Today Anthony was joined by Karima Noren & Neal Cohen for a thought-provoking episode of our Privacy in The New World series. Karima is a Co-Founder of The Privacy Compliance Hub and Neal is the Director of Privacy at Onfido.
Speaker1: [00:00:01] Hello, I’m Anthony Brown, and I’m very pleased to welcome you to another episode of my Privacy and Data Talks podcast today, delighted to be joined by two guests actually for the first time for what I hope will be a topical and thought-Provoking episode for all privacy pros. So without further ado, firstly, I’d like to introduce Karima Noren. Karima is a co-founder at the Privacy Compliance Hub. Privacy Compliance Hub is a truly innovative company that has developed a privacy platform that enables their clients to build and maintain privacy compliance from one easy to use hub alongside Karima all the way from the US, although he’s now in the UK. I’d like to welcome Neal Cohen. Neil. Hello to you. I’m very pleased to welcome you. Neil is the Director of Privacy at Onfido. Onfido is a hugely exciting technology business that helps businesses verify people’s identities using a photo based identity document, a selfie from their phone and very, very clever artificial intelligence algorithms. So, Karima and Neal, good morning, its a nice bright morning, welcome to the show. It’s great to have you both on.
Speaker2: [00:01:28] Hello, thank you for inviting us.
Speaker1: [00:01:32] You are most welcome. You are most welcome. So here we are. It’s Monday, the 19th of October, and the world’s a little bit crazy, of course, as we know. But we’re all we’re all sticking together and getting through. And I think in the spirit of today’s episode, which, as I’ve already said, is a bit different because it’s the first episode with with two guests, we wanted to do something different and maybe have a fairly philosophical conversation around privacy today. And we wanted to actually shine a light on a conversation that we think is more crucial and more relevant than other, despite all the craziness going on in the world. But actually, it all goes hand in hand. But we feel that this is an area that needs a light shone on it. So obviously, as we all know, events over the last few months have really fast forwarded the use of of online services and products and, you know, the general public’s use of them. It’s almost an unimaginable way and speed that everything has been transformed. So I guess, you know, as a result of this, many of us are now increasingly unknowingly, at times handing over more and more of our personal data with potentially damaging consequences. So we believe this is a conversation that needs to be had. I really wanted to get Karima and Neal on board today because they bring deep privacy experience, real, genuine thought, leadership and understanding of the various moral and ethical questions and challenges within the privacy ecosystem. So I’ll stop waffling. Now, the first question really, and how I want to kick this off? And maybe I’ll pass this firstly to you, Neal Actually, if you don’t mind, I’m going to pass this to you first. As a society, have we lost control of our privacy?
Speaker3: [00:03:30] Thank you. Thank you. It’s a really good question, it’s not, I think, a very easy question to answer either have we lost control of our privacy? What I think makes it so difficult as a society is that when we engage in over and over again throughout every day with all of the organizations that we engage with, whether it be in person or just as people, is that we’re engaging with a singular company, a singular organization, but that’s not really how technology works, it’s not how the Internet works, something that will often see when engaging with a company or, you know, we won’t read the full privacy policies, but maybe they will give a few words of some high level points. It’s quite common for companies to say we do not sell your data. In fact, it’s now required in some legislation around the world when people see this sort of language, the some of the danger that occurs is they think, OK, I’m only giving my data to one company and they don’t see the supply chain that is really behind that, a concept that, you know, many people are familiar with as economies of scale. And it’s something we’ve seen for quite a long time has nothing to do with the Internet.
Speaker3: [00:04:56] Just it doesn’t make sense for everyone to build this complex system or software technology or widget over and over again. Really, what you want to do is to have one entity build it and build it really well available to others. And the same applies to the Internet. You know, there’s only so many companies that provide cloud storage, so many companies that do these different aspects that make up a digital supply chain, a technology supply chain. So we see quite often is that when we engage with a company for a digital service is that we’re really engaging with a complex stack of technologies and we don’t always see or understand what’s happening with our data as it goes through that stack. And so this question arises as to what happens to that data. How is that data controlled? Are those controls ultimately going back to the person or someone else controlling them? So I think there’s a lot of issues with just sort of unpeeling the complexity that exists with the Internet. And I don’t think most people have been really exposed to that. Karima what do you think?
