giving back. And that means giving back to the security community. It means giving back to the world at large. And the best way I can do that is through the talents I have in the information security field. It's the thing that I'm certainly most passionate about, you know, in my professional life and even in my personal life in a number of ways.
Speaker 0
2:38 – 3:03
There's something in your LinkedIn profile description that stuck out to me. I did a little bit of creeping before we hopped on here. And in that description, you mentioned that you often live at the intersection of storytelling and technology. And I imagine your passion for that intersection is in part what's led you to do things like hosting the Privacy Please podcast. Can you talk a bit more about what this space means to you?
Speaker 1
3:03 – 4:20
I mentioned a minute ago that, you know, part of my why is about being able to give back and to teach and to educate folks on these various topics. And that's where that intersection between storytelling and technology lives. A lot of times, security can be positioned as this esoteric dark arts, you know, career path that is not really approachable to many. And a lot of times also in the business world, a lot of the concepts that we're trying to convey to our business partners in other parts of the organization, don't come from necessarily technology or even security backgrounds. And so being able to express many different ideas through storytelling, I find really, really brings it home for folks and makes it real for them. It helps them understand both the challenges as well as the paths forward. And with regards to Privacy Please, absolutely. So one of the reasons why we began Privacy Please was to tell more of those stories. And for those that have listened to it or may tune into it after this, one of the things you'll notice, it's an extremely conversational style because what we're really getting at is telling the stories of our guests and understanding their stories, their lived experiences, their lived experiences in security and privacy, and how those things are applicable to our listeners.
Speaker 0
4:23 – 4:39
Today, we're gonna dig a bit into privacy policies, like the general data protection regulation and the California Consumer Privacy Act, both of which are very long names that are a mouthful. For folks that haven't spent much time in this space, what are these sorts of regulations typically trying to accomplish?
Speaker 1
4:40 – 7:00
There's one primary thing they're trying to accomplish, and that is protecting the privacy of consumers, putting that power back into the consumer's hands as the digital transaction world has collected, gathered, stored, analyzed information on subjects, on people in particular. There are a lot of really good uses for that data. Everything from being able to help form other types of policies, civic policies, but it also does get used in ways that aren't always to the best intent of the data subjects themselves. You know, on the far end of the nefarious spectrum, we could cite, you know, the Cambridge Analytica scandal. On the not so far end of the spectrum, we can cite the more mishandling of people's privacy. Right? Just the lack of care when it's entrusted with those individuals. And suppose both CCPA and GDPR, if you're looking for the non mouthful version, is, they're both geared towards ensuring that organizations do a number of things, that they take a privacy first approach. GDPR refers to that as privacy by design, as well as empower the users to be able to take control of their privacy, to be able to dictate how their information can be shared, and more importantly, how it should not be shared, who it can be shared with, and who cannot be shared with, and things of that nature. And on top of those two, we see similar laws having emerged across the entire planet, Brazil, South Africa, you name it. Just about every developed country has some form of regulation either already passed or currently in legislation. And here stateside because we're a fabulous amalgam of a bunch of different little entities, all 50 of them, 50 different states plus three territories. What we see is a lot of state level regulations also on the rise, which is what CCPA is. So that one's actually not a federal regulation, in the same way that GD... apologize.
In the way that GDPR is a big overarching regulation meant to govern the EU, CCPA really is just intended to cover California citizens or those that do business inside of California.
Speaker 0
7:00 – 7:21
I think a base concept that I'm hearing in there is essentially that, you know, I as a person, if data about me is collected or through about my actions or things related to us collected that, the intent is, like, I should have some control or ownership of either that data or what's done with it. Is that, like, what folks should kinda take from that?
Speaker 1
7:22 – 8:03
Well, I'll turn the question around to you, Ryan, because it is your data that is in con it in the hands of all of these organizations. Do you feel as though you should have that control of your data? Turn it back on me. Yeah. And bear in mind, this is an opinion, but I think yes, ultimately. But Yeah. And I'm sure you think that way for the same reasons that you might own curtains. Right? It's not about whether or not anything nefarious is happening inside your home. You respect and value your privacy, and your data very much tells a lot of stories about you. In fact, no matter how close your blinds are, your data tells way more information about you than I would ever know by simply standing outside of your home and peering in through your blinds. Not that I would do that.
