Event Recap / November 2021

Future-Proofing for a Changing Privacy and Security Landscape

On November 10, 2021, Steve Weber, Faculty Director of the University of California, Berkeley’s Center for Long-Term Cybersecurity, engaged in a conversation with Kate Charlet, Director for Data Governance at Google, addressing a wide range of questions related to how organizations can “future-proof” themselves in a dynamic security and privacy landscape.

Among the questions they covered: What’s on the horizon for federal privacy legislation? How can technology companies rebuild trust with consumers? And what are the potential impacts of divergent approaches to tech policy in the U.S., China, and beyond?

At Google, Charlet’s work focuses on issues related to privacy, information security, and government access, and the intersection of these issues with technology and internet policy. She was previously the inaugural director of the Technology and International Affairs Program at the Carnegie Endowment for International Peace. Prior to her role at Carnegie, she spent a decade as a civil servant in the U.S. government, including as the deputy assistant secretary of defense (acting) for cyber policy and as director for strategic planning at the White House National Security Council.

A recap of the conversation is below; questions and responses have been edited for length and clarity.

Q: Tell us about your role at Google and what kinds of issues you’re working on these days. What drew you to move from the government and think-tank world into the private sector?

I’m in government affairs and public policy at Google. What that means is we are engaging with civil society — with academia, policymakers, industry colleagues, regulators, and others — on issues of public policy and regulatory interest. We also have an internal function, advising the company on those kinds of issues as they’re thinking about decisions for the business and its products. We’ve got a wide range of products at Google that all have different ways in which they operate. It can be broad and complicated — and fun.

I am the Director for Data Governance in what we call our Centers of Excellence, which means we’re the global subject-matter experts for the government affairs team on our issue areas. For me, that’s privacy, issues related to law enforcement’s access to data, and government surveillance. And it’s also cybersecurity. Any time you think of an issue that cuts across regions and product areas, that’s where we get involved — for example on data flows, biometrics, and children’s data protection regulation, globally. That’s where the Centers of Excellence come in.

In 2001, I was a senior in college studying molecular biology. I was visiting Berkeley that year to apply to the PhD program in genetics. And that was the year the 9/11 attacks happened, and after that, the anthrax attacks. Watching the response to the anthrax attacks in particular made me realize I could do something else with my molecular biology degree, other than go to medical school or into research. So I made a leap, moved to Washington, DC, and got an internship that really opened my eyes to international relations and public service. That’s how I came to work in technology and security for the better part of the next 20 years.

I really enjoyed working on cyber issues at the Department of Defense. You couldn’t walk five feet without tripping over a huge policy issue. I loved working on global stability issues at Carnegie. And I ended up coming to Google because the issues that I would be working on — surveillance, cybersecurity, and privacy — are so important to our society. The parameters around which companies and governments manage data protection and data governance are incredibly impactful, especially for a company like Google. We scan 100 billion installed apps for malware, and we block 15 billion spam messages every day. That kind of impact connected me back to what I had been doing at DOD and gives a real mission and orientation to the work.

Q: Every year, we seem to hear that this is the year we’re going to have a federal privacy law. What’s on the horizon for federal privacy legislation? Is something coming in 2022, and if it is, what’s it likely to look like? And if not, why not?

New regulations in the space are a matter of when, not if. I firmly believe, whatever the year, it is going to happen. And you’re right that the conversation has evolved. There are a lot of new facets to it, even just this year, and there’s new urgency to it. There’s definitely not a shortage of activity in the U.S. I would welcome a federal law. Google supports a federal law. We think that sentiment is shared very widely in the private sector.

In terms of what’s coming for federal legislation, it’s clear to me that Congress has a real interest in legislating, but there are still political hurdles. The ones that we hear about the most are private right of action and preemption. They get a lot of attention. But I don’t think we should be spending all our time thinking about those issues when we think about federal legislation, because there are a lot of other fundamental questions that need to be thought through. The substantive provisions of a bill and how it is drafted matter a great deal.

The good news is that there has been a lot of conversation around this. There’s a lot of alignment across the privacy community about some of the core parts of a privacy bill, including things like access and deletion, data minimization, and individual control. There’s also a lot to learn and capture from the GDPR. One of the things that will be different this year is that companies will move into the compliance phase of the California Privacy Rights Act (CPRA), and the Virginia and Colorado laws will take effect in 2023. You will see companies start to prepare for compliance with those in 2022.

It’s important to recognize that those aren’t just copy-and-paste bills. They are different bills that have different definitions and obligations. I’ll be interested to watch in 2022 as companies start to get real about pursuing compliance. We’ll hear more about the impact of those bills and about the differences between them. That could feed into and affect the federal conversation.

The other big thing folks will be watching is the FTC, which has indicated it will consider using its Magnuson-Moss rulemaking authority to issue privacy rules. That’s all just developing, and hopefully that could unlock some progress in Congress, as well.

Q: At CLTC, we like to talk about looking over the horizon and preparing for the long-term future. When you’re thinking about longer-term issues of data governance, how do you think about “future-proofing” for the next three to five years, for example around an issue like data flows?

Future-proofing is an area where academia and academic organizations have a lot to offer and collaborate on. What’s the biggest privacy and data protection challenge or imperative? To me, it’s about how you unlock the value of information and insights in a privacy-preserving way so they’re useful and actionable for society.

I had been at Google for about six months when the pandemic hit. We developed a number of products to contribute to the response, including Community Mobility Reports, which provided aggregate insights into people’s mobility patterns during the COVID pandemic but used privacy-preserving technology to make sure that privacy was protected.

Technology is often portrayed as a threat to privacy. But actually, technology can help stakeholders everywhere, in any sector, gain access to insights based on sensitive data. If you were to share the raw data directly, that would be problematic. We’re in a moment where privacy-by-design and privacy-preserving technologies are critical. A lot of new technologies are expanding in scale and scope and speed, but we haven’t yet fully realized the potential of that. There’s a lot that governments and regulators and all of us could do in understanding these technologies, incentivizing their use, and moving to a world where it’s easier to unlock the power of information and still get the value and the use cases out of it.
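To make that concrete, one of the privacy-preserving techniques in this space is differential privacy, which adds calibrated noise to aggregate statistics so insights can be published without exposing any individual’s records. The sketch below is a minimal Python illustration of the idea, not a description of Google’s actual pipelines; the count, epsilon value, and scenario are hypothetical.

```python
import random

def dp_count(true_count: int, epsilon: float = 1.0) -> float:
    """Release an aggregate count with Laplace noise (epsilon-differential
    privacy, assuming each person contributes at most one visit)."""
    # The difference of two exponential samples is a Laplace(0, 1/epsilon) sample.
    noise = random.expovariate(epsilon) - random.expovariate(epsilon)
    return true_count + noise

# Hypothetical aggregate: visits to parks in one region on one day.
print(dp_count(12408, epsilon=0.5))  # noisy total; raw per-person records are never released
```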

Switching to the question of data flows and future-proofing, and the invalidation of the EU-U.S. Privacy Shield: one of the big takeaways from that is the need for stable and durable frameworks that are global in nature, for greater understanding of government access to data, and for frameworks that allow greater interoperability and stability for data flows over the long run. Cross-border privacy rules are an example, and there’s a lot more to be done there.

Q: One of the big issues that continues to plague the industry is the reliance on advertising-supported business models. We’ve started to see this change with Apple’s iOS 14 approach, which is maybe the first example of a mass privacy-protecting technology. How is this all playing out for Google?

It’s reflective of a broader set of ecosystem changes under way. Our focus has been to support developers, businesses, advertisers, creators, and publishers — the whole ecosystem — through the changes that are happening today. We want to work with industry in an open, multi-stakeholder way and make the web private by default. That’s why we’re experimenting with some new approaches to privacy on the web, which we call the Privacy Sandbox. It’s why we’re working to prevent invasive covert tracking, which can be the result of overly blunt approaches. And we’re doing that in a way that allows sites to provide useful ads and fund their businesses.

The open web was founded on the ability to provide content to folks and make it available for everybody through ads. We’re continuing to have the discussion about how to provide that functionality and support the open web, but to do it in a privacy-preserving way. And that’s not going to be easy. It’s hard to do, but that’s all the more reason to do it.

Q: Google ran an interesting experiment with Federated Learning of Cohorts (FLoC), but the marketplace didn’t like it. What were you trying to do, and why do you think there was such a negative reaction to it?

Federated Learning of Cohorts, or FLoC, was one of several proposals for technologies that we have put out to replace third-party cookies in the future. We received substantial feedback from the web community on FLoC, and we’re incorporating that input before we go to further ecosystem testing.

In 2019, we saw that user expectations were changing around third-party cookies. Pew Research, for example, found that 72 percent of people felt like almost everything they do online is being tracked by advertisers and technology firms, and more than 80 percent said the potential risks they face because of that data collection outweigh the benefits. To end cross-site tracking, the web needs to move away from third-party cookies. The challenge is that, over the last 30 years, many of the core functionalities of the web have grown to depend on those same techniques, and we don’t want the web to lose those critical capabilities. Some fraud-fighting, abuse-fighting, and spam-fighting technologies are core to that.

Privacy Sandbox is Google-led, but it’s an industry-wide effort to replace mechanisms like third-party cookies with safer solutions that protect privacy. That’s where FLoC comes in. We’re trying to have a conversation with industry to figure out how to replace that functionality with something more privacy-preserving. FLoC is a technology where the browser uses on-device computation: a person’s browsing history never leaves their browser or device, but the browser places them in a large group numbering in the thousands. Unlike today’s technology, individuals can’t be identified. But members of a cohort are likely to be interested in the same kind of content or ads, so the same sort of functionality can be maintained without ever sharing individual personal information.
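To illustrate the on-device idea, here is a simplified sketch, not Chrome’s actual FLoC algorithm; the hashing scheme, cohort size, and domain names are invented for illustration. The browser reduces a local browsing history to a small, coarse cohort ID shared by many users, and only that ID would ever leave the device.

```python
import hashlib

COHORT_BITS = 8  # tiny ID space, so each cohort covers many users (illustrative)

def domain_signature(domain: str) -> list[int]:
    """Map a visited domain to a reproducible vector of +1/-1 values."""
    digest = hashlib.sha256(domain.encode()).digest()
    return [1 if (digest[i // 8] >> (i % 8)) & 1 else -1 for i in range(COHORT_BITS)]

def cohort_id(visited_domains: set[str]) -> int:
    """SimHash-style grouping computed entirely on the device.

    The browsing history never leaves this function; only the coarse
    cohort ID (shared with many other users) would be exposed.
    """
    totals = [0] * COHORT_BITS
    for domain in visited_domains:
        for i, bit in enumerate(domain_signature(domain)):
            totals[i] += bit
    return sum(1 << i for i, total in enumerate(totals) if total > 0)

print(cohort_id({"news.example", "recipes.example", "cycling.example"}))
```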

The web community raised a lot of questions about this, and we learned a few things from those engagements. Some of the concerns were: how do you make sure you don’t replicate the issues with third-party cookies, just in a new way? FLoC shouldn’t make it easy to collect and use sensitive data to target not just individuals, but vulnerable groups. You shouldn’t be able to join FLoC data with existing user profiles. We’re taking a lot of those inputs on board to further incorporate into the design. At a more meta level, it showed that there’s a lot of interest from civil society and regulators and industry in getting the next version of ad targeting right. The fact that we agree on that is a good thing.

The other lesson is that balancing privacy and utility is difficult. It is possible to have both of those things, but it’s hard. We have to find ways to keep the utility while preserving privacy, and that takes an approach that involves a lot of stakeholder engagement. We really welcome and invite others to contribute ideas.

Q: You spent a lot of your career working on technology and national security issues. There’s a very live conversation about that these days, often in relation to China. What are the most important questions on your mind these days that need to be addressed as we think about the technology-national security nexus?

I haven’t had a chance to deep-dive into recent laws in China, and many of our core products, like Google Search and Gmail, aren’t available in China. Processing personal information in China is really limited for us compared to other multinational tech companies.

But your questions are good, and everybody is actively grappling with them, including us. It actually tracks back nicely to the question of federal privacy legislation, and why that is important for American global influence. We are already a leader in technology and data services, and I think we should be a leader in data protection, too, not least because the flow of data contributes more now to GDP than does the flow of goods. [We can] have federal privacy legislation in place that can promote data flows and promote compatibility with rules in other countries that are both pro-privacy and pro-innovation.

We will continue to support the US government and other like-minded countries in preserving democratic values in digital economies. We will continue protecting fundamental rights, like freedom of speech and expression. And we think there’s a role for industry to play in that by focusing less on borders, and more on making sure that the products people use every day and the information people need every day are available globally.

Q: Is there a conversation taking place at Google about re-entering the China market, or are there laws the Chinese government could pass that would make you interested in that conversation?

What we want is interoperability of data protection laws and data flows. That is what is going to bring an integrated global economy that has data flows with trust. We can have strong privacy protections, and we can have open data flows. We can have both of those things with the right frameworks in place. At the root of it, it’s about interoperability. It’s about global frameworks. It’s about bringing countries together, for example at the OECD, which has been an effective and important forum to have conversations. We’ve got to continue having those conversations.

Q: How do you think about this issue of user trust?

Trust is foundational. It’s essential for a company like ours, and for other companies, for the technologies that we’re putting forward. An example was the exposure notification work that Google and Apple collaborated on last year, to enable notifications for people who had been in proximity to somebody who later tested positive for COVID. There are ways to enable that, and there was a very robust debate, internationally and in the United States, among academics about the best way to do that.
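The design Charlet references relied on rotating, random identifiers exchanged over Bluetooth so that matching could happen on each person’s own phone. The sketch below is a heavily simplified illustration of that rotating-identifier idea, not the actual Apple/Google Exposure Notification specification; the key sizes, rotation schedule, and function names are invented.

```python
import os
import hashlib

def daily_key() -> bytes:
    """Random key a phone generates each day; it is only shared if the
    user tests positive and chooses to upload it."""
    return os.urandom(16)

def rolling_id(day_key: bytes, interval: int) -> bytes:
    """Short-lived identifier broadcast over Bluetooth; it rotates so
    observers can't link broadcasts back to one person."""
    return hashlib.sha256(day_key + interval.to_bytes(4, "big")).digest()[:16]

def exposed(heard_ids: set[bytes], shared_positive_keys: list[bytes]) -> bool:
    """Matching happens on-device: re-derive IDs from the published keys
    and compare them with what this phone actually heard nearby."""
    return any(
        rolling_id(key, interval) in heard_ids
        for key in shared_positive_keys
        for interval in range(144)  # e.g., one rotation every ~10 minutes
    )

alice_key = daily_key()
bob_heard = {rolling_id(alice_key, 42)}   # Bob's phone was near Alice
print(exposed(bob_heard, [alice_key]))    # True once Alice shares her key
```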

To get people to use technology that’s going to have value, like in the COVID-19 response, they have to trust it. If you don’t have that trust, you don’t have the uptake. It doesn’t work. Expectations are rising from consumers, from leaders, from everyone, and that’s rightly so. And it’s Google’s job to rise to that challenge of giving better product experiences, better security, and better privacy protections, and making it easy for people to fit those protections into their lives without 100 toggles or a master’s degree in privacy. It’s increasingly clear that this can’t just be a choice for businesses and organizations. We need a law with clear individual controls, clear expectations for businesses, and strong accountability and enforcement mechanisms. Let’s not just talk about trust; let’s enshrine it in regulation, too. That’s one of the reasons we’re supportive of a federal privacy law.

Q: You mentioned that you work on law enforcement’s access to data and exceptional access. Where do you think law enforcement access issues might be headed?

At the level of government surveillance, [the focus is on] interoperability and thinking through the frameworks so we have a common understanding of what the expectations of governments are in terms of access to data, or in terms of their use of technology. Facial recognition is a really interesting one that we’ve grappled with. For example, we made a decision pretty early on not to offer a general-purpose API for facial recognition. When there’s a technology like this, that has so much potential but could evolve in many unforeseen ways, that’s an argument for a robust, multi-stakeholder conversation.

It’s clear that we need to have that conversation around where we think this technology is going to go, and what are the right kinds of guardrails to put around that, both from a government and industry perspective. We’ve seen the debate change and evolve, often including legislation addressing concerns about the impact of encryption on law enforcement access to data. When I was at Carnegie, we worked on an encryption policy working group to bring people to the table to try to find a tractable way forward on that conversation. Encryption is so critical to the security of the web. I think we’re going to continue to see it as a challenging problem that we have to keep working on together.

Q: It’s not uncommon these days for people to move from the think-tank and government world into industry. Some in academia might say there are clear conflicts of interest between those domains, but others will say they are just different cultures of problem solving. What are your reflections on that?

There are plenty of examples I could cite where interests do align. Cybersecurity is a very clear example. We’ve contributed to a collective conversation around supply chain security, around best practices for cyber hygiene, and around strategies for zero trust within government. At its best, we’ve all got different capabilities and different lenses and insights and experiences that we can contribute to a conversation around moving things forward, even on federal privacy legislation. We all want federal privacy legislation, and there are other areas where we have alignment.

Q: For academics who have freedom to decide what they should be working on, what would you have us do? What is the one problem where you feel like, oh boy, I wish somebody in the academic world would solve this problem for me?

Work on enhancing the state of the art in privacy-preserving technology: federated learning, which trains machine learning models without removing the underlying data from a device; differential privacy, a mathematical technique that enables us to obtain aggregate insights from data; and secure multi-party computation, cryptographic technology that helps you connect encrypted datasets and share and combine the results. There’s so much more work that can be done on advancing the state of these technologies.
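As one concrete example of the first item, here is a toy federated-averaging loop in Python. It is only a sketch of the general idea, not any production system: each simulated device fits a tiny linear model on data it never uploads, and a server averages the resulting weights.

```python
import random

random.seed(0)

def make_device_data(n: int = 20):
    """Private (x, y) samples of y = 2x + 1 plus noise, held by one device."""
    xs = [random.random() for _ in range(n)]
    return [(x, 2 * x + 1 + random.gauss(0, 0.05)) for x in xs]

def local_update(global_model, local_data, lr: float = 0.1, epochs: int = 5):
    """A device refines the global model on its own data and returns only
    the updated weights; the raw examples never leave the device."""
    w, b = global_model
    for _ in range(epochs):
        for x, y in local_data:
            err = (w * x + b) - y
            w -= lr * 2 * err * x
            b -= lr * 2 * err
    return w, b

def federated_average(updates):
    """The server combines per-device updates by simple averaging."""
    ws, bs = zip(*updates)
    return sum(ws) / len(ws), sum(bs) / len(bs)

devices = [make_device_data() for _ in range(10)]
global_model = (0.0, 0.0)
for _ in range(20):
    updates = [local_update(global_model, data) for data in devices]
    global_model = federated_average(updates)

print(global_model)  # approaches (2.0, 1.0) without ever pooling the raw data
```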

For policy stakeholders, there are key questions on data flows, on children’s protection, and on biometrics and facial recognition. The more insight and research we have in those areas, the better off we’re going to be.