Speaker2: [00:06:05] Yeah, well, I, fundamentally agree with what you’re saying, and I think there is tension. What is going on is I think this has been going on for a very long time and it’s a very slow it’s a very slow move. I don’t think that any of these companies that we’re talking about, whether it’s Amazon with Alexa, Apple with Siri, Google with Gmail, you know, and the cookies and DoubleClick and all this, this is just a world that we have slowly morphed into and we have stepped inside it as individuals. And the problem is, is as Neal is saying it’s incredibly complex to understand, OK, but at its core, what I think we were doing as individual is assuming, well, I’m OK with Gmail. I want it to be free, for example. And I trust Google. You know, I worked for Google for a long time , I trust Google. I think it’s OK. And we do that with all the individual people we interact with. I would will do that with deliveroo. Go. I’m okay with deliveroo because I want my my pizza to be delivered. I’m OK with you because I would like to go and take an Uber because it’s cheaper than a black cab.
Speaker2: [00:07:11] So when that individual we compartmentalize these services, feeling that we’re safe in the hands of each of them, we don’t actually realize that the information is (A) not kept within these companies. And also it’s shared for other purposes that we don’t understand. And I’m not necessarily suggesting that the other purposes are not beneficial to it, to us. Some of them might be beneficial, but it’s because we don’t understand and we don’t have time to understand this and it’s not even being explained to us. And even if us as professionals tried to explain it in simple language, it’s almost impossible to do so. I think the simple answer to your question is yes, we have lost control of our data because I don’t think a single one of us would be able to say, I know exactly where my data is and how it’s being used. And very importantly, I know how to reign it in then I have no idea how to reign it in unless I stop using these services and that I don’t want to do.
Speaker1: [00:08:14] It’s what ultimately then what would what are the consequences of this if this continues on this path, you know, for the general public, you know, any three of us included, of course, in not you know, what are the ultimate consequences, do you think?
Speaker3: [00:08:32] So this is really a broad range of things that might happen, and it really depends on what data is lost and how that might be used. Some things could just be a simple maybe you get some advertisements that you didn’t expect to see and maybe you like that or you don’t like that. Another end of the spectrum, your identity, who you are. Gets stolen people. Take out a mortgage in your name. They do things that can destroy your life. You know, you keep going further. Information can be used to understand where you are, where you might be doing. Have you committed a crime where you might be after that crime to get arrested? You’re going through an airport and your face gets scanned and you show up that you’re on a watch list and someone comes down and they ask to have a conversation. It’s the autonomy you have over your own personal life is being sacrificed.
Speaker1: [00:09:27] This makes me really nervous!
Speaker2: [00:09:29] And think the problem is, is that I think the fundamental problem is that there is no focus on it by enough group of people. So it’s starting, by the way, but there’s not enough focus. But, you know, just this morning, just to highlight this little bit more to people who might be listening to us, just this morning, I was reading about an initiative in France where they have this data health hub. Right. And the the article I was reading was actually mainly about whether the hub, this data hub containing all the health of French health data of French citizens was in the Microsoft cloud in Azure. And therefore, if it was in the U.S. cloud, is it accessible by U.S. surveillance companies? Right. Just a big question, right? Well, what was interesting was the data that was inside that hub because it had data about your Fitbit and your teleconferencing with your doctor or your hospital data, the things you bought in the pharmacy. And so it was an amalgamation of your entire sort of. But let’s be honest, some of us might want to go to a private online doctor looking at their website, which says this is private just between us because we don’t actually want it to be known by anyone else. Right. So have we lost that? Have we lost that choice? And I think that as society becomes more complex and it’s all digital, we don’t actually have the choice anymore. We can’t we can’t ring-fence it and make it sort of you know, we literally have to do it, like go to the park and read the in park and ask the doctor to leave their phone at home to talk to you. That’s kind of where we’re at if we really want to keep our information private, you know.