Speaker 0
8:06 – 8:32
And, a part of all of this is a, a concept that, some of these laws share, which is the the concept of the right to be forgotten. The idea that you have the ability to compel an organization that's holding this this data that we're talking about, or data about you, and, you could ask them essentially to, like, delete it and and remove it from their infrastructure. Can you talk a bit about that and and, the importance that sort of provision has in in those, like, structures?
Speaker 1
8:33 – 9:51
Sure. The right to be forgotten is an interesting story in and of itself. This is another one of those intersections that I like to recall. So the genesis of it was based on an individual, I believe he's in Spain, who had an incident early in his life that was still showing up on the Internet, and he wanted it removed. He was many years removed from that incident, believed it was harming him in future opportunities, and wanted that to be removed. And so took this all the way through the courts, and they ultimately ruled that he had a right to be forgotten. That information had changed, had been updated, but the information that all these organizations held on them had not. That concept has since carried forward, beyond just the right to be forgotten on the Internet, but the right to be forgotten within your organization we do business with. Simply because I transact business with you once, does that give you the right to continuously know these things about me in perpetuity? Yes. You needed my home address to have delivered books to me, but do you need it beyond that if I haven't given you consent to use it beyond that? And the answer is ultimately no. Right? And, again, turning it to you a second ago, I think you might even agree. If you would share that information with me once in the past for one very specific purpose, and now I'm using it for a very wholly different purpose later in the future, you probably would like the right for Gabe to forget where you actually live.
Speaker 0
9:52 – 10:10
Yeah. And you're correct. I am of that temperament with this. Alright. And I do hold that opinion. Fact, I kind of as a practitioner in software development, my view on kind of the collection information is, you know, I should collect it for as long as I need it and then only use it for that purpose and then
Speaker 1
10:11 – 10:57
Yeah. And the right to be forgotten works on the tail end of that. On the front end of that, GDPR equally put in some regulation that states that you should only collect the data you need, and you have to have a lawful basis for collecting it. So if you are in the business of delivering books, I'm just picking on something that everyone might be familiar with. Right? But you are a digital where you're a digital storefront. You sell books. You probably don't need to know my sex in order to deliver that service to me. So why should you collect that data in the first place? Right? Like, you don't need to know my sex, my religion, my age. You don't need any of that information for the purpose of processing that transaction. And things like GDPR says that you don't have a lawful basis for you for collecting information, then you can't and shouldn't have that information.
Speaker 0
10:58 – 11:23
I imagine something that comes up as a as a difficulty, whether it's, like, trying to prove compliance with this or requirement or even if you're the organization trying to manage it, is the idea of in a way, you kinda have to prove it negative. Right? If you don't have information about someone, it's kinda hard to then, like, prove necessarily that you that you don't somewhere. Does that kind of act as a point of consternation between organizations and and regulators?
Speaker 1
11:23 – 13:30
There's a ton of hairy and gray area in here. So there are a couple of other things in the mix. First, there are a number of carve outs for legal exceptions as to why you can still hold on to some information. And some of it may be everything from tax purposes. You have to be able to account for the fact that you paid, you collected taxes on behalf of a book you sold to me in the state I lived in. And some of it is beyond that. So some of it is more geared towards research and even policing. So there are a ton of carve outs. So let's put those on the side, but I wanted to make sure we made mention of them first. The other is and what you're describing is kind of a technological challenge of, well, how do I prove to you I don't have it if I deleted it? Right? And more importantly, how do I know I don't have it if I deleted it? The answer there is there are a number of different ways that this comes to bear in the real world from a technology perspective. I've seen approaches everything from, you know, encrypting and throwing away keys, which I think the jury is still out on, to deleting and then replacing information with some type of unique identifier that simply states, okay, in place of Ryan's actual information, here are some identifiers, but we no longer have that information about them. So some form of deidentification process. A deidentification process is probably where the loosening of that friction starts to occur. Again, if I am this organization that likes to sell books online and just about everything else for that matter, I probably also wanna understand how people similar to Ryan shop so that I can sell them books also. And so if Ryan asked me not to maintain any information about him, how do I grow my business that way? This is where deidentification comes into play, of course. Right?
So now the only things I keep around are things I know about people like Ryan, but not things that are directly identifiable to Ryan. So that's another way. But to answer your question a bit more pointedly, yeah, there's a bit of friction in the how, you know, how do we keep it, what do we keep, how do we prove we no longer keep it. We get smarter every day, since that regulation has been put into place, and there are a lot of firm mechanisms now for being able to tackle that challenge in particular, few of which I just mentioned.
Speaker 0
13:31 – 13:56
What you've described at the end there sounds a bit to me kind of, like, in a way, kind of like a soft delete where it's like, well, you know, this information is no longer attached to somebody, so now it's kind of like an anonymized dataset that we can try to run things against. Is that, am I hearing that correctly?
Speaker 1
13:56 – 16:02
You're not wrong. Your development background might come well into play here. The difference between being anonymous and de-identified, though, is a distinction worth calling out, because it's not really a soft delete. In order for it to be properly de-identified, it means it should be resistant to re-identification attacks. What does that mean? That means if I gave you a ledger with a bunch of names and other identifying information about individuals inside that ledger. And then I did things like only remove two tuples of that data. For example, I removed their first name, and I removed their age. But I left in things like their ZIP code, and their sex, and, you know, the profession area, etcetera. As I start adding in more tuples of information, it makes it easier for me to reidentify that individual. There are a couple of well known examples of this in the news, if you would. Some dating back as early as the eighties, if not yeah. I'd say the eighties probably the first time I've the first paper I recall reading on and not that I read it in the eighties. I'm not that old yet. Hopefully, I will be one day. But reidentification attacks are not new. Right? Taking multiple datasets and putting them back together to reidentify folks. So you have to do more than simply kinda anonymize them from that perspective. And as a developer, and we see this often in the development world, you need real world data to work with. You can't just have a bunch of fake anonymous data in your system because the system might not respond the way you intended to. So how do you test your system without real world data? And that's where synthetic data and deidentified data can come into play there versus simply anonymized data. So it's not really a soft delete. When I think soft delete, I think closer to, you know, encrypt and throw away the keys kind of thing. It's like, yes.
Theoretically, even quantum computing couldn't break that key. But theoretically, if quantum computing came around someday in the future, then there it is. It's still there waiting to be de identified. Right? So when the Gorgons show up with their supercomputer, all is lost.
Speaker 0
16:03 – 16:29
As organizations, you know, look to comply with these sorts of regulations as they appear. I mean, the ones we've talked about, GDPR, CCPA. I remember the acronym. They've been around for a while and have gone into effect. I imagine there's some work to catch up. You know, most folks maybe aren't designing to already be at these standards. Well, may not or most is probably incorrect, but there's probably a collection of folks that aren't there yet. As organizations seek to get there, are there any bugbears that kind of come to you that are, like, things that they should be watching out for as they try to comply?
Speaker 1
16:29 – 18:02
You were right in your first assertion that many are not. Most are not, in fact. And part of that is a byproduct of CCPA is literally still going through yet another round of changes and has only been in effect for under a year. GDPR has been in effect for under five years. By contrast, one of the other most famous privacy laws that the US has is HIPAA. Right? The health care information, portability accountability act. Right? So HIPAA is largely a privacy regulation, which equally states, you know, those 16 different identifiers of an individual's personal health inform protected health information need to be protected. So a lot of folks are quite behind in this way, except for the ones that have had to have complied with things like HIPAA for quite some time. They've been dealing with similar challenges for some time, so they kind of have an understanding of how to do this. And what's one of those bugbears? What's one of those things that folks who've been at this for a while understand is that first and foremost, we need to even know where that data is. Without an understanding of where it is and what it is, it is literally impossible for you to be able to apply any of the other regulatory requirements to that dataset. Like, understanding what your lawful basis for collection was, understanding who has access to it, how it's being used, what systems it resides in, and how it flows through those systems. Do you even have it at all? You can't answer any of those questions if you've not actually found it, located, identified it.