Speaker1: [00:11:22] And my next question Karima because I was going to ask and sorry sorry to interrupt, but I was going to say, is it too late to unravel this or to to regain more control over our privacy? But it sounds like, you know, that we are where we are. And I guess in my view, and I’m not as smart as you guys, I’m not a privacy pro, but I have got a grasp. But, you know, it sounds to me that really the only solution to this ongoing is for organizations and businesses to be increasingly transparent about everything and just, you know, to to obviously gain the trust. As we know, businesses are going to continue to live and die over the course of time by, you know, how transparent they are about what they’re doing with their data and ultimately our data. So I guess it’s too late, is it?
Speaker2: [00:12:16] What do you think Neal – too late?
Speaker3: [00:12:19] I don’t think it I mean, I like to be a bit of an optimist here. I think there’s always things to do and always improvements to be had. I think, though, kind of talking about transparency and maybe like what is privacy compliance? I think a big part of the problem is that we’re operating with it.
Speaker1: [00:12:43] Neal Sorry to interrupt. We’ve lost you a little bit and got to apologize for tech problems here. We’ve kind of lost you a little bit, Neal. Can you hear us?
Speaker2: [00:12:55] Oh, no. I will answer the question then as soon as Neal is back. Yeah, he will come, I will see him moving. This is the new world. It is authentic.
Speaker1: [00:13:07] We’re authentic. What can we do?!
Speaker2: [00:13:10] We will I will just pick up and I will go back when I heard him left off, which is being an optimist. And I think that. We are, you know, as a society know, I believe in the good in society. OK, and we have been in lots of places before where things can go wrong. But and there is a point now where. There will be organizations because as individuals are going to start asking, right, and because there’s always going to be sort of a model where somebody comes forward and said, you know what, I’m going to offer you, you know, a search engine which is already out there, which doesn’t track you. Right. And you can pay for it. And so as people come in and introduce products which say, listen, let’s just do it completely differently, we’re going to give you the service and this service doesn’t track you, OK, or doesn’t doesn’t follow you. It truly doesn’t share your information as people become aware of it. And if these products and services are successful, individuals are going to switch and some individuals are going to switch. But at least we start getting a little bit more more choice. I think that the tension is the business model. And we all know this isn’t just a business model. Is this sort of it’s free, but is it really free? You know? And so I think that and, you know, Neal and I work in companies where, you know, our objective was to think about when to get online terms and conditions started. Right. People were accepting terms online. The biggest debate we were having when I was was I was a junior lawyer was how do we get people to just click since the conversations we were having with the product people, it’s how do we design this that we are within the law, but people actually don’t read these terms like conditions and just click so we can do it. And so I think that now. There is something to be said for the introduction of an ethical conversation, which I think people are willing to have, I do not believe that the people who work at Facebook and Twitter and Google. None of these people actually want some of the consequences they have, but they don’t. They’re good, decent people. So the question is, how do we bring it back in? And these organizations say, OK, let’s develop this product, lets make money, let’s make the product really clever for the user. But what is the ethical here? What is the privacy aspect? What can we do to make it better from a privacy perspective? And I think we’re going to get there.
Speaker3: [00:15:36] Yeah, yeah. No, I agree with a lot of what Karima is saying. And I think it’s quite difficult in the current environment of how privacy legislation works, how compliance works, what the different motivations are from organizations, how these laws are enforced and it’s been quite combative, I think is something that many folks that have seen this first hand. You know, if a regulator has a question and then there’s wrongdoing, they’re coming at you as an adversary, not as necessarily an entity that says, how can we do this in a better way? How can we improve privacy? This creates a very difficult environment in which to operate and privacy laws. Even really structured that way. We look at GDPR and that talks that was talked about for years before came into force.
Speaker1: [00:16:37] we have lost Neal again, just in his flow, and then it just seems to
Speaker2: [00:16:44] So so I’ve got a question. While Neal just comes back and we know where he stopped, which is sort of the regulator. But, you know, I can’t help thinking what would happen if any company. Sorry, Neal, we lost you for a bit. So we played the duet here. Let’s finish the last point you were on GDPR.
Speaker3: [00:17:06] Oh, yes. So we’ve been waiting for the GDPR to come into force. There was so many conversations just focused on how high the sanctions could be and how that impacts a company. And if that if you’re leading with the stick rather than saying how can we bring bring a better privacy benefit to individuals, that that creates a problem. Now, some regulators are initiatives have been coming out to try to address this. I think the is soundbox from the ICO. The information commissioner’s office in the UK has really been amazing. And just saying, let’s figure out how we can co-exist with privacy and technology and make things better for people. But where laws and regulations are written in the negative, you must not do these things. That creates a difficult environment. And I think we really need to get to a place where we can say, how can we have technologies? How can we have privacy? How can we not put it all individual person, expect them to guard their own world when they don’t have the time to do these things? How can we make a material change? And I don’t know if those conversations are happening enough as they should.
Speaker2: [00:18:19] I agree with that. And I think there is. There is, though, one of the things that needs to change and what’s interesting about privacy is that we we all care about it. Right. So, you know, there was this big talk about how the leaders of these tech companies don’t let their children access technology. I don’t know whether this is true or not, but the point is, this is. For each individual person, if you take any person in any room anywhere in the world and you ask them questions about whether they care about their privacy, everyone is because of course, I care about my privacy. I don’t want people to record my conversations without me understanding my conversations recorded. It is it’s completely obvious. Right. And so the question is, is how do we as founders, as innovators of companies, as builders of products, as users of AI, how do we come together as a society and say we have an obligation to do this properly? You know, it’s almost as introducing laws that said we are not going to kill our neighbors when we get angry with them. We can’t just shoot them. The wild, wild West is over. It’s kind of this big appreciation that companies are going to have to decide is how can we’re going to make this matter? And if they start from that, of course, they can make it happen. I mean, it’s just a question of whether we’re really, you know, and I think that, you know, it’s bound to happen at some point. But I was going to say one thing. I don’t know what Neal thinks about this in very simplistic terms, but I agree that you can’t get individuals to make the decisions because we don’t have time. OK, so I’m going to say something. I’m going to put myself out there, say something rather embarrassing. But I was listening to radio 4 this week or last week, and they were for
Speaker1: [00:20:06] Radio 4 is fine that’s not embarrassing Karima.
Speaker2: [00:20:07] But this is the bit that is embarrassing. They were talking about stockpiling and whether if we go into a lockdown again, will people stockpile again and then this person comes on because you don’t have a fundamental issue with stockpiling because it creates a social diversity. Sorry, it creates, you know, social division. And I’m just brushing my teeth and thinking, what? Why? And I’m trying to think, you know, and then he says, you know, which is so obvious. Right? If somebody only has £20 a week, they cannot stockpile and somebody has £100 a week, they can stockpile. So it’s not fair. Right. But here’s the point. This is a very obvious point that it wasn’t stated. And I am busy. My mind is busy. I have a job. I have children. I can’t focus. So how can we expect individuals to interact with all these things online and actually really focus in the way that the information is currently being presented to people? But what if we change the presentation now? This year, I’m taking the view of the individuals and usually I’m on the side of the organization. Yes.
Speaker2: [00:21:08] So it’s a bit like the employer employee tension. Right. But at the moment, let’s be honest, you could have a set of an experience online where when you get to pay for something, it says price check out and it says your personal information price your personal information. And then it has no tick boxes your personal information to do the following with very clear examples. So if you’re going to buy and, you know, a fitness app, it will say personal information is shared with insurance companies. So if it was highlighted this way, would it jerk people into reacting. At the moment, most organizations are still trying to hide what is happening because they need people to just accept and purchase the product. So just to conclude that what I’m trying to say is what you need, an organization is a balance between the people who are there to sell the product, to increase user engagement and the people who are going to think, OK, but how do we keep that data safe and they have to have equal powers. I think that’s quite far away. But that’s what needs to happen.