Speaker 0
18:04 – 18:53
I I'm I'm hearing something in there that is, is interesting. So so in my experience, when when you're, like, when when you're when you start building an application, right, there's always kind of that stage where it matures to a point, and it's grown to a point that it's, like, too big for any, like, one of the developers or designers to, like, really fully comprehend it in in just a single brain, like, everything it's doing. And I it sounds like that maybe that's the case also for information architecture. At some point, you're collecting so many different pieces of connected information that, like, any one person doesn't have that inventory, like, that can understand exactly where everything's at. So then you start to rely on, oh, like, different groups having to collaborate to figure out where things are. And I imagine that can lead to, you know, through the fact that you have to communicate now, the like, essentially, just not understanding the the full scope of things. Is that is that is that accurate?
Speaker 1
18:54 – 20:09
That is accurate. I would say that one of the things that we can do to narrow that field of vision, if you would, that fog of war is by first making sure we understand, again, that basis for collection to begin with. How did we get this data? Right? Did we intake it through our bookselling portal? And if so, that's where we should start. Because from there, if we're peeling some of it off and shoving it through a Kafka stream over to the left so the data science team can analyze it so they can sell more books to people like Ryan, then instead of working away from the bottom up and trying to figure out, hey. Data science team, that data you have, does it belong to Ryan? Does it belong to people like Ryan? Where'd you get it from? Right? We should start from the top down. And okay. So we've collected data. Where'd we collect it from? What are the business reasons we currently collect data? And where are the interfaces where that occurs? And that's the same with when you think about an application. Where's data coming into where does it make its way into the application? Right? Where's that source before it makes its way to 99 other sinks? If you start looking at the sinks, you're gonna have a hard time trying to get everyone to, well, pun intended, sync up. But if you start at the source, then that does become a bit easy, but your assertion is positive.
Speaker 0
20:10 – 20:28
And so if if there is somebody out there listening to this right now, and maybe they started a new organization or maybe listening to this podcast, they realize, oh, maybe I should be complying with this. Maybe there's people I need to talk to. Is is there any advice that you would give them as they head off to start on this compliance journey?
Speaker 1
20:29 – 22:10
The very first tip of advice is every advice that I give you, I am not a lawyer, so you should, number one, check with in house counsel if you have. If you don't have any, and some folks don't. Right? Like, small organizations, you might outsource, you might not at all, then you need to go back to that question that I just referenced a minute ago. What data are you collecting on people outside of your organization? How are you getting that information? Where's that who are the people that that information belongs to? If that information belongs to EU citizens, well, you might be subject to GDPR. You might not actually because there are a bunch of other thresholds. Same is true. Are you collecting do you do business in California, and do you do business with California residents? Then you might. Again, there are other thresholds. There are revenue thresholds. There's size thresholds. So your organization may be too small to have fallen inside of any of these regulatory requirements. But they may not. So the first step is just even understanding, do I meet those minimum thresholds? And there are a number of resources that break some of those things down. You know, at my organization in particular, Spirion, we've got a wonderful gentleman by the name of Scott Giordano. Shout out to Scott Giordano, who has a number of resources and blog posts and other webinars, etcetera, that we give on just that topic in particular. The IAPP, an organization that spends their time focused on this privacy challenge, has a lot of resources on that as well. The what am I thinking? I'm thinking the freedom foul. There's another one that I wanted to toss out there, and it's killing me that I don't know. Future Privacy Forum. That's what I was thinking. The Future Privacy Forum, that's another great resource that folks can go and start getting up to speed on.
Speaker 0
22:11 – 22:41
The one thing I wonder about with with these, these regulation changes is if it could cause, kind of, like, larger strategic shifts in the sort of business models that tech companies are using. For example, is it possible that we might see a shift away from the model where a service is free? Because you're essentially trading, like, the data about you for the value of the service, and that's kinda like how you're paying for it. As you kinda look at the space, do you do you see that the potential for those kinds of trends happening?
Speaker 1
22:42 – 24:16
Well, I'd like to be fairly data driven in most things. And the truth is, to answer that question, I could look at the $70,000,000,000 that Facebook made in 2020. Yeah, was it 70,000,000,000? I forget exactly what it was. No. That's the total that David Mouse. I don't recall the number exactly off the top of my head. I'd have to go pull it up, but it's a really large number. Yeah. I feel like it's in the 70,000,000,000 range. But nonetheless, to answer your question, that business model clearly works still. That giving the thing away for free so I can collect data is extremely profitable. We're only going to move further towards that model, not away from it. The businesses don't look at the success of those types of organizations and think, yeah. That's great. But I wanna do something so radically different that, you know, I'll completely buck that trend and not take any of those lessons away. So just realistically speaking, the money tells us that we are going to be faced with more of this. I think the onus is on us as consumers to start deciding what is our data worth to us, and how are we going to transact it. Are we getting enough in return for what we're giving up? For many of us, that answer is no. For a lot of us, I think the answer is not yes or no. It's simply the question hasn't been posed either by someone else or by themselves. And so they're not thinking about it in that sense. The realization that if they're not the consumer, that they are the product, hasn't quite set in yet.
Speaker 0
24:16 – 25:02
And I I think your comment about how profitable that model is is maybe a good segue into I wanted to get back back into the kind of GDPR, CCI, those sorts of policies and talk a bit about the, like, incentive systems they attempt to create. If you want compliance, it it occurs to me that something like those policies, if they wanna be successful, they have to think about the those incentives. For instance, if if you have a system of fines, right, but the fines are much lower or or the fine yeah. The the cost of the fines is much lower than the the cost to comply, then really an organization is gonna see in their best interest to just keep doing what they're doing and pay the fines every time the regulators decide to look into it. As the as, like, these policies are, do you think that they're managing that kind of incentive system relationship effectively?
Speaker 1
25:03 – 26:38
No. There are a lot of perverse incentives in the world, and they tend to skew towards those that can afford those fines. Right? You're at one extreme example, but just kind of a more day to day example. You know, some jerk base pulls up into a handicap parking spot and knows it is, but whatever. I'll eat the $200. That's not a lot of people, but there are some people. Right? And it's not because they're necessarily just jerks. It's like, I am more concerned with the thing I need to do right now, and that $20 or $200, that's just not enough to disincentivize me from that bad behavior. So there is certainly a misalignment there of those things. You know, to pick on Facebook just a little bit more, I think they were recently fined yet again. And I think to the tune of I don't remember. It was a 100,000,000 or less. Maybe it was 200,000,000. Whatever that number was, I recall looking at it and thinking it was a rounding error in their profits from the year before. And so, no, they are not incentivized to do it because of the fines. We're hopeful that they're incentivized to take better care of our privacy for other reasons now. Right? Reasons like being threatened to break the organization up. Right? So those monopolistic practices that some believe that they engage in, which are all part and parcel of some of this other behavior, those things might stop them from doing it. Public perception, those things might stop them from doing it. So we do need to have multiple levers because I'm not saying get rid of the fines. The fines are good. The fines just don't work against some of the most egregious offenders as they challenge.
Speaker 0
26:39 – 27:27
Yeah. I I I think I'm with you on that. I think even, I saw that, for example, there's, like, there's, like, an increase. There's some increase in the fines. I think I saw there's, like, a 40% on a on a source I was looking at. And I think, like like, one of the flashy ones in the past year was I think Google got, like, a $56,600,000 fine from the EU, which not even couch change for Google. Like Right. Yeah. I'm sitting there thinking, like, you know, if I change that million to a billion, that might be, like, a quarterly report or something for them. So it just doesn't feel like it's it's it's it's a it's really there. So I'm wondering, like, let's say I'm gonna create, like, a theoretical scenario. Let's say that some legislative body is it's been like, Gabe, like, we wanna talk to you. We're gonna sit you down and have you do, like, a testimony. If if you were to, like, give them advice, like, how how do we try to wrangle this behavior? Like, what what what would you suggest to them personally?