Speaker1: [00:22:19] Yeah. I mean, it sounds to me, from what you’ve both said, that you know, it’s a microcosm of society itself and the world as it’s developed in the sense it’s going to take great communication, collegiate teamwork, shining a light on all of this and everyone agreeing that this is a route that we should all go down from a moral and ethical perspective its hugely important. It’s just a shame that there’s so many other things going on in the world at the moment, its maybe just within the privacy community, that this is, you know, having as much as a light shone on it . Meanwhile, all this stuff is, like you said Karima people are busy. They don’t always have time to really consider these sort of things and don’t always want you know, they want to get stuck into the nitty gritty about what’s really going on in the backend. So so I think we’re coming towards the end of the session, guys. I just wanted to ask you something both, if you don’t mind. I always like to end with a sort of sort of interesting question, I think, for privacy pros. And I’ll throw this out to both of you. Neal, what do you enjoy most about working in privacy? You’ve you’ve been in it for many, many years and you’re incredibly well read. And you’ve worked for some great businesses, so you must love it. You know what do you enjoy the most about your role?
Speaker3: [00:23:46] Well, I think I enjoy most is really digging deep into the technology with the engineers, with the researchers, with the data, with the scientists and trying to understand how it really works. And once you can understand how it really works and you can get to a point where you’re really moving beyond the law to just figuring out what you can do for people, how you can accomplish certain objectives while protecting people. And then when those product teams release those products and you know that you made a difference and how that it’s going to interact with the world, it’s very rewarding. And that’s where I think real privacy work happens on the code level, not in privacy policies or terms of services. It’s how things interact, how the technology works. And in impacting that process and making change happen, there is what I enjoy the most.
Speaker1: [00:24:48] Fantastic and Karima What about yourself?
Speaker2: [00:24:50] I think that this is a job role in its own right. It’s far beyond managing privacy program. What you’re talking about, Neal, is almost like the new it’s just a new function. It’s a new role. And it needs to exist in all organizations. But interesting. So I fully agree with what Neal is saying, because if fundamentally the product is embedding all these principles of privacy. Then it will be safe. But the journey I am on and the thing I find very challenging to achieve, but I, I think would also make a big difference is changing the mindset of people. And I think that there is a huge amount of work there, probably work for a lot of people. How do we get this this culture to change, which I keep talking about? How do we get people around the table having the conversation and the reason why this is important? Because it’s exactly the conversation that Neal is talking about, Neal will take his time and sit with the technology team, really understand the technology they’re trying to build, and then input his knowledge and expertise of privacy to make it safe. And that conversation needs to happen across the organization for all functions continuously. And that’s really difficult to do. Right, because these people are not rewarded on that. So that that is the bit that I find very interesting, is changing the mindset. And actually, all three of us have children, even though Neal’s child is very small so he has no view on this. But, you know, I’m really concerned when I look at my teenage children, young teenagers, no matter how many conversations I have about their privacy. It’s not sinking in or know its not sinking in that it is not not private. It’s not private to them, you know?
Speaker1: [00:26:47] And so it’s kind of it’s quite a nice way to sort of end, really, because I guess there’s a message here for me that if we had more Neal and Karima’s sort of looking at very early stage, you know, the products, how things work and building it in and considering all the moral and ethical issues from the outset, then ultimately we won’t have a problem in the end because businesses will really be factoring that into what they do rather than just sort of fire fight and do something they feel they have to do to appease the regulator. So superb, is there anything else. And any other points you’d like to mention before we say farewell?
Speaker2: [00:27:31] No, before we terrify people further.
Speaker1: [00:27:38] You know what? We agreed, didn’t we? It’s important to shine a light on this stuff. And I think the only way things change will happen will be if everyone takes around the small steps to create the bigger conversation throughout the community and that is filtered into society. So I’d just like to say thank you so much. An absolute pleasure. I really hope our listeners have enjoyed it and will take something away and in turn will actually decide that they’re going to make changes or carry the discussion on. So thank you both. Have a great day and we will undoubtedly catch up soon. Guys, thank you so much
Speaker2: [00:28:17] Bye bye