Speaker 1
27:28 – 29:44
Well, I think we start with what I said. Fines obviously don't work at that tier. We keep the fines in place, but at that tier, we start imposing other types of sanctions. Right? And depending on how draconian one may or may not wanna be, I think that depends on just how egregious their infractions are. But I don't think we start with monetary, you know, fines for those types of organizations. We start with monitoring. You know, we saw this back in the February when Microsoft was under the microscope for some of their monopolistic practices. Our government literally installed a number of compliance monitors, basically. They said, alright. For the next ten years, you will answer these questions to these people, and you can't get rid of them. Like, they will be crawling all up inside your organization until we feel comfortable that you are no longer, you know, participating in these types of activities. They equally threatened to break some of those things up. In fact, we broke up some things. I don't recall the last time we broke up in this country any large business. I'm fairly certain I'm old enough that if I jog my memory, I could think of. And I mean big businesses, like, you know, like the Ma Bell of the seventies breakup style. It may be time to return to that. And I know that that is something that's currently being talked about in some legislative circles, and I know it's a bit of a taboo conversation. But, obviously, our current approach is not working. So we have two choices. We can continue to let every single citizen be at the mercy of these outcomes and events, whether those things are individuals taking advantage of us financially, maybe manipulating our emotions and feelings for political gain, or simply profiting from us. That's the other side of this coin. Like, we allow those things to happen.
We can't let capitalism just go rampantly unchecked in the face of real harm to people. And I don't feel like that is such a hot take that labels, like, you know, bleeding heart liberal should be applied to it. It's like, no. We just shouldn't because it's literally everyone that's affected by it. All of society is affected by it negatively.
Speaker 0
29:45 – 29:54
As you're thinking about the future of the data privacy space, what's something you're worried about? And then on the other end, what's something that is giving you a lot of hope?
Speaker 1
29:54 – 31:57
I'm worried that we would not have learned our lessons from the cybersecurity space when it comes to attracting and retaining talent that is capable of solving these problems. It is equally not as esoteric as some might make it out to seem, and we are going to equally be faced with a shortage of individuals coming to the space. And it's not because they're not there, it's because I don't think we're looking for and attracting talent with transferable skill sets to address these problems. And we're not just gonna natively grow them all from the ground up and take the next generation of kids and, you know, have them all get degrees in data privacy. Nah. There you go. Problem solved. That won't do it. We'll have to recognize that there are transferable skills, that there are engineers that can help solve this problem because the problem does need to be solved at engineering levels as well. And they don't need to be privacy professionals, but they do need to understand, they being engineers such as yourself, they do need to understand, okay. If I build this application just to collect as much as I can because I can, that's problematic. Right? There's no reason for your mobile app to request access to everything. You don't need access to everything. So it's things like that. Like, actually putting in place the types of controls, but the knowledge of those controls to folks who are inadvertently making some of these decisions. And that's the hopeful part of it, if I would, is that there are people that are endeavoring on this at the moment. The IAPP, again, for example, are there's a strong movement to bring developers in particular into that fold. There's folks like, who was on our podcast recently. He heads up privacy over at, engineering privacy over at Uber, who does an amazing job of helping his teams understand the role privacy plays in the products they build. So there's a lot of hope out there for me.
Speaker 0
31:58 – 32:11
As we get to the tail end of our conversation, a thing we tend to do on Civic Tech Chat is leave some space at the end for the guests to kinda give us an idea of what they'd like us to leave this conversation thinking about. So for you, Gabe, in this conversation, what should we leave it thinking about?
Speaker 1
32:12 – 32:39
I'd like everyone to leave thinking about how they can make this personal to themselves. In much the same way I turn one of your questions to yourself and ask you as a developer or as a person even before I turned it onto you as a developer, how you see these things is we should all make this personal to ourselves that we can understand what role we can play in these challenges versus simply saying, that sounds like a problem that Gabe needs to go solve for, and he can call me back next Monday once he's figured it out.
Speaker 0
32:40 – 32:52
Gabe, thank you so much for taking the time out of your day to join us here on Civic Tech Chat. I have no doubt that folks listening in are gonna learn something and gain something valuable that they can kind of incorporate into what they're doing.
Speaker 1
32:52 – 32:55
I appreciate. Thank you for having me on. Pleasure was mine.
Speaker 0
32:56 – 33:08
You can follow us on Twitter using the handle at civic tech chat. Visit us on the web at civictech.chat, or subscribe to us for content updates wherever it is you download your podcasts.